@ouro.bot/cli 0.1.0-alpha.364 → 0.1.0-alpha.365

package/dist/heart/providers/minimax-vlm.js

@@ -85,8 +85,8 @@ async function minimaxVlmDescribe(params) {
     if (!params.apiKey) {
         // We deliberately do NOT emit _start for param-validation errors — there's
         // no meaningful "started a request" to pair with. Only the _error fires.
-        emitError(params, "minimax VLM: API key is empty — re-run credential setup or add a minimax key to secrets.json");
-        throw new Error("minimax VLM: API key is empty — re-run credential setup or add a minimax key to secrets.json");
+        emitError(params, "minimax VLM: API key is empty — run `ouro auth --agent <agent> --provider minimax`");
+        throw new Error("minimax VLM: API key is empty — run `ouro auth --agent <agent> --provider minimax`");
     }
     if (!params.prompt) {
         emitError(params, "minimax VLM: missing prompt — supply a targeted question (e.g. 'what's the flight number in the bottom-right?') and retry");

package/dist/heart/providers/minimax.js

@@ -29,7 +29,7 @@ function createMinimaxProviderRuntime(model, minimaxConfig = (0, config_1.getMin
         meta: { provider: "minimax" },
     });
     if (!minimaxConfig.apiKey) {
-        throw new Error("provider 'minimax' is selected in agent.json but providers.minimax.apiKey is missing in secrets.json.");
+        throw new Error("provider 'minimax' is selected but minimax.apiKey is missing in the agent vault. Run `ouro auth --agent <agent> --provider minimax`.");
     }
     // Registry consulted; MiniMax models return empty defaults (no capabilities to derive)
     (0, model_capabilities_1.getModelCapabilities)(model);

package/dist/heart/providers/openai-codex.js

@@ -20,9 +20,6 @@ const OPENAI_CODEX_AUTH_FAILURE_MARKERS = [
     "invalid bearer token",
 ];
 const OPENAI_CODEX_BACKEND_BASE_URL = "https://chatgpt.com/backend-api/codex";
-function getOpenAICodexSecretsPathForGuidance() {
-    return (0, identity_1.getAgentSecretsPath)();
-}
 function getOpenAICodexAgentNameForGuidance() {
     return (0, identity_1.getAgentName)();
 }
@@ -30,11 +27,9 @@ function getOpenAICodexOAuthInstructions() {
     const agentName = getOpenAICodexAgentNameForGuidance();
     return [
         "Fix:",
-        `  1. Run \`ouro auth --agent ${agentName}\``,
-        `  2. Open ${getOpenAICodexSecretsPathForGuidance()}`,
-        "  3. Confirm providers.openai-codex.oauthAccessToken is set",
-        "  4. This provider uses chatgpt.com/backend-api/codex/responses (not api.openai.com/responses).",
-        "  5. After reauth, retry the failed ouro command or reconnect this session.",
+        `  1. Run \`ouro auth --agent ${agentName} --provider openai-codex\``,
+        "  2. This provider uses chatgpt.com/backend-api/codex/responses (not api.openai.com/responses).",
+        "  3. After reauth, retry the failed ouro command or reconnect this session.",
     ].join("\n");
 }
 function getOpenAICodexReauthGuidance(reason) {
@@ -95,7 +90,7 @@ function createOpenAICodexProviderRuntime(model, codexConfig = (0, config_1.getO
         meta: { provider: "openai-codex" },
     });
     if (!codexConfig.oauthAccessToken) {
-        throw new Error(getOpenAICodexReauthGuidance("provider 'openai-codex' is selected in agent.json but providers.openai-codex.oauthAccessToken is missing in secrets.json."));
+        throw new Error(getOpenAICodexReauthGuidance("provider 'openai-codex' is selected but openai-codex.oauthAccessToken is missing in the agent vault."));
     }
     const token = codexConfig.oauthAccessToken.trim();
     if (!token) {

