@ouro.bot/cli 0.1.0-alpha.385 → 0.1.0-alpha.388

package/changelog.json

@@ -1,6 +1,25 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.388",
+      "changes": [
+        "The default agent credential vault host now points at the live Vaultwarden endpoint `https://vault.ouroboros.bot` instead of the website redirect host.",
+        "`ouro vault create` and `ouro vault recover` now create accounts through the live Bitwarden/Vaultwarden identity registration endpoint and include the registration URL in setup failures.",
+        "Vault unlock/create/recover prompts now use a non-echoing secret prompt for vault unlock secrets, and the supported docs/help path asks the human to provide a saved secret instead of generating or printing one.",
+        "Deprecated `--generate-unlock-secret` vault flags now fail fast with guidance to rerun interactively, preventing new vault unlock secrets from being printed into terminals or logs.",
+        "Vault setup, unlock, provider CLI, help, docs, and runtime-config tests now encode the canonical vault host and human-provided secret flow so the wrong host or unsafe prompt path cannot silently return.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the canonical vault recovery release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.386",
+      "changes": [
+        "`ouro vault recover --help` and `ouro help vault recover` now show the recovery-specific flags instead of generic vault help.",
+        "Nested command help now preserves subcommand words before flags, so help output can be specific to commands like `vault recover`.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault recovery help release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.385",
       "changes": [

package/dist/heart/daemon/cli-defaults.js

@@ -221,6 +221,40 @@ async function defaultPromptInput(question) {
         rl.close();
     }
 }
+async function defaultPromptSecret(question) {
+    const readline = await Promise.resolve().then(() => __importStar(require("readline")));
+    const rl = readline.createInterface({
+        input: process.stdin,
+        output: process.stdout,
+        terminal: true,
+    });
+    const mutableRl = rl;
+    const originalWriteToOutput = mutableRl._writeToOutput;
+    let muted = false;
+    if (originalWriteToOutput) {
+        mutableRl._writeToOutput = (stringToWrite) => {
+            if (!muted) {
+                originalWriteToOutput.call(rl, stringToWrite);
+            }
+        };
+    }
+    try {
+        const response = await new Promise((resolve) => {
+            rl.question(question, (answer) => {
+                process.stdout.write("\n");
+                resolve(answer);
+            });
+            muted = true;
+        });
+        return response.trim();
+    }
+    finally {
+        if (originalWriteToOutput) {
+            mutableRl._writeToOutput = originalWriteToOutput;
+        }
+        rl.close();
+    }
+}
 function defaultListDiscoveredAgents() {
     return (0, agent_discovery_1.listEnabledBundleAgents)({
         bundlesRoot: (0, identity_1.getAgentBundlesRoot)(),
@@ -464,6 +498,7 @@ function createDefaultOuroCliDeps(socketPath = socket_client_1.DEFAULT_DAEMON_SO
         listDiscoveredAgents: defaultListDiscoveredAgents,
         runHatchFlow: hatch_flow_1.runHatchFlow,
         promptInput: defaultPromptInput,
+        promptSecret: defaultPromptSecret,
         runSerpentGuide: defaultRunSerpentGuide,
         runAuthFlow: auth_flow_1.runRuntimeAuthFlow,
         registerOuroBundleType: ouro_uti_1.registerOuroBundleUti,

