npm - @ouro.bot/cli - Versions diffs - 0.1.0-alpha.397 → 0.1.0-alpha.399 - Mend

@ouro.bot/cli 0.1.0-alpha.397 → 0.1.0-alpha.399

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/changelog.json +19 -0
package/dist/heart/auth/auth-flow.js +14 -0
package/dist/heart/daemon/cli-exec.js +5 -1
package/dist/nerves/coverage/contract.js +5 -5
package/dist/repertoire/bitwarden-store.js +25 -5
package/package.json +1 -1

package/changelog.json CHANGED Viewed

@@ -1,6 +1,25 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.399",
+      "changes": [
+        "Bitwarden-backed credential writes now pipe provider vault item payloads to `bw create item` and `bw edit item` over stdin instead of putting encoded credential JSON in process arguments.",
+        "Bitwarden CLI failures are now sanitized before they reach CLI output, so `Command failed: bw ...` argv, encoded payloads, raw provider tokens, and vault item passwords are not printed.",
+        "Bitwarden master-password prompts during credential writes now surface as a short locked/expired local session message instead of dumping the failed command invocation.",
+        "The nerves redaction audit now looks for credential-shaped text instead of failing on ordinary file paths or branch names that contain words like `secret`, `password`, or `api-key`.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the Bitwarden secret redaction release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.398",
+      "changes": [
+        "`ouro auth --agent <agent> --provider <provider>` now prints safe progress breadcrumbs while it checks vault access, runs provider login, stores credentials in the agent vault, refreshes the local provider snapshot, and verifies the provider.",
+        "Provider auth launched from `ouro repair` and hatch bootstrap now uses the same auth progress hook, so browser/login flows no longer leave humans staring at a silent cursor after the provider says login succeeded.",
+        "Auth progress messages are phase labels only; they never include OAuth tokens, API keys, vault unlock secrets, or credential payload values.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the auth progress breadcrumb release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.397",
       "changes": [

