@ouro.bot/cli 0.1.0-alpha.365 → 0.1.0-alpha.366

package/changelog.json

@@ -1,6 +1,14 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.366",
+      "changes": [
+        "`ouro up` now treats locked per-agent credential vaults as an unlock problem instead of a provider-auth problem, prompting `ouro vault unlock --agent <agent>` before any `ouro auth` repair flow.",
+        "Provider startup checks now preserve credential-pool `unavailable` state and show concise locked-vault guidance instead of nesting duplicate vault errors and secondary auth instructions.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault unlock repair release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.365",
       "changes": [

package/dist/heart/daemon/agent-config-check.js

@@ -234,12 +234,30 @@ function missingCredentialResult(agentName, lane, provider, model, credentialPat
     };
 }
 function invalidPoolResult(agentName, lane, provider, model, pool) {
+    if (pool.reason === "unavailable" && isVaultLockedError(pool.error)) {
+        return {
+            ok: false,
+            error: `${lane} provider ${provider} model ${model} cannot read provider credentials because ${agentName}'s credential vault is locked on this machine.`,
+            fix: `Run 'ouro vault unlock --agent ${agentName}', then run 'ouro up' again.`,
+        };
+    }
+    if (pool.reason === "invalid") {
+        return {
+            ok: false,
+            error: `${lane} provider ${provider} model ${model} cannot read provider credentials from ${agentName}'s vault at ${pool.poolPath}: ${pool.error}`,
+            fix: `Run 'ouro auth --agent ${agentName} --provider ${provider}' to rewrite this provider credential, then run 'ouro up' again.`,
+        };
+    }
     return {
         ok: false,
         error: `${lane} provider ${provider} model ${model} cannot read provider credentials from ${agentName}'s vault at ${pool.poolPath}: ${pool.error}`,
-        fix: `Run 'ouro vault unlock --agent ${agentName}', then run 'ouro auth --agent ${agentName} --provider ${provider}' if the credential is missing or stale.`,
+        fix: `Run 'ouro vault unlock --agent ${agentName}', then run 'ouro up' again. If the credential is missing or stale after unlock, run 'ouro auth --agent ${agentName} --provider ${provider}'.`,
     };
 }
+function isVaultLockedError(error) {
+    const normalized = error.toLowerCase();
+    return /(?:ouro )?credential vault is locked|vault(?: is)? locked/.test(normalized);
+}
 function failedPingResult(agentName, lane, provider, model, result) {
     return {
         ok: false,
@@ -302,7 +320,7 @@ async function checkAgentConfigWithProviderHealth(agentName, bundlesRoot, secret
             }
             return invalidPoolResult(agentName, lane, binding.provider, binding.model, {
                 ...poolResult,
-                reason: "invalid",
+                reason: poolResult.reason,
             });
         }
         const record = credentialRecordForLane(poolResult.pool, binding.provider);

package/dist/heart/daemon/agentic-repair.js

@@ -48,6 +48,7 @@ function makeInteractiveRepairDeps(deps) {
         writeStdout: deps.writeStdout,
         /* v8 ignore next -- fallback no-op: tests always inject runAuthFlow; default is for production @preserve */
         runAuthFlow: deps.runAuthFlow ?? (async () => undefined),
+        runVaultUnlock: deps.runVaultUnlock,
     };
 }
 function discoveredProviderModel(provider) {

package/dist/heart/daemon/cli-exec.js

@@ -1815,6 +1815,9 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
                         const authRunner = deps.runAuthFlow ?? (await Promise.resolve().then(() => __importStar(require("../auth/auth-flow")))).runRuntimeAuthFlow;
                         await authRunner({ agentName: agent, provider, promptInput: deps.promptInput });
                     },
+                    runVaultUnlock: async (agent) => {
+                        await executeVaultUnlock({ kind: "vault.unlock", agent }, deps);
+                    },
                 });
             }
         }

package/dist/heart/daemon/interactive-repair.js

@@ -14,8 +14,12 @@ function isCredentialIssue(degraded) {
     const hint = degraded.fixHint.toLowerCase();
     return reason.includes("credentials") || hint.includes("ouro auth");
 }
+function isVaultUnlockIssue(degraded) {
+    const text = `${degraded.errorReason}\n${degraded.fixHint}`.toLowerCase();
+    return /ouro vault unlock|credential vault is locked|vault(?: is)? locked/.test(text);
+}
 function isConfigError(degraded) {
-    return degraded.fixHint.length > 0 && !isCredentialIssue(degraded);
+    return degraded.fixHint.length > 0 && !isVaultUnlockIssue(degraded) && !isCredentialIssue(degraded);
 }
 function isAgentProvider(value) {
     return Object.prototype.hasOwnProperty.call(identity_1.PROVIDER_CREDENTIALS, value);
@@ -31,6 +35,10 @@ function authCommandFor(degraded) {
     const command = degraded.fixHint.match(/ouro auth[^\n.]+/)?.[0]?.trim();
     return command && command.length > 0 ? command : `ouro auth --agent ${degraded.agent}`;
 }
+function vaultUnlockCommandFor(degraded) {
+    const command = degraded.fixHint.match(/ouro vault unlock[^\n.]+/)?.[0]?.trim();
+    return command && command.length > 0 ? command : `ouro vault unlock --agent ${degraded.agent}`;
+}
 async function runInteractiveRepair(degraded, deps) {
     (0, runtime_1.emitNervesEvent)({
         level: "info",
@@ -44,7 +52,34 @@ async function runInteractiveRepair(degraded, deps) {
     }
     let repairsAttempted = false;
     for (const entry of degraded) {
-        if (isCredentialIssue(entry)) {
+        if (isVaultUnlockIssue(entry)) {
+            const unlockCommand = vaultUnlockCommandFor(entry);
+            const answer = await deps.promptInput(`run \`${unlockCommand}\` now? [y/n] `);
+            if (answer.toLowerCase() === "y") {
+                try {
+                    if (!deps.runVaultUnlock) {
+                        deps.writeStdout(`fix hint for ${entry.agent}: ${entry.fixHint}`);
+                    }
+                    else {
+                        await deps.runVaultUnlock(entry.agent);
+                        repairsAttempted = true;
+                    }
+                }
+                catch (error) {
+                    const msg = error instanceof Error ? error.message : String(error);
+                    deps.writeStdout(`vault unlock error for ${entry.agent}: ${msg}`);
+                    repairsAttempted = true;
+                    (0, runtime_1.emitNervesEvent)({
+                        level: "error",
+                        component: "daemon",
+                        event: "daemon.interactive_repair_vault_unlock_error",
+                        message: `vault unlock failed for ${entry.agent}`,
+                        meta: { agent: entry.agent, error: msg },
+                    });
+                }
+            }
+        }
+        else if (isCredentialIssue(entry)) {
             const provider = extractProviderFromFixHint(entry.fixHint);
             const authCommand = authCommandFor(entry);
             const answer = await deps.promptInput(`run \`${authCommand}\` now? [y/n] `);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.365",
+  "version": "0.1.0-alpha.366",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",