@ouro.bot/cli 0.1.0-alpha.364 → 0.1.0-alpha.365

package/dist/heart/daemon/cli-exec.js

@@ -62,10 +62,13 @@ const bundle_meta_1 = require("./hooks/bundle-meta");
 const agent_config_v2_1 = require("./hooks/agent-config-v2");
 const bundle_manifest_1 = require("../../mind/bundle-manifest");
 const tasks_1 = require("../../repertoire/tasks");
+const credential_access_1 = require("../../repertoire/credential-access");
+const vault_setup_1 = require("../../repertoire/vault-setup");
+const vault_unlock_1 = require("../../repertoire/vault-unlock");
 const thoughts_1 = require("./thoughts");
 const launchd_1 = require("./launchd");
 const auth_flow_1 = require("../auth/auth-flow");
-const provider_credential_pool_1 = require("../provider-credential-pool");
+const provider_credentials_1 = require("../provider-credentials");
 const provider_binding_resolver_1 = require("../provider-binding-resolver");
 const provider_state_1 = require("../provider-state");
 const machine_identity_1 = require("../machine-identity");
@@ -94,11 +97,10 @@ const DEFAULT_DAEMON_STARTUP_LOG_LINES = 10;
 async function checkAlreadyRunningAgentProviders(deps) {
     const agents = await Promise.resolve(deps.listDiscoveredAgents ? deps.listDiscoveredAgents() : (0, cli_defaults_1.defaultListDiscoveredAgents)());
     const bundlesRoot = deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)();
-    const secretsRoot = deps.secretsRoot ?? path.join(os.homedir(), ".agentsecrets");
     const degraded = [];
     for (const agent of agents) {
         try {
-            const result = await (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agent, bundlesRoot, secretsRoot);
+            const result = await (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agent, bundlesRoot);
             if (result.ok)
                 continue;
             const errorReason = result.error ?? "agent provider health check failed";
@@ -132,8 +134,7 @@ async function checkAlreadyRunningAgentProviders(deps) {
 }
 async function checkProviderHealthBeforeChat(agentName, deps) {
     const bundlesRoot = deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)();
-    const secretsRoot = deps.secretsRoot ?? path.join(os.homedir(), ".agentsecrets");
-    const result = await (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agentName, bundlesRoot, secretsRoot);
+    const result = await (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agentName, bundlesRoot);
     if (!result.ok) {
         const output = `${result.error}\n${result.fix ? `      fix:   ${result.fix}` : ""}`;
         deps.writeStdout(output);
@@ -546,7 +547,7 @@ async function resolveHatchInput(command, deps) {
 }
 // ── Provider state CLI helpers ──
 function providerCliHomeDir(deps) {
-    return (0, provider_credential_pool_1.providerCredentialHomeDirFromSecretsRoot)(deps.secretsRoot);
+    return (0, provider_credentials_1.providerCredentialMachineHomeDir)(deps.homeDir);
 }
 function providerCliAgentRoot(command, deps) {
     return path.join(deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)(), `${command.agent}.ouro`);
@@ -554,6 +555,144 @@ function providerCliAgentRoot(command, deps) {
 function providerCliNow(deps) {
     return new Date((deps.now ?? Date.now)());
 }
+function writeAgentVaultConfig(agentName, configPath, config, vault) {
+    const nextConfig = {
+        ...config,
+        vault: {
+            email: vault.email,
+            serverUrl: vault.serverUrl,
+        },
+    };
+    fs.writeFileSync(configPath, `${JSON.stringify(nextConfig, null, 2)}\n`, "utf8");
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.vault_config_written",
+        message: "wrote credential vault locator to agent config",
+        meta: { agentName, configPath, email: vault.email, serverUrl: vault.serverUrl },
+    });
+}
+async function executeVaultUnlock(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        throw new Error("SerpentGuide does not have a persistent credential vault. Hatch bootstrap uses selected provider credentials in memory only.");
+    }
+    const prompt = deps.promptInput;
+    if (!prompt)
+        throw new Error("vault unlock requires an interactive prompt to capture the vault unlock secret");
+    const { config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
+    const vault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
