npm - @ouro.bot/cli - Versions diffs - 0.1.0-alpha.39 → 0.1.0-alpha.391 - Mend

@ouro.bot/cli 0.1.0-alpha.39 → 0.1.0-alpha.391

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (332) hide show

package/README.md +109 -14
package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/agent.json +3 -2
package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/SOUL.md +2 -2
package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/the-serpent.md +1 -1
package/changelog.json +2377 -4
package/dist/arc/attention-types.js +8 -0
package/dist/arc/cares.js +140 -0
package/dist/arc/episodes.js +117 -0
package/dist/arc/intentions.js +133 -0
package/dist/arc/json-store.js +117 -0
package/dist/arc/obligations.js +237 -0
package/dist/arc/packets.js +193 -0
package/dist/arc/presence.js +185 -0
package/dist/arc/task-lifecycle.js +65 -0
package/dist/heart/active-work.js +832 -0
package/dist/heart/agent-entry.js +58 -3
package/dist/heart/attachments/image-normalize.js +194 -0
package/dist/heart/attachments/materialize.js +97 -0
package/dist/heart/attachments/originals.js +88 -0
package/dist/heart/attachments/render.js +29 -0
package/dist/heart/attachments/sources/adapter.js +2 -0
package/dist/heart/attachments/sources/bluebubbles.js +156 -0
package/dist/heart/attachments/sources/cli-local-file.js +78 -0
package/dist/heart/attachments/sources/index.js +16 -0
package/dist/heart/attachments/store.js +103 -0
package/dist/heart/attachments/types.js +93 -0
package/dist/heart/auth/auth-flow.js +378 -0
package/dist/heart/bridges/manager.js +358 -0
package/dist/heart/bridges/state-machine.js +135 -0
package/dist/heart/bridges/store.js +123 -0
package/dist/heart/bundle-state.js +168 -0
package/dist/heart/commitments.js +111 -0
package/dist/heart/config-registry.js +304 -0
package/dist/heart/config.js +111 -128
package/dist/heart/core.js +803 -259
package/dist/heart/cross-chat-delivery.js +131 -0
package/dist/heart/daemon/agent-config-check.js +384 -0
package/dist/heart/daemon/agent-discovery.js +79 -3
package/dist/heart/daemon/agent-service.js +360 -0
package/dist/heart/daemon/agentic-repair.js +205 -0
package/dist/heart/daemon/bluebubbles-health-diagnostics.js +122 -0
package/dist/heart/daemon/cadence.js +70 -0
package/dist/heart/daemon/cli-defaults.js +599 -0
package/dist/heart/daemon/cli-exec.js +3384 -0
package/dist/heart/daemon/cli-help.js +385 -0
package/dist/heart/daemon/cli-parse.js +1097 -0
package/dist/heart/daemon/cli-render-doctor.js +57 -0
package/dist/heart/daemon/cli-render.js +560 -0
package/dist/heart/daemon/cli-types.js +8 -0
package/dist/heart/daemon/daemon-cli.js +28 -1582
package/dist/heart/daemon/daemon-entry.js +356 -3
package/dist/heart/daemon/daemon-health.js +141 -0
package/dist/heart/daemon/daemon-runtime-sync.js +157 -12
package/dist/heart/daemon/daemon-tombstone.js +236 -0
package/dist/heart/daemon/daemon.js +684 -58
package/dist/heart/daemon/doctor-types.js +8 -0
package/dist/heart/daemon/doctor.js +419 -0
package/dist/heart/daemon/health-monitor.js +79 -1
package/dist/heart/daemon/hooks/agent-config-v2.js +33 -0
package/dist/heart/daemon/hooks/bundle-meta.js +115 -1
package/dist/heart/daemon/http-health-probe.js +80 -0
package/dist/heart/daemon/inner-status.js +89 -0
package/dist/heart/daemon/interactive-repair.js +182 -0
package/dist/heart/daemon/launchd.js +46 -9
package/dist/heart/daemon/log-tailer.js +82 -12
package/dist/heart/daemon/logs-prune.js +105 -0
package/dist/heart/daemon/message-router.js +17 -8
package/dist/heart/daemon/os-cron-deps.js +134 -0
package/dist/heart/daemon/ouro-bot-entry.js +4 -2
package/dist/heart/daemon/ouro-entry.js +3 -1
package/dist/heart/daemon/process-manager.js +201 -0
package/dist/heart/daemon/provider-discovery.js +137 -0
package/dist/heart/daemon/pulse.js +475 -0
package/dist/heart/daemon/run-hooks.js +2 -0
package/dist/heart/daemon/runtime-logging.js +67 -16
package/dist/heart/daemon/runtime-metadata.js +73 -0
package/dist/heart/daemon/runtime-mode.js +67 -0
package/dist/heart/daemon/safe-mode.js +161 -0
package/dist/heart/daemon/sense-manager.js +119 -30
package/dist/heart/daemon/session-id-resolver.js +131 -0
package/dist/heart/daemon/skill-management-installer.js +94 -0
package/dist/heart/daemon/socket-client.js +307 -0
package/dist/heart/daemon/stale-bundle-prune.js +96 -0
package/dist/heart/daemon/startup-tui.js +237 -0
package/dist/heart/daemon/task-scheduler.js +3 -25
package/dist/heart/daemon/thoughts.js +510 -0
package/dist/heart/daemon/up-progress.js +135 -0
package/dist/heart/delegation.js +62 -0
package/dist/heart/habits/habit-migration.js +181 -0
package/dist/heart/habits/habit-parser.js +140 -0
package/dist/heart/habits/habit-scheduler.js +371 -0
package/dist/heart/{daemon → hatch}/hatch-flow.js +55 -126
package/dist/heart/{daemon → hatch}/hatch-specialist.js +3 -3
package/dist/heart/{daemon → hatch}/specialist-prompt.js +12 -9
package/dist/heart/{daemon → hatch}/specialist-tools.js +33 -12
package/dist/heart/identity.js +153 -65
