@ouro.bot/cli 0.1.0-alpha.386 → 0.1.0-alpha.389

package/changelog.json

@@ -1,6 +1,27 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.389",
+      "changes": [
+        "CLI entrypoints now print command failures to stderr before exiting, so invalid commands and vault recovery errors are visible in the terminal instead of only appearing in runtime logs.",
+        "Vault unlock secret prompts now fail fast when stdin/stdout is not an interactive terminal, preserving the non-echoing human-provided secret flow instead of dangling or silently exiting.",
+        "`ouro vault recover` now validates every local `--from` JSON source before asking for the replacement vault unlock secret, so bad paths or malformed files never ask the human to type a secret first.",
+        "Vault recovery tests now assert that bad source files do not call the secret prompt and that entrypoint failures are terminal-visible.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault recovery prompt polish release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.388",
+      "changes": [
+        "The default agent credential vault host now points at the live Vaultwarden endpoint `https://vault.ouroboros.bot` instead of the website redirect host.",
+        "`ouro vault create` and `ouro vault recover` now create accounts through the live Bitwarden/Vaultwarden identity registration endpoint and include the registration URL in setup failures.",
+        "Vault unlock/create/recover prompts now use a non-echoing secret prompt for vault unlock secrets, and the supported docs/help path asks the human to provide a saved secret instead of generating or printing one.",
+        "Deprecated `--generate-unlock-secret` vault flags now fail fast with guidance to rerun interactively, preventing new vault unlock secrets from being printed into terminals or logs.",
+        "Vault setup, unlock, provider CLI, help, docs, and runtime-config tests now encode the canonical vault host and human-provided secret flow so the wrong host or unsafe prompt path cannot silently return.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the canonical vault recovery release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.386",
       "changes": [

package/dist/heart/daemon/cli-defaults.js

@@ -221,6 +221,43 @@ async function defaultPromptInput(question) {
         rl.close();
     }
 }
+async function defaultPromptSecret(question) {
+    if (process.stdin.isTTY !== true || process.stdout.isTTY !== true) {
+        throw new Error("vault unlock secret entry requires an interactive terminal so the secret can be hidden. Re-run this command in a terminal and enter the human-chosen secret when prompted.");
+    }
+    const readline = await Promise.resolve().then(() => __importStar(require("readline")));
+    const rl = readline.createInterface({
+        input: process.stdin,
+        output: process.stdout,
+        terminal: true,
+    });
+    const mutableRl = rl;
+    const originalWriteToOutput = mutableRl._writeToOutput;
+    let muted = false;
+    if (originalWriteToOutput) {
+        mutableRl._writeToOutput = (stringToWrite) => {
+            if (!muted) {
+                originalWriteToOutput.call(rl, stringToWrite);
+            }
+        };
+    }
+    try {
+        const response = await new Promise((resolve) => {
+            rl.question(question, (answer) => {
+                process.stdout.write("\n");
+                resolve(answer);
+            });
+            muted = true;
+        });
+        return response.trim();
+    }
+    finally {
+        if (originalWriteToOutput) {
+            mutableRl._writeToOutput = originalWriteToOutput;
+        }
+        rl.close();
+    }
+}
 function defaultListDiscoveredAgents() {
     return (0, agent_discovery_1.listEnabledBundleAgents)({
         bundlesRoot: (0, identity_1.getAgentBundlesRoot)(),
@@ -464,6 +501,7 @@ function createDefaultOuroCliDeps(socketPath = socket_client_1.DEFAULT_DAEMON_SO
         listDiscoveredAgents: defaultListDiscoveredAgents,
         runHatchFlow: hatch_flow_1.runHatchFlow,
         promptInput: defaultPromptInput,
+        promptSecret: defaultPromptSecret,
         runSerpentGuide: defaultRunSerpentGuide,
         runAuthFlow: auth_flow_1.runRuntimeAuthFlow,
         registerOuroBundleType: ouro_uti_1.registerOuroBundleUti,

