npm - @ouro.bot/cli - Versions diffs - 0.1.0-alpha.409 → 0.1.0-alpha.410 - Mend

@ouro.bot/cli 0.1.0-alpha.409 → 0.1.0-alpha.410

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/README.md +11 -4
package/changelog.json +12 -0
package/dist/heart/config.js +14 -5
package/dist/heart/daemon/bluebubbles-health-diagnostics.js +1 -1
package/dist/heart/daemon/cli-exec.js +334 -43
package/dist/heart/daemon/cli-help.js +22 -5
package/dist/heart/daemon/cli-parse.js +37 -4
package/dist/heart/daemon/cli-render.js +1 -0
package/dist/heart/daemon/doctor.js +12 -4
package/dist/heart/daemon/process-manager.js +13 -0
package/dist/heart/daemon/sense-manager.js +35 -11
package/dist/heart/hatch/specialist-prompt.js +2 -2
package/dist/heart/hatch/specialist-tools.js +6 -4
package/dist/heart/runtime-credentials.js +96 -17
package/dist/heart/sense-truth.js +3 -0
package/dist/heart/turn-context.js +1 -1
package/dist/mind/prompt.js +3 -2
package/dist/repertoire/vault-unlock.js +30 -0
package/dist/senses/bluebubbles/entry.js +4 -1
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -11,10 +11,11 @@ Ouroboros is a TypeScript harness for daemon-managed agents that live in externa
 - `ouro up` starts the daemon from the installed production version, syncs the launcher, installs workflow helpers, and reconciles stale runtime state.
 - `ouro dev` starts the daemon from a local repo build. It auto-builds from source, disables launchd auto-restart (so the installed daemon doesn't respawn underneath you), persists the repo path in `~/.ouro-cli/dev-config.json` for next time, and force-restarts the daemon. If you run `ouro dev` from inside the repo, it detects the CWD automatically. Run `ouro up` to return to production mode (this also cleans up `dev-config.json`).
 - Agent bundles live outside the repo at `~/AgentBundles/<agent>.ouro/`.
-- Credentials live in the owning agent's Bitwarden/Vaultwarden vault. Provider credentials use `providers/<provider>`, runtime/sense/integration credentials use `runtime/config`, and travel/tool credentials use ordinary vault credential items.
+- Credentials live in the owning agent's Bitwarden/Vaultwarden vault: the agent's password manager. Provider credentials use `providers/<provider>`, portable runtime/integration credentials use `runtime/config`, local attachments use `runtime/machines/<machine-id>/config`, and travel/tool credentials use ordinary vault credential items.
 - Vault coordinates and local runtime state live in the agent bundle; raw credentials do not.
 - The only Ouro-owned durable credential locations are the bundle and the agent vault. Local unlock material is a machine-local cache, not a credential source of truth.
-- Machine-scoped test and runtime spillover lives under `~/.agentstate/...`.
+- Creating or replacing a vault asks for the unlock secret twice without echoing it, and requires at least 8 characters with uppercase and lowercase letters, one number, and one special character.
+- Machine-scoped harness state lives under `~/.ouro-cli/...`; agent-owned runtime/session/log/PII state lives under the bundle.
 Current first-class senses:
@@ -96,7 +97,9 @@ Task docs do not live in this repo anymore. Planning and doing docs live in the
 - `state/providers.json` is the local source of truth for provider+model selection on this machine. It has two lanes: `outward` for CLI, Teams, and BlueBubbles turns, and `inner` for inner dialogue.
 - Each agent has one credential vault for provider, runtime, sense, integration, travel, and tool credentials. There is no machine-wide credential pool.
 - Vault unlock material is local machine state. Prefer macOS Keychain, Windows DPAPI, or Linux Secret Service; plaintext fallback is allowed only by explicit human choice.
+- New vault unlock secrets are confirmed before use and rejected if they do not meet the minimum strength requirements.
 - Provider and runtime credentials are loaded into process memory at startup/auth/unlock/refresh and reused. The remote vault is not queried for every model or sense request.
+- CLI commands that mutate bundle config, such as vault setup or `ouro connect bluebubbles`, run bundle sync after the change when `sync.enabled` is true and report a compact `bundle sync:` line.
 - The daemon discovers bundles dynamically from `~/AgentBundles`.
 - `ouro status` reports version, last-updated time, discovered agents, senses, and workers.
 - `bundle-meta.json` tracks the runtime version that last touched a bundle.
