@ouro.bot/cli 0.1.0-alpha.364 → 0.1.0-alpha.365

package/dist/heart/daemon/doctor.js

@@ -300,38 +300,18 @@ function checkHabits(deps) {
 function checkSecurity(deps) {
     const checks = [];
     const agents = discoverAgents(deps);
-    const providerPoolPath = `${deps.secretsRoot}/providers.json`;
-    if (deps.existsSync(providerPoolPath)) {
-        const stat = deps.statSync(providerPoolPath);
-        const worldReadable = (stat.mode & 0o004) !== 0;
-        checks.push({
-            label: "machine provider credentials perms",
-            status: worldReadable ? "warn" : "pass",
-            detail: worldReadable ? "world-readable — consider chmod 600" : "not world-readable",
-        });
-        try {
-            JSON.parse(deps.readFileSync(providerPoolPath));
-            checks.push({ label: "machine provider credentials", status: "pass", detail: "readable JSON" });
-        }
-        catch {
-            checks.push({ label: "machine provider credentials", status: "fail", detail: "unparseable JSON" });
-        }
-    }
     for (const agentDir of agents) {
         const agentName = agentDir.replace(/\.ouro$/, "");
         const secretsPath = `${deps.secretsRoot}/${agentName}/secrets.json`;
-        if (!deps.existsSync(secretsPath)) {
-            checks.push({ label: `${agentDir} secrets.json`, status: "fail", detail: "missing" });
-            continue;
-        }
-        // Check file permissions
-        const stat = deps.statSync(secretsPath);
-        const worldReadable = (stat.mode & 0o004) !== 0;
-        if (worldReadable) {
-            checks.push({ label: `${agentDir} secrets.json perms`, status: "warn", detail: "world-readable — consider chmod 600" });
-        }
-        else {
-            checks.push({ label: `${agentDir} secrets.json perms`, status: "pass", detail: "not world-readable" });
+        if (deps.existsSync(secretsPath)) {
+            const stat = deps.statSync(secretsPath);
+            const worldReadable = (stat.mode & 0o004) !== 0;
+            if (worldReadable) {
+                checks.push({ label: `${agentDir} legacy secrets.json perms`, status: "warn", detail: "world-readable — consider deleting or chmod 600" });
+            }
+            else {
+                checks.push({ label: `${agentDir} legacy secrets.json perms`, status: "pass", detail: "not world-readable" });
+            }
         }
         // Check agent.json for leaked credential keys
         const configPath = `${deps.bundlesRoot}/${agentDir}/agent.json`;