package/dist/heart/daemon/cli-exec.js

@@ -694,16 +694,22 @@ function defaultRecoveredVaultEmail(agentName, now) {
     const stamp = now.toISOString().replace(/[-:.TZ]/g, "").slice(0, 14);
     return `${local}+recovered-${stamp}@ouro.bot`;
 }
+function ensureVaultSecretPrompt(promptSecret, action) {
+    if (promptSecret)
+        return promptSecret;
+    throw new Error(`vault ${action} requires an interactive secret prompt that does not echo the vault unlock secret`);
+}
+function rejectGeneratedVaultUnlockSecret(action) {
+    throw new Error(`vault ${action} no longer supports --generate-unlock-secret. Re-run without that flag and enter a human-chosen unlock secret; Ouro will not print vault unlock secrets.`);
+}
 async function executeVaultUnlock(command, deps) {
     if (command.agent === "SerpentGuide") {
         throw new Error("SerpentGuide does not have a persistent credential vault. Hatch bootstrap uses selected provider credentials in memory only.");
     }
-    const prompt = deps.promptInput;
-    if (!prompt)
-        throw new Error("vault unlock requires an interactive prompt to capture the vault unlock secret");
+    const promptSecret = ensureVaultSecretPrompt(deps.promptSecret, "unlock");
     const { config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
     const vault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
-    const unlockSecret = await prompt(`Ouro vault unlock secret for ${vault.email}: `);
+    const unlockSecret = await promptSecret(`Ouro vault unlock secret for ${vault.email}: `);
     const store = (0, vault_unlock_1.storeVaultUnlockSecret)({
         agentName: command.agent,
         email: vault.email,
@@ -723,6 +729,8 @@ async function executeVaultCreate(command, deps) {
     if (command.agent === "SerpentGuide") {
         throw new Error("SerpentGuide does not have a persistent credential vault. Create a vault for the hatchling agent, not SerpentGuide.");
     }
+    if (command.generateUnlockSecret)
+        rejectGeneratedVaultUnlockSecret("create");
     const prompt = deps.promptInput;
     const { configPath, config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
     const configuredVault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
@@ -730,16 +738,12 @@ async function executeVaultCreate(command, deps) {
     if (!email) {
         throw new Error("vault create requires --email <email> when the agent bundle has no vault.email");
     }
+    const promptSecret = ensureVaultSecretPrompt(deps.promptSecret, "create");
     const serverUrl = command.serverUrl ?? config.vault?.serverUrl ?? configuredVault.serverUrl;
-    const requestedUnlockSecret = command.generateUnlockSecret
-        ? ""
-        : prompt
-            ? (await prompt(`Choose Ouro vault unlock secret for ${email}: `)).trim()
-            : "";
-    if (!requestedUnlockSecret && !command.generateUnlockSecret) {
-        throw new Error("vault create requires an unlock secret. Re-run with an interactive terminal or pass --generate-unlock-secret.");
+    const unlockSecret = (await promptSecret(`Choose Ouro vault unlock secret for ${email}: `)).trim();
+    if (!unlockSecret) {
+        throw new Error("vault create requires an unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.");
     }
-    const unlockSecret = requestedUnlockSecret || (0, crypto_1.randomBytes)(32).toString("base64");
     const result = await (0, vault_setup_1.createVaultAccount)("Ouro credential vault", serverUrl, email, unlockSecret);
     if (!result.success) {
         const message = [
@@ -764,14 +768,7 @@ async function executeVaultCreate(command, deps) {
         `vault: ${email} at ${serverUrl}`,
         `local unlock store: ${store.kind}${store.secure ? "" : " (explicit plaintext fallback)"}`,
         "All raw credentials for this agent will be stored in this Ouro credential vault.",
-        ...(command.generateUnlockSecret
-            ? [
-                "",
-                `vault unlock secret: ${unlockSecret}`,
-                "",
-                "Keep this saved outside Ouro now. Another machine cannot unlock the vault without it.",
-            ]
-            : ["Keep the vault unlock secret saved outside Ouro. Another machine will need it once."]),
+        "Keep the vault unlock secret saved outside Ouro. Another machine will need it once.",
     ].join("\n");
     deps.writeStdout(message);
     return message;
@@ -780,22 +777,19 @@ async function executeVaultRecover(command, deps) {
     if (command.agent === "SerpentGuide") {
         throw new Error("SerpentGuide does not have a persistent credential vault. Recover the hatchling agent vault, not SerpentGuide.");
     }
-    const prompt = deps.promptInput;
+    if (command.generateUnlockSecret)
+        rejectGeneratedVaultUnlockSecret("recover");
+    const sourceImports = command.sources.map(readVaultRecoverSource);
+    const promptSecret = ensureVaultSecretPrompt(deps.promptSecret, "recover");
     const now = providerCliNow(deps);
     const { configPath, config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
     const configuredVault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
     const email = command.email ?? defaultRecoveredVaultEmail(command.agent, now);
     const serverUrl = command.serverUrl ?? config.vault?.serverUrl ?? configuredVault.serverUrl;
-    const requestedUnlockSecret = command.generateUnlockSecret
-        ? ""
-        : prompt
-            ? (await prompt(`Choose replacement Ouro vault unlock secret for ${email}: `)).trim()
-            : "";
-    if (!requestedUnlockSecret && !command.generateUnlockSecret) {
-        throw new Error("vault recover requires a replacement unlock secret. Re-run with an interactive terminal or pass --generate-unlock-secret.");
+    const unlockSecret = (await promptSecret(`Choose replacement Ouro vault unlock secret for ${email}: `)).trim();
+    if (!unlockSecret) {
+        throw new Error("vault recover requires a replacement unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.");
     }
-    const unlockSecret = requestedUnlockSecret || (0, crypto_1.randomBytes)(32).toString("base64");
-    const sourceImports = command.sources.map(readVaultRecoverSource);
     const result = await (0, vault_setup_1.createVaultAccount)("Ouro credential vault", serverUrl, email, unlockSecret);
     if (!result.success) {
         const message = [
@@ -843,14 +837,7 @@ async function executeVaultRecover(command, deps) {
         `provider credentials imported: ${providerList.length === 0 ? "none" : providerList.join(", ")}`,
         `runtime credentials imported: ${runtimeFields.length === 0 ? "none" : runtimeFields.join(", ")}`,
         "credential values were not printed",
-        ...(command.generateUnlockSecret
-            ? [
-                "",
-                `vault unlock secret: ${unlockSecret}`,
-                "",
-                "Keep this saved outside Ouro now. Another machine cannot unlock the vault without it.",
-            ]
-            : ["Keep the replacement vault unlock secret saved outside Ouro. Another machine will need it once."]),
+        "Keep the replacement vault unlock secret saved outside Ouro. Another machine will need it once.",
     ].join("\n");
     deps.writeStdout(message);
     return message;

