@ouro.bot/cli 0.1.0-alpha.376 → 0.1.0-alpha.377

package/README.md

@@ -11,7 +11,7 @@ Ouroboros is a TypeScript harness for daemon-managed agents that live in externa
 - `ouro up` starts the daemon from the installed production version, syncs the launcher, installs workflow helpers, and reconciles stale runtime state.
 - `ouro dev` starts the daemon from a local repo build. It auto-builds from source, disables launchd auto-restart (so the installed daemon doesn't respawn underneath you), persists the repo path in `~/.ouro-cli/dev-config.json` for next time, and force-restarts the daemon. If you run `ouro dev` from inside the repo, it detects the CWD automatically. Run `ouro up` to return to production mode (this also cleans up `dev-config.json`).
 - Agent bundles live outside the repo at `~/AgentBundles/<agent>.ouro/`.
-- Provider credentials live in the owning agent's Bitwarden/Vaultwarden vault. Tool/sense credential vault migration is a follow-up.
+- Credentials live in the owning agent's Bitwarden/Vaultwarden vault. Provider credentials use `providers/<provider>`, runtime/sense/integration credentials use `runtime/config`, and travel/tool credentials use ordinary vault credential items.
 - Vault coordinates and local runtime state live in the agent bundle; raw credentials do not.
 - Machine-scoped test and runtime spillover lives under `~/.agentstate/...`.
 
@@ -93,9 +93,9 @@ Task docs do not live in this repo anymore. Planning and doing docs live in the
 
 - `agent.json` is the source of truth for identity, phrase pools, context settings, enabled senses, and vault coordinates. Legacy `humanFacing`/`agentFacing` values are bootstrap inputs, not live machine fallback.
 - `state/providers.json` is the local source of truth for provider+model selection on this machine. It has two lanes: `outward` for CLI, Teams, and BlueBubbles turns, and `inner` for inner dialogue.
-- Each agent has one credential vault for provider credentials. There is no machine-wide provider credential pool.
+- Each agent has one credential vault for provider, runtime, sense, integration, travel, and tool credentials. There is no machine-wide credential pool.
 - Vault unlock material is local machine state. Prefer macOS Keychain, Windows DPAPI, or Linux Secret Service; plaintext fallback is allowed only by explicit human choice.
-- Provider credentials are loaded into daemon memory at startup/auth/unlock/refresh and reused. The remote vault is not queried for every model request.
+- Provider and runtime credentials are loaded into process memory at startup/auth/unlock/refresh and reused. The remote vault is not queried for every model or sense request.
 - The daemon discovers bundles dynamically from `~/AgentBundles`.
 - `ouro status` reports version, last-updated time, discovered agents, senses, and workers.
 - `bundle-meta.json` tracks the runtime version that last touched a bundle.
@@ -170,6 +170,8 @@ ouro logs
 ouro stop
 ouro vault unlock --agent <name>
 ouro vault status --agent <name>
+ouro vault config set --agent <name> --key bluebubbles.password
+ouro vault config status --agent <name>
 ouro auth --agent <name>
 ouro auth --agent <name> --provider <provider>
 ouro auth verify --agent <name> [--provider <provider>]

package/SerpentGuide.ouro/psyche/SOUL.md

@@ -21,5 +21,5 @@ I help humans hatch new agent partners. I am one of thirteen serpent guides —
 
 ## Filesystem orientation
 - Bundles live at `~/AgentBundles/<Name>.ouro/`.
-- Secrets live at `~/.agentsecrets/<name>/secrets.json`.
+- Credentials live in the hatchling agent's Bitwarden/Vaultwarden vault; I never persist credentials for myself.
 - I tell the human exactly where their hatchling was created.

