@ouro.bot/cli 0.1.0-alpha.436 → 0.1.0-alpha.437

package/changelog.json

@@ -1,6 +1,14 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.437",
+      "changes": [
+        "Provider-credential refresh now reads the known `providers/<provider>` vault items directly instead of starting with a full `bw list items` scan, so startup, repair, and connect-bay readiness stop paying whole-vault latency just to inspect the handful of provider records Ouro already names exactly.",
+        "Structured Ouro vault items now treat an exact-item `not found` from Bitwarden as a real miss instead of falling back into a fuzzy filtered search, which removes the slow retrying scan path for absent `providers/*` and `runtime/*` records without changing the safety fallback for malformed direct responses.",
+        "This closes the remaining real-world `connect` slowdown found after the live-ping work: local dogfood dropped the branch connect-bay readiness run from 127 seconds in the shipped path to 18 seconds after the direct provider-read fix, with new coverage locking the direct-read contract in place."
+      ]
+    },
     {
       "version": "0.1.0-alpha.436",
       "changes": [

package/dist/heart/provider-credentials.js

@@ -96,6 +96,11 @@ function isPresentCredentialValue(value) {
         return value.trim().length > 0;
     return Number.isFinite(value) && value !== 0;
 }
+function isMissingProviderCredentialError(message, itemName) {
+    const normalized = message.toLowerCase();
+    return normalized.includes(itemName.toLowerCase())
+        && (normalized.includes("no credential found") || normalized.includes("missing") || normalized.includes("not found"));
+}
 function copyKnownFields(source, fields) {
     const result = {};
     for (const field of fields) {
@@ -225,17 +230,21 @@ async function refreshProviderCredentialPool(agentName, options = {}) {
     try {
         const store = (0, credential_access_1.getCredentialStore)(agentName);
         options.onProgress?.(`reading vault items for ${agentName}...`);
-        const items = await store.list();
         const providers = {};
         let updatedAt = new Date(0).toISOString();
-        for (const item of items) {
-            if (!item.domain.startsWith(VAULT_ITEM_PREFIX))
-                continue;
-            const provider = item.domain.slice(VAULT_ITEM_PREFIX.length);
-            if (!isAgentProvider(provider))
-                continue;
+        for (const provider of VALID_PROVIDERS) {
+            const itemName = providerCredentialItemName(provider);
             options.onProgress?.(`reading ${provider} credentials...`);
-            const raw = await store.getRawSecret(item.domain, "password");
+            let raw;
+            try {
+                raw = await store.getRawSecret(itemName, "password");
+            }
+            catch (error) {
+                const message = error instanceof Error ? error.message : String(error);
+                if (isMissingProviderCredentialError(message, itemName))
+                    continue;
+                throw error;
+            }
             const payload = validateProviderCredentialPayload(JSON.parse(raw), provider);
             const record = recordFromPayload(payload);
             providers[provider] = record;

