@ouro.bot/cli 0.1.0-alpha.436 → 0.1.0-alpha.438

package/changelog.json

@@ -1,6 +1,22 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.438",
+      "changes": [
+        "Live provider failures now keep their real diagnosis all the way through startup, repair, and the connect bay: expired credentials still prompt re-auth, but busy providers, provider outages, rate limits, quota failures, and network trouble now point humans toward retrying later, checking usage, or switching lanes instead of being mislabeled as an auth problem.",
+        "The readiness board and connect bay now share one classification-aware repair model, so a lane only says `needs credentials` when the live ping actually came back as an auth failure; other live-check failures stay in the broader `needs attention` bucket with matching next actions.",
+        "New daemon, connect-bay, human-readiness, hermetic-runtime, and full-suite coverage lock in the truthful failure guidance, and packaged-install verification confirms the fix survives beyond the repo checkout into the shipped CLI."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.437",
+      "changes": [
+        "Provider-credential refresh now reads the known `providers/<provider>` vault items directly instead of starting with a full `bw list items` scan, so startup, repair, and connect-bay readiness stop paying whole-vault latency just to inspect the handful of provider records Ouro already names exactly.",
+        "Structured Ouro vault items now treat an exact-item `not found` from Bitwarden as a real miss instead of falling back into a fuzzy filtered search, which removes the slow retrying scan path for absent `providers/*` and `runtime/*` records without changing the safety fallback for malformed direct responses.",
+        "This closes the remaining real-world `connect` slowdown found after the live-ping work: local dogfood dropped the branch connect-bay readiness run from 127 seconds in the shipped path to 18 seconds after the direct provider-read fix, with new coverage locking the direct-read contract in place."
+      ]
+    },
     {
       "version": "0.1.0-alpha.436",
       "changes": [

package/dist/heart/daemon/agent-config-check.js

@@ -298,12 +298,18 @@ function failedPingResult(agentName, lane, provider, model, result) {
     return {
         ok: false,
         error: `${lane} provider ${provider} model ${model} failed live check: ${result.message}`,
-        fix: `Run 'ouro auth --agent ${agentName} --provider ${provider}' to refresh credentials.`,
+        fix: (0, readiness_repair_1.providerLiveCheckFix)({
+            agentName,
+            lane,
+            provider,
+            classification: result.classification,
+        }),
         issue: (0, readiness_repair_1.providerLiveCheckFailedIssue)({
             agentName,
             lane,
             provider,
             model,
+            classification: result.classification,
             message: result.message,
         }),
     };