@@ -104,6 +107,7 @@ Task docs do not live in this repo anymore. Planning and doing docs live in the
 - Sense availability is explicit:
   - `interactive`
   - `disabled`
+  - `not_attached`
   - `needs_config`
   - `ready`
   - `running`
@@ -171,8 +175,11 @@ ouro logs
 ouro stop
 ouro vault unlock --agent <name>
 ouro vault status --agent <name>
-ouro vault config set --agent <name> --key bluebubbles.password
-ouro vault config status --agent <name>
+ouro vault config set --agent <name> --key teams.clientSecret
+ouro vault config status --agent <name> --scope all
+ouro connect --agent <name>
+ouro connect perplexity --agent <name>
+ouro connect bluebubbles --agent <name>
 ouro auth --agent <name>
 ouro auth --agent <name> --provider <provider>
 ouro auth verify --agent <name> [--provider <provider>]

package/changelog.json CHANGED Viewed

@@ -1,6 +1,18 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.410",
+      "changes": [
+        "Added guided `ouro connect` onboarding for Perplexity search and local BlueBubbles attachment setup, with hidden secret prompts and compact success output.",
+        "Runtime credentials now distinguish portable `runtime/config` from machine-scoped `runtime/machines/<machine-id>/config`, so BlueBubbles local Mac bridge settings do not travel as universal agent config.",
+        "BlueBubbles can now be enabled but `not_attached` on a machine without degrading the agent, while incomplete or broken local attachment config still reports repairable guidance.",
+        "Sync-enabled bundle config mutations now run the existing post-change bundle sync path after vault setup/recovery/replacement, BlueBubbles attachment, and clone success, surfacing a compact `bundle sync:` result.",
+        "New vault unlock secret flows now require hidden confirmation and minimum strength checks before creating, replacing, recovering, or hatching an agent vault.",
+        "Updated auth/provider, cross-machine, README, AGENTS, and testing docs to lock the agent-vault-as-password-manager model and the portable-vs-local credential split.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the runtime credential onboarding release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.409",
       "changes": [

package/dist/heart/config.js CHANGED Viewed

@@ -36,6 +36,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.loadConfig = loadConfig;
 exports.resetConfigCache = resetConfigCache;
 exports.cacheRuntimeConfigForTests = cacheRuntimeConfigForTests;
+exports.cacheMachineRuntimeConfigForTests = cacheMachineRuntimeConfigForTests;
 exports.patchRuntimeConfig = patchRuntimeConfig;
 exports.getAzureConfig = getAzureConfig;
 exports.getMinimaxConfig = getMinimaxConfig;
@@ -142,12 +143,16 @@ function localRuntimeFields(config) {
     return localFields;
 }
 function loadConfig() {
-    const runtimeResult = (0, runtime_credentials_1.readRuntimeCredentialConfig)((0, identity_1.getAgentName)());
+    const agentName = (0, identity_1.getAgentName)();
+    const runtimeResult = (0, runtime_credentials_1.readRuntimeCredentialConfig)(agentName);
+    const machineRuntimeResult = (0, runtime_credentials_1.readMachineRuntimeCredentialConfig)(agentName);
     const vaultData = runtimeResult.ok ? localRuntimeFields(runtimeResult.config) : {};
+    const machineVaultData = machineRuntimeResult.ok ? localRuntimeFields(machineRuntimeResult.config) : {};
     const mergedConfig = deepMerge(defaultRuntimeConfig(), vaultData);
+    const mergedWithMachineConfig = deepMerge(mergedConfig, machineVaultData);
     const config = _runtimeConfigOverride
-        ? deepMerge(mergedConfig, _runtimeConfigOverride)
-        : mergedConfig;
+        ? deepMerge(mergedWithMachineConfig, _runtimeConfigOverride)
+        : mergedWithMachineConfig;
     (0, runtime_1.emitNervesEvent)({
         event: "config.load",
         component: "config/identity",
@@ -155,6 +160,7 @@ function loadConfig() {
         meta: {
             source: runtimeResult.ok ? "vault-cache" : "defaults",
             used_defaults_only: !runtimeResult.ok,
+            machine_runtime_credentials: machineRuntimeResult.ok ? "available" : machineRuntimeResult.reason,
             override_applied: _runtimeConfigOverride !== null,
             runtime_credentials: runtimeResult.ok ? "available" : runtimeResult.reason,
         },
@@ -171,6 +177,9 @@ function resetConfigCache() {
 function cacheRuntimeConfigForTests(agentName, config) {
     (0, runtime_credentials_1.cacheRuntimeCredentialConfig)(agentName, config, new Date(0));
 }
+function cacheMachineRuntimeConfigForTests(agentName, config) {
+    (0, runtime_credentials_1.cacheMachineRuntimeCredentialConfig)(agentName, config, new Date(0), "machine_test");
+}
 function seedProviderCredentialCache(providers) {
