@ouro.bot/cli 0.1.0-alpha.41 → 0.1.0-alpha.411

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (334) hide show
  1. package/README.md +117 -15
  2. package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/agent.json +3 -2
  3. package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/SOUL.md +2 -2
  4. package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/the-serpent.md +1 -1
  5. package/changelog.json +2549 -8
  6. package/dist/arc/attention-types.js +8 -0
  7. package/dist/arc/cares.js +140 -0
  8. package/dist/arc/episodes.js +117 -0
  9. package/dist/arc/intentions.js +133 -0
  10. package/dist/arc/json-store.js +117 -0
  11. package/dist/arc/obligations.js +237 -0
  12. package/dist/arc/packets.js +193 -0
  13. package/dist/arc/presence.js +185 -0
  14. package/dist/arc/task-lifecycle.js +65 -0
  15. package/dist/heart/active-work.js +832 -0
  16. package/dist/heart/agent-entry.js +58 -3
  17. package/dist/heart/attachments/image-normalize.js +194 -0
  18. package/dist/heart/attachments/materialize.js +97 -0
  19. package/dist/heart/attachments/originals.js +88 -0
  20. package/dist/heart/attachments/render.js +29 -0
  21. package/dist/heart/attachments/sources/adapter.js +2 -0
  22. package/dist/heart/attachments/sources/bluebubbles.js +156 -0
  23. package/dist/heart/attachments/sources/cli-local-file.js +78 -0
  24. package/dist/heart/attachments/sources/index.js +16 -0
  25. package/dist/heart/attachments/store.js +103 -0
  26. package/dist/heart/attachments/types.js +93 -0
  27. package/dist/heart/auth/auth-flow.js +424 -0
  28. package/dist/heart/bridges/manager.js +358 -0
  29. package/dist/heart/bridges/state-machine.js +135 -0
  30. package/dist/heart/bridges/store.js +123 -0
  31. package/dist/heart/bundle-state.js +168 -0
  32. package/dist/heart/commitments.js +111 -0
  33. package/dist/heart/config-registry.js +304 -0
  34. package/dist/heart/config.js +110 -128
  35. package/dist/heart/core.js +801 -217
  36. package/dist/heart/cross-chat-delivery.js +131 -0
  37. package/dist/heart/daemon/agent-config-check.js +405 -0
  38. package/dist/heart/daemon/agent-discovery.js +79 -3
  39. package/dist/heart/daemon/agent-service.js +360 -0
  40. package/dist/heart/daemon/agentic-repair.js +214 -0
  41. package/dist/heart/daemon/bluebubbles-health-diagnostics.js +122 -0
  42. package/dist/heart/daemon/cadence.js +70 -0
  43. package/dist/heart/daemon/cli-defaults.js +599 -0
  44. package/dist/heart/daemon/cli-exec.js +3962 -0
  45. package/dist/heart/daemon/cli-help.js +413 -0
  46. package/dist/heart/daemon/cli-parse.js +1151 -0
  47. package/dist/heart/daemon/cli-render-doctor.js +57 -0
  48. package/dist/heart/daemon/cli-render.js +561 -0
  49. package/dist/heart/daemon/cli-types.js +8 -0
  50. package/dist/heart/daemon/daemon-cli.js +28 -1582
  51. package/dist/heart/daemon/daemon-entry.js +356 -3
  52. package/dist/heart/daemon/daemon-health.js +141 -0
  53. package/dist/heart/daemon/daemon-runtime-sync.js +157 -12
  54. package/dist/heart/daemon/daemon-tombstone.js +236 -0
  55. package/dist/heart/daemon/daemon.js +684 -58
  56. package/dist/heart/daemon/doctor-types.js +8 -0
  57. package/dist/heart/daemon/doctor.js +427 -0
  58. package/dist/heart/daemon/health-monitor.js +79 -1
  59. package/dist/heart/daemon/hooks/agent-config-v2.js +33 -0
  60. package/dist/heart/daemon/hooks/bundle-meta.js +115 -1
  61. package/dist/heart/daemon/http-health-probe.js +80 -0
  62. package/dist/heart/daemon/inner-status.js +89 -0
  63. package/dist/heart/daemon/interactive-repair.js +307 -0
  64. package/dist/heart/daemon/launchd.js +46 -9
  65. package/dist/heart/daemon/log-tailer.js +82 -12
  66. package/dist/heart/daemon/logs-prune.js +105 -0
  67. package/dist/heart/daemon/message-router.js +2 -2
  68. package/dist/heart/daemon/os-cron-deps.js +134 -0
  69. package/dist/heart/daemon/ouro-bot-entry.js +4 -2
  70. package/dist/heart/daemon/ouro-entry.js +3 -1
  71. package/dist/heart/daemon/process-manager.js +214 -0
  72. package/dist/heart/daemon/provider-discovery.js +137 -0
  73. package/dist/heart/daemon/pulse.js +475 -0
  74. package/dist/heart/daemon/readiness-repair.js +250 -0
  75. package/dist/heart/daemon/run-hooks.js +2 -0
  76. package/dist/heart/daemon/runtime-logging.js +67 -16
  77. package/dist/heart/daemon/runtime-metadata.js +73 -0
  78. package/dist/heart/daemon/runtime-mode.js +67 -0
  79. package/dist/heart/daemon/safe-mode.js +161 -0
  80. package/dist/heart/daemon/sense-manager.js +145 -32
  81. package/dist/heart/daemon/session-id-resolver.js +131 -0
  82. package/dist/heart/daemon/skill-management-installer.js +94 -0
  83. package/dist/heart/daemon/socket-client.js +307 -0
  84. package/dist/heart/daemon/stale-bundle-prune.js +96 -0
  85. package/dist/heart/daemon/startup-tui.js +237 -0
  86. package/dist/heart/daemon/task-scheduler.js +3 -25
  87. package/dist/heart/daemon/thoughts.js +510 -0
  88. package/dist/heart/daemon/up-progress.js +135 -0
  89. package/dist/heart/delegation.js +62 -0
  90. package/dist/heart/habits/habit-migration.js +181 -0
  91. package/dist/heart/habits/habit-parser.js +140 -0
  92. package/dist/heart/habits/habit-scheduler.js +371 -0
  93. package/dist/heart/{daemon → hatch}/hatch-flow.js +53 -117
  94. package/dist/heart/{daemon → hatch}/hatch-specialist.js +3 -3
