@ouro.bot/cli 0.1.0-alpha.364 → 0.1.0-alpha.366

package/dist/heart/daemon/agent-config-check.js

@@ -42,7 +42,7 @@ const runtime_1 = require("../../nerves/runtime");
 const provider_models_1 = require("../provider-models");
 const machine_identity_1 = require("../machine-identity");
 const provider_state_1 = require("../provider-state");
-const provider_credential_pool_1 = require("../provider-credential-pool");
+const provider_credentials_1 = require("../provider-credentials");
 function isAgentProvider(value) {
     return Object.prototype.hasOwnProperty.call(identity_1.PROVIDER_CREDENTIALS, value);
 }
@@ -52,20 +52,6 @@ function agentRootFor(agentName, bundlesRoot) {
 function configPathFor(agentName, bundlesRoot) {
     return path.join(agentRootFor(agentName, bundlesRoot), "agent.json");
 }
-function formatFacingList(facings) {
-    if (facings.length === 1)
-        return facings[0];
-    return `${facings.slice(0, -1).join(", ")} and ${facings[facings.length - 1]}`;
-}
-function selectedProviderMap(selectedProviders) {
-    const byProvider = new Map();
-    for (const selected of selectedProviders) {
-        const facings = byProvider.get(selected.provider) ?? [];
-        facings.push(selected.facing);
-        byProvider.set(selected.provider, facings);
-    }
-    return byProvider;
-}
 function resolveFacingProvider(parsed, facing, agentName, agentJsonPath) {
     const raw = parsed[facing];
     if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
@@ -101,114 +87,6 @@ function resolveFacingProvider(parsed, facing, agentName, agentJsonPath) {
     }
     return { ok: true, selected: { facing, provider } };
 }
-function resolveSelectedProviders(parsed, agentName, agentJsonPath) {
-    const hasHumanFacing = parsed.humanFacing !== undefined;
-    const hasAgentFacing = parsed.agentFacing !== undefined;
-    if (!hasHumanFacing && !hasAgentFacing && typeof parsed.provider === "string") {
-        if (!isAgentProvider(parsed.provider)) {
-            return {
-                ok: false,
-                result: {
-                    ok: false,
-                    error: `Unknown provider '${parsed.provider}' in agent.json for '${agentName}'`,
-                    fix: `Set provider to one of: ${Object.keys(identity_1.PROVIDER_CREDENTIALS).join(", ")}`,
-                },
-            };
-        }
-        return { ok: true, selectedProviders: [{ facing: "provider", provider: parsed.provider }] };
-    }
-    const human = resolveFacingProvider(parsed, "humanFacing", agentName, agentJsonPath);
-    if (!human.ok)
-        return human;
-    const agent = resolveFacingProvider(parsed, "agentFacing", agentName, agentJsonPath);
-    if (!agent.ok)
-        return agent;
-    return { ok: true, selectedProviders: [human.selected, agent.selected] };
-}
-function readConfigCheckContext(agentName, bundlesRoot, secretsRoot) {
-    const agentJsonPath = path.join(bundlesRoot, `${agentName}.ouro`, "agent.json");
-    let raw;
-    try {
-        raw = fs.readFileSync(agentJsonPath, "utf-8");
-    }
-    catch {
-        return {
-            ok: false,
-            result: {
-                ok: false,
-                error: `agent.json not found at ${agentJsonPath}`,
-                fix: `Run 'ouro hatch ${agentName}' to create the agent bundle, or verify that ${bundlesRoot}/${agentName}.ouro/ exists.`,
-            },
-        };
-    }
-    let parsed;
-    try {
-        parsed = JSON.parse(raw);
-    }
-    catch {
-        return {
-            ok: false,
-            result: {
-                ok: false,
-                error: `agent.json at ${agentJsonPath} contains invalid JSON`,
-                fix: `Open ${agentJsonPath} and fix the JSON syntax.`,
-            },
-        };
-    }
-    // Disabled agents are valid — they just won't run
-    if (parsed.enabled === false) {
-        return {
-            ok: true,
-            context: {
-                agentJsonPath,
-                secretsJsonPath: path.join(secretsRoot, agentName, "secrets.json"),
-                providers: {},
-                selectedProviders: [],
-            },
-        };
