@ouro.bot/cli 0.1.0-alpha.363 → 0.1.0-alpha.365

package/dist/heart/provider-credentials.js

@@ -0,0 +1,379 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.splitProviderCredentialFields = splitProviderCredentialFields;
+exports.providerCredentialsVaultPath = providerCredentialsVaultPath;
+exports.providerCredentialItemName = providerCredentialItemName;
+exports.providerCredentialMachineHomeDir = providerCredentialMachineHomeDir;
+exports.readProviderCredentialPool = readProviderCredentialPool;
+exports.refreshProviderCredentialPool = refreshProviderCredentialPool;
+exports.createProviderCredentialRecord = createProviderCredentialRecord;
+exports.cacheProviderCredentialRecords = cacheProviderCredentialRecords;
+exports.readCachedProviderCredentialRecord = readCachedProviderCredentialRecord;
+exports.readProviderCredentialRecord = readProviderCredentialRecord;
+exports.upsertProviderCredential = upsertProviderCredential;
+exports.redactProviderCredentialPool = redactProviderCredentialPool;
+exports.summarizeProviderCredentialPool = summarizeProviderCredentialPool;
+exports.resetProviderCredentialCache = resetProviderCredentialCache;
+const crypto = __importStar(require("node:crypto"));
+const os = __importStar(require("node:os"));
+const runtime_1 = require("../nerves/runtime");
+const credential_access_1 = require("../repertoire/credential-access");
+const VALID_PROVIDERS = ["azure", "minimax", "anthropic", "openai-codex", "github-copilot"];
+const VALID_PROVENANCE_SOURCES = ["auth-flow", "manual"];
+const VAULT_ITEM_PREFIX = "providers/";
+const PROVIDER_FIELD_SPLITS = {
+    anthropic: {
+        credentials: ["setupToken", "refreshToken", "expiresAt"],
+        config: [],
+    },
+    "openai-codex": {
+        credentials: ["oauthAccessToken"],
+        config: [],
+    },
+    azure: {
+        credentials: ["apiKey"],
+        config: ["endpoint", "deployment", "apiVersion", "managedIdentityClientId"],
+    },
+    minimax: {
+        credentials: ["apiKey"],
+        config: [],
+    },
+    "github-copilot": {
+        credentials: ["githubToken"],
+        config: ["baseUrl"],
+    },
+};
+let cachedPools = new Map();
+function isRecord(value) {
+    return !!value && typeof value === "object" && !Array.isArray(value);
+}
+function isAgentProvider(value) {
+    return VALID_PROVIDERS.includes(value);
+}
+function isProvenanceSource(value) {
+    return typeof value === "string" && VALID_PROVENANCE_SOURCES.includes(value);
+}
+function isCredentialValue(value) {
+    return typeof value === "string" || typeof value === "number";
+}
+function isPresentCredentialValue(value) {
+    if (!isCredentialValue(value))
+        return false;
+    if (typeof value === "string")
+        return value.trim().length > 0;
+    return Number.isFinite(value) && value !== 0;
+}
+function copyKnownFields(source, fields) {
+    const result = {};
+    for (const field of fields) {
+        const value = source[field];
+        if (isPresentCredentialValue(value)) {
+            result[field] = value;
+        }
+    }
+    return result;
+}
+function splitProviderCredentialFields(provider, rawConfig) {
+    const fields = PROVIDER_FIELD_SPLITS[provider];
+    return {
+        credentials: copyKnownFields(rawConfig, fields.credentials),
+        config: copyKnownFields(rawConfig, fields.config),
+    };
+}
+function providerCredentialsVaultPath(agentName) {
+    return `vault:${agentName}:${VAULT_ITEM_PREFIX}*`;
+}
+function providerCredentialItemName(provider) {
+    return `${VAULT_ITEM_PREFIX}${provider}`;
+}
+function providerCredentialMachineHomeDir(homeDir) {
+    return homeDir ?? os.homedir();
+}
+function stableJson(value) {
+    if (Array.isArray(value))
+        return `[${value.map(stableJson).join(",")}]`;
+    if (isRecord(value)) {
+        return `{${Object.keys(value).sort().map((key) => `${JSON.stringify(key)}:${stableJson(value[key])}`).join(",")}}`;
+    }
+    return JSON.stringify(value);
+}
+function makeRevision(payload) {
+    const hash = crypto
+        .createHash("sha256")
+        .update(stableJson({
+        provider: payload.provider,
+        credentials: payload.credentials,
+        config: payload.config,
+        provenance: payload.provenance,
+        updatedAt: payload.updatedAt,
+    }))
+        .digest("hex")
+        .slice(0, 16);
+    return `vault_${hash}`;
+}
+function validateProviderCredentialPayload(value, expectedProvider) {
+    if (!isRecord(value))
+        throw new Error("provider credential payload must be an object");
+    if (value.schemaVersion !== 1)
+        throw new Error("provider credential payload schemaVersion must be 1");