  95. package/dist/heart/{daemon → hatch}/specialist-prompt.js +12 -9
  96. package/dist/heart/{daemon → hatch}/specialist-tools.js +35 -12
  97. package/dist/heart/identity.js +161 -65
  98. package/dist/heart/kept-notes.js +357 -0
  99. package/dist/heart/kicks.js +1 -1
  100. package/dist/heart/machine-identity.js +161 -0
  101. package/dist/heart/mcp/mcp-server.js +653 -0
  102. package/dist/heart/migrate-config.js +100 -0
  103. package/dist/heart/model-capabilities.js +59 -0
  104. package/dist/heart/outlook/outlook-http-hooks.js +64 -0
  105. package/dist/heart/outlook/outlook-http-response.js +7 -0
  106. package/dist/heart/outlook/outlook-http-routes.js +232 -0
  107. package/dist/heart/outlook/outlook-http-static.js +99 -0
  108. package/dist/heart/outlook/outlook-http-transport.js +116 -0
  109. package/dist/heart/outlook/outlook-http.js +99 -0
  110. package/dist/heart/outlook/outlook-read.js +28 -0
  111. package/dist/heart/outlook/outlook-types.js +27 -0
  112. package/dist/heart/outlook/outlook-view.js +195 -0
  113. package/dist/heart/outlook/readers/agent-machine.js +359 -0
  114. package/dist/heart/outlook/readers/continuity-readers.js +332 -0
  115. package/dist/heart/outlook/readers/runtime-readers.js +660 -0
  116. package/dist/heart/outlook/readers/sessions.js +232 -0
  117. package/dist/heart/outlook/readers/shared.js +111 -0
  118. package/dist/heart/platform.js +81 -0
  119. package/dist/heart/progress-story.js +42 -0
  120. package/dist/heart/provider-attempt.js +133 -0
  121. package/dist/heart/provider-binding-resolver.js +239 -0
  122. package/dist/heart/provider-credentials.js +386 -0
  123. package/dist/heart/provider-failover.js +266 -0
  124. package/dist/heart/provider-models.js +81 -0
  125. package/dist/heart/provider-ping.js +237 -0
  126. package/dist/heart/provider-state.js +216 -0
  127. package/dist/heart/provider-visibility.js +186 -0
  128. package/dist/heart/providers/anthropic-token.js +131 -0
  129. package/dist/heart/providers/anthropic.js +193 -55
  130. package/dist/heart/providers/azure.js +103 -12
  131. package/dist/heart/providers/error-classification.js +63 -0
  132. package/dist/heart/providers/github-copilot.js +145 -0
  133. package/dist/heart/providers/minimax-vlm.js +189 -0
  134. package/dist/heart/providers/minimax.js +29 -7
  135. package/dist/heart/providers/openai-codex.js +39 -29
  136. package/dist/heart/runtime-credentials.js +260 -0
  137. package/dist/heart/sense-truth.js +3 -0
  138. package/dist/heart/session-activity.js +190 -0
  139. package/dist/heart/session-events.js +855 -0
  140. package/dist/heart/session-transcript.js +167 -0
  141. package/dist/heart/start-of-turn-packet.js +345 -0
  142. package/dist/heart/streaming.js +36 -27
  143. package/dist/heart/sync.js +332 -0
  144. package/dist/heart/target-resolution.js +127 -0
  145. package/dist/heart/tempo.js +93 -0
  146. package/dist/heart/temporal-view.js +41 -0
  147. package/dist/heart/tool-activity-callbacks.js +36 -0
  148. package/dist/heart/tool-description.js +135 -0
  149. package/dist/heart/tool-friction.js +55 -0
  150. package/dist/heart/tool-loop.js +200 -0
  151. package/dist/heart/turn-context.js +351 -0
  152. package/dist/heart/turn-coordinator.js +28 -0
  153. package/dist/heart/{daemon → versioning}/ouro-bot-global-installer.js +1 -1
  154. package/dist/heart/{daemon → versioning}/ouro-bot-wrapper.js +1 -1
  155. package/dist/heart/versioning/ouro-path-installer.js +301 -0
  156. package/dist/heart/versioning/ouro-version-manager.js +295 -0
  157. package/dist/heart/{daemon → versioning}/staged-restart.js +40 -8
  158. package/dist/heart/{daemon → versioning}/update-checker.js +3 -1
  159. package/dist/heart/{daemon → versioning}/update-hooks.js +63 -59
  160. package/dist/mind/bundle-manifest.js +7 -1
  161. package/dist/mind/context.js +134 -87
  162. package/dist/mind/diary-integrity.js +60 -0
  163. package/dist/mind/{memory.js → diary.js} +74 -93
  164. package/dist/mind/embedding-provider.js +60 -0
  165. package/dist/mind/file-state.js +179 -0
  166. package/dist/mind/first-impressions.js +14 -1
  167. package/dist/mind/friends/channel.js +21 -0
  168. package/dist/mind/friends/group-context.js +144 -0
  169. package/dist/mind/friends/resolver.js +38 -1
  170. package/dist/mind/friends/store-file.js +39 -3
  171. package/dist/mind/friends/trust-explanation.js +74 -0
  172. package/dist/mind/friends/types.js +1 -1
  173. package/dist/mind/journal-index.js +161 -0
  174. package/dist/mind/note-search.js +268 -0
  175. package/dist/mind/obligation-steering.js +221 -0
  176. package/dist/mind/pending.js +66 -7
  177. package/dist/mind/prompt-refresh.js +3 -2
  178. package/dist/mind/prompt.js +948 -168
  179. package/dist/mind/provenance-trust.js +26 -0
  180. package/dist/mind/scrutiny.js +173 -0
  181. package/dist/nerves/cli-logging.js +7 -1
  182. package/dist/nerves/coverage/audit-rules.js +15 -6
  183. package/dist/nerves/coverage/audit.js +28 -2
  184. package/dist/nerves/coverage/cli.js +1 -1
  185. package/dist/nerves/coverage/contract.js +5 -5
  186. package/dist/nerves/coverage/file-completeness.js +83 -5
  187. package/dist/nerves/coverage/run-artifacts.js +1 -1
  188. package/dist/nerves/event-buffer.js +111 -0
  189. package/dist/nerves/index.js +224 -4
  190. package/dist/nerves/observation.js +20 -0
