@ouro.bot/cli 0.1.0-alpha.40 → 0.1.0-alpha.401

package/dist/repertoire/bitwarden-store.js

@@ -0,0 +1,519 @@
+"use strict";
+/**
+ * Bitwarden CLI credential store — wraps `bw` CLI for the agent's own vault.
+ *
+ * This store authenticates directly as the agent using its own master password.
+ * The agent owns the vault, so no human-in-the-loop is needed.
+ *
+ * Requires the `bw` CLI to be installed. Session tokens are cached process-local.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BitwardenCredentialStore = void 0;
+const node_child_process_1 = require("node:child_process");
+const fs = __importStar(require("node:fs"));
+const runtime_1 = require("../nerves/runtime");
+const bw_installer_1 = require("./bw-installer");
+// ---------------------------------------------------------------------------
+// bw CLI wrapper
+// ---------------------------------------------------------------------------
+function isBwSessionUnavailableMessage(message) {
+    return (/master password/i.test(message) ||
+        /vault is locked/i.test(message) ||
+        /not logged in/i.test(message) ||
+        /session key/i.test(message) ||
+        /local bitwarden session/i.test(message));
+}
+function isBwInvalidUnlockSecretMessage(message) {
+    return /invalid master password/i.test(message) || /saved vault unlock secret/i.test(message);
+}
+function sanitizeBwErrorDetail(message) {
+    if (isBwInvalidUnlockSecretMessage(message)) {
+        return "bw CLI rejected the saved vault unlock secret for this machine";
+    }
+    if (isBwSessionUnavailableMessage(message)) {
+        return "bw CLI could not use the local Bitwarden session because it is locked, missing, or expired";
+    }
+    const withoutCommandLine = message
+        .split(/\r?\n/)
+        .filter((line) => !line.trim().startsWith("Command failed:"))
+        .join("\n")
+        .trim();
+    return (withoutCommandLine || "command failed")
+        .replace(/[A-Za-z0-9+/=]{80,}/g, "[redacted]")
+        .slice(0, 500);
+}
+function formatBwCliError(err, stderr = "") {
+    const detail = sanitizeBwErrorDetail(stderr.trim() || err.message);
+    return new Error(`bw CLI error: ${detail}`);
+}
+function isBwSessionAuthError(err) {
+    return isBwSessionUnavailableMessage(err.message) || isBwInvalidUnlockSecretMessage(err.message);
+}
+function isBwConfigLogoutRequired(err) {
+    const message = err.message.toLowerCase();
+    return message.includes("logout") && message.includes("required");
+}
+function execBw(args, sessionToken, appDataDir, stdin) {
+    const env = {
+        ...process.env,
+        ...(sessionToken ? { BW_SESSION: sessionToken } : {}),
+        ...(appDataDir ? { BITWARDENCLI_APPDATA_DIR: appDataDir } : {}),
+    };
+    return new Promise((resolve, reject) => {
+        const child = (0, node_child_process_1.execFile)("bw", args, { timeout: 30_000, env }, (err, stdout, stderr) => {
+            if (err) {
+                if (isBwNotInstalled(err)) {
+                    reject(new Error("bw CLI not found. Install from https://bitwarden.com/help/cli/"));
+                    return;
+                }
+                reject(formatBwCliError(err, stderr));
+                return;
+            }
+            resolve(stdout);
+        });
+        if (stdin !== undefined) {
+            child?.stdin?.end(stdin);
+        }
+    });
+}
+/** Check if the error indicates the bw CLI binary is not installed. */
+function isBwNotInstalled(err) {
+    const msg = err.message.toLowerCase();
+    const code = err.code;
+    return code === "ENOENT" || msg.includes("enoent") || msg.includes("not found") || msg.includes("command not found");
+}
+/** Check if the error is transient (network/timeout) and worth retrying. */
+function isTransientError(err) {
+    const msg = err.message.toLowerCase();
+    return (msg.includes("econnrefused") ||
+        msg.includes("etimedout") ||
+        msg.includes("enotfound") ||
+        msg.includes("socket hang up") ||
+        msg.includes("503") ||
+        msg.includes("server unavailable"));
+}
+const MAX_RETRIES = 3;
+const BASE_BACKOFF_MS = 1000;
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isBwLoginItem(value) {
+    if (!value || typeof value !== "object" || Array.isArray(value))
+        return false;
+    const item = value;
+    if (typeof item.id !== "string" || item.id.trim().length === 0)
+        return false;
+    if (typeof item.name !== "string" || item.name.trim().length === 0)
+        return false;
+    if (item.login !== undefined) {
+        if (!item.login || typeof item.login !== "object" || Array.isArray(item.login))
+            return false;
+        const login = item.login;
+        if (login.username !== undefined && typeof login.username !== "string")
+            return false;
+        if (login.password !== undefined && typeof login.password !== "string")
+            return false;
+        if (login.uris !== undefined) {
+            if (!Array.isArray(login.uris))
+                return false;
+            for (const uri of login.uris) {
+                if (!uri || typeof uri !== "object" || Array.isArray(uri))
+                    return false;
