@ouro.bot/cli 0.1.0-alpha.407 → 0.1.0-alpha.409

package/changelog.json

@@ -1,6 +1,26 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.409",
+      "changes": [
+        "`ouro up` interactive repair now presents each agent's next step as a compact panel with `needs`, `run`, and `note` lines, followed by a short human prompt like `Unlock it now?` or `Open the auth flow now?` instead of embedding commands and warnings into one long question.",
+        "Declined repair output now collapses into short `next` / `or` follow-up commands, so vault unlock, replace, recover, and provider-auth paths stay visible without reprinting a wall of explanatory prose.",
+        "Guided readiness repair and no-repair summaries now use blank-line grouping plus calmer `Provider checks need attention` and `Still needs attention` headings, and stale-daemon restart output now splits its repair handoff onto a second line instead of bolting it onto one overlong sentence.",
+        "Added regression coverage for the new interactive repair copy, grouped repair queue, readiness summary spacing, no-repair output, and the revised stale-daemon restart message.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the repair UX polish release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.408",
+      "changes": [
+        "Existing agents without a `vault` block in `agent.json` now fail fast with explicit `ouro vault create --agent <agent>` guidance instead of silently deriving a stable vault account and misreporting missing provider credentials.",
+        "`ouro auth`, `ouro up`, and `ouro repair` now treat a missing agent vault locator as a first-class readiness state with create/recover choices, then continue through the normal provider-auth repair path after the vault exists.",
+        "Runtime credential access now requires an explicit agent vault locator before opening Bitwarden or Vaultwarden, which keeps provider, runtime, travel, and tool credential flows truthful for pre-vault agent migrations.",
+        "Added regression coverage for missing-vault-locator auth, provider readiness, guided repair, and the real Bitwarden-backed auth path, plus the default local `spawnSync` fallback used by Linux secure-store probing.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the pre-vault agent locator repair release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.407",
       "changes": [

package/dist/heart/auth/auth-flow.js

@@ -389,7 +389,10 @@ async function runRuntimeAuthFlow(input, deps = {}) {
     writeAuthProgress(input, `checking ${input.agentName}'s vault access...`);
     const vault = await (0, provider_credentials_1.refreshProviderCredentialPool)(input.agentName);
     if (!vault.ok && vault.reason === "unavailable") {
-        throw new Error(`${vault.error}\n${(0, vault_unlock_1.vaultUnlockReplaceRecoverFix)(input.agentName, `Then retry 'ouro auth --agent ${input.agentName} --provider ${input.provider}'.`)}`);
+        const fix = (0, vault_unlock_1.isCredentialVaultNotConfiguredError)(vault.error)
+            ? (0, vault_unlock_1.vaultCreateRecoverFix)(input.agentName, `Then retry 'ouro auth --agent ${input.agentName} --provider ${input.provider}'.`)
+            : (0, vault_unlock_1.vaultUnlockReplaceRecoverFix)(input.agentName, `Then retry 'ouro auth --agent ${input.agentName} --provider ${input.provider}'.`);
+        throw new Error(`${vault.error}\n${fix}`);
     }
     const credentials = await collectRuntimeAuthCredentials(input, deps);
     let credentialPath;

package/dist/heart/daemon/agent-config-check.js

@@ -252,6 +252,14 @@ function invalidPoolResult(agentName, lane, provider, model, pool) {
             issue: (0, readiness_repair_1.vaultLockedIssue)(agentName),
         };
     }
+    if (pool.reason === "unavailable" && (0, vault_unlock_1.isCredentialVaultNotConfiguredError)(pool.error)) {
+        return {
+            ok: false,
+            error: `${lane} provider ${provider} model ${model} cannot read provider credentials because ${agentName}'s credential vault is not configured in agent.json.`,
+            fix: (0, vault_unlock_1.vaultCreateRecoverFix)(agentName, `Then run 'ouro auth --agent ${agentName} --provider ${provider}' and rerun 'ouro up'.`),
+            issue: (0, readiness_repair_1.vaultUnconfiguredIssue)(agentName),
+        };
+    }
     if (pool.reason === "invalid") {
         return {
             ok: false,