     if (!providers)
         return;
@@ -277,10 +286,10 @@ function getBlueBubblesConfig() {
     const config = loadConfig();
     const { serverUrl, password, accountId } = config.bluebubbles;
     if (!serverUrl.trim()) {
-        throw new Error("bluebubbles.serverUrl is required in the agent vault runtime/config item to run the BlueBubbles sense.");
+        throw new Error("bluebubbles.serverUrl is required in this machine's agent-vault runtime config. Run `ouro connect bluebubbles --agent <agent>`.");
     }
     if (!password.trim()) {
-        throw new Error("bluebubbles.password is required in the agent vault runtime/config item to run the BlueBubbles sense.");
+        throw new Error("bluebubbles.password is required in this machine's agent-vault runtime config. Run `ouro connect bluebubbles --agent <agent>`.");
     }
     return {
         serverUrl: serverUrl.trim(),

package/dist/heart/daemon/bluebubbles-health-diagnostics.js CHANGED Viewed

@@ -46,7 +46,7 @@ function formatBlueBubblesHealthcheckFailure(serverUrlInput, error) {
         case "network-error":
             return `Cannot reach BlueBubbles at ${serverUrl}. Check \`bluebubbles.serverUrl\`, confirm the BlueBubbles app/API is running, and verify this machine can reach it. Raw error: ${rawReason}`;
         case "auth-failure":
-            return `BlueBubbles auth failed at ${serverUrl} (HTTP ${status}). Check \`bluebubbles.password\` in the agent vault runtime/config item and confirm the server accepts it. Raw error: ${rawReason}`;
+            return `BlueBubbles auth failed at ${serverUrl} (HTTP ${status}). Check this machine's BlueBubbles attachment with \`ouro connect bluebubbles --agent <agent>\` and confirm the server accepts the password. Raw error: ${rawReason}`;
         case "server-error":
             return `BlueBubbles upstream returned HTTP ${status} at ${serverUrl}. Check the BlueBubbles app/server logs and confirm the upstream API is healthy. Raw error: ${rawReason}`;
         default:

package/dist/heart/daemon/cli-exec.js CHANGED Viewed

@@ -75,6 +75,7 @@ const provider_state_1 = require("../provider-state");
 const machine_identity_1 = require("../machine-identity");
 const provider_models_1 = require("../provider-models");
 const ouro_version_manager_1 = require("../versioning/ouro-version-manager");
+const sync_1 = require("../sync");
 const cli_parse_1 = require("./cli-parse");
 const cli_parse_2 = require("./cli-parse");
 const cli_help_1 = require("./cli-help");
@@ -611,6 +612,35 @@ function providerCliAgentRoot(command, deps) {
 function providerCliNow(deps) {
     return new Date((deps.now ?? Date.now)());
 }
+function readAgentSyncConfigForCliMutation(agent, deps) {
+    try {
+        const configPath = path.join(providerCliAgentRoot({ agent }, deps), "agent.json");
+        const parsed = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+        return {
+            enabled: parsed.sync?.enabled === true,
+            remote: typeof parsed.sync?.remote === "string" && parsed.sync.remote.trim() ? parsed.sync.remote : "origin",
+        };
+    }
+    catch {
+        /* v8 ignore next -- defensive: post-mutation sync should not break an already-successful CLI repair if agent.json becomes unreadable @preserve */
+        return { enabled: false, remote: "origin" };
+    }
+}
+function pushAgentBundleAfterCliMutation(agent, deps) {
+    const sync = readAgentSyncConfigForCliMutation(agent, deps);
+    if (!sync.enabled)
+        return null;
+    const agentRoot = providerCliAgentRoot({ agent }, deps);
+    const result = (0, sync_1.postTurnPush)(agentRoot, { enabled: true, remote: sync.remote });
+    if (result.ok) {
+        return `bundle sync: ran post-change sync (remote: ${sync.remote})`;
+    }
+    return `bundle sync: could not push bundle changes (${result.error})`;
+}
+function appendBundleSyncSummary(message, agent, deps) {
+    const syncSummary = pushAgentBundleAfterCliMutation(agent, deps);
+    return syncSummary ? `${message}\n${syncSummary}` : message;
+}
 function writeAgentVaultConfig(agentName, configPath, config, vault) {
     const nextConfig = {
         ...config,
@@ -674,6 +704,7 @@ function recoverProviderImports(raw) {
     return imports;
 }
 const RECOVER_RUNTIME_EXCLUDED_TOP_LEVEL = new Set(["providers", "vault", "context", "schemaVersion", "updatedAt"]);
+const MACHINE_RUNTIME_CONFIG_TOP_LEVEL = new Set(["bluebubbles", "bluebubblesChannel"]);
 function recoverRuntimeConfig(raw) {
     const config = {};
     for (const [key, value] of Object.entries(raw)) {
@@ -695,6 +726,15 @@ function mergeRuntimeConfig(a, b) {
     }
     return merged;
 }
+function splitRuntimeConfigByScope(config) {
+    const agentConfig = {};
+    const machineConfig = {};
