@ouro.bot/cli 0.1.0-alpha.407 → 0.1.0-alpha.408

package/changelog.json

@@ -1,6 +1,16 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.408",
+      "changes": [
+        "Existing agents without a `vault` block in `agent.json` now fail fast with explicit `ouro vault create --agent <agent>` guidance instead of silently deriving a stable vault account and misreporting missing provider credentials.",
+        "`ouro auth`, `ouro up`, and `ouro repair` now treat a missing agent vault locator as a first-class readiness state with create/recover choices, then continue through the normal provider-auth repair path after the vault exists.",
+        "Runtime credential access now requires an explicit agent vault locator before opening Bitwarden or Vaultwarden, which keeps provider, runtime, travel, and tool credential flows truthful for pre-vault agent migrations.",
+        "Added regression coverage for missing-vault-locator auth, provider readiness, guided repair, and the real Bitwarden-backed auth path, plus the default local `spawnSync` fallback used by Linux secure-store probing.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the pre-vault agent locator repair release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.407",
       "changes": [

package/dist/heart/auth/auth-flow.js

@@ -389,7 +389,10 @@ async function runRuntimeAuthFlow(input, deps = {}) {
     writeAuthProgress(input, `checking ${input.agentName}'s vault access...`);
     const vault = await (0, provider_credentials_1.refreshProviderCredentialPool)(input.agentName);
     if (!vault.ok && vault.reason === "unavailable") {
-        throw new Error(`${vault.error}\n${(0, vault_unlock_1.vaultUnlockReplaceRecoverFix)(input.agentName, `Then retry 'ouro auth --agent ${input.agentName} --provider ${input.provider}'.`)}`);
+        const fix = (0, vault_unlock_1.isCredentialVaultNotConfiguredError)(vault.error)
+            ? (0, vault_unlock_1.vaultCreateRecoverFix)(input.agentName, `Then retry 'ouro auth --agent ${input.agentName} --provider ${input.provider}'.`)
+            : (0, vault_unlock_1.vaultUnlockReplaceRecoverFix)(input.agentName, `Then retry 'ouro auth --agent ${input.agentName} --provider ${input.provider}'.`);
+        throw new Error(`${vault.error}\n${fix}`);
     }
     const credentials = await collectRuntimeAuthCredentials(input, deps);
     let credentialPath;

package/dist/heart/daemon/agent-config-check.js

@@ -252,6 +252,14 @@ function invalidPoolResult(agentName, lane, provider, model, pool) {
             issue: (0, readiness_repair_1.vaultLockedIssue)(agentName),
         };
     }
+    if (pool.reason === "unavailable" && (0, vault_unlock_1.isCredentialVaultNotConfiguredError)(pool.error)) {
+        return {
+            ok: false,
+            error: `${lane} provider ${provider} model ${model} cannot read provider credentials because ${agentName}'s credential vault is not configured in agent.json.`,
+            fix: (0, vault_unlock_1.vaultCreateRecoverFix)(agentName, `Then run 'ouro auth --agent ${agentName} --provider ${provider}' and rerun 'ouro up'.`),
+            issue: (0, readiness_repair_1.vaultUnconfiguredIssue)(agentName),
+        };
+    }
     if (pool.reason === "invalid") {
         return {
             ok: false,

package/dist/heart/daemon/cli-exec.js

@@ -1396,6 +1396,10 @@ async function readinessReportForAgent(agent, deps) {
     }
 }
 async function executeReadinessRepairAction(agent, action, deps) {
+    if (action.kind === "vault-create") {
+        await executeVaultCreate({ kind: "vault.create", agent }, deps);
+        return;
+    }
     if (action.kind === "vault-unlock") {
         await executeVaultUnlock({ kind: "vault.unlock", agent }, deps);
         return;

package/dist/heart/daemon/readiness-repair.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.vaultLockedIssue = vaultLockedIssue;
+exports.vaultUnconfiguredIssue = vaultUnconfiguredIssue;
 exports.providerCredentialMissingIssue = providerCredentialMissingIssue;
 exports.providerLiveCheckFailedIssue = providerLiveCheckFailedIssue;
 exports.genericReadinessIssue = genericReadinessIssue;
@@ -39,6 +40,30 @@ function vaultLockedIssue(agentName) {
         ],
     };
 }
+function vaultUnconfiguredIssue(agentName) {
+    return {
+        kind: "vault-unconfigured",
+        severity: "blocked",
+        actor: "human-required",
+        summary: `${agentName}: vault not configured`,
+        detail: "This bundle does not have a vault locator in agent.json yet. Create the agent vault before authenticating providers.",
+        actions: [
+            {
+                kind: "vault-create",
+                label: "Create this agent's vault",
+                command: `ouro vault create --agent ${agentName}`,
+                actor: "human-required",
+            },
+            {
+                kind: "vault-recover",
+                label: "Recover from JSON export",
+                command: `ouro vault recover --agent ${agentName} --from <json>`,
+                actor: "human-required",
+                executable: false,
+            },
+        ],
+    };
+}
 function providerCredentialMissingIssue(input) {
     return {
         kind: "provider-credentials-missing",

