@ouro.bot/cli 0.1.0-alpha.464 → 0.1.0-alpha.465

package/README.md

@@ -180,6 +180,7 @@ ouro vault unlock --agent <name>
 ouro vault status --agent <name>
 ouro vault config set --agent <name> --key teams.clientSecret
 ouro vault config status --agent <name> --scope all
+ouro vault ops porkbun set --agent <name> --account <account>
 ouro connect --agent <name>
 ouro connect providers --agent <name>
 ouro connect perplexity --agent <name>

package/changelog.json

@@ -1,6 +1,14 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.465",
+      "changes": [
+        "`ouro vault ops porkbun set` now stores account-scoped Porkbun API credentials in the owning agent vault through hidden prompts, outside the connect bay and runtime/config.",
+        "Porkbun ops credentials are named by their true authority boundary at `ops/registrars/porkbun/accounts/<account>`, so multiple Porkbun accounts can coexist and domain allowlists remain separate.",
+        "Auth/provider docs now clarify that `ouro connect` is only for harness-managed capabilities, while registrar and deployment credentials belong in explicit `ops/...` vault items."
+      ]
+    },
     {
       "version": "0.1.0-alpha.464",
       "changes": [

package/dist/heart/daemon/cli-exec.js

@@ -103,6 +103,7 @@ const provider_ping_1 = require("../provider-ping");
 const agent_discovery_1 = require("./agent-discovery");
 const connect_bay_1 = require("./connect-bay");
 const runtime_capability_check_1 = require("../runtime-capability-check");
+const porkbun_ops_1 = require("./porkbun-ops");
 // ── ensureDaemonRunning ──
 const DEFAULT_DAEMON_STARTUP_TIMEOUT_MS = 60_000;
 const DEFAULT_DAEMON_STARTUP_POLL_INTERVAL_MS = 500;
@@ -325,6 +326,8 @@ function agentResolutionFailureMode(command) {
         case "vault.status":
         case "vault.config.set":
         case "vault.config.status":
+        case "vault.ops.porkbun.set":
+        case "vault.ops.porkbun.status":
         case "connect":
         case "account.ensure":
         case "mail.import-mbox":
@@ -2009,6 +2012,75 @@ async function executeVaultConfigStatus(command, deps) {
     deps.writeStdout(message);
     return message;
 }
+async function executeVaultOpsPorkbunSet(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        throw new Error("SerpentGuide has no persistent credential vault. Store ops credentials in the owning agent vault.");
+    }
+    const account = (0, porkbun_ops_1.normalizePorkbunOpsAccount)(command.account);
+    const promptSecret = requirePromptSecret(deps, "Porkbun ops credential entry");
+    const apiKey = (0, porkbun_ops_1.requirePorkbunOpsSecret)(await promptSecret(`Porkbun API key for ${account}: `), "Porkbun API key");
+    const secretApiKey = (0, porkbun_ops_1.requirePorkbunOpsSecret)(await promptSecret(`Porkbun Secret API key for ${account}: `), "Porkbun Secret API key");
+    const itemName = (0, porkbun_ops_1.porkbunOpsCredentialItemName)(account);
+    const payload = {
+        schemaVersion: 1,
+        kind: porkbun_ops_1.PORKBUN_OPS_CREDENTIAL_KIND,
+        updatedAt: providerCliNow(deps).toISOString(),
+        account,
+        apiKey,
+        secretApiKey,
+    };
+    const progress = createHumanCommandProgress(deps, "vault ops porkbun");
+    try {
+        await runCommandProgressPhase(progress, "storing Porkbun ops credentials", async () => {
+            const store = (0, credential_access_1.getCredentialStore)(command.agent);
+            await store.store(itemName, {
+                username: account,
+                password: JSON.stringify(payload),
+                notes: "Operational Porkbun account API credential. Domain API access and Ouro DNS allowlists live outside this secret item.",
+            });
+            return itemName;
+        }, () => "secret stored");
+    }
+    finally {
+        progress.end();
+    }
+    const message = [
+        `stored Porkbun ops credentials for ${command.agent}`,
+        `item: vault:${command.agent}:${itemName}`,
+        `account: ${account}`,
+        "authority: Porkbun account-level API credential",
+        "domain bindings and DNS allowlists live outside this secret item",
+        "secret values were not printed",
+    ].join("\n");
+    deps.writeStdout(message);
+    return message;
+}
+async function executeVaultOpsPorkbunStatus(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        const message = "SerpentGuide has no persistent credential vault. Ops credentials belong in the owning agent vault.";
+        deps.writeStdout(message);
+        return message;
+    }
+    const store = (0, credential_access_1.getCredentialStore)(command.agent);
+    const lines = [`agent: ${command.agent}`, "ops credentials: Porkbun"];
+    if (command.account) {
+        const account = (0, porkbun_ops_1.normalizePorkbunOpsAccount)(command.account);
+        const itemName = (0, porkbun_ops_1.porkbunOpsCredentialItemName)(account);
+        const meta = await store.get(itemName);
+        lines.push(`item: vault:${command.agent}:${itemName}`);
+        lines.push(`status: ${meta ? "present" : "missing"}`);
+        if (meta?.username)
+            lines.push(`account: ${meta.username}`);
+    }
+    else {
+        const items = (await store.list()).filter((item) => item.domain.startsWith(`${porkbun_ops_1.PORKBUN_OPS_CREDENTIAL_PREFIX}/`));
+        lines.push(`items: ${items.length === 0 ? "none stored" : items.map((item) => item.domain).sort().join(", ")}`);
+    }
+    lines.push("secret values were not printed");
+    const message = lines.join("\n");
+    deps.writeStdout(message);
+    return message;
+}
 function requirePromptSecret(deps, purpose) {
     if (deps.promptSecret)
         return deps.promptSecret;
@@ -5354,6 +5426,12 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
     if (command.kind === "vault.config.status") {
         return executeVaultConfigStatus(command, deps);
     }
+    if (command.kind === "vault.ops.porkbun.set") {
+        return executeVaultOpsPorkbunSet(command, deps);
+    }
+    if (command.kind === "vault.ops.porkbun.status") {
+        return executeVaultOpsPorkbunStatus(command, deps);
+    }
     // ── auth (local, no daemon socket needed) ──
     if (command.kind === "auth.run") {
         return executeAuthRun(command, deps);

