@ouro.bot/cli 0.1.0-alpha.409 → 0.1.0-alpha.410

package/dist/heart/daemon/cli-help.js

@@ -163,6 +163,13 @@ exports.COMMAND_REGISTRY = {
         example: "ouro auth --agent ouroboros",
         subcommands: ["verify", "switch"],
     },
+    connect: {
+        category: "Auth",
+        description: "Connect integrations and local senses such as Perplexity search and BlueBubbles iMessage",
+        usage: "ouro connect [perplexity|bluebubbles] --agent <name>",
+        example: "ouro connect perplexity --agent ouroboros",
+        subcommands: ["perplexity", "bluebubbles"],
+    },
     use: {
         category: "Auth",
         description: "Choose this machine's provider/model lane for an agent",
@@ -265,6 +272,16 @@ const SUBCOMMAND_HELP = {
         usage: "ouro auth switch --agent <name> --provider <provider> [--facing human|agent]",
         example: "ouro auth switch --agent ouroboros --provider minimax",
     },
+    "connect perplexity": {
+        description: "Connect Perplexity search for this agent",
+        usage: "ouro connect perplexity --agent <name>",
+        example: "ouro connect perplexity --agent ouroboros",
+    },
+    "connect bluebubbles": {
+        description: "Attach BlueBubbles iMessage to this machine only",
+        usage: "ouro connect bluebubbles --agent <name>",
+        example: "ouro connect bluebubbles --agent ouroboros",
+    },
     "provider refresh": {
         description: "Reload this agent's provider credentials from its vault into daemon memory",
         usage: "ouro provider refresh --agent <name>",
@@ -296,14 +313,14 @@ const SUBCOMMAND_HELP = {
         example: "ouro vault status --agent ouroboros",
     },
     "vault config set": {
-        description: "Write runtime configuration into the agent credential vault",
-        usage: "ouro vault config set --agent <name> --key <path> [--value <value>]",
-        example: "ouro vault config set --agent ouroboros --key senses/outlook/clientId",
+        description: "Write runtime configuration into the agent credential vault without printing values",
+        usage: "ouro vault config set --agent <name> --key <path> [--value <value>] [--scope agent|machine]",
+        example: "ouro vault config set --agent ouroboros --key teams.clientSecret",
     },
     "vault config status": {
         description: "List runtime configuration keys stored in the agent credential vault",
-        usage: "ouro vault config status --agent <name>",
-        example: "ouro vault config status --agent ouroboros",
+        usage: "ouro vault config status --agent <name> [--scope agent|machine|all]",
+        example: "ouro vault config status --agent ouroboros --scope all",
     },
 };
 // ── Levenshtein distance ──

