@ouro.bot/cli 0.1.0-alpha.406 → 0.1.0-alpha.407

package/changelog.json

@@ -1,6 +1,15 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.407",
+      "changes": [
+        "`credential_store` now uses the same Bitwarden-derived error scrubber as provider auth, so agent-saved secret flows redact raw `bw ...` command lines, encoded payload blobs, and hidden prompt echoes instead of free-styling their own failure cleanup.",
+        "The shared sanitizer now collapses fully scrubbed failures back to `command failed`, so redaction does not leave behind useless `[redacted]` noise when the only surviving text was secret-shaped.",
+        "Added regression coverage for the shared sanitizer itself plus the `credential_store` path that agents hit after signups and manual secret saves.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the shared credential error sanitization release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.406",
       "changes": [

package/dist/repertoire/bitwarden-store.js

@@ -42,10 +42,39 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.BitwardenCredentialStore = void 0;
+exports.sanitizeCredentialErrorDetail = sanitizeCredentialErrorDetail;
 const node_child_process_1 = require("node:child_process");
 const fs = __importStar(require("node:fs"));
 const runtime_1 = require("../nerves/runtime");
 const bw_installer_1 = require("./bw-installer");
+const MAX_ERROR_DETAIL_LENGTH = 500;
+const LONG_ENCODED_TOKEN_PATTERN = /[A-Za-z0-9+/=]{32,}/g;
+function uniqueSecrets(secrets) {
+    return [...new Set(secrets.filter((value) => typeof value === "string" && value.length >= 4))].sort((left, right) => right.length - left.length);
+}
+function sanitizeCredentialErrorDetail(message, options = {}) {
+    const filtered = message
+        .split(/\r?\n/)
+        .filter((line) => {
+        const trimmed = line.trim();
+        if (trimmed.startsWith("Command failed:"))
+            return false;
+        if (trimmed.includes("[input is hidden]"))
+            return false;
+        return true;
+    })
+        .join("\n")
+        .trim();
+    let sanitized = filtered || "command failed";
+    for (const secret of uniqueSecrets(options.secrets ?? [])) {
+        sanitized = sanitized.split(secret).join("[redacted]");
+    }
+    sanitized = sanitized.replace(LONG_ENCODED_TOKEN_PATTERN, "[redacted]");
+    if (sanitized.replace(/\[redacted\]/g, "").trim().length === 0) {
+        return "command failed";
+    }
+    return sanitized.slice(0, MAX_ERROR_DETAIL_LENGTH);
+}
 // ---------------------------------------------------------------------------
 // bw CLI wrapper
 // ---------------------------------------------------------------------------
@@ -81,14 +110,7 @@ function sanitizeBwErrorDetail(message) {
     if (isBwSessionUnavailableMessage(message)) {
         return "bw CLI could not use the local Bitwarden session because it is locked, missing, or expired";
     }
-    const withoutCommandLine = message
-        .split(/\r?\n/)
-        .filter((line) => !line.trim().startsWith("Command failed:"))
-        .join("\n")
-        .trim();
-    return (withoutCommandLine || "command failed")
-        .replace(/[A-Za-z0-9+/=]{80,}/g, "[redacted]")
-        .slice(0, 500);
+    return sanitizeCredentialErrorDetail(message);
 }
 function formatBwCliError(err, stderr = "", args = []) {
     const operation = formatBwOperation(args);

package/dist/repertoire/tools-credential.js

@@ -36,11 +36,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.credentialToolDefinitions = void 0;
 const crypto = __importStar(require("node:crypto"));
 const credential_access_1 = require("./credential-access");
+const bitwarden_store_1 = require("./bitwarden-store");
 const runtime_1 = require("../nerves/runtime");
 const DEFAULT_PASSWORD_LENGTH = 24;
 const MIN_PASSWORD_LENGTH = 12;
 const MAX_PASSWORD_LENGTH = 128;
-const MAX_ERROR_DETAIL_LENGTH = 500;
 const PASSWORD_CHARSETS = {
     lower: "abcdefghijkmnopqrstuvwxyz",
     upper: "ABCDEFGHJKLMNPQRSTUVWXYZ",
@@ -49,20 +49,7 @@ const PASSWORD_CHARSETS = {
 };
 function sanitizeCredentialToolError(err, secrets = []) {
     const raw = err instanceof Error ? err.message : String(err);
-    const scrubbed = raw
-        .split(/\r?\n/)
-        .filter((line) => !line.trim().startsWith("Command failed:"))
-        .join("\n")
-        .trim();
-    let sanitized = scrubbed || "command failed";
-    const uniqueSecrets = [...new Set(secrets.filter((value) => typeof value === "string" && value.length >= 4))]
-        .sort((left, right) => right.length - left.length);
-    for (const secret of uniqueSecrets) {
-        sanitized = sanitized.split(secret).join("[redacted]");
-    }
-    return sanitized
-        .replace(/[A-Za-z0-9+/=]{80,}/g, "[redacted]")
-        .slice(0, MAX_ERROR_DETAIL_LENGTH);
+    return (0, bitwarden_store_1.sanitizeCredentialErrorDetail)(raw, { secrets });
 }
 function requireTrimmedText(value, fieldName) {
     if (typeof value !== "string" || value.trim().length === 0) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.406",
+  "version": "0.1.0-alpha.407",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",