package/dist/heart/kept-notes.js +357 -0
package/dist/heart/kicks.js +2 -20
package/dist/heart/machine-identity.js +161 -0
package/dist/heart/mcp/mcp-server.js +653 -0
package/dist/heart/migrate-config.js +100 -0
package/dist/heart/model-capabilities.js +59 -0
package/dist/heart/outlook/outlook-http-hooks.js +64 -0
package/dist/heart/outlook/outlook-http-response.js +7 -0
package/dist/heart/outlook/outlook-http-routes.js +232 -0
package/dist/heart/outlook/outlook-http-static.js +99 -0
package/dist/heart/outlook/outlook-http-transport.js +116 -0
package/dist/heart/outlook/outlook-http.js +99 -0
package/dist/heart/outlook/outlook-read.js +28 -0
package/dist/heart/outlook/outlook-types.js +27 -0
package/dist/heart/outlook/outlook-view.js +195 -0
package/dist/heart/outlook/readers/agent-machine.js +359 -0
package/dist/heart/outlook/readers/continuity-readers.js +332 -0
package/dist/heart/outlook/readers/runtime-readers.js +660 -0
package/dist/heart/outlook/readers/sessions.js +232 -0
package/dist/heart/outlook/readers/shared.js +111 -0
package/dist/heart/platform.js +81 -0
package/dist/heart/progress-story.js +42 -0
package/dist/heart/provider-attempt.js +133 -0
package/dist/heart/provider-binding-resolver.js +239 -0
package/dist/heart/provider-credentials.js +379 -0
package/dist/heart/provider-failover.js +266 -0
package/dist/heart/provider-models.js +81 -0
package/dist/heart/provider-ping.js +237 -0
package/dist/heart/provider-state.js +216 -0
package/dist/heart/provider-visibility.js +186 -0
package/dist/heart/providers/anthropic-token.js +131 -0
package/dist/heart/providers/anthropic.js +193 -55
package/dist/heart/providers/azure.js +103 -12
package/dist/heart/providers/error-classification.js +63 -0
package/dist/heart/providers/github-copilot.js +145 -0
package/dist/heart/providers/minimax-vlm.js +189 -0
package/dist/heart/providers/minimax.js +29 -7
package/dist/heart/providers/openai-codex.js +39 -29
package/dist/heart/runtime-credentials.js +181 -0
package/dist/heart/session-activity.js +190 -0
package/dist/heart/session-events.js +855 -0
package/dist/heart/session-transcript.js +167 -0
package/dist/heart/start-of-turn-packet.js +345 -0
package/dist/heart/streaming.js +36 -27
package/dist/heart/sync.js +332 -0
package/dist/heart/target-resolution.js +127 -0
package/dist/heart/tempo.js +93 -0
package/dist/heart/temporal-view.js +41 -0
package/dist/heart/tool-activity-callbacks.js +36 -0
package/dist/heart/tool-description.js +135 -0
package/dist/heart/tool-friction.js +55 -0
package/dist/heart/tool-loop.js +200 -0
package/dist/heart/turn-context.js +351 -0
package/dist/heart/turn-coordinator.js +28 -0
package/dist/heart/{daemon → versioning}/ouro-bot-global-installer.js +1 -1
package/dist/heart/{daemon → versioning}/ouro-bot-wrapper.js +1 -1
package/dist/heart/versioning/ouro-path-installer.js +301 -0
package/dist/heart/versioning/ouro-version-manager.js +295 -0
package/dist/heart/{daemon → versioning}/staged-restart.js +40 -8
package/dist/heart/{daemon → versioning}/update-checker.js +12 -2
package/dist/heart/{daemon → versioning}/update-hooks.js +63 -59
package/dist/mind/bundle-manifest.js +7 -1
package/dist/mind/context.js +141 -94
package/dist/mind/diary-integrity.js +60 -0
package/dist/mind/{memory.js → diary.js} +84 -96
package/dist/mind/embedding-provider.js +60 -0
package/dist/mind/file-state.js +179 -0
package/dist/mind/first-impressions.js +14 -1
package/dist/mind/friends/channel.js +21 -0
package/dist/mind/friends/group-context.js +144 -0
package/dist/mind/friends/resolver.js +38 -1
package/dist/mind/friends/store-file.js +39 -3
package/dist/mind/friends/trust-explanation.js +74 -0
package/dist/mind/friends/types.js +1 -1
package/dist/mind/journal-index.js +161 -0
package/dist/mind/note-search.js +268 -0
package/dist/mind/obligation-steering.js +221 -0
package/dist/mind/pending.js +66 -7
package/dist/mind/prompt-refresh.js +3 -2
package/dist/mind/prompt.js +946 -167
package/dist/mind/provenance-trust.js +26 -0
package/dist/mind/scrutiny.js +173 -0
package/dist/mind/token-estimate.js +8 -12
package/dist/nerves/cli-logging.js +7 -1
package/dist/nerves/coverage/audit-rules.js +15 -6
package/dist/nerves/coverage/audit.js +28 -2
package/dist/nerves/coverage/cli.js +1 -1
package/dist/nerves/coverage/file-completeness.js +83 -5
package/dist/nerves/coverage/run-artifacts.js +1 -1
package/dist/nerves/event-buffer.js +111 -0
package/dist/nerves/index.js +224 -4
package/dist/nerves/observation.js +20 -0
package/dist/nerves/redact.js +79 -0
package/dist/nerves/runtime.js +5 -1
package/dist/outlook-ui/assets/index-BAcU08c-.css +1 -0
package/dist/outlook-ui/assets/index-D7l3l4vY.js +61 -0
package/dist/outlook-ui/index.html +15 -0
package/dist/repertoire/ado-client.js +15 -56
package/dist/repertoire/ado-semantic.js +11 -10
package/dist/repertoire/api-client.js +97 -0
package/dist/repertoire/bitwarden-store.js +365 -0
package/dist/repertoire/bundle-templates.js +72 -0
