@ouro.bot/cli 0.1.0-alpha.456 → 0.1.0-alpha.458

package/changelog.json

@@ -1,6 +1,22 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.458",
+      "changes": [
+        "Agent Mail setup guidance now explicitly forbids telling the human to run setup CLI commands; the agent must run `ouro account ensure`, `ouro connect mail`, `ouro mail import-mbox`, `ouro status`, and `ouro doctor` itself when doing setup.",
+        "If the agent's current surface cannot run shell/tools, the setup contract now says to move to a tool-capable Ouro setup session or companion instead of offloading CLI operation to the human.",
+        "Prompt and runbook contract tests now cover the live failure mode where the agent says it owns setup but still asks Ari to run `ouro connect mail`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.457",
+      "changes": [
+        "Agent Mail setup is now explicitly agent-guided in the system prompt and runbook: when a human asks an agent to set up email, the agent should lead the flow, run agent-runnable commands itself, ask only for human-required browser/file/confirmation steps, and verify each step before continuing.",
+        "`ouro account ensure` and `ouro connect mail` now accept non-interactive mail source flags (`--owner-email`, `--source`, and `--no-delegated-source`), so an agent can provision Mailroom after collecting the needed human answer instead of relying on an interactive prompt.",
+        "Mailroom repair and setup guidance now labels repair as agent-runnable, avoids the false `ouro doctor --agent` path, and keeps HEY MBOX import as an agent-run command after the human provides the browser-exported file path."
+      ]
+    },
     {
       "version": "0.1.0-alpha.456",
       "changes": [

package/dist/heart/daemon/cli-exec.js

@@ -2698,7 +2698,16 @@ function mailroomPrivateKeys(mailroom) {
     const keys = isPlainRecord(mailroom?.privateKeys) ? mailroom.privateKeys : {};
     return Object.fromEntries(Object.entries(keys).filter((entry) => typeof entry[1] === "string"));
 }
-async function promptDelegatedMailSource(deps) {
+async function promptDelegatedMailSource(deps, input = {}) {
+    if (input.noDelegatedSource)
+        return { ownerEmail: "", source: "" };
+    if (input.ownerEmail !== undefined) {
+        const ownerEmail = input.ownerEmail.trim();
+        return {
+            ownerEmail,
+            source: ownerEmail ? (input.source?.trim() || "hey") : "",
+        };
+    }
     const promptInput = requirePromptInput(deps, "Agent Mail setup");
     const ownerEmail = (await promptInput("Delegated owner email for first source alias [blank to skip]: ")).trim();
     const source = ownerEmail
@@ -2768,7 +2777,7 @@ async function ensureAgentMailroom(agent, input, deps, progressLabel) {
     const syncSummary = pushAgentBundleAfterCliMutation(agent, deps);
     return { mailboxAddress, sourceAlias, registryPath, storePath, stored, syncSummary };
 }
-async function executeConnectMail(agent, deps) {
+async function executeConnectMail(agent, deps, input = {}) {
     writeConnectorIntro(deps, {
         title: "Connect Agent Mail",
         subtitle: `${agent} gets a private Mailroom identity and delegated source lane.`,
@@ -2803,7 +2812,7 @@ async function executeConnectMail(agent, deps) {
             "The registry and encrypted local store live under the agent bundle state.",
         ],
     });
-    const setup = await promptDelegatedMailSource(deps);
+    const setup = await promptDelegatedMailSource(deps, input);
     const outcome = await ensureAgentMailroom(agent, setup, deps, "connect mail");
     return writeCapabilityOutcome(deps, {
         subtitle: `${agent}'s Mail sense is configured.`,
@@ -2865,7 +2874,7 @@ async function executeAccountEnsure(command, deps) {
             "This creates or preserves runtime/config Mailroom coordinates and enables the Mail sense.",
         ],
     });
-    const setup = await promptDelegatedMailSource(deps);
+    const setup = await promptDelegatedMailSource(deps, command);
     const outcome = await ensureAgentMailroom(command.agent, setup, deps, "account ensure");
     return writeCapabilityOutcome(deps, {
         subtitle: `${command.agent}'s work substrate account is configured.`,
@@ -2912,13 +2921,13 @@ async function executeMailImportMbox(command, deps) {
         const mailroom = runtime.config.mailroom;
         if (!mailroom || typeof mailroom !== "object" || Array.isArray(mailroom)) {
             progress.end();
-            throw new Error(`missing mailroom config for ${command.agent}; run 'ouro connect mail --agent ${command.agent}' first`);
+            throw new Error(`missing mailroom config for ${command.agent}; agent-runnable repair: 'ouro connect mail --agent ${command.agent}'`);
         }
         const registryPath = stringField(mailroom, "registryPath");
         const storePath = stringField(mailroom, "storePath");
         if (!registryPath || !storePath) {
             progress.end();
-            throw new Error(`mailroom config for ${command.agent} is missing registryPath/storePath; run 'ouro connect mail --agent ${command.agent}' again`);
+            throw new Error(`mailroom config for ${command.agent} is missing registryPath/storePath; agent-runnable repair: 'ouro connect mail --agent ${command.agent}'`);
         }
         progress.updateDetail("reading registry and MBOX");
         const registry = JSON.parse(fs.readFileSync(registryPath, "utf-8"));
@@ -3009,7 +3018,7 @@ async function executeConnect(command, deps) {
     if (command.target === "bluebubbles")
         return executeConnectBlueBubbles(command.agent, deps);
     if (command.target === "mail")
-        return executeConnectMail(command.agent, deps);
+        return executeConnectMail(command.agent, deps, command);
     const progress = createHumanCommandProgress(deps, "connect");
     let menu;
     try {