package/dist/repertoire/bitwarden-store.js

@@ -134,11 +134,13 @@ function isBwConfigLogoutRequired(err) {
 function shouldPreferExactItemLookup(domain) {
     return domain.includes("/");
 }
+function isBwDirectLookupMissingError(err) {
+    const message = err.message.toLowerCase();
+    return message.includes("bw cli error: not found") || message.includes("bw cli error: item not found");
+}
 function isBwDirectLookupFallbackError(err) {
     const message = err.message.toLowerCase();
-    return (message.includes("bw cli error: not found") ||
-        message.includes("bw cli error: item not found") ||
-        message.includes("invalid json from bw get item") ||
+    return (message.includes("invalid json from bw get item") ||
         message.includes("invalid item from bw get item"));
 }
 // ---------------------------------------------------------------------------
@@ -246,14 +248,14 @@ async function withBwLock(appDataDir, fn) {
         }
     }
 }
-function execBw(args, sessionToken, appDataDir, stdin) {
+function execBw(args, sessionToken, appDataDir, stdin, bwBinaryPath = "bw") {
     const env = {
         ...process.env,
         ...(sessionToken ? { BW_SESSION: sessionToken } : {}),
         ...(appDataDir ? { BITWARDENCLI_APPDATA_DIR: appDataDir } : {}),
     };
     const runCommand = () => new Promise((resolve, reject) => {
-        const child = (0, node_child_process_1.execFile)("bw", args, { timeout: 30_000, env }, (err, stdout, stderr) => {
+        const child = (0, node_child_process_1.execFile)(bwBinaryPath, args, { timeout: 30_000, env }, (err, stdout, stderr) => {
             if (err) {
                 if (isBwNotInstalled(err)) {
                     reject(new Error("bw CLI not found. Install from https://bitwarden.com/help/cli/"));
@@ -274,7 +276,7 @@ function execBw(args, sessionToken, appDataDir, stdin) {
 function isBwNotInstalled(err) {
     const msg = err.message.toLowerCase();
     const code = err.code;
-    return code === "ENOENT" || msg.includes("enoent") || msg.includes("not found") || msg.includes("command not found");
+    return code === "ENOENT" || /\bspawn\b.*\benoent\b/.test(msg) || msg.includes("command not found");
 }
 /** Check if the error is transient (network/timeout) and worth retrying. */
 function isTransientError(err) {
@@ -385,6 +387,7 @@ class BitwardenCredentialStore {
     masterPassword;
     appDataDir;
     sessionToken = null;
+    bwBinaryPath = "bw";
     constructor(serverUrl, email, masterPassword, options = {}) {
         this.serverUrl = serverUrl;
         this.email = email;
@@ -394,6 +397,9 @@ class BitwardenCredentialStore {
     isReady() {
         return true;
     }
+    execBw(args, sessionToken, stdin) {
+        return execBw(args, sessionToken, this.appDataDir, stdin, this.bwBinaryPath);
+    }
     /**
      * Ensure the bw CLI is authenticated and unlocked.
      * Handles three states: logged out → login, locked → unlock, already unlocked → no-op.
@@ -401,7 +407,7 @@ class BitwardenCredentialStore {
      */
     async login() {
         // Ensure bw CLI is installed before any bw commands
-        await (0, bw_installer_1.ensureBwCli)();
+        this.bwBinaryPath = await (0, bw_installer_1.ensureBwCli)();
         if (this.appDataDir) {
             fs.mkdirSync(this.appDataDir, { recursive: true, mode: 0o700 });
         }
@@ -438,7 +444,7 @@ class BitwardenCredentialStore {
         // Check current status
         let status = {};
         try {
-            const raw = await execBw(["status"], undefined, this.appDataDir);
+            const raw = await this.execBw(["status"]);
             status = JSON.parse(raw);
         }
         catch (err) {
@@ -451,7 +457,7 @@ class BitwardenCredentialStore {
         // Configure server URL if needed (only works when logged out)
         if (status.status === "unauthenticated" || !status.serverUrl) {
             try {
-                await execBw(["config", "server", this.serverUrl], undefined, this.appDataDir);
+                await this.execBw(["config", "server", this.serverUrl]);
             }
             catch (error) {
                 const err = error;
@@ -463,12 +469,12 @@ class BitwardenCredentialStore {
         }
         if (status.status === "locked") {
             // Already logged in, just needs unlock
-            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"], undefined, this.appDataDir);
+            const unlockOutput = await this.execBw(["unlock", this.masterPassword, "--raw"]);
             this.sessionToken = unlockOutput.trim();
         }
         else if (status.status === "unauthenticated" || !status.status) {
             // Not logged in — full login
