@ouro.bot/cli 0.1.0-alpha.404 → 0.1.0-alpha.406

package/changelog.json

@@ -1,6 +1,23 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.406",
+      "changes": [
+        "`ouro auth --agent <agent> --provider <provider>` now keeps narrating the post-login vault save path with `opening ... vault session`, `storing ... credentials`, and `refreshing local provider snapshot`, so a successful browser login no longer drops into a silent cursor while secrets are being persisted.",
+        "Bitwarden-backed provider saves now classify timeouts and empty command failures by operation and redact raw `bw create item ...` command text, encoded payloads, and prompt echoes from auth output.",
+        "Auth, repair CLI, and Bitwarden regression coverage now encodes the reported post-login save failure shapes so the same leak-prone path stays guarded.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the post-login vault save hardening release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.405",
+      "changes": [
+        "`ouro up` now keeps walking the guided repair path when one successful fix reveals the next runnable issue for the same agent, instead of stopping after the first pass and making you rerun the command.",
+        "The happy repair path still prints `provider checks recovered after repair`, and the chained-flow coverage now exercises vault-unlock-then-auth continuation directly.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the chained preflight repair release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.404",
       "changes": [

package/dist/heart/auth/auth-flow.js

@@ -148,6 +148,7 @@ async function storeProviderCredentials(agentName, provider, credentials, deps =
         config: split.config,
         provenance: { source: "auth-flow" },
         now: deps.now,
+        onProgress: deps.onProgress,
     });
     return { credentialPath: (0, provider_credentials_1.providerCredentialItemName)(provider) };
 }
@@ -391,11 +392,14 @@ async function runRuntimeAuthFlow(input, deps = {}) {
         throw new Error(`${vault.error}\n${(0, vault_unlock_1.vaultUnlockReplaceRecoverFix)(input.agentName, `Then retry 'ouro auth --agent ${input.agentName} --provider ${input.provider}'.`)}`);
     }
     const credentials = await collectRuntimeAuthCredentials(input, deps);
-    writeAuthProgress(input, `${input.provider} credentials collected; storing in ${input.agentName}'s vault...`);
     let credentialPath;
     try {
         ;
-        ({ credentialPath } = await storeProviderCredentials(input.agentName, input.provider, credentials));
+        ({
+            credentialPath,
+        } = await storeProviderCredentials(input.agentName, input.provider, credentials, {
+            onProgress: (message) => writeAuthProgress(input, message),
+        }));
     }
     catch (error) {
         throw formatVaultStoreError(input.agentName, input.provider, error);

package/dist/heart/daemon/cli-exec.js

@@ -1459,13 +1459,65 @@ function readinessReportsFromDegraded(degraded) {
         issues: [readinessIssueFromDegraded(entry)],
     }));
 }
-async function runReadinessRepairForDegraded(degraded, deps) {
-    return (0, readiness_repair_1.runGuidedReadinessRepair)(readinessReportsFromDegraded(degraded), {
-        promptInput: deps.promptInput,
-        writeStdout: deps.writeStdout,
-        runRepairAction: async (agentName, action) => executeReadinessRepairAction(agentName, action, deps),
+function degradedEntrySignature(entry) {
+    const issue = readinessIssueFromDegraded(entry);
+    return JSON.stringify({
+        agent: entry.agent,
+        kind: issue.kind,
+        summary: issue.summary,
+        detail: issue.detail ?? "",
+        actions: issue.actions.map((action) => `${action.kind}:${action.command}:${action.executable === false ? "manual" : "run"}`),
     });
 }
+function mergeRemainingDegraded(untouched, rechecked) {
+    const byAgent = new Map();
+    for (const entry of untouched)
+        byAgent.set(entry.agent, entry);
+    for (const entry of rechecked)
+        byAgent.set(entry.agent, entry);
+    return [...byAgent.values()];
+}
+async function runReadinessRepairForDegraded(degraded, deps) {
+    let current = degraded;
+    let repairsAttempted = false;
+    for (let pass = 0; pass < 3; pass += 1) {
+        const attemptedAgents = new Set();
+        const result = await (0, readiness_repair_1.runGuidedReadinessRepair)(readinessReportsFromDegraded(current), {
+            promptInput: deps.promptInput,
+            writeStdout: deps.writeStdout,
+            onActionAttempted: (agentName) => {
+                attemptedAgents.add(agentName);
+            },
+            runRepairAction: async (agentName, action) => executeReadinessRepairAction(agentName, action, deps),
+        });
+        if (!result.repairsAttempted) {
+            return { repairsAttempted, remainingDegraded: current };
+        }
+        repairsAttempted = true;
+        /* v8 ignore next -- onActionAttempted runs before any runnable repair action, so repairsAttempted implies at least one attempted agent @preserve */
+        if (attemptedAgents.size === 0) {
+            return { repairsAttempted, remainingDegraded: current };
+        }
+        const previousByAgent = new Map();
+        for (const entry of current) {
+            if (attemptedAgents.has(entry.agent)) {
+                previousByAgent.set(entry.agent, degradedEntrySignature(entry));
+            }
+        }
+        const untouched = current.filter((entry) => !attemptedAgents.has(entry.agent));
+        const rechecked = await checkAgentProviders(deps, [...attemptedAgents]);
+        const remaining = mergeRemainingDegraded(untouched, rechecked);
+        if (remaining.length === 0) {
+            return { repairsAttempted, remainingDegraded: remaining };
+        }
+        const nextPrompt = rechecked.filter((entry) => previousByAgent.get(entry.agent) !== degradedEntrySignature(entry));
+        if (nextPrompt.length === 0) {
+            return { repairsAttempted, remainingDegraded: remaining };
+        }
+        current = nextPrompt;
+    }
+    return { repairsAttempted, remainingDegraded: current };
+}
 async function executeLegacyAuthSwitch(command, deps) {
     const { state } = readOrBootstrapProviderState(command.agent, deps);
     const lanes = command.facing
@@ -2246,17 +2298,19 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
                 }
                 const repairResult = await runReadinessRepairForDegraded(preflightProviderDegraded, deps);
                 if (!repairResult.repairsAttempted) {
-                    writeProviderRepairSummary(deps, "Provider checks still need repair:", preflightProviderDegraded);
+                    writeProviderRepairSummary(deps, "Provider checks still need repair:", repairResult.remainingDegraded);
                     const message = "daemon not started: provider checks need repair. Run `ouro repair` or rerun `ouro up` to choose a repair path.";
                     deps.writeStdout(message);
                     return message;
                 }
-                const remainingDegraded = await reportPostRepairProviderHealth(deps, preflightProviderDegraded.map((entry) => entry.agent));
+                const remainingDegraded = repairResult.remainingDegraded;
                 if (remainingDegraded.length > 0) {
+                    writeProviderRepairSummary(deps, "Still blocked:", remainingDegraded);
                     const message = "daemon not started: provider checks still need repair.";
                     deps.writeStdout(message);
                     return message;
                 }
+                deps.writeStdout("provider checks recovered after repair");
             }
         }
         progress.startPhase("starting daemon");