package/dist/heart/auth/auth-flow.js CHANGED Viewed

@@ -187,6 +187,9 @@ function ensurePromptInput(promptInput, provider) {
         return promptInput;
     throw new Error(`No prompt input is available for ${provider} authentication.`);
 }
+function writeAuthProgress(input, message) {
+    input.onProgress?.(message);
+}
 function validateAnthropicToken(token) {
     const trimmed = token.trim();
     if (!trimmed) {
@@ -206,10 +209,12 @@ async function collectRuntimeAuthCredentials(input, deps) {
     if (input.provider === "github-copilot") {
         let token = process.env.GH_TOKEN?.trim() || process.env.GITHUB_TOKEN?.trim() || "";
         if (!token) {
+            writeAuthProgress(input, "checking GitHub CLI credentials...");
             const result = spawnSync("gh", ["auth", "token"], { encoding: "utf8" });
             token = (result.status === 0 && result.stdout ? result.stdout.trim() : "");
         }
         if (!token) {
+            writeAuthProgress(input, "starting GitHub login...");
             (0, runtime_1.emitNervesEvent)({
                 component: "daemon",
                 event: "daemon.auth_gh_login_start",
@@ -228,6 +233,7 @@ async function collectRuntimeAuthCredentials(input, deps) {
                 throw new Error("gh auth login completed but no token was found. Run `gh auth login` and try again.");
             }
         }
+        writeAuthProgress(input, "checking GitHub Copilot access...");
         const response = await fetch("https://api.github.com/copilot_internal/user", {
             headers: { Authorization: `Bearer ${token}` },
         });
@@ -252,6 +258,7 @@ async function collectRuntimeAuthCredentials(input, deps) {
             message: "starting codex login for runtime auth",
             meta: { agentName: input.agentName },
         });
+        writeAuthProgress(input, "starting openai-codex browser login...");
         const result = spawnSync("codex", ["login"], { stdio: "inherit" });
         if (result.error) {
             throw new Error(`Failed to run 'codex login': ${result.error.message}`);
@@ -259,6 +266,7 @@ async function collectRuntimeAuthCredentials(input, deps) {
         if (result.status !== 0) {
             throw new Error(`'codex login' exited with status ${result.status}.`);
         }
+        writeAuthProgress(input, "openai-codex login complete; reading local Codex token...");
         const token = readCodexAccessToken(homeDir);
         if (!token) {
             throw new Error("Codex login completed but no token was found in ~/.codex/auth.json. Re-run `codex login` and try again.");
@@ -272,6 +280,7 @@ async function collectRuntimeAuthCredentials(input, deps) {
             message: "starting claude setup-token for runtime auth",
             meta: { agentName: input.agentName },
         });
+        writeAuthProgress(input, "starting anthropic setup-token flow...");
         const result = spawnSync("claude", ["setup-token"], { stdio: "inherit" });
         if (result.error) {
             throw new Error(`Failed to run 'claude setup-token': ${result.error.message}`);
@@ -287,6 +296,7 @@ async function collectRuntimeAuthCredentials(input, deps) {
         /* v8 ignore start -- token exchange: requires live Anthropic OAuth endpoint @preserve */
         try {
             const { refreshAnthropicToken } = await Promise.resolve().then(() => __importStar(require("../providers/anthropic-token")));
+            writeAuthProgress(input, "exchanging anthropic setup token...");
             const tokenState = await refreshAnthropicToken(setupToken);
             if (tokenState) {
                 return {
@@ -329,6 +339,7 @@ async function resolveHatchCredentials(input) {
             agentName: input.agentName,
             provider: input.provider,
             promptInput: input.promptInput,
+            onProgress: input.onProgress,
         });
         Object.assign(credentials, result.credentials);
         /* v8 ignore next 3 -- branch: auth flow always fills all required fields in production @preserve */
@@ -357,12 +368,15 @@ async function runRuntimeAuthFlow(input, deps = {}) {
         message: "starting runtime auth flow",
         meta: { agentName: input.agentName, provider: input.provider },
     });
+    writeAuthProgress(input, `checking ${input.agentName}'s vault access...`);
     const vault = await (0, provider_credentials_1.refreshProviderCredentialPool)(input.agentName);
     if (!vault.ok && vault.reason === "unavailable") {
         throw new Error(`${vault.error}\n${(0, vault_unlock_1.vaultUnlockReplaceRecoverFix)(input.agentName, `Then retry 'ouro auth --agent ${input.agentName} --provider ${input.provider}'.`)}`);
     }
     const credentials = await collectRuntimeAuthCredentials(input, deps);
+    writeAuthProgress(input, `${input.provider} credentials collected; storing in ${input.agentName}'s vault...`);
     const { credentialPath } = await storeProviderCredentials(input.agentName, input.provider, credentials);
+    writeAuthProgress(input, `credentials stored at ${credentialPath}; local provider snapshot refreshed.`);
     (0, runtime_1.emitNervesEvent)({
         component: "daemon",
         event: "daemon.auth_flow_end",

package/dist/heart/daemon/cli-exec.js CHANGED Viewed

@@ -595,6 +595,7 @@ async function resolveHatchInput(command, deps) {
         credentials: command.credentials,
         promptInput: prompt,
         runAuthFlow: deps.runAuthFlow,
+        onProgress: deps.writeStdout,
     });
     return {
         agentName,
@@ -1414,6 +1415,7 @@ async function executeReadinessRepairAction(agent, action, deps) {
             agentName: agent,
             provider,
             promptInput: deps.promptInput,
+            onProgress: deps.writeStdout,
         });
         deps.writeStdout(result.message);
         await executeProviderRefresh({ kind: "provider.refresh", agent }, deps);
@@ -2327,7 +2329,7 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
                         const provider = providerOverride ?? config.humanFacing.provider;
                         /* v8 ignore next -- tests always inject runAuthFlow; default is for production @preserve */
                         const authRunner = deps.runAuthFlow ?? (await Promise.resolve().then(() => __importStar(require("../auth/auth-flow")))).runRuntimeAuthFlow;
-                        await authRunner({ agentName: agent, provider, promptInput: deps.promptInput });
+                        await authRunner({ agentName: agent, provider, promptInput: deps.promptInput, onProgress: deps.writeStdout });
                     },
                     runVaultUnlock: async (agent) => {
                         await executeVaultUnlock({ kind: "vault.unlock", agent }, deps);
@@ -2963,6 +2965,7 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             agentName: command.agent,
             provider,
             promptInput: deps.promptInput,
+            onProgress: deps.writeStdout,
         });
         // Behavior: ouro auth stores credentials only — does NOT switch provider.
         // Use `ouro auth switch` to change the active provider.
@@ -2970,6 +2973,7 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
         // Verify the credentials actually work by pinging the provider
         /* v8 ignore start -- integration: real API ping after auth @preserve */
         try {
+            deps.writeStdout(`verifying ${provider} credentials...`);
             const credential = await readProviderCredentialRecord(command.agent, provider, deps);
             const status = credential.ok
                 ? await verifyProviderCredentials(provider, {