package/changelog.json

@@ -1,6 +1,15 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.377",
+      "changes": [
+        "Runtime configuration now lives in each agent's vault as `runtime/config`, alongside provider credentials in `providers/*`, making the agent vault the single credential/config source of truth.",
+        "`ouro vault config set/status`, daemon startup, senses, prompt rendering, doctor checks, and provider repair paths now share the same vault-backed runtime config loader instead of reading or writing local `~/.agentsecrets` files.",
+        "Provider credentials, runtime config, and travel/tool credentials are documented as vault items; legacy local secrets paths are now only guarded against or reported as migration hazards.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault source-of-truth release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.376",
       "changes": [

package/dist/heart/agent-entry.js

@@ -35,17 +35,37 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 // Unified agent runtime entrypoint.
 // Requires --agent before importing runtime modules that rely on identity.
-if (!process.argv.includes("--agent")) {
+const agentArgIndex = process.argv.indexOf("--agent");
+const agentName = agentArgIndex >= 0 ? process.argv[agentArgIndex + 1] : undefined;
+if (!agentName) {
     // eslint-disable-next-line no-console -- pre-boot guard
     console.error("Missing required --agent <name> argument.\nUsage: node dist/heart/agent-entry.js --agent ouroboros");
     process.exit(1);
 }
 const cli_logging_1 = require("../nerves/cli-logging");
+const runtime_1 = require("../nerves/runtime");
 (0, cli_logging_1.configureCliRuntimeLogger)("self");
+(0, runtime_1.emitNervesEvent)({
+    component: "senses",
+    event: "senses.entry_boot",
+    message: "booting inner-dialog entrypoint",
+    meta: { entry: "inner-dialog", agentName },
+});
 // Dynamic import: agent-entry is boot-time wiring that starts a sense process.
 // Using dynamic import avoids a static heart/ -> senses/ dependency.
-Promise.resolve().then(() => __importStar(require("../senses/inner-dialog-worker"))).then(({ startInnerDialogWorker }) => startInnerDialogWorker())
+Promise.resolve().then(() => __importStar(require("./runtime-credentials"))).then(async ({ refreshRuntimeCredentialConfig }) => {
+    await refreshRuntimeCredentialConfig(agentName, { preserveCachedOnFailure: true }).catch(() => undefined);
+    const { startInnerDialogWorker } = await Promise.resolve().then(() => __importStar(require("../senses/inner-dialog-worker")));
+    await startInnerDialogWorker();
+})
     .catch((error) => {
+    (0, runtime_1.emitNervesEvent)({
+        level: "error",
+        component: "senses",
+        event: "senses.entry_error",
+        message: "inner-dialog entrypoint failed",
+        meta: { entry: "inner-dialog", agentName, error: error instanceof Error ? error.message : String(error) },
+    });
     // eslint-disable-next-line no-console -- fatal startup guard for worker process
     console.error(error instanceof Error ? error.message : String(error));
     process.exit(1);