package/dist/repertoire/bitwarden-store.js

@@ -2,24 +2,59 @@
 /**
  * Bitwarden CLI credential store — wraps `bw` CLI for the agent's own vault.
  *
- * Unlike AacCredentialStore (which accesses someone else's vault via approval),
- * this store authenticates directly as the agent using its own master password.
+ * This store authenticates directly as the agent using its own master password.
  * The agent owns the vault, so no human-in-the-loop is needed.
  *
  * Requires the `bw` CLI to be installed. Session tokens are cached process-local.
  */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.BitwardenCredentialStore = void 0;
 const node_child_process_1 = require("node:child_process");
+const fs = __importStar(require("node:fs"));
 const runtime_1 = require("../nerves/runtime");
 const bw_installer_1 = require("./bw-installer");
 // ---------------------------------------------------------------------------
 // bw CLI wrapper
 // ---------------------------------------------------------------------------
-function execBw(args, sessionToken) {
-    const env = sessionToken
-        ? { ...process.env, BW_SESSION: sessionToken }
-        : process.env;
+function execBw(args, sessionToken, appDataDir) {
+    const env = {
+        ...process.env,
+        ...(sessionToken ? { BW_SESSION: sessionToken } : {}),
+        ...(appDataDir ? { BITWARDENCLI_APPDATA_DIR: appDataDir } : {}),
+    };
     return new Promise((resolve, reject) => {
         (0, node_child_process_1.execFile)("bw", args, { timeout: 30_000, env }, (err, stdout) => {
             if (err) {
@@ -62,11 +97,13 @@ class BitwardenCredentialStore {
     serverUrl;
     email;
     masterPassword;
+    appDataDir;
     sessionToken = null;
-    constructor(serverUrl, email, masterPassword) {
+    constructor(serverUrl, email, masterPassword, options = {}) {
         this.serverUrl = serverUrl;
         this.email = email;
         this.masterPassword = masterPassword;
+        this.appDataDir = options.appDataDir;
     }
     isReady() {
         return true;
@@ -79,6 +116,9 @@ class BitwardenCredentialStore {
     async login() {
         // Ensure bw CLI is installed before any bw commands
         await (0, bw_installer_1.ensureBwCli)();
+        if (this.appDataDir) {
+            fs.mkdirSync(this.appDataDir, { recursive: true, mode: 0o700 });
+        }
         let lastError;
         for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
             try {
@@ -112,7 +152,7 @@ class BitwardenCredentialStore {
         // Check current status
         let status = {};
         try {
-            const raw = await execBw(["status"]);
+            const raw = await execBw(["status"], undefined, this.appDataDir);
             status = JSON.parse(raw);
         }
         catch (err) {
@@ -125,7 +165,7 @@ class BitwardenCredentialStore {
         // Configure server URL if needed (only works when logged out)
         if (status.status === "unauthenticated" || !status.serverUrl) {
             try {
-                await execBw(["config", "server", this.serverUrl]);
+                await execBw(["config", "server", this.serverUrl], undefined, this.appDataDir);
             }
             catch {
                 // "Logout required" means already logged in — that's fine, skip config
@@ -133,12 +173,12 @@ class BitwardenCredentialStore {
         }
         if (status.status === "locked") {
             // Already logged in, just needs unlock
-            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"]);
+            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"], undefined, this.appDataDir);
             this.sessionToken = unlockOutput.trim();
         }
         else if (status.status === "unauthenticated" || !status.status) {
             // Not logged in — full login
-            const loginOutput = await execBw(["login", this.email, this.masterPassword, "--raw"]);
+            const loginOutput = await execBw(["login", this.email, this.masterPassword, "--raw"], undefined, this.appDataDir);
             try {
                 const parsed = JSON.parse(loginOutput);
                 this.sessionToken = parsed.access_token ?? loginOutput.trim();
@@ -149,7 +189,7 @@ class BitwardenCredentialStore {
         }
         else {
             // Status is "unlocked" — already good, just need the session token
-            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"]);
+            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"], undefined, this.appDataDir);
             this.sessionToken = unlockOutput.trim();
         }
     }
@@ -221,8 +261,9 @@ class BitwardenCredentialStore {
             meta: { domain, backend: "bitwarden" },
         });
         const session = await this.ensureSession();
-        // Create a new login item
+        const existing = await this.findItemByDomain(domain, session);
         const item = {
+            ...(existing ?? {}),
             type: 1, // Login type
             name: domain,
             login: {
@@ -233,7 +274,12 @@ class BitwardenCredentialStore {
             notes: data.notes ?? null,
         };
         const encoded = Buffer.from(JSON.stringify(item)).toString("base64");
-        await execBw(["create", "item", encoded], session);
+        if (existing) {
+            await execBw(["edit", "item", existing.id, encoded], session, this.appDataDir);
+        }
+        else {
+            await execBw(["create", "item", encoded], session, this.appDataDir);
+        }
         (0, runtime_1.emitNervesEvent)({
             event: "repertoire.bw_credential_store_end",
             component: "repertoire",
@@ -250,7 +296,7 @@ class BitwardenCredentialStore {
         });
         const session = await this.ensureSession();
         try {
-            const stdout = await execBw(["list", "items"], session);
+            const stdout = await execBw(["list", "items"], session, this.appDataDir);
             const items = JSON.parse(stdout);
             const results = items.map((item) => ({
                 domain: item.name,
@@ -294,7 +340,7 @@ class BitwardenCredentialStore {
             });
             return false;
         }
-        await execBw(["delete", "item", item.id], session);
+        await execBw(["delete", "item", item.id], session, this.appDataDir);
         (0, runtime_1.emitNervesEvent)({
             event: "repertoire.bw_credential_delete_end",
             component: "repertoire",
@@ -306,7 +352,7 @@ class BitwardenCredentialStore {
     // --- Private ---
     async findItemByDomain(domain, session) {
         try {
-            const stdout = await execBw(["list", "items", "--search", domain], session);
+            const stdout = await execBw(["list", "items", "--search", domain], session, this.appDataDir);
             const items = JSON.parse(stdout);
             // Find exact match by name
             return items.find((item) => item.name === domain) ?? items[0] ?? null;

package/dist/repertoire/bundle-templates.js

@@ -8,7 +8,7 @@
  *
  *   - Runtime state (sessions, logs, runtime files) — stale data with no
  *     value for review or history.
- *   - Credentials — real secrets live in `~/.agentsecrets`, but defense
+ *   - Credentials — real secrets live in the agent vault, but defense
  *     in depth in case anything leaks into the bundle.
  *   - Editor / OS noise (.DS_Store, .idea/, etc.).
  *   - Build artifacts (rare in bundles, but possible).
@@ -32,7 +32,7 @@ exports.PII_BUNDLE_DIRECTORIES = exports.BUNDLE_GITIGNORE_TEMPLATE = void 0;
 exports.BUNDLE_GITIGNORE_TEMPLATE = `# Runtime state — sessions, logs, runtime files, never tracked
 state/
 
-# Credentials — never tracked. Real secrets live in ~/.agentsecrets, but
+# Credentials — never tracked. Real secrets live in the agent vault, but
 # defense in depth in case anything leaks into the bundle.
 .env
 .env.*