@ouro.bot/cli 0.1.0-alpha.410 → 0.1.0-alpha.412

package/changelog.json

@@ -1,6 +1,23 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.412",
+      "changes": [
+        "Cross-process bw CLI lock prevents concurrent access to the same Bitwarden app data directory, fixing the root cause of intermittent vault timeout errors during `ouro up` provider checks on multi-agent machines.",
+        "Two-layer locking in `execBw`: in-process async mutex serializes within a Node.js process, cross-process `O_EXCL` file lock with PID stale detection serializes across processes.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault concurrency fix release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.411",
+      "changes": [
+        "`ouro up` interactive repair now re-evaluates each agent after a successful vault-unlock or provider-auth, so users see immediate confirmation or an updated next step instead of stale context.",
+        "Repair prompts now include agent names (`Unlock slugger's vault now?`) instead of generic phrasing.",
+        "Terminal `Repair flow complete.` message printed when at least one repair was attempted, giving clear closure to the interactive flow.",
+        "Redundant repair queue summary suppressed in the post-daemon-start path where the status block already listed degraded agents."
+      ]
+    },
     {
       "version": "0.1.0-alpha.410",
       "changes": [

package/dist/heart/daemon/agentic-repair.js

@@ -51,6 +51,7 @@ function makeInteractiveRepairDeps(deps) {
         /* v8 ignore next -- fallback no-op: tests always inject runAuthFlow; default is for production @preserve */
         runAuthFlow: deps.runAuthFlow ?? (async () => undefined),
         runVaultUnlock: deps.runVaultUnlock,
+        skipQueueSummary: deps.skipQueueSummary,
     };
 }
 async function runDeterministicRepair(degraded, deps) {

package/dist/heart/daemon/cli-exec.js

@@ -2677,6 +2677,7 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
                     runVaultUnlock: async (agent) => {
                         await executeVaultUnlock({ kind: "vault.unlock", agent }, deps);
                     },
+                    skipQueueSummary: true,
                 });
                 if (repairResult.repairsAttempted) {
                     const repairedAgents = daemonResult.stability.degraded