package/dist/heart/daemon/cli-help.js

@@ -313,13 +313,13 @@ const SUBCOMMAND_HELP = {
     },
     "connect mail": {
         description: "Provision portable Agent Mail / Mailroom access and enable the Mail sense",
-        usage: "ouro connect mail [--agent <name>]",
-        example: "ouro connect mail",
+        usage: "ouro connect mail [--agent <name>] [--owner-email <email> --source <label>|--no-delegated-source]",
+        example: "ouro connect mail --agent slugger --owner-email ari@mendelow.me --source hey",
     },
     "account ensure": {
         description: "Idempotently prepare an agent's vault-backed work substrate account and private Mailroom mailbox",
-        usage: "ouro account ensure [--agent <name>]",
-        example: "ouro account ensure --agent slugger",
+        usage: "ouro account ensure [--agent <name>] [--owner-email <email> --source <label>|--no-delegated-source]",
+        example: "ouro account ensure --agent slugger --owner-email ari@mendelow.me --source hey",
     },
     "mail import-mbox": {
         description: "Import a HEY or other MBOX export into an existing delegated Mailroom source grant",

package/dist/heart/daemon/cli-parse.js

@@ -83,8 +83,8 @@ function usage() {
         "  ouro config model [--agent <name>] <model-name>",
         "  ouro config models [--agent <name>]",
         "  ouro auth [--agent <name>] [--provider <provider>]",
-        "  ouro account ensure [--agent <name>]",
-        "  ouro connect [providers|perplexity|embeddings|teams|bluebubbles|mail] [--agent <name>]",
+        "  ouro account ensure [--agent <name>] [--owner-email <email> --source <label>|--no-delegated-source]",
+        "  ouro connect [providers|perplexity|embeddings|teams|bluebubbles|mail] [--agent <name>] [--owner-email <email> --source <label>|--no-delegated-source]",
         "  ouro mail import-mbox --file <path> [--owner-email <email>] [--source <label>] [--agent <name>]",
         "  ouro auth verify [--agent <name>] [--provider <provider>]",
         "  ouro auth switch [--agent <name>] --provider <provider>",
@@ -606,12 +606,67 @@ function normalizeConnectTarget(value) {
         return "mail";
     throw new Error("Usage: ouro connect [providers|perplexity|embeddings|teams|bluebubbles|mail] [--agent <name>]");
 }
+function extractMailSourceFlags(args, usageText) {
+    const rest = [];
+    let ownerEmail;
+    let source;
+    let noDelegatedSource = false;
+    let hasMailSourceFlags = false;
+    for (let i = 0; i < args.length; i += 1) {
+        const token = args[i];
+        if (token === "--owner-email") {
+            if (args[i + 1] === undefined)
+                throw new Error(usageText);
+            ownerEmail = args[++i];
+            hasMailSourceFlags = true;
+            continue;
+        }
+        if (token === "--source") {
+            if (args[i + 1] === undefined)
+                throw new Error(usageText);
+            source = args[++i];
+            hasMailSourceFlags = true;
+            continue;
+        }
+        if (token === "--no-delegated-source") {
+            noDelegatedSource = true;
+            hasMailSourceFlags = true;
+            continue;
+        }
+        rest.push(token);
+    }
+    if (noDelegatedSource && (ownerEmail !== undefined || source !== undefined)) {
+        throw new Error("--no-delegated-source cannot be combined with --owner-email or --source");
+    }
+    if (source !== undefined && ownerEmail === undefined) {
+        throw new Error("--source requires --owner-email");
+    }
+    return {
+        rest,
+        ...(ownerEmail !== undefined ? { ownerEmail } : {}),
+        ...(source !== undefined ? { source } : {}),
+        ...(noDelegatedSource ? { noDelegatedSource: true } : {}),
+        hasMailSourceFlags,
+    };
+}
 function parseConnectCommand(args) {
-    const { agent, rest } = extractAgentFlag(args);
-    if (rest.length > 1)