+    const unlockSecret = await prompt(`Ouro vault unlock secret for ${vault.email}: `);
+    const store = (0, vault_unlock_1.storeVaultUnlockSecret)({
+        agentName: command.agent,
+        email: vault.email,
+        serverUrl: vault.serverUrl,
+    }, unlockSecret, { homeDir: deps.homeDir, store: command.store });
+    (0, credential_access_1.resetCredentialStore)();
+    await (0, credential_access_1.getCredentialStore)(command.agent).get("__ouro_vault_probe__");
+    const message = [
+        `vault unlocked for ${command.agent} on this machine`,
+        `vault: ${vault.email} at ${vault.serverUrl}`,
+        `local unlock store: ${store.kind}${store.secure ? "" : " (explicit plaintext fallback)"}`,
+    ].join("\n");
+    deps.writeStdout(message);
+    return message;
+}
+async function executeVaultCreate(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        throw new Error("SerpentGuide does not have a persistent credential vault. Create a vault for the hatchling agent, not SerpentGuide.");
+    }
+    const prompt = deps.promptInput;
+    const { configPath, config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
+    const configuredVault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
+    const email = command.email ?? config.vault?.email ?? (prompt ? (await prompt("Ouro credential vault email: ")).trim() : "");
+    if (!email) {
+        throw new Error("vault create requires --email <email> when the agent bundle has no vault.email");
+    }
+    const serverUrl = command.serverUrl ?? config.vault?.serverUrl ?? configuredVault.serverUrl;
+    const requestedUnlockSecret = command.generateUnlockSecret
+        ? ""
+        : prompt
+            ? (await prompt(`Choose Ouro vault unlock secret for ${email}: `)).trim()
+            : "";
+    if (!requestedUnlockSecret && !command.generateUnlockSecret) {
+        throw new Error("vault create requires an unlock secret. Re-run with an interactive terminal or pass --generate-unlock-secret.");
+    }
+    const unlockSecret = requestedUnlockSecret || (0, crypto_1.randomBytes)(32).toString("base64");
+    const result = await (0, vault_setup_1.createVaultAccount)("Ouro credential vault", serverUrl, email, unlockSecret);
+    if (!result.success) {
+        const message = [
+            `vault create failed for ${command.agent}: ${result.error}`,
+            "",
+            "If this vault account already exists, run:",
+            `  ouro vault unlock --agent ${command.agent}`,
+        ].join("\n");
+        deps.writeStdout(message);
+        return message;
+    }
+    writeAgentVaultConfig(command.agent, configPath, config, { email, serverUrl });
+    const store = (0, vault_unlock_1.storeVaultUnlockSecret)({
+        agentName: command.agent,
+        email,
+        serverUrl,
+    }, unlockSecret, { homeDir: deps.homeDir, store: command.store });
+    (0, credential_access_1.resetCredentialStore)();
+    await (0, credential_access_1.getCredentialStore)(command.agent).get("__ouro_vault_probe__");
+    const message = [
+        `vault created for ${command.agent}`,
+        `vault: ${email} at ${serverUrl}`,
+        `local unlock store: ${store.kind}${store.secure ? "" : " (explicit plaintext fallback)"}`,
+        "Provider credentials will be stored in this agent's Ouro credential vault.",
+        ...(command.generateUnlockSecret
+            ? [
+                "",
+                `vault unlock secret: ${unlockSecret}`,
+                "",
+                "Store this in the operator password manager now. Another machine cannot unlock the vault without it.",
+            ]
+            : ["Store the vault unlock secret in the operator password manager. Another machine will need it once."]),
+    ].join("\n");
+    deps.writeStdout(message);
+    return message;
+}
+async function executeVaultStatus(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        const message = "SerpentGuide has no persistent credential vault. Hatch bootstrap uses selected provider credentials in memory only.";
+        deps.writeStdout(message);
+        return message;
+    }
+    const { config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
+    const vault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
+    const status = (0, vault_unlock_1.getVaultUnlockStatus)({
