@ouro.bot/cli 0.1.0-alpha.440 → 0.1.0-alpha.441

package/changelog.json

@@ -1,6 +1,14 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.441",
+      "changes": [
+        "`ouro up` now lets the shared startup TUI own the masthead render path, so the screen no longer double-prints into scrollback and the shipped banner is a clean, correctly spelled classic `OUROBOROS` wordmark.",
+        "Vault unlock lookup now normalizes the canonical vault host while still reusing previously saved local unlock material from legacy vault coordinates, so a machine that already unlocked an agent vault does not get treated like it forgot after harmless vault-host drift.",
+        "macOS keychain read failures now surface as truthful local-store errors instead of being mislabeled as a locked vault, and new masthead/vault coverage plus packaged-install verification lock the fix into the shipped CLI."
+      ]
+    },
     {
       "version": "0.1.0-alpha.440",
       "changes": [

package/dist/heart/daemon/cli-exec.js

@@ -91,7 +91,6 @@ const agentic_repair_1 = require("./agentic-repair");
 const readiness_repair_1 = require("./readiness-repair");
 const human_readiness_1 = require("./human-readiness");
 const human_command_screens_1 = require("./human-command-screens");
-const terminal_ui_1 = require("./terminal-ui");
 const startup_tui_1 = require("./startup-tui");
 const stale_bundle_prune_1 = require("./stale-bundle-prune");
 const up_progress_1 = require("./up-progress");
@@ -3933,13 +3932,6 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
         }
         const linkedVersionBeforeUp = deps.getCurrentCliVersion?.() ?? null;
         const outputIsTTY = deps.isTTY ?? process.stdout.isTTY === true;
-        if (outputIsTTY && deps.writeRaw) {
-            deps.writeRaw(`${(0, terminal_ui_1.renderOuroMasthead)({
-                isTTY: true,
-                columns: deps.stdoutColumns ?? process.stdout.columns,
-                subtitle: "Preparing the house.",
-            }).trimEnd()}\n\n`);
-        }
         const progress = new up_progress_1.UpProgress({
             write: deps.writeRaw ?? deps.writeStdout,
             isTTY: outputIsTTY,

package/dist/heart/daemon/terminal-ui.js

@@ -17,6 +17,14 @@ const GLOW = "\x1b[38;2;74;227;108m";
 const BONE = "\x1b[38;2;237;242;238m";
 const MIST = "\x1b[38;2;154;174;159m";
 const ANSI_RE = /\x1b\[[0-9;]*m/g;
+const MASTHEAD_WORD = "OUROBOROS";
+const CLASSIC_WORDMARK_GLYPHS = {
+    O: ["  ___  ", " / _ \\ ", "| | | |", "| |_| |", " \\___/ "],
+    U: [" _   _ ", "| | | |", "| | | |", "| |_| |", " \\___/ "],
+    R: [" ____  ", "|  _ \\ ", "| |_) |", "|  _ < ", "|_| \\_\\"],
+    B: [" ____  ", "| __ ) ", "|  _ \\ ", "| |_) |", "|____/ "],
+    S: [" ____  ", "/ ___| ", "\\___ \\ ", " ___) |", "|____/ "],
+};
 function color(text, tone, bold = false) {
     if (!text)
         return text;
@@ -87,16 +95,14 @@ function renderPanelPlain(title, lines) {
 }
 function mastheadArt(columns) {
     if ((columns ?? 88) >= 74) {
-        return [
-            "              .----------------------------.",
-            "          .--'    O U R O B O R O S        '--.",
-            "        .'       .--------------------.       '.",
-            "       /        /  .--------------.   \\        \\",
-            "       \\        \\  '--------------'   /        /",
-            "        '.       '--------------------'      .'",
-            "          '--._                          _.--'",
-            "               '------------------------'",
-        ];
+        const rows = Array.from({ length: 5 }, () => []);
+        for (const letter of MASTHEAD_WORD.split("")) {
+            const glyph = CLASSIC_WORDMARK_GLYPHS[letter];
+            for (const [index, line] of glyph.entries()) {
+                rows[index].push(line);
+            }
+        }
+        return rows.map((row) => row.join(" "));
     }
     return [
         "  O U R O B O R O S",
@@ -108,7 +114,7 @@ function renderOuroMasthead(options) {
     const subtitle = options.subtitle ?? "the house wakes when called";
     const branded = [
         ...lines,
-        "OUROBOROS",
+        MASTHEAD_WORD,
         subtitle,
     ];
     if (!options.isTTY) {
@@ -116,7 +122,7 @@ function renderOuroMasthead(options) {
     }
     const ttyLines = [
         ...lines.map((line, index) => color(line, index < 2 ? GLOW : SCALE, true)),
-        color("OUROBOROS", BONE, true),
+        color(MASTHEAD_WORD, BONE, true),
         color(subtitle, MIST),
     ];
     return `${ttyLines.join("\n")}\n`;