package/dist/heart/daemon/cli-help.js

@@ -232,13 +232,13 @@ exports.COMMAND_REGISTRY = {
 const SUBCOMMAND_HELP = {
     "vault create": {
         description: "Create an agent credential vault and store local unlock material",
-        usage: "ouro vault create --agent <name> --email <email> [--server <url>] [--store <store>] [--generate-unlock-secret]",
-        example: "ouro vault create --agent ouroboros --email ouroboros@ouro.bot --generate-unlock-secret",
+        usage: "ouro vault create --agent <name> --email <email> [--server <url>] [--store <store>]",
+        example: "ouro vault create --agent ouroboros --email ouroboros@ouro.bot",
     },
     "vault recover": {
         description: "Create a replacement agent vault and import local JSON credential exports",
-        usage: "ouro vault recover --agent <name> --from <json> [--from <json>] [--email <email>] [--server <url>] [--store <store>] [--generate-unlock-secret]",
-        example: "ouro vault recover --agent ouroboros --from ./credentials.json --generate-unlock-secret",
+        usage: "ouro vault recover --agent <name> --from <json> [--from <json>] [--email <email>] [--server <url>] [--store <store>]",
+        example: "ouro vault recover --agent ouroboros --from ./credentials.json",
     },
     "vault unlock": {
         description: "Unlock an existing agent credential vault on this machine",

package/dist/heart/daemon/cli-parse.js

@@ -84,8 +84,8 @@ function usage() {
         "  ouro auth --agent <name> [--provider <provider>]",
         "  ouro auth verify --agent <name> [--provider <provider>]",
         "  ouro auth switch --agent <name> --provider <provider>",
-        "  ouro vault create --agent <name> --email <email> [--server <url>] [--store <store>] [--generate-unlock-secret]",
-        "  ouro vault recover --agent <name> --from <json> [--from <json>] [--email <email>] [--server <url>] [--store <store>] [--generate-unlock-secret]",
+        "  ouro vault create --agent <name> --email <email> [--server <url>] [--store <store>]",
+        "  ouro vault recover --agent <name> --from <json> [--from <json>] [--email <email>] [--server <url>] [--store <store>]",
         "  ouro vault unlock --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
         "  ouro vault status --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
         "  ouro vault config set --agent <name> --key <path> [--value <value>]",

package/dist/heart/daemon/ouro-bot-entry.js

@@ -12,12 +12,14 @@ const ouro_bot_wrapper_1 = require("../versioning/ouro-bot-wrapper");
     meta: { args: process.argv.slice(2) },
 });
 void (0, ouro_bot_wrapper_1.runOuroBotWrapper)(process.argv.slice(2)).catch((error) => {
+    const message = error instanceof Error ? error.message : String(error);
+    process.stderr.write(`${message}\n`);
     (0, runtime_1.emitNervesEvent)({
         level: "error",
         component: "daemon",
         event: "daemon.ouro_bot_entry_error",
         message: "ouro.bot wrapper entrypoint failed",
-        meta: { error: error instanceof Error ? error.message : String(error) },
+        meta: { error: message },
     });
     process.exit(1);
 });