package/dist/heart/daemon/readiness-repair.js

@@ -187,6 +187,7 @@ async function runGuidedReadinessRepair(reports, deps) {
                 continue;
             }
             try {
+                deps.onActionAttempted?.(report.agent, action, issue);
                 await deps.runRepairAction(report.agent, action, issue);
                 repairsAttempted = true;
                 deps.writeStdout(`repair step finished for ${report.agent}.`);

package/dist/heart/provider-credentials.js

@@ -328,12 +328,15 @@ async function upsertProviderCredential(input) {
         },
     };
     const record = recordFromPayload(payload);
+    input.onProgress?.(`opening ${input.agentName}'s vault session...`);
     const store = (0, credential_access_1.getCredentialStore)(input.agentName);
+    input.onProgress?.(`storing ${input.provider} credentials in ${input.agentName}'s vault...`);
     await store.store(providerCredentialItemName(input.provider), {
         username: input.provider,
         password: JSON.stringify(payload),
         notes: "Ouro provider credentials. The vault item password is a versioned JSON payload.",
     });
+    input.onProgress?.(`refreshing local provider snapshot from ${input.agentName}'s vault...`);
     const refreshResult = await refreshProviderCredentialPool(input.agentName);
     if (!refreshResult.ok) {
         throw new Error(`credential stored in vault, but the local provider snapshot could not be refreshed: ${refreshResult.error}. ` +

package/dist/repertoire/bitwarden-store.js

@@ -59,6 +59,21 @@ function isBwSessionUnavailableMessage(message) {
 function isBwInvalidUnlockSecretMessage(message) {
     return /invalid master password/i.test(message) || /saved vault unlock secret/i.test(message);
 }
+function isBwTimeoutError(err) {
+    const timeoutErr = err;
+    const message = err.message.toLowerCase();
+    return (timeoutErr.code === "ETIMEDOUT" ||
+        timeoutErr.killed === true ||
+        timeoutErr.signal === "SIGTERM" ||
+        message.includes("timed out"));
+}
+function formatBwOperation(args) {
+    const [command, target] = args;
+    /* v8 ignore next -- defensive: all execBw call sites pass a concrete bw subcommand @preserve */
+    if (!command)
+        return "bw command";
+    return [command, target].filter(Boolean).join(" ");
+}
 function sanitizeBwErrorDetail(message) {
     if (isBwInvalidUnlockSecretMessage(message)) {
         return "bw CLI rejected the saved vault unlock secret for this machine";
@@ -75,8 +90,15 @@ function sanitizeBwErrorDetail(message) {
         .replace(/[A-Za-z0-9+/=]{80,}/g, "[redacted]")
         .slice(0, 500);
 }
-function formatBwCliError(err, stderr = "") {
+function formatBwCliError(err, stderr = "", args = []) {
+    const operation = formatBwOperation(args);
+    if (isBwTimeoutError(err)) {
+        return new Error(`bw CLI error: ${operation} timed out while waiting for a vault response`);
+    }
     const detail = sanitizeBwErrorDetail(stderr.trim() || err.message);
+    if (detail === "command failed") {
+        return new Error(`bw CLI error: ${operation} failed without error detail`);
+    }
     return new Error(`bw CLI error: ${detail}`);
 }
 function isBwSessionAuthError(err) {
@@ -99,7 +121,7 @@ function execBw(args, sessionToken, appDataDir, stdin) {
                     reject(new Error("bw CLI not found. Install from https://bitwarden.com/help/cli/"));
                     return;
                 }
-                reject(formatBwCliError(err, stderr));
+                reject(formatBwCliError(err, stderr, args));
                 return;
             }
             resolve(stdout);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.404",
+  "version": "0.1.0-alpha.406",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",