+        agentName: command.agent,
+        email: vault.email,
+        serverUrl: vault.serverUrl,
+    }, { homeDir: deps.homeDir, store: command.store });
+    const lines = [
+        `agent: ${command.agent}`,
+        `vault: ${vault.email} at ${vault.serverUrl}`,
+        `local unlock store: ${status.store ? `${status.store.kind}${status.store.secure ? "" : " (explicit plaintext fallback)"}` : "unavailable"}`,
+        `local unlock: ${status.stored ? "available" : "missing"}`,
+    ];
+    if (status.stored) {
+        const pool = await (0, provider_credentials_1.refreshProviderCredentialPool)(command.agent);
+        if (pool.ok) {
+            const summary = (0, provider_credentials_1.summarizeProviderCredentialPool)(pool.pool);
+            lines.push(`provider credentials: ${summary.providers.length === 0 ? "none stored" : ""}`);
+            for (const provider of summary.providers) {
+                lines.push(`  ${provider.provider}: credential fields ${provider.credentialFields.join(", ") || "none"}, config fields ${provider.configFields.join(", ") || "none"}`);
+            }
+        }
+        else {
+            lines.push(`provider credentials: unavailable (${pool.error})`);
+        }
+    }
+    else {
+        lines.push("");
+        lines.push(status.fix);
+    }
+    const message = lines.join("\n");
+    deps.writeStdout(message);
+    return message;
+}
 function readOrBootstrapProviderState(agentName, deps) {
     const agentRoot = providerCliAgentRoot({ agent: agentName }, deps);
     const readResult = (0, provider_state_1.readProviderState)(agentRoot);
@@ -604,56 +743,15 @@ function pingAttemptCount(result) {
         return result.attempts.length;
     return undefined;
 }
-function providerCliLegacyRecord(agent, provider, deps) {
-    try {
-        const legacyCandidates = (0, provider_credential_pool_1.readLegacyAgentProviderCredentials)({
-            homeDir: providerCliHomeDir(deps),
-            agentName: agent,
-        });
-        const candidate = legacyCandidates.find((entry) => entry.provider === provider);
-        if (candidate)
-            return { credentials: candidate.credentials, config: candidate.config };
-    }
-    catch {
-        // Fall through to the injected/secretsRoot-aware legacy reader below.
-    }
-    try {
-        const { secrets } = (0, auth_flow_1.loadAgentSecrets)(agent, { secretsRoot: deps.secretsRoot });
-        const providerSecrets = secrets.providers[provider];
-        const split = (0, provider_credential_pool_1.splitProviderCredentialFields)(provider, providerSecrets);
-        if (Object.keys(split.credentials).length === 0 && Object.keys(split.config).length === 0)
-            return null;
-        return split;
-    }
-    catch {
-        return null;
-    }
-}
-function readProviderCredentialRecord(agent, provider, deps) {
-    const homeDir = providerCliHomeDir(deps);
-    const poolResult = (0, provider_credential_pool_1.readProviderCredentialPool)(homeDir);
+async function readProviderCredentialRecord(agent, provider, _deps) {
+    const poolResult = await (0, provider_credentials_1.refreshProviderCredentialPool)(agent);
     if (poolResult.ok) {
         const existing = poolResult.pool.providers[provider];
         if (existing)
             return { ok: true, record: existing };
     }
-    else if (poolResult.reason === "invalid") {
-        return { ok: false, reason: "invalid", poolPath: poolResult.poolPath, error: poolResult.error };
-    }
-    const legacy = providerCliLegacyRecord(agent, provider, deps);
-    if (legacy) {
-        const record = (0, provider_credential_pool_1.upsertProviderCredential)({
-            homeDir,
-            provider,
-            credentials: legacy.credentials,
-            config: legacy.config,
-            provenance: {
-                source: "legacy-agent-secrets",
-                contributedByAgent: agent,
-            },
-            now: providerCliNow(deps),
-        });
-        return { ok: true, record };
+    else if (poolResult.reason === "invalid" || poolResult.reason === "unavailable") {
+        return { ok: false, reason: poolResult.reason, poolPath: poolResult.poolPath, error: poolResult.error };
     }
     return {
         ok: false,
@@ -703,7 +801,7 @@ async function executeProviderUse(command, deps, options = {}) {