package/dist/heart/identity.js

@@ -33,7 +33,9 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.HARNESS_CANONICAL_REPO_URL = exports.DEFAULT_AGENT_SENSES = exports.DEFAULT_VAULT_SERVER_URL = exports.DEFAULT_AGENT_PHRASES = exports.DEFAULT_AGENT_CONTEXT = exports.PROVIDER_CREDENTIALS = void 0;
+exports.HARNESS_CANONICAL_REPO_URL = exports.DEFAULT_AGENT_SENSES = exports.LEGACY_VAULT_SERVER_URL_ALIASES = exports.DEFAULT_VAULT_SERVER_URL = exports.DEFAULT_AGENT_PHRASES = exports.DEFAULT_AGENT_CONTEXT = exports.PROVIDER_CREDENTIALS = void 0;
+exports.normalizeVaultServerUrl = normalizeVaultServerUrl;
+exports.getVaultServerUrlCandidates = getVaultServerUrlCandidates;
 exports.defaultStableVaultEmail = defaultStableVaultEmail;
 exports.resolveVaultConfig = resolveVaultConfig;
 exports.normalizeSenses = normalizeSenses;
@@ -77,6 +79,40 @@ exports.DEFAULT_AGENT_PHRASES = {
     followup: ["processing"],
 };
 exports.DEFAULT_VAULT_SERVER_URL = "https://vault.ouroboros.bot";
+exports.LEGACY_VAULT_SERVER_URL_ALIASES = [
+    "https://vault.ouro.bot",
+    "https://ouro-vault.gentleflower-74452a1e.eastus2.azurecontainerapps.io",
+];
+function normalizeVaultServerUrl(serverUrl) {
+    const trimmed = serverUrl.trim();
+    const withoutTrailingSlash = trimmed.replace(/\/+$/, "");
+    if (!withoutTrailingSlash) {
+        return exports.DEFAULT_VAULT_SERVER_URL;
+    }
+    if (exports.LEGACY_VAULT_SERVER_URL_ALIASES.includes(withoutTrailingSlash)) {
+        return exports.DEFAULT_VAULT_SERVER_URL;
+    }
+    return withoutTrailingSlash;
+}
+function getVaultServerUrlCandidates(serverUrl) {
+    const raw = serverUrl.trim();
+    const withoutTrailingSlash = raw.replace(/\/+$/, "");
+    const normalized = normalizeVaultServerUrl(serverUrl);
+    const candidates = [normalized];
+    for (const candidate of [withoutTrailingSlash, raw]) {
+        if (candidate && !candidates.includes(candidate)) {
+            candidates.push(candidate);
+        }
+    }
+    if (normalized === exports.DEFAULT_VAULT_SERVER_URL) {
+        for (const alias of exports.LEGACY_VAULT_SERVER_URL_ALIASES) {
+            if (!candidates.includes(alias)) {
+                candidates.push(alias);
+            }
+        }
+    }
+    return candidates;
+}
 function defaultStableVaultEmail(agentName) {
     const local = agentName
         .toLowerCase()
@@ -91,7 +127,7 @@ function defaultStableVaultEmail(agentName) {
 function resolveVaultConfig(agentName, config) {
     return {
         email: config?.email ?? defaultStableVaultEmail(agentName),
-        serverUrl: config?.serverUrl ?? exports.DEFAULT_VAULT_SERVER_URL,
+        serverUrl: normalizeVaultServerUrl(config?.serverUrl ?? exports.DEFAULT_VAULT_SERVER_URL),
     };
 }
 exports.DEFAULT_AGENT_SENSES = {