package/dist/heart/daemon/cli-parse.js

@@ -83,6 +83,7 @@ function usage() {
         "  ouro config model --agent <name> <model-name>",
         "  ouro config models --agent <name>",
         "  ouro auth --agent <name> [--provider <provider>]",
+        "  ouro connect [perplexity|bluebubbles] --agent <name>",
         "  ouro auth verify --agent <name> [--provider <provider>]",
         "  ouro auth switch --agent <name> --provider <provider>",
         "  ouro vault create --agent <name> --email <email> [--server <url>] [--store <store>]",
@@ -90,8 +91,8 @@ function usage() {
         "  ouro vault recover --agent <name> --from <json> [--from <json>] [--email <email>] [--server <url>] [--store <store>]",
         "  ouro vault unlock --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
         "  ouro vault status --agent <name> [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
-        "  ouro vault config set --agent <name> --key <path> [--value <value>]",
-        "  ouro vault config status --agent <name>",
+        "  ouro vault config set --agent <name> --key <path> [--value <value>] [--scope agent|machine]",
+        "  ouro vault config status --agent <name> [--scope agent|machine|all]",
         "  ouro chat <agent>",
         "  ouro msg --to <agent> [--session <id>] [--task <ref>] <message>",
         "  ouro poke <agent> --task <task-id>",
@@ -544,6 +545,7 @@ function parseVaultConfigCommand(args) {
     const { agent, rest } = extractAgentFlag(args.slice(1));
     let key;
     let value;
+    let scope;
     for (let i = 0; i < rest.length; i += 1) {
         const token = rest[i];
         if (token === "--key") {
@@ -556,6 +558,15 @@ function parseVaultConfigCommand(args) {
             i += 1;
             continue;
         }
+        if (token === "--scope") {
+            const raw = rest[i + 1];
+            if (raw !== "agent" && raw !== "machine" && raw !== "all") {
+                throw new Error("vault config --scope must be agent, machine, or all");
+            }
+            scope = raw;
+            i += 1;
+            continue;
+        }
         throw new Error("Usage: ouro vault config set --agent <name> --key <path> [--value <value>] OR ouro vault config status --agent <name>");
     }
     if (!agent || (sub !== "set" && sub !== "status")) {
@@ -565,12 +576,32 @@ function parseVaultConfigCommand(args) {
         if (key || value) {
             throw new Error("Usage: ouro vault config status --agent <name>");
         }
-        return { kind: "vault.config.status", agent };
+        return { kind: "vault.config.status", agent, ...(scope ? { scope } : {}) };
     }
+    if (scope === "all")
+        throw new Error("vault config --scope all is only valid for status");
     if (!key) {
         throw new Error("Usage: ouro vault config set --agent <name> --key <path> [--value <value>]");
     }
-    return { kind: "vault.config.set", agent, key, ...(value !== undefined ? { value } : {}) };
+    return { kind: "vault.config.set", agent, key, ...(value !== undefined ? { value } : {}), ...(scope ? { scope } : {}) };
+}
+function normalizeConnectTarget(value) {
+    if (!value)
+        return undefined;
+    if (value === "perplexity" || value === "perplexity-search")
+        return "perplexity";
+    if (value === "bluebubbles" || value === "imessage" || value === "messages")
+        return "bluebubbles";
+    throw new Error("Usage: ouro connect [perplexity|bluebubbles] --agent <name>");
+}
+function parseConnectCommand(args) {
+    const { agent, rest } = extractAgentFlag(args);
+    if (!agent)
+        throw new Error("Usage: ouro connect --agent <name> [perplexity|bluebubbles]");
+    if (rest.length > 1)
+        throw new Error("Usage: ouro connect [perplexity|bluebubbles] --agent <name>");
+    const target = normalizeConnectTarget(rest[0]);
+    return { kind: "connect", agent, ...(target ? { target } : {}) };
 }
 function parseProviderUseCommand(args) {
     const { agent, rest: afterAgent } = extractAgentFlag(args);
@@ -1053,6 +1084,8 @@ function parseOuroCommand(args) {
         return parseHatchCommand(args.slice(1));
     if (head === "auth")
         return parseAuthCommand(args.slice(1));
+    if (head === "connect")
+        return parseConnectCommand(args.slice(1));
     if (head === "vault")
         return parseVaultCommand(args.slice(1));
     if (head === "task")

package/dist/heart/daemon/cli-render.js

@@ -248,6 +248,7 @@ function statusDot(status) {
         case "failed":
             return red("●");
         case "needs_config":
+        case "not_attached":
         case "stale":
             return yellow("●");
         case "disabled":

package/dist/heart/daemon/doctor.js

@@ -19,6 +19,7 @@ const runtime_1 = require("../../nerves/runtime");
 const bluebubbles_health_diagnostics_1 = require("./bluebubbles-health-diagnostics");
 const ouro_path_installer_1 = require("../versioning/ouro-path-installer");
 const runtime_credentials_1 = require("../runtime-credentials");
+const machine_identity_1 = require("../machine-identity");
 const DEFAULT_BLUEBUBBLES_REQUEST_TIMEOUT_MS = 30_000;
 // ── Category checkers ──
 function checkCliPath(deps) {
@@ -201,14 +202,21 @@ async function checkSenses(deps) {
                 });
             }
             if (sense === "bluebubbles" && senseObj.enabled === true) {
-                const runtimeConfig = await (0, runtime_credentials_1.refreshRuntimeCredentialConfig)(agentName, { preserveCachedOnFailure: true });
+                const machineId = (0, machine_identity_1.loadOrCreateMachineIdentity)({ homeDir: deps.homedir }).machineId;
+                const runtimeConfig = await (0, runtime_credentials_1.refreshMachineRuntimeCredentialConfig)(agentName, machineId, { preserveCachedOnFailure: true });
                 if (!runtimeConfig.ok) {
+                    if (runtimeConfig.reason === "missing") {
+                        checks.push({
+                            label: `${agentDir} bluebubbles config`,
+                            status: "pass",
+                            detail: "not attached on this machine",
+                        });
+                        continue;
+                    }
                     checks.push({
                         label: `${agentDir} bluebubbles config`,
                         status: "fail",
-                        detail: runtimeConfig.reason === "missing"
-                            ? "missing vault runtime/config"
-                            : `vault runtime/config unavailable: ${runtimeConfig.error}`,
+                        detail: `machine runtime config unavailable: ${runtimeConfig.error}`,
                     });
                     continue;
                 }