+                const uriRecord = uri;
+                if (uriRecord.uri !== undefined && typeof uriRecord.uri !== "string")
+                    return false;
+            }
+        }
+    }
+    if (item.notes !== undefined && item.notes !== null && typeof item.notes !== "string")
+        return false;
+    if (item.revisionDate !== undefined && typeof item.revisionDate !== "string")
+        return false;
+    return true;
+}
+function parseBwItems(stdout, context) {
+    let parsed;
+    try {
+        parsed = JSON.parse(stdout);
+        if (!Array.isArray(parsed)) {
+            throw new Error("expected item array");
+        }
+        const items = parsed;
+        if (!items.every(isBwLoginItem)) {
+            throw new Error("expected login items");
+        }
+        return items;
+    }
+    catch {
+        if (Array.isArray(parsed)) {
+            throw new Error(`bw CLI error: invalid item from ${context}`);
+        }
+        throw new Error(`bw CLI error: invalid JSON from ${context}`);
+    }
+}
+function parseBwItem(stdout, context) {
+    let parsed;
+    try {
+        parsed = JSON.parse(stdout);
+        if (!isBwLoginItem(parsed)) {
+            throw new Error("expected login item");
+        }
+        return parsed;
+    }
+    catch {
+        if (parsed !== undefined) {
+            throw new Error(`bw CLI error: invalid item from ${context}`);
+        }
+        throw new Error(`bw CLI error: invalid JSON from ${context}`);
+    }
+}
+function parseBwItemId(stdout) {
+    try {
+        const parsed = JSON.parse(stdout);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return null;
+        const id = parsed.id;
+        return typeof id === "string" && id.trim().length > 0 ? id : null;
+    }
+    catch {
+        return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// BitwardenCredentialStore
+// ---------------------------------------------------------------------------
+class BitwardenCredentialStore {
+    serverUrl;
+    email;
+    masterPassword;
+    appDataDir;
+    sessionToken = null;
+    constructor(serverUrl, email, masterPassword, options = {}) {
+        this.serverUrl = serverUrl;
+        this.email = email;
+        this.masterPassword = masterPassword;
+        this.appDataDir = options.appDataDir;
+    }
+    isReady() {
+        return true;
+    }
+    /**
+     * Ensure the bw CLI is authenticated and unlocked.
+     * Handles three states: logged out → login, locked → unlock, already unlocked → no-op.
+     * Retries transient failures (network/timeout) up to MAX_RETRIES with exponential backoff.
+     */
+    async login() {
+        // Ensure bw CLI is installed before any bw commands
+        await (0, bw_installer_1.ensureBwCli)();
+        if (this.appDataDir) {
+            fs.mkdirSync(this.appDataDir, { recursive: true, mode: 0o700 });
+        }
+        let lastError;
+        for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
+            try {
+                await this.loginAttempt();
+                return;
+            }
+            catch (err) {
+                /* v8 ignore next -- defensive: loginAttempt always throws Error instances @preserve */
+                lastError = err instanceof Error ? err : new Error(String(err));
+                // Don't retry non-transient errors (auth failures, bw not installed)
+                if (!isTransientError(lastError)) {
+                    throw lastError;
+                }
+                // Don't retry after final attempt
+                if (attempt === MAX_RETRIES - 1)
+                    break;
+                const backoffMs = BASE_BACKOFF_MS * Math.pow(2, attempt);
+                (0, runtime_1.emitNervesEvent)({
+                    event: "repertoire.bw_login_retry",
+                    component: "repertoire",
+                    message: `bw login attempt ${attempt + 1} failed, retrying in ${backoffMs}ms`,
+                    meta: { attempt: attempt + 1, backoffMs, reason: lastError.message },
+                });
+                await delay(backoffMs);
+            }
+        }
+        throw lastError;
+    }
+    /** Single login attempt — called by login() retry loop. */
+    async loginAttempt() {
+        // Check current status
+        let status = {};
+        try {
+            const raw = await execBw(["status"], undefined, this.appDataDir);
+            status = JSON.parse(raw);
+        }
+        catch (err) {
+            // If bw CLI is not installed or a transient error, propagate it for retry
+            if (err instanceof Error && (isBwNotInstalled(err) || isTransientError(err))) {
+                throw err;
+            }
+            // CLI not configured or broken — proceed with full setup
+        }
+        // Configure server URL if needed (only works when logged out)
+        if (status.status === "unauthenticated" || !status.serverUrl) {
+            try {
+                await execBw(["config", "server", this.serverUrl], undefined, this.appDataDir);
+            }
+            catch (error) {
+                const err = error;
+                // "Logout required" means already logged in — that's fine, skip config.