-    }
-    const selected = resolveSelectedProviders(parsed, agentName, agentJsonPath);
-    if (!selected.ok)
-        return selected;
-    const secretsJsonPath = path.join(secretsRoot, agentName, "secrets.json");
-    let secrets;
-    try {
-        const secretsRaw = fs.readFileSync(secretsJsonPath, "utf-8");
-        secrets = JSON.parse(secretsRaw);
-    }
-    catch {
-        const firstProvider = selected.selectedProviders[0].provider;
-        return {
-            ok: false,
-            result: {
-                ok: false,
-                error: `secrets.json not found or unreadable at ${secretsJsonPath}`,
-                fix: `Run 'ouro auth --agent ${agentName} --provider ${firstProvider}' to configure credentials, or create ${secretsJsonPath} with providers.${firstProvider} credentials.`,
-            },
-        };
-    }
-    const providers = secrets.providers;
-    if (!providers || typeof providers !== "object" || Array.isArray(providers)) {
-        const firstProvider = selected.selectedProviders[0].provider;
-        return {
-            ok: false,
-            result: {
-                ok: false,
-                error: `secrets.json for '${agentName}' is missing providers object`,
-                fix: `Run 'ouro auth --agent ${agentName} --provider ${firstProvider}' to configure credentials.`,
-            },
-        };
-    }
-    return {
-        ok: true,
-        context: {
-            agentJsonPath,
-            secretsJsonPath,
-            providers,
-            selectedProviders: selected.selectedProviders,
-        },
-    };
-}
 function readAgentConfigForProviderState(agentName, bundlesRoot) {
     const agentJsonPath = configPathFor(agentName, bundlesRoot);
     let raw;
@@ -270,7 +148,7 @@ function bootstrapMissingProviderState(input) {
     if (!inner.ok)
         return { ok: false, error: inner.result.error, fix: inner.result.fix };
     const now = new Date();
-    const homeDir = (0, provider_credential_pool_1.providerCredentialHomeDirFromSecretsRoot)(input.secretsRoot);
+    const homeDir = (0, provider_credentials_1.providerCredentialMachineHomeDir)(input.homeDir);
     const machine = (0, machine_identity_1.loadOrCreateMachineIdentity)({ homeDir, now: () => now });
     const state = (0, provider_state_1.bootstrapProviderStateFromAgentConfig)({
         machineId: machine.machineId,
@@ -290,7 +168,7 @@ function bootstrapMissingProviderState(input) {
     });
     return { ok: true, agentRoot, state };
 }
-function readOrBootstrapProviderStateForCheck(agentName, bundlesRoot, secretsRoot) {
+function readOrBootstrapProviderStateForCheck(agentName, bundlesRoot, deps = {}) {
     const configResult = readAgentConfigForProviderState(agentName, bundlesRoot);
     if (!configResult.ok)
         return { ok: false, result: configResult.result };
@@ -314,61 +192,14 @@ function readOrBootstrapProviderStateForCheck(agentName, bundlesRoot, secretsRoo
     const bootstrap = bootstrapMissingProviderState({
         agentName,
         bundlesRoot,
-        secretsRoot,
         parsed: configResult.parsed,
         agentJsonPath: configResult.agentJsonPath,
+        homeDir: deps.homeDir,
     });
     if (!bootstrap.ok)
         return { ok: false, result: bootstrap };
     return { ok: true, disabled: false, agentRoot: bootstrap.agentRoot, state: bootstrap.state };
 }
-function validateSelectedProviderSecrets(agentName, context) {
-    for (const [provider, facings] of selectedProviderMap(context.selectedProviders)) {
-        const desc = identity_1.PROVIDER_CREDENTIALS[provider];
-        const providerSecrets = context.providers[provider];
-        const selectedBy = formatFacingList(facings);
-        if (!providerSecrets) {
-            return {
-                ok: false,
-                error: `secrets.json for '${agentName}' is missing providers.${provider} section selected by ${selectedBy}`,
-                fix: `Run 'ouro auth --agent ${agentName} --provider ${provider}' to configure ${provider} credentials.`,
-            };
-        }
-        // Azure special case: managed identity only needs endpoint + deployment.