package/dist/heart/daemon/interactive-repair.js

@@ -182,6 +182,97 @@ function writeRepairQueueSummary(degraded, deps) {
     if (lines.length > 0)
         deps.writeStdout(lines.join("\n"));
 }
+async function attemptVaultUnlock(entry, action, deps) {
+    deps.writeStdout(renderActionPromptLines(entry.agent, action).join("\n"));
+    const answer = await deps.promptInput(`Unlock ${entry.agent}'s vault now? [y/N] `);
+    if (!isAffirmativeAnswer(answer)) {
+        writeDeclinedRepair(entry, action.command, deps);
+        return { succeeded: false, attempted: false };
+    }
+    try {
+        if (!deps.runVaultUnlock) {
+            deps.writeStdout(renderManualRepairHint(entry.agent, entry.fixHint));
+            return { succeeded: false, attempted: false };
+        }
+        await deps.runVaultUnlock(entry.agent);
+        return { succeeded: true, attempted: true };
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        deps.writeStdout(`Vault unlock did not finish for ${entry.agent}.\n  ${msg}`);
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            component: "daemon",
+            event: "daemon.interactive_repair_vault_unlock_error",
+            message: `vault unlock failed for ${entry.agent}`,
+            meta: { agent: entry.agent, error: msg },
+        });
+        return { succeeded: false, attempted: true };
+    }
+}
+async function attemptProviderAuth(entry, action, deps) {
+    deps.writeStdout(renderActionPromptLines(entry.agent, action).join("\n"));
+    const answer = await deps.promptInput(`Open the auth flow for ${entry.agent} now? [y/N] `);
+    if (!isAffirmativeAnswer(answer)) {
+        writeDeclinedRepair(entry, action.command, deps);
+        return { succeeded: false, attempted: false };
+    }
+    try {
+        if (action.provider) {
+            await deps.runAuthFlow(entry.agent, action.provider);
+        }
+        else {
+            await deps.runAuthFlow(entry.agent);
+        }
+        return { succeeded: true, attempted: true };
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        deps.writeStdout(`Auth did not finish for ${entry.agent}.\n  ${msg}`);
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            component: "daemon",
+            event: "daemon.interactive_repair_auth_error",
+            message: `auth flow failed for ${entry.agent}`,
+            meta: { agent: entry.agent, error: msg },
+        });
+        return { succeeded: false, attempted: true };
+    }
+}
+async function processEntry(entry, deps) {
+    let current = entry;
+    while (current) {
+        const action = runnableRepairActionFor(current);
+        let outcome;
+        if (action?.kind === "vault-unlock") {
+            outcome = await attemptVaultUnlock(current, action, deps);
+        }
+        else if (action?.kind === "provider-auth") {
+            outcome = await attemptProviderAuth(current, action, deps);
+        }
+        else if (isConfigError(current)) {
+            deps.writeStdout(renderManualRepairHint(current.agent, current.fixHint));
+            return { attempted: false };
+        }
+        else {
+            deps.writeStdout(renderUnknownRepair(current.agent, current.errorReason));
+            return { attempted: false };
+        }
+        if (!outcome.succeeded || !deps.recheckAgent) {
+            return { attempted: outcome.attempted };
+        }
+        // Re-evaluate the agent after successful repair
+        const recheckResult = await deps.recheckAgent(current.agent);
+        if (recheckResult === null) {
+            deps.writeStdout(`${current.agent} recovered.`);
+            return { attempted: true };
+        }
+        // Agent still degraded with a new error -- loop to present the new action
+        current = recheckResult;
+    }
+    /* v8 ignore next -- unreachable: loop always returns from within @preserve */
+    return { attempted: false };
+}
 async function runInteractiveRepair(degraded, deps) {
     (0, runtime_1.emitNervesEvent)({
         level: "info",
@@ -194,76 +285,16 @@ async function runInteractiveRepair(degraded, deps) {
         return { repairsAttempted: false };
     }
     let repairsAttempted = false;
-    writeRepairQueueSummary(degraded, deps);
+    if (!deps.skipQueueSummary) {
+        writeRepairQueueSummary(degraded, deps);
+    }
     for (const entry of degraded) {
-        const action = runnableRepairActionFor(entry);
-        if (action?.kind === "vault-unlock") {
-            deps.writeStdout(renderActionPromptLines(entry.agent, action).join("\n"));
-            const answer = await deps.promptInput("Unlock it now? [y/N] ");
-            if (isAffirmativeAnswer(answer)) {
-                try {
-                    if (!deps.runVaultUnlock) {
-                        deps.writeStdout(renderManualRepairHint(entry.agent, entry.fixHint));
-                    }
-                    else {
-                        await deps.runVaultUnlock(entry.agent);
-                        repairsAttempted = true;
-                    }
-                }
-                catch (error) {
-                    const msg = error instanceof Error ? error.message : String(error);
-                    deps.writeStdout(`Vault unlock did not finish for ${entry.agent}.\n  ${msg}`);
-                    repairsAttempted = true;
-                    (0, runtime_1.emitNervesEvent)({
-                        level: "error",
-                        component: "daemon",
-                        event: "daemon.interactive_repair_vault_unlock_error",
-                        message: `vault unlock failed for ${entry.agent}`,
-                        meta: { agent: entry.agent, error: msg },
-                    });
-                }
-            }
-            else {
-                writeDeclinedRepair(entry, action.command, deps);
-            }
-        }
-        else if (action?.kind === "provider-auth") {
-            deps.writeStdout(renderActionPromptLines(entry.agent, action).join("\n"));
-            const answer = await deps.promptInput("Open the auth flow now? [y/N] ");
-            if (isAffirmativeAnswer(answer)) {
-                try {
-                    if (action.provider) {
-                        await deps.runAuthFlow(entry.agent, action.provider);
-                    }
-                    else {
-                        await deps.runAuthFlow(entry.agent);
-                    }
-                    repairsAttempted = true;
-                }
-                catch (error) {
-                    const msg = error instanceof Error ? error.message : String(error);
-                    deps.writeStdout(`Auth did not finish for ${entry.agent}.\n  ${msg}`);
-                    repairsAttempted = true;
-                    (0, runtime_1.emitNervesEvent)({
-                        level: "error",
-                        component: "daemon",
-                        event: "daemon.interactive_repair_auth_error",
-                        message: `auth flow failed for ${entry.agent}`,
-                        meta: { agent: entry.agent, error: msg },
-                    });
-                }
-            }
-            else {
-                writeDeclinedRepair(entry, action.command, deps);
-            }
-        }
-        else if (isConfigError(entry)) {
-            deps.writeStdout(renderManualRepairHint(entry.agent, entry.fixHint));
-        }
-        else {
-            // Unknown error with no actionable fix hint
-            deps.writeStdout(renderUnknownRepair(entry.agent, entry.errorReason));
-        }
+        const result = await processEntry(entry, deps);
+        if (result.attempted)
+            repairsAttempted = true;
+    }
+    if (repairsAttempted) {
+        deps.writeStdout("Repair flow complete.");
     }
     (0, runtime_1.emitNervesEvent)({
         level: "info",