package/dist/repertoire/vault-unlock.js

@@ -48,6 +48,7 @@ const fs = __importStar(require("node:fs"));
 const os = __importStar(require("node:os"));
 const path = __importStar(require("node:path"));
 const runtime_1 = require("../nerves/runtime");
+const identity_1 = require("../heart/identity");
 const VAULT_UNLOCK_SERVICE = "ouro.vault";
 const CREDENTIAL_VAULT_NOT_CONFIGURED_PREFIX = "credential vault is not configured in ";
 const PLAINTEXT_UNLOCK_DIR = path.join(".ouro-cli", "vault-unlock");
@@ -68,6 +69,19 @@ function vaultKey(config) {
 function vaultLabel(config) {
     return `${config.email} at ${config.serverUrl}`;
 }
+function canonicalizeVaultUnlockConfig(config) {
+    return {
+        ...config,
+        serverUrl: (0, identity_1.normalizeVaultServerUrl)(config.serverUrl),
+    };
+}
+function vaultConfigCandidates(config) {
+    const canonical = canonicalizeVaultUnlockConfig(config);
+    return (0, identity_1.getVaultServerUrlCandidates)(config.serverUrl).map((serverUrl) => ({
+        ...canonical,
+        serverUrl,
+    }));
+}
 function plaintextUnlockPath(config, deps) {
     const digest = crypto.createHash("sha256").update(vaultKey(config)).digest("hex").slice(0, 24);
     return path.join(homeDir(deps), PLAINTEXT_UNLOCK_DIR, `${digest}.secret`);
@@ -179,6 +193,7 @@ function validateStoreKind(store) {
     return requested;
 }
 function resolveVaultUnlockStore(config, deps = {}) {
+    const canonicalConfig = canonicalizeVaultUnlockConfig(config);
     const requested = validateStoreKind(deps.store);
     const currentPlatform = platform(deps);
     if (requested === "macos-keychain") {
@@ -200,33 +215,89 @@ function resolveVaultUnlockStore(config, deps = {}) {
         if (currentPlatform !== "win32") {
             throw new Error(`windows-dpapi unlock store is only available on Windows; this machine is ${currentPlatform}.`);
         }
-        return { kind: "windows-dpapi", secure: true, location: windowsDpapiUnlockPath(config, deps) };
+        return { kind: "windows-dpapi", secure: true, location: windowsDpapiUnlockPath(canonicalConfig, deps) };
     }
     if (requested === "plaintext-file") {
-        return { kind: "plaintext-file", secure: false, location: plaintextUnlockPath(config, deps) };
+        return { kind: "plaintext-file", secure: false, location: plaintextUnlockPath(canonicalConfig, deps) };
     }
     if (currentPlatform === "darwin") {
         return { kind: "macos-keychain", secure: true, location: "macOS Keychain" };
     }
     if (currentPlatform === "win32") {
-        return { kind: "windows-dpapi", secure: true, location: windowsDpapiUnlockPath(config, deps) };
+        return { kind: "windows-dpapi", secure: true, location: windowsDpapiUnlockPath(canonicalConfig, deps) };
     }
     if (currentPlatform === "linux" && commandExists("secret-tool", deps)) {
         return { kind: "linux-secret-service", secure: true, location: "Secret Service via secret-tool" };
     }
-    throw new Error(missingSecureStoreMessage(config));
+    throw new Error(missingSecureStoreMessage(canonicalConfig));
 }
-function readFromMacosKeychain(config, deps) {
+function readFromMacosKeychainExact(accountKey, deps) {
     const result = spawnSync(deps)("security", [
         "find-generic-password",
         "-s",
         VAULT_UNLOCK_SERVICE,
         "-a",
-        vaultKey(config),
+        accountKey,
         "-w",
     ], { encoding: "utf8" });
     const secret = typeof result.stdout === "string" ? result.stdout.trim() : "";
-    return result.status === 0 && secret ? secret : null;
+    if (result.status === 0) {
+        return secret || null;
+    }
+    const stderr = typeof result.stderr === "string" ? result.stderr.trim() : "";
+    const error = result.error instanceof Error ? result.error.message : "";
+    const detail = stderr || error;
+    if (!detail || /could not be found in the keychain/i.test(detail)) {
+        return null;
+    }
+    throw new Error(`failed to read vault unlock secret from macOS Keychain: ${detail}`);
+}
+function noteVaultUnlockSelfHeal(config, storeKind, sourceServerUrl) {
+    (0, runtime_1.emitNervesEvent)({
+        component: "repertoire",
+        event: "repertoire.vault_unlock_self_healed",
+        message: "rewrote local unlock material using canonical vault coordinates",
+        meta: {