         return message;
     };
     const { agentRoot, state } = readOrBootstrapProviderState(command.agent, deps);
-    const credential = readProviderCredentialRecord(command.agent, command.provider, deps);
+    const credential = await readProviderCredentialRecord(command.agent, command.provider, deps);
     if (!credential.ok) {
         if (!command.force) {
             const message = [
@@ -763,7 +861,7 @@ async function executeProviderUse(command, deps, options = {}) {
 async function executeProviderCheck(command, deps) {
     const { agentRoot, state } = readOrBootstrapProviderState(command.agent, deps);
     const binding = state.lanes[command.lane];
-    const credential = readProviderCredentialRecord(command.agent, binding.provider, deps);
+    const credential = await readProviderCredentialRecord(command.agent, binding.provider, deps);
     if (!credential.ok) {
         const message = [
             `${command.agent} ${command.lane} ${binding.provider} / ${binding.model}: unknown (${credential.error})`,
@@ -803,18 +901,18 @@ async function executeProviderCheck(command, deps) {
 }
 function renderProviderCredentialLine(credential) {
     if (credential.status === "present") {
-        const contributor = credential.contributedByAgent ? ` by ${credential.contributedByAgent}` : "";
         const credentialFields = credential.credentialFields.length > 0 ? ` credentials: ${credential.credentialFields.join(", ")}` : " credentials: none";
         const configFields = credential.configFields.length > 0 ? ` config: ${credential.configFields.join(", ")}` : " config: none";
-        return `credentials: present (${credential.source}${contributor}; ${credential.revision};${credentialFields};${configFields})`;
+        return `credentials: present in vault (${credential.source}; ${credential.revision};${credentialFields};${configFields})`;
     }
     if (credential.status === "invalid-pool") {
-        return `credentials: invalid pool (${credential.error}); repair: ${credential.repair.command}`;
+        return `credentials: vault unavailable (${credential.error}); repair: ${credential.repair.command}`;
     }
     return `credentials: missing; repair: ${credential.repair.command}`;
 }
-function executeProviderStatus(command, deps) {
+async function executeProviderStatus(command, deps) {
     const agentRoot = providerCliAgentRoot(command, deps);
+    await (0, provider_credentials_1.refreshProviderCredentialPool)(command.agent);
     const homeDir = providerCliHomeDir(deps);
     const lines = [`provider status: ${command.agent}`];
     for (const lane of ["outward", "inner"]) {
@@ -841,6 +939,45 @@ function executeProviderStatus(command, deps) {
     deps.writeStdout(message);
     return message;
 }
+async function executeProviderRefresh(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        const message = "SerpentGuide has no persistent provider credentials to refresh. Hatch bootstrap uses selected credentials in memory only.";
+        deps.writeStdout(message);
+        return message;
+    }
+    const pool = await (0, provider_credentials_1.refreshProviderCredentialPool)(command.agent);
+    const lines = [];
+    if (pool.ok) {
+        const summary = (0, provider_credentials_1.summarizeProviderCredentialPool)(pool.pool);
+        lines.push(`refreshed provider credential snapshot for ${command.agent}`);
+        lines.push(`providers: ${summary.providers.map((provider) => provider.provider).join(", ") || "none"}`);
+    }
+    else {
+        lines.push(`provider credential refresh failed for ${command.agent}: ${pool.error}`);
+        lines.push(`Run \`ouro vault unlock --agent ${command.agent}\`, then retry.`);
+    }
+    try {
+        const alive = await deps.checkSocketAlive(deps.socketPath);
+        if (alive) {
+            const response = await deps.sendCommand(deps.socketPath, { kind: "agent.restart", agent: command.agent });
+            if (response.ok) {
+                lines.push(`restarted ${command.agent} so the running agent reloads credentials`);
+            }
+            else {
+                lines.push(`daemon restart skipped: ${response.error ?? response.message ?? "unknown daemon error"}`);
+            }
+        }
+        else {
+            lines.push("daemon is not running; the next start will load the refreshed snapshot");