  191. package/dist/nerves/redact.js +79 -0
  192. package/dist/nerves/runtime.js +5 -1
  193. package/dist/outlook-ui/assets/index-BAcU08c-.css +1 -0
  194. package/dist/outlook-ui/assets/index-D7l3l4vY.js +61 -0
  195. package/dist/outlook-ui/index.html +15 -0
  196. package/dist/repertoire/ado-client.js +15 -56
  197. package/dist/repertoire/ado-semantic.js +11 -10
  198. package/dist/repertoire/api-client.js +97 -0
  199. package/dist/repertoire/bitwarden-store.js +563 -0
  200. package/dist/repertoire/bundle-templates.js +72 -0
  201. package/dist/repertoire/bw-installer.js +79 -0
  202. package/dist/repertoire/coding/codex-jsonl.js +64 -0
  203. package/dist/repertoire/coding/context-pack.js +330 -0
  204. package/dist/repertoire/coding/feedback.js +197 -30
  205. package/dist/repertoire/coding/manager.js +158 -9
  206. package/dist/repertoire/coding/spawner.js +55 -9
  207. package/dist/repertoire/coding/tools.js +170 -7
  208. package/dist/repertoire/commerce-errors.js +109 -0
  209. package/dist/repertoire/commerce-self-test.js +156 -0
  210. package/dist/repertoire/credential-access.js +111 -0
  211. package/dist/repertoire/duffel-client.js +185 -0
  212. package/dist/repertoire/github-client.js +14 -55
  213. package/dist/repertoire/graph-client.js +11 -52
  214. package/dist/repertoire/guardrails.js +371 -0
  215. package/dist/repertoire/mcp-client.js +255 -0
  216. package/dist/repertoire/mcp-manager.js +305 -0
  217. package/dist/repertoire/mcp-tools.js +63 -0
  218. package/dist/repertoire/shell-sessions.js +133 -0
  219. package/dist/repertoire/skills.js +15 -24
  220. package/dist/repertoire/stripe-client.js +131 -0
  221. package/dist/repertoire/tasks/board.js +43 -5
  222. package/dist/repertoire/tasks/fix.js +182 -0
  223. package/dist/repertoire/tasks/index.js +26 -1
  224. package/dist/repertoire/tasks/lifecycle.js +2 -2
  225. package/dist/repertoire/tasks/parser.js +3 -2
  226. package/dist/repertoire/tasks/scanner.js +194 -37
  227. package/dist/repertoire/tasks/transitions.js +16 -78
  228. package/dist/repertoire/tool-results.js +29 -0
  229. package/dist/repertoire/tools-attachments.js +317 -0
  230. package/dist/repertoire/tools-base.js +42 -687
  231. package/dist/repertoire/tools-bluebubbles.js +1 -0
  232. package/dist/repertoire/tools-bridge.js +141 -0
  233. package/dist/repertoire/tools-bundle.js +984 -0
  234. package/dist/repertoire/tools-config.js +185 -0
  235. package/dist/repertoire/tools-continuity.js +248 -0
  236. package/dist/repertoire/tools-credential.js +361 -0
  237. package/dist/repertoire/tools-files.js +342 -0
  238. package/dist/repertoire/tools-flight.js +224 -0
  239. package/dist/repertoire/tools-flow.js +105 -0
  240. package/dist/repertoire/tools-github.js +1 -7
  241. package/dist/repertoire/tools-notes.js +376 -0
  242. package/dist/repertoire/tools-session.js +739 -0
  243. package/dist/repertoire/tools-shell.js +120 -0
  244. package/dist/repertoire/tools-stripe.js +180 -0
  245. package/dist/repertoire/tools-surface.js +243 -0
  246. package/dist/repertoire/tools-teams.js +9 -39
  247. package/dist/repertoire/tools-travel.js +125 -0
  248. package/dist/repertoire/tools-user-profile.js +144 -0
  249. package/dist/repertoire/tools-vault.js +40 -0
  250. package/dist/repertoire/tools.js +144 -113
  251. package/dist/repertoire/travel-api-client.js +360 -0
  252. package/dist/repertoire/user-profile.js +131 -0
  253. package/dist/repertoire/vault-setup.js +246 -0
  254. package/dist/repertoire/vault-unlock.js +430 -0
  255. package/dist/scripts/claude-code-hook.js +41 -0
  256. package/dist/scripts/claude-code-stop-hook.js +47 -0
  257. package/dist/senses/attention-queue.js +116 -0
  258. package/dist/senses/bluebubbles/attachment-cache.js +53 -0
  259. package/dist/senses/bluebubbles/attachment-download.js +137 -0
  260. package/dist/senses/{bluebubbles-client.js → bluebubbles/client.js} +260 -9
  261. package/dist/senses/bluebubbles/entry.js +73 -0
  262. package/dist/senses/bluebubbles/inbound-log.js +113 -0
  263. package/dist/senses/bluebubbles/index.js +1620 -0
  264. package/dist/senses/{bluebubbles-media.js → bluebubbles/media.js} +121 -70
  265. package/dist/senses/{bluebubbles-model.js → bluebubbles/model.js} +33 -12
  266. package/dist/senses/{bluebubbles-mutation-log.js → bluebubbles/mutation-log.js} +45 -3
  267. package/dist/senses/bluebubbles/replay.js +129 -0
  268. package/dist/senses/bluebubbles/runtime-state.js +109 -0
  269. package/dist/senses/{bluebubbles-session-cleanup.js → bluebubbles/session-cleanup.js} +1 -1
  270. package/dist/senses/cli/bracketed-paste.js +82 -0
  271. package/dist/senses/cli/image-paste.js +287 -0
  272. package/dist/senses/cli/image-ref-navigation.js +75 -0
  273. package/dist/senses/cli/ink-app.js +156 -0
  274. package/dist/senses/cli/inline-diff.js +64 -0
  275. package/dist/senses/cli/input-keys.js +174 -0
  276. package/dist/senses/cli/kill-ring.js +86 -0
  277. package/dist/senses/cli/message-list.js +51 -0
  278. package/dist/senses/cli/ouro-tui.js +605 -0
  279. package/dist/senses/cli/spinner-imperative.js +135 -0
  280. package/dist/senses/cli/spinner.js +101 -0
  281. package/dist/senses/cli/status-line.js +60 -0
  282. package/dist/senses/cli/streaming-markdown.js +526 -0
  283. package/dist/senses/cli/tool-display.js +83 -0