+    if (value.kind !== "provider-credential")
+        throw new Error("provider credential payload kind must be provider-credential");
+    if (typeof value.provider !== "string" || !isAgentProvider(value.provider)) {
+        throw new Error("provider credential payload provider must be valid");
+    }
+    if (expectedProvider && value.provider !== expectedProvider) {
+        throw new Error(`provider credential payload provider must be ${expectedProvider}`);
+    }
+    if (typeof value.updatedAt !== "string" || value.updatedAt.length === 0) {
+        throw new Error("provider credential payload updatedAt must be non-empty");
+    }
+    if (!isRecord(value.credentials))
+        throw new Error("provider credential payload credentials must be an object");
+    if (!isRecord(value.config))
+        throw new Error("provider credential payload config must be an object");
+    for (const [field, fieldValue] of Object.entries(value.credentials)) {
+        if (!isCredentialValue(fieldValue))
+            throw new Error(`credentials.${field} must be a string or number`);
+    }
+    for (const [field, fieldValue] of Object.entries(value.config)) {
+        if (!isCredentialValue(fieldValue))
+            throw new Error(`config.${field} must be a string or number`);
+    }
+    if (!isRecord(value.provenance))
+        throw new Error("provider credential payload provenance must be an object");
+    if (!isProvenanceSource(value.provenance.source)) {
+        throw new Error("provider credential payload provenance.source must be auth-flow or manual");
+    }
+    if (typeof value.provenance.updatedAt !== "string" || value.provenance.updatedAt.length === 0) {
+        throw new Error("provider credential payload provenance.updatedAt must be non-empty");
+    }
+    return value;
+}
+function recordFromPayload(payload) {
+    return {
+        provider: payload.provider,
+        revision: makeRevision(payload),
+        updatedAt: payload.updatedAt,
+        credentials: { ...payload.credentials },
+        config: { ...payload.config },
+        provenance: { ...payload.provenance },
+    };
+}
+function missingPool(agentName, error = "provider credentials have not been loaded from vault") {
+    return {
+        ok: false,
+        reason: "missing",
+        poolPath: providerCredentialsVaultPath(agentName),
+        error,
+    };
+}
+function cacheResult(agentName, result) {
+    cachedPools.set(agentName, result);
+    return result;
+}
+function resultForProvider(poolResult, provider) {
+    if (!poolResult.ok)
+        return poolResult;
+    const record = poolResult.pool.providers[provider];
+    if (!record) {
+        return {
+            ok: false,
+            reason: "missing",
+            poolPath: poolResult.poolPath,
+            error: `${provider} credentials are missing from ${poolResult.poolPath}`,
+        };
+    }
+    return { ok: true, poolPath: poolResult.poolPath, record };
+}
+function readProviderCredentialPool(agentName) {
+    return cachedPools.get(agentName) ?? missingPool(agentName);
+}
+async function refreshProviderCredentialPool(agentName, options = {}) {
+    try {
+        const store = (0, credential_access_1.getCredentialStore)(agentName);
+        const items = await store.list();
+        const providers = {};
+        let updatedAt = new Date(0).toISOString();
+        for (const item of items) {
+            if (!item.domain.startsWith(VAULT_ITEM_PREFIX))
+                continue;
+            const provider = item.domain.slice(VAULT_ITEM_PREFIX.length);
+            if (!isAgentProvider(provider))
+                continue;
+            const raw = await store.getRawSecret(item.domain, "password");
+            const payload = validateProviderCredentialPayload(JSON.parse(raw), provider);
+            const record = recordFromPayload(payload);
+            providers[provider] = record;
+            if (record.updatedAt > updatedAt)
+                updatedAt = record.updatedAt;
+        }
+        const pool = {
+            schemaVersion: 1,
+            updatedAt,
+            providers,
+        };
+        (0, runtime_1.emitNervesEvent)({
+            component: "config/identity",
+            event: "config.provider_credentials_loaded",
+            message: "loaded provider credentials from vault",
+            meta: { agentName, providerCount: Object.keys(providers).length },
+        });
+        return cacheResult(agentName, { ok: true, poolPath: providerCredentialsVaultPath(agentName), pool });
+    }
+    catch (error) {