+            store: storeKind,
+            email: config.email,
+            sourceServerUrl,
+            targetServerUrl: config.serverUrl,
+        },
+    });
+}
+function warnVaultUnlockSelfHealFailure(config, storeKind, sourceServerUrl, error) {
+    (0, runtime_1.emitNervesEvent)({
+        level: "warn",
+        component: "repertoire",
+        event: "repertoire.vault_unlock_self_heal_failed",
+        message: "failed to rewrite local unlock material using canonical vault coordinates",
+        meta: {
+            store: storeKind,
+            email: config.email,
+            sourceServerUrl,
+            targetServerUrl: config.serverUrl,
+            error: error instanceof Error ? error.message : String(error),
+        },
+    });
+}
+function readFromMacosKeychain(config, deps) {
+    const candidates = vaultConfigCandidates(config);
+    for (const [index, candidate] of candidates.entries()) {
+        const secret = readFromMacosKeychainExact(vaultKey(candidate), deps);
+        if (!secret)
+            continue;
+        if (index > 0) {
+            try {
+                writeToMacosKeychain(config, secret, deps);
+                noteVaultUnlockSelfHeal(config, "macos-keychain", candidate.serverUrl);
+            }
+            catch (error) {
+                warnVaultUnlockSelfHealFailure(config, "macos-keychain", candidate.serverUrl, error);
+            }
+        }
+        return secret;
+    }
+    return null;
 }
 function writeToMacosKeychain(config, secret, deps) {
     const result = spawnSync(deps)("security", [
@@ -244,16 +315,44 @@ function writeToMacosKeychain(config, secret, deps) {
         throw new Error(`failed to store vault unlock secret in macOS Keychain${stderr ? `: ${stderr}` : ""}`);
     }
 }
-function readFromLinuxSecretService(config, deps) {
+function readFromLinuxSecretServiceExact(accountKey, deps) {
     const result = spawnSync(deps)("secret-tool", [
         "lookup",
         "service",
         VAULT_UNLOCK_SERVICE,
         "account",
-        vaultKey(config),
+        accountKey,
     ], { encoding: "utf8" });
     const secret = typeof result.stdout === "string" ? result.stdout.trim() : "";
-    return result.status === 0 && secret ? secret : null;
+    if (result.status === 0) {
+        return secret || null;
+    }
+    const stderr = typeof result.stderr === "string" ? result.stderr.trim() : "";
+    const error = result.error instanceof Error ? result.error.message : "";
+    const detail = stderr || error;
+    if (!detail || /not found/i.test(detail)) {
+        return null;
+    }
+    throw new Error(`failed to read vault unlock secret from Linux Secret Service: ${detail}`);
+}
+function readFromLinuxSecretService(config, deps) {
+    const candidates = vaultConfigCandidates(config);
+    for (const [index, candidate] of candidates.entries()) {
+        const secret = readFromLinuxSecretServiceExact(vaultKey(candidate), deps);
+        if (!secret)
+            continue;
+        if (index > 0) {
+            try {
+                writeToLinuxSecretService(config, secret, deps);
+                noteVaultUnlockSelfHeal(config, "linux-secret-service", candidate.serverUrl);
+            }
+            catch (error) {
+                warnVaultUnlockSelfHealFailure(config, "linux-secret-service", candidate.serverUrl, error);
+            }
+        }
+        return secret;
+    }
+    return null;
 }
 function writeToLinuxSecretService(config, secret, deps) {
     const result = spawnSync(deps)("secret-tool", [
@@ -306,7 +405,7 @@ if ($payload.mode -eq "protect") {
     }
     return typeof result.stdout === "string" ? result.stdout : "";
 }
-function readFromWindowsDpapi(config, deps) {
+function readFromWindowsDpapiExact(config, deps) {
     const filePath = windowsDpapiUnlockPath(config, deps);
     if (!fs.existsSync(filePath))
         return null;
@@ -316,13 +415,32 @@ function readFromWindowsDpapi(config, deps) {
     const secret = runWindowsDpapi("unprotect", { ciphertext }, deps).trim();
     return secret || null;
 }
+function readFromWindowsDpapi(config, deps) {
+    const candidates = vaultConfigCandidates(config);
+    for (const [index, candidate] of candidates.entries()) {
+        const secret = readFromWindowsDpapiExact(candidate, deps);
+        if (!secret)
+            continue;
+        if (index > 0) {