package/dist/heart/daemon/cli-exec.js

@@ -694,16 +694,22 @@ function defaultRecoveredVaultEmail(agentName, now) {
     const stamp = now.toISOString().replace(/[-:.TZ]/g, "").slice(0, 14);
     return `${local}+recovered-${stamp}@ouro.bot`;
 }
+function ensureVaultSecretPrompt(promptSecret, action) {
+    if (promptSecret)
+        return promptSecret;
+    throw new Error(`vault ${action} requires an interactive secret prompt that does not echo the vault unlock secret`);
+}
+function rejectGeneratedVaultUnlockSecret(action) {
+    throw new Error(`vault ${action} no longer supports --generate-unlock-secret. Re-run without that flag and enter a human-chosen unlock secret; Ouro will not print vault unlock secrets.`);
+}
 async function executeVaultUnlock(command, deps) {
     if (command.agent === "SerpentGuide") {
         throw new Error("SerpentGuide does not have a persistent credential vault. Hatch bootstrap uses selected provider credentials in memory only.");
     }
-    const prompt = deps.promptInput;
-    if (!prompt)
-        throw new Error("vault unlock requires an interactive prompt to capture the vault unlock secret");
+    const promptSecret = ensureVaultSecretPrompt(deps.promptSecret, "unlock");
     const { config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
     const vault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
-    const unlockSecret = await prompt(`Ouro vault unlock secret for ${vault.email}: `);
+    const unlockSecret = await promptSecret(`Ouro vault unlock secret for ${vault.email}: `);
     const store = (0, vault_unlock_1.storeVaultUnlockSecret)({
         agentName: command.agent,
         email: vault.email,
@@ -723,6 +729,8 @@ async function executeVaultCreate(command, deps) {
     if (command.agent === "SerpentGuide") {
         throw new Error("SerpentGuide does not have a persistent credential vault. Create a vault for the hatchling agent, not SerpentGuide.");
     }
+    if (command.generateUnlockSecret)
+        rejectGeneratedVaultUnlockSecret("create");
     const prompt = deps.promptInput;
     const { configPath, config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
     const configuredVault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
@@ -730,16 +738,12 @@ async function executeVaultCreate(command, deps) {
     if (!email) {
         throw new Error("vault create requires --email <email> when the agent bundle has no vault.email");
     }
+    const promptSecret = ensureVaultSecretPrompt(deps.promptSecret, "create");
     const serverUrl = command.serverUrl ?? config.vault?.serverUrl ?? configuredVault.serverUrl;
-    const requestedUnlockSecret = command.generateUnlockSecret
-        ? ""
-        : prompt
-            ? (await prompt(`Choose Ouro vault unlock secret for ${email}: `)).trim()
-            : "";
-    if (!requestedUnlockSecret && !command.generateUnlockSecret) {
-        throw new Error("vault create requires an unlock secret. Re-run with an interactive terminal or pass --generate-unlock-secret.");
+    const unlockSecret = (await promptSecret(`Choose Ouro vault unlock secret for ${email}: `)).trim();
+    if (!unlockSecret) {
+        throw new Error("vault create requires an unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.");
     }
-    const unlockSecret = requestedUnlockSecret || (0, crypto_1.randomBytes)(32).toString("base64");
     const result = await (0, vault_setup_1.createVaultAccount)("Ouro credential vault", serverUrl, email, unlockSecret);
     if (!result.success) {
         const message = [
@@ -764,14 +768,7 @@ async function executeVaultCreate(command, deps) {
         `vault: ${email} at ${serverUrl}`,
         `local unlock store: ${store.kind}${store.secure ? "" : " (explicit plaintext fallback)"}`,
         "All raw credentials for this agent will be stored in this Ouro credential vault.",
-        ...(command.generateUnlockSecret
-            ? [
-                "",
-                `vault unlock secret: ${unlockSecret}`,
-                "",
-                "Keep this saved outside Ouro now. Another machine cannot unlock the vault without it.",
-            ]
-            : ["Keep the vault unlock secret saved outside Ouro. Another machine will need it once."]),
+        "Keep the vault unlock secret saved outside Ouro. Another machine will need it once.",
     ].join("\n");
     deps.writeStdout(message);
     return message;
@@ -780,21 +777,18 @@ async function executeVaultRecover(command, deps) {
     if (command.agent === "SerpentGuide") {
         throw new Error("SerpentGuide does not have a persistent credential vault. Recover the hatchling agent vault, not SerpentGuide.");
     }
-    const prompt = deps.promptInput;
+    if (command.generateUnlockSecret)
+        rejectGeneratedVaultUnlockSecret("recover");
+    const promptSecret = ensureVaultSecretPrompt(deps.promptSecret, "recover");
     const now = providerCliNow(deps);
     const { configPath, config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
     const configuredVault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
     const email = command.email ?? defaultRecoveredVaultEmail(command.agent, now);
     const serverUrl = command.serverUrl ?? config.vault?.serverUrl ?? configuredVault.serverUrl;
-    const requestedUnlockSecret = command.generateUnlockSecret
-        ? ""
-        : prompt
-            ? (await prompt(`Choose replacement Ouro vault unlock secret for ${email}: `)).trim()
-            : "";
-    if (!requestedUnlockSecret && !command.generateUnlockSecret) {
-        throw new Error("vault recover requires a replacement unlock secret. Re-run with an interactive terminal or pass --generate-unlock-secret.");
+    const unlockSecret = (await promptSecret(`Choose replacement Ouro vault unlock secret for ${email}: `)).trim();
+    if (!unlockSecret) {
+        throw new Error("vault recover requires a replacement unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.");
     }
-    const unlockSecret = requestedUnlockSecret || (0, crypto_1.randomBytes)(32).toString("base64");
     const sourceImports = command.sources.map(readVaultRecoverSource);
     const result = await (0, vault_setup_1.createVaultAccount)("Ouro credential vault", serverUrl, email, unlockSecret);
     if (!result.success) {
@@ -843,14 +837,7 @@ async function executeVaultRecover(command, deps) {
         `provider credentials imported: ${providerList.length === 0 ? "none" : providerList.join(", ")}`,
         `runtime credentials imported: ${runtimeFields.length === 0 ? "none" : runtimeFields.join(", ")}`,
         "credential values were not printed",
-        ...(command.generateUnlockSecret
-            ? [
-                "",
-                `vault unlock secret: ${unlockSecret}`,
-                "",
-                "Keep this saved outside Ouro now. Another machine cannot unlock the vault without it.",
-            ]
-            : ["Keep the replacement vault unlock secret saved outside Ouro. Another machine will need it once."]),
+        "Keep the replacement vault unlock secret saved outside Ouro. Another machine will need it once.",
     ].join("\n");
     deps.writeStdout(message);
     return message;