+        const cached = cachedPools.get(agentName);
+        const result = {
+            ok: false,
+            reason: "unavailable",
+            poolPath: providerCredentialsVaultPath(agentName),
+            error: error instanceof Error ? error.message : String(error),
+        };
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            component: "config/identity",
+            event: "config.provider_credentials_unavailable",
+            message: "provider credentials unavailable",
+            meta: { agentName, reason: result.reason, poolPath: result.poolPath },
+        });
+        if (options.preserveCachedOnFailure && cached?.ok)
+            return cached;
+        return cacheResult(agentName, result);
+    }
+}
+function createProviderCredentialRecord(input) {
+    const updatedAt = (input.now ?? new Date()).toISOString();
+    const payload = {
+        schemaVersion: 1,
+        kind: "provider-credential",
+        provider: input.provider,
+        updatedAt,
+        credentials: { ...input.credentials },
+        config: { ...input.config },
+        provenance: {
+            source: input.provenance.source,
+            updatedAt,
+        },
+    };
+    return recordFromPayload(payload);
+}
+function cacheProviderCredentialRecords(agentName, records, now = new Date()) {
+    const providers = {};
+    let updatedAt = now.toISOString();
+    for (const record of records) {
+        providers[record.provider] = record;
+        if (record.updatedAt > updatedAt)
+            updatedAt = record.updatedAt;
+    }
+    const pool = {
+        schemaVersion: 1,
+        updatedAt,
+        providers,
+    };
+    return cacheResult(agentName, { ok: true, poolPath: providerCredentialsVaultPath(agentName), pool });
+}
+function readCachedProviderCredentialRecord(agentName, provider) {
+    return resultForProvider(readProviderCredentialPool(agentName), provider);
+}
+async function readProviderCredentialRecord(agentName, provider, options = {}) {
+    const cached = readCachedProviderCredentialRecord(agentName, provider);
+    if (cached.ok || options.refreshIfMissing === false)
+        return cached;
+    return resultForProvider(await refreshProviderCredentialPool(agentName), provider);
+}
+async function upsertProviderCredential(input) {
+    const updatedAt = (input.now ?? new Date()).toISOString();
+    const payload = {
+        schemaVersion: 1,
+        kind: "provider-credential",
+        provider: input.provider,
+        updatedAt,
+        credentials: { ...input.credentials },
+        config: { ...input.config },
+        provenance: {
+            source: input.provenance.source,
+            updatedAt,
+        },
+    };
+    const record = recordFromPayload(payload);
+    const store = (0, credential_access_1.getCredentialStore)(input.agentName);
+    await store.store(providerCredentialItemName(input.provider), {
+        username: input.provider,
+        password: JSON.stringify(payload),
+        notes: "Ouro provider credentials. The vault item password is a versioned JSON payload.",
+    });
+    await refreshProviderCredentialPool(input.agentName);
+    (0, runtime_1.emitNervesEvent)({
+        component: "config/identity",
+        event: "config.provider_credential_upserted",
+        message: "upserted provider credential record in vault",
+        meta: { agentName: input.agentName, provider: input.provider, revision: record.revision, source: record.provenance.source },
+    });
+    return record;
+}
+function redactProviderCredentialPool(pool) {
+    const providers = {};
+    for (const [provider, record] of Object.entries(pool.providers)) {
+        const redactedCredentials = {};
+        for (const key of Object.keys(record.credentials)) {
+            redactedCredentials[key] = "[redacted]";
+        }
+        providers[provider] = {
+            ...record,
+            credentials: redactedCredentials,
+            config: { ...record.config },
+            provenance: { ...record.provenance },
+        };
+    }
+    return {
+        ...pool,
+        providers,
+    };
+}
+function summarizeProviderCredentialPool(pool) {
+    return {
+        providers: Object.entries(pool.providers).map(([, record]) => ({
+            provider: record.provider,
+            revision: record.revision,
+            source: record.provenance.source,
+            updatedAt: record.updatedAt,
+            credentialFields: Object.keys(record.credentials).sort(),
+            configFields: Object.keys(record.config).sort(),
+        })),
+    };
+}
+function resetProviderCredentialCache() {
+    cachedPools = new Map();
+}