+        }
+    }
+    catch (error) {
+        lines.push(`daemon restart skipped: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    const message = lines.join("\n");
+    deps.writeStdout(message);
+    return message;
+}
 async function executeLegacyAuthSwitch(command, deps) {
     const { state } = readOrBootstrapProviderState(command.agent, deps);
     const lanes = command.facing
@@ -855,6 +992,7 @@ async function executeLegacyAuthSwitch(command, deps) {
             lane,
             provider: command.provider,
             model,
+            force: true,
             legacyFacing: command.facing,
         }, deps, { writeStdout: false }));
     }
@@ -871,7 +1009,7 @@ async function executeLegacyConfigModel(command, deps) {
     const { agentRoot, state } = readOrBootstrapProviderState(command.agent, deps);
     const binding = state.lanes[lane];
     if (binding.provider === "github-copilot") {
-        const credential = readProviderCredentialRecord(command.agent, "github-copilot", deps);
+        const credential = await readProviderCredentialRecord(command.agent, "github-copilot", deps);
         if (credential.ok) {
             const ghConfig = {
                 ...credential.record.config,
@@ -1641,15 +1779,12 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             else {
                 await (0, agentic_repair_1.runAgenticRepair)(daemonResult.stability.degraded, {
                     /* v8 ignore start -- production provider discovery wiring @preserve */
-                    discoverWorkingProvider: async () => {
+                    discoverWorkingProvider: async (agentName) => {
                         const { discoverWorkingProvider: discover } = await Promise.resolve().then(() => __importStar(require("./provider-discovery")));
-                        const { discoverExistingCredentials } = await Promise.resolve().then(() => __importStar(require("./cli-defaults")));
                         const { pingProvider } = await Promise.resolve().then(() => __importStar(require("../provider-ping")));
                         return discover({
-                            discoverExistingCredentials,
+                            agentName,
                             pingProvider: pingProvider,
-                            env: process.env,
-                            secretsRoot: deps.secretsRoot ?? `${process.env["HOME"]}/.agentsecrets`,
                         });
                     },
                     createProviderRuntime: agentic_repair_1.createAgenticDiagnosisProviderRuntime,
@@ -2269,6 +2404,18 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
     if (command.kind === "provider.status") {
         return executeProviderStatus(command, deps);
     }
+    if (command.kind === "provider.refresh") {
+        return executeProviderRefresh(command, deps);
+    }
+    if (command.kind === "vault.unlock") {
+        return executeVaultUnlock(command, deps);
+    }
+    if (command.kind === "vault.create") {
+        return executeVaultCreate(command, deps);
+    }
+    if (command.kind === "vault.status") {
+        return executeVaultStatus(command, deps);
+    }
     // ── auth (local, no daemon socket needed) ──
     if (command.kind === "auth.run") {
         const provider = command.provider ?? (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot).config.humanFacing.provider;
@@ -2279,29 +2426,18 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             provider,
             promptInput: deps.promptInput,
         });
-        const credentials = (result.credentials ?? {});
-        const split = (0, provider_credential_pool_1.splitProviderCredentialFields)(provider, credentials);
-        if (Object.keys(split.credentials).length > 0 || Object.keys(split.config).length > 0) {
-            (0, provider_credential_pool_1.upsertProviderCredential)({
-                homeDir: providerCliHomeDir(deps),
-                provider,
-                credentials: split.credentials,
-                config: split.config,
-                provenance: {
-                    source: "auth-flow",
-                    contributedByAgent: command.agent,
-                },
-                now: providerCliNow(deps),
-            });
-        }
         // Behavior: ouro auth stores credentials only — does NOT switch provider.