package/dist/heart/daemon/cli-help.js

@@ -229,6 +229,38 @@ exports.COMMAND_REGISTRY = {
         subcommands: ["replay"],
     },
 };
+const SUBCOMMAND_HELP = {
+    "vault create": {
+        description: "Create an agent credential vault and store local unlock material",
+        usage: "ouro vault create --agent <name> --email <email> [--server <url>] [--store <store>]",
+        example: "ouro vault create --agent ouroboros --email ouroboros@ouro.bot",
+    },
+    "vault recover": {
+        description: "Create a replacement agent vault and import local JSON credential exports",
+        usage: "ouro vault recover --agent <name> --from <json> [--from <json>] [--email <email>] [--server <url>] [--store <store>]",
+        example: "ouro vault recover --agent ouroboros --from ./credentials.json",
+    },
+    "vault unlock": {
+        description: "Unlock an existing agent credential vault on this machine",
+        usage: "ouro vault unlock --agent <name> [--store <store>]",
+        example: "ouro vault unlock --agent ouroboros",
+    },
+    "vault status": {
+        description: "Show whether this machine can unlock an agent credential vault",
+        usage: "ouro vault status --agent <name> [--store <store>]",
+        example: "ouro vault status --agent ouroboros",
+    },
+    "vault config set": {
+        description: "Write runtime configuration into the agent credential vault",
+        usage: "ouro vault config set --agent <name> --key <path> [--value <value>]",
+        example: "ouro vault config set --agent ouroboros --key senses/outlook/clientId",
+    },
+    "vault config status": {
+        description: "List runtime configuration keys stored in the agent credential vault",
+        usage: "ouro vault config status --agent <name>",
+        example: "ouro vault config status --agent ouroboros",
+    },
+};
 // ── Levenshtein distance ──
 function levenshteinDistance(a, b) {
     if (a.length === 0)
@@ -296,7 +328,7 @@ function getGroupedHelp() {
 }
 // ── Per-command help ──
 function getCommandHelp(name) {
-    const entry = exports.COMMAND_REGISTRY[name];
+    const entry = SUBCOMMAND_HELP[name] ?? exports.COMMAND_REGISTRY[name];
     if (!entry)
         return null;
     const lines = [

package/dist/heart/daemon/cli-parse.js

@@ -42,6 +42,17 @@ function facingToProviderLane(facing) {
 function isProviderLane(value) {
     return value === "outward" || value === "inner";
 }
+function helpCommandName(args) {
+    const positional = [];
+    for (const arg of args) {
+        if (arg === "--help" || arg === "-h")
+            break;
+        if (arg.startsWith("-"))
+            break;
+        positional.push(arg);
+    }
+    return positional.length > 0 ? positional.join(" ") : undefined;
+}
 function extractLaneFlag(args) {
     const idx = args.indexOf("--lane");
     if (idx === -1 || idx + 1 >= args.length)
@@ -73,8 +84,8 @@ function usage() {
         "  ouro auth --agent <name> [--provider <provider>]",
         "  ouro auth verify --agent <name> [--provider <provider>]",
         "  ouro auth switch --agent <name> --provider <provider>",
-        "  ouro vault create --agent <name> --email <email> [--server <url>] [--store <store>] [--generate-unlock-secret]",
-        "  ouro vault recover --agent <name> --from <json> [--from <json>] [--email <email>] [--server <url>] [--store <store>] [--generate-unlock-secret]",
+        "  ouro vault create --agent <name> --email <email> [--server <url>] [--store <store>]",
+        "  ouro vault recover --agent <name> --from <json> [--from <json>] [--email <email>] [--server <url>] [--store <store>]",
         "  ouro vault unlock --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
         "  ouro vault status --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
         "  ouro vault config set --agent <name> --key <path> [--value <value>]",
@@ -932,11 +943,13 @@ function parseOuroCommand(args) {
         return { kind: "daemon.up" };
     // ── help command ──
     if (head === "help") {
-        return second ? { kind: "help", command: second } : { kind: "help" };
+        const command = helpCommandName(args.slice(1));
+        return command ? { kind: "help", command } : { kind: "help" };
     }
     // ── per-command --help ──
-    if (args.includes("--help")) {
-        return { kind: "help", command: head };
+    if (args.includes("--help") || args.includes("-h")) {
+        const command = helpCommandName(args);
+        return command ? { kind: "help", command } : { kind: "help" };
     }
     if (head === "--agent" && second) {
         return parseOuroCommand(args.slice(2));