package/dist/nerves/coverage/contract.js CHANGED Viewed

@@ -12,11 +12,11 @@ exports.REQUIRED_ENVELOPE_FIELDS = [
     "meta",
 ];
 exports.SENSITIVE_PATTERNS = [
-    /\btoken\s*[:=]/i,
-    /\bapi[_-]?key\b/i,
-    /\bpassword\b/i,
-    /\bsecret\b/i,
-    /\bauthorization\b/i,
+    /\btoken\b["']?\s*[:=]/i,
+    /\bapi[_-]?key\b["']?\s*[:=]/i,
+    /\bpassword\b["']?\s*[:=]/i,
+    /\bsecret\b["']?\s*[:=]/i,
+    /\bauthorization\b["']?\s*[:=]/i,
 ];
 function eventKey(component, event) {
     return `${component}:${event}`;

package/dist/repertoire/bitwarden-store.js CHANGED Viewed

@@ -49,24 +49,44 @@ const bw_installer_1 = require("./bw-installer");
 // ---------------------------------------------------------------------------
 // bw CLI wrapper
 // ---------------------------------------------------------------------------
-function execBw(args, sessionToken, appDataDir) {
+function sanitizeBwErrorDetail(message) {
+    if (/master password/i.test(message)) {
+        return "bw CLI requested a master password; the local Bitwarden session is locked or expired";
+    }
+    const withoutCommandLine = message
+        .split(/\r?\n/)
+        .filter((line) => !line.trim().startsWith("Command failed:"))
+        .join("\n")
+        .trim();
+    return (withoutCommandLine || "command failed")
+        .replace(/[A-Za-z0-9+/=]{80,}/g, "[redacted]")
+        .slice(0, 500);
+}
+function formatBwCliError(err, stderr = "") {
+    const detail = sanitizeBwErrorDetail(stderr.trim() || err.message);
+    return new Error(`bw CLI error: ${detail}`);
+}
+function execBw(args, sessionToken, appDataDir, stdin) {
     const env = {
         ...process.env,
         ...(sessionToken ? { BW_SESSION: sessionToken } : {}),
         ...(appDataDir ? { BITWARDENCLI_APPDATA_DIR: appDataDir } : {}),
     };
     return new Promise((resolve, reject) => {
-        (0, node_child_process_1.execFile)("bw", args, { timeout: 30_000, env }, (err, stdout) => {
+        const child = (0, node_child_process_1.execFile)("bw", args, { timeout: 30_000, env }, (err, stdout, stderr) => {
             if (err) {
                 if (isBwNotInstalled(err)) {
                     reject(new Error("bw CLI not found. Install from https://bitwarden.com/help/cli/"));
                     return;
                 }
-                reject(new Error(`bw CLI error: ${err.message}`));
+                reject(formatBwCliError(err, stderr));
                 return;
             }
             resolve(stdout);
         });
+        if (stdin !== undefined) {
+            child?.stdin?.end(stdin);
+        }
     });
 }
 /** Check if the error indicates the bw CLI binary is not installed. */
@@ -275,10 +295,10 @@ class BitwardenCredentialStore {
         };
         const encoded = Buffer.from(JSON.stringify(item)).toString("base64");
         if (existing) {
-            await execBw(["edit", "item", existing.id, encoded], session, this.appDataDir);
+            await execBw(["edit", "item", existing.id], session, this.appDataDir, encoded);
         }
         else {
-            await execBw(["create", "item", encoded], session, this.appDataDir);
+            await execBw(["create", "item"], session, this.appDataDir, encoded);
         }
         (0, runtime_1.emitNervesEvent)({
             event: "repertoire.bw_credential_store_end",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.397",
+  "version": "0.1.0-alpha.399",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",