         // Use `ouro auth switch` to change the active provider.
         deps.writeStdout(result.message);
         // Verify the credentials actually work by pinging the provider
         /* v8 ignore start -- integration: real API ping after auth @preserve */
         try {
-            const { secrets } = (0, auth_flow_1.loadAgentSecrets)(command.agent, { secretsRoot: deps.secretsRoot });
-            const status = await verifyProviderCredentials(provider, secrets.providers);
+            const credential = await readProviderCredentialRecord(command.agent, provider, deps);
+            const status = credential.ok
+                ? await verifyProviderCredentials(provider, {
+                    [provider]: { ...credential.record.config, ...credential.record.credentials },
+                })
+                : `stored but could not be re-read from vault (${credential.error})`;
             deps.writeStdout(`${provider}: ${status}`);
         }
         catch {
@@ -2313,19 +2449,35 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
     // ── auth verify (local, no daemon socket needed) ──
     /* v8 ignore start -- auth verify/switch: tested in daemon-cli.test.ts but v8 traces differ in CI @preserve */
     if (command.kind === "auth.verify") {
-        const { secrets } = (0, auth_flow_1.loadAgentSecrets)(command.agent, { secretsRoot: deps.secretsRoot });
-        const providers = secrets.providers;
+        const poolResult = await (0, provider_credentials_1.refreshProviderCredentialPool)(command.agent);
+        if (!poolResult.ok) {
+            const message = `vault unavailable: ${poolResult.error}\nRun \`ouro vault unlock --agent ${command.agent}\`, then retry.`;
+            deps.writeStdout(message);
+            return message;
+        }
         if (command.provider) {
-            const status = await verifyProviderCredentials(command.provider, providers);
+            const record = poolResult.pool.providers[command.provider];
+            if (!record) {
+                const message = `${command.provider}: missing. Run \`ouro auth --agent ${command.agent} --provider ${command.provider}\`.`;
+                deps.writeStdout(message);
+                return message;
+            }
+            const status = await verifyProviderCredentials(command.provider, {
+                [command.provider]: { ...record.config, ...record.credentials },
+            });
             const message = `${command.provider}: ${status}`;
             deps.writeStdout(message);
             return message;
         }
         const lines = [];
-        for (const p of Object.keys(providers)) {
-            const status = await verifyProviderCredentials(p, providers);
+        for (const [p, record] of Object.entries(poolResult.pool.providers)) {
+            const status = await verifyProviderCredentials(p, {
+                [p]: { ...record.config, ...record.credentials },
+            });
             lines.push(`${p}: ${status}`);
         }
+        if (lines.length === 0)
+            lines.push(`no provider credentials in ${command.agent}'s vault`);
         const message = lines.join("\n");
         deps.writeStdout(message);
         return message;
@@ -2345,9 +2497,11 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             deps.writeStdout(message);
             return message;
         }
-        const { secrets } = (0, auth_flow_1.loadAgentSecrets)(command.agent, { secretsRoot: deps.secretsRoot });
-        const ghConfig = secrets.providers["github-copilot"];
-        if (!ghConfig.githubToken || !ghConfig.baseUrl) {
+        const credential = await readProviderCredentialRecord(command.agent, "github-copilot", deps);
+        const ghConfig = credential.ok
+            ? { ...credential.record.config, ...credential.record.credentials }
+            : {};
+        if (typeof ghConfig.githubToken !== "string" || typeof ghConfig.baseUrl !== "string") {
             throw new Error(`github-copilot credentials not configured. Run \`ouro auth --agent ${command.agent} --provider github-copilot\` first.`);
         }
         const fetchFn = deps.fetchImpl ?? fetch;