package/dist/heart/daemon/ouro-entry.js

@@ -12,12 +12,14 @@ const runtime_logging_1 = require("./runtime-logging");
     meta: { args: process.argv.slice(2) },
 });
 void (0, daemon_cli_1.runOuroCli)(process.argv.slice(2)).catch((error) => {
+    const message = error instanceof Error ? error.message : String(error);
+    process.stderr.write(`${message}\n`);
     (0, runtime_1.emitNervesEvent)({
         level: "error",
         component: "daemon",
         event: "daemon.cli_entry_error",
         message: "ouro CLI entrypoint failed",
-        meta: { error: error instanceof Error ? error.message : String(error) },
+        meta: { error: message },
     });
     process.exit(1);
 });

package/dist/heart/identity.js

@@ -75,7 +75,7 @@ exports.DEFAULT_AGENT_PHRASES = {
     tool: ["running tool"],
     followup: ["processing"],
 };
-exports.DEFAULT_VAULT_SERVER_URL = "https://vault.ouro.bot";
+exports.DEFAULT_VAULT_SERVER_URL = "https://vault.ouroboros.bot";
 /**
  * Resolve the vault config for an agent, applying defaults.
  * If vault is not configured in agent.json, returns default values.

package/dist/repertoire/vault-setup.js

@@ -161,6 +161,7 @@ function generateRsaKeypair() {
 // ---------------------------------------------------------------------------
 const KDF_PBKDF2 = 0;
 const KDF_ITERATIONS = 600000;
+const REGISTER_ACCOUNT_PATH = "/identity/accounts/register";
 /**
  * Create a Bitwarden account on the configured Vaultwarden server.
  * Uses the Bitwarden registration API with standard KDF implementation.
@@ -184,7 +185,8 @@ async function createVaultAccount(agentName, serverUrl, email, masterPassword) {
         const { publicKeyB64, privateKeyDer } = generateRsaKeypair();
         const encryptedPrivateKey = encryptWithStretchedKey(privateKeyDer, symKey);
         // Step 4: POST registration
-        const res = await fetch(`${serverUrl}/api/accounts/register`, {
+        const registrationUrl = `${serverUrl}${REGISTER_ACCOUNT_PATH}`;
+        const res = await fetch(registrationUrl, {
             method: "POST",
             headers: { "Content-Type": "application/json" },
             body: JSON.stringify({
@@ -210,14 +212,15 @@ async function createVaultAccount(agentName, serverUrl, email, masterPassword) {
             catch {
                 errorDetail = `HTTP ${res.status} ${res.statusText}`;
             }
+            const endpointAwareError = `${errorDetail} from ${registrationUrl}. Check --server; Ouro expects a Bitwarden/Vaultwarden identity API.`;
             (0, runtime_1.emitNervesEvent)({
                 level: "error",
                 event: "repertoire.vault_setup_error",
                 component: "repertoire",
-                message: `vault registration failed: ${errorDetail}`,
-                meta: { agentName, serverUrl, email, reason: errorDetail },
+                message: `vault registration failed: ${endpointAwareError}`,
+                meta: { agentName, serverUrl, email, registrationUrl, reason: endpointAwareError },
             });
-            return { success: false, email, serverUrl, error: errorDetail };
+            return { success: false, email, serverUrl, error: endpointAwareError };
         }
         (0, runtime_1.emitNervesEvent)({
             event: "repertoire.vault_setup_end",
@@ -229,13 +232,15 @@ async function createVaultAccount(agentName, serverUrl, email, masterPassword) {
     }
     catch (err) {
         const reason = err instanceof Error ? err.message : String(err);
+        const registrationUrl = `${serverUrl}${REGISTER_ACCOUNT_PATH}`;
+        const endpointAwareError = `cannot reach vault registration endpoint ${registrationUrl}: ${reason}. Check network, DNS/TLS, and --server.`;
         (0, runtime_1.emitNervesEvent)({
             level: "error",
             event: "repertoire.vault_setup_error",
             component: "repertoire",
-            message: `vault setup failed: ${reason}`,
-            meta: { agentName, serverUrl, email, reason },
+            message: `vault setup failed: ${endpointAwareError}`,
+            meta: { agentName, serverUrl, email, registrationUrl, reason: endpointAwareError },
         });
-        return { success: false, email, serverUrl, error: reason };
+        return { success: false, email, serverUrl, error: endpointAwareError };
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.386",
+  "version": "0.1.0-alpha.389",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",