-        throw new Error("Usage: ouro connect [providers|perplexity|embeddings|teams|bluebubbles|mail] [--agent <name>]");
-    const target = normalizeConnectTarget(rest[0]);
-    return { kind: "connect", ...(agent ? { agent } : {}), ...(target ? { target } : {}) };
+    const usageText = "Usage: ouro connect [providers|perplexity|embeddings|teams|bluebubbles|mail] [--agent <name>] [--owner-email <email> --source <label>|--no-delegated-source]";
+    const { agent, rest: afterAgent } = extractAgentFlag(args);
+    const mailFlags = extractMailSourceFlags(afterAgent, usageText);
+    if (mailFlags.rest.length > 1)
+        throw new Error(usageText);
+    const target = normalizeConnectTarget(mailFlags.rest[0]);
+    if (mailFlags.hasMailSourceFlags && target !== "mail") {
+        throw new Error("Mail source flags require `ouro connect mail`.");
+    }
+    return {
+        kind: "connect",
+        ...(agent ? { agent } : {}),
+        ...(target ? { target } : {}),
+        ...(mailFlags.ownerEmail !== undefined ? { ownerEmail: mailFlags.ownerEmail } : {}),
+        ...(mailFlags.source !== undefined ? { source: mailFlags.source } : {}),
+        ...(mailFlags.noDelegatedSource ? { noDelegatedSource: true } : {}),
+    };
 }
 function parseMailCommand(args) {
     const [sub, ...subArgs] = args;
@@ -651,13 +706,21 @@ function parseMailCommand(args) {
 }
 function parseAccountCommand(args) {
     const [sub, ...subArgs] = args;
+    const usageText = "Usage: ouro account ensure [--agent <name>] [--owner-email <email> --source <label>|--no-delegated-source]";
     if (sub !== "ensure") {
-        throw new Error("Usage: ouro account ensure [--agent <name>]");
+        throw new Error(usageText);
     }
-    const { agent, rest } = extractAgentFlag(subArgs);
-    if (rest.length > 0)
-        throw new Error("Usage: ouro account ensure [--agent <name>]");
-    return { kind: "account.ensure", ...(agent ? { agent } : {}) };
+    const { agent, rest: afterAgent } = extractAgentFlag(subArgs);
+    const mailFlags = extractMailSourceFlags(afterAgent, usageText);
+    if (mailFlags.rest.length > 0)
+        throw new Error(usageText);
+    return {
+        kind: "account.ensure",
+        ...(agent ? { agent } : {}),
+        ...(mailFlags.ownerEmail !== undefined ? { ownerEmail: mailFlags.ownerEmail } : {}),
+        ...(mailFlags.source !== undefined ? { source: mailFlags.source } : {}),
+        ...(mailFlags.noDelegatedSource ? { noDelegatedSource: true } : {}),
+    };
 }
 function parseProviderUseCommand(args) {
     const { agent, rest: afterAgent } = extractAgentFlag(args);

package/dist/heart/daemon/sense-manager.js

@@ -194,7 +194,7 @@ function senseRepairHint(agent, sense) {
         return `Run 'ouro vault config set --agent ${agent} --key teams.clientId', teams.clientSecret, and teams.tenantId; then run 'ouro up' again.`;
     }
     if (sense === "mail") {
-        return `Run 'ouro connect mail --agent ${agent}' to provision Mailroom access; then run 'ouro up' again.`;
+        return `Agent-runnable: provision Mailroom access with 'ouro connect mail --agent ${agent}', then restart with 'ouro up'.`;
     }
     return `Run 'ouro connect bluebubbles --agent ${agent}' to attach BlueBubbles on this machine; then run 'ouro up' again.`;
 }

package/dist/mailroom/reader.js

@@ -121,7 +121,7 @@ function resolveMailroomReader(agentName = (0, identity_2.getAgentName)()) {
             ok: false,
             agentName,
             reason: "auth-required",
-            error: `AUTH_REQUIRED:mailroom -- Mail is not available because ${runtime.itemPath} is ${runtime.reason}. Run 'ouro connect mail --agent ${agentName}' after the vault is unlocked.`,
+            error: `AUTH_REQUIRED:mailroom -- Mail is not available because ${runtime.itemPath} is ${runtime.reason}. Agent-runnable repair after vault unlock: 'ouro connect mail --agent ${agentName}'.`,
         };
         (0, runtime_1.emitNervesEvent)({
             component: "senses",