package/dist/heart/config.js

@@ -35,6 +35,7 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.loadConfig = loadConfig;
 exports.resetConfigCache = resetConfigCache;
+exports.cacheRuntimeConfigForTests = cacheRuntimeConfigForTests;
 exports.patchRuntimeConfig = patchRuntimeConfig;
 exports.getAzureConfig = getAzureConfig;
 exports.getMinimaxConfig = getMinimaxConfig;
@@ -62,6 +63,7 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const identity_1 = require("./identity");
 const provider_credentials_1 = require("./provider-credentials");
+const runtime_credentials_1 = require("./runtime-credentials");
 const runtime_1 = require("../nerves/runtime");
 const DEFAULT_LOCAL_RUNTIME_CONFIG = {
     teams: {
@@ -119,9 +121,6 @@ function defaultRuntimeConfig() {
 let _runtimeConfigOverride = null;
 let _testContextOverride = null;
 let _providerConfigOverride = null;
-function resolveConfigPath() {
-    return (0, identity_1.getAgentSecretsPath)();
-}
 function deepMerge(defaults, partial) {
     const result = { ...defaults };
     for (const key of Object.keys(partial)) {
@@ -138,92 +137,26 @@ function deepMerge(defaults, partial) {
     }
     return result;
 }
+function localRuntimeFields(config) {
+    const { providers: _providers, context: _context, ...localFields } = config;
+    return localFields;
+}
 function loadConfig() {
-    const configPath = resolveConfigPath();
-    // Auto-create config directory if it doesn't exist
-    const configDir = path.dirname(configPath);
-    fs.mkdirSync(configDir, { recursive: true });
-    let fileData = {};
-    try {
-        const raw = fs.readFileSync(configPath, "utf-8");
-        fileData = JSON.parse(raw);
-    }
-    catch (error) {
-        const errorCode = error &&
-            typeof error === "object" &&
-            "code" in error &&
-            typeof error.code === "string"
-            ? error.code
-            : undefined;
-        if (errorCode === "ENOENT") {
-            try {
-                fs.writeFileSync(configPath, JSON.stringify(DEFAULT_LOCAL_RUNTIME_CONFIG, null, 2) + "\n", "utf-8");
-            }
-            catch (writeError) {
-                (0, runtime_1.emitNervesEvent)({
-                    level: "warn",
-                    event: "config_identity.error",
-                    component: "config/identity",
-                    message: "failed writing default secrets config",
-                    meta: {
-                        phase: "loadConfig",
-                        path: configPath,
-                        reason: writeError instanceof Error ? writeError.message : String(writeError),
-                    },
-                });
-            }
-        }
-        (0, runtime_1.emitNervesEvent)({
-            level: "warn",
-            event: "config_identity.error",
-            component: "config/identity",
-            message: "config read failed; defaults applied",
-            meta: {
-                phase: "loadConfig",
-                reason: error instanceof Error ? error.message : String(error),
-            },
-        });
-        // ENOENT or parse error -- use defaults
-    }
-    const sanitizedFileData = { ...fileData };
-    if ("providers" in sanitizedFileData) {
-        delete sanitizedFileData.providers;
-        (0, runtime_1.emitNervesEvent)({
-            level: "warn",
-            event: "config_identity.error",
-            component: "config/identity",
-            message: "ignored legacy providers block in secrets config",
-            meta: {
-                phase: "loadConfig",
-                path: configPath,
-            },
-        });
-    }
-    if ("context" in sanitizedFileData) {
-        delete sanitizedFileData.context;
-        (0, runtime_1.emitNervesEvent)({
-            level: "warn",
-            event: "config_identity.error",
-            component: "config/identity",
-            message: "ignored legacy context block in secrets config",
-            meta: {
-                phase: "loadConfig",
-                path: configPath,
-            },
-        });
-    }
-    const mergedConfig = deepMerge(defaultRuntimeConfig(), sanitizedFileData);
+    const runtimeResult = (0, runtime_credentials_1.readRuntimeCredentialConfig)((0, identity_1.getAgentName)());
+    const vaultData = runtimeResult.ok ? localRuntimeFields(runtimeResult.config) : {};
+    const mergedConfig = deepMerge(defaultRuntimeConfig(), vaultData);
     const config = _runtimeConfigOverride
         ? deepMerge(mergedConfig, _runtimeConfigOverride)
         : mergedConfig;
     (0, runtime_1.emitNervesEvent)({
         event: "config.load",
         component: "config/identity",
-        message: "config loaded from disk",
+        message: "config loaded from runtime credential cache",
         meta: {
-            source: "disk",
-            used_defaults_only: Object.keys(fileData).length === 0,
+            source: runtimeResult.ok ? "vault-cache" : "defaults",
+            used_defaults_only: !runtimeResult.ok,
             override_applied: _runtimeConfigOverride !== null,
+            runtime_credentials: runtimeResult.ok ? "available" : runtimeResult.reason,
         },
     });
     return config;
@@ -233,6 +166,10 @@ function resetConfigCache() {
     _testContextOverride = null;
     _providerConfigOverride = null;
     (0, provider_credentials_1.resetProviderCredentialCache)();
+    (0, runtime_credentials_1.resetRuntimeCredentialConfigCache)();
+}
+function cacheRuntimeConfigForTests(agentName, config) {
+    (0, runtime_credentials_1.cacheRuntimeCredentialConfig)(agentName, config, new Date(0));
 }
 function seedProviderCredentialCache(providers) {
     if (!providers)
@@ -340,10 +277,10 @@ function getBlueBubblesConfig() {
     const config = loadConfig();
     const { serverUrl, password, accountId } = config.bluebubbles;
     if (!serverUrl.trim()) {
-        throw new Error("bluebubbles.serverUrl is required in secrets.json to run the BlueBubbles sense.");
+        throw new Error("bluebubbles.serverUrl is required in the agent vault runtime/config item to run the BlueBubbles sense.");
     }
     if (!password.trim()) {
-        throw new Error("bluebubbles.password is required in secrets.json to run the BlueBubbles sense.");
+        throw new Error("bluebubbles.password is required in the agent vault runtime/config item to run the BlueBubbles sense.");
     }
     return {
         serverUrl: serverUrl.trim(),

