@ouro.bot/cli 0.1.0-alpha.465 → 0.1.0-alpha.467

package/dist/heart/daemon/cli-exec.js

@@ -103,7 +103,7 @@ const provider_ping_1 = require("../provider-ping");
 const agent_discovery_1 = require("./agent-discovery");
 const connect_bay_1 = require("./connect-bay");
 const runtime_capability_check_1 = require("../runtime-capability-check");
-const porkbun_ops_1 = require("./porkbun-ops");
+const vault_items_1 = require("./vault-items");
 // ── ensureDaemonRunning ──
 const DEFAULT_DAEMON_STARTUP_TIMEOUT_MS = 60_000;
 const DEFAULT_DAEMON_STARTUP_POLL_INTERVAL_MS = 500;
@@ -326,8 +326,10 @@ function agentResolutionFailureMode(command) {
         case "vault.status":
         case "vault.config.set":
         case "vault.config.status":
-        case "vault.ops.porkbun.set":
-        case "vault.ops.porkbun.status":
+        case "vault.item.set":
+        case "vault.item.status":
+        case "vault.item.list":
+        case "dns.workflow":
         case "connect":
         case "account.ensure":
         case "mail.import-mbox":
@@ -2012,72 +2014,287 @@ async function executeVaultConfigStatus(command, deps) {
     deps.writeStdout(message);
     return message;
 }
-async function executeVaultOpsPorkbunSet(command, deps) {
+function parseVaultItemPublicFields(fields) {
+    const parsed = {};
+    for (const field of fields ?? []) {
+        const separator = field.indexOf("=");
+        const key = (0, vault_items_1.normalizeVaultItemFieldName)(field.slice(0, separator));
+        parsed[key] = field.slice(separator + 1);
+    }
+    return parsed;
+}
+function uniqueVaultItemSecretFields(command) {
+    const fields = command.template ? (0, vault_items_1.vaultItemTemplateSecretFields)(command.template) : [];
+    for (const field of command.secretFields ?? []) {
+        if (!fields.includes(field))
+            fields.push(field);
+    }
+    return fields;
+}
+function vaultItemCompatibilityNotice(command) {
+    if (command.compatibilityAlias !== vault_items_1.PORKBUN_OPS_COMPATIBILITY_ALIAS)
+        return [];
+    return ["deprecated compatibility alias: use ouro vault item set --template porkbun-api"];
+}
+function freeformVaultItemReservedMessage(itemName) {
+    if (itemName.startsWith("providers/")) {
+        return `Vault item "${itemName}" is reserved for harness-managed workflows. Use ouro auth or ouro connect for provider credentials.`;
+    }
+    if (itemName === "runtime/config" || /^runtime\/machines\/[^/]+\/config$/.test(itemName)) {
+        return `Vault item "${itemName}" is reserved for harness-managed workflows. Use ouro connect or ouro vault config for runtime and sense configuration.`;
+    }
+    return undefined;
+}
+function assertFreeformVaultItemWritable(itemName) {
+    const reservedMessage = freeformVaultItemReservedMessage(itemName);
+    if (reservedMessage)
+        throw new Error(reservedMessage);
+}
+function porkbunAccountForCompatibility(command) {
+    if (command.compatibilityAlias !== vault_items_1.PORKBUN_OPS_COMPATIBILITY_ALIAS)
+        return undefined;
+    return (0, vault_items_1.normalizePorkbunOpsAccount)((0, vault_items_1.porkbunOpsAccountFromItemName)(command.item));
+}
+const PORKBUN_OPS_PROMPT_LABELS = {
+    apiKey: (account) => `Porkbun API key for ${account}: `,
+    secretApiKey: (account) => `Porkbun Secret API key for ${account}: `,
+};
+const PORKBUN_OPS_VALIDATION_LABELS = {
+    apiKey: "Porkbun API key",
+    secretApiKey: "Porkbun Secret API key",
+};
+function vaultItemTemplatePromptLabel(command, field, account) {
+    if (command.compatibilityAlias === vault_items_1.PORKBUN_OPS_COMPATIBILITY_ALIAS) {
+        return PORKBUN_OPS_PROMPT_LABELS[field](account);
+    }
+    return `Secret field ${field} for ${command.item}: `;
+}
+function vaultItemSecretValidationLabel(command, field) {
+    if (command.compatibilityAlias === vault_items_1.PORKBUN_OPS_COMPATIBILITY_ALIAS) {
+        return PORKBUN_OPS_VALIDATION_LABELS[field];
+    }
+    return `Secret field ${field}`;
+}
+async function executeVaultItemSet(command, deps) {
     if (command.agent === "SerpentGuide") {
-        throw new Error("SerpentGuide has no persistent credential vault. Store ops credentials in the owning agent vault.");
+        throw new Error("SerpentGuide has no persistent credential vault. Store vault items in the owning agent vault.");
+    }
+    if (!command.compatibilityAlias)
+        assertFreeformVaultItemWritable(command.item);
+    const account = porkbunAccountForCompatibility(command);
+    const promptSecret = requirePromptSecret(deps, command.compatibilityAlias === vault_items_1.PORKBUN_OPS_COMPATIBILITY_ALIAS ? "Porkbun ops credential entry" : "Vault item secret entry");
+    const secretFieldNames = uniqueVaultItemSecretFields(command);
+    const publicFields = parseVaultItemPublicFields(command.publicFields);
+    if (account && !publicFields.account)
+        publicFields.account = account;
+    const secretFields = {};
+    for (const field of secretFieldNames) {