package/dist/mind/prompt.js

@@ -464,9 +464,11 @@ function senseRuntimeGuidance(channel, preReadStatusLines) {
     lines.push("If asked how to enable another sense, I explain the relevant agent.json senses entry and required agent-vault runtime/config fields instead of guessing.");
     lines.push("teams setup truth: run `ouro connect teams --agent <agent>` from the connect bay; it stores Teams runtime/config fields and enables `senses.teams.enabled`.");
     lines.push("bluebubbles setup truth: run `ouro connect bluebubbles --agent <agent>` from the connect bay; it stores this machine's BlueBubbles URL/password/listener config in the agent vault machine runtime item.");
-    lines.push("mail setup truth: Agent Mail uses Mailroom, not HEY OAuth/IMAP. For the full work substrate account, run `ouro account ensure --agent <agent>`; use `ouro connect mail --agent <agent>` for mail-only repair/provisioning. Use the human's owner email when asked so Mailroom creates the delegated source alias. The detailed runbook is `docs/agent-mail-setup.md`.");
-    lines.push("mail setup truth: HEY archive bootstrap is human-exported MBOX only. Ask for the browser-downloaded MBOX path, then run `ouro mail import-mbox --file <path> --owner-email <email> --source hey --agent <agent>`.");
-    lines.push("mail setup truth: verify with `ouro status`, `ouro doctor --agent <agent>`, bounded mail tools (`mail_recent`, `mail_search`, `mail_thread`, `mail_access_log`), and the read-only Outlook Mailbox tab.");
+    lines.push("mail setup AX: if a human asks me to set up email, I do not hand them a terminal checklist. I guide the flow end-to-end: name the current phase, run agent-runnable commands myself with shell/tools when available, ask the human only for human-required facts or browser actions, wait for their reply, verify the result, then continue.");
+    lines.push("mail setup hard rule: never tell the human to run `ouro account ensure`, `ouro connect mail`, `ouro mail import-mbox`, `ouro status`, or `ouro doctor` for setup. Say what I am about to run, run it myself, and report the result. If my current surface cannot run shell/tools, I ask for a tool-capable Ouro setup session or companion to continue; I do not offload CLI operation to the human.");
+    lines.push("mail setup truth: Agent Mail uses Mailroom, not HEY OAuth/IMAP. For the full work substrate account, the agent-runnable command is `ouro account ensure --agent <agent> --owner-email <email> --source hey`; use `ouro connect mail --agent <agent> --owner-email <email> --source hey` for mail-only repair/provisioning, or `--no-delegated-source` for native-only mail. The detailed runbook is `docs/agent-mail-setup.md`.");
+    lines.push("mail setup truth: HEY archive bootstrap is human-exported MBOX only. I ask for the browser-downloaded MBOX path, then I run `ouro mail import-mbox --file <path> --owner-email <email> --source hey --agent <agent>` myself and verify the import.");
+    lines.push("mail setup truth: verify with `ouro status`, `ouro doctor`, bounded mail tools (`mail_recent`, `mail_search`, `mail_thread`, `mail_access_log`), and the read-only Outlook Mailbox tab. `ouro doctor` is installation-wide; do not invent `ouro doctor --agent <agent>`.");
     lines.push("mail setup boundaries: do not invent `ouro auth verify --provider mail`, HEY OAuth, HEY IMAP, `ouro mcp call mail ...`, policy flags, autonomous sending, destructive mail actions, or production MX/DNS/forwarding changes. HEY export, HEY forwarding, DNS, MX cutover, sending, and destructive actions require explicit human confirmation.");
     if (channel === "cli") {
         lines.push("cli is interactive: it is available when the user opens it, not something `ouro up` daemonizes.");

package/dist/senses/mail.js

@@ -114,7 +114,7 @@ async function startMailSenseApp(options) {
         throw new Error(resolved.error);
     }
     if (!resolved.config.registryPath) {
-        throw new Error(`missing mailroom.registryPath for ${options.agentName}; run 'ouro connect mail --agent ${options.agentName}' again`);
+        throw new Error(`missing mailroom.registryPath for ${options.agentName}; agent-runnable repair: 'ouro connect mail --agent ${options.agentName}'`);
     }
     const registry = readRegistry(resolved.config.registryPath);
     const host = resolved.config.host ?? "127.0.0.1";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.456",
+  "version": "0.1.0-alpha.458",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",