+    for (const [key, value] of Object.entries(config)) {
+        const target = MACHINE_RUNTIME_CONFIG_TOP_LEVEL.has(key) ? machineConfig : agentConfig;
+        target[key] = isJsonRecord(value) ? cloneJsonRecord(value) : value;
+    }
+    return { agentConfig, machineConfig };
+}
 function readVaultRecoverSource(sourcePath) {
     const resolved = path.resolve(sourcePath);
     let parsed;
@@ -791,10 +831,12 @@ async function executeVaultCreate(command, deps) {
     const email = command.email ?? config.vault?.email ?? configuredVault.email;
     const promptSecret = ensureVaultSecretPrompt(deps.promptSecret, "create");
     const serverUrl = command.serverUrl ?? config.vault?.serverUrl ?? configuredVault.serverUrl;
-    const unlockSecret = (await promptSecret(`Choose Ouro vault unlock secret for ${email}: `)).trim();
-    if (!unlockSecret) {
-        throw new Error("vault create requires an unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.");
-    }
+    const unlockSecret = await (0, vault_unlock_1.promptConfirmedVaultUnlockSecret)({
+        promptSecret,
+        question: `Choose Ouro vault unlock secret for ${email}: `,
+        confirmQuestion: `Confirm Ouro vault unlock secret for ${email}: `,
+        emptyError: "vault create requires an unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.",
+    });
     const result = await (0, vault_setup_1.createVaultAccount)("Ouro credential vault", serverUrl, email, unlockSecret);
     if (!result.success) {
         const message = [
@@ -814,13 +856,13 @@ async function executeVaultCreate(command, deps) {
     }, unlockSecret, { homeDir: deps.homeDir, store: command.store });
     (0, credential_access_1.resetCredentialStore)();
     await (0, credential_access_1.getCredentialStore)(command.agent).get("__ouro_vault_probe__");
-    const message = [
+    const message = appendBundleSyncSummary([
         `vault created for ${command.agent}`,
         `vault: ${email} at ${serverUrl}`,
         `local unlock store: ${store.kind}${store.secure ? "" : " (explicit plaintext fallback)"}`,
         "All raw credentials for this agent will be stored in this Ouro credential vault.",
         "Keep the vault unlock secret saved outside Ouro. Another machine will need it once.",
-    ].join("\n");
+    ].join("\n"), command.agent, deps);
     deps.writeStdout(message);
     return message;
 }
@@ -835,10 +877,12 @@ async function executeVaultReplace(command, deps) {
     const configuredVault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
     const email = command.email ?? defaultRepairVaultEmail(command.agent, config);
     const serverUrl = command.serverUrl ?? config.vault?.serverUrl ?? configuredVault.serverUrl;
-    const unlockSecret = (await promptSecret(`Choose new Ouro vault unlock secret for ${email}: `)).trim();
-    if (!unlockSecret) {
-        throw new Error("vault replace requires an unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.");
-    }
+    const unlockSecret = await (0, vault_unlock_1.promptConfirmedVaultUnlockSecret)({
+        promptSecret,
+        question: `Choose new Ouro vault unlock secret for ${email}: `,
+        confirmQuestion: `Confirm new Ouro vault unlock secret for ${email}: `,
+        emptyError: "vault replace requires an unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.",
+    });
     const repair = await createRepairVaultForAgent({
         action: "replace",
         agentName: command.agent,
@@ -852,14 +896,14 @@ async function executeVaultReplace(command, deps) {
     });
     if (!repair.ok)
         return repair.message;
-    const message = [
+    const message = appendBundleSyncSummary([
         `vault replaced for ${command.agent}`,
         `vault: ${email} at ${serverUrl}`,
         `local unlock store: ${repair.store.kind}${repair.store.secure ? "" : " (explicit plaintext fallback)"}`,
         "imported: none",
         `next: ouro repair --agent ${command.agent}`,
         "Keep the vault unlock secret saved outside Ouro. Another machine will need it once.",
-    ].join("\n");
+    ].join("\n"), command.agent, deps);
     deps.writeStdout(message);
     return message;
 }
@@ -876,10 +920,12 @@ async function executeVaultRecover(command, deps) {
     const configuredVault = (0, identity_1.resolveVaultConfig)(command.agent, config.vault);
     const email = command.email ?? defaultRepairVaultEmail(command.agent, config);
     const serverUrl = command.serverUrl ?? config.vault?.serverUrl ?? configuredVault.serverUrl;
-    const unlockSecret = (await promptSecret(`Choose new Ouro vault unlock secret for ${email}: `)).trim();
-    if (!unlockSecret) {
-        throw new Error("vault recover requires an unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.");
-    }