+            try {
+                writeToWindowsDpapi(config, secret, deps);
+                noteVaultUnlockSelfHeal(config, "windows-dpapi", candidate.serverUrl);
+            }
+            catch (error) {
+                warnVaultUnlockSelfHealFailure(config, "windows-dpapi", candidate.serverUrl, error);
+            }
+        }
+        return secret;
+    }
+    return null;
+}
 function writeToWindowsDpapi(config, secret, deps) {
     const filePath = windowsDpapiUnlockPath(config, deps);
     const ciphertext = runWindowsDpapi("protect", { secret }, deps).trim();
     fs.mkdirSync(path.dirname(filePath), { recursive: true });
     fs.writeFileSync(filePath, `${ciphertext}\n`, "utf8");
 }
-function readFromPlaintextFile(config, deps) {
+function readFromPlaintextFileExact(config, deps) {
     const filePath = plaintextUnlockPath(config, deps);
     if (!fs.existsSync(filePath))
         return null;
@@ -335,6 +453,25 @@ function readFromPlaintextFile(config, deps) {
     const secret = fs.readFileSync(filePath, "utf8").trim();
     return secret || null;
 }
+function readFromPlaintextFile(config, deps) {
+    const candidates = vaultConfigCandidates(config);
+    for (const [index, candidate] of candidates.entries()) {
+        const secret = readFromPlaintextFileExact(candidate, deps);
+        if (!secret)
+            continue;
+        if (index > 0) {
+            try {
+                writeToPlaintextFile(config, secret, deps);
+                noteVaultUnlockSelfHeal(config, "plaintext-file", candidate.serverUrl);
+            }
+            catch (error) {
+                warnVaultUnlockSelfHealFailure(config, "plaintext-file", candidate.serverUrl, error);
+            }
+        }
+        return secret;
+    }
+    return null;
+}
 function writeToPlaintextFile(config, secret, deps) {
     const filePath = plaintextUnlockPath(config, deps);
     fs.mkdirSync(path.dirname(filePath), { recursive: true, mode: 0o700 });
@@ -369,10 +506,11 @@ function writeToStore(config, store, secret, deps) {
     writeToPlaintextFile(config, secret, deps);
 }
 function readVaultUnlockSecret(config, deps = {}) {
-    const store = resolveVaultUnlockStore(config, deps);
-    const secret = readFromStore(config, store, deps);
+    const canonicalConfig = canonicalizeVaultUnlockConfig(config);
+    const store = resolveVaultUnlockStore(canonicalConfig, deps);
+    const secret = readFromStore(canonicalConfig, store, deps);
     if (!secret) {
-        throw new Error(lockedMessage(config, store));
+        throw new Error(lockedMessage(canonicalConfig, store));
     }
     (0, runtime_1.emitNervesEvent)({
         component: "repertoire",
@@ -383,12 +521,13 @@ function readVaultUnlockSecret(config, deps = {}) {
     return { secret, store };
 }
 function storeVaultUnlockSecret(config, secret, deps = {}) {
+    const canonicalConfig = canonicalizeVaultUnlockConfig(config);
     const trimmed = secret.trim();
     if (!trimmed) {
         throw new Error("vault unlock secret is required");
     }
-    const store = resolveVaultUnlockStore(config, deps);
-    writeToStore(config, store, trimmed, deps);
+    const store = resolveVaultUnlockStore(canonicalConfig, deps);
+    writeToStore(canonicalConfig, store, trimmed, deps);
     (0, runtime_1.emitNervesEvent)({
         component: "repertoire",
         event: "repertoire.vault_unlock_stored",
@@ -399,15 +538,16 @@ function storeVaultUnlockSecret(config, secret, deps = {}) {
 }
 function getVaultUnlockStatus(config, deps = {}) {
     try {
-        const store = resolveVaultUnlockStore(config, deps);
-        const stored = !!readFromStore(config, store, deps);
+        const canonicalConfig = canonicalizeVaultUnlockConfig(config);
+        const store = resolveVaultUnlockStore(canonicalConfig, deps);
+        const stored = !!readFromStore(canonicalConfig, store, deps);
         return {
             configured: true,
             stored,
             store,
             fix: stored
                 ? "Vault unlock secret is available on this machine."
-                : lockedMessage(config, store),
+                : lockedMessage(canonicalConfig, store),
         };
     }
     catch (error) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.440",
+  "version": "0.1.0-alpha.441",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",