package/dist/heart/provider-failover.js

@@ -8,7 +8,7 @@ exports.runMachineProviderFailoverInventory = runMachineProviderFailoverInventor
 const identity_1 = require("./identity");
 const provider_ping_1 = require("./provider-ping");
 const provider_models_1 = require("./provider-models");
-const provider_credential_pool_1 = require("./provider-credential-pool");
+const provider_credentials_1 = require("./provider-credentials");
 const runtime_1 = require("../nerves/runtime");
 const CLASSIFICATION_LABELS = {
     "auth-failure": "authentication failed",
@@ -33,14 +33,8 @@ function formatErrorDetail(errorMessage, errorSummary) {
     return detail.length > 300 ? `${detail.slice(0, 297)}...` : detail;
 }
 function formatCredentialProvenanceLabel(candidate) {
-    if (candidate.contributedByAgent && candidate.source) {
-        return `credentials from ${candidate.contributedByAgent} via ${candidate.source}`;
-    }
-    if (candidate.contributedByAgent) {
-        return `credentials from ${candidate.contributedByAgent}`;
-    }
     if (candidate.source) {
-        return `credentials from this machine via ${candidate.source}`;
+        return `credentials in vault via ${candidate.source}`;
     }
     return undefined;
 }
@@ -200,7 +194,6 @@ function handleFailoverReply(reply, context) {
                 lane: currentLane,
                 ...(candidate.credentialRevision ? { credentialRevision: candidate.credentialRevision } : {}),
                 ...(candidate.source ? { source: candidate.source } : {}),
-                ...(candidate.contributedByAgent ? { contributedByAgent: candidate.contributedByAgent } : {}),
             };
         }
     }
@@ -211,12 +204,11 @@ function candidateFromCredentialRecord(record) {
         provider: record.provider,
         credentialRevision: record.revision,
         source: record.provenance.source,
-        contributedByAgent: record.provenance.contributedByAgent,
     };
 }
 async function runMachineProviderFailoverInventory(agentName, currentProvider, options = {}) {
     const ping = options.ping ?? provider_ping_1.pingProvider;
-    const poolResult = (0, provider_credential_pool_1.readProviderCredentialPool)(options.homeDir);
+    const poolResult = await (0, provider_credentials_1.refreshProviderCredentialPool)(agentName);
     const providers = Object.keys(identity_1.PROVIDER_CREDENTIALS).filter((provider) => provider !== currentProvider);
     const inventory = { ready: [], unavailable: [], unconfigured: [] };
     if (!poolResult.ok) {

