@ouro.bot/cli 0.1.0-alpha.394 → 0.1.0-alpha.395

package/changelog.json

@@ -1,6 +1,16 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.395",
+      "changes": [
+        "`ouro vault replace` and `ouro vault recover` now default to the stable agent vault email, `<agent>@ouro.bot`, instead of timestamped `+replaced` or `+recovered` addresses.",
+        "Vault repair now treats previously generated repair emails as stale defaults and repairs back to the stable agent email unless the human explicitly supplies `--email <email>`.",
+        "Existing-account repair guidance now tells operators to unlock the stable vault when possible and use `--email` only when intentionally moving an agent to a different vault account.",
+        "Auth/provider docs and CLI help now describe stable vault identity repair for old auth-style agents without implying that Ouro can recover a forgotten unlock secret.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the stable vault identity repair release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.394",
       "changes": [

package/dist/heart/daemon/cli-exec.js

@@ -686,19 +686,22 @@ function readVaultRecoverSource(sourcePath) {
         runtimeConfig: recoverRuntimeConfig(parsed),
     };
 }
-function defaultReplacementVaultEmail(agentName, now, action) {
+function defaultStableVaultEmail(agentName) {
     const local = agentName
         .toLowerCase()
         .replace(/[^a-z0-9._-]+/g, "-")
         .replace(/^-+|-+$/g, "") || "agent";
-    const stamp = now.toISOString().replace(/[-:.TZ]/g, "").slice(0, 14);
-    return `${local}+${action}-${stamp}@ouro.bot`;
+    return `${local}@ouro.bot`;
 }
-function defaultRecoveredVaultEmail(agentName, now) {
-    return defaultReplacementVaultEmail(agentName, now, "recovered");
+function isGeneratedRepairVaultEmail(email) {
+    const [local, domain] = email.trim().split("@");
+    return domain?.toLowerCase() === "ouro.bot" && /\+(?:replaced|recovered)-\d{14}(?:$|\+)/i.test(local);
 }
-function defaultReplacedVaultEmail(agentName, now) {
-    return defaultReplacementVaultEmail(agentName, now, "replaced");
+function defaultRepairVaultEmail(agentName, config) {
+    const configuredEmail = config.vault?.email?.trim();
+    if (configuredEmail && !isGeneratedRepairVaultEmail(configuredEmail))
+        return configuredEmail;
+    return defaultStableVaultEmail(agentName);
 }
 function ensureVaultSecretPrompt(promptSecret, action) {
     if (promptSecret)
@@ -708,13 +711,17 @@ function ensureVaultSecretPrompt(promptSecret, action) {
 function rejectGeneratedVaultUnlockSecret(action) {
     throw new Error(`vault ${action} no longer supports --generate-unlock-secret. Re-run without that flag and enter a human-chosen unlock secret; Ouro will not print vault unlock secrets.`);
 }
-async function createReplacementVaultForAgent(input) {
+async function createRepairVaultForAgent(input) {
     const result = await (0, vault_setup_1.createVaultAccount)("Ouro credential vault", input.serverUrl, input.email, input.unlockSecret);
     if (!result.success) {
         const message = [
             `vault ${input.action} failed for ${input.agentName}: ${result.error}`,
             "",
-            "This creates a replacement vault. If that vault account already exists, retry with a fresh --email value.",
+            "Could not create the selected vault account.",
+            "If this is the existing vault, run:",
+            `  ouro vault unlock --agent ${input.agentName}`,
+            "If the unlock secret is lost and you intentionally need a different vault account, rerun with --email <email>.",
+            "If this looks like a server or network issue, check --server and retry.",
         ].join("\n");
         input.deps.writeStdout(message);
         return { ok: false, message };
@@ -807,16 +814,15 @@ async function executeVaultReplace(command, deps) {
     if (command.generateUnlockSecret)
         rejectGeneratedVaultUnlockSecret("replace");
     const promptSecret = ensureVaultSecretPrompt(deps.promptSecret, "replace");
-    const now = providerCliNow(deps);
     const { configPath, config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
     const configuredVault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
-    const email = command.email ?? defaultReplacedVaultEmail(command.agent, now);
+    const email = command.email ?? defaultRepairVaultEmail(command.agent, config);
     const serverUrl = command.serverUrl ?? config.vault?.serverUrl ?? configuredVault.serverUrl;
-    const unlockSecret = (await promptSecret(`Choose replacement Ouro vault unlock secret for ${email}: `)).trim();
+    const unlockSecret = (await promptSecret(`Choose Ouro vault unlock secret for ${email}: `)).trim();
     if (!unlockSecret) {
-        throw new Error("vault replace requires a replacement unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.");
+        throw new Error("vault replace requires an unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.");
     }
-    const replacement = await createReplacementVaultForAgent({
+    const repair = await createRepairVaultForAgent({
         action: "replace",
         agentName: command.agent,
         email,
@@ -827,12 +833,12 @@ async function executeVaultReplace(command, deps) {
         configPath,
         config,
     });
-    if (!replacement.ok)
-        return replacement.message;
+    if (!repair.ok)
+        return repair.message;
     const message = [
         `vault replaced for ${command.agent}`,
         `vault: ${email} at ${serverUrl}`,
-        `local unlock store: ${replacement.store.kind}${replacement.store.secure ? "" : " (explicit plaintext fallback)"}`,
+        `local unlock store: ${repair.store.kind}${repair.store.secure ? "" : " (explicit plaintext fallback)"}`,
         "credentials imported: none",
         "This is the no-export path for agents that predate vault auth or lost an unsaved unlock secret.",
         "Re-auth/re-enter the credentials this agent should use:",
@@ -840,7 +846,7 @@ async function executeVaultReplace(command, deps) {
         `  ouro vault config set --agent ${command.agent} --key <field>`,
         `  ouro provider refresh --agent ${command.agent}`,
         `  ouro auth verify --agent ${command.agent}`,
-        "Keep the replacement vault unlock secret saved outside Ouro. Another machine will need it once.",
+        "Keep the vault unlock secret saved outside Ouro. Another machine will need it once.",
     ].join("\n");
     deps.writeStdout(message);
     return message;
@@ -856,13 +862,13 @@ async function executeVaultRecover(command, deps) {
     const now = providerCliNow(deps);
     const { configPath, config } = (0, auth_flow_1.readAgentConfigForAgent)(command.agent, deps.bundlesRoot);
     const configuredVault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
-    const email = command.email ?? defaultRecoveredVaultEmail(command.agent, now);
+    const email = command.email ?? defaultRepairVaultEmail(command.agent, config);
     const serverUrl = command.serverUrl ?? config.vault?.serverUrl ?? configuredVault.serverUrl;
-    const unlockSecret = (await promptSecret(`Choose replacement Ouro vault unlock secret for ${email}: `)).trim();
+    const unlockSecret = (await promptSecret(`Choose Ouro vault unlock secret for ${email}: `)).trim();
     if (!unlockSecret) {
-        throw new Error("vault recover requires a replacement unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.");
+        throw new Error("vault recover requires an unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.");
     }
-    const replacement = await createReplacementVaultForAgent({
+    const repair = await createRepairVaultForAgent({
         action: "recover",
         agentName: command.agent,
         email,
@@ -873,8 +879,8 @@ async function executeVaultRecover(command, deps) {
         configPath,
         config,
     });
-    if (!replacement.ok)
-        return replacement.message;
+    if (!repair.ok)
+        return repair.message;
     const importedProviders = new Set();
     let mergedRuntimeConfig = {};
     for (const source of sourceImports) {
@@ -899,12 +905,12 @@ async function executeVaultRecover(command, deps) {
     const message = [
         `vault recovered for ${command.agent}`,
         `vault: ${email} at ${serverUrl}`,
-        `local unlock store: ${replacement.store.kind}${replacement.store.secure ? "" : " (explicit plaintext fallback)"}`,
+        `local unlock store: ${repair.store.kind}${repair.store.secure ? "" : " (explicit plaintext fallback)"}`,
         `sources imported: ${sourceImports.length}`,
         `provider credentials imported: ${providerList.length === 0 ? "none" : providerList.join(", ")}`,
         `runtime credentials imported: ${runtimeFields.length === 0 ? "none" : runtimeFields.join(", ")}`,
         "credential values were not printed",
-        "Keep the replacement vault unlock secret saved outside Ouro. Another machine will need it once.",
+        "Keep the vault unlock secret saved outside Ouro. Another machine will need it once.",
     ].join("\n");
     deps.writeStdout(message);
     return message;