package/dist/heart/daemon/agent-config-check.js

@@ -296,13 +296,7 @@ function checkAgentConfig(agentName, bundlesRoot) {
     });
     return { ok: true };
 }
-async function checkAgentConfigWithProviderHealth(agentName, bundlesRoot, secretsRootOrDeps = {}, maybeDeps = {}) {
-    const deps = typeof secretsRootOrDeps === "string"
-        ? {
-            ...maybeDeps,
-            homeDir: maybeDeps.homeDir ?? (path.basename(secretsRootOrDeps) === ".agentsecrets" ? path.dirname(secretsRootOrDeps) : undefined),
-        }
-        : secretsRootOrDeps;
+async function checkAgentConfigWithProviderHealth(agentName, bundlesRoot, deps = {}) {
     const stateResult = readOrBootstrapProviderStateForCheck(agentName, bundlesRoot, deps);
     if (!stateResult.ok)
         return stateResult.result;

package/dist/heart/daemon/bluebubbles-health-diagnostics.js

@@ -46,7 +46,7 @@ function formatBlueBubblesHealthcheckFailure(serverUrlInput, error) {
         case "network-error":
             return `Cannot reach BlueBubbles at ${serverUrl}. Check \`bluebubbles.serverUrl\`, confirm the BlueBubbles app/API is running, and verify this machine can reach it. Raw error: ${rawReason}`;
         case "auth-failure":
-            return `BlueBubbles auth failed at ${serverUrl} (HTTP ${status}). Check \`bluebubbles.password\` in secrets.json and confirm the server accepts it. Raw error: ${rawReason}`;
+            return `BlueBubbles auth failed at ${serverUrl} (HTTP ${status}). Check \`bluebubbles.password\` in the agent vault runtime/config item and confirm the server accepts it. Raw error: ${rawReason}`;
         case "server-error":
             return `BlueBubbles upstream returned HTTP ${status} at ${serverUrl}. Check the BlueBubbles app/server logs and confirm the upstream API is healthy. Raw error: ${rawReason}`;
         default:

package/dist/heart/daemon/cli-exec.js

@@ -69,6 +69,7 @@ const thoughts_1 = require("./thoughts");
 const launchd_1 = require("./launchd");
 const auth_flow_1 = require("../auth/auth-flow");
 const provider_credentials_1 = require("../provider-credentials");
+const runtime_credentials_1 = require("../runtime-credentials");
 const provider_binding_resolver_1 = require("../provider-binding-resolver");
 const provider_state_1 = require("../provider-state");
 const machine_identity_1 = require("../machine-identity");
@@ -667,7 +668,7 @@ async function executeVaultCreate(command, deps) {
         `vault created for ${command.agent}`,
         `vault: ${email} at ${serverUrl}`,
         `local unlock store: ${store.kind}${store.secure ? "" : " (explicit plaintext fallback)"}`,
-        "Provider credentials will be stored in this agent's Ouro credential vault.",
+        "All raw credentials for this agent will be stored in this Ouro credential vault.",
         ...(command.generateUnlockSecret
             ? [
                 "",
@@ -696,10 +697,21 @@ async function executeVaultStatus(command, deps) {
     const lines = [
         `agent: ${command.agent}`,
         `vault: ${vault.email} at ${vault.serverUrl}`,
+        `vault locator: ${config.vault ? "agent.json" : "default"}`,
         `local unlock store: ${status.store ? `${status.store.kind}${status.store.secure ? "" : " (explicit plaintext fallback)"}` : "unavailable"}`,
         `local unlock: ${status.stored ? "available" : "missing"}`,
     ];
     if (status.stored) {
+        const runtime = await (0, runtime_credentials_1.refreshRuntimeCredentialConfig)(command.agent, { preserveCachedOnFailure: true });
+        if (runtime.ok) {
+            lines.push(`runtime credentials: ${summarizeRuntimeConfigFields(runtime.config).join(", ") || "none stored"} (${runtime.revision})`);
+        }
+        else {
+            lines.push(`runtime credentials: ${runtime.reason} (${runtime.error})`);
+            if (runtime.reason === "missing") {
+                lines.push(`  fix: Run 'ouro vault config set --agent ${command.agent} --key <field>' to store sense/integration credentials.`);
+            }
+        }
         const pool = await (0, provider_credentials_1.refreshProviderCredentialPool)(command.agent);
         if (pool.ok) {
             const summary = (0, provider_credentials_1.summarizeProviderCredentialPool)(pool.pool);
@@ -720,6 +732,95 @@ async function executeVaultStatus(command, deps) {
     deps.writeStdout(message);
     return message;
 }
+const RUNTIME_CONFIG_KEY_SEGMENT = /^[A-Za-z][A-Za-z0-9_-]*$/;
+const FORBIDDEN_RUNTIME_CONFIG_KEY_SEGMENTS = new Set(["__proto__", "prototype", "constructor"]);
+function parseRuntimeConfigKey(key) {
+    const segments = key.split(".").map((segment) => segment.trim()).filter(Boolean);
+    if (segments.length < 2) {
+        throw new Error("runtime config key must be a dotted path such as bluebubbles.password");
+    }
+    for (const segment of segments) {
+        if (!RUNTIME_CONFIG_KEY_SEGMENT.test(segment) || FORBIDDEN_RUNTIME_CONFIG_KEY_SEGMENTS.has(segment)) {
+            throw new Error(`invalid runtime config key segment '${segment}'`);
+        }
+    }
+    return segments;
+}
+function setRuntimeConfigValue(config, key, value) {
+    const segments = parseRuntimeConfigKey(key);
+    const next = JSON.parse(JSON.stringify(config));
+    let cursor = next;
+    for (const segment of segments.slice(0, -1)) {
+        const existing = cursor[segment];
+        if (!existing || typeof existing !== "object" || Array.isArray(existing)) {
+            cursor[segment] = {};
+        }
+        cursor = cursor[segment];
+    }
+    cursor[segments[segments.length - 1]] = value;
+    return next;
+}
+function summarizeRuntimeConfigFields(config) {
+    const fields = [];
+    const visit = (prefix, value) => {
+        if (!value || typeof value !== "object" || Array.isArray(value)) {
+            fields.push(prefix);
+            return;
+        }
+        for (const [key, child] of Object.entries(value)) {
+            visit(prefix ? `${prefix}.${key}` : key, child);
+        }
+    };
+    visit("", config);
+    return fields.filter(Boolean).sort();
+}
+async function executeVaultConfigSet(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        throw new Error("SerpentGuide does not have persistent runtime credentials. Store credentials in the hatchling agent vault.");
+    }
+    const prompt = deps.promptInput;
+    const value = command.value ?? (prompt ? await prompt(`Value for ${command.key}: `) : "");
+    if (!value) {
+        throw new Error("vault config set requires --value <value> or an interactive prompt");
+    }
+    const current = await (0, runtime_credentials_1.refreshRuntimeCredentialConfig)(command.agent, { preserveCachedOnFailure: true });
+    if (!current.ok && current.reason !== "missing") {
+        throw new Error(`cannot read existing runtime credentials from ${current.itemPath}: ${current.error}`);
+    }
+    const nextConfig = setRuntimeConfigValue(current.ok ? current.config : {}, command.key, value);
+    const stored = await (0, runtime_credentials_1.upsertRuntimeCredentialConfig)(command.agent, nextConfig, providerCliNow(deps));
+    const message = [
+        `stored ${command.key} for ${command.agent} in the agent vault runtime/config item`,
+        `runtime credentials: ${stored.revision}`,
+        "value was not printed",
+    ].join("\n");
+    deps.writeStdout(message);
+    return message;
+}
+async function executeVaultConfigStatus(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        const message = "SerpentGuide has no persistent runtime credentials. Hatch bootstrap stores selected credentials in the hatchling vault.";
+        deps.writeStdout(message);
+        return message;
+    }
+    const runtime = await (0, runtime_credentials_1.refreshRuntimeCredentialConfig)(command.agent, { preserveCachedOnFailure: true });
+    const lines = [`agent: ${command.agent}`, `runtime config item: ${runtime.itemPath}`];
+    if (runtime.ok) {
+        lines.push(`status: available (${runtime.revision})`);
+        const fields = summarizeRuntimeConfigFields(runtime.config);
+        lines.push(`fields: ${fields.length === 0 ? "none stored" : fields.join(", ")}`);
+    }
+    else {
+        lines.push(`status: ${runtime.reason}`);
+        lines.push(`error: ${runtime.error}`);
+        lines.push(runtime.reason === "missing"
+            ? `fix: Run 'ouro vault config set --agent ${command.agent} --key <field>' to store runtime credentials.`
+            : `fix: Run 'ouro vault unlock --agent ${command.agent}', then retry.`);
+    }
+    const message = lines.join("\n");
+    deps.writeStdout(message);
+    return message;
+}
 function readOrBootstrapProviderState(agentName, deps) {
     const agentRoot = providerCliAgentRoot({ agent: agentName }, deps);
     const readResult = (0, provider_state_1.readProviderState)(agentRoot);
@@ -2452,6 +2553,12 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
     if (command.kind === "vault.status") {
         return executeVaultStatus(command, deps);
     }
+    if (command.kind === "vault.config.set") {
+        return executeVaultConfigSet(command, deps);
+    }
+    if (command.kind === "vault.config.status") {
+        return executeVaultConfigStatus(command, deps);
+    }
     // ── auth (local, no daemon socket needed) ──
     if (command.kind === "auth.run") {
         const provider = command.provider ?? (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot).config.humanFacing.provider;
@@ -2938,7 +3045,6 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             fetchImpl: deps.fetchImpl ?? fetch,
             socketPath: deps.socketPath,
             bundlesRoot: deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)(),
-            secretsRoot: deps.secretsRoot ?? path.join(os.homedir(), ".agentsecrets"),
             homedir: os.homedir(),
             envPath: process.env.PATH ?? "",
         };