  284. package/dist/senses/cli/tool-render.js +85 -0
  285. package/dist/senses/cli/tui-store.js +240 -0
  286. package/dist/senses/cli/virtual-list.js +35 -0
  287. package/dist/senses/cli-entry.js +60 -8
  288. package/dist/senses/cli-layout.js +187 -0
  289. package/dist/senses/cli.js +526 -211
  290. package/dist/senses/commands.js +66 -3
  291. package/dist/senses/continuity.js +94 -0
  292. package/dist/senses/habit-turn-message.js +108 -0
  293. package/dist/senses/inner-dialog-worker.js +112 -19
  294. package/dist/senses/inner-dialog.js +596 -94
  295. package/dist/senses/pipeline.js +539 -61
  296. package/dist/senses/proactive-content-guard.js +51 -0
  297. package/dist/senses/shared-turn.js +205 -0
  298. package/dist/senses/surface-tool.js +68 -0
  299. package/dist/senses/teams-entry.js +60 -8
  300. package/dist/senses/teams.js +569 -237
  301. package/dist/senses/trust-gate.js +5 -5
  302. package/package.json +29 -7
  303. package/skills/agent-commerce.md +106 -0
  304. package/skills/browser-navigation.md +117 -0
  305. package/skills/commerce-setup-guide.md +116 -0
  306. package/skills/commerce-setup.md +84 -0
  307. package/skills/configure-dev-tools.md +101 -0
  308. package/skills/travel-planning.md +138 -0
  309. package/dist/heart/daemon/ouro-path-installer.js +0 -178
  310. package/dist/heart/daemon/subagent-installer.js +0 -134
  311. package/dist/mind/associative-recall.js +0 -197
  312. package/dist/senses/bluebubbles-entry.js +0 -11
  313. package/dist/senses/bluebubbles.js +0 -832
  314. package/dist/senses/debug-activity.js +0 -127
  315. package/subagents/README.md +0 -60
  316. package/subagents/work-doer.md +0 -235
  317. package/subagents/work-merger.md +0 -618
  318. package/subagents/work-planner.md +0 -382
  319. /package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/basilisk.md +0 -0
  320. /package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/jafar.md +0 -0
  321. /package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/jormungandr.md +0 -0
  322. /package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/kaa.md +0 -0
  323. /package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/medusa.md +0 -0
  324. /package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/monty.md +0 -0
  325. /package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/nagini.md +0 -0
  326. /package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/ouroboros.md +0 -0
  327. /package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/python.md +0 -0
  328. /package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/quetzalcoatl.md +0 -0
  329. /package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/sir-hiss.md +0 -0
  330. /package/{AdoptionSpecialist.ouro → SerpentGuide.ouro}/psyche/identities/the-snake.md +0 -0
  331. /package/dist/heart/{daemon → hatch}/hatch-animation.js +0 -0
  332. /package/dist/heart/{daemon → hatch}/specialist-orchestrator.js +0 -0
  333. /package/dist/heart/{daemon → versioning}/ouro-uti.js +0 -0
  334. /package/dist/heart/{daemon → versioning}/wrapper-publish-guard.js +0 -0
package/dist/repertoire/bitwarden-store.js ADDED
@@ -0,0 +1,563 @@
1
+ "use strict";
2
+ /**
3
+ * Bitwarden CLI credential store — wraps `bw` CLI for the agent's own vault.
4
+ *
5
+ * This store authenticates directly as the agent using its own master password.
6
+ * The agent owns the vault, so no human-in-the-loop is needed.
7
+ *
8
+ * Requires the `bw` CLI to be installed. Session tokens are cached process-local.
9
+ */
10
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
11
+ if (k2 === undefined) k2 = k;
12
+ var desc = Object.getOwnPropertyDescriptor(m, k);
13
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
14
+ desc = { enumerable: true, get: function() { return m[k]; } };
15
+ }
16
+ Object.defineProperty(o, k2, desc);
17
+ }) : (function(o, m, k, k2) {
18
+ if (k2 === undefined) k2 = k;
19
+ o[k2] = m[k];
20
+ }));
21
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
22
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
23
+ }) : function(o, v) {
24
+ o["default"] = v;
25
+ });
26
+ var __importStar = (this && this.__importStar) || (function () {
27
+ var ownKeys = function(o) {
28
+ ownKeys = Object.getOwnPropertyNames || function (o) {
29
+ var ar = [];
30
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
31
+ return ar;
32
+ };
33
+ return ownKeys(o);
34
+ };
35
+ return function (mod) {
36
+ if (mod && mod.__esModule) return mod;
37
+ var result = {};
38
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
39
+ __setModuleDefault(result, mod);
40
+ return result;
41
+ };
42
+ })();
43
+ Object.defineProperty(exports, "__esModule", { value: true });
44
+ exports.BitwardenCredentialStore = void 0;
45
+ exports.sanitizeCredentialErrorDetail = sanitizeCredentialErrorDetail;
46
+ const node_child_process_1 = require("node:child_process");
47
+ const fs = __importStar(require("node:fs"));
48
+ const runtime_1 = require("../nerves/runtime");
49
+ const bw_installer_1 = require("./bw-installer");
50
+ const MAX_ERROR_DETAIL_LENGTH = 500;
51
+ const LONG_ENCODED_TOKEN_PATTERN = /[A-Za-z0-9+/=]{32,}/g;
52
+ function uniqueSecrets(secrets) {
53
+ return [...new Set(secrets.filter((value) => typeof value === "string" && value.length >= 4))].sort((left, right) => right.length - left.length);