+        const normalized = (0, vault_items_1.normalizeVaultItemFieldName)(field);
+        const value = await promptSecret(vaultItemTemplatePromptLabel(command, normalized, account));
+        secretFields[normalized] = (0, vault_items_1.requireVaultItemSecret)(value, vaultItemSecretValidationLabel(command, normalized));
     }
-    const account = (0, porkbun_ops_1.normalizePorkbunOpsAccount)(command.account);
-    const promptSecret = requirePromptSecret(deps, "Porkbun ops credential entry");
-    const apiKey = (0, porkbun_ops_1.requirePorkbunOpsSecret)(await promptSecret(`Porkbun API key for ${account}: `), "Porkbun API key");
-    const secretApiKey = (0, porkbun_ops_1.requirePorkbunOpsSecret)(await promptSecret(`Porkbun Secret API key for ${account}: `), "Porkbun Secret API key");
-    const itemName = (0, porkbun_ops_1.porkbunOpsCredentialItemName)(account);
     const payload = {
         schemaVersion: 1,
-        kind: porkbun_ops_1.PORKBUN_OPS_CREDENTIAL_KIND,
         updatedAt: providerCliNow(deps).toISOString(),
-        account,
-        apiKey,
-        secretApiKey,
+        publicFields,
+        secretFields,
     };
-    const progress = createHumanCommandProgress(deps, "vault ops porkbun");
+    const progress = createHumanCommandProgress(deps, command.compatibilityAlias === vault_items_1.PORKBUN_OPS_COMPATIBILITY_ALIAS ? "vault ops porkbun" : "vault item set");
     try {
-        await runCommandProgressPhase(progress, "storing Porkbun ops credentials", async () => {
+        await runCommandProgressPhase(progress, command.compatibilityAlias === vault_items_1.PORKBUN_OPS_COMPATIBILITY_ALIAS ? "storing ordinary vault item" : "storing vault item", async () => {
             const store = (0, credential_access_1.getCredentialStore)(command.agent);
-            await store.store(itemName, {
-                username: account,
+            await store.store(command.item, {
+                ...(account ? { username: account } : {}),
                 password: JSON.stringify(payload),
-                notes: "Operational Porkbun account API credential. Domain API access and Ouro DNS allowlists live outside this secret item.",
+                ...(command.note !== undefined
+                    ? { notes: command.note }
+                    : command.compatibilityAlias === vault_items_1.PORKBUN_OPS_COMPATIBILITY_ALIAS
+                        ? { notes: "Ordinary vault item written by a deprecated Porkbun compatibility alias. Notes are for human/agent orientation only; workflow bindings live outside this item." }
+                        : {}),
             });
-            return itemName;
+            return command.item;
         }, () => "secret stored");
     }
     finally {
         progress.end();
     }
     const message = [
-        `stored Porkbun ops credentials for ${command.agent}`,
-        `item: vault:${command.agent}:${itemName}`,
-        `account: ${account}`,
-        "authority: Porkbun account-level API credential",
-        "domain bindings and DNS allowlists live outside this secret item",
+        ...vaultItemCompatibilityNotice(command),
+        `stored ordinary vault item for ${command.agent}`,
+        `item: vault:${command.agent}:${command.item}`,
+        ...(account ? [`account: ${account}`] : []),
+        `public fields: ${Object.keys(publicFields).length === 0 ? "none" : Object.keys(publicFields).sort().join(", ")}`,
+        `secret fields: ${Object.keys(secretFields).sort().join(", ")}`,
+        `notes: ${command.note !== undefined || command.compatibilityAlias === vault_items_1.PORKBUN_OPS_COMPATIBILITY_ALIAS ? "present" : "absent"}`,
         "secret values were not printed",
     ].join("\n");
     deps.writeStdout(message);
     return message;
 }
-async function executeVaultOpsPorkbunStatus(command, deps) {
+async function executeVaultItemStatus(command, deps) {
+    if (command.agent === "SerpentGuide") {
+        const message = "SerpentGuide has no persistent credential vault. Vault items belong in the owning agent vault.";
+        deps.writeStdout(message);
+        return message;
+    }
+    const store = (0, credential_access_1.getCredentialStore)(command.agent);
+    const account = porkbunAccountForCompatibility(command);
+    const meta = await store.get(command.item);
+    const lines = [
+        ...vaultItemCompatibilityNotice(command),
+        `agent: ${command.agent}`,
+        `${command.compatibilityAlias ? "ordinary vault item" : "item"}: vault:${command.agent}:${command.item}`,
+        `status: ${meta ? "present" : "missing"}`,
+    ];
+    if (meta?.username)
+        lines.push(account ? `account: ${meta.username}` : `username: ${meta.username}`);
+    if (meta?.notes)
+        lines.push("notes: present");
+    lines.push("secret values were not printed");
+    const message = lines.join("\n");
+    deps.writeStdout(message);
+    return message;
+}
+async function executeVaultItemList(command, deps) {