-        if (provider === "azure") {
-            const hasEndpoint = typeof providerSecrets.endpoint === "string" && providerSecrets.endpoint.length > 0;
-            const hasDeployment = typeof providerSecrets.deployment === "string" && providerSecrets.deployment.length > 0;
-            const hasManagedId = typeof providerSecrets.managedIdentityClientId === "string" && providerSecrets.managedIdentityClientId.length > 0;
-            if (hasEndpoint && hasDeployment && hasManagedId) {
-                continue;
-            }
-        }
-        const missing = desc.required.filter((field) => {
-            const val = providerSecrets[field];
-            return typeof val !== "string" || val.length === 0;
-        });
-        if (missing.length > 0) {
-            return {
-                ok: false,
-                error: `secrets.json for '${agentName}' is missing required ${provider} credentials selected by ${selectedBy}: ${missing.join(", ")}`,
-                fix: `Run 'ouro auth --agent ${agentName} --provider ${provider}' to set up ${provider} credentials, or add the missing fields to providers.${provider} in ${context.secretsJsonPath}.`,
-            };
-        }
-    }
-    return { ok: true };
-}
-function emitConfigValid(agentName, context, liveProviderCheck) {
-    (0, runtime_1.emitNervesEvent)({
-        component: "daemon",
-        event: "daemon.agent_config_valid",
-        message: "agent config validation passed",
-        meta: {
-            agent: agentName,
-            providers: [...selectedProviderMap(context.selectedProviders).keys()],
-            liveProviderCheck,
-        },
-    });
-}
 function providerCredentialConfig(record) {
     return {
         ...record.credentials,
@@ -395,65 +226,38 @@ function writeLaneReadiness(input) {
     };
     (0, provider_state_1.writeProviderState)(input.agentRoot, input.state);
 }
-function legacyProviderCredentialCandidates(agentName, secretsRoot) {
-    const secretsPath = path.join(secretsRoot, agentName, "secrets.json");
-    let parsed;
-    try {
-        parsed = JSON.parse(fs.readFileSync(secretsPath, "utf-8"));
-    }
-    catch {
-        return [];
-    }
-    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
-        return [];
-    const providers = parsed.providers;
-    if (!providers || typeof providers !== "object" || Array.isArray(providers))
-        return [];
-    const candidates = [];
-    for (const [providerKey, rawConfig] of Object.entries(providers)) {
-        if (!isAgentProvider(providerKey) || !rawConfig || typeof rawConfig !== "object" || Array.isArray(rawConfig)) {
-            continue;
-        }
-        const split = (0, provider_credential_pool_1.splitProviderCredentialFields)(providerKey, rawConfig);
-        if (Object.keys(split.credentials).length === 0 && Object.keys(split.config).length === 0)
-            continue;
-        candidates.push({ provider: providerKey, credentials: split.credentials, config: split.config });
-    }
-    return candidates;
-}
-function readPoolWithLegacyMigration(agentName, homeDir, secretsRoot) {
-    const initial = (0, provider_credential_pool_1.readProviderCredentialPool)(homeDir);
-    if (initial.ok || initial.reason === "invalid")
-        return initial;
-    const candidates = legacyProviderCredentialCandidates(agentName, secretsRoot);
-    for (const candidate of candidates) {
-        (0, provider_credential_pool_1.upsertProviderCredential)({
-            homeDir,
-            provider: candidate.provider,
-            credentials: candidate.credentials,
-            config: candidate.config,
-            provenance: {
-                source: "legacy-agent-secrets",
-                contributedByAgent: agentName,
-            },
-        });
-    }
-    return candidates.length > 0 ? (0, provider_credential_pool_1.readProviderCredentialPool)(homeDir) : initial;
-}
-function missingCredentialResult(agentName, lane, provider, model, poolPath) {
+function missingCredentialResult(agentName, lane, provider, model, credentialPath) {
     return {
         ok: false,
-        error: `${lane} provider ${provider} model ${model} has no credentials in the machine provider pool at ${poolPath}`,
+        error: `${lane} provider ${provider} model ${model} has no credentials in ${agentName}'s vault at ${credentialPath}`,
         fix: `Run 'ouro auth --agent ${agentName} --provider ${provider}' to authenticate this machine, or run 'ouro use --agent ${agentName} --lane ${lane} --provider <provider> --model <model>' to choose a working provider/model.`,