package/dist/repertoire/bw-installer.js +79 -0
package/dist/repertoire/coding/codex-jsonl.js +64 -0
package/dist/repertoire/coding/context-pack.js +330 -0
package/dist/repertoire/coding/feedback.js +197 -30
package/dist/repertoire/coding/manager.js +158 -9
package/dist/repertoire/coding/spawner.js +55 -9
package/dist/repertoire/coding/tools.js +170 -7
package/dist/repertoire/commerce-errors.js +109 -0
package/dist/repertoire/commerce-self-test.js +156 -0
package/dist/repertoire/credential-access.js +107 -0
package/dist/repertoire/duffel-client.js +185 -0
package/dist/repertoire/github-client.js +14 -55
package/dist/repertoire/graph-client.js +11 -52
package/dist/repertoire/guardrails.js +371 -0
package/dist/repertoire/mcp-client.js +255 -0
package/dist/repertoire/mcp-manager.js +305 -0
package/dist/repertoire/mcp-tools.js +63 -0
package/dist/repertoire/shell-sessions.js +133 -0
package/dist/repertoire/skills.js +15 -24
package/dist/repertoire/stripe-client.js +131 -0
package/dist/repertoire/tasks/board.js +43 -5
package/dist/repertoire/tasks/fix.js +182 -0
package/dist/repertoire/tasks/index.js +28 -10
package/dist/repertoire/tasks/lifecycle.js +2 -2
package/dist/repertoire/tasks/parser.js +3 -2
package/dist/repertoire/tasks/scanner.js +194 -37
package/dist/repertoire/tasks/transitions.js +16 -79
package/dist/repertoire/tool-results.js +29 -0
package/dist/repertoire/tools-attachments.js +317 -0
package/dist/repertoire/tools-base.js +42 -690
package/dist/repertoire/tools-bluebubbles.js +1 -0
package/dist/repertoire/tools-bridge.js +141 -0
package/dist/repertoire/tools-bundle.js +984 -0
package/dist/repertoire/tools-config.js +185 -0
package/dist/repertoire/tools-continuity.js +248 -0
package/dist/repertoire/tools-credential.js +182 -0
package/dist/repertoire/tools-files.js +342 -0
package/dist/repertoire/tools-flight.js +224 -0
package/dist/repertoire/tools-flow.js +105 -0
package/dist/repertoire/tools-github.js +1 -7
package/dist/repertoire/tools-notes.js +376 -0
package/dist/repertoire/tools-session.js +739 -0
package/dist/repertoire/tools-shell.js +120 -0
package/dist/repertoire/tools-stripe.js +180 -0
package/dist/repertoire/tools-surface.js +243 -0
package/dist/repertoire/tools-teams.js +12 -62
package/dist/repertoire/tools-travel.js +125 -0
package/dist/repertoire/tools-user-profile.js +144 -0
package/dist/repertoire/tools-vault.js +40 -0
package/dist/repertoire/tools.js +144 -115
package/dist/repertoire/travel-api-client.js +360 -0
package/dist/repertoire/user-profile.js +118 -0
package/dist/repertoire/vault-setup.js +246 -0
package/dist/repertoire/vault-unlock.js +366 -0
package/dist/scripts/claude-code-hook.js +41 -0
package/dist/scripts/claude-code-stop-hook.js +47 -0
package/dist/senses/attention-queue.js +116 -0
package/dist/senses/bluebubbles/attachment-cache.js +53 -0
package/dist/senses/bluebubbles/attachment-download.js +137 -0
package/dist/senses/{bluebubbles-client.js → bluebubbles/client.js} +260 -9
package/dist/senses/bluebubbles/entry.js +70 -0
package/dist/senses/bluebubbles/inbound-log.js +113 -0
package/dist/senses/bluebubbles/index.js +1620 -0
package/dist/senses/{bluebubbles-media.js → bluebubbles/media.js} +121 -70
package/dist/senses/{bluebubbles-model.js → bluebubbles/model.js} +33 -12
package/dist/senses/{bluebubbles-mutation-log.js → bluebubbles/mutation-log.js} +46 -6
package/dist/senses/bluebubbles/replay.js +129 -0
package/dist/senses/bluebubbles/runtime-state.js +109 -0
package/dist/senses/{bluebubbles-session-cleanup.js → bluebubbles/session-cleanup.js} +1 -1
package/dist/senses/cli/bracketed-paste.js +82 -0
package/dist/senses/cli/image-paste.js +287 -0
package/dist/senses/cli/image-ref-navigation.js +75 -0
package/dist/senses/cli/ink-app.js +156 -0
package/dist/senses/cli/inline-diff.js +64 -0
package/dist/senses/cli/input-keys.js +174 -0
package/dist/senses/cli/kill-ring.js +86 -0
package/dist/senses/cli/message-list.js +51 -0
package/dist/senses/cli/ouro-tui.js +605 -0
package/dist/senses/cli/spinner-imperative.js +135 -0
package/dist/senses/cli/spinner.js +101 -0
package/dist/senses/cli/status-line.js +60 -0
package/dist/senses/cli/streaming-markdown.js +526 -0
package/dist/senses/cli/tool-display.js +83 -0
package/dist/senses/cli/tool-render.js +85 -0
package/dist/senses/cli/tui-store.js +240 -0
package/dist/senses/cli/virtual-list.js +35 -0
package/dist/senses/cli-entry.js +60 -8
package/dist/senses/cli-layout.js +187 -0
package/dist/senses/cli.js +526 -211
package/dist/senses/commands.js +66 -3
package/dist/senses/continuity.js +94 -0
package/dist/senses/habit-turn-message.js +108 -0
package/dist/senses/inner-dialog-worker.js +112 -19
package/dist/senses/inner-dialog.js +600 -95
package/dist/senses/pipeline.js +539 -61
package/dist/senses/proactive-content-guard.js +51 -0
package/dist/senses/shared-turn.js +205 -0
package/dist/senses/surface-tool.js +68 -0
package/dist/senses/teams-entry.js +60 -8
package/dist/senses/teams.js +569 -237