package/dist/heart/daemon/cli-exec.js

@@ -166,7 +166,7 @@ function writeProviderRepairSummary(deps, title, degraded) {
 function providerRepairCountSummary(count) {
     if (count === 0)
         return "ok";
-    return `${count} ${count === 1 ? "needs" : "need"} repair`;
+    return `${count} ${count === 1 ? "needs" : "need"} attention`;
 }
 async function reportPostRepairProviderHealth(deps, repairedAgents) {
     const remainingDegraded = await checkAgentProviders(deps, repairedAgents);
@@ -180,10 +180,10 @@ async function reportPostRepairProviderHealth(deps, repairedAgents) {
         meta: { degradedCount: remainingDegraded.length, repairedAgents },
     });
     if (remainingDegraded.length === 0) {
-        deps.writeStdout("provider checks recovered after repair");
+        deps.writeStdout("All set. Provider checks recovered after repair.");
         return remainingDegraded;
     }
-    writeProviderRepairSummary(deps, "Still blocked:", remainingDegraded);
+    writeProviderRepairSummary(deps, "Still needs attention", remainingDegraded);
     deps.writeStdout("Run `ouro up` again after these are fixed.");
     return remainingDegraded;
 }
@@ -1396,6 +1396,10 @@ async function readinessReportForAgent(agent, deps) {
     }
 }
 async function executeReadinessRepairAction(agent, action, deps) {
+    if (action.kind === "vault-create") {
+        await executeVaultCreate({ kind: "vault.create", agent }, deps);
+        return;
+    }
     if (action.kind === "vault-unlock") {
         await executeVaultUnlock({ kind: "vault.unlock", agent }, deps);
         return;
@@ -2291,26 +2295,26 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             if (preflightProviderDegraded.length > 0) {
                 progress.end();
                 if (command.noRepair) {
-                    writeProviderRepairSummary(deps, "Provider checks need repair:", preflightProviderDegraded);
+                    writeProviderRepairSummary(deps, "Provider checks need attention", preflightProviderDegraded);
                     const message = "daemon not started: provider checks need repair. Run `ouro repair` or rerun `ouro up` to choose a repair path.";
                     deps.writeStdout(message);
                     return message;
                 }
                 const repairResult = await runReadinessRepairForDegraded(preflightProviderDegraded, deps);
                 if (!repairResult.repairsAttempted) {
-                    writeProviderRepairSummary(deps, "Provider checks still need repair:", repairResult.remainingDegraded);
+                    writeProviderRepairSummary(deps, "Provider checks still need attention", repairResult.remainingDegraded);
                     const message = "daemon not started: provider checks need repair. Run `ouro repair` or rerun `ouro up` to choose a repair path.";
                     deps.writeStdout(message);
                     return message;
                 }
                 const remainingDegraded = repairResult.remainingDegraded;
                 if (remainingDegraded.length > 0) {
-                    writeProviderRepairSummary(deps, "Still blocked:", remainingDegraded);
+                    writeProviderRepairSummary(deps, "Still needs attention", remainingDegraded);
                     const message = "daemon not started: provider checks still need repair.";
                     deps.writeStdout(message);
                     return message;
                 }
-                deps.writeStdout("provider checks recovered after repair");
+                deps.writeStdout("All set. Provider checks recovered after repair.");
             }
         }
         progress.startPhase("starting daemon");
@@ -2333,7 +2337,7 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
         if (daemonResult.stability?.degraded && daemonResult.stability.degraded.length > 0) {
             if (command.noRepair) {
                 // --no-repair: write degraded summary and skip interactive repair
-                writeProviderRepairSummary(deps, "Provider checks need repair:", daemonResult.stability.degraded);
+                writeProviderRepairSummary(deps, "Provider checks need attention", daemonResult.stability.degraded);
                 (0, runtime_1.emitNervesEvent)({
                     level: "warn",
                     component: "daemon",