-            const loginOutput = await execBw(["login", this.email, this.masterPassword, "--raw"], undefined, this.appDataDir);
+            const loginOutput = await this.execBw(["login", this.email, this.masterPassword, "--raw"]);
             try {
                 const parsed = JSON.parse(loginOutput);
                 this.sessionToken = parsed.access_token ?? loginOutput.trim();
@@ -479,12 +485,12 @@ class BitwardenCredentialStore {
         }
         else {
             // Status is "unlocked" — already good, just need the session token
-            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"], undefined, this.appDataDir);
+            const unlockOutput = await this.execBw(["unlock", this.masterPassword, "--raw"]);
             this.sessionToken = unlockOutput.trim();
         }
         // Sync vault data after obtaining a fresh session token
         /* v8 ignore next -- defensive: loginAttempt always sets sessionToken before sync @preserve */
-        await execBw(["sync"], this.sessionToken ?? undefined, this.appDataDir);
+        await this.execBw(["sync"], this.sessionToken ?? undefined);
     }
     async ensureSession() {
         if (!this.sessionToken) {
@@ -610,12 +616,12 @@ class BitwardenCredentialStore {
             const encoded = Buffer.from(JSON.stringify(item)).toString("base64");
             let savedItem;
             if (existing) {
-                const stdout = await execBw(["edit", "item", existing.id], session, this.appDataDir, encoded);
+                const stdout = await this.execBw(["edit", "item", existing.id], session, encoded);
                 const savedItemId = parseBwItemId(stdout) ?? existing.id;
                 savedItem = await this.findItemById(savedItemId, session);
             }
             else {
-                const stdout = await execBw(["create", "item"], session, this.appDataDir, encoded);
+                const stdout = await this.execBw(["create", "item"], session, encoded);
                 const savedItemId = parseBwItemId(stdout);
                 savedItem = savedItemId
                     ? await this.findItemById(savedItemId, session)
@@ -637,7 +643,7 @@ class BitwardenCredentialStore {
             message: "listing bw credentials",
             meta: { backend: "bitwarden" },
         });
-        const stdout = await this.withTransientRetry(() => this.withSessionRetry((session) => execBw(["list", "items"], session, this.appDataDir)));
+        const stdout = await this.withTransientRetry(() => this.withSessionRetry((session) => this.execBw(["list", "items"], session)));
         const items = parseBwItems(stdout, "bw list items");
         const results = items.map((item) => ({
             domain: item.name,
@@ -670,7 +676,7 @@ class BitwardenCredentialStore {
             });
             return false;
         }
-        await this.withSessionRetry((session) => execBw(["delete", "item", item.id], session, this.appDataDir));
+        await this.withSessionRetry((session) => this.execBw(["delete", "item", item.id], session));
         (0, runtime_1.emitNervesEvent)({
             event: "repertoire.bw_credential_delete_end",
             component: "repertoire",
@@ -683,24 +689,26 @@ class BitwardenCredentialStore {
     async findItemByDomain(domain, session) {
         if (shouldPreferExactItemLookup(domain)) {
             try {
-                const stdout = await execBw(["get", "item", domain], session, this.appDataDir);
+                const stdout = await this.execBw(["get", "item", domain], session);
                 const item = parseBwItem(stdout, "bw get item");
                 if (item.name === domain)
                     return item;
             }
             catch (error) {
                 const err = error;
+                if (isBwDirectLookupMissingError(err))
+                    return null;
                 if (!isBwDirectLookupFallbackError(err))
                     throw err;
             }
         }
-        const stdout = await execBw(["list", "items", "--search", domain], session, this.appDataDir);
+        const stdout = await this.execBw(["list", "items", "--search", domain], session);
         const items = parseBwItems(stdout, "bw list items --search");
         // Find exact match by name
         return items.find((item) => item.name === domain) ?? null;
     }
     async findItemById(id, session) {
-        const stdout = await execBw(["get", "item", id], session, this.appDataDir);
+        const stdout = await this.execBw(["get", "item", id], session);
         return parseBwItem(stdout, "bw get item");
     }
     assertStoredCredentialMatches(domain, data, item) {

