@ouro.bot/cli 0.1.0-alpha.376 → 0.1.0-alpha.378

package/dist/heart/daemon/runtime-metadata.js

@@ -36,7 +36,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getRuntimeMetadata = getRuntimeMetadata;
 const crypto_1 = require("crypto");
 const fs = __importStar(require("fs"));
-const os = __importStar(require("os"));
 const path = __importStar(require("path"));
 const childProcess = __importStar(require("child_process"));
 const identity_1 = require("../identity");
@@ -87,19 +86,7 @@ function readLastUpdated(repoRoot, packageJsonPath, statSyncImpl, execFileSyncIm
         return { value: UNKNOWN_METADATA, source: "unknown" };
     }
 }
-function readHomeDir() {
-    const homedirImpl = optionalFunction(os, "homedir");
-    if (!homedirImpl) {
-        return null;
-    }
-    try {
-        return homedirImpl.call(os);
-    }
-    catch {
-        return null;
-    }
-}
-function listConfigTargets(bundlesRoot, secretsRoot, daemonLoggingPath, readdirSyncImpl) {
+function listConfigTargets(bundlesRoot, daemonLoggingPath, readdirSyncImpl) {
     if (!readdirSyncImpl)
         return [];
     const targets = new Set();
@@ -117,19 +104,6 @@ function listConfigTargets(bundlesRoot, secretsRoot, daemonLoggingPath, readdirS
     catch {
         // ignore unreadable bundle roots
     }
-    if (secretsRoot) {
-        try {
-            const secretEntries = readdirSyncImpl(secretsRoot, { withFileTypes: true });
-            for (const entry of secretEntries) {
-                if (!entry.isDirectory())
-                    continue;
-                targets.add(path.join(secretsRoot, entry.name, "secrets.json"));
-            }
-        }
-        catch {
-            // ignore unreadable secrets roots
-        }
-    }
     return [...targets].sort();
 }
 function readConfigFingerprint(targets, readFileSyncImpl, existsSyncImpl) {
@@ -172,8 +146,6 @@ function readConfigFingerprint(targets, readFileSyncImpl, existsSyncImpl) {
 function getRuntimeMetadata(deps = {}) {
     const repoRoot = deps.repoRoot ?? (0, identity_1.getRepoRoot)();
     const bundlesRoot = deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)();
-    const homeDir = readHomeDir();
-    const secretsRoot = deps.secretsRoot ?? (homeDir ? path.join(homeDir, ".agentsecrets") : null);
     const daemonLoggingPath = deps.daemonLoggingPath ?? (0, identity_1.getAgentDaemonLoggingConfigPath)();
     const readFileSyncImpl = deps.readFileSync ?? optionalFunction(fs, "readFileSync")?.bind(fs) ?? null;
     const statSyncImpl = deps.statSync ?? optionalFunction(fs, "statSync")?.bind(fs) ?? null;
@@ -191,7 +163,7 @@ function getRuntimeMetadata(deps = {}) {
             throw new Error("git unavailable");
         }))
         : { value: UNKNOWN_METADATA, source: "unknown" };
-    const configTargets = listConfigTargets(bundlesRoot, secretsRoot, daemonLoggingPath, readdirSyncImpl);
+    const configTargets = listConfigTargets(bundlesRoot, daemonLoggingPath, readdirSyncImpl);
     const configFingerprint = readConfigFingerprint(configTargets, readFileSyncImpl, existsSyncImpl);
     (0, runtime_1.emitNervesEvent)({
         component: "daemon",