package/dist/heart/daemon/cli-help.js

@@ -163,6 +163,13 @@ exports.COMMAND_REGISTRY = {
         example: "ouro auth --agent ouroboros",
         subcommands: ["verify", "switch"],
     },
+    vault: {
+        category: "Auth",
+        description: "Create, unlock, inspect, and populate the agent credential vault",
+        usage: "ouro vault <create|unlock|status|config> --agent <name>",
+        example: "ouro vault status --agent ouroboros",
+        subcommands: ["create", "unlock", "status", "config set", "config status"],
+    },
     thoughts: {
         category: "Internal",
         description: "View agent inner dialog thoughts",

package/dist/heart/daemon/cli-parse.js

@@ -76,6 +76,8 @@ function usage() {
         "  ouro vault create --agent <name> --email <email> [--server <url>] [--store <store>] [--generate-unlock-secret]",
         "  ouro vault unlock --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
         "  ouro vault status --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
+        "  ouro vault config set --agent <name> --key <path> [--value <value>]",
+        "  ouro vault config status --agent <name>",
         "  ouro chat <agent>",
         "  ouro msg --to <agent> [--session <id>] [--task <ref>] <message>",
         "  ouro poke <agent> --task <task-id>",
@@ -435,6 +437,8 @@ function isVaultUnlockStoreKind(value) {
 }
 function parseVaultCommand(args) {
     const sub = args[0];
+    if (sub === "config")
+        return parseVaultConfigCommand(args.slice(1));
     const { agent, rest } = extractAgentFlag(args.slice(1));
     let email;
     let serverUrl;
@@ -485,6 +489,39 @@ function parseVaultCommand(args) {
     }
     return { kind: "vault.status", agent, ...(store ? { store } : {}) };
 }
+function parseVaultConfigCommand(args) {
+    const sub = args[0];
+    const { agent, rest } = extractAgentFlag(args.slice(1));
+    let key;
+    let value;
+    for (let i = 0; i < rest.length; i += 1) {
+        const token = rest[i];
+        if (token === "--key") {
+            key = rest[i + 1];
+            i += 1;
+            continue;
+        }
+        if (token === "--value") {
+            value = rest[i + 1];
+            i += 1;
+            continue;
+        }
+        throw new Error("Usage: ouro vault config set --agent <name> --key <path> [--value <value>] OR ouro vault config status --agent <name>");
+    }
+    if (!agent || (sub !== "set" && sub !== "status")) {
+        throw new Error("Usage: ouro vault config set --agent <name> --key <path> [--value <value>] OR ouro vault config status --agent <name>");
+    }
+    if (sub === "status") {
+        if (key || value) {
+            throw new Error("Usage: ouro vault config status --agent <name>");
+        }
+        return { kind: "vault.config.status", agent };
+    }
+    if (!key) {
+        throw new Error("Usage: ouro vault config set --agent <name> --key <path> [--value <value>]");
+    }
+    return { kind: "vault.config.set", agent, key, ...(value !== undefined ? { value } : {}) };
+}
 function parseProviderUseCommand(args) {
     const { agent, rest: afterAgent } = extractAgentFlag(args);
     const { facing, rest: afterFacing } = extractFacingFlag(afterAgent);