package/dist/heart/daemon/process-manager.js

@@ -158,6 +158,19 @@ class DaemonProcessManager {
         state.snapshot.status = "starting";
         if (this.configCheckFn) {
             const result = await this.configCheckFn(agent);
+            if (result.skip) {
+                state.snapshot.status = "stopped";
+                state.snapshot.errorReason = null;
+                state.snapshot.fixHint = null;
+                (0, runtime_1.emitNervesEvent)({
+                    component: "daemon",
+                    event: "daemon.agent_config_skipped",
+                    message: result.error ?? "agent start skipped by config check",
+                    meta: { agent, fix: result.fix ?? null },
+                });
+                this.notifySnapshotChange(state.snapshot);
+                return;
+            }
             if (!result.ok) {
                 state.snapshot.status = "crashed";
                 // Surface the error and fix to the snapshot so sibling agents can

package/dist/heart/daemon/sense-manager.js

@@ -41,6 +41,7 @@ const runtime_1 = require("../../nerves/runtime");
 const identity_1 = require("../identity");
 const runtime_credentials_1 = require("../runtime-credentials");
 const sense_truth_1 = require("../sense-truth");
+const machine_identity_1 = require("../machine-identity");
 const process_manager_1 = require("./process-manager");
 const DEFAULT_TEAMS_PORT = 3978;
 const DEFAULT_BLUEBUBBLES_PORT = 18790;
@@ -106,11 +107,12 @@ function compactRuntimeConfigError(agent, error) {
 function runtimeConfigUnavailableDetail(agent, runtimeConfig) {
     if (runtimeConfig.ok)
         return "";
+    const itemName = /^vault:[^:]+:(.+)$/.exec(runtimeConfig.itemPath)?.[1] ?? "runtime/config";
     if (runtimeConfig.reason === "missing")
-        return `missing vault runtime/config (${agent})`;
-    return `vault runtime/config unavailable (${compactRuntimeConfigError(agent, runtimeConfig.error)})`;
+        return `missing vault ${itemName} (${agent})`;
+    return `vault ${itemName} unavailable (${compactRuntimeConfigError(agent, runtimeConfig.error)})`;
 }
-function senseFactsFromRuntimeConfig(agent, senses, runtimeConfig) {
+function senseFactsFromRuntimeConfig(agent, senses, runtimeConfig, machineRuntimeConfig = (0, runtime_credentials_1.readMachineRuntimeCredentialConfig)(agent)) {
     const base = {
         cli: { configured: true, detail: "local interactive terminal" },
         teams: { configured: false, detail: "not enabled in agent.json" },
@@ -120,8 +122,9 @@ function senseFactsFromRuntimeConfig(agent, senses, runtimeConfig) {
     const unavailableDetail = runtimeConfigUnavailableDetail(agent, runtimeConfig);
     const teams = payload.teams;
     const teamsChannel = payload.teamsChannel;
-    const bluebubbles = payload.bluebubbles;
-    const bluebubblesChannel = payload.bluebubblesChannel;
+    const machinePayload = machineRuntimeConfig.ok ? machineRuntimeConfig.config : {};
+    const bluebubbles = machinePayload.bluebubbles;
+    const bluebubblesChannel = machinePayload.bluebubblesChannel;
     if (senses.teams.enabled) {
         const missing = [];
         if (!textField(teams, "clientId"))
@@ -137,7 +140,9 @@ function senseFactsFromRuntimeConfig(agent, senses, runtimeConfig) {
             }
             : {
                 configured: false,
-                detail: runtimeConfig.ok ? `missing ${missing.join("/")}` : unavailableDetail,
+                detail: runtimeConfig.ok
+                    ? `missing ${missing.join("/")}`
+                    : unavailableDetail,
             };
     }
     if (senses.bluebubbles.enabled) {
@@ -153,7 +158,12 @@ function senseFactsFromRuntimeConfig(agent, senses, runtimeConfig) {
             }
             : {
                 configured: false,
-                detail: runtimeConfig.ok ? `missing ${missing.join("/")}` : unavailableDetail,
+                optional: !machineRuntimeConfig.ok && machineRuntimeConfig.reason === "missing",
+                detail: !machineRuntimeConfig.ok && machineRuntimeConfig.reason === "missing"
+                    ? "not attached on this machine"
+                    : machineRuntimeConfig.ok