package/dist/senses/trust-gate.js +6 -7
package/package.json +28 -7
package/skills/agent-commerce.md +106 -0
package/skills/browser-navigation.md +110 -0
package/skills/commerce-setup-guide.md +116 -0
package/skills/commerce-setup.md +84 -0
package/skills/configure-dev-tools.md +101 -0
package/skills/travel-planning.md +134 -0
package/dist/heart/daemon/ouro-path-installer.js +0 -178
package/dist/heart/daemon/subagent-installer.js +0 -134
package/dist/mind/associative-recall.js +0 -197
package/dist/senses/bluebubbles-entry.js +0 -11
package/dist/senses/bluebubbles.js +0 -832
package/dist/senses/debug-activity.js +0 -127
package/subagents/README.md +0 -60
package/subagents/work-doer.md +0 -235
package/subagents/work-merger.md +0 -618
package/subagents/work-planner.md +0 -382
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/basilisk.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/jafar.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/jormungandr.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/kaa.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/medusa.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/monty.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/nagini.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/ouroboros.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/python.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/quetzalcoatl.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/sir-hiss.md +0 -0
/package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/the-snake.md +0 -0
/package/dist/heart/{daemon → hatch}/hatch-animation.js +0 -0
/package/dist/heart/{daemon → hatch}/specialist-orchestrator.js +0 -0
/package/dist/heart/{daemon → versioning}/ouro-uti.js +0 -0
/package/dist/heart/{daemon → versioning}/wrapper-publish-guard.js +0 -0

package/dist/repertoire/vault-setup.js ADDED Viewed

@@ -0,0 +1,246 @@
+"use strict";
+/**
+ * Vault setup module — Bitwarden/Vaultwarden account creation.
+ *
+ * Implements the Bitwarden registration protocol using Node.js crypto:
+ * - PBKDF2-SHA256 for master key derivation
+ * - HKDF-SHA256 for key stretching
+ * - AES-256-CBC for symmetric key protection
+ * - RSA-2048 keypair for asymmetric encryption
+ *
+ * All crypto follows the Bitwarden security whitepaper:
+ * https://bitwarden.com/help/bitwarden-security-white-paper/
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deriveMasterKey = deriveMasterKey;
+exports.deriveMasterPasswordHash = deriveMasterPasswordHash;
+exports.deriveStretchedMasterKey = deriveStretchedMasterKey;
+exports.makeProtectedSymmetricKey = makeProtectedSymmetricKey;
+exports.createVaultAccount = createVaultAccount;
+const crypto = __importStar(require("node:crypto"));
+const runtime_1 = require("../nerves/runtime");
+// ---------------------------------------------------------------------------
+// Crypto primitives
+// ---------------------------------------------------------------------------
+/**
+ * Derive the master key from password and email using PBKDF2-SHA256.
+ * Email is lowercased and used as the salt per Bitwarden spec.
+ */
+function deriveMasterKey(password, email, iterations) {
+    return new Promise((resolve, reject) => {
+        crypto.pbkdf2(password, email.toLowerCase(), iterations, 32, "sha256", (err, key) => {
+            /* v8 ignore next -- defensive: pbkdf2 rejects on invalid input @preserve */
+            if (err)
+                reject(err);
+            else
+                resolve(key);
+        });
+    });
+}
+/**
+ * Derive the master password hash: PBKDF2-SHA256(masterKey, password, 1 iteration).
+ * This hash is sent to the server for authentication — it never sees the master key.
+ */
+function deriveMasterPasswordHash(masterKey, password) {
+    return new Promise((resolve, reject) => {
+        crypto.pbkdf2(masterKey, password, 1, 32, "sha256", (err, hash) => {
+            /* v8 ignore next -- defensive: pbkdf2 rejects on invalid input @preserve */
+            if (err)
+                reject(err);
+            else
+                resolve(hash.toString("base64"));
+        });
+    });
+}
+/**
+ * Stretch the master key using HKDF-Expand-only (RFC 5869 §2.3) to produce a 64-byte key.
+ * First 32 bytes = encryption key, last 32 bytes = MAC key.
+ *
+ * CRITICAL: Bitwarden uses HKDF-Expand ONLY (no Extract step).
+ * Node.js crypto.hkdfSync() does Extract+Expand which produces DIFFERENT output.
+ * Reference: https://github.com/bitwarden/sdk-internal/blob/main/crates/bitwarden-crypto/src/util.rs
+ * Bitwarden calls Hkdf::<Sha256>::from_prk(masterKey).expand(info, output) — Expand only.
+ */
+function deriveStretchedMasterKey(masterKey) {
+    const encKey = hkdfExpandOnly(masterKey, "enc", 32);
+    const macKey = hkdfExpandOnly(masterKey, "mac", 32);
+    return Buffer.concat([encKey, macKey]);
+}
+/**
+ * HKDF-Expand only (RFC 5869 §2.3) — no Extract step.
+ * Matches Bitwarden's Hkdf::from_prk(prk).expand(info).