package/dist/heart/daemon/connect-bay.js

@@ -6,6 +6,7 @@ exports.connectEntryNeedsAttention = connectEntryNeedsAttention;
 exports.renderConnectBay = renderConnectBay;
 const runtime_1 = require("../../nerves/runtime");
 const terminal_ui_1 = require("./terminal-ui");
+const readiness_repair_1 = require("./readiness-repair");
 const CONNECT_STATUS_PRIORITY = {
     "needs attention": 0,
     locked: 1,
@@ -79,6 +80,16 @@ function extractCommand(fixHint, commandPrefix) {
 function resolveProviderHealthStatus(providerHealth) {
     if (!providerHealth || providerHealth.ok)
         return undefined;
+    const issue = providerHealth.issue;
+    if (issue?.kind === "vault-locked")
+        return "locked";
+    if (issue?.kind === "vault-unconfigured")
+        return "needs setup";
+    if (issue?.kind === "provider-credentials-missing")
+        return "needs credentials";
+    if (issue?.kind === "provider-live-check-failed") {
+        return issue.actions[0]?.kind === "provider-auth" ? "needs credentials" : "needs attention";
+    }
     const error = String(providerHealth.error).toLowerCase();
     const fix = String(providerHealth.fix).toLowerCase();
     if (error.includes("failed live check"))
@@ -99,7 +110,11 @@ function resolveProviderHealthStatus(providerHealth) {
         return "locked";
     return "needs attention";
 }
-function resolveProviderHealthCommand(fixHint, status) {
+function resolveProviderHealthCommand(providerHealth, status) {
+    const issueCommand = (0, readiness_repair_1.preferredConnectRepairAction)(providerHealth?.issue)?.command;
+    if (issueCommand)
+        return issueCommand;
+    const fixHint = providerHealth?.fix;
     if (!fixHint)
         return undefined;
     const prefixes = status === "locked"
@@ -329,7 +344,7 @@ function renderNonTtyBay(entries, options) {
 }
 function summarizeProviderLane(agent, lane, providerHealth) {
     const providerHealthStatus = resolveProviderHealthStatus(providerHealth);
-    const providerHealthCommand = resolveProviderHealthCommand(providerHealth?.fix, providerHealthStatus);
+    const providerHealthCommand = resolveProviderHealthCommand(providerHealth, providerHealthStatus);
     if (lane.status === "unconfigured") {
         return {
             lane: lane.lane,
@@ -372,7 +387,7 @@ function summarizeProviderLane(agent, lane, providerHealth) {
             status: "needs attention",
             title: `${lane.provider} / ${lane.model}`,
             detail: `failed live check: ${lane.readiness.error ?? "unknown error"}`,
-            action: providerHealth?.fix ?? `ouro auth --agent ${agent} --provider ${lane.provider}`,
+            action: providerHealthCommand ?? providerHealth?.fix ?? `ouro auth --agent ${agent} --provider ${lane.provider}`,
         };
     }
     if (lane.readiness.status === "stale") {
@@ -404,7 +419,7 @@ function summarizeProvidersForConnect(agent, visibility, providerHealth) {
     const laneSummaries = visibility.lanes.map((lane) => summarizeProviderLane(agent, lane, providerHealth));
     const worstLaneStatus = laneSummaries.reduce((worst, lane) => CONNECT_STATUS_PRIORITY[lane.status] < CONNECT_STATUS_PRIORITY[worst] ? lane.status : worst, "ready");
     const providerHealthStatus = resolveProviderHealthStatus(providerHealth);
-    const providerHealthCommand = resolveProviderHealthCommand(providerHealth?.fix, providerHealthStatus);
+    const providerHealthCommand = resolveProviderHealthCommand(providerHealth, providerHealthStatus);
     const nextLane = laneSummaries.find((lane) => isProblemStatus(lane.status));
     return {
         status: providerHealthStatus ?? worstLaneStatus,

package/dist/heart/daemon/human-readiness.js

@@ -22,7 +22,7 @@ function statusFromIssue(issue) {
         case "provider-credentials-missing":
             return "needs credentials";
         case "provider-live-check-failed":
-            return "needs attention";
+            return issue.actions[0]?.kind === "provider-auth" ? "needs credentials" : "needs attention";
         case "generic":
             return "needs attention";
     }