package/dist/heart/daemon/cli-help.js

@@ -212,9 +212,9 @@ exports.COMMAND_REGISTRY = {
     vault: {
         category: "Auth",
         description: "Create, replace, recover, unlock, inspect, and populate the agent credential vault",
-        usage: "ouro vault <create|replace|recover|unlock|status|config> [--agent <name>]",
+        usage: "ouro vault <create|replace|recover|unlock|status|config|ops> [--agent <name>]",
         example: "ouro vault status",
-        subcommands: ["create", "replace", "recover", "unlock", "status", "config set", "config status"],
+        subcommands: ["create", "replace", "recover", "unlock", "status", "config set", "config status", "ops porkbun set", "ops porkbun status"],
     },
     thoughts: {
         category: "Internal",
@@ -366,6 +366,16 @@ const SUBCOMMAND_HELP = {
         usage: "ouro vault config status [--agent <name>] [--scope agent|machine|all]",
         example: "ouro vault config status --scope all",
     },
+    "vault ops porkbun set": {
+        description: "Store account-scoped Porkbun API credentials as an ops vault item, outside connect/runtime config",
+        usage: "ouro vault ops porkbun set [--agent <name>] --account <account>",
+        example: "ouro vault ops porkbun set --agent slugger --account ari@mendelow.me",
+    },
+    "vault ops porkbun status": {
+        description: "Check whether Porkbun ops credentials are present without printing secret values",
+        usage: "ouro vault ops porkbun status [--agent <name>] [--account <account>]",
+        example: "ouro vault ops porkbun status --agent slugger --account ari@mendelow.me",
+    },
 };
 // ── Levenshtein distance ──
 function levenshteinDistance(a, b) {