@@ -2728,7 +2882,10 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             await deps.startChat(hatchInput.agentName);
             return "";
         }
-        const message = `hatched ${hatchInput.agentName} at ${result.bundleRoot} using specialist identity ${result.selectedIdentity}; ${daemonResult.message}`;
+        const vaultLine = result.vaultUnlockSecret
+            ? `\nvault unlock secret for ${hatchInput.agentName}: ${result.vaultUnlockSecret}\nUse this with \`ouro vault unlock --agent ${hatchInput.agentName}\` on another machine.`
+            : "";
+        const message = `hatched ${hatchInput.agentName} at ${result.bundleRoot} using specialist identity ${result.selectedIdentity}; ${daemonResult.message}${vaultLine}`;
         deps.writeStdout(message);
         return message;
     }

package/dist/heart/daemon/cli-parse.js

@@ -65,6 +65,7 @@ function usage() {
         "  ouro status --agent <name>",
         "  ouro use --agent <name> --lane outward|inner --provider <provider> --model <model> [--force]",
         "  ouro check --agent <name> --lane outward|inner",
+        "  ouro provider refresh --agent <name>",
         "  ouro outlook [--json]",
         "  ouro -v|--version",
         "  ouro config model --agent <name> <model-name>",
@@ -72,6 +73,9 @@ function usage() {
         "  ouro auth --agent <name> [--provider <provider>]",
         "  ouro auth verify --agent <name> [--provider <provider>]",
         "  ouro auth switch --agent <name> --provider <provider>",
+        "  ouro vault create --agent <name> --email <email> [--server <url>] [--store <store>] [--generate-unlock-secret]",
+        "  ouro vault unlock --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
+        "  ouro vault status --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
         "  ouro chat <agent>",
         "  ouro msg --to <agent> [--session <id>] [--task <ref>] <message>",
         "  ouro poke <agent> --task <task-id>",
@@ -426,6 +430,61 @@ function parseAuthCommand(args) {
     }
     return provider ? { kind: "auth.run", agent, provider } : { kind: "auth.run", agent };
 }
+function isVaultUnlockStoreKind(value) {
+    return value === "auto" || value === "macos-keychain" || value === "windows-dpapi" || value === "linux-secret-service" || value === "plaintext-file";
+}
+function parseVaultCommand(args) {
+    const sub = args[0];
+    const { agent, rest } = extractAgentFlag(args.slice(1));
+    let email;
+    let serverUrl;
+    let store;
+    let generateUnlockSecret = false;
+    for (let i = 0; i < rest.length; i += 1) {
+        const token = rest[i];
+        if (token === "--email") {
+            email = rest[i + 1];
+            i += 1;
+            continue;
+        }
+        if (token === "--server") {
+            serverUrl = rest[i + 1];
+            i += 1;
+            continue;
+        }
+        if (token === "--store") {
+            const value = rest[i + 1];
+            if (!isVaultUnlockStoreKind(value)) {
+                throw new Error("vault --store must be auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file");
+            }
+            store = value;
+            i += 1;
+            continue;
+        }
+        if (token === "--generate-unlock-secret") {
+            generateUnlockSecret = true;
+            continue;
+        }
+        throw new Error("Usage: ouro vault create|unlock|status --agent <name>");
+    }
+    if (!agent || (sub !== "create" && sub !== "unlock" && sub !== "status")) {
+        throw new Error("Usage: ouro vault create|unlock|status --agent <name>");
+    }
+    if (sub === "create") {
+        return {
+            kind: "vault.create",
+            agent,
+            ...(email ? { email } : {}),
+            ...(serverUrl ? { serverUrl } : {}),
+            ...(store ? { store } : {}),
+            ...(generateUnlockSecret ? { generateUnlockSecret: true } : {}),
+        };
+    }
+    if (sub === "unlock") {
+        return { kind: "vault.unlock", agent, ...(store ? { store } : {}) };
+    }
+    return { kind: "vault.status", agent, ...(store ? { store } : {}) };
+}
 function parseProviderUseCommand(args) {