+    const unlockSecret = await (0, vault_unlock_1.promptConfirmedVaultUnlockSecret)({
+        promptSecret,
+        question: `Choose new Ouro vault unlock secret for ${email}: `,
+        confirmQuestion: `Confirm new Ouro vault unlock secret for ${email}: `,
+        emptyError: "vault recover requires an unlock secret. Re-run in an interactive terminal and enter a human-chosen unlock secret.",
+    });
     const repair = await createRepairVaultForAgent({
         action: "recover",
         agentName: command.agent,
@@ -894,7 +940,7 @@ async function executeVaultRecover(command, deps) {
     if (!repair.ok)
         return repair.message;
     const importedProviders = new Set();
-    let mergedRuntimeConfig = {};
+    let mergedRecoveredRuntimeConfig = {};
     for (const source of sourceImports) {
         for (const provider of source.providers) {
             await (0, provider_credentials_1.upsertProviderCredential)({
@@ -907,23 +953,29 @@ async function executeVaultRecover(command, deps) {
             });
             importedProviders.add(provider.provider);
         }
-        mergedRuntimeConfig = mergeRuntimeConfig(mergedRuntimeConfig, source.runtimeConfig);
+        mergedRecoveredRuntimeConfig = mergeRuntimeConfig(mergedRecoveredRuntimeConfig, source.runtimeConfig);
     }
+    const { agentConfig: mergedRuntimeConfig, machineConfig: mergedMachineRuntimeConfig } = splitRuntimeConfigByScope(mergedRecoveredRuntimeConfig);
     const runtimeFields = summarizeRuntimeConfigFields(mergedRuntimeConfig);
+    const machineRuntimeFields = summarizeRuntimeConfigFields(mergedMachineRuntimeConfig);
     if (runtimeFields.length > 0) {
         await (0, runtime_credentials_1.upsertRuntimeCredentialConfig)(command.agent, mergedRuntimeConfig, now);
     }
+    if (machineRuntimeFields.length > 0) {
+        await (0, runtime_credentials_1.upsertMachineRuntimeCredentialConfig)(command.agent, currentMachineId(deps), mergedMachineRuntimeConfig, now);
+    }
     const providerList = [...importedProviders].sort();
-    const message = [
+    const message = appendBundleSyncSummary([
         `vault recovered for ${command.agent}`,
         `vault: ${email} at ${serverUrl}`,
         `local unlock store: ${repair.store.kind}${repair.store.secure ? "" : " (explicit plaintext fallback)"}`,
         `sources imported: ${sourceImports.length}`,
         `provider credentials imported: ${providerList.length === 0 ? "none" : providerList.join(", ")}`,
         `runtime credentials imported: ${runtimeFields.length === 0 ? "none" : runtimeFields.join(", ")}`,
+        `machine runtime credentials imported: ${machineRuntimeFields.length === 0 ? "none" : machineRuntimeFields.join(", ")}`,
         "credential values were not printed",
         "Keep the vault unlock secret saved outside Ouro. Another machine will need it once.",
-    ].join("\n");
+    ].join("\n"), command.agent, deps);
     deps.writeStdout(message);
     return message;
 }
@@ -1033,24 +1085,65 @@ function summarizeRuntimeConfigFields(config) {
     visit("", config);
     return fields.filter(Boolean).sort();
 }
+function isSensitiveRuntimeConfigKey(key) {
+    const lastSegment = key.split(".").pop();
+    return /(password|secret|token|api[-_]?key|key)$/i.test(lastSegment);
+}
+function currentMachineId(deps) {
+    return (0, machine_identity_1.loadOrCreateMachineIdentity)({
+        homeDir: providerCliHomeDir(deps),
+        now: () => providerCliNow(deps),
+    }).machineId;
+}
+async function promptRuntimeConfigValue(command, deps) {
+    if (command.value !== undefined)
+        return command.value;
+    if (isSensitiveRuntimeConfigKey(command.key)) {
+        if (!deps.promptSecret) {
+            throw new Error("secret entry requires an interactive terminal so the value can be hidden. Re-run without --value in a terminal, or pass --value only from a trusted non-logged script.");
+        }
+        return deps.promptSecret(`Value for ${command.key}: `);
+    }
+    const prompt = deps.promptInput;
+    return prompt ? prompt(`Value for ${command.key}: `) : "";
+}
+function runtimeScopeLabel(scope) {
+    return scope === "machine" ? "this machine's vault runtime config item" : "the agent vault runtime/config item";
+}
+async function storeRuntimeConfigKey(input) {
+    const machineId = input.scope === "machine" ? currentMachineId(input.deps) : undefined;
+    const current = input.scope === "machine"
+        ? await (0, runtime_credentials_1.refreshMachineRuntimeCredentialConfig)(input.agent, machineId, { preserveCachedOnFailure: true })
+        : await (0, runtime_credentials_1.refreshRuntimeCredentialConfig)(input.agent, { preserveCachedOnFailure: true });
+    if (!current.ok && current.reason !== "missing") {