+ */
+function hkdfExpandOnly(prk, info, length) {
+    const hashLen = 32; // SHA-256
+    const n = Math.ceil(length / hashLen);
+    let okm = Buffer.alloc(0);
+    let t = Buffer.alloc(0);
+    for (let i = 1; i <= n; i++) {
+        t = crypto.createHmac("sha256", prk)
+            .update(Buffer.concat([t, Buffer.from(info, "utf8"), Buffer.from([i])]))
+            .digest();
+        okm = Buffer.concat([okm, t]);
+    }
+    return okm.subarray(0, length);
+}
+/**
+ * Encrypt data with AES-256-CBC and HMAC-SHA256 MAC.
+ * Returns a Bitwarden "type 2" cipherstring: "2.<iv>|<ct>|<mac>"
+ */
+function encryptWithStretchedKey(data, stretchedKey) {
+    const encKey = stretchedKey.subarray(0, 32);
+    const macKey = stretchedKey.subarray(32, 64);
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv("aes-256-cbc", encKey, iv);
+    const ct = Buffer.concat([cipher.update(data), cipher.final()]);
+    // MAC covers iv + ct
+    const mac = crypto.createHmac("sha256", macKey)
+        .update(iv)
+        .update(ct)
+        .digest();
+    return `2.${iv.toString("base64")}|${ct.toString("base64")}|${mac.toString("base64")}`;
+}
+/**
+ * Generate a 64-byte symmetric key, encrypt it with the stretched master key.
+ * Returns the "protected symmetric key" cipherstring.
+ */
+function makeProtectedSymmetricKey(stretchedMasterKey) {
+    const symKey = crypto.randomBytes(64);
+    return encryptWithStretchedKey(symKey, stretchedMasterKey);
+}
+/**
+ * Generate an RSA-2048 keypair.
+ * Returns { publicKey: base64-DER, privateKeyDer: Buffer }.
+ */
+function generateRsaKeypair() {
+    const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
+        modulusLength: 2048,
+        publicKeyEncoding: { type: "spki", format: "der" },
+        privateKeyEncoding: { type: "pkcs8", format: "der" },
+    });
+    return {
+        publicKeyB64: publicKey.toString("base64"),
+        privateKeyDer: privateKey,
+    };
+}
+// ---------------------------------------------------------------------------
+// Registration
+// ---------------------------------------------------------------------------
+const KDF_PBKDF2 = 0;
+const KDF_ITERATIONS = 600000;
+const REGISTER_ACCOUNT_PATH = "/identity/accounts/register";
+/**
+ * Create a Bitwarden account on the configured Vaultwarden server.
+ * Uses the Bitwarden registration API with standard KDF implementation.
+ */
+async function createVaultAccount(agentName, serverUrl, email, masterPassword) {
+    (0, runtime_1.emitNervesEvent)({
+        event: "repertoire.vault_setup_start",
+        component: "repertoire",
+        message: `creating vault account for ${agentName}`,
+        meta: { agentName, serverUrl, email },
+    });
+    try {
+        // Step 1: Derive keys
+        const masterKey = await deriveMasterKey(masterPassword, email, KDF_ITERATIONS);
+        const masterPasswordHash = await deriveMasterPasswordHash(masterKey, masterPassword);
+        const stretchedKey = deriveStretchedMasterKey(masterKey);
+        // Step 2: Generate symmetric key (64 bytes = 32 enc + 32 mac), encrypt with stretched key
+        const symKey = crypto.randomBytes(64);
+        const protectedSymKey = encryptWithStretchedKey(symKey, stretchedKey);
+        // Step 3: Generate RSA keypair, encrypt private key with the symmetric key
+        const { publicKeyB64, privateKeyDer } = generateRsaKeypair();
+        const encryptedPrivateKey = encryptWithStretchedKey(privateKeyDer, symKey);
+        // Step 4: POST registration
+        const registrationUrl = `${serverUrl}${REGISTER_ACCOUNT_PATH}`;
+        const res = await fetch(registrationUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                name: agentName,
+                email,
+                masterPasswordHash,
+                masterPasswordHint: null,
+                key: protectedSymKey,
+                kdf: KDF_PBKDF2,
+                kdfIterations: KDF_ITERATIONS,
+                keys: {
+                    publicKey: publicKeyB64,
+                    encryptedPrivateKey,
+                },
+            }),
+        });
+        if (!res.ok) {
+            let errorDetail;
+            try {
+                const body = await res.json();
+                errorDetail = body.message ?? `HTTP ${res.status} ${res.statusText}`;
+            }
+            catch {
+                errorDetail = `HTTP ${res.status} ${res.statusText}`;
+            }
+            const endpointAwareError = `${errorDetail} from ${registrationUrl}. Check --server; Ouro expects a Bitwarden/Vaultwarden identity API.`;
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                event: "repertoire.vault_setup_error",
+                component: "repertoire",
+                message: `vault registration failed: ${endpointAwareError}`,
+                meta: { agentName, serverUrl, email, registrationUrl, reason: endpointAwareError },
+            });
+            return { success: false, email, serverUrl, error: endpointAwareError };
+        }
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.vault_setup_end",
+            component: "repertoire",
+            message: `vault account created for ${agentName}`,
+            meta: { agentName, serverUrl, email },
+        });
+        return { success: true, email, serverUrl };
+    }
+    catch (err) {
+        const reason = err instanceof Error ? err.message : String(err);
+        const registrationUrl = `${serverUrl}${REGISTER_ACCOUNT_PATH}`;
+        const endpointAwareError = `cannot reach vault registration endpoint ${registrationUrl}: ${reason}. Check network, DNS/TLS, and --server.`;