package/dist/repertoire/bitwarden-store.js

@@ -45,6 +45,7 @@ exports.BitwardenCredentialStore = void 0;
 exports.sanitizeCredentialErrorDetail = sanitizeCredentialErrorDetail;
 const node_child_process_1 = require("node:child_process");
 const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
 const runtime_1 = require("../nerves/runtime");
 const bw_installer_1 = require("./bw-installer");
 const MAX_ERROR_DETAIL_LENGTH = 500;
@@ -130,13 +131,118 @@ function isBwConfigLogoutRequired(err) {
     const message = err.message.toLowerCase();
     return message.includes("logout") && message.includes("required");
 }
+// ---------------------------------------------------------------------------
+// Cross-process bw CLI lock
+// ---------------------------------------------------------------------------
+// The bw CLI cannot handle concurrent access to the same app data directory.
+// Two processes (e.g. daemon worker + ouro up CLI) hitting the same dir
+// simultaneously corrupt bw's local state, producing empty/garbled output.
+//
+// We use two layers:
+//   1. In-process async mutex: a Map<string, Promise<void>> keyed by appDataDir
+//      serializes calls within a single Node.js process.
+//   2. Cross-process file lock: fs.openSync(lockPath, 'wx') with PID stale
+//      detection serializes across processes.
+// ---------------------------------------------------------------------------
+const BW_LOCK_FILENAME = ".ouro-bw.lock";
+const BW_LOCK_TIMEOUT_MS = 30_000;
+const BW_LOCK_POLL_MS = 100;
+/** In-process async mutex keyed by appDataDir. */
+const inProcessLocks = new Map();
+function isPidAlive(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function acquireFileLock(lockPath) {
+    const content = `${process.pid}\n`;
+    const deadline = Date.now() + BW_LOCK_TIMEOUT_MS;
+    while (true) {
+        try {
+            const fd = fs.openSync(lockPath, fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_EXCL);
+            fs.writeSync(fd, content);
+            fs.closeSync(fd);
+            return;
+        }
+        catch (err) {
+            if (err.code !== "EEXIST") {
+                throw err;
+            }
+            // Lock file exists -- check for stale lock
+            try {
+                const existing = fs.readFileSync(lockPath, "utf8").trim();
+                const pid = parseInt(existing, 10);
+                if (!isNaN(pid) && !isPidAlive(pid)) {
+                    // Stale lock -- remove and retry immediately
+                    try {
+                        fs.unlinkSync(lockPath);
+                    }
+                    catch { /* race with another cleaner is fine */ }
+                    continue;
+                }
+            }
+            catch { /* v8 ignore next -- race: lock file disappeared between openSync and readFileSync @preserve */
+                continue;
+            }
+            if (Date.now() >= deadline) {
+                throw new Error(`bw CLI lock timeout: could not acquire ${lockPath} within ${BW_LOCK_TIMEOUT_MS}ms`);
+            }
+            // Yield to the event loop before retrying
+            await delay(BW_LOCK_POLL_MS);
+        }
+    }
+}
+function releaseFileLock(lockPath) {
+    try {
+        fs.unlinkSync(lockPath);
+    }
+    catch {
+        // Already removed or never created -- safe to ignore
+    }
+}
+async function withBwLock(appDataDir, fn) {
+    if (!appDataDir) {
+        // No appDataDir means the default bw data location. Still need in-process
+        // serialization but cannot do cross-process file lock without a dir.
+        return fn();
+    }
+    const lockKey = appDataDir;
+    const lockPath = path.join(appDataDir, BW_LOCK_FILENAME);
+    // In-process serialization: chain onto the previous promise for this key
+    const previous = inProcessLocks.get(lockKey) ?? Promise.resolve();
+    let releaseLock;
+    const current = new Promise((resolve) => { releaseLock = resolve; });
+    inProcessLocks.set(lockKey, current);
+    await previous;
+    let fileLockAcquired = false;
+    try {
+        // Cross-process file lock
+        await acquireFileLock(lockPath);
+        fileLockAcquired = true;
+        return await fn();
+    }
+    finally {
+        if (fileLockAcquired) {
+            releaseFileLock(lockPath);
+        }
+        releaseLock();
+        // Clean up the map entry if we are the latest
+        if (inProcessLocks.get(lockKey) === current) {
+            inProcessLocks.delete(lockKey);
+        }
+    }
+}
 function execBw(args, sessionToken, appDataDir, stdin) {
     const env = {
         ...process.env,
         ...(sessionToken ? { BW_SESSION: sessionToken } : {}),
         ...(appDataDir ? { BITWARDENCLI_APPDATA_DIR: appDataDir } : {}),
     };
-    return new Promise((resolve, reject) => {
+    const runCommand = () => new Promise((resolve, reject) => {
         const child = (0, node_child_process_1.execFile)("bw", args, { timeout: 30_000, env }, (err, stdout, stderr) => {
             if (err) {
                 if (isBwNotInstalled(err)) {
@@ -152,6 +258,7 @@ function execBw(args, sessionToken, appDataDir, stdin) {
             child?.stdin?.end(stdin);
         }
     });
+    return withBwLock(appDataDir, runCommand);
 }
 /** Check if the error indicates the bw CLI binary is not installed. */
 function isBwNotInstalled(err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.410",
+  "version": "0.1.0-alpha.412",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",