@ouro.bot/cli 0.1.0-alpha.465 → 0.1.0-alpha.467

package/README.md

@@ -180,6 +180,8 @@ ouro vault unlock --agent <name>
 ouro vault status --agent <name>
 ouro vault config set --agent <name> --key teams.clientSecret
 ouro vault config status --agent <name> --scope all
+ouro vault item set --agent <name> --item <path> --secret-field <field>
+ouro vault item status --agent <name> --item <path>
 ouro vault ops porkbun set --agent <name> --account <account>
 ouro connect --agent <name>
 ouro connect providers --agent <name>
@@ -208,6 +210,8 @@ ouro mcp-serve --agent <name>             # start MCP server on stdin/stdout (us
 ouro hook <event> --agent <name>          # fire a lifecycle hook (SessionStart, Stop, PostToolUse)
 ```
 
+The generic secret primitive is a vault item / credential in the owning agent vault: stable item name/path, hidden secret material, optional public fields, notes, timestamps/provenance, and no assumed use. `ouro connect` is for harness-managed workflows; workflow bindings reference ordinary vault items when they need secret material.
+
 ## Setting Up On Another Machine
 
 To clone an existing agent onto a new machine (macOS, Linux, or Windows via WSL2), see **[docs/cross-machine-setup.md](docs/cross-machine-setup.md)**. The short version is bundle plus vault: `npx ouro.bot@latest`, open the home deck, choose clone, enter the bundle's git remote URL, unlock the agent vault, refresh/verify credentials, and start with `ouro up`.

package/changelog.json

@@ -1,6 +1,22 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.467",
+      "changes": [
+        "`ouro dns certificate` can now retrieve the TLS bundle named by a DNS workflow binding and store it as an ordinary workflow-managed vault item without printing private key material.",
+        "DNS workflow bindings now reject unknown certificate sources instead of silently treating typos as Porkbun SSL, while preserving the future `acme-dns-01` shape as an explicit not-yet-implemented source.",
+        "Porkbun record verification now ignores the provider's default priority zero on non-MX records while still treating real MX priority drift as a planned update."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.466",
+      "changes": [
+        "`ouro vault item set/status/list` is now the generic human-facing path for storing ordinary agent-owned vault items with hidden secret fields, optional public fields, freeform notes, metadata-only status/list output, and no assumed provider semantics.",
+        "`ouro vault ops porkbun` remains as a deprecated compatibility alias over ordinary vault items, while docs and help teach vault item -> managed workflow -> non-secret binding instead of treating Porkbun, DNS, or ops credentials as separate credential species.",
+        "Vault item guardrails now keep harness-managed provider/runtime items on `ouro auth`, `ouro connect`, and `ouro vault config`, and coverage locks no-secret logging, notes-as-orientation, reserved item errors, compatibility behavior, and 100% branch coverage for the new surface."
+      ]
+    },
     {
       "version": "0.1.0-alpha.465",
       "changes": [