     const { agent, rest: afterAgent } = extractAgentFlag(args);
     const { facing, rest: afterFacing } = extractFacingFlag(afterAgent);
@@ -483,6 +542,14 @@ function parseProviderCheckCommand(args) {
         ...(facing ? { legacyFacing: facing } : {}),
     };
 }
+function parseProviderCommand(args) {
+    const sub = args[0];
+    const { agent, rest } = extractAgentFlag(args.slice(1));
+    if (sub === "refresh" && agent && rest.length === 0) {
+        return { kind: "provider.refresh", agent };
+    }
+    throw new Error("Usage: ouro provider refresh --agent <name>");
+}
 function parseReminderCommand(args) {
     const { agent, rest: cleaned } = extractAgentFlag(args);
     const [sub, ...rest] = cleaned;
@@ -878,6 +945,8 @@ function parseOuroCommand(args) {
         return parseProviderUseCommand(args.slice(1));
     if (head === "check")
         return parseProviderCheckCommand(args.slice(1));
+    if (head === "provider")
+        return parseProviderCommand(args.slice(1));
     if (head === "logs") {
         if (second === "prune")
             return { kind: "daemon.logs.prune" };
@@ -889,6 +958,8 @@ function parseOuroCommand(args) {
         return parseHatchCommand(args.slice(1));
     if (head === "auth")
         return parseAuthCommand(args.slice(1));
+    if (head === "vault")
+        return parseVaultCommand(args.slice(1));
     if (head === "task")
         return parseTaskCommand(args.slice(1));
     if (head === "reminder")

package/dist/heart/daemon/daemon-cli.js

@@ -14,7 +14,7 @@
  * ouro-entry.ts, ouro-bot-wrapper.ts) continue to work unchanged.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.discoverExistingCredentials = exports.readFirstBundleMetaVersion = exports.createDefaultOuroCliDeps = exports.pingGithubCopilotModel = exports.listGithubCopilotModels = exports.ensureDaemonRunning = exports.runOuroCli = exports.parseOuroCommand = void 0;
+exports.readFirstBundleMetaVersion = exports.createDefaultOuroCliDeps = exports.pingGithubCopilotModel = exports.listGithubCopilotModels = exports.ensureDaemonRunning = exports.runOuroCli = exports.parseOuroCommand = void 0;
 // ── Parsing ──
 var cli_parse_1 = require("./cli-parse");
 Object.defineProperty(exports, "parseOuroCommand", { enumerable: true, get: function () { return cli_parse_1.parseOuroCommand; } });
@@ -29,4 +29,3 @@ Object.defineProperty(exports, "pingGithubCopilotModel", { enumerable: true, get
 var cli_defaults_1 = require("./cli-defaults");
 Object.defineProperty(exports, "createDefaultOuroCliDeps", { enumerable: true, get: function () { return cli_defaults_1.createDefaultOuroCliDeps; } });
 Object.defineProperty(exports, "readFirstBundleMetaVersion", { enumerable: true, get: function () { return cli_defaults_1.readFirstBundleMetaVersion; } });
-Object.defineProperty(exports, "discoverExistingCredentials", { enumerable: true, get: function () { return cli_defaults_1.discoverExistingCredentials; } });

package/dist/heart/daemon/daemon-entry.js

@@ -54,7 +54,6 @@ const habit_migration_1 = require("../habits/habit-migration");
 const os_cron_deps_1 = require("./os-cron-deps");
 const os_cron_1 = require("./os-cron");
 const daemon_tombstone_1 = require("./daemon-tombstone");
-const os = __importStar(require("os"));
 const agent_config_check_1 = require("./agent-config-check");
 const pulse_1 = require("./pulse");
 const socket_client_1 = require("./socket-client");
@@ -102,8 +101,7 @@ const processManager = new process_manager_1.DaemonProcessManager({
     /* v8 ignore next 4 -- wiring: delegates to checkAgentConfigWithProviderHealth which has full unit tests @preserve */
     configCheck: async (agent) => {
         const bundlesRoot = (0, identity_1.getAgentBundlesRoot)();
-        const secretsRoot = path.join(os.homedir(), ".agentsecrets");
-        return (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agent, bundlesRoot, secretsRoot);
+        return (0, agent_config_check_1.checkAgentConfigWithProviderHealth)(agent, bundlesRoot);
     },
     /* v8 ignore start -- pulse flush wiring: integration code; flushPulse itself has full unit tests @preserve */
     onSnapshotChange: () => {