package/dist/heart/daemon/daemon-runtime-sync.js

@@ -134,11 +134,11 @@ async function ensureCurrentDaemonRuntime(deps) {
             const pid = started.pid ?? "unknown";
             const verified = await verifyDaemonStarted(deps);
             /* v8 ignore next -- daemon liveness failure: requires real daemon crash timing @preserve */
-            const suffix = verified ? "" : " — but daemon failed to respond, check logs";
+            const suffix = verified ? "" : "\ndaemon did not answer yet, so Ouro is checking repair paths next.";
             result = {
                 alreadyRunning: false,
                 message: includesVersionDrift
-                    ? `restarted stale daemon from ${runningVersion} to ${deps.localVersion} (pid ${pid})${suffix}`
+                    ? `restarted stale daemon ${runningVersion} -> ${deps.localVersion} (pid ${pid})${suffix}`
                     : `restarted drifted daemon (${driftSummary}) (pid ${pid})${suffix}`,
                 verifyStartupStatus: verified,
                 startedPid: started.pid ?? null,

package/dist/heart/daemon/interactive-repair.js

@@ -64,11 +64,83 @@ function vaultUnlockCommandFor(degraded) {
 function isAffirmativeAnswer(answer) {
     return /^(y|yes)$/i.test(answer.trim());
 }
-function writeDeclinedRepair(degraded, command, deps) {
-    deps.writeStdout(`repair skipped for ${degraded.agent}; run \`${command}\` later.`);
-    if (degraded.fixHint.includes("ouro vault replace") || degraded.fixHint.includes("ouro vault recover")) {
-        deps.writeStdout(`repair options for ${degraded.agent}: ${degraded.fixHint}`);
+function uniqueCommands(commands) {
+    const seen = new Set();
+    const unique = [];
+    commands.forEach((command) => {
+        if (!command)
+            return;
+        if (seen.has(command))
+            return;
+        seen.add(command);
+        unique.push(command);
+    });
+    return unique;
+}
+function fallbackCommandsFor(degraded, primaryCommand) {
+    const issueCommands = degraded.issue?.actions.map((action) => action.command) ?? [];
+    return uniqueCommands([
+        primaryCommand,
+        ...issueCommands,
+        extractRepairCommand(degraded.fixHint, "ouro vault replace"),
+        extractRepairCommand(degraded.fixHint, "ouro vault recover"),
+        extractRepairCommand(degraded.fixHint, "ouro use"),
+    ]);
+}
+function renderRepairChoices(prefix, commands) {
+    return commands.map((command, index) => `  ${index === 0 ? prefix : "or"}: ${command}`);
+}
+function renderRepairQueueSummaryLines(degraded) {
+    const repairable = degraded
+        .map((entry) => ({ entry, action: runnableRepairActionFor(entry) }))
+        .filter((item) => item.action !== undefined);
+    if (repairable.length < 2)
+        return [];
+    const lines = [
+        "Repair queue",
+        `${repairable.length} agents need attention before startup can finish.`,
+        "",
+    ];
+    repairable.forEach(({ entry, action }, index) => {
+        lines.push(`${entry.agent} - ${action.label}`);
+        lines.push(`  ${action.command}`);
+        if (index < repairable.length - 1)
+            lines.push("");
+    });
+    return lines;
+}
+function renderActionPromptLines(agent, action) {
+    const lines = [
+        `${agent}`,
+        `  needs: ${action.label}`,
+        `  run:   ${action.command}`,
+    ];
+    if (action.kind === "vault-unlock") {
+        lines.push("  note:  use the saved vault unlock secret");
     }
+    return lines;
+}
+function renderDeferredRepair(agent, commands) {
+    return [
+        `Leaving ${agent} for later.`,
+        ...renderRepairChoices("next", commands),
+    ].join("\n");
+}
+function renderManualRepairHint(agent, fixHint) {
+    return [
+        `${agent}`,
+        "  needs manual attention",
+        `  next: ${fixHint}`,
+    ].join("\n");
+}
+function renderUnknownRepair(agent, errorReason) {
+    return [
+        `${agent}`,
+        `  ${errorReason}`,
+    ].join("\n");
+}
+function writeDeclinedRepair(degraded, command, deps) {