package/dist/heart/daemon/readiness-repair.js

@@ -3,6 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.vaultLockedIssue = vaultLockedIssue;
 exports.vaultUnconfiguredIssue = vaultUnconfiguredIssue;
 exports.providerCredentialMissingIssue = providerCredentialMissingIssue;
+exports.providerLiveCheckFix = providerLiveCheckFix;
+exports.preferredConnectRepairAction = preferredConnectRepairAction;
 exports.providerLiveCheckFailedIssue = providerLiveCheckFailedIssue;
 exports.genericReadinessIssue = genericReadinessIssue;
 exports.isKnownReadinessIssue = isKnownReadinessIssue;
@@ -92,6 +94,110 @@ function providerCredentialMissingIssue(input) {
         ],
     };
 }
+function normalizeProviderLiveCheckClassification(classification) {
+    switch (classification) {
+        case "auth-failure":
+        case "usage-limit":
+        case "rate-limit":
+        case "server-error":
+        case "network-error":
+        case "unknown":
+            return classification;
+        default:
+            return "unknown";
+    }
+}
+function providerUseAction(input) {
+    return {
+        kind: "provider-use",
+        label: "Choose a different working provider/model",
+        command: `ouro use --agent ${input.agentName} --lane ${input.lane} --provider <provider> --model <model>`,
+        actor: "human-choice",
+        executable: false,
+        lane: input.lane,
+    };
+}
+function providerAuthAction(input) {
+    return {
+        kind: "provider-auth",
+        label: `Refresh ${input.provider} credentials`,
+        command: `ouro auth --agent ${input.agentName} --provider ${input.provider}`,
+        actor: "human-required",
+        provider: input.provider,
+    };
+}
+function providerRetryAction(input) {
+    return {
+        kind: "provider-retry",
+        label: input.label,
+        command: `ouro repair --agent ${input.agentName}`,
+        actor: "human-choice",
+        executable: false,
+    };
+}
+function providerLiveCheckFix(input) {
+    const classification = normalizeProviderLiveCheckClassification(input.classification);
+    const authCommand = `ouro auth --agent ${input.agentName} --provider ${input.provider}`;
+    const useCommand = `ouro use --agent ${input.agentName} --lane ${input.lane} --provider <provider> --model <model>`;
+    switch (classification) {
+        case "auth-failure":
+            return `Run '${authCommand}' to refresh credentials, or run '${useCommand}' to choose another provider/model for this lane.`;
+        case "usage-limit":
+            return `This usually means ${input.provider} hit a usage limit. Restore quota, then run 'ouro up' again. Or run '${useCommand}' to choose another provider/model for this lane.`;
+        case "rate-limit":
+            return `Run 'ouro up' again after a short wait. Or run '${useCommand}' to choose another provider/model for this lane.`;
+        case "server-error":
+            return `Run 'ouro up' again in a moment. If ${input.provider} keeps failing, run '${useCommand}' to choose another provider/model for this lane.`;
+        case "network-error":
+            return `Check the network or provider availability, then run 'ouro up' again. Or run '${useCommand}' to choose another provider/model for this lane.`;
+        case "unknown":
+            return `Run 'ouro up' again. If it keeps failing, run '${authCommand}' to refresh credentials or '${useCommand}' to choose another provider/model for this lane.`;
+    }
+}
+function providerLiveCheckActions(input) {
+    const classification = normalizeProviderLiveCheckClassification(input.classification);
+    const useAction = providerUseAction(input);
+    const authAction = providerAuthAction(input);
+    switch (classification) {
+        case "auth-failure":
+            return [authAction, useAction];
+        case "usage-limit":
+            return [
+                providerRetryAction({ agentName: input.agentName, label: "After restoring quota, check again" }),
+                useAction,
+            ];
+        case "rate-limit":
+            return [
+                providerRetryAction({ agentName: input.agentName, label: "Give it a minute, then check again" }),
+                useAction,
+            ];
+        case "server-error":
+            return [
+                providerRetryAction({ agentName: input.agentName, label: "Check again in a moment" }),
+                useAction,
+            ];
+        case "network-error":
+            return [
+                providerRetryAction({ agentName: input.agentName, label: "Check again after the network settles" }),
+                useAction,
+                authAction,
+            ];
+        case "unknown":
+            return [
+                providerRetryAction({ agentName: input.agentName, label: "Check again" }),
+                authAction,
+                useAction,
+            ];
+    }
+}
+function preferredConnectRepairAction(issue) {
+    if (!issue)
+        return undefined;
+    if (issue.kind === "provider-live-check-failed" && issue.actions[0]?.kind === "provider-retry") {
+        return issue.actions.find((action) => action.kind !== "provider-retry") ?? issue.actions[0];
+    }
+    return issue.actions[0];
+}
 function providerLiveCheckFailedIssue(input) {
     return {
         kind: "provider-live-check-failed",
@@ -99,23 +205,7 @@ function providerLiveCheckFailedIssue(input) {
         actor: "human-choice",
         summary: `${input.agentName}: ${input.lane} provider ${input.provider} / ${input.model} failed live check`,
         detail: input.message,
-        actions: [
-            {
-                kind: "provider-auth",
-                label: `Refresh ${input.provider} credentials`,
-                command: `ouro auth --agent ${input.agentName} --provider ${input.provider}`,
-                actor: "human-required",
-                provider: input.provider,
-            },
-            {
-                kind: "provider-use",
-                label: "Choose a different working provider/model for this lane",
-                command: `ouro use --agent ${input.agentName} --lane ${input.lane} --provider <provider> --model <model>`,
-                actor: "human-choice",
-                executable: false,
-                lane: input.lane,
-            },
-        ],
+        actions: providerLiveCheckActions(input),
     };
 }
 function genericReadinessIssue(input) {