package/dist/heart/provider-ping.js

@@ -11,10 +11,10 @@ const azure_1 = require("./providers/azure");
 const minimax_1 = require("./providers/minimax");
 const openai_codex_1 = require("./providers/openai-codex");
 const github_copilot_1 = require("./providers/github-copilot");
-const auth_flow_1 = require("./auth/auth-flow");
 const provider_models_1 = require("./provider-models");
 const runtime_1 = require("../nerves/runtime");
 const provider_attempt_1 = require("./provider-attempt");
+const provider_credentials_1 = require("./provider-credentials");
 const PING_TIMEOUT_MS = 10_000;
 const PING_PROMPT = "ping";
 const CHAT_PING_MAX_TOKENS = 1;
@@ -212,10 +212,20 @@ const PINGABLE_PROVIDERS = ["anthropic", "openai-codex", "azure", "minimax", "gi
 async function runHealthInventory(agentName, currentProvider, deps = {}) {
     /* v8 ignore next -- default: tests inject ping dep @preserve */
     const ping = deps.ping ?? pingProvider;
-    const { secrets } = (0, auth_flow_1.loadAgentSecrets)(agentName);
+    const poolResult = await (0, provider_credentials_1.refreshProviderCredentialPool)(agentName);
     const providers = PINGABLE_PROVIDERS.filter((p) => p !== currentProvider);
+    if (!poolResult.ok) {
+        return Object.fromEntries(providers.map((provider) => [
+            provider,
+            { ok: false, classification: "auth-failure", message: poolResult.error },
+        ]));
+    }
     const results = await Promise.all(providers.map(async (provider) => {
-        const config = secrets.providers[provider];
+        const record = poolResult.pool.providers[provider];
+        if (!record) {
+            return [provider, { ok: false, classification: "auth-failure", message: "no credentials configured" }];
+        }
+        const config = { ...record.config, ...record.credentials };
         const result = await ping(provider, config);
         return [provider, result];
     }));

package/dist/heart/provider-state.js

@@ -149,6 +149,14 @@ function getProviderStatePath(agentRoot) {
 function readProviderState(agentRoot) {
     const statePath = getProviderStatePath(agentRoot);
     let raw;
+    try {
+        if (!fs.existsSync(statePath)) {
+            return { ok: false, reason: "missing", statePath, error: "provider state not found" };
+        }
+    }
+    catch (error) {
+        return { ok: false, reason: "invalid", statePath, error: String(error) };
+    }
     try {
         raw = fs.readFileSync(statePath, "utf-8");
     }

package/dist/heart/provider-visibility.js

@@ -16,7 +16,6 @@ function credentialVisibility(binding) {
         return {
             status: "present",
             source: credential.source,
-            contributedByAgent: credential.contributedByAgent,
             revision: credential.revision,
         };
     }
@@ -84,12 +83,10 @@ function buildAgentProviderVisibility(input) {
     return visibility;
 }
 function credentialLabel(credential) {
-    if (credential.status === "present") {
-        const source = credential.source ?? "unknown";
-        return credential.contributedByAgent ? `${source} from ${credential.contributedByAgent}` : source;
-    }
+    if (credential.status === "present")
+        return credential.source ?? "vault";
     if (credential.status === "invalid-pool")
-        return "invalid pool";
+        return "vault unavailable";
     return "missing";
 }
 function readinessLabel(readiness) {