54
+ }
55
+ function sanitizeCredentialErrorDetail(message, options = {}) {
56
+ const filtered = message
57
+ .split(/\r?\n/)
58
+ .filter((line) => {
59
+ const trimmed = line.trim();
60
+ if (trimmed.startsWith("Command failed:"))
61
+ return false;
62
+ if (trimmed.includes("[input is hidden]"))
63
+ return false;
64
+ return true;
65
+ })
66
+ .join("\n")
67
+ .trim();
68
+ let sanitized = filtered || "command failed";
69
+ for (const secret of uniqueSecrets(options.secrets ?? [])) {
70
+ sanitized = sanitized.split(secret).join("[redacted]");
71
+ }
72
+ sanitized = sanitized.replace(LONG_ENCODED_TOKEN_PATTERN, "[redacted]");
73
+ if (sanitized.replace(/\[redacted\]/g, "").trim().length === 0) {
74
+ return "command failed";
75
+ }
76
+ return sanitized.slice(0, MAX_ERROR_DETAIL_LENGTH);
77
+ }
78
+ // ---------------------------------------------------------------------------
79
+ // bw CLI wrapper
80
+ // ---------------------------------------------------------------------------
81
+ function isBwSessionUnavailableMessage(message) {
82
+ return (/master password/i.test(message) ||
83
+ /vault is locked/i.test(message) ||
84
+ /not logged in/i.test(message) ||
85
+ /session key/i.test(message) ||
86
+ /local bitwarden session/i.test(message));
87
+ }
88
+ function isBwInvalidUnlockSecretMessage(message) {
89
+ return /invalid master password/i.test(message) || /saved vault unlock secret/i.test(message);
90
+ }
91
+ function isBwTimeoutError(err) {
92
+ const timeoutErr = err;
93
+ const message = err.message.toLowerCase();
94
+ return (timeoutErr.code === "ETIMEDOUT" ||
95
+ timeoutErr.killed === true ||
96
+ timeoutErr.signal === "SIGTERM" ||
97
+ message.includes("timed out"));
98
+ }
99
+ function formatBwOperation(args) {
100
+ const [command, target] = args;
101
+ /* v8 ignore next -- defensive: all execBw call sites pass a concrete bw subcommand @preserve */
102
+ if (!command)
103
+ return "bw command";
104
+ return [command, target].filter(Boolean).join(" ");
105
+ }
106
+ function sanitizeBwErrorDetail(message) {
107
+ if (isBwInvalidUnlockSecretMessage(message)) {
108
+ return "bw CLI rejected the saved vault unlock secret for this machine";
109
+ }
110
+ if (isBwSessionUnavailableMessage(message)) {
111
+ return "bw CLI could not use the local Bitwarden session because it is locked, missing, or expired";
112
+ }
113
+ return sanitizeCredentialErrorDetail(message);
114
+ }
115
+ function formatBwCliError(err, stderr = "", args = []) {
116
+ const operation = formatBwOperation(args);
117
+ if (isBwTimeoutError(err)) {
118
+ return new Error(`bw CLI error: ${operation} timed out while waiting for a vault response`);
119
+ }
120
+ const detail = sanitizeBwErrorDetail(stderr.trim() || err.message);
121
+ if (detail === "command failed") {
122
+ return new Error(`bw CLI error: ${operation} failed without error detail`);
123
+ }
124
+ return new Error(`bw CLI error: ${detail}`);
125
+ }
126
+ function isBwSessionAuthError(err) {
127
+ return isBwSessionUnavailableMessage(err.message) || isBwInvalidUnlockSecretMessage(err.message);
128
+ }
129
+ function isBwConfigLogoutRequired(err) {
130
+ const message = err.message.toLowerCase();
131
+ return message.includes("logout") && message.includes("required");
132
+ }
133
+ function execBw(args, sessionToken, appDataDir, stdin) {
134
+ const env = {
135
+ ...process.env,
136
+ ...(sessionToken ? { BW_SESSION: sessionToken } : {}),
137
+ ...(appDataDir ? { BITWARDENCLI_APPDATA_DIR: appDataDir } : {}),
138
+ };
139
+ return new Promise((resolve, reject) => {
140
+ const child = (0, node_child_process_1.execFile)("bw", args, { timeout: 30_000, env }, (err, stdout, stderr) => {
141
+ if (err) {
142
+ if (isBwNotInstalled(err)) {
143
+ reject(new Error("bw CLI not found. Install from https://bitwarden.com/help/cli/"));
144
+ return;
145
+ }
146
+ reject(formatBwCliError(err, stderr, args));
147
+ return;
148
+ }
149
+ resolve(stdout);
150
+ });
151
+ if (stdin !== undefined) {
152
+ child?.stdin?.end(stdin);
153
+ }
154
+ });
155
+ }
156
+ /** Check if the error indicates the bw CLI binary is not installed. */
157
+ function isBwNotInstalled(err) {
158
+ const msg = err.message.toLowerCase();
159
+ const code = err.code;
160
+ return code === "ENOENT" || msg.includes("enoent") || msg.includes("not found") || msg.includes("command not found");
161
+ }
162
+ /** Check if the error is transient (network/timeout) and worth retrying. */
163
+ function isTransientError(err) {
164
+ const msg = err.message.toLowerCase();
165
+ return (msg.includes("econnrefused") ||
166
+ msg.includes("etimedout") ||
167
+ msg.includes("enotfound") ||
168
+ msg.includes("socket hang up") ||
169
+ msg.includes("503") ||
170
+ msg.includes("server unavailable"));
171
+ }
172
+ const MAX_RETRIES = 3;
173
+ const BASE_BACKOFF_MS = 1000;
174
+ function delay(ms) {
175
+ return new Promise((resolve) => setTimeout(resolve, ms));
176
+ }
177
+ function isBwLoginItem(value) {
178
+ if (!value || typeof value !== "object" || Array.isArray(value))
179
+ return false;
180
+ const item = value;
181
+ if (typeof item.id !== "string" || item.id.trim().length === 0)
182
+ return false;
183
+ if (typeof item.name !== "string" || item.name.trim().length === 0)
184
+ return false;
185