+    deps.writeStdout(renderDeferredRepair(degraded.agent, fallbackCommandsFor(degraded, command)));
 }
 function runnableRepairActionFor(degraded) {
     const typedAction = degraded.issue?.actions
@@ -106,16 +178,9 @@ function typedActionToRunnable(degraded, action) {
     return undefined;
 }
 function writeRepairQueueSummary(degraded, deps) {
-    const repairable = degraded
-        .map((entry) => ({ entry, action: runnableRepairActionFor(entry) }))
-        .filter((item) => item.action !== undefined);
-    if (repairable.length < 2)
-        return;
-    const lines = [
-        "repair queue:",
-        ...repairable.map(({ entry, action }) => `  - ${entry.agent}: ${action.label}: \`${action.command}\``),
-    ];
-    deps.writeStdout(lines.join("\n"));
+    const lines = renderRepairQueueSummaryLines(degraded);
+    if (lines.length > 0)
+        deps.writeStdout(lines.join("\n"));
 }
 async function runInteractiveRepair(degraded, deps) {
     (0, runtime_1.emitNervesEvent)({
@@ -133,11 +198,12 @@ async function runInteractiveRepair(degraded, deps) {
     for (const entry of degraded) {
         const action = runnableRepairActionFor(entry);
         if (action?.kind === "vault-unlock") {
-            const answer = await deps.promptInput(`run \`${action.command}\` now? Only say yes if you have the saved unlock secret. [y/n] `);
+            deps.writeStdout(renderActionPromptLines(entry.agent, action).join("\n"));
+            const answer = await deps.promptInput("Unlock it now? [y/N] ");
             if (isAffirmativeAnswer(answer)) {
                 try {
                     if (!deps.runVaultUnlock) {
-                        deps.writeStdout(`fix hint for ${entry.agent}: ${entry.fixHint}`);
+                        deps.writeStdout(renderManualRepairHint(entry.agent, entry.fixHint));
                     }
                     else {
                         await deps.runVaultUnlock(entry.agent);
@@ -146,7 +212,7 @@ async function runInteractiveRepair(degraded, deps) {
                 }
                 catch (error) {
                     const msg = error instanceof Error ? error.message : String(error);
-                    deps.writeStdout(`vault unlock error for ${entry.agent}: ${msg}`);
+                    deps.writeStdout(`Vault unlock did not finish for ${entry.agent}.\n  ${msg}`);
                     repairsAttempted = true;
                     (0, runtime_1.emitNervesEvent)({
                         level: "error",
@@ -162,7 +228,8 @@ async function runInteractiveRepair(degraded, deps) {
             }
         }
         else if (action?.kind === "provider-auth") {
-            const answer = await deps.promptInput(`run \`${action.command}\` now? [y/n] `);
+            deps.writeStdout(renderActionPromptLines(entry.agent, action).join("\n"));
+            const answer = await deps.promptInput("Open the auth flow now? [y/N] ");
             if (isAffirmativeAnswer(answer)) {
                 try {
                     if (action.provider) {
@@ -175,7 +242,7 @@ async function runInteractiveRepair(degraded, deps) {
                 }
                 catch (error) {
                     const msg = error instanceof Error ? error.message : String(error);
-                    deps.writeStdout(`auth flow error for ${entry.agent}: ${msg}`);
+                    deps.writeStdout(`Auth did not finish for ${entry.agent}.\n  ${msg}`);
                     repairsAttempted = true;
                     (0, runtime_1.emitNervesEvent)({
                         level: "error",
@@ -191,11 +258,11 @@ async function runInteractiveRepair(degraded, deps) {
             }
         }
         else if (isConfigError(entry)) {
-            deps.writeStdout(`fix hint for ${entry.agent}: ${entry.fixHint}`);
+            deps.writeStdout(renderManualRepairHint(entry.agent, entry.fixHint));
         }
         else {
             // Unknown error with no actionable fix hint
-            deps.writeStdout(`${entry.agent}: ${entry.errorReason}`);
+            deps.writeStdout(renderUnknownRepair(entry.agent, entry.errorReason));
         }
     }
     (0, runtime_1.emitNervesEvent)({