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            event: "repertoire.vault_setup_error",
+            component: "repertoire",
+            message: `vault setup failed: ${endpointAwareError}`,
+            meta: { agentName, serverUrl, email, registrationUrl, reason: endpointAwareError },
+        });
+        return { success: false, email, serverUrl, error: endpointAwareError };
+    }
+}

package/dist/repertoire/vault-unlock.js ADDED Viewed

@@ -0,0 +1,366 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveVaultUnlockStore = resolveVaultUnlockStore;
+exports.readVaultUnlockSecret = readVaultUnlockSecret;
+exports.storeVaultUnlockSecret = storeVaultUnlockSecret;
+exports.getVaultUnlockStatus = getVaultUnlockStatus;
+const node_child_process_1 = require("node:child_process");
+const crypto = __importStar(require("node:crypto"));
+const fs = __importStar(require("node:fs"));
+const os = __importStar(require("node:os"));
+const path = __importStar(require("node:path"));
+const runtime_1 = require("../nerves/runtime");
+const VAULT_UNLOCK_SERVICE = "ouro.vault";
+const PLAINTEXT_UNLOCK_DIR = path.join(".ouro-cli", "vault-unlock");
+const WINDOWS_DPAPI_UNLOCK_DIR = path.join(".ouro-cli", "vault-unlock-dpapi");
+const SUPPORTED_STORES = ["auto", "macos-keychain", "windows-dpapi", "linux-secret-service", "plaintext-file"];
+function platform(deps) {
+    return deps.platform ?? process.platform;
+}
+function spawnSync(deps) {
+    return deps.spawnSync ?? node_child_process_1.spawnSync;
+}
+function homeDir(deps) {
+    return deps.homeDir ?? os.homedir();
+}
+function vaultKey(config) {
+    return `${config.serverUrl}:${config.email}`;
+}
+function vaultLabel(config) {
+    return `${config.email} at ${config.serverUrl}`;
+}
+function plaintextUnlockPath(config, deps) {
+    const digest = crypto.createHash("sha256").update(vaultKey(config)).digest("hex").slice(0, 24);
+    return path.join(homeDir(deps), PLAINTEXT_UNLOCK_DIR, `${digest}.secret`);
+}
+function windowsDpapiUnlockPath(config, deps) {
+    const digest = crypto.createHash("sha256").update(vaultKey(config)).digest("hex").slice(0, 24);
+    const localAppData = process.env.LOCALAPPDATA;
+    const baseDir = localAppData && platform(deps) === "win32"
+        ? path.join(localAppData, "Ouro")
+        : path.join(homeDir(deps), WINDOWS_DPAPI_UNLOCK_DIR);
+    return path.join(baseDir, "vault-unlock", `${digest}.dpapi`);
+}
+function commandExists(command, deps) {
+    const result = spawnSync(deps)(command, ["--version"], { encoding: "utf8" });
+    const code = result.error?.code;
+    return code !== "ENOENT";
+}
+function missingSecureStoreMessage(config) {
+    const agentPart = config.agentName ? ` for ${config.agentName}` : "";
+    return [
+        `No supported secure local secret store was found on this machine${agentPart}.`,
+        "",
+        `Ouro knows the credential vault is ${vaultLabel(config)}, but it cannot cache the vault unlock secret here yet.`,
+        "",
+        "On macOS, Ouro uses Keychain automatically.",
+        "On Windows, Ouro uses a CurrentUser DPAPI-encrypted local file automatically.",
+        "On Linux/WSL, install and configure Secret Service/libsecret, or choose the explicit plaintext fallback on a trusted machine.",
+        "",
+        config.agentName
+            ? `Run \`ouro vault unlock --agent ${config.agentName} --store plaintext-file\` to store the vault unlock secret in a chmod 0600 local file.`
+            : "Run `ouro vault unlock --store plaintext-file` to store the vault unlock secret in a chmod 0600 local file.",
+    ].join("\n");
+}
+function lockedMessage(config, store) {
+    const agentPart = config.agentName ? ` for ${config.agentName}` : "";
+    const command = config.agentName
+        ? `ouro vault unlock --agent ${config.agentName}${store.kind === "plaintext-file" ? " --store plaintext-file" : ""}`
+        : `ouro vault unlock${store.kind === "plaintext-file" ? " --store plaintext-file" : ""}`;
+    return [
+        `Ouro credential vault is locked on this machine${agentPart}.`,
+        "",
+        `Vault: ${vaultLabel(config)}`,
+        `Local unlock store: ${store.kind} (${store.location})`,
+        "",
+        "Provider credentials are still stored in the agent vault.",
+        "This computer does not currently have usable local unlock material for that vault.",
+        "This can happen on a new computer, after a local profile or hostname migration, or if the local unlock entry was removed.",
+        "",
+        `Run \`${command}\` and enter the saved agent vault unlock secret from the human/operator who controls that vault.`,
+        config.agentName
+            ? `If nobody saved that unlock secret, run \`ouro vault recover --agent ${config.agentName} --from <json>\` with a local credential export, or create a replacement vault and re-enter credentials.`
+            : "If nobody saved that unlock secret, run `ouro vault recover --agent <agent> --from <json>` with a local credential export, or create a replacement vault and re-enter credentials.",
+    ].join("\n");
+}
+function validateStoreKind(store) {
+    const requested = store ?? "auto";
+    if (!SUPPORTED_STORES.includes(requested)) {
+        throw new Error(`unknown vault unlock store '${requested}'. Use auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file.`);
+    }
+    return requested;
+}
+function resolveVaultUnlockStore(config, deps = {}) {
+    const requested = validateStoreKind(deps.store);
+    const currentPlatform = platform(deps);
+    if (requested === "macos-keychain") {
+        if (currentPlatform !== "darwin") {