+ if (item.login !== undefined) {
186
+ if (!item.login || typeof item.login !== "object" || Array.isArray(item.login))
187
+ return false;
188
+ const login = item.login;
189
+ if (login.username !== undefined && typeof login.username !== "string")
190
+ return false;
191
+ if (login.password !== undefined && typeof login.password !== "string")
192
+ return false;
193
+ if (login.uris !== undefined) {
194
+ if (!Array.isArray(login.uris))
195
+ return false;
196
+ for (const uri of login.uris) {
197
+ if (!uri || typeof uri !== "object" || Array.isArray(uri))
198
+ return false;
199
+ const uriRecord = uri;
200
+ if (uriRecord.uri !== undefined && typeof uriRecord.uri !== "string")
201
+ return false;
202
+ }
203
+ }
204
+ }
205
+ if (item.notes !== undefined && item.notes !== null && typeof item.notes !== "string")
206
+ return false;
207
+ if (item.revisionDate !== undefined && typeof item.revisionDate !== "string")
208
+ return false;
209
+ return true;
210
+ }
211
+ function parseBwItems(stdout, context) {
212
+ let parsed;
213
+ try {
214
+ parsed = JSON.parse(stdout);
215
+ if (!Array.isArray(parsed)) {
216
+ throw new Error("expected item array");
217
+ }
218
+ const items = parsed;
219
+ if (!items.every(isBwLoginItem)) {
220
+ throw new Error("expected login items");
221
+ }
222
+ return items;
223
+ }
224
+ catch {
225
+ if (Array.isArray(parsed)) {
226
+ throw new Error(`bw CLI error: invalid item from ${context}`);
227
+ }
228
+ throw new Error(`bw CLI error: invalid JSON from ${context}`);
229
+ }
230
+ }
231
+ function parseBwItem(stdout, context) {
232
+ let parsed;
233
+ try {
234
+ parsed = JSON.parse(stdout);
235
+ if (!isBwLoginItem(parsed)) {
236
+ throw new Error("expected login item");
237
+ }
238
+ return parsed;
239
+ }
240
+ catch {
241
+ if (parsed !== undefined) {
242
+ throw new Error(`bw CLI error: invalid item from ${context}`);
243
+ }
244
+ throw new Error(`bw CLI error: invalid JSON from ${context}`);
245
+ }
246
+ }
247
+ function parseBwItemId(stdout) {
248
+ try {
249
+ const parsed = JSON.parse(stdout);
250
+ if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
251
+ return null;
252
+ const id = parsed.id;
253
+ return typeof id === "string" && id.trim().length > 0 ? id : null;
254
+ }
255
+ catch {
256
+ return null;
257
+ }
258
+ }
259
+ // ---------------------------------------------------------------------------
260
+ // BitwardenCredentialStore
261
+ // ---------------------------------------------------------------------------
262
+ class BitwardenCredentialStore {
263
+ serverUrl;
264
+ email;
265
+ masterPassword;
266
+ appDataDir;
267
+ sessionToken = null;
268
+ constructor(serverUrl, email, masterPassword, options = {}) {
269
+ this.serverUrl = serverUrl;
270
+ this.email = email;
271
+ this.masterPassword = masterPassword;
272
+ this.appDataDir = options.appDataDir;
273
+ }
274
+ isReady() {
275
+ return true;
276
+ }
277
+ /**
278
+ * Ensure the bw CLI is authenticated and unlocked.
279
+ * Handles three states: logged out → login, locked → unlock, already unlocked → no-op.
280
+ * Retries transient failures (network/timeout) up to MAX_RETRIES with exponential backoff.
281
+ */
282
+ async login() {
283
+ // Ensure bw CLI is installed before any bw commands
284
+ await (0, bw_installer_1.ensureBwCli)();
285
+ if (this.appDataDir) {
286
+ fs.mkdirSync(this.appDataDir, { recursive: true, mode: 0o700 });
287
+ }
288
+ let lastError;
289
+ for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
290
+ try {
291
+ await this.loginAttempt();
292
+ return;
293
+ }
294
+ catch (err) {
295
+ /* v8 ignore next -- defensive: loginAttempt always throws Error instances @preserve */
296
+ lastError = err instanceof Error ? err : new Error(String(err));
297
+ // Don't retry non-transient errors (auth failures, bw not installed)
298
+ if (!isTransientError(lastError)) {
299
+ throw lastError;
300
+ }
301
+ // Don't retry after final attempt
302
+ if (attempt === MAX_RETRIES - 1)
303
+ break;
304
+ const backoffMs = BASE_BACKOFF_MS * Math.pow(2, attempt);
305
+ (0, runtime_1.emitNervesEvent)({
306
+ event: "repertoire.bw_login_retry",
307
+ component: "repertoire",
308
+ message: `bw login attempt ${attempt + 1} failed, retrying in ${backoffMs}ms`,
309
+ meta: { attempt: attempt + 1, backoffMs, reason: lastError.message },
310
+ });
311
+ await delay(backoffMs);
312
+ }
313
+ }
314
+ throw lastError;
315
+ }
316
+ /** Single login attempt — called by login() retry loop. */
317
+ async loginAttempt() {
318
+ // Check current status
319
+ let status = {};
320
+ try {
321
+ const raw = await execBw(["status"], undefined, this.appDataDir);
322
+ status = JSON.parse(raw);
323
+ }
324
+ catch (err) {
325
+ // If bw CLI is not installed or a transient error, propagate it for retry
326
+ if (err instanceof Error && (isBwNotInstalled(err) || isTransientError(err))) {
327
+ throw err;
328
+ }
329
+ // CLI not configured or broken — proceed with full setup
330
+ }
331
+ // Configure server URL if needed (only works when logged out)
332
+ if (status.status === "unauthenticated" || !status.serverUrl) {
333
+ try {
334
+ await execBw(["config", "server", this.serverUrl], undefined, this.appDataDir);
335
+ }
336
+ catch (error) {
337
+ const err = error;
338
+ // "Logout required" means already logged in — that's fine, skip config.