package/dist/heart/daemon/provider-discovery.js

@@ -1,19 +1,20 @@
 "use strict";
 /**
- * Shared provider discovery — single path for finding a working LLM provider.
+ * Shared provider discovery for repair.
  *
- * Scans machine-pool credentials, legacy disk credentials, and environment variables,
- * deduplicates by provider, then pings each candidate to validate credentials actually work.
+ * Runtime repair only trusts the agent vault. First-run conveniences may still
+ * inspect env vars before credentials are stored, but once an agent exists the
+ * vault is the source of truth.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.scanEnvVarCredentials = scanEnvVarCredentials;
 exports.discoverWorkingProvider = discoverWorkingProvider;
 const identity_1 = require("../identity");
-const provider_credential_pool_1 = require("../provider-credential-pool");
+const provider_credentials_1 = require("../provider-credentials");
 const runtime_1 = require("../../nerves/runtime");
 /**
- * Scan environment variables for API keys using the canonical PROVIDER_CREDENTIALS descriptor.
- * Returns one DiscoveredCredential per provider that has at least one required field set.
+ * Scan environment variables for API keys during first-run bootstrap.
+ * This does not participate in runtime provider repair.
  */
 function scanEnvVarCredentials(env) {
     const results = [];
@@ -25,7 +26,6 @@ function scanEnvVarCredentials(env) {
                 cred[credKey] = value;
             }
         }
-        // Only register if at least one required field was found
         const hasRequired = desc.required.some((key) => !!cred[key]);
         if (hasRequired) {
             results.push({
@@ -45,62 +45,35 @@ function stringifyProviderFields(fields) {
     }
     return result;
 }
-function machinePoolSource(record) {
-    if (record.provenance.contributedByAgent) {
-        return `machine-pool:${record.provenance.contributedByAgent}`;
-    }
-    return `machine-pool:${record.provenance.source}`;
-}
-function discoverMachinePoolCredentials(secretsRoot) {
-    const homeDir = (0, provider_credential_pool_1.providerCredentialHomeDirFromSecretsRoot)(secretsRoot);
-    const poolResult = (0, provider_credential_pool_1.readProviderCredentialPool)(homeDir);
-    if (!poolResult.ok)
-        return [];
-    const credentials = [];
-    for (const [, record] of Object.entries(poolResult.pool.providers)) {
-        credentials.push({
-            provider: record.provider,
-            agentName: machinePoolSource(record),
-            credentials: stringifyProviderFields(record.credentials),
-            providerConfig: stringifyProviderFields(record.config),
-        });
-    }
-    return credentials;
+function discoveredFromVaultRecord(record) {
+    return {
+        provider: record.provider,
+        agentName: "vault",
+        credentials: stringifyProviderFields(record.credentials),
+        providerConfig: stringifyProviderFields(record.config),
+    };
 }
-/**
- * Discover the first working provider by scanning configured credential sources,
- * deduplicating by provider, and pinging each candidate.
- */
 async function discoverWorkingProvider(deps) {
-    const poolCreds = discoverMachinePoolCredentials(deps.secretsRoot);
-    const diskCreds = deps.discoverExistingCredentials(deps.secretsRoot);
-    const envCreds = scanEnvVarCredentials(deps.env);
-    // Deduplicate: machine pool first, legacy per-agent disk next, env vars last.
-    const seenProviders = new Set();
-    const candidates = [];
-    for (const cred of poolCreds) {
-        seenProviders.add(cred.provider);
-        candidates.push(cred);
-    }
-    for (const cred of diskCreds) {
-        if (!seenProviders.has(cred.provider)) {
-            seenProviders.add(cred.provider);
-            candidates.push(cred);
-        }
-    }
-    for (const cred of envCreds) {
-        if (!seenProviders.has(cred.provider)) {
-            seenProviders.add(cred.provider);
-            candidates.push(cred);
-        }
+    const poolResult = await (0, provider_credentials_1.refreshProviderCredentialPool)(deps.agentName);
+    if (!poolResult.ok) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "warn",
+            component: "daemon",
+            event: "daemon.provider_discovery_none",
+            message: "provider discovery could not read agent vault",
+            meta: { agentName: deps.agentName, reason: poolResult.reason },
+        });
+        return null;
     }
+    const candidates = Object.entries(poolResult.pool.providers)
+        .map(([, record]) => discoveredFromVaultRecord(record));
     if (candidates.length === 0) {
         (0, runtime_1.emitNervesEvent)({
             level: "info",
             component: "daemon",
             event: "daemon.provider_discovery_none",
-            message: "no provider credentials found in machine pool, legacy disk, or environment",
-            meta: {},
+            message: "no provider credentials found in agent vault",
+            meta: { agentName: deps.agentName },
         });
         return null;
     }
@@ -111,7 +84,7 @@ async function discoverWorkingProvider(deps) {
             component: "daemon",
             event: "daemon.provider_discovery_ping",
             message: `pinging provider: ${candidate.provider}`,
-            meta: { provider: candidate.provider, source: candidate.agentName },
+            meta: { agentName: deps.agentName, provider: candidate.provider, source: candidate.agentName },
         });
         const result = await deps.pingProvider(candidate.provider, config);
         if (result.ok) {
@@ -120,7 +93,7 @@ async function discoverWorkingProvider(deps) {
                 component: "daemon",
                 event: "daemon.provider_discovery_ok",
                 message: `provider discovery succeeded: ${candidate.provider}`,
-                meta: { provider: candidate.provider, source: candidate.agentName },
+                meta: { agentName: deps.agentName, provider: candidate.provider, source: candidate.agentName },
             });
             return {
                 provider: candidate.provider,
@@ -133,8 +106,8 @@ async function discoverWorkingProvider(deps) {
         level: "warn",
         component: "daemon",
         event: "daemon.provider_discovery_all_failed",
-        message: "all provider candidates failed ping",
-        meta: { candidateCount: candidates.length },
+        message: "all vault provider candidates failed ping",
+        meta: { agentName: deps.agentName, candidateCount: candidates.length },
     });
     return null;
 }