+            throw new Error(`macos-keychain unlock store is only available on macOS; this machine is ${currentPlatform}.`);
+        }
+        return { kind: "macos-keychain", secure: true, location: "macOS Keychain" };
+    }
+    if (requested === "linux-secret-service") {
+        if (currentPlatform !== "linux") {
+            throw new Error(`linux-secret-service unlock store is only available on Linux/WSL; this machine is ${currentPlatform}.`);
+        }
+        if (!commandExists("secret-tool", deps)) {
+            throw new Error("linux-secret-service unlock store requires the `secret-tool` command from libsecret.");
+        }
+        return { kind: "linux-secret-service", secure: true, location: "Secret Service via secret-tool" };
+    }
+    if (requested === "windows-dpapi") {
+        if (currentPlatform !== "win32") {
+            throw new Error(`windows-dpapi unlock store is only available on Windows; this machine is ${currentPlatform}.`);
+        }
+        return { kind: "windows-dpapi", secure: true, location: windowsDpapiUnlockPath(config, deps) };
+    }
+    if (requested === "plaintext-file") {
+        return { kind: "plaintext-file", secure: false, location: plaintextUnlockPath(config, deps) };
+    }
+    if (currentPlatform === "darwin") {
+        return { kind: "macos-keychain", secure: true, location: "macOS Keychain" };
+    }
+    if (currentPlatform === "win32") {
+        return { kind: "windows-dpapi", secure: true, location: windowsDpapiUnlockPath(config, deps) };
+    }
+    if (currentPlatform === "linux" && commandExists("secret-tool", deps)) {
+        return { kind: "linux-secret-service", secure: true, location: "Secret Service via secret-tool" };
+    }
+    throw new Error(missingSecureStoreMessage(config));
+}
+function readFromMacosKeychain(config, deps) {
+    const result = spawnSync(deps)("security", [
+        "find-generic-password",
+        "-s",
+        VAULT_UNLOCK_SERVICE,
+        "-a",
+        vaultKey(config),
+        "-w",
+    ], { encoding: "utf8" });
+    const secret = typeof result.stdout === "string" ? result.stdout.trim() : "";
+    return result.status === 0 && secret ? secret : null;
+}
+function writeToMacosKeychain(config, secret, deps) {
+    const result = spawnSync(deps)("security", [
+        "add-generic-password",
+        "-U",
+        "-s",
+        VAULT_UNLOCK_SERVICE,
+        "-a",
+        vaultKey(config),
+        "-w",
+        secret,
+    ], { encoding: "utf8" });
+    if (result.status !== 0) {
+        const stderr = typeof result.stderr === "string" ? result.stderr.trim() : "";
+        throw new Error(`failed to store vault unlock secret in macOS Keychain${stderr ? `: ${stderr}` : ""}`);
+    }
+}
+function readFromLinuxSecretService(config, deps) {
+    const result = spawnSync(deps)("secret-tool", [
+        "lookup",
+        "service",
+        VAULT_UNLOCK_SERVICE,
+        "account",
+        vaultKey(config),
+    ], { encoding: "utf8" });
+    const secret = typeof result.stdout === "string" ? result.stdout.trim() : "";
+    return result.status === 0 && secret ? secret : null;
+}
+function writeToLinuxSecretService(config, secret, deps) {
+    const result = spawnSync(deps)("secret-tool", [
+        "store",
+        "--label",
+        `Ouro credential vault ${vaultLabel(config)}`,
+        "service",
+        VAULT_UNLOCK_SERVICE,
+        "account",
+        vaultKey(config),
+    ], { encoding: "utf8", input: secret });
+    if (result.status !== 0) {
+        const stderr = typeof result.stderr === "string" ? result.stderr.trim() : "";
+        throw new Error(`failed to store vault unlock secret in Linux Secret Service${stderr ? `: ${stderr}` : ""}`);
+    }
+}
+function runWindowsDpapi(mode, payload, deps) {
+    const script = `
+$ErrorActionPreference = "Stop"
+$inputJson = [Console]::In.ReadToEnd()
+$payload = $inputJson | ConvertFrom-Json
+Add-Type -AssemblyName System.Security
+if ($payload.mode -eq "protect") {
+  $bytes = [Text.Encoding]::UTF8.GetBytes([string]$payload.secret)
+  $protected = [Security.Cryptography.ProtectedData]::Protect($bytes, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
+  [Console]::Out.Write([Convert]::ToBase64String($protected))
+} elseif ($payload.mode -eq "unprotect") {
+  $protected = [Convert]::FromBase64String([string]$payload.ciphertext)
+  $bytes = [Security.Cryptography.ProtectedData]::Unprotect($protected, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
+  [Console]::Out.Write([Text.Encoding]::UTF8.GetString($bytes))
+} else {
+  throw "unknown DPAPI mode"
+}
+`;
+    const result = spawnSync(deps)("powershell.exe", [
+        "-NoProfile",
+        "-NonInteractive",
+        "-ExecutionPolicy",
+        "Bypass",
+        "-Command",
+        script,
+    ], {
+        encoding: "utf8",
+        input: JSON.stringify({ mode, ...payload }),
+    });
+    if (result.status !== 0) {
+        const stderr = typeof result.stderr === "string" ? result.stderr.trim() : "";
+        const error = result.error instanceof Error ? result.error.message : stderr;
+        throw new Error(`Windows DPAPI ${mode} failed${error ? `: ${error}` : ""}`);
+    }
+    return typeof result.stdout === "string" ? result.stdout : "";
+}
+function readFromWindowsDpapi(config, deps) {
+    const filePath = windowsDpapiUnlockPath(config, deps);
+    if (!fs.existsSync(filePath))
+        return null;
+    const ciphertext = fs.readFileSync(filePath, "utf8").trim();
+    if (!ciphertext)
+        return null;
+    const secret = runWindowsDpapi("unprotect", { ciphertext }, deps).trim();
+    return secret || null;
+}
+function writeToWindowsDpapi(config, secret, deps) {