339
+ if (!isBwConfigLogoutRequired(err)) {
340
+ throw err;
341
+ }
342
+ }
343
+ }
344
+ if (status.status === "locked") {
345
+ // Already logged in, just needs unlock
346
+ const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"], undefined, this.appDataDir);
347
+ this.sessionToken = unlockOutput.trim();
348
+ }
349
+ else if (status.status === "unauthenticated" || !status.status) {
350
+ // Not logged in — full login
351
+ const loginOutput = await execBw(["login", this.email, this.masterPassword, "--raw"], undefined, this.appDataDir);
352
+ try {
353
+ const parsed = JSON.parse(loginOutput);
354
+ this.sessionToken = parsed.access_token ?? loginOutput.trim();
355
+ }
356
+ catch {
357
+ this.sessionToken = loginOutput.trim();
358
+ }
359
+ }
360
+ else {
361
+ // Status is "unlocked" — already good, just need the session token
362
+ const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"], undefined, this.appDataDir);
363
+ this.sessionToken = unlockOutput.trim();
364
+ }
365
+ }
366
+ async ensureSession() {
367
+ if (!this.sessionToken) {
368
+ await this.login();
369
+ }
370
+ /* v8 ignore next -- defensive: login() always sets sessionToken on success @preserve */
371
+ return this.sessionToken ?? undefined;
372
+ }
373
+ async withSessionRetry(operation) {
374
+ let attemptedFreshSession = false;
375
+ while (true) {
376
+ const session = await this.ensureSession();
377
+ try {
378
+ return await operation(session);
379
+ }
380
+ catch (error) {
381
+ const err = error;
382
+ if (attemptedFreshSession || !isBwSessionAuthError(err)) {
383
+ throw err;
384
+ }
385
+ this.sessionToken = null;
386
+ attemptedFreshSession = true;
387
+ }
388
+ }
389
+ }
390
+ async get(domain) {
391
+ (0, runtime_1.emitNervesEvent)({
392
+ event: "repertoire.bw_credential_get_start",
393
+ component: "repertoire",
394
+ message: `getting credential via bw for ${domain}`,
395
+ meta: { domain, backend: "bitwarden" },
396
+ });
397
+ const item = await this.withSessionRetry((session) => this.findItemByDomain(domain, session));
398
+ if (!item) {
399
+ (0, runtime_1.emitNervesEvent)({
400
+ event: "repertoire.bw_credential_get_end",
401
+ component: "repertoire",
402
+ message: `no bw credential for ${domain}`,
403
+ meta: { domain, found: false, backend: "bitwarden" },
404
+ });
405
+ return null;
406
+ }
407
+ (0, runtime_1.emitNervesEvent)({
408
+ event: "repertoire.bw_credential_get_end",
409
+ component: "repertoire",
410
+ message: `bw credential found for ${domain}`,
411
+ meta: { domain, found: true, backend: "bitwarden" },
412
+ });
413
+ return {
414
+ domain: item.name,
415
+ username: item.login?.username,
416
+ notes: item.notes ?? undefined,
417
+ createdAt: item.revisionDate ?? new Date().toISOString(),
418
+ };
419
+ }
420
+ async getRawSecret(domain, field) {
421
+ const item = await this.withSessionRetry((session) => this.findItemByDomain(domain, session));
422
+ if (!item) {
423
+ throw new Error(`no credential found for domain "${domain}"`);
424
+ }
425
+ // Map common field names to bw item structure
426
+ let value;
427
+ if (field === "password") {
428
+ value = item.login?.password;
429
+ }
430
+ else if (field === "username") {
431
+ value = item.login?.username;
432
+ }
433
+ else {
434
+ value = item[field];
435
+ }
436
+ if (value === undefined || value === null) {
437
+ throw new Error(`field "${field}" not found for domain "${domain}"`);
438
+ }
439
+ return String(value);
440
+ }
441
+ async store(domain, data) {
442
+ (0, runtime_1.emitNervesEvent)({
443
+ event: "repertoire.bw_credential_store_start",
444
+ component: "repertoire",
445
+ message: `storing credential via bw for ${domain}`,
446
+ meta: { domain, backend: "bitwarden" },
447
+ });
448
+ await this.withSessionRetry(async (session) => {
449
+ const existing = await this.findItemByDomain(domain, session);
450
+ const item = {
451
+ ...(existing ?? {}),
452
+ type: 1, // Login type
453
+ name: domain,
454
+ login: {
455
+ username: data.username ?? "",
456
+ password: data.password,
457
+ uris: [{ match: null, uri: `https://${domain}` }],
458
+ },
459
+ notes: data.notes ?? null,
460
+ };
461
+ const encoded = Buffer.from(JSON.stringify(item)).toString("base64");
462
+ let savedItem;
463
+ if (existing) {
464
+ const stdout = await execBw(["edit", "item", existing.id], session, this.appDataDir, encoded);
465
+ const savedItemId = parseBwItemId(stdout) ?? existing.id;
466
+ savedItem = await this.findItemById(savedItemId, session);
467
+ }
468
+ else {
469
+ const stdout = await execBw(["create", "item"], session, this.appDataDir, encoded);
470
+ const savedItemId = parseBwItemId(stdout);
471
+ savedItem = savedItemId
472
+ ? await this.findItemById(savedItemId, session)
473
+ : await this.findItemByDomain(domain, session);
474
+ }
475
+ this.assertStoredCredentialMatches(domain, data, savedItem);
476
+ });
477
+ (0, runtime_1.emitNervesEvent)({
478
+ event: "repertoire.bw_credential_store_end",
479
+ component: "repertoire",
480
+ message: `credential stored via bw for ${domain}`,
481
+ meta: { domain, backend: "bitwarden" },
482
+ });
483
+ }
484
+ async list() {
485
+ (0, runtime_1.emitNervesEvent)({
486
+ event: "repertoire.bw_credential_list_start",
487
+ component: "repertoire",
488
+ message: "listing bw credentials",
489
+ meta: { backend: "bitwarden" },
490
+ });
491
+ const stdout = await this.withSessionRetry((session) => execBw(["list", "items"], session, this.appDataDir));
492
+ const items = parseBwItems(stdout, "bw list items");
493
+ const results = items.map((item) => ({