package/dist/heart/daemon/sense-manager.js

@@ -39,6 +39,7 @@ const os = __importStar(require("os"));
 const path = __importStar(require("path"));
 const runtime_1 = require("../../nerves/runtime");
 const identity_1 = require("../identity");
+const runtime_credentials_1 = require("../runtime-credentials");
 const sense_truth_1 = require("../sense-truth");
 const process_manager_1 = require("./process-manager");
 const DEFAULT_TEAMS_PORT = 3978;
@@ -87,22 +88,6 @@ function readAgentSenses(agentJsonPath) {
     }
     return defaults;
 }
-function readSecretsPayload(secretsPath) {
-    try {
-        const raw = fs.readFileSync(secretsPath, "utf-8");
-        const parsed = JSON.parse(raw);
-        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
-            return { payload: {}, error: "invalid secrets.json object" };
-        }
-        return { payload: parsed, error: null };
-    }
-    catch (error) {
-        return {
-            payload: {},
-            error: error instanceof Error ? error.message : String(error),
-        };
-    }
-}
 function textField(record, key) {
     const value = record?.[key];
     return typeof value === "string" ? value.trim() : "";
@@ -111,13 +96,18 @@ function numberField(record, key, fallback) {
     const value = record?.[key];
     return typeof value === "number" && Number.isFinite(value) ? value : fallback;
 }
-function senseFactsFromSecrets(agent, senses, secretsPath) {
+function senseFactsFromRuntimeConfig(agent, senses, runtimeConfig) {
     const base = {
         cli: { configured: true, detail: "local interactive terminal" },
         teams: { configured: false, detail: "not enabled in agent.json" },
         bluebubbles: { configured: false, detail: "not enabled in agent.json" },
     };
-    const { payload, error } = readSecretsPayload(secretsPath);
+    const payload = runtimeConfig.ok ? runtimeConfig.config : {};
+    const unavailableDetail = runtimeConfig.ok
+        ? ""
+        : runtimeConfig.reason === "missing"
+            ? `missing vault runtime/config (${agent})`
+            : `vault runtime/config unavailable (${runtimeConfig.error})`;
     const teams = payload.teams;
     const teamsChannel = payload.teamsChannel;
     const bluebubbles = payload.bluebubbles;
@@ -137,9 +127,7 @@ function senseFactsFromSecrets(agent, senses, secretsPath) {
             }
             : {
                 configured: false,
-                detail: error && !fs.existsSync(secretsPath)
-                    ? `missing secrets.json (${agent})`
-                    : `missing ${missing.join("/")}`,
+                detail: runtimeConfig.ok ? `missing ${missing.join("/")}` : unavailableDetail,
             };
     }
     if (senses.bluebubbles.enabled) {
@@ -155,13 +143,17 @@ function senseFactsFromSecrets(agent, senses, secretsPath) {
             }
             : {
                 configured: false,
-                detail: error && !fs.existsSync(secretsPath)
-                    ? `missing secrets.json (${agent})`
-                    : `missing ${missing.join("/")}`,
+                detail: runtimeConfig.ok ? `missing ${missing.join("/")}` : unavailableDetail,
             };
     }
     return base;
 }
+function senseRepairHint(agent, sense) {
+    if (sense === "teams") {
+        return `Run 'ouro vault config set --agent ${agent} --key teams.clientId', teams.clientSecret, and teams.tenantId; then run 'ouro up' again.`;