+                        ? `missing ${missing.join("/")}`
+                        : runtimeConfigUnavailableDetail(agent, machineRuntimeConfig),
             };
     }
     return base;
@@ -162,7 +172,10 @@ function senseRepairHint(agent, sense) {
     if (sense === "teams") {
         return `Run 'ouro vault config set --agent ${agent} --key teams.clientId', teams.clientSecret, and teams.tenantId; then run 'ouro up' again.`;
     }
-    return `Run 'ouro vault config set --agent ${agent} --key bluebubbles.serverUrl' and bluebubbles.password; then run 'ouro up' again.`;
+    return `Run 'ouro connect bluebubbles --agent ${agent}' to attach BlueBubbles on this machine; then run 'ouro up' again.`;
+}
+function currentMachineId() {
+    return (0, machine_identity_1.loadOrCreateMachineIdentity)({ homeDir: os.homedir() }).machineId;
 }
 function parseSenseSnapshotName(name) {
     const parts = name.split(":");
@@ -240,7 +253,7 @@ class DaemonSenseManager {
         this.bundlesRoot = bundlesRoot;
         this.contexts = new Map(options.agents.map((agent) => {
             const senses = readAgentSenses(path.join(bundlesRoot, `${agent}.ouro`, "agent.json"));
-            const facts = senseFactsFromRuntimeConfig(agent, senses, (0, runtime_credentials_1.readRuntimeCredentialConfig)(agent));
+            const facts = senseFactsFromRuntimeConfig(agent, senses, (0, runtime_credentials_1.readRuntimeCredentialConfig)(agent), (0, runtime_credentials_1.readMachineRuntimeCredentialConfig)(agent));
             return [agent, { senses, facts }];
         }));
         const managedSenseAgents = [...this.contexts.entries()].flatMap(([agent, context]) => {
@@ -264,10 +277,20 @@ class DaemonSenseManager {
                 if (!context)
                     return { ok: true };
                 const refreshed = await (0, runtime_credentials_1.refreshRuntimeCredentialConfig)(parsed.agent, { preserveCachedOnFailure: true });
-                context.facts = senseFactsFromRuntimeConfig(parsed.agent, context.senses, refreshed);
+                const machineRefreshed = parsed.sense === "bluebubbles"
+                    ? await (0, runtime_credentials_1.refreshMachineRuntimeCredentialConfig)(parsed.agent, currentMachineId(), { preserveCachedOnFailure: true })
+                    : (0, runtime_credentials_1.readMachineRuntimeCredentialConfig)(parsed.agent);
+                context.facts = senseFactsFromRuntimeConfig(parsed.agent, context.senses, refreshed, machineRefreshed);
                 const fact = context.facts[parsed.sense];
                 if (fact.configured)
                     return { ok: true };
+                if (fact.optional) {
+                    return {
+                        ok: false,
+                        skip: true,
+                        error: `${parsed.sense} is enabled for ${parsed.agent} but not attached on this machine`,
+                    };
+                }
                 return {
                     ok: false,
                     error: `${parsed.sense} is enabled for ${parsed.agent} but runtime credentials are not ready: ${fact.detail}`,
@@ -309,7 +332,7 @@ class DaemonSenseManager {
             runtime.set(parsed.agent, current);
         }
         const rows = [...this.contexts.entries()].flatMap(([agent, context]) => {
-            context.facts = senseFactsFromRuntimeConfig(agent, context.senses, (0, runtime_credentials_1.readRuntimeCredentialConfig)(agent));
+            context.facts = senseFactsFromRuntimeConfig(agent, context.senses, (0, runtime_credentials_1.readRuntimeCredentialConfig)(agent), (0, runtime_credentials_1.readMachineRuntimeCredentialConfig)(agent));
             const blueBubblesRuntimeFacts = readBlueBubblesRuntimeFacts(agent, this.bundlesRoot, runtime.get(agent)?.bluebubbles);
             const runtimeInfo = {
                 cli: { configured: true },
@@ -319,6 +342,7 @@ class DaemonSenseManager {
                 },
                 bluebubbles: {
                     configured: context.facts.bluebubbles.configured,
+                    optional: context.facts.bluebubbles.optional,
                     ...blueBubblesRuntimeFacts,
                 },
             };