+        throw new Error(`cannot read existing runtime credentials from ${current.itemPath}: ${current.error}`);
+    }
+    const nextConfig = setRuntimeConfigValue(current.ok ? current.config : {}, input.key, input.value);
+    const stored = input.scope === "machine"
+        ? await (0, runtime_credentials_1.upsertMachineRuntimeCredentialConfig)(input.agent, machineId, nextConfig, providerCliNow(input.deps))
+        : await (0, runtime_credentials_1.upsertRuntimeCredentialConfig)(input.agent, nextConfig, providerCliNow(input.deps));
+    return { revision: stored.revision, itemPath: stored.itemPath, ...(machineId ? { machineId } : {}) };
+}
 async function executeVaultConfigSet(command, deps) {
     if (command.agent === "SerpentGuide") {
         throw new Error("SerpentGuide does not have persistent runtime credentials. Store credentials in the hatchling agent vault.");
     }
-    const prompt = deps.promptInput;
-    const value = command.value ?? (prompt ? await prompt(`Value for ${command.key}: `) : "");
+    const scope = command.scope ?? "agent";
+    const value = await promptRuntimeConfigValue(command, deps);
     if (!value) {
         throw new Error("vault config set requires --value <value> or an interactive prompt");
     }
-    const current = await (0, runtime_credentials_1.refreshRuntimeCredentialConfig)(command.agent, { preserveCachedOnFailure: true });
-    if (!current.ok && current.reason !== "missing") {
-        throw new Error(`cannot read existing runtime credentials from ${current.itemPath}: ${current.error}`);
-    }
-    const nextConfig = setRuntimeConfigValue(current.ok ? current.config : {}, command.key, value);
-    const stored = await (0, runtime_credentials_1.upsertRuntimeCredentialConfig)(command.agent, nextConfig, providerCliNow(deps));
+    const stored = await storeRuntimeConfigKey({
+        agent: command.agent,
+        key: command.key,
+        value,
+        scope,
+        deps,
+    });
     const message = [
-        `stored ${command.key} for ${command.agent} in the agent vault runtime/config item`,
+        `stored ${command.key} for ${command.agent} in ${runtimeScopeLabel(scope)}`,
         `runtime credentials: ${stored.revision}`,
+        `item: ${stored.itemPath}`,
         "value was not printed",
     ].join("\n");
     deps.writeStdout(message);
@@ -1062,24 +1155,217 @@ async function executeVaultConfigStatus(command, deps) {
         deps.writeStdout(message);
         return message;
     }
-    const runtime = await (0, runtime_credentials_1.refreshRuntimeCredentialConfig)(command.agent, { preserveCachedOnFailure: true });
-    const lines = [`agent: ${command.agent}`, `runtime config item: ${runtime.itemPath}`];
-    if (runtime.ok) {
-        lines.push(`status: available (${runtime.revision})`);
-        const fields = summarizeRuntimeConfigFields(runtime.config);
-        lines.push(`fields: ${fields.length === 0 ? "none stored" : fields.join(", ")}`);
-    }
-    else {
-        lines.push(`status: ${runtime.reason}`);
-        lines.push(`error: ${runtime.error}`);
-        lines.push(runtime.reason === "missing"
-            ? `fix: Run 'ouro vault config set --agent ${command.agent} --key <field>' to store runtime credentials.`
-            : `fix: ${(0, vault_unlock_1.vaultUnlockReplaceRecoverFix)(command.agent, "Then retry 'ouro vault config status'.")}`);
+    const scopes = command.scope === "all" ? ["agent", "machine"] : [command.scope ?? "agent"];
+    const lines = [`agent: ${command.agent}`];
+    for (const scope of scopes) {
+        const machineId = scope === "machine" ? currentMachineId(deps) : undefined;
+        const runtime = scope === "machine"
+            ? await (0, runtime_credentials_1.refreshMachineRuntimeCredentialConfig)(command.agent, machineId, { preserveCachedOnFailure: true })
+            : await (0, runtime_credentials_1.refreshRuntimeCredentialConfig)(command.agent, { preserveCachedOnFailure: true });
+        if (scopes.length > 1)
+            lines.push("");
+        lines.push(`${scope} runtime config item: ${runtime.itemPath}`);
+        if (runtime.ok) {
+            lines.push(`status: available (${runtime.revision})`);
+            const fields = summarizeRuntimeConfigFields(runtime.config);
+            lines.push(`fields: ${fields.length === 0 ? "none stored" : fields.join(", ")}`);
+        }
+        else {
+            lines.push(`status: ${runtime.reason}`);
+            lines.push(`error: ${runtime.error}`);
+            lines.push(runtime.reason === "missing"
+                ? `fix: Run 'ouro vault config set --agent ${command.agent} --key <field>${scope === "machine" ? " --scope machine" : ""}' to store runtime credentials.`
+                : `fix: ${(0, vault_unlock_1.vaultUnlockReplaceRecoverFix)(command.agent, "Then retry 'ouro vault config status'.")}`);