+    }
+    return `Run 'ouro vault config set --agent ${agent} --key bluebubbles.serverUrl' and bluebubbles.password; then run 'ouro up' again.`;
+}
 function parseSenseSnapshotName(name) {
     const parts = name.split(":");
     if (parts.length !== 2)
@@ -235,16 +227,15 @@ class DaemonSenseManager {
     bundlesRoot;
     constructor(options) {
         const bundlesRoot = options.bundlesRoot ?? path.join(os.homedir(), "AgentBundles");
-        const secretsRoot = options.secretsRoot ?? path.join(os.homedir(), ".agentsecrets");
         this.bundlesRoot = bundlesRoot;
         this.contexts = new Map(options.agents.map((agent) => {
             const senses = readAgentSenses(path.join(bundlesRoot, `${agent}.ouro`, "agent.json"));
-            const facts = senseFactsFromSecrets(agent, senses, path.join(secretsRoot, agent, "secrets.json"));
+            const facts = senseFactsFromRuntimeConfig(agent, senses, (0, runtime_credentials_1.readRuntimeCredentialConfig)(agent));
             return [agent, { senses, facts }];
         }));
         const managedSenseAgents = [...this.contexts.entries()].flatMap(([agent, context]) => {
             return ["teams", "bluebubbles"]
-                .filter((sense) => context.senses[sense].enabled && context.facts[sense].configured)
+                .filter((sense) => context.senses[sense].enabled)
                 .map((sense) => ({
                 name: `${agent}:${sense}`,
                 agentArg: agent,
@@ -255,6 +246,24 @@ class DaemonSenseManager {
         });
         this.processManager = options.processManager ?? new process_manager_1.DaemonProcessManager({
             agents: managedSenseAgents,
+            configCheck: async (name) => {
+                const parsed = parseSenseSnapshotName(name);
+                if (!parsed)
+                    return { ok: true };
+                const context = this.contexts.get(parsed.agent);
+                if (!context)
+                    return { ok: true };
+                const refreshed = await (0, runtime_credentials_1.refreshRuntimeCredentialConfig)(parsed.agent, { preserveCachedOnFailure: true });
+                context.facts = senseFactsFromRuntimeConfig(parsed.agent, context.senses, refreshed);
+                const fact = context.facts[parsed.sense];
+                if (fact.configured)
+                    return { ok: true };
+                return {
+                    ok: false,
+                    error: `${parsed.sense} is enabled for ${parsed.agent} but runtime credentials are not ready: ${fact.detail}`,
+                    fix: senseRepairHint(parsed.agent, parsed.sense),
+                };
+            },
         });
         (0, runtime_1.emitNervesEvent)({
             component: "channels",
@@ -290,6 +299,7 @@ class DaemonSenseManager {
             runtime.set(parsed.agent, current);
         }
         const rows = [...this.contexts.entries()].flatMap(([agent, context]) => {
+            context.facts = senseFactsFromRuntimeConfig(agent, context.senses, (0, runtime_credentials_1.readRuntimeCredentialConfig)(agent));
             const blueBubblesRuntimeFacts = readBlueBubblesRuntimeFacts(agent, this.bundlesRoot, runtime.get(agent)?.bluebubbles);
             const runtimeInfo = {
                 cli: { configured: true },

