@ouro.bot/cli 0.1.0-alpha.383 → 0.1.0-alpha.385

package/changelog.json

@@ -1,6 +1,23 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.385",
+      "changes": [
+        "`ouro up` provider-check repair hints for locked agent vaults now mention both normal unlock and lost-secret `ouro vault recover --agent <agent> --from <json>` recovery.",
+        "Provider health checks now share the locked-vault unlock-or-recover wording so compact degraded summaries do not send operators back to a secret they never saved.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the locked-vault repair-hint release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.384",
+      "changes": [
+        "Added `ouro vault recover --agent <agent> --from <json>` for existing alpha agents whose vault coordinates exist but whose unlock secret was never saved.",
+        "`ouro vault recover` creates a replacement agent vault, imports provider credentials into `providers/*`, imports runtime/sense/integration credentials into `runtime/config`, and prints only redacted field/provider summaries.",
+        "Auth/provider docs now distinguish normal vault unlock from lost-secret replacement-vault recovery, including the old-auth checklist path.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault recovery release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.383",
       "changes": [

package/dist/heart/daemon/agent-config-check.js

@@ -33,6 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.vaultUnlockOrRecoverFix = vaultUnlockOrRecoverFix;
 exports.checkAgentConfig = checkAgentConfig;
 exports.checkAgentConfigWithProviderHealth = checkAgentConfigWithProviderHealth;
 const fs = __importStar(require("fs"));
@@ -238,7 +239,7 @@ function invalidPoolResult(agentName, lane, provider, model, pool) {
         return {
             ok: false,
             error: `${lane} provider ${provider} model ${model} cannot read provider credentials because ${agentName}'s credential vault is locked on this machine.`,
-            fix: `Run 'ouro vault unlock --agent ${agentName}', then run 'ouro up' again.`,
+            fix: vaultUnlockOrRecoverFix(agentName),
         };
     }
     if (pool.reason === "invalid") {
@@ -251,13 +252,20 @@ function invalidPoolResult(agentName, lane, provider, model, pool) {
     return {
         ok: false,
         error: `${lane} provider ${provider} model ${model} cannot read provider credentials from ${agentName}'s vault at ${pool.poolPath}: ${pool.error}`,
-        fix: `Run 'ouro vault unlock --agent ${agentName}', then run 'ouro up' again. If the credential is missing or stale after unlock, run 'ouro auth --agent ${agentName} --provider ${provider}'.`,
+        fix: vaultUnlockOrRecoverFix(agentName, `Then run 'ouro up' again. If the credential is missing or stale after unlock or recovery, run 'ouro auth --agent ${agentName} --provider ${provider}'.`),
     };
 }
 function isVaultLockedError(error) {
     const normalized = error.toLowerCase();
     return /(?:ouro )?credential vault is locked|vault(?: is)? locked/.test(normalized);
 }
+function vaultUnlockOrRecoverFix(agentName, nextStep = "Then run 'ouro up' again.") {
+    return [
+        `Run 'ouro vault unlock --agent ${agentName}' if you have the saved vault unlock secret.`,
+        `If nobody saved it, run 'ouro vault recover --agent ${agentName} --from <json>' with a local credential export.`,
+        nextStep,
+    ].join(" ");
+}
 function failedPingResult(agentName, lane, provider, model, result) {
     return {
         ok: false,