package/dist/heart/provider-credentials.js

@@ -96,6 +96,11 @@ function isPresentCredentialValue(value) {
         return value.trim().length > 0;
     return Number.isFinite(value) && value !== 0;
 }
+function isMissingProviderCredentialError(message, itemName) {
+    const normalized = message.toLowerCase();
+    return normalized.includes(itemName.toLowerCase())
+        && (normalized.includes("no credential found") || normalized.includes("missing") || normalized.includes("not found"));
+}
 function copyKnownFields(source, fields) {
     const result = {};
     for (const field of fields) {
@@ -225,17 +230,21 @@ async function refreshProviderCredentialPool(agentName, options = {}) {
     try {
         const store = (0, credential_access_1.getCredentialStore)(agentName);
         options.onProgress?.(`reading vault items for ${agentName}...`);
-        const items = await store.list();
         const providers = {};
         let updatedAt = new Date(0).toISOString();
-        for (const item of items) {
-            if (!item.domain.startsWith(VAULT_ITEM_PREFIX))
-                continue;
-            const provider = item.domain.slice(VAULT_ITEM_PREFIX.length);
-            if (!isAgentProvider(provider))
-                continue;
+        for (const provider of VALID_PROVIDERS) {
+            const itemName = providerCredentialItemName(provider);
             options.onProgress?.(`reading ${provider} credentials...`);
-            const raw = await store.getRawSecret(item.domain, "password");
+            let raw;
+            try {
+                raw = await store.getRawSecret(itemName, "password");
+            }
+            catch (error) {
+                const message = error instanceof Error ? error.message : String(error);
+                if (isMissingProviderCredentialError(message, itemName))
+                    continue;
+                throw error;
+            }
             const payload = validateProviderCredentialPayload(JSON.parse(raw), provider);
             const record = recordFromPayload(payload);
             providers[provider] = record;