package/dist/heart/identity.js

@@ -48,7 +48,6 @@ exports.getAgentDaemonLogsDir = getAgentDaemonLogsDir;
 exports.getAgentDaemonLoggingConfigPath = getAgentDaemonLoggingConfigPath;
 exports.getAgentMessagesRoot = getAgentMessagesRoot;
 exports.getAgentToolsRoot = getAgentToolsRoot;
-exports.getAgentSecretsPath = getAgentSecretsPath;
 exports.loadAgentConfig = loadAgentConfig;
 exports.setAgentName = setAgentName;
 exports.setAgentConfigOverride = setAgentConfigOverride;
@@ -248,12 +247,6 @@ function getAgentMessagesRoot(agentName) {
 function getAgentToolsRoot(agentName) {
     return path.join(getAgentStateRoot(resolveOptionalAgentName(agentName)), "tools");
 }
-/**
- * Returns the conventional secrets path: `~/.agentsecrets/<agentName>/secrets.json`
- */
-function getAgentSecretsPath(agentName = getAgentName()) {
-    return path.join(os.homedir(), ".agentsecrets", agentName, "secrets.json");
-}
 const VALID_PROVIDERS = ["azure", "minimax", "anthropic", "openai-codex", "github-copilot"];
 function isValidProvider(value) {
     return typeof value === "string" && VALID_PROVIDERS.includes(value);