package/dist/heart/hatch/hatch-flow.js

@@ -33,7 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.writeSecretsFile = writeSecretsFile;
+exports.storeHatchlingProviderCredentials = storeHatchlingProviderCredentials;
 exports.runHatchFlow = runHatchFlow;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
@@ -45,7 +45,7 @@ const auth_flow_1 = require("../auth/auth-flow");
 const provider_models_1 = require("../provider-models");
 const habit_parser_1 = require("../habits/habit-parser");
 const machine_identity_1 = require("../machine-identity");
-const provider_credential_pool_1 = require("../provider-credential-pool");
+const provider_credentials_1 = require("../provider-credentials");
 const provider_state_1 = require("../provider-state");
 const hatch_specialist_1 = require("./hatch-specialist");
 function requiredCredentialKeys(provider) {
@@ -67,8 +67,8 @@ function validateCredentials(provider, credentials) {
         throw new Error(`Missing required credentials for ${provider}: ${missing.join(", ")}`);
     }
 }
-function writeSecretsFile(agentName, provider, credentials, secretsRoot) {
-    return (0, auth_flow_1.writeProviderCredentials)(agentName, provider, credentials, { secretsRoot }).secretsPath;
+async function storeHatchlingProviderCredentials(agentName, provider, credentials) {
+    return (await (0, auth_flow_1.storeProviderCredentials)(agentName, provider, credentials)).credentialPath;
 }
 function writeReadme(dir, purpose) {
     fs.mkdirSync(dir, { recursive: true });
@@ -135,10 +135,10 @@ function writeHatchlingAgentConfig(bundleRoot, input) {
     template.enabled = true;
     fs.writeFileSync(path.join(bundleRoot, "agent.json"), `${JSON.stringify(template, null, 2)}\n`, "utf-8");
 }
-function writeHatchlingProviderState(bundleRoot, input, secretsRoot, now) {
+function writeHatchlingProviderState(bundleRoot, input, now) {
     const model = (0, provider_models_1.getDefaultModelForProvider)(input.provider);
     const machine = (0, machine_identity_1.loadOrCreateMachineIdentity)({
-        homeDir: (0, provider_credential_pool_1.providerCredentialHomeDirFromSecretsRoot)(secretsRoot),
+        homeDir: (0, provider_credentials_1.providerCredentialMachineHomeDir)(),
         now: () => now,
     });
     const state = (0, provider_state_1.bootstrapProviderStateFromAgentConfig)({
@@ -160,7 +160,6 @@ async function runHatchFlow(input, deps = {}) {
     });
     validateCredentials(input.provider, input.credentials);
     const bundlesRoot = deps.bundlesRoot ?? path.join(os.homedir(), "AgentBundles");
-    const secretsRoot = deps.secretsRoot ?? path.join(os.homedir(), ".agentsecrets");
     const sourceIdentities = deps.specialistIdentitySourceDir ?? (0, hatch_specialist_1.getSpecialistIdentitySourceDir)();
     const targetIdentities = deps.specialistIdentityTargetDir ?? (0, hatch_specialist_1.getRepoSpecialistIdentitiesDir)();
     const now = deps.now ? deps.now() : new Date();
@@ -173,8 +172,6 @@ async function runHatchFlow(input, deps = {}) {
         identitiesDir: targetIdentities,
         random,
     });
-    const specialistSecretsPath = writeSecretsFile("SerpentGuide", input.provider, input.credentials, secretsRoot);
-    const hatchlingSecretsPath = writeSecretsFile(input.agentName, input.provider, input.credentials, secretsRoot);
     const bundleRoot = path.join(bundlesRoot, `${input.agentName}.ouro`);
     fs.mkdirSync(bundleRoot, { recursive: true });
     writeReadme(bundleRoot, "Root of this agent bundle.");
@@ -189,7 +186,8 @@ async function runHatchFlow(input, deps = {}) {
     writeReadme(path.join(bundleRoot, "senses"), "Sense-specific config.");
     writeReadme(path.join(bundleRoot, "senses", "teams"), "Teams sense config.");
     writeHatchlingAgentConfig(bundleRoot, input);
-    writeHatchlingProviderState(bundleRoot, input, secretsRoot, now);
+    const credentialPath = await storeHatchlingProviderCredentials(input.agentName, input.provider, input.credentials);
+    writeHatchlingProviderState(bundleRoot, input, now);
     writeDiaryScaffold(bundleRoot);
     writeFriendImprint(bundleRoot, input.humanName, now);
     writeHeartbeatHabit(bundleRoot, now);
@@ -202,7 +200,6 @@ async function runHatchFlow(input, deps = {}) {
     return {
         bundleRoot,
         selectedIdentity: selected.fileName,
-        specialistSecretsPath,
-        hatchlingSecretsPath,
+        credentialPath,
     };
 }

package/dist/heart/hatch/specialist-prompt.js

@@ -44,7 +44,7 @@ function buildSpecialistSystemPrompt(soulText, identityText, existingBundles, co
         `Provider: ${context.provider}`,
         `Temp directory: ${context.tempDir}`,
         "Final home: ~/AgentBundles/<Name>.ouro/",
-        "Secrets: ~/.agentsecrets/<name>/secrets.json",
+        "Provider credentials: the hatch tool stores them in the agent's vault.",
     ].join("\n"));
     sections.push([
         "## Bundle creation guidelines",