package/dist/repertoire/bw-installer.js

@@ -5,12 +5,50 @@
  * Mirrors the whisper-cpp pattern in senses/bluebubbles/media.ts:
  * check PATH first, install via npm if missing, emit nerves event.
  */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.findExecutableOnPath = findExecutableOnPath;
+exports.findExecutableViaNpmPrefix = findExecutableViaNpmPrefix;
 exports.ensureBwCli = ensureBwCli;
 const node_child_process_1 = require("node:child_process");
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
 const runtime_1 = require("../nerves/runtime");
 const INSTALL_TIMEOUT_MS = 120_000;
 const WHICH_TIMEOUT_MS = 5_000;
+const DEFAULT_WINDOWS_PATHEXT = ".EXE;.CMD;.BAT;.COM";
 function execFileAsync(cmd, args, timeout) {
     return new Promise((resolve, reject) => {
         (0, node_child_process_1.execFile)(cmd, args, { timeout }, (err, stdout) => {
@@ -22,20 +60,88 @@ function execFileAsync(cmd, args, timeout) {
         });
     });
 }
+function stripWrappingQuotes(value) {
+    const trimmed = value.trim();
+    if (trimmed.startsWith("\"") && trimmed.endsWith("\"")) {
+        return trimmed.slice(1, -1);
+    }
+    return trimmed;
+}
+function isExecutableFile(targetPath, platform) {
+    try {
+        fs.accessSync(targetPath, platform === "win32" ? fs.constants.F_OK : fs.constants.X_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function executableNames(command, platform, pathExt) {
+    if (platform !== "win32")
+        return [command];
+    if (path.extname(command))
+        return [command];
+    const extensions = pathExt
+        .split(";")
+        .map((entry) => entry.trim())
+        .filter((entry) => entry.length > 0);
+    return extensions.length === 0
+        ? [command]
+        : extensions.map((extension) => (extension.startsWith(".") ? `${command}${extension}` : `${command}.${extension}`));
+}
+function findExecutableInDirectory(command, directory, platform, pathExt) {
+    const cleanDirectory = stripWrappingQuotes(directory);
+    if (!cleanDirectory)
+        return null;
+    for (const candidateName of executableNames(command, platform, pathExt)) {
+        const candidatePath = path.isAbsolute(candidateName)
+            ? candidateName
+            : path.join(cleanDirectory, candidateName);
+        if (isExecutableFile(candidatePath, platform)) {
+            return candidatePath;
+        }
+    }
+    return null;
+}
+function findExecutableOnPath(command, envPath = process.env.PATH ?? "", platform = process.platform, pathExt = process.env.PATHEXT ?? DEFAULT_WINDOWS_PATHEXT) {
+    if (path.isAbsolute(command) || command.includes(path.sep)) {
+        return isExecutableFile(command, platform) ? command : null;
+    }
+    for (const directory of envPath.split(path.delimiter)) {
+        const found = findExecutableInDirectory(command, directory, platform, pathExt);
+        if (found)
+            return found;
+    }
+    return null;
+}
+async function findExecutableViaNpmPrefix(command, platform = process.platform, pathExt = process.env.PATHEXT ?? DEFAULT_WINDOWS_PATHEXT) {
+    try {
+        const prefix = stripWrappingQuotes((await execFileAsync("npm", ["prefix", "-g"], WHICH_TIMEOUT_MS)).trim());
+        if (!prefix)
+            return null;
+        const searchDirs = platform === "win32"
+            ? [prefix, path.join(prefix, "bin")]
+            : [path.join(prefix, "bin"), prefix];
+        for (const directory of searchDirs) {
+            const found = findExecutableInDirectory(command, directory, platform, pathExt);
+            if (found)
+                return found;
+        }
+    }
+    catch {
+        // Prefix lookup is only a post-install fallback.
+    }
+    return null;
+}
 /**
  * Ensure the `bw` CLI is available, installing it via npm if needed.
  * Returns the path to the `bw` binary.
  */
 async function ensureBwCli() {
     // 1. Check if bw is already in PATH
-    try {
-        const existing = (await execFileAsync("which", ["bw"], WHICH_TIMEOUT_MS)).trim();
-        if (existing) {
-            return existing;
-        }
-    }
-    catch {
-        // Not found — fall through to install
+    const existing = findExecutableOnPath("bw");
+    if (existing) {
+        return existing;
     }
     // 2. Install via npm
     (0, runtime_1.emitNervesEvent)({
@@ -60,20 +166,15 @@ async function ensureBwCli() {
         throw new Error(`failed to install bw CLI via npm: ${reason}`);
     }
     // 3. Verify installation and return path
-    try {
-        const installed = (await execFileAsync("which", ["bw"], WHICH_TIMEOUT_MS)).trim();
-        if (installed) {
-            (0, runtime_1.emitNervesEvent)({
-                event: "repertoire.bw_cli_install_end",
-                component: "repertoire",
-                message: "bw CLI installed successfully",
-                meta: { path: installed },
-            });
-            return installed;
-        }
-    }
-    catch {
-        // Fall through to error
+    const installed = findExecutableOnPath("bw") ?? await findExecutableViaNpmPrefix("bw");
+    if (installed) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_cli_install_end",
+            component: "repertoire",
+            message: "bw CLI installed successfully",
+            meta: { path: installed },
+        });
+        return installed;
     }
-    throw new Error("bw CLI installed via npm but binary not found in PATH");
+    throw new Error("bw CLI installed via npm but binary not found in PATH or npm global bin");
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.436",
+  "version": "0.1.0-alpha.437",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",