package/dist/heart/daemon/cli-exec.js

@@ -599,6 +599,101 @@ function writeAgentVaultConfig(agentName, configPath, config, vault) {
         meta: { agentName, configPath, email: vault.email, serverUrl: vault.serverUrl },
     });
 }
+function isJsonRecord(value) {
+    return !!value && typeof value === "object" && !Array.isArray(value);
+}
+function cloneJsonRecord(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+function importableCredentialFields(value) {
+    if (!isJsonRecord(value))
+        return {};
+    const result = {};
+    for (const [key, fieldValue] of Object.entries(value)) {
+        if (typeof fieldValue === "string" && fieldValue.trim()) {
+            result[key] = fieldValue;
+        }
+        else if (typeof fieldValue === "number" && Number.isFinite(fieldValue)) {
+            result[key] = fieldValue;
+        }
+    }
+    return result;
+}
+function providerImportFromRaw(provider, raw) {
+    if (!isJsonRecord(raw))
+        return null;
+    const hasStructuredFields = isJsonRecord(raw.credentials) || isJsonRecord(raw.config);
+    const fields = hasStructuredFields
+        ? {
+            credentials: importableCredentialFields(raw.credentials),
+            config: importableCredentialFields(raw.config),
+        }
+        : (0, provider_credentials_1.splitProviderCredentialFields)(provider, raw);
+    if (Object.keys(fields.credentials).length === 0 && Object.keys(fields.config).length === 0)
+        return null;
+    return { provider, credentials: fields.credentials, config: fields.config };
+}
+function recoverProviderImports(raw) {
+    const providers = isJsonRecord(raw.providers) ? raw.providers : raw;
+    const imports = [];
+    for (const [providerName, providerRaw] of Object.entries(providers)) {
+        if (!(0, cli_parse_2.isAgentProvider)(providerName))
+            continue;
+        const imported = providerImportFromRaw(providerName, providerRaw);
+        if (imported)
+            imports.push(imported);
+    }
+    return imports;
+}
+const RECOVER_RUNTIME_EXCLUDED_TOP_LEVEL = new Set(["providers", "vault", "context", "schemaVersion", "updatedAt"]);
+function recoverRuntimeConfig(raw) {
+    const config = {};
+    for (const [key, value] of Object.entries(raw)) {
+        if (RECOVER_RUNTIME_EXCLUDED_TOP_LEVEL.has(key) || (0, cli_parse_2.isAgentProvider)(key))
+            continue;
+        config[key] = isJsonRecord(value) ? cloneJsonRecord(value) : value;
+    }
+    return config;
+}
+function mergeRuntimeConfig(a, b) {
+    const merged = { ...a };
+    for (const [key, value] of Object.entries(b)) {
+        if (isJsonRecord(merged[key]) && isJsonRecord(value)) {
+            merged[key] = mergeRuntimeConfig(merged[key], value);
+        }
+        else {
+            merged[key] = isJsonRecord(value) ? cloneJsonRecord(value) : value;
+        }
+    }
+    return merged;
+}
+function readVaultRecoverSource(sourcePath) {
+    const resolved = path.resolve(sourcePath);
+    let parsed;
+    try {
+        parsed = JSON.parse(fs.readFileSync(resolved, "utf8"));
+    }
+    catch (error) {
+        const reason = String(error);
+        throw new Error(`cannot read vault recover source ${resolved}: ${reason}`);
+    }
+    if (!isJsonRecord(parsed)) {
+        throw new Error(`vault recover source ${resolved} must be a JSON object`);
+    }
+    return {
+        sourcePath: resolved,
+        providers: recoverProviderImports(parsed),
+        runtimeConfig: recoverRuntimeConfig(parsed),
+    };
+}
+function defaultRecoveredVaultEmail(agentName, now) {
+    const local = agentName
+        .toLowerCase()
+        .replace(/[^a-z0-9._-]+/g, "-")
+        .replace(/^-+|-+$/g, "") || "agent";
+    const stamp = now.toISOString().replace(/[-:.TZ]/g, "").slice(0, 14);
+    return `${local}+recovered-${stamp}@ouro.bot`;
+}
 async function executeVaultUnlock(command, deps) {
     if (command.agent === "SerpentGuide") {
         throw new Error("SerpentGuide does not have a persistent credential vault. Hatch bootstrap uses selected provider credentials in memory only.");
@@ -681,6 +776,85 @@ async function executeVaultCreate(command, deps) {
     deps.writeStdout(message);
     return message;
 }
+async function executeVaultRecover(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        throw new Error("SerpentGuide does not have a persistent credential vault. Recover the hatchling agent vault, not SerpentGuide.");
+    }
+    const prompt = deps.promptInput;