package/dist/heart/providers/anthropic-token.js

@@ -1,46 +1,12 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.needsRefresh = needsRefresh;
 exports.refreshAnthropicToken = refreshAnthropicToken;
 exports.persistTokenState = persistTokenState;
 exports.ensureFreshToken = ensureFreshToken;
 /* v8 ignore start -- OAuth token lifecycle: requires live API calls, tested via integration @preserve */
-const fs = __importStar(require("fs"));
 const runtime_1 = require("../../nerves/runtime");
-const identity_1 = require("../identity");
+const provider_credentials_1 = require("../provider-credentials");
 const OAUTH_TOKEN_ENDPOINT = "https://console.anthropic.com/v1/oauth/token";
 const OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
 const REFRESH_MARGIN_MS = 5 * 60 * 1000; // refresh 5 minutes before expiry
@@ -114,19 +80,21 @@ async function refreshAnthropicToken(refreshToken, fetchImpl = fetch) {
     }
 }
 /**
- * Persist refreshed token state back to secrets.json.
+ * Persist refreshed token state back to the agent vault.
  */
-function persistTokenState(agentName, state) {
+async function persistTokenState(agentName, state) {
     try {
-        const secretsPath = (0, identity_1.getAgentSecretsPath)(agentName);
-        const raw = fs.readFileSync(secretsPath, "utf-8");
-        const secrets = JSON.parse(raw);
-        secrets.providers = secrets.providers ?? {};
-        secrets.providers.anthropic = secrets.providers.anthropic ?? {};
-        secrets.providers.anthropic.setupToken = state.accessToken;
-        secrets.providers.anthropic.refreshToken = state.refreshToken;
-        secrets.providers.anthropic.expiresAt = state.expiresAt;
-        fs.writeFileSync(secretsPath, JSON.stringify(secrets, null, 2) + "\n", "utf-8");
+        await (0, provider_credentials_1.upsertProviderCredential)({
+            agentName,
+            provider: "anthropic",
+            credentials: {
+                setupToken: state.accessToken,
+                refreshToken: state.refreshToken,
+                expiresAt: state.expiresAt,
+            },
+            config: {},
+            provenance: { source: "auth-flow" },
+        });
         /* v8 ignore start -- defensive: persistence failure must not crash the provider @preserve */
     }
     catch (error) {
@@ -157,7 +125,7 @@ async function ensureFreshToken(currentToken, refreshToken, expiresAt, agentName
     if (!newState) {
         return currentToken; // refresh failed — try the old token
     }
-    persistTokenState(agentName, newState);
+    await persistTokenState(agentName, newState);
     return newState.accessToken;
 }
 /* v8 ignore stop */