package/dist/repertoire/credential-access.js

@@ -58,10 +58,10 @@ function loadVaultSectionForAgent(agentName) {
     const configPath = path.join(identity.getAgentRoot(agentName), "agent.json");
     try {
         const parsed = JSON.parse(fs.readFileSync(configPath, "utf-8"));
-        return parsed.vault;
+        return { configPath, vault: parsed.vault };
     }
     catch {
-        return undefined;
+        return { configPath };
     }
 }
 function bitwardenAppDataDir(agentName, vaultConfig) {
@@ -77,7 +77,11 @@ function getCredentialStore(agentNameInput) {
     if (agentName === "SerpentGuide") {
         throw new Error("SerpentGuide does not have a persistent credential vault; hatch bootstrap uses provider credentials in memory only.");
     }
-    const vaultConfig = identity.resolveVaultConfig(agentName, loadVaultSectionForAgent(agentName));
+    const { configPath, vault } = loadVaultSectionForAgent(agentName);
+    if (!vault || typeof vault.email !== "string" || vault.email.trim().length === 0) {
+        throw new Error((0, vault_unlock_1.credentialVaultNotConfiguredError)(agentName, configPath));
+    }
+    const vaultConfig = identity.resolveVaultConfig(agentName, vault);
     const cacheKey = `${agentName}:${vaultConfig.serverUrl}:${vaultConfig.email}`;
     const cached = stores.get(cacheKey);
     if (cached)

package/dist/repertoire/vault-unlock.js

@@ -34,6 +34,9 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.vaultUnlockReplaceRecoverFix = vaultUnlockReplaceRecoverFix;
+exports.credentialVaultNotConfiguredError = credentialVaultNotConfiguredError;
+exports.isCredentialVaultNotConfiguredError = isCredentialVaultNotConfiguredError;
+exports.vaultCreateRecoverFix = vaultCreateRecoverFix;
 exports.resolveVaultUnlockStore = resolveVaultUnlockStore;
 exports.readVaultUnlockSecret = readVaultUnlockSecret;
 exports.storeVaultUnlockSecret = storeVaultUnlockSecret;
@@ -45,6 +48,7 @@ const os = __importStar(require("node:os"));
 const path = __importStar(require("node:path"));
 const runtime_1 = require("../nerves/runtime");
 const VAULT_UNLOCK_SERVICE = "ouro.vault";
+const CREDENTIAL_VAULT_NOT_CONFIGURED_PREFIX = "credential vault is not configured in ";
 const PLAINTEXT_UNLOCK_DIR = path.join(".ouro-cli", "vault-unlock");
 const WINDOWS_DPAPI_UNLOCK_DIR = path.join(".ouro-cli", "vault-unlock-dpapi");
 const SUPPORTED_STORES = ["auto", "macos-keychain", "windows-dpapi", "linux-secret-service", "plaintext-file"];
@@ -104,6 +108,20 @@ function vaultUnlockReplaceRecoverFix(agentName, nextStep = "Then run 'ouro up'
         nextStep,
     ].join(" ");
 }
+function credentialVaultNotConfiguredError(agentName, configPath) {
+    return (`${CREDENTIAL_VAULT_NOT_CONFIGURED_PREFIX}${configPath}. ` +
+        `Run 'ouro vault create --agent ${agentName}' to create this agent's vault before loading or storing credentials.`);
+}
+function isCredentialVaultNotConfiguredError(message) {
+    return message.includes(CREDENTIAL_VAULT_NOT_CONFIGURED_PREFIX);
+}
+function vaultCreateRecoverFix(agentName, nextStep = "Then run 'ouro up' again.") {
+    return [
+        `Run 'ouro vault create --agent ${agentName}' to create this agent's vault.`,
+        `If you still have a local JSON credential export from an earlier alpha, run 'ouro vault recover --agent ${agentName} --from <json>' instead.`,
+        nextStep,
+    ].join(" ");
+}
 function lostUnlockSecretGuidance(config) {
     if (!config.agentName) {
         return "If nobody saved that unlock secret, run `ouro vault replace --agent <agent>` to create a new empty vault and re-enter credentials. If you do have a local JSON credential export, run `ouro vault recover --agent <agent> --from <json>` to import it.";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.407",
+  "version": "0.1.0-alpha.408",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",
@@ -32,6 +32,7 @@
     "test:coverage": "node scripts/run-coverage-gate.cjs",
     "build": "tsc && (cd packages/outlook-ui && npm install --ignore-scripts 2>/dev/null && npm run build && cp -r dist ../../dist/outlook-ui) || echo 'outlook-ui build skipped'",
     "lint": "eslint src/",
+    "release:preflight": "node scripts/release-preflight.cjs",
     "release:smoke": "node scripts/release-smoke.cjs",
     "audit:nerves": "npm run build && node dist/nerves/coverage/cli-main.js"
   },