package/dist/heart/daemon/readiness-repair.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.vaultLockedIssue = vaultLockedIssue;
+exports.vaultUnconfiguredIssue = vaultUnconfiguredIssue;
 exports.providerCredentialMissingIssue = providerCredentialMissingIssue;
 exports.providerLiveCheckFailedIssue = providerLiveCheckFailedIssue;
 exports.genericReadinessIssue = genericReadinessIssue;
@@ -39,6 +40,30 @@ function vaultLockedIssue(agentName) {
         ],
     };
 }
+function vaultUnconfiguredIssue(agentName) {
+    return {
+        kind: "vault-unconfigured",
+        severity: "blocked",
+        actor: "human-required",
+        summary: `${agentName}: vault not configured`,
+        detail: "This bundle does not have a vault locator in agent.json yet. Create the agent vault before authenticating providers.",
+        actions: [
+            {
+                kind: "vault-create",
+                label: "Create this agent's vault",
+                command: `ouro vault create --agent ${agentName}`,
+                actor: "human-required",
+            },
+            {
+                kind: "vault-recover",
+                label: "Recover from JSON export",
+                command: `ouro vault recover --agent ${agentName} --from <json>`,
+                actor: "human-required",
+                executable: false,
+            },
+        ],
+    };
+}
 function providerCredentialMissingIssue(input) {
     return {
         kind: "provider-credentials-missing",
@@ -117,20 +142,28 @@ function renderReadinessIssue(issue) {
     if (issue.detail) {
         lines.push(`  ${issue.detail}`);
     }
+    if (issue.actions.length > 0) {
+        lines.push("");
+    }
     issue.actions.forEach((action, index) => {
+        if (index > 0)
+            lines.push("");
         lines.push(`${index + 1}. ${action.label}`);
         lines.push(`   ${action.command}`);
     });
+    if (issue.actions.length > 0) {
+        lines.push("");
+    }
     lines.push(`${issue.actions.length + 1}. Skip for now`);
     return lines.join("\n");
 }
 function renderReadinessIssueNextSteps(issue) {
-    const lines = [`  ${issue.summary}`];
+    const lines = [issue.summary];
     if (issue.detail && issue.kind !== "vault-locked") {
-        lines.push(`    ${issue.detail}`);
+        lines.push(`  ${issue.detail}`);
     }
     issue.actions.forEach((action, index) => {
-        lines.push(`    ${index === 0 ? "next" : "or"}: ${action.command}`);
+        lines.push(`  ${index === 0 ? "next" : "or"}: ${action.command}`);
     });
     return lines;
 }

package/dist/repertoire/credential-access.js

@@ -58,10 +58,10 @@ function loadVaultSectionForAgent(agentName) {
     const configPath = path.join(identity.getAgentRoot(agentName), "agent.json");
     try {
         const parsed = JSON.parse(fs.readFileSync(configPath, "utf-8"));
-        return parsed.vault;
+        return { configPath, vault: parsed.vault };
     }
     catch {
-        return undefined;
+        return { configPath };
     }
 }
 function bitwardenAppDataDir(agentName, vaultConfig) {
@@ -77,7 +77,11 @@ function getCredentialStore(agentNameInput) {
     if (agentName === "SerpentGuide") {
         throw new Error("SerpentGuide does not have a persistent credential vault; hatch bootstrap uses provider credentials in memory only.");
     }
-    const vaultConfig = identity.resolveVaultConfig(agentName, loadVaultSectionForAgent(agentName));
+    const { configPath, vault } = loadVaultSectionForAgent(agentName);
+    if (!vault || typeof vault.email !== "string" || vault.email.trim().length === 0) {
+        throw new Error((0, vault_unlock_1.credentialVaultNotConfiguredError)(agentName, configPath));
+    }
+    const vaultConfig = identity.resolveVaultConfig(agentName, vault);
     const cacheKey = `${agentName}:${vaultConfig.serverUrl}:${vaultConfig.email}`;
     const cached = stores.get(cacheKey);
     if (cached)