     };
 }
 function invalidPoolResult(agentName, lane, provider, model, pool) {
+    if (pool.reason === "unavailable" && isVaultLockedError(pool.error)) {
+        return {
+            ok: false,
+            error: `${lane} provider ${provider} model ${model} cannot read provider credentials because ${agentName}'s credential vault is locked on this machine.`,
+            fix: `Run 'ouro vault unlock --agent ${agentName}', then run 'ouro up' again.`,
+        };
+    }
+    if (pool.reason === "invalid") {
+        return {
+            ok: false,
+            error: `${lane} provider ${provider} model ${model} cannot read provider credentials from ${agentName}'s vault at ${pool.poolPath}: ${pool.error}`,
+            fix: `Run 'ouro auth --agent ${agentName} --provider ${provider}' to rewrite this provider credential, then run 'ouro up' again.`,
+        };
+    }
     return {
         ok: false,
-        error: `${lane} provider ${provider} model ${model} cannot read machine provider credentials at ${pool.poolPath}: ${pool.error}`,
-        fix: `Fix ${pool.poolPath}, then run 'ouro auth --agent ${agentName} --provider ${provider}' or 'ouro use --agent ${agentName} --lane ${lane} --provider <provider> --model <model> --force'.`,
+        error: `${lane} provider ${provider} model ${model} cannot read provider credentials from ${agentName}'s vault at ${pool.poolPath}: ${pool.error}`,
+        fix: `Run 'ouro vault unlock --agent ${agentName}', then run 'ouro up' again. If the credential is missing or stale after unlock, run 'ouro auth --agent ${agentName} --provider ${provider}'.`,
     };
 }
+function isVaultLockedError(error) {
+    const normalized = error.toLowerCase();
+    return /(?:ouro )?credential vault is locked|vault(?: is)? locked/.test(normalized);
+}
 function failedPingResult(agentName, lane, provider, model, result) {
     return {
         ok: false,
@@ -465,30 +269,47 @@ function credentialRecordForLane(pool, provider) {
     return pool.providers[provider];
 }
 /**
- * Pre-spawn validation: ensures agent.json exists and required secrets are present.
- * Returns `{ ok: true }` when the agent is ready to run, or a descriptive error
- * with an actionable fix message when something is missing.
+ * Structural validation only. Live provider credential validation belongs to
+ * checkAgentConfigWithProviderHealth(), which reads the agent vault and pings.
  */
-function checkAgentConfig(agentName, bundlesRoot, secretsRoot) {
-    const contextResult = readConfigCheckContext(agentName, bundlesRoot, secretsRoot);
-    if (!contextResult.ok)
-        return contextResult.result;
-    const context = contextResult.context;
-    const structural = validateSelectedProviderSecrets(agentName, context);
-    if (!structural.ok)
-        return structural;
-    emitConfigValid(agentName, context, false);
+function checkAgentConfig(agentName, bundlesRoot) {
+    const configResult = readAgentConfigForProviderState(agentName, bundlesRoot);
+    if (!configResult.ok)
+        return configResult.result;
+    if (configResult.disabled)
+        return { ok: true };
+    const outward = readFacingForBootstrap(configResult.parsed, "humanFacing", agentName, configResult.agentJsonPath);
+    if (!outward.ok)
+        return outward.result;
+    const inner = readFacingForBootstrap(configResult.parsed, "agentFacing", agentName, configResult.agentJsonPath);
+    if (!inner.ok)
+        return inner.result;
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.agent_config_valid",
+        message: "agent config validation passed",
+        meta: {
+            agent: agentName,
+            providers: [...new Set([outward.provider, inner.provider])],
+            liveProviderCheck: false,
+        },
+    });
     return { ok: true };
 }
-async function checkAgentConfigWithProviderHealth(agentName, bundlesRoot, secretsRoot, deps = {}) {
-    const stateResult = readOrBootstrapProviderStateForCheck(agentName, bundlesRoot, secretsRoot);
+async function checkAgentConfigWithProviderHealth(agentName, bundlesRoot, secretsRootOrDeps = {}, maybeDeps = {}) {
+    const deps = typeof secretsRootOrDeps === "string"
+        ? {
+            ...maybeDeps,
+            homeDir: maybeDeps.homeDir ?? (path.basename(secretsRootOrDeps) === ".agentsecrets" ? path.dirname(secretsRootOrDeps) : undefined),
+        }
+        : secretsRootOrDeps;
+    const stateResult = readOrBootstrapProviderStateForCheck(agentName, bundlesRoot, deps);
     if (!stateResult.ok)
         return stateResult.result;