+                if (!isBwConfigLogoutRequired(err)) {
+                    throw err;
+                }
+            }
+        }
+        if (status.status === "locked") {
+            // Already logged in, just needs unlock
+            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"], undefined, this.appDataDir);
+            this.sessionToken = unlockOutput.trim();
+        }
+        else if (status.status === "unauthenticated" || !status.status) {
+            // Not logged in — full login
+            const loginOutput = await execBw(["login", this.email, this.masterPassword, "--raw"], undefined, this.appDataDir);
+            try {
+                const parsed = JSON.parse(loginOutput);
+                this.sessionToken = parsed.access_token ?? loginOutput.trim();
+            }
+            catch {
+                this.sessionToken = loginOutput.trim();
+            }
+        }
+        else {
+            // Status is "unlocked" — already good, just need the session token
+            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"], undefined, this.appDataDir);
+            this.sessionToken = unlockOutput.trim();
+        }
+    }
+    async ensureSession() {
+        if (!this.sessionToken) {
+            await this.login();
+        }
+        /* v8 ignore next -- defensive: login() always sets sessionToken on success @preserve */
+        return this.sessionToken ?? undefined;
+    }
+    async withSessionRetry(operation) {
+        let attemptedFreshSession = false;
+        while (true) {
+            const session = await this.ensureSession();
+            try {
+                return await operation(session);
+            }
+            catch (error) {
+                const err = error;
+                if (attemptedFreshSession || !isBwSessionAuthError(err)) {
+                    throw err;
+                }
+                this.sessionToken = null;
+                attemptedFreshSession = true;
+            }
+        }
+    }
+    async get(domain) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_get_start",
+            component: "repertoire",
+            message: `getting credential via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+        const item = await this.withSessionRetry((session) => this.findItemByDomain(domain, session));
+        if (!item) {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_credential_get_end",
+                component: "repertoire",
+                message: `no bw credential for ${domain}`,
+                meta: { domain, found: false, backend: "bitwarden" },
+            });
+            return null;
+        }
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_get_end",
+            component: "repertoire",
+            message: `bw credential found for ${domain}`,
+            meta: { domain, found: true, backend: "bitwarden" },
+        });
+        return {
+            domain: item.name,
+            username: item.login?.username,
+            notes: item.notes ?? undefined,
+            createdAt: item.revisionDate ?? new Date().toISOString(),
+        };
+    }
+    async getRawSecret(domain, field) {
+        const item = await this.withSessionRetry((session) => this.findItemByDomain(domain, session));
+        if (!item) {
+            throw new Error(`no credential found for domain "${domain}"`);
+        }
+        // Map common field names to bw item structure
+        let value;
+        if (field === "password") {
+            value = item.login?.password;
+        }
+        else if (field === "username") {
+            value = item.login?.username;
+        }
+        else {
+            value = item[field];
+        }
+        if (value === undefined || value === null) {
+            throw new Error(`field "${field}" not found for domain "${domain}"`);
+        }
+        return String(value);
+    }
+    async store(domain, data) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_store_start",
+            component: "repertoire",
+            message: `storing credential via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+        await this.withSessionRetry(async (session) => {
+            const existing = await this.findItemByDomain(domain, session);
+            const item = {
+                ...(existing ?? {}),
+                type: 1, // Login type
+                name: domain,
+                login: {
+                    username: data.username ?? "",
+                    password: data.password,
+                    uris: [{ match: null, uri: `https://${domain}` }],
+                },
+                notes: data.notes ?? null,
+            };
+            const encoded = Buffer.from(JSON.stringify(item)).toString("base64");
+            let savedItem;
+            if (existing) {
+                const stdout = await execBw(["edit", "item", existing.id], session, this.appDataDir, encoded);
