@ouro.bot/cli 0.1.0-alpha.447 → 0.1.0-alpha.448

package/changelog.json

@@ -1,6 +1,14 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.448",
+      "changes": [
+        "`ouro status` and agent prompt provider visibility now distinguish \"the daemon has not loaded provider credentials in this process\" from \"the agent vault is missing credentials.\" A saved live check that passed stays ready instead of being downgraded to stale/missing just because status rendering is running in a fresh daemon process.",
+        "Provider visibility now carries a safe `not-loaded` credential state and renders it as `checked previously`, preserving the last live-check result without reading or printing secrets during ordinary status/prompt rendering.",
+        "Regression coverage locks the installed-product failure shape: an empty in-process provider cache plus ready provider state no longer produces misleading auth repair guidance."
+      ]
+    },
     {
       "version": "0.1.0-alpha.447",
       "changes": [

package/dist/heart/daemon/cli-exec.js

@@ -2966,7 +2966,7 @@ async function executeProviderCheck(command, deps) {
         throw error;
     }
 }
-function renderProviderCredentialLine(credential) {
+function renderProviderCredentialLine(agentName, credential) {
     if (credential.status === "present") {
         const credentialFields = credential.credentialFields.length > 0 ? ` credentials: ${credential.credentialFields.join(", ")}` : " credentials: none";
         const configFields = credential.configFields.length > 0 ? ` config: ${credential.configFields.join(", ")}` : " config: none";
@@ -2975,6 +2975,9 @@ function renderProviderCredentialLine(credential) {
     if (credential.status === "invalid-pool") {
         return `credentials: vault unavailable (${credential.error}); repair: ${credential.repair.command}`;
     }
+    if (credential.status === "not-loaded") {
+        return `credentials: not loaded in this process; run \`ouro provider refresh --agent ${agentName}\` to read the vault now`;
+    }
     return `credentials: missing; repair: ${credential.repair.command}`;
 }
 async function executeProviderStatus(command, deps) {
@@ -3010,7 +3013,7 @@ async function executeProviderStatus(command, deps) {
         const binding = resolved.binding;
         lines.push(`  ${lane}: ${binding.provider} / ${binding.model} (${binding.source})`);
         lines.push(`    readiness: ${binding.readiness.status}${binding.readiness.error ? ` (${binding.readiness.error})` : ""}`);
-        lines.push(`    ${renderProviderCredentialLine(binding.credential)}`);
+        lines.push(`    ${renderProviderCredentialLine(command.agent, binding.credential)}`);
         for (const warning of binding.warnings) {
             lines.push(`    warning: ${warning.message}`);
         }

package/dist/heart/provider-binding-resolver.js

@@ -89,6 +89,16 @@ function resolveCredential(poolResult, provider, agentName) {
             warnings: [missingCredentialWarning(provider)],
         };
     }
+    if ((0, provider_credentials_1.isProviderCredentialPoolNotLoaded)(poolResult)) {
+        return {
+            credential: {
+                status: "not-loaded",
+                provider,
+                poolPath: poolResult.poolPath,
+            },
+            warnings: [],
+        };
+    }
     if (poolResult.reason === "invalid" || poolResult.reason === "unavailable") {
         return {
             credential: {
@@ -130,6 +140,9 @@ function staleReadiness(readiness, reason) {
 }
 function resolveReadiness(input) {
     if (!input.readiness) {
+        if (input.credential.status === "not-loaded") {
+            return { readiness: { status: "unknown" }, warnings: [] };
+        }
         if (input.credential.status === "missing") {
             return { readiness: { status: "unknown", reason: "credential-missing" }, warnings: [] };
         }
@@ -170,6 +183,9 @@ function resolveReadiness(input) {
             warnings: [],
         };
     }
+    if (input.credential.status === "not-loaded") {
+        return { readiness: readinessFromState(input.readiness), warnings: [] };
+    }
     return { readiness: readinessFromState(input.readiness), warnings: [] };
 }
 function resolveEffectiveProviderBinding(input) {

package/dist/heart/provider-credentials.js

@@ -33,10 +33,12 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.PROVIDER_CREDENTIAL_POOL_NOT_LOADED_ERROR = void 0;
 exports.splitProviderCredentialFields = splitProviderCredentialFields;
 exports.providerCredentialsVaultPath = providerCredentialsVaultPath;
 exports.providerCredentialItemName = providerCredentialItemName;
 exports.providerCredentialMachineHomeDir = providerCredentialMachineHomeDir;
+exports.isProviderCredentialPoolNotLoaded = isProviderCredentialPoolNotLoaded;
 exports.readProviderCredentialPool = readProviderCredentialPool;
 exports.refreshProviderCredentialPool = refreshProviderCredentialPool;
 exports.createProviderCredentialRecord = createProviderCredentialRecord;
@@ -54,6 +56,7 @@ const credential_access_1 = require("../repertoire/credential-access");
 const VALID_PROVIDERS = ["azure", "minimax", "anthropic", "openai-codex", "github-copilot"];
 const VALID_PROVENANCE_SOURCES = ["auth-flow", "manual"];
 const VAULT_ITEM_PREFIX = "providers/";
+exports.PROVIDER_CREDENTIAL_POOL_NOT_LOADED_ERROR = "provider credentials have not been loaded from vault";
 const PROVIDER_FIELD_SPLITS = {
     anthropic: {
         credentials: ["setupToken", "refreshToken", "expiresAt"],
@@ -197,7 +200,7 @@ function recordFromPayload(payload) {
         provenance: { ...payload.provenance },
     };
 }
-function missingPool(agentName, error = "provider credentials have not been loaded from vault") {
+function missingPool(agentName, error = exports.PROVIDER_CREDENTIAL_POOL_NOT_LOADED_ERROR) {
     return {
         ok: false,
         reason: "missing",
@@ -205,6 +208,11 @@ function missingPool(agentName, error = "provider credentials have not been load
         error,
     };
 }
+function isProviderCredentialPoolNotLoaded(result) {
+    return !result.ok
+        && result.reason === "missing"
+        && result.error === exports.PROVIDER_CREDENTIAL_POOL_NOT_LOADED_ERROR;
+}
 function cacheResult(agentName, result) {
     cachedPools.set(agentName, result);
     return result;

package/dist/heart/provider-visibility.js

@@ -21,7 +21,7 @@ function credentialVisibility(binding) {
     }
     return {
         status: credential.status,
-        repairCommand: credential.repair.command,
+        ...("repair" in credential ? { repairCommand: credential.repair.command } : {}),
     };
 }
 function readinessVisibility(binding) {
@@ -87,6 +87,8 @@ function credentialLabel(credential) {
         return credential.source ?? "vault";
     if (credential.status === "invalid-pool")
         return "vault unavailable";
+    if (credential.status === "not-loaded")
+        return "checked previously";
     return "missing";
 }
 function readinessLabel(readiness) {
@@ -102,7 +104,7 @@ function readinessLabel(readiness) {
     return readiness.status;
 }
 function providerStatusDetail(lane) {
-    if (lane.credential.status !== "present")
+    if (lane.credential.status === "missing" || lane.credential.status === "invalid-pool")
         return undefined;
     return lane.readiness.error;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.447",
+  "version": "0.1.0-alpha.448",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",