package/dist/heart/hatch/specialist-prompt.js

@@ -92,8 +92,8 @@ function buildSpecialistSystemPrompt(soulText, identityText, existingBundles, co
         "- `read_file`: Read a file from disk. Useful for reviewing existing agent bundles or migration sources.",
         "- `list_directory`: List directory contents. Useful for exploring existing agent bundles.",
         "- I also have the normal local harness tools when useful here, including `shell`, `ouro task create`, `ouro reminder create`, note tools, coding tools, and repo helpers.",
-        "- `complete_adoption`: Finalize the bundle. Validates, asks the harness to collect the hatchling vault unlock secret through a hidden terminal prompt, scaffolds structural dirs, moves to ~/AgentBundles/, writes secrets, plays hatch animation. I call this with `name` (PascalCase) and `handoff_message` (warm message for the human).",
-        "- The complete_adoption tool triggers a hidden terminal prompt for the hatchling vault unlock secret. I must never ask the human to type the vault unlock secret into chat, and I must never include it in tool arguments.",
+        "- `complete_adoption`: Finalize the bundle. Validates, asks the harness to collect and confirm the hatchling vault unlock secret through hidden terminal prompts, scaffolds structural dirs, moves to ~/AgentBundles/, writes secrets, plays hatch animation. I call this with `name` (PascalCase) and `handoff_message` (warm message for the human).",
+        "- The complete_adoption tool triggers hidden terminal prompts for the hatchling vault unlock secret. I must never ask the human to type the vault unlock secret into chat, and I must never include it in tool arguments.",
         "- `settle`: End the conversation with a final message. I call this after complete_adoption succeeds.",
         "",
         "I must call `settle` when I am done to end the session cleanly.",

package/dist/heart/hatch/specialist-tools.js

@@ -174,14 +174,16 @@ async function execCompleteAdoption(args, deps) {
     const vault = (0, identity_1.resolveVaultConfig)(name);
     let vaultUnlockSecret;
     try {
-        vaultUnlockSecret = (await deps.promptSecret(`Choose Ouro vault unlock secret for ${vault.email}: `)).trim();
+        vaultUnlockSecret = await (0, vault_unlock_1.promptConfirmedVaultUnlockSecret)({
+            promptSecret: deps.promptSecret,
+            question: `Choose Ouro vault unlock secret for ${vault.email}: `,
+            confirmQuestion: `Confirm Ouro vault unlock secret for ${vault.email}: `,
+            emptyError: "hatchling vault creation requires an unlock secret. Re-run `ouro hatch` in an interactive terminal and enter a human-chosen unlock secret.",
+        });
     }
     catch (error) {
         return `error: failed to read hatchling vault unlock secret: ${error instanceof Error ? error.message : /* v8 ignore next -- defensive: non-Error catch branch @preserve */ String(error)}`;
     }
-    if (!vaultUnlockSecret) {
-        return "error: hatchling vault creation requires an unlock secret. Re-run `ouro hatch` in an interactive terminal and enter a human-chosen unlock secret.";
-    }
     // Scaffold structural dirs into tempDir
     scaffoldBundle(deps.tempDir);
     // Move tempDir -> final bundle location