package/dist/heart/hatch/specialist-tools.js

@@ -42,7 +42,10 @@ const tools_base_1 = require("../../repertoire/tools-base");
 const hatch_flow_1 = require("./hatch-flow");
 const hatch_animation_1 = require("./hatch-animation");
 const bundle_manifest_1 = require("../../mind/bundle-manifest");
+const identity_1 = require("../identity");
 const runtime_1 = require("../../nerves/runtime");
+const vault_setup_1 = require("../../repertoire/vault-setup");
+const vault_unlock_1 = require("../../repertoire/vault-unlock");
 const completeAdoptionTool = {
     type: "function",
     function: {
@@ -171,8 +174,17 @@ async function execCompleteAdoption(args, deps) {
     // Move tempDir -> final bundle location
     moveDir(deps.tempDir, targetBundle);
     // Write secrets
+    let generatedVaultUnlockSecret = null;
     try {
-        (0, hatch_flow_1.writeSecretsFile)(name, deps.provider, deps.credentials, deps.secretsRoot);
+        const vault = (0, identity_1.resolveVaultConfig)(name);
+        const vaultUnlockSecret = crypto.randomBytes(32).toString("base64");
+        const vaultResult = await (0, vault_setup_1.createVaultAccount)(name, vault.serverUrl, vault.email, vaultUnlockSecret);
+        if (!vaultResult.success) {
+            throw new Error(`failed to create vault: ${vaultResult.error}`);
+        }
+        (0, vault_unlock_1.storeVaultUnlockSecret)({ agentName: name, email: vault.email, serverUrl: vault.serverUrl }, vaultUnlockSecret);
+        generatedVaultUnlockSecret = vaultUnlockSecret;
+        await (0, hatch_flow_1.storeHatchlingProviderCredentials)(name, deps.provider, deps.credentials);
     }
     catch (e) {
         // Rollback: remove the moved bundle
@@ -217,6 +229,14 @@ async function execCompleteAdoption(args, deps) {
     if (handoffMessage && deps.animationWriter) {
         deps.animationWriter(`\n${handoffMessage}\n`);
     }
+    if (generatedVaultUnlockSecret && deps.animationWriter) {
+        deps.animationWriter([
+            "",
+            `Vault unlock secret for ${name}: ${generatedVaultUnlockSecret}`,
+            `Use this with \`ouro vault unlock --agent ${name}\` on another machine.`,
+            "",
+        ].join("\n"));
+    }
     (0, runtime_1.emitNervesEvent)({
         component: "daemon",
         event: "daemon.adoption_complete",

package/dist/heart/migrate-config.js

@@ -1,7 +1,7 @@
 "use strict";
 // v1 → v2 agent.json migration.
-// Moves model from secrets.json into agent.json under humanFacing/agentFacing.
-// Uses raw fs — NO import from config.ts (avoids circular dependency).
+// Creates explicit humanFacing/agentFacing blocks from the legacy provider.
+// Uses raw fs and provider-model defaults — NO import from config.ts.
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);
@@ -40,19 +40,15 @@ exports.migrateAgentConfigV1ToV2 = migrateAgentConfigV1ToV2;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const runtime_1 = require("../nerves/runtime");
-const MODEL_FIELD = {
-    azure: "modelName",
-    minimax: "model",
-    anthropic: "model",
-    "openai-codex": "model",
-    "github-copilot": "model",
-};
-function resolveSecretsPath(agentRoot, deps) {
-    const agentName = path.basename(agentRoot).replace(/\.ouro$/, "");
-    const secretsBase = deps?.secretsRoot ?? path.join(require("os").homedir(), ".agentsecrets");
-    return path.join(secretsBase, agentName, "secrets.json");
+const provider_models_1 = require("./provider-models");
+function isAgentProvider(value) {
+    return value === "azure" ||
+        value === "minimax" ||
+        value === "anthropic" ||
+        value === "openai-codex" ||
+        value === "github-copilot";
 }
-function migrateAgentConfigV1ToV2(agentRoot, deps) {
+function migrateAgentConfigV1ToV2(agentRoot) {
     const configPath = path.join(agentRoot, "agent.json");
     let raw;
     try {
@@ -84,44 +80,21 @@ function migrateAgentConfigV1ToV2(agentRoot, deps) {
         message: "migrating agent config v1 → v2",
         meta: { agentRoot },
     });
-    const provider = config.provider;
-    let model = "";
-    if (provider) {
-        const secretsPath = resolveSecretsPath(agentRoot, deps);
-        try {
-            const secretsRaw = fs.readFileSync(secretsPath, "utf-8");
-            const secrets = JSON.parse(secretsRaw);
-            const providers = secrets.providers;
-            if (providers) {
-                const providerSecrets = providers[provider];
-                if (providerSecrets) {
-                    /* v8 ignore next -- fallback: all known providers are in MODEL_FIELD @preserve */
-                    const fieldName = MODEL_FIELD[provider] ?? "model";
-                    const rawModel = providerSecrets[fieldName];
-                    model = typeof rawModel === "string" ? rawModel : "";
-                    // Strip model from secrets
-                    delete providerSecrets[fieldName];
-                    fs.writeFileSync(secretsPath, JSON.stringify(secrets, null, 2) + "\n", "utf-8");
-                }
-            }
-        }
-        catch {
-            // Missing or malformed secrets.json — leave model as empty string
-        }
-    }
+    const provider = isAgentProvider(config.provider) ? config.provider : "anthropic";
+    const model = (0, provider_models_1.getDefaultModelForProvider)(provider);
     // Write v2 config
     const { provider: _removed, ...rest } = config;
     const v2Config = {
         ...rest,
         version: 2,
-        humanFacing: { provider: provider ?? "anthropic", model },
-        agentFacing: { provider: provider ?? "anthropic", model },
+        humanFacing: { provider, model },
+        agentFacing: { provider, model },
     };
     fs.writeFileSync(configPath, JSON.stringify(v2Config, null, 2) + "\n", "utf-8");
     (0, runtime_1.emitNervesEvent)({
         component: "config/identity",
         event: "config_identity.migrate_end",
         message: "agent config migration complete",
-        meta: { agentRoot, provider: provider ?? "unknown", model },
+        meta: { agentRoot, provider, model },
     });
 }