package/dist/heart/providers/anthropic.js

@@ -49,9 +49,6 @@ const error_classification_1 = require("./error-classification");
 const ANTHROPIC_SETUP_TOKEN_PREFIX = "sk-ant-oat01-";
 const ANTHROPIC_SETUP_TOKEN_MIN_LENGTH = 80;
 const ANTHROPIC_OAUTH_BETA_HEADER = "claude-code-20250219,oauth-2025-04-20,fine-grained-tool-streaming-2025-05-14,interleaved-thinking-2025-05-14";
-function getAnthropicSecretsPathForGuidance() {
-    return (0, identity_1.getAgentSecretsPath)();
-}
 function getAnthropicAgentNameForGuidance() {
     return (0, identity_1.getAgentName)();
 }
@@ -59,10 +56,8 @@ function getAnthropicSetupTokenInstructions() {
     const agentName = getAnthropicAgentNameForGuidance();
     return [
         "Fix:",
-        `  1. Run \`ouro auth --agent ${agentName}\``,
-        `  2. Open ${getAnthropicSecretsPathForGuidance()}`,
-        "  3. Confirm providers.anthropic.setupToken is set",
-        "  4. After reauth, retry the failed ouro command or reconnect this session.",
+        `  1. Run \`ouro auth --agent ${agentName} --provider anthropic\``,
+        "  2. After reauth, retry the failed ouro command or reconnect this session.",
     ].join("\n");
 }
 function getAnthropicReauthGuidance(reason) {
@@ -72,7 +67,7 @@ function getAnthropicReauthGuidance(reason) {
         getAnthropicSetupTokenInstructions(),
     ].join("\n");
 }
-function resolveAnthropicSetupTokenCredential(anthropicConfig = (0, config_1.getAnthropicConfig)()) {
+function resolveAnthropicSetupTokenCredential(anthropicConfig) {
     const token = anthropicConfig.setupToken?.trim();
     if (!token) {
         throw new Error(getAnthropicReauthGuidance("Anthropic provider is selected but no setup-token credential was found."));
@@ -418,7 +413,7 @@ function createAnthropicProviderRuntime(model, anthropicConfig = (0, config_1.ge
         meta: { provider: "anthropic" },
     });
     if (!anthropicConfig.setupToken) {
-        throw new Error(getAnthropicReauthGuidance("provider 'anthropic' is selected in agent.json but providers.anthropic.setupToken is missing in secrets.json."));
+        throw new Error(getAnthropicReauthGuidance("provider 'anthropic' is selected but anthropic.setupToken is missing in the agent vault."));
     }
     const modelCaps = (0, model_capabilities_1.getModelCapabilities)(model);
     const capabilities = new Set();

package/dist/heart/providers/azure.js

@@ -68,9 +68,9 @@ function createAzureTokenProvider(managedIdentityClientId) {
             const detail = err instanceof Error ? err.message : String(err);
             throw new Error(`Azure OpenAI authentication failed: ${detail}\n` +
                 "To fix this, either:\n" +
-                "  1. Set providers.azure.apiKey in secrets.json, or\n" +
+                "  1. Run `ouro auth --agent <agent> --provider azure`, or\n" +
                 "  2. Run 'az login' to authenticate with your Azure account (for local dev), or\n" +
-                "  3. Attach a managed identity to your App Service and set providers.azure.managedIdentityClientId in secrets.json (for deployed environments)");
+                "  3. Attach a managed identity to your App Service and store azure.managedIdentityClientId in the agent vault.");
         }
     };
 }
@@ -84,7 +84,7 @@ function createAzureProviderRuntime(model, azureConfig = (0, config_1.getAzureCo
         meta: { provider: "azure", authMethod },
     });
     if (!(azureConfig.endpoint && azureConfig.deployment)) {
-        throw new Error("provider 'azure' is selected in agent.json but providers.azure is incomplete in secrets.json.");
+        throw new Error("provider 'azure' is selected but azure endpoint/deployment is incomplete in the agent vault. Run `ouro auth --agent <agent> --provider azure`.");
     }
     const modelCaps = (0, model_capabilities_1.getModelCapabilities)(model);
     const capabilities = new Set();

package/dist/heart/providers/github-copilot.js

@@ -22,10 +22,10 @@ function createGithubCopilotProviderRuntime(model, config = (0, config_1.getGith
         meta: { provider: "github-copilot" },
     });
     if (!config.githubToken) {
-        throw new Error("provider 'github-copilot' is selected in agent.json but providers.github-copilot.githubToken is missing in secrets.json.");
+        throw new Error("provider 'github-copilot' is selected but github-copilot.githubToken is missing in the agent vault. Run `ouro auth --agent <agent> --provider github-copilot`.");
     }
     if (!config.baseUrl) {
-        throw new Error("provider 'github-copilot' is selected in agent.json but providers.github-copilot.baseUrl is missing in secrets.json.");
+        throw new Error("provider 'github-copilot' is selected but github-copilot.baseUrl is missing in the agent vault. Run `ouro auth --agent <agent> --provider github-copilot`.");
     }
     const isCompletionsModel = model.startsWith("claude");
     const modelCaps = (0, model_capabilities_1.getModelCapabilities)(model);