package/dist/heart/daemon/cli-help.js

@@ -270,12 +270,12 @@ const SUBCOMMAND_HELP = {
         example: "ouro vault create --agent ouroboros --email ouroboros@ouro.bot",
     },
     "vault replace": {
-        description: "Create an empty replacement agent vault when no unlock secret or JSON export exists",
+        description: "Create an empty agent vault at the stable agent email when no unlock secret or JSON export exists",
         usage: "ouro vault replace --agent <name> [--email <email>] [--server <url>] [--store <store>]",
         example: "ouro vault replace --agent ouroboros",
     },
     "vault recover": {
-        description: "Create a replacement agent vault and import local JSON credential exports",
+        description: "Create an agent vault at the stable agent email and import local JSON credential exports",
         usage: "ouro vault recover --agent <name> --from <json> [--from <json>] [--email <email>] [--server <url>] [--store <store>]",
         example: "ouro vault recover --agent ouroboros --from ./credentials.json",
     },

package/dist/repertoire/vault-unlock.js

@@ -100,7 +100,7 @@ function vaultUnlockReplaceRecoverFix(agentName, nextStep = "Then run 'ouro up'
     return [
         `Run 'ouro vault unlock --agent ${agentName}' if you have the saved vault unlock secret.`,
         `If this agent predates vault auth or nobody saved the unlock secret, run 'ouro vault replace --agent ${agentName}' to create a new empty vault, then re-auth/re-enter credentials.`,
-        `If you do have a local JSON credential export, run 'ouro vault recover --agent ${agentName} --from <json>' to create a replacement vault and import it.`,
+        `If you do have a local JSON credential export, run 'ouro vault recover --agent ${agentName} --from <json>' to create the agent vault and import it.`,
         nextStep,
     ].join(" ");
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.394",
+  "version": "0.1.0-alpha.395",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",