@ouro.bot/cli 0.1.0-alpha.405 → 0.1.0-alpha.406

package/changelog.json

@@ -1,6 +1,15 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.406",
+      "changes": [
+        "`ouro auth --agent <agent> --provider <provider>` now keeps narrating the post-login vault save path with `opening ... vault session`, `storing ... credentials`, and `refreshing local provider snapshot`, so a successful browser login no longer drops into a silent cursor while secrets are being persisted.",
+        "Bitwarden-backed provider saves now classify timeouts and empty command failures by operation and redact raw `bw create item ...` command text, encoded payloads, and prompt echoes from auth output.",
+        "Auth, repair CLI, and Bitwarden regression coverage now encodes the reported post-login save failure shapes so the same leak-prone path stays guarded.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the post-login vault save hardening release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.405",
       "changes": [

package/dist/heart/auth/auth-flow.js

@@ -148,6 +148,7 @@ async function storeProviderCredentials(agentName, provider, credentials, deps =
         config: split.config,
         provenance: { source: "auth-flow" },
         now: deps.now,
+        onProgress: deps.onProgress,
     });
     return { credentialPath: (0, provider_credentials_1.providerCredentialItemName)(provider) };
 }
@@ -391,11 +392,14 @@ async function runRuntimeAuthFlow(input, deps = {}) {
         throw new Error(`${vault.error}\n${(0, vault_unlock_1.vaultUnlockReplaceRecoverFix)(input.agentName, `Then retry 'ouro auth --agent ${input.agentName} --provider ${input.provider}'.`)}`);
     }
     const credentials = await collectRuntimeAuthCredentials(input, deps);
-    writeAuthProgress(input, `${input.provider} credentials collected; storing in ${input.agentName}'s vault...`);
     let credentialPath;
     try {
         ;
-        ({ credentialPath } = await storeProviderCredentials(input.agentName, input.provider, credentials));
+        ({
+            credentialPath,
+        } = await storeProviderCredentials(input.agentName, input.provider, credentials, {
+            onProgress: (message) => writeAuthProgress(input, message),
+        }));
     }
     catch (error) {
         throw formatVaultStoreError(input.agentName, input.provider, error);

package/dist/heart/provider-credentials.js

@@ -328,12 +328,15 @@ async function upsertProviderCredential(input) {
         },
     };
     const record = recordFromPayload(payload);
+    input.onProgress?.(`opening ${input.agentName}'s vault session...`);
     const store = (0, credential_access_1.getCredentialStore)(input.agentName);
+    input.onProgress?.(`storing ${input.provider} credentials in ${input.agentName}'s vault...`);
     await store.store(providerCredentialItemName(input.provider), {
         username: input.provider,
         password: JSON.stringify(payload),
         notes: "Ouro provider credentials. The vault item password is a versioned JSON payload.",
     });
+    input.onProgress?.(`refreshing local provider snapshot from ${input.agentName}'s vault...`);
     const refreshResult = await refreshProviderCredentialPool(input.agentName);
     if (!refreshResult.ok) {
         throw new Error(`credential stored in vault, but the local provider snapshot could not be refreshed: ${refreshResult.error}. ` +

package/dist/repertoire/bitwarden-store.js

@@ -59,6 +59,21 @@ function isBwSessionUnavailableMessage(message) {
 function isBwInvalidUnlockSecretMessage(message) {
     return /invalid master password/i.test(message) || /saved vault unlock secret/i.test(message);
 }
+function isBwTimeoutError(err) {
+    const timeoutErr = err;
+    const message = err.message.toLowerCase();
+    return (timeoutErr.code === "ETIMEDOUT" ||
+        timeoutErr.killed === true ||
+        timeoutErr.signal === "SIGTERM" ||
+        message.includes("timed out"));
+}
+function formatBwOperation(args) {
+    const [command, target] = args;
+    /* v8 ignore next -- defensive: all execBw call sites pass a concrete bw subcommand @preserve */
+    if (!command)
+        return "bw command";
+    return [command, target].filter(Boolean).join(" ");
+}
 function sanitizeBwErrorDetail(message) {
     if (isBwInvalidUnlockSecretMessage(message)) {
         return "bw CLI rejected the saved vault unlock secret for this machine";
@@ -75,8 +90,15 @@ function sanitizeBwErrorDetail(message) {
         .replace(/[A-Za-z0-9+/=]{80,}/g, "[redacted]")
         .slice(0, 500);
 }
-function formatBwCliError(err, stderr = "") {
+function formatBwCliError(err, stderr = "", args = []) {
+    const operation = formatBwOperation(args);
+    if (isBwTimeoutError(err)) {
+        return new Error(`bw CLI error: ${operation} timed out while waiting for a vault response`);
+    }
     const detail = sanitizeBwErrorDetail(stderr.trim() || err.message);
+    if (detail === "command failed") {
+        return new Error(`bw CLI error: ${operation} failed without error detail`);
+    }
     return new Error(`bw CLI error: ${detail}`);
 }
 function isBwSessionAuthError(err) {
@@ -99,7 +121,7 @@ function execBw(args, sessionToken, appDataDir, stdin) {
                     reject(new Error("bw CLI not found. Install from https://bitwarden.com/help/cli/"));
                     return;
                 }
-                reject(formatBwCliError(err, stderr));
+                reject(formatBwCliError(err, stderr, args));
                 return;
             }
             resolve(stdout);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.405",
+  "version": "0.1.0-alpha.406",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",