494
+ domain: item.name,
495
+ username: item.login?.username,
496
+ notes: item.notes ?? undefined,
497
+ createdAt: item.revisionDate ?? new Date().toISOString(),
498
+ }));
499
+ (0, runtime_1.emitNervesEvent)({
500
+ event: "repertoire.bw_credential_list_end",
501
+ component: "repertoire",
502
+ message: "bw credentials listed",
503
+ meta: { backend: "bitwarden", count: results.length },
504
+ });
505
+ return results;
506
+ }
507
+ async delete(domain) {
508
+ (0, runtime_1.emitNervesEvent)({
509
+ event: "repertoire.bw_credential_delete_start",
510
+ component: "repertoire",
511
+ message: `deleting credential via bw for ${domain}`,
512
+ meta: { domain, backend: "bitwarden" },
513
+ });
514
+ const item = await this.withSessionRetry((session) => this.findItemByDomain(domain, session));
515
+ if (!item) {
516
+ (0, runtime_1.emitNervesEvent)({
517
+ event: "repertoire.bw_credential_delete_end",
518
+ component: "repertoire",
519
+ message: `no bw credential to delete for ${domain}`,
520
+ meta: { domain, deleted: false, backend: "bitwarden" },
521
+ });
522
+ return false;
523
+ }
524
+ await this.withSessionRetry((session) => execBw(["delete", "item", item.id], session, this.appDataDir));
525
+ (0, runtime_1.emitNervesEvent)({
526
+ event: "repertoire.bw_credential_delete_end",
527
+ component: "repertoire",
528
+ message: `credential deleted via bw for ${domain}`,
529
+ meta: { domain, deleted: true, backend: "bitwarden" },
530
+ });
531
+ return true;
532
+ }
533
+ // --- Private ---
534
+ async findItemByDomain(domain, session) {
535
+ const stdout = await execBw(["list", "items", "--search", domain], session, this.appDataDir);
536
+ const items = parseBwItems(stdout, "bw list items --search");
537
+ // Find exact match by name
538
+ return items.find((item) => item.name === domain) ?? null;
539
+ }
540
+ async findItemById(id, session) {
541
+ const stdout = await execBw(["get", "item", id], session, this.appDataDir);
542
+ return parseBwItem(stdout, "bw get item");
543
+ }
544
+ assertStoredCredentialMatches(domain, data, item) {
545
+ if (!item) {
546
+ throw new Error(`bw CLI error: credential save verification failed for ${domain}: saved item could not be read back after write`);
547
+ }
548
+ const mismatches = [];
549
+ if (item.name !== domain)
550
+ mismatches.push("name");
551
+ if ((item.login?.username ?? "") !== (data.username ?? ""))
552
+ mismatches.push("username");
553
+ if ((item.login?.password ?? "") !== data.password)
554
+ mismatches.push("password");
555
+ if ((item.notes ?? null) !== (data.notes ?? null))
556
+ mismatches.push("notes");
557
+ if (mismatches.length > 0) {
558
+ const label = mismatches.length === 1 ? "field" : "fields";
559
+ throw new Error(`bw CLI error: credential save verification failed for ${domain}: saved item did not match requested ${label} ${mismatches.join(", ")}`);
560
+ }
561
+ }
562
+ }
563
+ exports.BitwardenCredentialStore = BitwardenCredentialStore;
package/dist/repertoire/bundle-templates.js ADDED
@@ -0,0 +1,72 @@
1
+ "use strict";
2
+ /**
3
+ * Templates for agent bundle scaffolding.
4
+ *
5
+ * ## .gitignore design philosophy
6
+ *
7
+ * The bundle .gitignore handles FUNCTIONAL "shouldn't track" cases only:
8
+ *
9
+ * - Runtime state (sessions, logs, runtime files) — stale data with no
10
+ * value for review or history.
11
+ * - Credentials — real secrets live in the agent vault, but defense
12
+ * in depth in case anything leaks into the bundle.
13
+ * - Editor / OS noise (.DS_Store, .idea/, etc.).
14
+ * - Build artifacts (rare in bundles, but possible).
15
+ *
16
+ * It DOES NOT handle PII. The bundle is inherently full of PII — `friends/`,
17
+ * `diary/`, `journal/`, `psyche/`, `arc/`, `facts/`, `family/`, `travel/`
18
+ * etc. That's the point of the bundle; blocking those via .gitignore would
19
+ * defeat the purpose.
20
+ *
21
+ * PII is handled at first-push time by `bundle_first_push_review`, which
22
+ * enumerates PII-bearing directories, shows the agent counts, probes the
23
+ * remote URL for GitHub visibility, and hard-pauses until the human
24
+ * confirms. See Directive D in the planning doc.
25
+ *
26
+ * No content-pattern blocks (no `**\/sk-ant-*` or similar). Content-review
27
+ * failures are a different safety layer — credential scanning at commit
28
+ * time would be a follow-up feature.
29
+ */
30
+ Object.defineProperty(exports, "__esModule", { value: true });
31
+ exports.PII_BUNDLE_DIRECTORIES = exports.BUNDLE_GITIGNORE_TEMPLATE = void 0;
32
+ exports.BUNDLE_GITIGNORE_TEMPLATE = `# Runtime state — sessions, logs, runtime files, never tracked
33
+ state/
34
+
35
+ # Credentials — never tracked. Real secrets live in the agent vault, but
36
+ # defense in depth in case anything leaks into the bundle.
37
+ .env
38
+ .env.*
39
+ secrets/
40
+ **/*.key
41
+ **/*.pem
42
+ **/*.credentials
43
+ **/*.pfx
44
+
45
+ # Editor and OS noise
46
+ .DS_Store
47
+ .idea/
48
+ .vscode/
49
+ *.swp
50
+ *.swo
51
+
52
+ # Build artifacts (rare in bundles, but possible if a workspace lands here)
53
+ node_modules/
54
+ dist/
55
+ `;
56
+ /**
57
+ * PII-sensitive top-level directories. Enumerated here so `bundle_first_push_review`
58
+ * can categorize and count. Adding a new PII bucket to the bundle means adding
59
+ * it here so the first-push warning includes it.
60
+ */
61
+ exports.PII_BUNDLE_DIRECTORIES = [
62
+ "friends",
63
+ "diary",
64
+ "journal",
65
+ "psyche",
66
+ "arc",
67
+ "facts",
68
+ "family",
69
+ "travel",
70
+ "notes",
71
+ "sessions",
72
+ ];