+        }
     }
     const message = lines.join("\n");
     deps.writeStdout(message);
     return message;
 }
+function requirePromptSecret(deps, purpose) {
+    if (deps.promptSecret)
+        return deps.promptSecret;
+    throw new Error(`${purpose} requires an interactive terminal so the secret can be hidden.`);
+}
+function requirePromptInput(deps, purpose) {
+    if (deps.promptInput)
+        return deps.promptInput;
+    throw new Error(`${purpose} requires an interactive terminal.`);
+}
+function parseOptionalPort(value, fallback, label) {
+    const trimmed = value.trim();
+    if (!trimmed)
+        return fallback;
+    const parsed = Number(trimmed);
+    if (!Number.isInteger(parsed) || parsed < 1 || parsed > 65535) {
+        throw new Error(`${label} must be an integer between 1 and 65535`);
+    }
+    return parsed;
+}
+function parseOptionalPositiveInteger(value, fallback, label) {
+    const trimmed = value.trim();
+    if (!trimmed)
+        return fallback;
+    const parsed = Number(trimmed);
+    if (!Number.isInteger(parsed) || parsed < 1) {
+        throw new Error(`${label} must be a positive integer`);
+    }
+    return parsed;
+}
+function normalizeWebhookPath(value, fallback) {
+    const trimmed = value.trim();
+    if (!trimmed)
+        return fallback;
+    return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
+}
+function enableAgentSense(agent, sense, deps) {
+    const { configPath } = (0, auth_flow_1.readAgentConfigForAgent)(agent, deps.bundlesRoot);
+    const raw = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+    const senses = raw.senses && typeof raw.senses === "object" && !Array.isArray(raw.senses)
+        ? raw.senses
+        : {};
+    const existing = senses[sense] && typeof senses[sense] === "object" && !Array.isArray(senses[sense])
+        ? senses[sense]
+        : {};
+    raw.senses = {
+        ...senses,
+        cli: senses.cli ?? { enabled: true },
+        teams: senses.teams ?? { enabled: false },
+        [sense]: { ...existing, enabled: true },
+    };
+    fs.writeFileSync(configPath, `${JSON.stringify(raw, null, 2)}\n`, "utf-8");
+}
+function connectMenu(agent) {
+    return [
+        `Connect ${agent}`,
+        "",
+        "Portable agent capabilities",
+        "  1. Perplexity search",
+        "     stores: agent vault runtime/config -> integrations.perplexityApiKey",
+        "",
+        "This machine only",
+        "  2. BlueBubbles iMessage",
+        "     stores: agent vault runtime/machines/<this-machine>/config",
+        "",
+        "Model providers",
+        "  3. Provider auth",
+        `     runs separately: ouro auth --agent ${agent} --provider <provider>`,
+        "",
+        "  4. Cancel",
+        "",
+        "Choose [1-4]: ",
+    ].join("\n");
+}
+async function executeConnectPerplexity(agent, deps) {
+    if (agent === "SerpentGuide") {
+        throw new Error("SerpentGuide has no persistent runtime credentials. Connect Perplexity on the hatchling agent instead.");
+    }
+    const promptSecret = requirePromptSecret(deps, "Perplexity API key entry");
+    const key = (await promptSecret("Perplexity API key: ")).trim();
+    if (!key)
+        throw new Error("Perplexity API key cannot be blank");
+    const stored = await storeRuntimeConfigKey({
+        agent,
+        key: "integrations.perplexityApiKey",
+        value: key,
+        scope: "agent",
+        deps,
+    });
+    const message = [
+        `Perplexity connected for ${agent}`,
+        "capability: Perplexity search",
+        `stored: ${stored.itemPath}`,
+        "secret was not printed",
+        "",
+        "Next: ask the agent to search, or run `ouro up` again if the daemon was already running.",
+    ].join("\n");
+    deps.writeStdout(message);
+    return message;
+}
+async function executeConnectBlueBubbles(agent, deps) {
+    if (agent === "SerpentGuide") {
+        throw new Error("SerpentGuide has no persistent runtime credentials. Attach BlueBubbles on the hatchling agent instead.");
+    }
+    const promptInput = requirePromptInput(deps, "BlueBubbles setup");
+    const promptSecret = requirePromptSecret(deps, "BlueBubbles password entry");
+    const serverUrl = (await promptInput("BlueBubbles server URL for this machine: ")).trim();
+    if (!serverUrl)
+        throw new Error("BlueBubbles server URL cannot be blank");
+    const password = (await promptSecret("BlueBubbles app password: ")).trim();
+    if (!password)
+        throw new Error("BlueBubbles app password cannot be blank");
+    const port = parseOptionalPort(await promptInput("Local webhook port [18790]: "), 18790, "BlueBubbles webhook port");