package/dist/repertoire/vault-unlock.js

@@ -34,6 +34,9 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.vaultUnlockReplaceRecoverFix = vaultUnlockReplaceRecoverFix;
+exports.credentialVaultNotConfiguredError = credentialVaultNotConfiguredError;
+exports.isCredentialVaultNotConfiguredError = isCredentialVaultNotConfiguredError;
+exports.vaultCreateRecoverFix = vaultCreateRecoverFix;
 exports.resolveVaultUnlockStore = resolveVaultUnlockStore;
 exports.readVaultUnlockSecret = readVaultUnlockSecret;
 exports.storeVaultUnlockSecret = storeVaultUnlockSecret;
@@ -45,6 +48,7 @@ const os = __importStar(require("node:os"));
 const path = __importStar(require("node:path"));
 const runtime_1 = require("../nerves/runtime");
 const VAULT_UNLOCK_SERVICE = "ouro.vault";
+const CREDENTIAL_VAULT_NOT_CONFIGURED_PREFIX = "credential vault is not configured in ";
 const PLAINTEXT_UNLOCK_DIR = path.join(".ouro-cli", "vault-unlock");
 const WINDOWS_DPAPI_UNLOCK_DIR = path.join(".ouro-cli", "vault-unlock-dpapi");
 const SUPPORTED_STORES = ["auto", "macos-keychain", "windows-dpapi", "linux-secret-service", "plaintext-file"];
@@ -104,6 +108,20 @@ function vaultUnlockReplaceRecoverFix(agentName, nextStep = "Then run 'ouro up'
         nextStep,
     ].join(" ");
 }
+function credentialVaultNotConfiguredError(agentName, configPath) {
+    return (`${CREDENTIAL_VAULT_NOT_CONFIGURED_PREFIX}${configPath}. ` +
+        `Run 'ouro vault create --agent ${agentName}' to create this agent's vault before loading or storing credentials.`);
+}
+function isCredentialVaultNotConfiguredError(message) {
+    return message.includes(CREDENTIAL_VAULT_NOT_CONFIGURED_PREFIX);
+}
+function vaultCreateRecoverFix(agentName, nextStep = "Then run 'ouro up' again.") {
+    return [
+        `Run 'ouro vault create --agent ${agentName}' to create this agent's vault.`,
+        `If you still have a local JSON credential export from an earlier alpha, run 'ouro vault recover --agent ${agentName} --from <json>' instead.`,
+        nextStep,
+    ].join(" ");
+}
 function lostUnlockSecretGuidance(config) {
     if (!config.agentName) {
         return "If nobody saved that unlock secret, run `ouro vault replace --agent <agent>` to create a new empty vault and re-enter credentials. If you do have a local JSON credential export, run `ouro vault recover --agent <agent> --from <json>` to import it.";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.407",
+  "version": "0.1.0-alpha.409",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",
@@ -32,6 +32,7 @@
     "test:coverage": "node scripts/run-coverage-gate.cjs",
     "build": "tsc && (cd packages/outlook-ui && npm install --ignore-scripts 2>/dev/null && npm run build && cp -r dist ../../dist/outlook-ui) || echo 'outlook-ui build skipped'",
     "lint": "eslint src/",
+    "release:preflight": "node scripts/release-preflight.cjs",
     "release:smoke": "node scripts/release-smoke.cjs",
     "audit:nerves": "npm run build && node dist/nerves/coverage/cli-main.js"
   },