package/dist/heart/runtime-credentials.js

@@ -0,0 +1,181 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RUNTIME_CONFIG_ITEM_NAME = void 0;
+exports.readRuntimeCredentialConfig = readRuntimeCredentialConfig;
+exports.cacheRuntimeCredentialConfig = cacheRuntimeCredentialConfig;
+exports.refreshRuntimeCredentialConfig = refreshRuntimeCredentialConfig;
+exports.upsertRuntimeCredentialConfig = upsertRuntimeCredentialConfig;
+exports.resetRuntimeCredentialConfigCache = resetRuntimeCredentialConfigCache;
+const crypto = __importStar(require("node:crypto"));
+const runtime_1 = require("../nerves/runtime");
+const credential_access_1 = require("../repertoire/credential-access");
+const identity_1 = require("./identity");
+exports.RUNTIME_CONFIG_ITEM_NAME = "runtime/config";
+let cachedRuntimeConfigs = new Map();
+function isRecord(value) {
+    return !!value && typeof value === "object" && !Array.isArray(value);
+}
+function stableJson(value) {
+    if (Array.isArray(value))
+        return `[${value.map(stableJson).join(",")}]`;
+    if (isRecord(value)) {
+        return `{${Object.keys(value).sort().map((key) => `${JSON.stringify(key)}:${stableJson(value[key])}`).join(",")}}`;
+    }
+    return JSON.stringify(value);
+}
+function runtimeConfigVaultPath(agentName) {
+    return `vault:${agentName}:${exports.RUNTIME_CONFIG_ITEM_NAME}`;
+}
+function runtimeConfigRevision(payload) {
+    return `runtime_${crypto
+        .createHash("sha256")
+        .update(stableJson(payload))
+        .digest("hex")
+        .slice(0, 16)}`;
+}
+function validateRuntimeCredentialPayload(value) {
+    if (!isRecord(value))
+        throw new Error("runtime credential payload must be an object");
+    if (value.schemaVersion !== 1)
+        throw new Error("runtime credential payload schemaVersion must be 1");
+    if (value.kind !== "runtime-config")
+        throw new Error("runtime credential payload kind must be runtime-config");
+    if (typeof value.updatedAt !== "string" || value.updatedAt.trim().length === 0) {
+        throw new Error("runtime credential payload updatedAt must be non-empty");
+    }
+    if (!isRecord(value.config))
+        throw new Error("runtime credential payload config must be an object");
+    return value;
+}
+function resultFromPayload(agentName, payload) {
+    return {
+        ok: true,
+        itemPath: runtimeConfigVaultPath(agentName),
+        config: { ...payload.config },
+        revision: runtimeConfigRevision(payload),
+        updatedAt: payload.updatedAt,
+    };
+}
+function missingRuntimeConfig(agentName) {
+    return {
+        ok: false,
+        reason: "missing",
+        itemPath: runtimeConfigVaultPath(agentName),
+        error: `no runtime credentials stored at ${runtimeConfigVaultPath(agentName)}`,
+    };
+}
+function cacheResult(agentName, result) {
+    cachedRuntimeConfigs.set(agentName, result);
+    return result;
+}
+function readRuntimeCredentialConfig(agentName = (0, identity_1.getAgentName)()) {
+    return cachedRuntimeConfigs.get(agentName) ?? missingRuntimeConfig(agentName);
+}
+function cacheRuntimeCredentialConfig(agentName, config, now = new Date()) {
+    const payload = {
+        schemaVersion: 1,
+        kind: "runtime-config",
+        updatedAt: now.toISOString(),
+        config: { ...config },
+    };
+    return cacheResult(agentName, resultFromPayload(agentName, payload));
+}
+async function refreshRuntimeCredentialConfig(agentName, options = {}) {
+    try {
+        const store = (0, credential_access_1.getCredentialStore)(agentName);
+        const raw = await store.getRawSecret(exports.RUNTIME_CONFIG_ITEM_NAME, "password");
+        const payload = validateRuntimeCredentialPayload(JSON.parse(raw));
+        const result = resultFromPayload(agentName, payload);
+        (0, runtime_1.emitNervesEvent)({
+            component: "config/identity",
+            event: "config.runtime_credentials_loaded",
+            message: "loaded runtime credentials from vault",
+            meta: { agentName, itemPath: result.itemPath, revision: result.revision },
+        });
+        return cacheResult(agentName, result);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        const cached = cachedRuntimeConfigs.get(agentName);
+        const reason = message.includes(`no credential found for domain "${exports.RUNTIME_CONFIG_ITEM_NAME}"`)
+            ? "missing"
+            : message.includes("runtime credential payload")
+                ? "invalid"
+                : "unavailable";
+        const result = {
+            ok: false,
+            reason,
+            itemPath: runtimeConfigVaultPath(agentName),
+            error: reason === "missing" ? `no runtime credentials stored at ${runtimeConfigVaultPath(agentName)}` : message,
+        };
+        (0, runtime_1.emitNervesEvent)({
+            level: reason === "missing" ? "warn" : "error",
+            component: "config/identity",
+            event: "config.runtime_credentials_unavailable",
+            message: "runtime credentials unavailable",
+            meta: { agentName, reason, itemPath: result.itemPath },
+        });
+        if (options.preserveCachedOnFailure && cached?.ok)
+            return cached;
+        return cacheResult(agentName, result);
+    }
+}
+async function upsertRuntimeCredentialConfig(agentName, config, now = new Date()) {
+    const payload = {
+        schemaVersion: 1,
+        kind: "runtime-config",
+        updatedAt: now.toISOString(),
+        config: { ...config },
+    };
+    const store = (0, credential_access_1.getCredentialStore)(agentName);
+    await store.store(exports.RUNTIME_CONFIG_ITEM_NAME, {
+        username: "runtime/config",
+        password: JSON.stringify(payload),
+        notes: "Ouro runtime credentials for senses and integrations. Provider credentials live in providers/* items.",
+    });
+    const result = resultFromPayload(agentName, payload);
+    (0, runtime_1.emitNervesEvent)({
+        component: "config/identity",
+        event: "config.runtime_credentials_upserted",
+        message: "upserted runtime credential config in vault",
+        meta: { agentName, itemPath: result.itemPath, revision: result.revision },
+    });
+    cacheResult(agentName, result);
+    return result;
+}
+function resetRuntimeCredentialConfigCache() {
+    cachedRuntimeConfigs = new Map();
+}