+    const now = providerCliNow(deps);
+    const { configPath, config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
+    const configuredVault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
+    const email = command.email ?? defaultRecoveredVaultEmail(command.agent, now);
+    const serverUrl = command.serverUrl ?? config.vault?.serverUrl ?? configuredVault.serverUrl;
+    const requestedUnlockSecret = command.generateUnlockSecret
+        ? ""
+        : prompt
+            ? (await prompt(`Choose replacement Ouro vault unlock secret for ${email}: `)).trim()
+            : "";
+    if (!requestedUnlockSecret && !command.generateUnlockSecret) {
+        throw new Error("vault recover requires a replacement unlock secret. Re-run with an interactive terminal or pass --generate-unlock-secret.");
+    }
+    const unlockSecret = requestedUnlockSecret || (0, crypto_1.randomBytes)(32).toString("base64");
+    const sourceImports = command.sources.map(readVaultRecoverSource);
+    const result = await (0, vault_setup_1.createVaultAccount)("Ouro credential vault", serverUrl, email, unlockSecret);
+    if (!result.success) {
+        const message = [
+            `vault recover failed for ${command.agent}: ${result.error}`,
+            "",
+            "Recovery creates a replacement vault. If that vault account already exists, retry with a fresh --email value.",
+        ].join("\n");
+        deps.writeStdout(message);
+        return message;
+    }
+    writeAgentVaultConfig(command.agent, configPath, config, { email, serverUrl });
+    const store = (0, vault_unlock_1.storeVaultUnlockSecret)({
+        agentName: command.agent,
+        email,
+        serverUrl,
+    }, unlockSecret, { homeDir: deps.homeDir, store: command.store });
+    (0, credential_access_1.resetCredentialStore)();
+    await (0, credential_access_1.getCredentialStore)(command.agent).get("__ouro_vault_probe__");
+    const importedProviders = new Set();
+    let mergedRuntimeConfig = {};
+    for (const source of sourceImports) {
+        for (const provider of source.providers) {
+            await (0, provider_credentials_1.upsertProviderCredential)({
+                agentName: command.agent,
+                provider: provider.provider,
+                credentials: provider.credentials,
+                config: provider.config,
+                provenance: { source: "manual" },
+                now,
+            });
+            importedProviders.add(provider.provider);
+        }
+        mergedRuntimeConfig = mergeRuntimeConfig(mergedRuntimeConfig, source.runtimeConfig);
+    }
+    const runtimeFields = summarizeRuntimeConfigFields(mergedRuntimeConfig);
+    if (runtimeFields.length > 0) {
+        await (0, runtime_credentials_1.upsertRuntimeCredentialConfig)(command.agent, mergedRuntimeConfig, now);
+    }
+    const providerList = [...importedProviders].sort();
+    const message = [
+        `vault recovered for ${command.agent}`,
+        `vault: ${email} at ${serverUrl}`,
+        `local unlock store: ${store.kind}${store.secure ? "" : " (explicit plaintext fallback)"}`,
+        `sources imported: ${sourceImports.length}`,
+        `provider credentials imported: ${providerList.length === 0 ? "none" : providerList.join(", ")}`,
+        `runtime credentials imported: ${runtimeFields.length === 0 ? "none" : runtimeFields.join(", ")}`,
+        "credential values were not printed",
+        ...(command.generateUnlockSecret
+            ? [
+                "",
+                `vault unlock secret: ${unlockSecret}`,
+                "",
+                "Keep this saved outside Ouro now. Another machine cannot unlock the vault without it.",
+            ]
+            : ["Keep the replacement vault unlock secret saved outside Ouro. Another machine will need it once."]),
+    ].join("\n");
+    deps.writeStdout(message);
+    return message;
+}
 async function executeVaultStatus(command, deps) {
     if (command.agent === "SerpentGuide") {
         const message = "SerpentGuide has no persistent credential vault. Hatch bootstrap uses selected provider credentials in memory only.";
@@ -2553,6 +2727,9 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
     if (command.kind === "vault.create") {
         return executeVaultCreate(command, deps);
     }
+    if (command.kind === "vault.recover") {
+        return executeVaultRecover(command, deps);
+    }
     if (command.kind === "vault.status") {
         return executeVaultStatus(command, deps);
     }