package/dist/repertoire/bitwarden-store.js

@@ -134,11 +134,13 @@ function isBwConfigLogoutRequired(err) {
 function shouldPreferExactItemLookup(domain) {
     return domain.includes("/");
 }
+function isBwDirectLookupMissingError(err) {
+    const message = err.message.toLowerCase();
+    return message.includes("bw cli error: not found") || message.includes("bw cli error: item not found");
+}
 function isBwDirectLookupFallbackError(err) {
     const message = err.message.toLowerCase();
-    return (message.includes("bw cli error: not found") ||
-        message.includes("bw cli error: item not found") ||
-        message.includes("invalid json from bw get item") ||
+    return (message.includes("invalid json from bw get item") ||
         message.includes("invalid item from bw get item"));
 }
 // ---------------------------------------------------------------------------
@@ -246,14 +248,14 @@ async function withBwLock(appDataDir, fn) {
         }
     }
 }
-function execBw(args, sessionToken, appDataDir, stdin) {
+function execBw(args, sessionToken, appDataDir, stdin, bwBinaryPath = "bw") {
     const env = {
         ...process.env,
         ...(sessionToken ? { BW_SESSION: sessionToken } : {}),
         ...(appDataDir ? { BITWARDENCLI_APPDATA_DIR: appDataDir } : {}),
     };
     const runCommand = () => new Promise((resolve, reject) => {
-        const child = (0, node_child_process_1.execFile)("bw", args, { timeout: 30_000, env }, (err, stdout, stderr) => {
+        const child = (0, node_child_process_1.execFile)(bwBinaryPath, args, { timeout: 30_000, env }, (err, stdout, stderr) => {
             if (err) {
                 if (isBwNotInstalled(err)) {
                     reject(new Error("bw CLI not found. Install from https://bitwarden.com/help/cli/"));
@@ -274,7 +276,7 @@ function execBw(args, sessionToken, appDataDir, stdin) {
 function isBwNotInstalled(err) {
     const msg = err.message.toLowerCase();
     const code = err.code;
-    return code === "ENOENT" || msg.includes("enoent") || msg.includes("not found") || msg.includes("command not found");
+    return code === "ENOENT" || /\bspawn\b.*\benoent\b/.test(msg) || msg.includes("command not found");
 }
 /** Check if the error is transient (network/timeout) and worth retrying. */
 function isTransientError(err) {
@@ -385,6 +387,7 @@ class BitwardenCredentialStore {
     masterPassword;
     appDataDir;
     sessionToken = null;
+    bwBinaryPath = "bw";
     constructor(serverUrl, email, masterPassword, options = {}) {
         this.serverUrl = serverUrl;
         this.email = email;
@@ -394,6 +397,9 @@ class BitwardenCredentialStore {
     isReady() {
         return true;
     }
+    execBw(args, sessionToken, stdin) {
+        return execBw(args, sessionToken, this.appDataDir, stdin, this.bwBinaryPath);
+    }
     /**
      * Ensure the bw CLI is authenticated and unlocked.
      * Handles three states: logged out → login, locked → unlock, already unlocked → no-op.
@@ -401,7 +407,7 @@ class BitwardenCredentialStore {
      */
     async login() {
         // Ensure bw CLI is installed before any bw commands
-        await (0, bw_installer_1.ensureBwCli)();
+        this.bwBinaryPath = await (0, bw_installer_1.ensureBwCli)();
         if (this.appDataDir) {
             fs.mkdirSync(this.appDataDir, { recursive: true, mode: 0o700 });
         }
@@ -438,7 +444,7 @@ class BitwardenCredentialStore {
         // Check current status
         let status = {};
         try {
-            const raw = await execBw(["status"], undefined, this.appDataDir);
+            const raw = await this.execBw(["status"]);
             status = JSON.parse(raw);
         }
         catch (err) {
@@ -451,7 +457,7 @@ class BitwardenCredentialStore {
         // Configure server URL if needed (only works when logged out)
         if (status.status === "unauthenticated" || !status.serverUrl) {
             try {
-                await execBw(["config", "server", this.serverUrl], undefined, this.appDataDir);
+                await this.execBw(["config", "server", this.serverUrl]);
             }
             catch (error) {
                 const err = error;
@@ -463,12 +469,12 @@ class BitwardenCredentialStore {
         }
         if (status.status === "locked") {
             // Already logged in, just needs unlock
-            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"], undefined, this.appDataDir);
+            const unlockOutput = await this.execBw(["unlock", this.masterPassword, "--raw"]);
             this.sessionToken = unlockOutput.trim();
         }
         else if (status.status === "unauthenticated" || !status.status) {
             // Not logged in — full login