package/dist/heart/turn-context.js

@@ -146,18 +146,7 @@ function readSenseStatusLines() {
         teams: { enabled: false },
         bluebubbles: { enabled: false },
     };
-    let payload = {};
-    try {
-        const raw = fs.readFileSync((0, identity_1.getAgentSecretsPath)(), "utf-8");
-        const parsed = JSON.parse(raw);
-        if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
-            payload = parsed;
-        }
-    }
-    catch { /* v8 ignore start -- defensive: fallback on read failure @preserve */
-        payload = {};
-        /* v8 ignore stop */
-    }
+    const payload = (0, config_1.loadConfig)();
     const teams = payload.teams;
     const bluebubbles = payload.bluebubbles;
     const configured = {

package/dist/mind/prompt.js

@@ -64,6 +64,7 @@ const ouro_version_manager_1 = require("../heart/versioning/ouro-version-manager
 const tools_1 = require("../repertoire/tools");
 const skills_1 = require("../repertoire/skills");
 const identity_1 = require("../heart/identity");
+const config_1 = require("../heart/config");
 const runtime_mode_1 = require("../heart/daemon/runtime-mode");
 const types_1 = require("./friends/types");
 const trust_explanation_1 = require("./friends/trust-explanation");
@@ -416,17 +417,7 @@ function localSenseStatusLines() {
         teams: { enabled: false },
         bluebubbles: { enabled: false },
     };
-    let payload = {};
-    try {
-        const raw = fs.readFileSync((0, identity_1.getAgentSecretsPath)(), "utf-8");
-        const parsed = JSON.parse(raw);
-        if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
-            payload = parsed;
-        }
-    }
-    catch {
-        payload = {};
-    }
+    const payload = (0, config_1.loadConfig)();
     const teams = payload.teams;
     const bluebubbles = payload.bluebubbles;
     const configured = {
@@ -454,13 +445,13 @@ function senseRuntimeGuidance(channel, preReadStatusLines) {
     lines.push("sense states:");
     lines.push("- interactive = available when opened by the user instead of kept running by the daemon");
     lines.push("- disabled = turned off in agent.json");
-    lines.push("- needs_config = enabled but missing required secrets.json values");
+    lines.push("- needs_config = enabled but missing required vault runtime/config values");
     lines.push("- ready = enabled and configured; `ouro up` should bring it online");
     lines.push("- running = enabled and currently active");
     lines.push("- error = enabled but unhealthy");
-    lines.push("If asked how to enable another sense, I explain the relevant agent.json senses entry and required secrets.json fields instead of guessing.");
-    lines.push("teams setup truth: enable `senses.teams.enabled`, then provide `teams.clientId`, `teams.clientSecret`, and `teams.tenantId` in secrets.json.");
-    lines.push("bluebubbles setup truth: enable `senses.bluebubbles.enabled`, then provide `bluebubbles.serverUrl` and `bluebubbles.password` in secrets.json.");
+    lines.push("If asked how to enable another sense, I explain the relevant agent.json senses entry and required agent-vault runtime/config fields instead of guessing.");
+    lines.push("teams setup truth: enable `senses.teams.enabled`, then store `teams.clientId`, `teams.clientSecret`, and `teams.tenantId` in the agent vault runtime/config item.");
+    lines.push("bluebubbles setup truth: enable `senses.bluebubbles.enabled`, then store `bluebubbles.serverUrl` and `bluebubbles.password` in the agent vault runtime/config item.");
     if (channel === "cli") {
         lines.push("cli is interactive: it is available when the user opens it, not something `ouro up` daemonizes.");
     }

package/dist/repertoire/tools-notes.js

@@ -127,7 +127,7 @@ exports.notesToolDefinitions = [
             try {
                 const key = (0, config_1.getIntegrationsConfig)().perplexityApiKey;
                 if (!key)
-                    return "error: perplexityApiKey not configured in secrets.json";
+                    return "error: perplexityApiKey not configured in the agent vault runtime/config item";
                 const res = await fetch("https://api.perplexity.ai/search", {
                     method: "POST",
                     headers: {

package/dist/repertoire/vault-unlock.js

@@ -110,7 +110,8 @@ function lockedMessage(config, store) {
         "This computer does not currently have usable local unlock material for that vault.",
         "This can happen on a new computer, after a local profile or hostname migration, or if the local unlock entry was removed.",
         "",
-        `Run \`${command}\` and enter the vault unlock secret from the operator password manager.`,
+        `Run \`${command}\` and enter the saved agent vault unlock secret from the human/operator who controls that vault.`,
+        "If nobody saved that unlock secret, Ouro cannot recover it; create or rotate the agent vault and re-enter credentials.",
     ].join("\n");
 }
 function validateStoreKind(store) {