package/dist/heart/daemon/cli-help.js

@@ -165,10 +165,10 @@ exports.COMMAND_REGISTRY = {
     },
     vault: {
         category: "Auth",
-        description: "Create, unlock, inspect, and populate the agent credential vault",
-        usage: "ouro vault <create|unlock|status|config> --agent <name>",
+        description: "Create, recover, unlock, inspect, and populate the agent credential vault",
+        usage: "ouro vault <create|recover|unlock|status|config> --agent <name>",
         example: "ouro vault status --agent ouroboros",
-        subcommands: ["create", "unlock", "status", "config set", "config status"],
+        subcommands: ["create", "recover", "unlock", "status", "config set", "config status"],
     },
     thoughts: {
         category: "Internal",

package/dist/heart/daemon/cli-parse.js

@@ -74,6 +74,7 @@ function usage() {
         "  ouro auth verify --agent <name> [--provider <provider>]",
         "  ouro auth switch --agent <name> --provider <provider>",
         "  ouro vault create --agent <name> --email <email> [--server <url>] [--store <store>] [--generate-unlock-secret]",
+        "  ouro vault recover --agent <name> --from <json> [--from <json>] [--email <email>] [--server <url>] [--store <store>] [--generate-unlock-secret]",
         "  ouro vault unlock --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
         "  ouro vault status --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
         "  ouro vault config set --agent <name> --key <path> [--value <value>]",
@@ -444,6 +445,7 @@ function parseVaultCommand(args) {
     let serverUrl;
     let store;
     let generateUnlockSecret = false;
+    const sources = [];
     for (let i = 0; i < rest.length; i += 1) {
         const token = rest[i];
         if (token === "--email") {
@@ -465,14 +467,22 @@ function parseVaultCommand(args) {
             i += 1;
             continue;
         }
+        if (token === "--from") {
+            const value = rest[i + 1];
+            if (!value)
+                throw new Error("Usage: ouro vault recover --agent <name> --from <json> [--from <json>]");
+            sources.push(value);
+            i += 1;
+            continue;
+        }
         if (token === "--generate-unlock-secret") {
             generateUnlockSecret = true;
             continue;
         }
-        throw new Error("Usage: ouro vault create|unlock|status --agent <name>");
+        throw new Error("Usage: ouro vault create|recover|unlock|status --agent <name>");
     }
-    if (!agent || (sub !== "create" && sub !== "unlock" && sub !== "status")) {
-        throw new Error("Usage: ouro vault create|unlock|status --agent <name>");
+    if (!agent || (sub !== "create" && sub !== "recover" && sub !== "unlock" && sub !== "status")) {
+        throw new Error("Usage: ouro vault create|recover|unlock|status --agent <name>");
     }
     if (sub === "create") {
         return {
@@ -484,6 +494,20 @@ function parseVaultCommand(args) {
             ...(generateUnlockSecret ? { generateUnlockSecret: true } : {}),
         };
     }
+    if (sub === "recover") {
+        if (sources.length === 0) {
+            throw new Error("Usage: ouro vault recover --agent <name> --from <json> [--from <json>]");
+        }
+        return {
+            kind: "vault.recover",
+            agent,
+            sources,
+            ...(email ? { email } : {}),
+            ...(serverUrl ? { serverUrl } : {}),
+            ...(store ? { store } : {}),
+            ...(generateUnlockSecret ? { generateUnlockSecret: true } : {}),
+        };
+    }
     if (sub === "unlock") {
         return { kind: "vault.unlock", agent, ...(store ? { store } : {}) };
     }

package/dist/repertoire/vault-unlock.js

@@ -111,7 +111,9 @@ function lockedMessage(config, store) {
         "This can happen on a new computer, after a local profile or hostname migration, or if the local unlock entry was removed.",
         "",
         `Run \`${command}\` and enter the saved agent vault unlock secret from the human/operator who controls that vault.`,
-        "If nobody saved that unlock secret, Ouro cannot recover it; create or rotate the agent vault and re-enter credentials.",
+        config.agentName
+            ? `If nobody saved that unlock secret, run \`ouro vault recover --agent ${config.agentName} --from <json>\` with a local credential export, or create a replacement vault and re-enter credentials.`
+            : "If nobody saved that unlock secret, run `ouro vault recover --agent <agent> --from <json>` with a local credential export, or create a replacement vault and re-enter credentials.",
     ].join("\n");
 }
 function validateStoreKind(store) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.383",
+  "version": "0.1.0-alpha.385",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",