+                const savedItemId = parseBwItemId(stdout) ?? existing.id;
+                savedItem = await this.findItemById(savedItemId, session);
+            }
+            else {
+                const stdout = await execBw(["create", "item"], session, this.appDataDir, encoded);
+                const savedItemId = parseBwItemId(stdout);
+                savedItem = savedItemId
+                    ? await this.findItemById(savedItemId, session)
+                    : await this.findItemByDomain(domain, session);
+            }
+            this.assertStoredCredentialMatches(domain, data, savedItem);
+        });
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_store_end",
+            component: "repertoire",
+            message: `credential stored via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+    }
+    async list() {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_list_start",
+            component: "repertoire",
+            message: "listing bw credentials",
+            meta: { backend: "bitwarden" },
+        });
+        const stdout = await this.withSessionRetry((session) => execBw(["list", "items"], session, this.appDataDir));
+        const items = parseBwItems(stdout, "bw list items");
+        const results = items.map((item) => ({
+            domain: item.name,
+            username: item.login?.username,
+            notes: item.notes ?? undefined,
+            createdAt: item.revisionDate ?? new Date().toISOString(),
+        }));
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_list_end",
+            component: "repertoire",
+            message: "bw credentials listed",
+            meta: { backend: "bitwarden", count: results.length },
+        });
+        return results;
+    }
+    async delete(domain) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_delete_start",
+            component: "repertoire",
+            message: `deleting credential via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+        const item = await this.withSessionRetry((session) => this.findItemByDomain(domain, session));
+        if (!item) {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_credential_delete_end",
+                component: "repertoire",
+                message: `no bw credential to delete for ${domain}`,
+                meta: { domain, deleted: false, backend: "bitwarden" },
+            });
+            return false;
+        }
+        await this.withSessionRetry((session) => execBw(["delete", "item", item.id], session, this.appDataDir));
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_delete_end",
+            component: "repertoire",
+            message: `credential deleted via bw for ${domain}`,
+            meta: { domain, deleted: true, backend: "bitwarden" },
+        });
+        return true;
+    }
+    // --- Private ---
+    async findItemByDomain(domain, session) {
+        const stdout = await execBw(["list", "items", "--search", domain], session, this.appDataDir);
+        const items = parseBwItems(stdout, "bw list items --search");
+        // Find exact match by name
+        return items.find((item) => item.name === domain) ?? null;
+    }
+    async findItemById(id, session) {
+        const stdout = await execBw(["get", "item", id], session, this.appDataDir);
+        return parseBwItem(stdout, "bw get item");
+    }
+    assertStoredCredentialMatches(domain, data, item) {
+        if (!item) {
+            throw new Error(`bw CLI error: credential save verification failed for ${domain}: saved item could not be read back after write`);
+        }
+        const mismatches = [];
+        if (item.name !== domain)
+            mismatches.push("name");
+        if ((item.login?.username ?? "") !== (data.username ?? ""))
+            mismatches.push("username");
+        if ((item.login?.password ?? "") !== data.password)
+            mismatches.push("password");
+        if ((item.notes ?? null) !== (data.notes ?? null))
+            mismatches.push("notes");
+        if (mismatches.length > 0) {
+            const label = mismatches.length === 1 ? "field" : "fields";
+            throw new Error(`bw CLI error: credential save verification failed for ${domain}: saved item did not match requested ${label} ${mismatches.join(", ")}`);
+        }
+    }
+}
+exports.BitwardenCredentialStore = BitwardenCredentialStore;

package/dist/repertoire/bundle-templates.js

@@ -0,0 +1,72 @@
+"use strict";
+/**
+ * Templates for agent bundle scaffolding.
+ *
+ * ## .gitignore design philosophy
+ *
+ * The bundle .gitignore handles FUNCTIONAL "shouldn't track" cases only:
+ *
+ *   - Runtime state (sessions, logs, runtime files) — stale data with no
+ *     value for review or history.
+ *   - Credentials — real secrets live in the agent vault, but defense
+ *     in depth in case anything leaks into the bundle.
+ *   - Editor / OS noise (.DS_Store, .idea/, etc.).
+ *   - Build artifacts (rare in bundles, but possible).