package/dist/heart/runtime-credentials.js

@@ -33,18 +33,25 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.RUNTIME_CONFIG_ITEM_NAME = void 0;
+exports.MACHINE_RUNTIME_CONFIG_ITEM_PREFIX = exports.RUNTIME_CONFIG_ITEM_NAME = void 0;
+exports.machineRuntimeConfigItemName = machineRuntimeConfigItemName;
 exports.readRuntimeCredentialConfig = readRuntimeCredentialConfig;
+exports.readMachineRuntimeCredentialConfig = readMachineRuntimeCredentialConfig;
 exports.cacheRuntimeCredentialConfig = cacheRuntimeCredentialConfig;
+exports.cacheMachineRuntimeCredentialConfig = cacheMachineRuntimeCredentialConfig;
 exports.refreshRuntimeCredentialConfig = refreshRuntimeCredentialConfig;
+exports.refreshMachineRuntimeCredentialConfig = refreshMachineRuntimeCredentialConfig;
 exports.upsertRuntimeCredentialConfig = upsertRuntimeCredentialConfig;
+exports.upsertMachineRuntimeCredentialConfig = upsertMachineRuntimeCredentialConfig;
 exports.resetRuntimeCredentialConfigCache = resetRuntimeCredentialConfigCache;
 const crypto = __importStar(require("node:crypto"));
 const runtime_1 = require("../nerves/runtime");
 const credential_access_1 = require("../repertoire/credential-access");
 const identity_1 = require("./identity");
 exports.RUNTIME_CONFIG_ITEM_NAME = "runtime/config";
+exports.MACHINE_RUNTIME_CONFIG_ITEM_PREFIX = "runtime/machines";
 let cachedRuntimeConfigs = new Map();
+let cachedMachineRuntimeConfigs = new Map();
 function isRecord(value) {
     return !!value && typeof value === "object" && !Array.isArray(value);
 }
@@ -56,8 +63,14 @@ function stableJson(value) {
     }
     return JSON.stringify(value);
 }
-function runtimeConfigVaultPath(agentName) {
-    return `vault:${agentName}:${exports.RUNTIME_CONFIG_ITEM_NAME}`;
+function runtimeConfigVaultPath(agentName, itemName = exports.RUNTIME_CONFIG_ITEM_NAME) {
+    return `vault:${agentName}:${itemName}`;
+}
+function machineRuntimeConfigItemName(machineId) {
+    const normalized = machineId.trim();
+    if (!normalized)
+        throw new Error("machineId must be non-empty");
+    return `${exports.MACHINE_RUNTIME_CONFIG_ITEM_PREFIX}/${normalized}/config`;
 }
 function runtimeConfigRevision(payload) {
     return `runtime_${crypto
@@ -89,21 +102,45 @@ function resultFromPayload(agentName, payload) {
         updatedAt: payload.updatedAt,
     };
 }
-function missingRuntimeConfig(agentName) {
+function resultFromPayloadForItem(agentName, itemName, payload) {
+    return {
+        ok: true,
+        itemPath: runtimeConfigVaultPath(agentName, itemName),
+        config: { ...payload.config },
+        revision: runtimeConfigRevision(payload),
+        updatedAt: payload.updatedAt,
+    };
+}
+function missingRuntimeConfig(agentName, itemName = exports.RUNTIME_CONFIG_ITEM_NAME) {
     return {
         ok: false,
         reason: "missing",
-        itemPath: runtimeConfigVaultPath(agentName),
-        error: `no runtime credentials stored at ${runtimeConfigVaultPath(agentName)}`,
+        itemPath: runtimeConfigVaultPath(agentName, itemName),
+        error: `no runtime credentials stored at ${runtimeConfigVaultPath(agentName, itemName)}`,
     };
 }
 function cacheResult(agentName, result) {
     cachedRuntimeConfigs.set(agentName, result);
     return result;
 }
+function cacheMachineResult(agentName, result) {
+    cachedMachineRuntimeConfigs.set(agentName, result);
+    return result;
+}
+function missingMachineRuntimeConfig(agentName) {
+    return {
+        ok: false,
+        reason: "missing",
+        itemPath: `vault:${agentName}:${exports.MACHINE_RUNTIME_CONFIG_ITEM_PREFIX}/<this-machine>/config`,
+        error: `no machine runtime credentials loaded for ${agentName}`,
+    };
+}
 function readRuntimeCredentialConfig(agentName = (0, identity_1.getAgentName)()) {
     return cachedRuntimeConfigs.get(agentName) ?? missingRuntimeConfig(agentName);
 }
+function readMachineRuntimeCredentialConfig(agentName = (0, identity_1.getAgentName)()) {
+    return cachedMachineRuntimeConfigs.get(agentName) ?? missingMachineRuntimeConfig(agentName);
+}
 function cacheRuntimeCredentialConfig(agentName, config, now = new Date()) {
     const payload = {
         schemaVersion: 1,
@@ -113,24 +150,35 @@ function cacheRuntimeCredentialConfig(agentName, config, now = new Date()) {
     };
     return cacheResult(agentName, resultFromPayload(agentName, payload));
 }
-async function refreshRuntimeCredentialConfig(agentName, options = {}) {
+function cacheMachineRuntimeCredentialConfig(agentName, config, now = new Date(), machineId = "<this-machine>") {
+    const payload = {
+        schemaVersion: 1,
+        kind: "runtime-config",
+        updatedAt: now.toISOString(),
+        config: { ...config },
+    };
+    return cacheMachineResult(agentName, resultFromPayloadForItem(agentName, machineRuntimeConfigItemName(machineId), payload));