package/dist/heart/daemon/doctor.js

@@ -18,6 +18,7 @@ exports.runDoctorChecks = runDoctorChecks;
 const runtime_1 = require("../../nerves/runtime");
 const bluebubbles_health_diagnostics_1 = require("./bluebubbles-health-diagnostics");
 const ouro_path_installer_1 = require("../versioning/ouro-path-installer");
+const runtime_credentials_1 = require("../runtime-credentials");
 const DEFAULT_BLUEBUBBLES_REQUEST_TIMEOUT_MS = 30_000;
 // ── Category checkers ──
 function checkCliPath(deps) {
@@ -87,14 +88,6 @@ function numberField(record, key, fallback) {
     const value = record?.[key];
     return typeof value === "number" && Number.isFinite(value) ? value : fallback;
 }
-function readJsonObject(deps, filePath) {
-    try {
-        return asRecord(JSON.parse(deps.readFileSync(filePath)));
-    }
-    catch {
-        return null;
-    }
-}
 const SENSITIVE_CONFIG_KEYS = ["apiKey", "token", "secret", "password"];
 function credentialKeyLeaks(raw) {
     return SENSITIVE_CONFIG_KEYS.filter((key) => raw.includes(`"${key}"`));
@@ -208,26 +201,19 @@ async function checkSenses(deps) {
                 });
             }
             if (sense === "bluebubbles" && senseObj.enabled === true) {
-                const secretsPath = `${deps.secretsRoot}/${agentName}/secrets.json`;
-                if (!deps.existsSync(secretsPath)) {
+                const runtimeConfig = await (0, runtime_credentials_1.refreshRuntimeCredentialConfig)(agentName, { preserveCachedOnFailure: true });
+                if (!runtimeConfig.ok) {
                     checks.push({
                         label: `${agentDir} bluebubbles config`,
                         status: "fail",
-                        detail: "missing secrets.json",
+                        detail: runtimeConfig.reason === "missing"
+                            ? "missing vault runtime/config"
+                            : `vault runtime/config unavailable: ${runtimeConfig.error}`,
                     });
                     continue;
                 }
-                const secrets = readJsonObject(deps, secretsPath);
-                if (!secrets) {
-                    checks.push({
-                        label: `${agentDir} bluebubbles config`,
-                        status: "fail",
-                        detail: "secrets.json unparseable",
-                    });
-                    continue;
-                }
-                const bluebubbles = asRecord(secrets.bluebubbles);
-                const bluebubblesChannel = asRecord(secrets.bluebubblesChannel);
+                const bluebubbles = asRecord(runtimeConfig.config.bluebubbles);
+                const bluebubblesChannel = asRecord(runtimeConfig.config.bluebubblesChannel);
                 const serverUrl = textField(bluebubbles, "serverUrl");
                 const password = textField(bluebubbles, "password");
                 const missing = [];
@@ -302,16 +288,16 @@ function checkSecurity(deps) {
     const agents = discoverAgents(deps);
     for (const agentDir of agents) {
         const agentName = agentDir.replace(/\.ouro$/, "");
-        const secretsPath = `${deps.secretsRoot}/${agentName}/secrets.json`;
-        if (deps.existsSync(secretsPath)) {
-            const stat = deps.statSync(secretsPath);
-            const worldReadable = (stat.mode & 0o004) !== 0;
-            if (worldReadable) {
-                checks.push({ label: `${agentDir} legacy secrets.json perms`, status: "warn", detail: "world-readable — consider deleting or chmod 600" });
-            }
-            else {
-                checks.push({ label: `${agentDir} legacy secrets.json perms`, status: "pass", detail: "not world-readable" });
-            }
+        const legacySecretsPath = `${deps.homedir}/.agentsecrets/${agentName}/secrets.json`;
+        if (deps.existsSync(legacySecretsPath)) {
+            checks.push({
+                label: `${agentDir} legacy secrets.json`,
+                status: "fail",
+                detail: "legacy local credential file exists; migrate values into the agent vault runtime/config item and remove it",
+            });
+        }
+        else {
+            checks.push({ label: `${agentDir} legacy secrets.json`, status: "pass", detail: "absent" });
         }
         // Check agent.json for leaked credential keys
         const configPath = `${deps.bundlesRoot}/${agentDir}/agent.json`;