-            const loginOutput = await execBw(["login", this.email, this.masterPassword, "--raw"], undefined, this.appDataDir);
+            const loginOutput = await this.execBw(["login", this.email, this.masterPassword, "--raw"]);
             try {
                 const parsed = JSON.parse(loginOutput);
                 this.sessionToken = parsed.access_token ?? loginOutput.trim();
@@ -479,12 +485,12 @@ class BitwardenCredentialStore {
         }
         else {
             // Status is "unlocked" — already good, just need the session token
-            const unlockOutput = await execBw(["unlock", this.masterPassword, "--raw"], undefined, this.appDataDir);
+            const unlockOutput = await this.execBw(["unlock", this.masterPassword, "--raw"]);
             this.sessionToken = unlockOutput.trim();
         }
         // Sync vault data after obtaining a fresh session token
         /* v8 ignore next -- defensive: loginAttempt always sets sessionToken before sync @preserve */
-        await execBw(["sync"], this.sessionToken ?? undefined, this.appDataDir);
+        await this.execBw(["sync"], this.sessionToken ?? undefined);
     }
     async ensureSession() {
         if (!this.sessionToken) {
@@ -610,12 +616,12 @@ class BitwardenCredentialStore {
             const encoded = Buffer.from(JSON.stringify(item)).toString("base64");
             let savedItem;
             if (existing) {
-                const stdout = await execBw(["edit", "item", existing.id], session, this.appDataDir, encoded);
+                const stdout = await this.execBw(["edit", "item", existing.id], session, encoded);
                 const savedItemId = parseBwItemId(stdout) ?? existing.id;
                 savedItem = await this.findItemById(savedItemId, session);
             }
             else {
-                const stdout = await execBw(["create", "item"], session, this.appDataDir, encoded);
+                const stdout = await this.execBw(["create", "item"], session, encoded);
                 const savedItemId = parseBwItemId(stdout);
                 savedItem = savedItemId
                     ? await this.findItemById(savedItemId, session)
@@ -637,7 +643,7 @@ class BitwardenCredentialStore {
             message: "listing bw credentials",
             meta: { backend: "bitwarden" },
         });
-        const stdout = await this.withTransientRetry(() => this.withSessionRetry((session) => execBw(["list", "items"], session, this.appDataDir)));
+        const stdout = await this.withTransientRetry(() => this.withSessionRetry((session) => this.execBw(["list", "items"], session)));
         const items = parseBwItems(stdout, "bw list items");
         const results = items.map((item) => ({
             domain: item.name,
@@ -670,7 +676,7 @@ class BitwardenCredentialStore {
             });
             return false;
         }
-        await this.withSessionRetry((session) => execBw(["delete", "item", item.id], session, this.appDataDir));
+        await this.withSessionRetry((session) => this.execBw(["delete", "item", item.id], session));
         (0, runtime_1.emitNervesEvent)({
             event: "repertoire.bw_credential_delete_end",
             component: "repertoire",
@@ -683,24 +689,26 @@ class BitwardenCredentialStore {
     async findItemByDomain(domain, session) {
         if (shouldPreferExactItemLookup(domain)) {
             try {
-                const stdout = await execBw(["get", "item", domain], session, this.appDataDir);
+                const stdout = await this.execBw(["get", "item", domain], session);
                 const item = parseBwItem(stdout, "bw get item");
                 if (item.name === domain)
                     return item;
             }
             catch (error) {
                 const err = error;
+                if (isBwDirectLookupMissingError(err))
+                    return null;
                 if (!isBwDirectLookupFallbackError(err))
                     throw err;
             }
         }
-        const stdout = await execBw(["list", "items", "--search", domain], session, this.appDataDir);
+        const stdout = await this.execBw(["list", "items", "--search", domain], session);
         const items = parseBwItems(stdout, "bw list items --search");
         // Find exact match by name
         return items.find((item) => item.name === domain) ?? null;
     }
     async findItemById(id, session) {
-        const stdout = await execBw(["get", "item", id], session, this.appDataDir);
+        const stdout = await this.execBw(["get", "item", id], session);
         return parseBwItem(stdout, "bw get item");
     }
     assertStoredCredentialMatches(domain, data, item) {