+    const filePath = windowsDpapiUnlockPath(config, deps);
+    const ciphertext = runWindowsDpapi("protect", { secret }, deps).trim();
+    fs.mkdirSync(path.dirname(filePath), { recursive: true });
+    fs.writeFileSync(filePath, `${ciphertext}\n`, "utf8");
+}
+function readFromPlaintextFile(config, deps) {
+    const filePath = plaintextUnlockPath(config, deps);
+    if (!fs.existsSync(filePath))
+        return null;
+    if (platform(deps) !== "win32") {
+        const mode = fs.statSync(filePath).mode & 0o777;
+        if ((mode & 0o077) !== 0) {
+            throw new Error(`refusing to read plaintext vault unlock file at ${filePath} because permissions are too broad; run chmod 600 ${filePath}`);
+        }
+    }
+    const secret = fs.readFileSync(filePath, "utf8").trim();
+    return secret || null;
+}
+function writeToPlaintextFile(config, secret, deps) {
+    const filePath = plaintextUnlockPath(config, deps);
+    fs.mkdirSync(path.dirname(filePath), { recursive: true, mode: 0o700 });
+    fs.writeFileSync(filePath, secret, { encoding: "utf8", mode: 0o600 });
+    if (platform(deps) !== "win32") {
+        fs.chmodSync(path.dirname(filePath), 0o700);
+        fs.chmodSync(filePath, 0o600);
+    }
+}
+function readFromStore(config, store, deps) {
+    if (store.kind === "macos-keychain")
+        return readFromMacosKeychain(config, deps);
+    if (store.kind === "windows-dpapi")
+        return readFromWindowsDpapi(config, deps);
+    if (store.kind === "linux-secret-service")
+        return readFromLinuxSecretService(config, deps);
+    return readFromPlaintextFile(config, deps);
+}
+function writeToStore(config, store, secret, deps) {
+    if (store.kind === "macos-keychain") {
+        writeToMacosKeychain(config, secret, deps);
+        return;
+    }
+    if (store.kind === "linux-secret-service") {
+        writeToLinuxSecretService(config, secret, deps);
+        return;
+    }
+    if (store.kind === "windows-dpapi") {
+        writeToWindowsDpapi(config, secret, deps);
+        return;
+    }
+    writeToPlaintextFile(config, secret, deps);
+}
+function readVaultUnlockSecret(config, deps = {}) {
+    const store = resolveVaultUnlockStore(config, deps);
+    const secret = readFromStore(config, store, deps);
+    if (!secret) {
+        throw new Error(lockedMessage(config, store));
+    }
+    (0, runtime_1.emitNervesEvent)({
+        component: "repertoire",
+        event: "repertoire.vault_unlock_loaded",
+        message: "loaded vault unlock material from local store",
+        meta: { store: store.kind, secure: store.secure, hasAgentName: !!config.agentName },
+    });
+    return { secret, store };
+}
+function storeVaultUnlockSecret(config, secret, deps = {}) {
+    const trimmed = secret.trim();
+    if (!trimmed) {
+        throw new Error("vault unlock secret is required");
+    }
+    const store = resolveVaultUnlockStore(config, deps);
+    writeToStore(config, store, trimmed, deps);
+    (0, runtime_1.emitNervesEvent)({
+        component: "repertoire",
+        event: "repertoire.vault_unlock_stored",
+        message: "stored vault unlock material in local store",
+        meta: { store: store.kind, secure: store.secure, hasAgentName: !!config.agentName },
+    });
+    return store;
+}
+function getVaultUnlockStatus(config, deps = {}) {
+    try {
+        const store = resolveVaultUnlockStore(config, deps);
+        const stored = !!readFromStore(config, store, deps);
+        return {
+            configured: true,
+            stored,
+            store,
+            fix: stored
+                ? "Vault unlock secret is available on this machine."
+                : lockedMessage(config, store),
+        };
+    }
+    catch (error) {
+        return {
+            configured: false,
+            stored: false,
+            error: error instanceof Error ? error.message : String(error),
+            fix: error instanceof Error ? error.message : String(error),
+        };
+    }
+}

package/dist/scripts/claude-code-hook.js ADDED Viewed

@@ -0,0 +1,41 @@
+"use strict";
+// Claude Code lifecycle hook handler.
+// Receives events from Claude Code's hooks system (SessionStart, Stop, PostToolUse)
+// and forwards them to the Ouroboros daemon for agent awareness.
+//
+// This module exports handleHookEvent for testability.
+// The actual hook scripts (scripts/claude-code-hook.js) read stdin and call this.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleHookEvent = handleHookEvent;
+const socket_client_1 = require("../heart/daemon/socket-client");
+const runtime_1 = require("../nerves/runtime");
+/**
+ * Handle a Claude Code lifecycle hook event.
+ * Sends the event to the daemon and always exits 0 (hooks must not block the IDE).
+ */
+async function handleHookEvent(hookEvent) {
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.hook_event_received",
+        message: "claude code hook event received",
+        meta: { hookEvent: hookEvent.event, sessionId: hookEvent.sessionId },
+    });
+    try {
+        await (0, socket_client_1.sendDaemonCommand)(socket_client_1.DEFAULT_DAEMON_SOCKET_PATH, {
+            kind: "hook.event",
+            event: hookEvent.event,
+            sessionId: hookEvent.sessionId,
+            toolName: hookEvent.toolName,
+        });
+    }
+    catch {
+        // Daemon unavailable — silently ignore. Hooks must not block.
+        (0, runtime_1.emitNervesEvent)({
+            component: "daemon",
+            event: "daemon.hook_event_daemon_unavailable",
+            message: "daemon unavailable for hook event",
+            meta: { hookEvent: hookEvent.event },
+        });
+    }
+    return { exitCode: 0 };
+}