package/dist/senses/bluebubbles/entry.js

@@ -1,13 +1,70 @@
 "use strict";
 // Thin entrypoint for `npm run bluebubbles` / `node dist/senses/bluebubbles/entry.js --agent <name>`.
 // Separated from index.ts so the BlueBubbles adapter stays testable.
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
-if (!process.argv.includes("--agent")) {
+const agentArgIndex = process.argv.indexOf("--agent");
+const agentName = agentArgIndex >= 0 ? process.argv[agentArgIndex + 1] : undefined;
+if (!agentName) {
     // eslint-disable-next-line no-console -- pre-boot guard: --agent check before imports
     console.error("Missing required --agent <name> argument.\nUsage: node dist/senses/bluebubbles/entry.js --agent ouroboros");
     process.exit(1);
 }
-const index_1 = require("./index");
 const runtime_logging_1 = require("../../heart/daemon/runtime-logging");
+const runtime_1 = require("../../nerves/runtime");
 (0, runtime_logging_1.configureDaemonRuntimeLogger)("bluebubbles");
-(0, index_1.startBlueBubblesApp)();
+(0, runtime_1.emitNervesEvent)({
+    component: "senses",
+    event: "senses.entry_boot",
+    message: "booting BlueBubbles entrypoint",
+    meta: { entry: "bluebubbles", agentName },
+});
+Promise.resolve().then(() => __importStar(require("../../heart/runtime-credentials"))).then(async ({ refreshRuntimeCredentialConfig }) => {
+    await refreshRuntimeCredentialConfig(agentName, { preserveCachedOnFailure: true }).catch(() => undefined);
+    const { startBlueBubblesApp } = await Promise.resolve().then(() => __importStar(require("./index")));
+    await startBlueBubblesApp();
+})
+    .catch((error) => {
+    (0, runtime_1.emitNervesEvent)({
+        level: "error",
+        component: "senses",
+        event: "senses.entry_error",
+        message: "BlueBubbles entrypoint failed",
+        meta: { entry: "bluebubbles", agentName, error: error instanceof Error ? error.message : String(error) },
+    });
+    // eslint-disable-next-line no-console -- fatal startup guard for sense process
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+});

package/dist/senses/cli-entry.js

@@ -1,15 +1,67 @@
 "use strict";
-// Thin entrypoint for `npm run cli` / `node dist/senses/cli-entry.js --agent <name>`.
-// Separated from cli.ts so the CLI adapter is pure library code with clean
-// 100% test coverage -- entrypoints can't be covered by vitest since
-// require.main !== module in the test runner.
-// All config comes from the conventional ~/.agentsecrets/<agent>/secrets.json path.
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
+const runtime_1 = require("../nerves/runtime");
 // Fail fast if --agent is missing (before any src/ code tries getAgentName())
-if (!process.argv.includes("--agent")) {
+const agentArgIndex = process.argv.indexOf("--agent");
+const agentName = agentArgIndex >= 0 ? process.argv[agentArgIndex + 1] : undefined;
+if (!agentName) {
     // eslint-disable-next-line no-console -- pre-boot guard: --agent check before imports
     console.error("Missing required --agent <name> argument.\nUsage: node dist/senses/cli-entry.js --agent ouroboros");
     process.exit(1);
 }
-const cli_1 = require("./cli");
-(0, cli_1.main)();
+(0, runtime_1.emitNervesEvent)({
+    component: "senses",
+    event: "senses.entry_boot",
+    message: "booting CLI entrypoint",
+    meta: { entry: "cli", agentName },
+});
+Promise.resolve().then(() => __importStar(require("../heart/runtime-credentials"))).then(async ({ refreshRuntimeCredentialConfig }) => {
+    await refreshRuntimeCredentialConfig(agentName, { preserveCachedOnFailure: true }).catch(() => undefined);
+    const { main } = await Promise.resolve().then(() => __importStar(require("./cli")));
+    main();
+})
+    .catch((error) => {
+    (0, runtime_1.emitNervesEvent)({
+        level: "error",
+        component: "senses",
+        event: "senses.entry_error",
+        message: "CLI entrypoint failed",
+        meta: { entry: "cli", agentName, error: error instanceof Error ? error.message : String(error) },
+    });
+    // eslint-disable-next-line no-console -- fatal startup guard for sense process
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+});