     if (stateResult.disabled)
         return { ok: true };
     const ping = deps.pingProvider ?? (await Promise.resolve().then(() => __importStar(require("../provider-ping")))).pingProvider;
-    const homeDir = (0, provider_credential_pool_1.providerCredentialHomeDirFromSecretsRoot)(secretsRoot);
-    const poolResult = readPoolWithLegacyMigration(agentName, homeDir, secretsRoot);
+    const poolResult = await (0, provider_credentials_1.refreshProviderCredentialPool)(agentName);
     const pingGroups = new Map();
     const lanes = ["outward", "inner"];
     for (const lane of lanes) {
@@ -499,7 +320,7 @@ async function checkAgentConfigWithProviderHealth(agentName, bundlesRoot, secret
             }
             return invalidPoolResult(agentName, lane, binding.provider, binding.model, {
                 ...poolResult,
-                reason: "invalid",
+                reason: poolResult.reason,
             });
         }
         const record = credentialRecordForLane(poolResult.pool, binding.provider);

package/dist/heart/daemon/agentic-repair.js

@@ -48,6 +48,7 @@ function makeInteractiveRepairDeps(deps) {
         writeStdout: deps.writeStdout,
         /* v8 ignore next -- fallback no-op: tests always inject runAuthFlow; default is for production @preserve */
         runAuthFlow: deps.runAuthFlow ?? (async () => undefined),
+        runVaultUnlock: deps.runVaultUnlock,
     };
 }
 function discoveredProviderModel(provider) {
@@ -111,7 +112,7 @@ async function runAgenticRepair(degraded, deps) {
     // Try to discover a working provider for agentic diagnosis
     let discoveredProvider = null;
     try {
-        discoveredProvider = await deps.discoverWorkingProvider();
+        discoveredProvider = await deps.discoverWorkingProvider(degraded[0].agent);
     }
     catch (error) {
         const msg = error instanceof Error ? error.message : String(error);

package/dist/heart/daemon/cli-defaults.js

@@ -42,7 +42,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.defaultStartDaemonProcess = defaultStartDaemonProcess;
 exports.readFirstBundleMetaVersion = readFirstBundleMetaVersion;
 exports.defaultListDiscoveredAgents = defaultListDiscoveredAgents;
-exports.discoverExistingCredentials = discoverExistingCredentials;
 exports.defaultRunSerpentGuide = defaultRunSerpentGuide;
 exports.createDefaultOuroCliDeps = createDefaultOuroCliDeps;
 const child_process_1 = require("child_process");
@@ -73,6 +72,7 @@ const auth_flow_1 = require("../auth/auth-flow");
 const provider_models_1 = require("../provider-models");
 const cli_parse_1 = require("./cli-parse");
 const provider_discovery_1 = require("./provider-discovery");
+const provider_credentials_1 = require("../provider-credentials");
 // ── Default implementations ──
 function defaultStartDaemonProcess(socketPath) {
     const entry = path.join((0, identity_1.getRepoRoot)(), "dist", "heart", "daemon", "daemon-entry.js");
@@ -228,65 +228,10 @@ function defaultListDiscoveredAgents() {
         readFileSync: fs.readFileSync,
     });
 }
-// ── Credential discovery ──
-function discoverExistingCredentials(secretsRoot) {
-    const found = [];
-    let entries;
-    try {
-        entries = fs.readdirSync(secretsRoot, { withFileTypes: true });
-    }
-    catch {
-        return found;
-    }
-    for (const entry of entries) {
-        if (!entry.isDirectory())
-            continue;
-        const secretsPath = path.join(secretsRoot, entry.name, "secrets.json");
-        let raw;
-        try {
-            raw = fs.readFileSync(secretsPath, "utf-8");
-        }
-        catch {
-            continue;
-        }
-        let parsed;
-        try {
-            parsed = JSON.parse(raw);
-        }
-        catch {
-            continue;
-        }
-        if (!parsed.providers)
-            continue;
-        for (const [provName, provConfig] of Object.entries(parsed.providers)) {
-            const desc = identity_1.PROVIDER_CREDENTIALS[provName];
-            /* v8 ignore next -- guard: unknown provider names in stored secrets @preserve */
-            if (!desc)
-                continue;
-            const hasRequired = desc.required.every((key) => !!provConfig[key]);
-            if (hasRequired) {
-                const credentials = {};
-                for (const key of Object.keys(provConfig))
-                    credentials[key] = provConfig[key];
-                found.push({ agentName: entry.name, provider: provName, credentials, providerConfig: { ...provConfig } });
-            }
-        }
-    }
-    // Deduplicate by provider+credential value (keep first seen)