package/dist/repertoire/bw-installer.js

@@ -5,12 +5,50 @@
  * Mirrors the whisper-cpp pattern in senses/bluebubbles/media.ts:
  * check PATH first, install via npm if missing, emit nerves event.
  */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.findExecutableOnPath = findExecutableOnPath;
+exports.findExecutableViaNpmPrefix = findExecutableViaNpmPrefix;
 exports.ensureBwCli = ensureBwCli;
 const node_child_process_1 = require("node:child_process");
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
 const runtime_1 = require("../nerves/runtime");
 const INSTALL_TIMEOUT_MS = 120_000;
 const WHICH_TIMEOUT_MS = 5_000;
+const DEFAULT_WINDOWS_PATHEXT = ".EXE;.CMD;.BAT;.COM";
 function execFileAsync(cmd, args, timeout) {
     return new Promise((resolve, reject) => {
         (0, node_child_process_1.execFile)(cmd, args, { timeout }, (err, stdout) => {
@@ -22,20 +60,88 @@ function execFileAsync(cmd, args, timeout) {
         });
     });
 }
+function stripWrappingQuotes(value) {
+    const trimmed = value.trim();
+    if (trimmed.startsWith("\"") && trimmed.endsWith("\"")) {
+        return trimmed.slice(1, -1);
+    }
+    return trimmed;
+}
+function isExecutableFile(targetPath, platform) {
+    try {
+        fs.accessSync(targetPath, platform === "win32" ? fs.constants.F_OK : fs.constants.X_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function executableNames(command, platform, pathExt) {
+    if (platform !== "win32")
+        return [command];
+    if (path.extname(command))
+        return [command];
+    const extensions = pathExt
+        .split(";")
+        .map((entry) => entry.trim())
+        .filter((entry) => entry.length > 0);
+    return extensions.length === 0
+        ? [command]
+        : extensions.map((extension) => (extension.startsWith(".") ? `${command}${extension}` : `${command}.${extension}`));
+}
+function findExecutableInDirectory(command, directory, platform, pathExt) {
+    const cleanDirectory = stripWrappingQuotes(directory);
+    if (!cleanDirectory)
+        return null;
+    for (const candidateName of executableNames(command, platform, pathExt)) {
+        const candidatePath = path.isAbsolute(candidateName)
+            ? candidateName
+            : path.join(cleanDirectory, candidateName);
+        if (isExecutableFile(candidatePath, platform)) {
+            return candidatePath;
+        }
+    }
+    return null;
+}
+function findExecutableOnPath(command, envPath = process.env.PATH ?? "", platform = process.platform, pathExt = process.env.PATHEXT ?? DEFAULT_WINDOWS_PATHEXT) {
+    if (path.isAbsolute(command) || command.includes(path.sep)) {
+        return isExecutableFile(command, platform) ? command : null;
+    }
+    for (const directory of envPath.split(path.delimiter)) {
+        const found = findExecutableInDirectory(command, directory, platform, pathExt);
+        if (found)
+            return found;
+    }
+    return null;
+}
+async function findExecutableViaNpmPrefix(command, platform = process.platform, pathExt = process.env.PATHEXT ?? DEFAULT_WINDOWS_PATHEXT) {
+    try {
+        const prefix = stripWrappingQuotes((await execFileAsync("npm", ["prefix", "-g"], WHICH_TIMEOUT_MS)).trim());
+        if (!prefix)
+            return null;
+        const searchDirs = platform === "win32"
+            ? [prefix, path.join(prefix, "bin")]
+            : [path.join(prefix, "bin"), prefix];
+        for (const directory of searchDirs) {
+            const found = findExecutableInDirectory(command, directory, platform, pathExt);
+            if (found)
+                return found;
+        }
+    }
+    catch {
+        // Prefix lookup is only a post-install fallback.
+    }
+    return null;
+}
 /**
  * Ensure the `bw` CLI is available, installing it via npm if needed.
  * Returns the path to the `bw` binary.
  */
 async function ensureBwCli() {
     // 1. Check if bw is already in PATH
-    try {
-        const existing = (await execFileAsync("which", ["bw"], WHICH_TIMEOUT_MS)).trim();
-        if (existing) {
-            return existing;
-        }
-    }
-    catch {
-        // Not found — fall through to install
+    const existing = findExecutableOnPath("bw");
+    if (existing) {
+        return existing;
     }
     // 2. Install via npm
     (0, runtime_1.emitNervesEvent)({
@@ -60,20 +166,15 @@ async function ensureBwCli() {
         throw new Error(`failed to install bw CLI via npm: ${reason}`);
     }
     // 3. Verify installation and return path
-    try {
-        const installed = (await execFileAsync("which", ["bw"], WHICH_TIMEOUT_MS)).trim();
-        if (installed) {
-            (0, runtime_1.emitNervesEvent)({
-                event: "repertoire.bw_cli_install_end",
-                component: "repertoire",
-                message: "bw CLI installed successfully",
-                meta: { path: installed },
-            });
-            return installed;
-        }
-    }
-    catch {
-        // Fall through to error
+    const installed = findExecutableOnPath("bw") ?? await findExecutableViaNpmPrefix("bw");
+    if (installed) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_cli_install_end",
+            component: "repertoire",
+            message: "bw CLI installed successfully",
+            meta: { path: installed },
+        });
+        return installed;
     }
-    throw new Error("bw CLI installed via npm but binary not found in PATH");
+    throw new Error("bw CLI installed via npm but binary not found in PATH or npm global bin");
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.436",
+  "version": "0.1.0-alpha.438",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",