+}
+async function refreshRuntimeCredentialConfigItem(agentName, itemName, cache, options = {}) {
     try {
         const store = (0, credential_access_1.getCredentialStore)(agentName);
-        const raw = await store.getRawSecret(exports.RUNTIME_CONFIG_ITEM_NAME, "password");
+        const raw = await store.getRawSecret(itemName, "password");
         const payload = validateRuntimeCredentialPayload(JSON.parse(raw));
-        const result = resultFromPayload(agentName, payload);
+        const result = resultFromPayloadForItem(agentName, itemName, payload);
         (0, runtime_1.emitNervesEvent)({
             component: "config/identity",
             event: "config.runtime_credentials_loaded",
             message: "loaded runtime credentials from vault",
             meta: { agentName, itemPath: result.itemPath, revision: result.revision },
         });
-        return cacheResult(agentName, result);
+        return cache(agentName, result);
     }
     catch (error) {
         const message = error instanceof Error ? error.message : String(error);
-        const cached = cachedRuntimeConfigs.get(agentName);
-        const reason = message.includes(`no credential found for domain "${exports.RUNTIME_CONFIG_ITEM_NAME}"`)
+        const existing = cache === cacheMachineResult
+            ? cachedMachineRuntimeConfigs.get(agentName)
+            : cachedRuntimeConfigs.get(agentName);
+        const reason = message.includes(`no credential found for domain "${itemName}"`)
             ? "missing"
             : message.includes("runtime credential payload")
                 ? "invalid"
@@ -138,8 +186,8 @@ async function refreshRuntimeCredentialConfig(agentName, options = {}) {
         const result = {
             ok: false,
             reason,
-            itemPath: runtimeConfigVaultPath(agentName),
-            error: reason === "missing" ? `no runtime credentials stored at ${runtimeConfigVaultPath(agentName)}` : message,
+            itemPath: runtimeConfigVaultPath(agentName, itemName),
+            error: reason === "missing" ? `no runtime credentials stored at ${runtimeConfigVaultPath(agentName, itemName)}` : message,
         };
         (0, runtime_1.emitNervesEvent)({
             level: reason === "missing" ? "warn" : "error",
@@ -148,11 +196,17 @@ async function refreshRuntimeCredentialConfig(agentName, options = {}) {
             message: "runtime credentials unavailable",
             meta: { agentName, reason, itemPath: result.itemPath },
         });
-        if (options.preserveCachedOnFailure && cached?.ok)
-            return cached;
-        return cacheResult(agentName, result);
+        if (options.preserveCachedOnFailure && existing?.ok)
+            return existing;
+        return cache(agentName, result);
     }
 }
+async function refreshRuntimeCredentialConfig(agentName, options = {}) {
+    return refreshRuntimeCredentialConfigItem(agentName, exports.RUNTIME_CONFIG_ITEM_NAME, cacheResult, options);
+}
+async function refreshMachineRuntimeCredentialConfig(agentName, machineId, options = {}) {
+    return refreshRuntimeCredentialConfigItem(agentName, machineRuntimeConfigItemName(machineId), cacheMachineResult, options);
+}
 async function upsertRuntimeCredentialConfig(agentName, config, now = new Date()) {
     const payload = {
         schemaVersion: 1,
@@ -176,6 +230,31 @@ async function upsertRuntimeCredentialConfig(agentName, config, now = new Date()
     cacheResult(agentName, result);
     return result;
 }
+async function upsertMachineRuntimeCredentialConfig(agentName, machineId, config, now = new Date()) {
+    const payload = {
+        schemaVersion: 1,
+        kind: "runtime-config",
+        updatedAt: now.toISOString(),
+        config: { ...config },
+    };
+    const itemName = machineRuntimeConfigItemName(machineId);
+    const store = (0, credential_access_1.getCredentialStore)(agentName);
+    await store.store(itemName, {
+        username: itemName,
+        password: JSON.stringify(payload),
+        notes: "Ouro machine-local runtime credentials for senses attached to one machine. Portable runtime credentials live in runtime/config.",
+    });
+    const result = resultFromPayloadForItem(agentName, itemName, payload);
+    (0, runtime_1.emitNervesEvent)({
+        component: "config/identity",
+        event: "config.runtime_credentials_upserted",
+        message: "upserted machine runtime credential config in vault",
+        meta: { agentName, itemPath: result.itemPath, revision: result.revision },
+    });
+    cacheMachineResult(agentName, result);
+    return result;
+}
 function resetRuntimeCredentialConfigCache() {
     cachedRuntimeConfigs = new Map();
+    cachedMachineRuntimeConfigs = new Map();
 }