package/dist/heart/provider-binding-resolver.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.normalizeProviderLane = normalizeProviderLane;
 exports.resolveEffectiveProviderBinding = resolveEffectiveProviderBinding;
 const runtime_1 = require("../nerves/runtime");
-const provider_credential_pool_1 = require("./provider-credential-pool");
+const provider_credentials_1 = require("./provider-credentials");
 const provider_state_1 = require("./provider-state");
 function legacyLaneWarning(selector, lane) {
     return {
@@ -36,7 +36,7 @@ function buildUseRepair(agentName, lane, force = false) {
 function buildAuthRepair(agentName, provider) {
     return {
         command: `ouro auth --agent ${agentName} --provider ${provider}`,
-        message: `Authenticate ${provider} once for this machine's shared credential pool.`,
+        message: `Store ${provider} credentials in ${agentName}'s vault.`,
     };
 }
 function missingProviderStateWarning(agentName) {
@@ -54,13 +54,13 @@ function invalidProviderStateWarning(agentName) {
 function missingCredentialWarning(provider) {
     return {
         code: "credential-missing",
-        message: `${provider} has no credential record in the machine credential pool.`,
+        message: `${provider} has no credential record in the agent vault.`,
     };
 }
 function invalidCredentialPoolWarning(provider) {
     return {
         code: "credential-pool-invalid",
-        message: `${provider} cannot read credentials because the machine credential pool is invalid.`,
+        message: `${provider} cannot read credentials from the agent vault.`,
     };
 }
 function presentCredential(record) {
@@ -69,7 +69,6 @@ function presentCredential(record) {
         provider: record.provider,
         revision: record.revision,
         source: record.provenance.source,
-        contributedByAgent: record.provenance.contributedByAgent,
         updatedAt: record.updatedAt,
         credentialFields: Object.keys(record.credentials).sort(),
         configFields: Object.keys(record.config).sort(),
@@ -90,7 +89,7 @@ function resolveCredential(poolResult, provider, agentName) {
             warnings: [missingCredentialWarning(provider)],
         };
     }
-    if (poolResult.reason === "invalid") {
+    if (poolResult.reason === "invalid" || poolResult.reason === "unavailable") {
         return {
             credential: {
                 status: "invalid-pool",
@@ -198,7 +197,7 @@ function resolveEffectiveProviderBinding(input) {
         return result;
     }
     const laneBinding = stateResult.state.lanes[laneResolution.lane];
-    const poolResult = (0, provider_credential_pool_1.readProviderCredentialPool)(input.homeDir);
+    const poolResult = (0, provider_credentials_1.readProviderCredentialPool)(input.agentName);
     const credentialResult = resolveCredential(poolResult, laneBinding.provider, input.agentName);
     const readinessResult = resolveReadiness({
         provider: laneBinding.provider,