package/dist/heart/daemon/runtime-metadata.js

@@ -36,7 +36,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getRuntimeMetadata = getRuntimeMetadata;
 const crypto_1 = require("crypto");
 const fs = __importStar(require("fs"));
-const os = __importStar(require("os"));
 const path = __importStar(require("path"));
 const childProcess = __importStar(require("child_process"));
 const identity_1 = require("../identity");
@@ -87,19 +86,7 @@ function readLastUpdated(repoRoot, packageJsonPath, statSyncImpl, execFileSyncIm
         return { value: UNKNOWN_METADATA, source: "unknown" };
     }
 }
-function readHomeDir() {
-    const homedirImpl = optionalFunction(os, "homedir");
-    if (!homedirImpl) {
-        return null;
-    }
-    try {
-        return homedirImpl.call(os);
-    }
-    catch {
-        return null;
-    }
-}
-function listConfigTargets(bundlesRoot, secretsRoot, daemonLoggingPath, readdirSyncImpl) {
+function listConfigTargets(bundlesRoot, daemonLoggingPath, readdirSyncImpl) {
     if (!readdirSyncImpl)
         return [];
     const targets = new Set();
@@ -117,19 +104,6 @@ function listConfigTargets(bundlesRoot, secretsRoot, daemonLoggingPath, readdirS
     catch {
         // ignore unreadable bundle roots
     }
-    if (secretsRoot) {
-        try {
-            const secretEntries = readdirSyncImpl(secretsRoot, { withFileTypes: true });
-            for (const entry of secretEntries) {
-                if (!entry.isDirectory())
-                    continue;
-                targets.add(path.join(secretsRoot, entry.name, "secrets.json"));
-            }
-        }
-        catch {
-            // ignore unreadable secrets roots
-        }
-    }
     return [...targets].sort();
 }
 function readConfigFingerprint(targets, readFileSyncImpl, existsSyncImpl) {
@@ -172,8 +146,6 @@ function readConfigFingerprint(targets, readFileSyncImpl, existsSyncImpl) {
 function getRuntimeMetadata(deps = {}) {
     const repoRoot = deps.repoRoot ?? (0, identity_1.getRepoRoot)();
     const bundlesRoot = deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)();
-    const homeDir = readHomeDir();
-    const secretsRoot = deps.secretsRoot ?? (homeDir ? path.join(homeDir, ".agentsecrets") : null);
     const daemonLoggingPath = deps.daemonLoggingPath ?? (0, identity_1.getAgentDaemonLoggingConfigPath)();
     const readFileSyncImpl = deps.readFileSync ?? optionalFunction(fs, "readFileSync")?.bind(fs) ?? null;
     const statSyncImpl = deps.statSync ?? optionalFunction(fs, "statSync")?.bind(fs) ?? null;
@@ -191,7 +163,7 @@ function getRuntimeMetadata(deps = {}) {
             throw new Error("git unavailable");
         }))
         : { value: UNKNOWN_METADATA, source: "unknown" };
-    const configTargets = listConfigTargets(bundlesRoot, secretsRoot, daemonLoggingPath, readdirSyncImpl);
+    const configTargets = listConfigTargets(bundlesRoot, daemonLoggingPath, readdirSyncImpl);
     const configFingerprint = readConfigFingerprint(configTargets, readFileSyncImpl, existsSyncImpl);
     (0, runtime_1.emitNervesEvent)({
         component: "daemon",