package/dist/heart/sense-truth.js

@@ -28,6 +28,9 @@ function resolveStatus(enabled, daemonManaged, runtimeInfo) {
     if (runtimeInfo?.runtime === "running") {
         return "running";
     }
+    if (runtimeInfo?.configured === false && runtimeInfo.optional) {
+        return "not_attached";
+    }
     if (runtimeInfo?.configured === false) {
         return "needs_config";
     }

package/dist/heart/turn-context.js

@@ -162,7 +162,7 @@ function readSenseStatusLines() {
         },
         {
             label: "BlueBubbles",
-            status: !senses.bluebubbles.enabled ? "disabled" : configured.bluebubbles ? "ready" : "needs_config",
+            status: !senses.bluebubbles.enabled ? "disabled" : configured.bluebubbles ? "ready" : "not_attached",
         },
     ];
     return rows.map((row) => `- ${row.label}: ${row.status}`);

package/dist/mind/prompt.js

@@ -433,7 +433,7 @@ function localSenseStatusLines() {
         },
         {
             label: "BlueBubbles",
-            status: !senses.bluebubbles.enabled ? "disabled" : configured.bluebubbles ? "ready" : "needs_config",
+            status: !senses.bluebubbles.enabled ? "disabled" : configured.bluebubbles ? "ready" : "not_attached",
         },
     ];
     _senseStatusLinesCache = rows.map((row) => `- ${row.label}: ${row.status}`);
@@ -446,12 +446,13 @@ function senseRuntimeGuidance(channel, preReadStatusLines) {
     lines.push("- interactive = available when opened by the user instead of kept running by the daemon");
     lines.push("- disabled = turned off in agent.json");
     lines.push("- needs_config = enabled but missing required vault runtime/config values");
+    lines.push("- not_attached = enabled globally but no local-machine attachment is configured here");
     lines.push("- ready = enabled and configured; `ouro up` should bring it online");
     lines.push("- running = enabled and currently active");
     lines.push("- error = enabled but unhealthy");
     lines.push("If asked how to enable another sense, I explain the relevant agent.json senses entry and required agent-vault runtime/config fields instead of guessing.");
     lines.push("teams setup truth: enable `senses.teams.enabled`, then store `teams.clientId`, `teams.clientSecret`, and `teams.tenantId` in the agent vault runtime/config item.");
-    lines.push("bluebubbles setup truth: enable `senses.bluebubbles.enabled`, then store `bluebubbles.serverUrl` and `bluebubbles.password` in the agent vault runtime/config item.");
+    lines.push("bluebubbles setup truth: run `ouro connect bluebubbles --agent <agent>`; it stores this machine's BlueBubbles URL/password/listener config in the agent vault machine runtime item.");
     if (channel === "cli") {
         lines.push("cli is interactive: it is available when the user opens it, not something `ouro up` daemonizes.");
     }

package/dist/repertoire/vault-unlock.js

@@ -37,6 +37,7 @@ exports.vaultUnlockReplaceRecoverFix = vaultUnlockReplaceRecoverFix;
 exports.credentialVaultNotConfiguredError = credentialVaultNotConfiguredError;
 exports.isCredentialVaultNotConfiguredError = isCredentialVaultNotConfiguredError;
 exports.vaultCreateRecoverFix = vaultCreateRecoverFix;
+exports.promptConfirmedVaultUnlockSecret = promptConfirmedVaultUnlockSecret;
 exports.resolveVaultUnlockStore = resolveVaultUnlockStore;
 exports.readVaultUnlockSecret = readVaultUnlockSecret;
 exports.storeVaultUnlockSecret = storeVaultUnlockSecret;
@@ -122,6 +123,35 @@ function vaultCreateRecoverFix(agentName, nextStep = "Then run 'ouro up' again."
         nextStep,
     ].join(" ");
 }
+function vaultUnlockSecretStrengthIssues(secret) {
+    const issues = [];
+    if (secret.length < 8)
+        issues.push("at least 8 characters");
+    if (!/[a-z]/.test(secret))
+        issues.push("a lowercase letter");
+    if (!/[A-Z]/.test(secret))
+        issues.push("an uppercase letter");
+    if (!/[0-9]/.test(secret))
+        issues.push("a number");
+    if (!/[^A-Za-z0-9]/.test(secret))
+        issues.push("a special character");
+    return issues;
+}
+async function promptConfirmedVaultUnlockSecret(input) {
+    const secret = (await input.promptSecret(input.question)).trim();
+    if (!secret) {
+        throw new Error(input.emptyError);
+    }
+    const issues = vaultUnlockSecretStrengthIssues(secret);
+    if (issues.length > 0) {
+        throw new Error(`vault unlock secret is too weak: add ${issues.join(", ")}. Use at least 8 characters with uppercase and lowercase letters, one number, and one special character.`);
+    }
+    const confirmation = (await input.promptSecret(input.confirmQuestion)).trim();
+    if (secret !== confirmation) {
+        throw new Error("vault unlock secrets did not match. Re-run the command and enter the same secret twice.");
+    }
+    return secret;
+}
 function lostUnlockSecretGuidance(config) {
     if (!config.agentName) {
         return "If nobody saved that unlock secret, run `ouro vault replace --agent <agent>` to create a new empty vault and re-enter credentials. If you do have a local JSON credential export, run `ouro vault recover --agent <agent> --from <json>` to import it.";