package/dist/heart/daemon/cli-parse.js

@@ -16,6 +16,7 @@ exports.parseMcpServeCommand = parseMcpServeCommand;
 exports.parseOuroCommand = parseOuroCommand;
 const types_1 = require("../../mind/friends/types");
 const cli_help_1 = require("./cli-help");
+const porkbun_ops_1 = require("./porkbun-ops");
 // ── Shared helpers ──
 function extractAgentFlag(args) {
     const idx = args.indexOf("--agent");
@@ -95,6 +96,8 @@ function usage() {
         "  ouro vault status [--agent <name>] [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
         "  ouro vault config set [--agent <name>] --key <path> [--value <value>] [--scope agent|machine]",
         "  ouro vault config status [--agent <name>] [--scope agent|machine|all]",
+        "  ouro vault ops porkbun set [--agent <name>] --account <account>",
+        "  ouro vault ops porkbun status [--agent <name>] [--account <account>]",
         "  ouro chat <agent>",
         "  ouro msg --to <agent> [--session <id>] [--task <ref>] <message>",
         "  ouro poke <agent> --task <task-id>",
@@ -458,6 +461,8 @@ function parseVaultCommand(args) {
     const sub = args[0];
     if (sub === "config")
         return parseVaultConfigCommand(args.slice(1));
+    if (sub === "ops")
+        return parseVaultOpsCommand(args.slice(1));
     const { agent, rest } = extractAgentFlag(args.slice(1));
     let email;
     let serverUrl;
@@ -544,6 +549,33 @@ function parseVaultCommand(args) {
     }
     return { kind: "vault.status", ...(agent ? { agent } : {}), ...(store ? { store } : {}) };
 }
+function parseVaultOpsCommand(args) {
+    const provider = args[0];
+    const action = args[1];
+    if (provider !== "porkbun") {
+        throw new Error("Usage: ouro vault ops porkbun set|status [--agent <name>] [--account <account>]");
+    }
+    if (action !== "set" && action !== "status") {
+        throw new Error("Usage: ouro vault ops porkbun set|status [--agent <name>] [--account <account>]");
+    }
+    const { agent, rest } = extractAgentFlag(args.slice(2));
+    let account;
+    for (let i = 0; i < rest.length; i += 1) {
+        const token = rest[i];
+        if (token === "--account") {
+            account = (0, porkbun_ops_1.normalizePorkbunOpsAccount)(rest[i + 1]);
+            i += 1;
+            continue;
+        }
+        throw new Error(`Usage: ouro vault ops porkbun ${action} [--agent <name>] [--account <account>]`);
+    }
+    if (action === "set") {
+        if (!account)
+            throw new Error("Usage: ouro vault ops porkbun set [--agent <name>] --account <account>");
+        return { kind: "vault.ops.porkbun.set", ...(agent ? { agent } : {}), account };
+    }
+    return { kind: "vault.ops.porkbun.status", ...(agent ? { agent } : {}), ...(account ? { account } : {}) };
+}
 function parseVaultConfigCommand(args) {
     const sub = args[0];
     const { agent, rest } = extractAgentFlag(args.slice(1));

package/dist/heart/daemon/porkbun-ops.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PORKBUN_OPS_CREDENTIAL_PREFIX = exports.PORKBUN_OPS_CREDENTIAL_KIND = void 0;
+exports.normalizePorkbunOpsAccount = normalizePorkbunOpsAccount;
+exports.porkbunOpsCredentialItemName = porkbunOpsCredentialItemName;
+exports.requirePorkbunOpsSecret = requirePorkbunOpsSecret;
+exports.PORKBUN_OPS_CREDENTIAL_KIND = "ops-credential/porkbun";
+exports.PORKBUN_OPS_CREDENTIAL_PREFIX = "ops/registrars/porkbun/accounts";
+const PORKBUN_OPS_ACCOUNT_FORBIDDEN = /[\/\r\n\t]/;
+function normalizePorkbunOpsAccount(account) {
+    const normalized = account?.trim() ?? "";
+    if (!normalized || PORKBUN_OPS_ACCOUNT_FORBIDDEN.test(normalized)) {
+        throw new Error("Porkbun account must be a non-empty account label without slashes or control characters.");
+    }
+    return normalized;
+}
+function porkbunOpsCredentialItemName(account) {
+    return `${exports.PORKBUN_OPS_CREDENTIAL_PREFIX}/${normalizePorkbunOpsAccount(account)}`;
+}
+function requirePorkbunOpsSecret(value, label) {
+    const trimmed = value.trim();
+    if (!trimmed)
+        throw new Error(`${label} cannot be blank`);
+    return trimmed;
+}

package/dist/nerves/coverage/file-completeness.js

@@ -59,10 +59,11 @@ const DISPATCH_EXEMPT_PATTERNS = [
     "repertoire/tools-config",
     "repertoire/tools-base",
     // CLI sub-modules: cli-exec.ts is the router with emitNervesEvent calls;
-    // cli-parse, cli-render, and cli-help are pure functions/data with no side effects.
+    // cli-parse, cli-render, cli-help, and their small helpers are pure functions/data with no side effects.
     "daemon/cli-parse",
     "daemon/cli-render",
     "daemon/cli-help",
+    "daemon/porkbun-ops",
     // Shared utility modules: pure helpers consumed by modules that own observability.
     "arc/json-store",
     "repertoire/api-client",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.464",
+  "version": "0.1.0-alpha.465",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",