package/dist/heart/identity.js

@@ -75,7 +75,7 @@ exports.DEFAULT_AGENT_PHRASES = {
     tool: ["running tool"],
     followup: ["processing"],
 };
-exports.DEFAULT_VAULT_SERVER_URL = "https://vault.ouro.bot";
+exports.DEFAULT_VAULT_SERVER_URL = "https://vault.ouroboros.bot";
 /**
  * Resolve the vault config for an agent, applying defaults.
  * If vault is not configured in agent.json, returns default values.

package/dist/repertoire/vault-setup.js

@@ -161,6 +161,7 @@ function generateRsaKeypair() {
 // ---------------------------------------------------------------------------
 const KDF_PBKDF2 = 0;
 const KDF_ITERATIONS = 600000;
+const REGISTER_ACCOUNT_PATH = "/identity/accounts/register";
 /**
  * Create a Bitwarden account on the configured Vaultwarden server.
  * Uses the Bitwarden registration API with standard KDF implementation.
@@ -184,7 +185,8 @@ async function createVaultAccount(agentName, serverUrl, email, masterPassword) {
         const { publicKeyB64, privateKeyDer } = generateRsaKeypair();
         const encryptedPrivateKey = encryptWithStretchedKey(privateKeyDer, symKey);
         // Step 4: POST registration
-        const res = await fetch(`${serverUrl}/api/accounts/register`, {
+        const registrationUrl = `${serverUrl}${REGISTER_ACCOUNT_PATH}`;
+        const res = await fetch(registrationUrl, {
             method: "POST",
             headers: { "Content-Type": "application/json" },
             body: JSON.stringify({
@@ -210,14 +212,15 @@ async function createVaultAccount(agentName, serverUrl, email, masterPassword) {
             catch {
                 errorDetail = `HTTP ${res.status} ${res.statusText}`;
             }
+            const endpointAwareError = `${errorDetail} from ${registrationUrl}. Check --server; Ouro expects a Bitwarden/Vaultwarden identity API.`;
             (0, runtime_1.emitNervesEvent)({
                 level: "error",
                 event: "repertoire.vault_setup_error",
                 component: "repertoire",
-                message: `vault registration failed: ${errorDetail}`,
-                meta: { agentName, serverUrl, email, reason: errorDetail },
+                message: `vault registration failed: ${endpointAwareError}`,
+                meta: { agentName, serverUrl, email, registrationUrl, reason: endpointAwareError },
             });
-            return { success: false, email, serverUrl, error: errorDetail };
+            return { success: false, email, serverUrl, error: endpointAwareError };
         }
         (0, runtime_1.emitNervesEvent)({
             event: "repertoire.vault_setup_end",
@@ -229,13 +232,15 @@ async function createVaultAccount(agentName, serverUrl, email, masterPassword) {
     }
     catch (err) {
         const reason = err instanceof Error ? err.message : String(err);
+        const registrationUrl = `${serverUrl}${REGISTER_ACCOUNT_PATH}`;
+        const endpointAwareError = `cannot reach vault registration endpoint ${registrationUrl}: ${reason}. Check network, DNS/TLS, and --server.`;
         (0, runtime_1.emitNervesEvent)({
             level: "error",
             event: "repertoire.vault_setup_error",
             component: "repertoire",
-            message: `vault setup failed: ${reason}`,
-            meta: { agentName, serverUrl, email, reason },
+            message: `vault setup failed: ${endpointAwareError}`,
+            meta: { agentName, serverUrl, email, registrationUrl, reason: endpointAwareError },
         });
-        return { success: false, email, serverUrl, error: reason };
+        return { success: false, email, serverUrl, error: endpointAwareError };
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.385",
+  "version": "0.1.0-alpha.388",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",