+    const webhookPath = normalizeWebhookPath(await promptInput("Local webhook path [/bluebubbles-webhook]: "), "/bluebubbles-webhook");
+    const requestTimeoutMs = parseOptionalPositiveInteger(await promptInput("Request timeout ms [30000]: "), 30000, "BlueBubbles request timeout");
+    const machineId = currentMachineId(deps);
+    const current = await (0, runtime_credentials_1.refreshMachineRuntimeCredentialConfig)(agent, machineId, { preserveCachedOnFailure: true });
+    if (!current.ok && current.reason !== "missing") {
+        throw new Error(`cannot read existing machine runtime credentials from ${current.itemPath}: ${current.error}`);
+    }
+    const nextConfig = {
+        ...(current.ok ? current.config : {}),
+        bluebubbles: {
+            serverUrl,
+            password,
+            accountId: "default",
+        },
+        bluebubblesChannel: {
+            port,
+            webhookPath,
+            requestTimeoutMs,
+        },
+    };
+    const stored = await (0, runtime_credentials_1.upsertMachineRuntimeCredentialConfig)(agent, machineId, nextConfig, providerCliNow(deps));
+    enableAgentSense(agent, "bluebubbles", deps);
+    const message = appendBundleSyncSummary([
+        `BlueBubbles attached for ${agent} on this machine`,
+        `machine: ${machineId}`,
+        `stored: ${stored.itemPath}`,
+        "agent.json: senses.bluebubbles.enabled = true",
+        "secret was not printed",
+        "",
+        "Next: point BlueBubbles at this machine's webhook, then run `ouro up`.",
+    ].join("\n"), agent, deps);
+    deps.writeStdout(message);
+    return message;
+}
+async function executeConnect(command, deps) {
+    if (command.target === "perplexity")
+        return executeConnectPerplexity(command.agent, deps);
+    if (command.target === "bluebubbles")
+        return executeConnectBlueBubbles(command.agent, deps);
+    const promptInput = deps.promptInput;
+    if (!promptInput) {
+        const message = [
+            connectMenu(command.agent).replace(/\nChoose \[1-4\]: $/, ""),
+            "",
+            `Run: ouro connect perplexity --agent ${command.agent}`,
+            `Or:  ouro connect bluebubbles --agent ${command.agent}`,
+        ].join("\n");
+        deps.writeStdout(message);
+        return message;
+    }
+    const answer = (await promptInput(connectMenu(command.agent))).trim().toLowerCase();
+    if (answer === "1" || answer === "perplexity" || answer === "perplexity-search") {
+        return executeConnectPerplexity(command.agent, deps);
+    }
+    if (answer === "2" || answer === "bluebubbles" || answer === "imessage" || answer === "messages") {
+        return executeConnectBlueBubbles(command.agent, deps);
+    }
+    if (answer === "3" || answer === "provider" || answer === "providers" || answer === "auth") {
+        const message = [
+            "Provider auth is its own flow:",
+            `  ouro auth --agent ${command.agent} --provider <provider>`,
+            "",
+            "Use `ouro connect` for integrations and local senses after provider auth is ready.",
+        ].join("\n");
+        deps.writeStdout(message);
+        return message;
+    }
+    const message = "connect cancelled.";
+    deps.writeStdout(message);
+    return message;
+}
 function readOrBootstrapProviderState(agentName, deps) {
     const agentRoot = providerCliAgentRoot({ agent: agentName }, deps);
     const readResult = (0, provider_state_1.readProviderState)(agentRoot);
@@ -2130,6 +2416,9 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
         deps.writeStdout(text);
         return text;
     }
+    if (command.kind === "connect") {
+        return executeConnect(command, deps);
+    }
     if (command.kind === "daemon.up") {
         // ── dev mode cleanup: delete dev-config.json so the wrapper stops dispatching to dev repo ──
         /* v8 ignore start -- dev-config cleanup: requires real filesystem state @preserve */
@@ -3577,8 +3866,10 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
         }
         // 8. Output success message
         (0, runtime_1.emitNervesEvent)({ component: "daemon", event: "daemon.clone_complete", message: "clone complete", meta: { agentName, targetPath } });
+        const syncSummary = syncEnabled ? pushAgentBundleAfterCliMutation(agentName, deps) : null;
         const syncMsg = syncEnabled ? "\nsync enabled (remote: origin)" : "\nwarning: no agent.json found — this may not be a valid agent bundle";
-        deps.writeStdout(`cloned ${agentName} to ${targetPath}${syncMsg}`);
+        const syncPushMsg = syncSummary ? `\n${syncSummary}` : "";
+        deps.writeStdout(`cloned ${agentName} to ${targetPath}${syncMsg}${syncPushMsg}`);
         // 9. Guided post-clone flow (when interactive)
         if (deps.promptInput) {
             // Auth