-    const seen = new Set();
-    return found.filter((cred) => {
-        const key = `${cred.provider}:${JSON.stringify(cred.credentials)}`;
-        if (seen.has(key))
-            return false;
-        seen.add(key);
-        return true;
-    });
-}
 // ── Serpent guide (interactive hatch) ──
 /* v8 ignore start -- integration: interactive terminal specialist session @preserve */
 async function defaultRunSerpentGuide() {
     const { runCliSession } = await Promise.resolve().then(() => __importStar(require("../../senses/cli")));
-    const { patchRuntimeConfig } = await Promise.resolve().then(() => __importStar(require("../config")));
     const { setAgentName, setAgentConfigOverride } = await Promise.resolve().then(() => __importStar(require("../identity")));
     const readlinePromises = await Promise.resolve().then(() => __importStar(require("readline/promises")));
     const crypto = await Promise.resolve().then(() => __importStar(require("crypto")));
@@ -301,8 +246,7 @@ async function defaultRunSerpentGuide() {
     let providerConfig = {};
     const tempDir = path.join(os.tmpdir(), `ouro-hatch-${crypto.randomUUID()}`);
     try {
-        const secretsRoot = path.join(os.homedir(), ".agentsecrets");
-        const discovered = discoverExistingCredentials(secretsRoot);
+        const discovered = [];
         const existingBundleCount = (0, specialist_orchestrator_1.listExistingBundles)((0, identity_1.getAgentBundlesRoot)()).length;
         const hatchVerb = existingBundleCount > 0 ? "let's hatch a new agent." : "let's hatch your first agent.";
         // Default models per provider (used when entering new credentials)
@@ -367,11 +311,20 @@ async function defaultRunSerpentGuide() {
         }
         coldRl.close();
         process.stdout.write("\n");
+        const selectedCredentialPayload = { ...providerConfig, ...credentials };
+        const split = (0, provider_credentials_1.splitProviderCredentialFields)(providerRaw, selectedCredentialPayload);
+        (0, provider_credentials_1.cacheProviderCredentialRecords)("SerpentGuide", [
+            (0, provider_credentials_1.createProviderCredentialRecord)({
+                provider: providerRaw,
+                credentials: split.credentials,
+                config: split.config,
+                provenance: { source: "manual" },
+            }),
+        ]);
         // Phase 2: configure runtime for serpent guide
         const bundleSourceDir = path.resolve(__dirname, "..", "..", "..", "SerpentGuide.ouro");
         const bundlesRoot = (0, identity_1.getAgentBundlesRoot)();
-        const secretsRoot2 = path.join(os.homedir(), ".agentsecrets");
-        // Suppress non-critical log noise during hatch (no secrets.json, etc.)
+        // Suppress non-critical log noise during hatch.
         const { setRuntimeLogger } = await Promise.resolve().then(() => __importStar(require("../../nerves/runtime")));
         const { createLogger } = await Promise.resolve().then(() => __importStar(require("../../nerves")));
         setRuntimeLogger(createLogger({ level: "error" }));
@@ -394,14 +347,9 @@ async function defaultRunSerpentGuide() {
             agentFacing: { provider: providerRaw, model: resolvedModel },
             phrases,
         });
-        patchRuntimeConfig({
-            providers: {
-                [providerRaw]: { ...providerConfig, ...credentials },
-            },
-        });
         // Ping-verify credentials before entering the serpent guide session
         const { pingProvider } = await Promise.resolve().then(() => __importStar(require("../provider-ping")));
-        const pingResult = await pingProvider(providerRaw, { ...providerConfig, ...credentials });
+        const pingResult = await pingProvider(providerRaw, selectedCredentialPayload);
         if (!pingResult.ok) {
             process.stdout.write(`credentials didn't work (${pingResult.message}). run 'ouro hatch' to try again.\n`);
             return null;
@@ -416,10 +364,9 @@ async function defaultRunSerpentGuide() {
         const specialistTools = (0, specialist_tools_1.getSpecialistTools)();
         const specialistExecTool = (0, specialist_tools_1.createSpecialistExecTool)({
             tempDir,
-            credentials,
+            credentials: selectedCredentialPayload,
             provider: providerRaw,
             bundlesRoot,
-            secretsRoot: secretsRoot2,
             animationWriter: (text) => process.stdout.write(text),
         });
         // Run the serpent guide session via runCliSession