+ *
+ * It DOES NOT handle PII. The bundle is inherently full of PII — `friends/`,
+ * `diary/`, `journal/`, `psyche/`, `arc/`, `facts/`, `family/`, `travel/`
+ * etc. That's the point of the bundle; blocking those via .gitignore would
+ * defeat the purpose.
+ *
+ * PII is handled at first-push time by `bundle_first_push_review`, which
+ * enumerates PII-bearing directories, shows the agent counts, probes the
+ * remote URL for GitHub visibility, and hard-pauses until the human
+ * confirms. See Directive D in the planning doc.
+ *
+ * No content-pattern blocks (no `**\/sk-ant-*` or similar). Content-review
+ * failures are a different safety layer — credential scanning at commit
+ * time would be a follow-up feature.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PII_BUNDLE_DIRECTORIES = exports.BUNDLE_GITIGNORE_TEMPLATE = void 0;
+exports.BUNDLE_GITIGNORE_TEMPLATE = `# Runtime state — sessions, logs, runtime files, never tracked
+state/
+
+# Credentials — never tracked. Real secrets live in the agent vault, but
+# defense in depth in case anything leaks into the bundle.
+.env
+.env.*
+secrets/
+**/*.key
+**/*.pem
+**/*.credentials
+**/*.pfx
+
+# Editor and OS noise
+.DS_Store
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Build artifacts (rare in bundles, but possible if a workspace lands here)
+node_modules/
+dist/
+`;
+/**
+ * PII-sensitive top-level directories. Enumerated here so `bundle_first_push_review`
+ * can categorize and count. Adding a new PII bucket to the bundle means adding
+ * it here so the first-push warning includes it.
+ */
+exports.PII_BUNDLE_DIRECTORIES = [
+    "friends",
+    "diary",
+    "journal",
+    "psyche",
+    "arc",
+    "facts",
+    "family",
+    "travel",
+    "notes",
+    "sessions",
+];

package/dist/repertoire/bw-installer.js

@@ -0,0 +1,79 @@
+"use strict";
+/**
+ * Lazy bw CLI installer — auto-installs the Bitwarden CLI when not present.
+ *
+ * Mirrors the whisper-cpp pattern in senses/bluebubbles/media.ts:
+ * check PATH first, install via npm if missing, emit nerves event.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureBwCli = ensureBwCli;
+const node_child_process_1 = require("node:child_process");
+const runtime_1 = require("../nerves/runtime");
+const INSTALL_TIMEOUT_MS = 120_000;
+const WHICH_TIMEOUT_MS = 5_000;
+function execFileAsync(cmd, args, timeout) {
+    return new Promise((resolve, reject) => {
+        (0, node_child_process_1.execFile)(cmd, args, { timeout }, (err, stdout) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            resolve(stdout);
+        });
+    });
+}
+/**
+ * Ensure the `bw` CLI is available, installing it via npm if needed.
+ * Returns the path to the `bw` binary.
+ */
+async function ensureBwCli() {
+    // 1. Check if bw is already in PATH
+    try {
+        const existing = (await execFileAsync("which", ["bw"], WHICH_TIMEOUT_MS)).trim();
+        if (existing) {
+            return existing;
+        }
+    }
+    catch {
+        // Not found — fall through to install
+    }
+    // 2. Install via npm
+    (0, runtime_1.emitNervesEvent)({
+        event: "repertoire.bw_cli_install_start",
+        component: "repertoire",
+        message: "bw CLI not found, installing via npm",
+        meta: {},
+    });
+    try {
+        await execFileAsync("npm", ["install", "-g", "@bitwarden/cli"], INSTALL_TIMEOUT_MS);
+    }
+    catch (err) {
+        /* v8 ignore next -- execFileCb always throws Error instances @preserve */
+        const reason = err instanceof Error ? err.message : String(err);
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            event: "repertoire.bw_cli_install_fail",
+            component: "repertoire",
+            message: "failed to install bw CLI via npm",
+            meta: { reason },
+        });
+        throw new Error(`failed to install bw CLI via npm: ${reason}`);
+    }
+    // 3. Verify installation and return path
+    try {
+        const installed = (await execFileAsync("which", ["bw"], WHICH_TIMEOUT_MS)).trim();
+        if (installed) {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_cli_install_end",
+                component: "repertoire",
+                message: "bw CLI installed successfully",
+                meta: { path: installed },
+            });
+            return installed;
+        }
+    }
+    catch {
+        // Fall through to error
+    }
+    throw new Error("bw CLI installed via npm but binary not found in PATH");
+}