     if (command.agent === "SerpentGuide") {
-        const message = "SerpentGuide has no persistent credential vault. Ops credentials belong in the owning agent vault.";
+        const message = "SerpentGuide has no persistent credential vault. Vault items belong in the owning agent vault.";
         deps.writeStdout(message);
         return message;
     }
     const store = (0, credential_access_1.getCredentialStore)(command.agent);
-    const lines = [`agent: ${command.agent}`, "ops credentials: Porkbun"];
-    if (command.account) {
-        const account = (0, porkbun_ops_1.normalizePorkbunOpsAccount)(command.account);
-        const itemName = (0, porkbun_ops_1.porkbunOpsCredentialItemName)(account);
-        const meta = await store.get(itemName);
-        lines.push(`item: vault:${command.agent}:${itemName}`);
-        lines.push(`status: ${meta ? "present" : "missing"}`);
-        if (meta?.username)
-            lines.push(`account: ${meta.username}`);
+    const prefix = command.prefix;
+    const items = (await store.list())
+        .filter((item) => !prefix || item.domain.startsWith(prefix.endsWith("/") ? prefix : `${prefix}/`))
+        .map((item) => item.domain)
+        .sort();
+    const lines = [
+        ...vaultItemCompatibilityNotice(command),
+        `agent: ${command.agent}`,
+        ...(prefix ? [`prefix: ${prefix}`] : []),
+        `items: ${items.length === 0 ? "none stored" : items.join(", ")}`,
+        "secret values were not printed",
+    ];
+    const message = lines.join("\n");
+    deps.writeStdout(message);
+    return message;
+}
+function resolveWorkflowFilePath(filePath, deps) {
+    return path.isAbsolute(filePath)
+        ? filePath
+        : path.resolve(deps.getRepoCwd?.() ?? process.cwd(), filePath);
+}
+function extractDnsBackupRecords(input) {
+    const value = input;
+    const records = value.plan?.backup?.records ?? value.backup?.records ?? value.records;
+    if (!Array.isArray(records))
+        throw new Error("dns rollback backup does not contain records");
+    return records;
+}
+async function executeDnsWorkflow(command, deps) {
+    const workflow = await Promise.resolve().then(() => __importStar(require("./dns-workflow")));
+    const bindingPath = resolveWorkflowFilePath(command.bindingPath, deps);
+    const binding = workflow.loadDnsWorkflowBinding(JSON.parse(fs.readFileSync(bindingPath, "utf-8")));
+    const store = (0, credential_access_1.getCredentialStore)(command.agent);
+    const reader = {
+        readSecretField: async (item, field) => {
+            const raw = await store.getRawSecret(item, "password");
+            const payload = JSON.parse(raw);
+            const value = [payload.secretFields?.[field], payload[field]]
+                .find((candidate) => typeof candidate === "string" && candidate.trim() !== "");
+            if (!value) {
+                throw new Error(`vault item ${item} is missing required secret field ${field}`);
+            }
+            return value;
+        },
+    };
+    const secrets = await workflow.resolveDnsWorkflowSecrets(binding, reader);
+    const driver = workflow.createPorkbunDnsDriver({ fetchImpl: deps.fetchImpl ?? fetch });
+    if (command.action === "certificate") {
+        if (!binding.certificate)
+            throw new Error("DNS workflow binding does not define a certificate");
+        if (binding.certificate.source !== "porkbun-ssl") {
+            throw new Error(`DNS workflow certificate source ${binding.certificate.source} is not implemented`);
+        }
+        const certificate = await driver.retrieveCertificate({ domain: binding.domain, secrets });
+        const payload = {
+            schemaVersion: 1,
+            updatedAt: providerCliNow(deps).toISOString(),
+            publicFields: {
+                domain: binding.domain,
+                host: binding.certificate.host,
+                source: binding.certificate.source,
+            },
+            secretFields: certificate,
+        };
+        await store.store(binding.certificate.storeItem, {
+            username: binding.certificate.host,
+            password: JSON.stringify(payload),
+            notes: "TLS certificate bundle retrieved by DNS workflow. Notes are for human/agent orientation only; workflow bindings and deploy config remain the machine contract.",
+        });
+        const artifactPayload = workflow.redactDnsWorkflowArtifact({
+            action: command.action,
+            binding,
+            certificate: {
+                host: binding.certificate.host,
+                storeItem: binding.certificate.storeItem,
+                ...certificate,
+            },
+        });
+        if (command.outputPath) {
+            const outputPath = resolveWorkflowFilePath(command.outputPath, deps);
+            fs.mkdirSync(path.dirname(outputPath), { recursive: true });
+            fs.writeFileSync(outputPath, `${JSON.stringify(artifactPayload, null, 2)}\n`, "utf-8");
+        }
+        const message = [
+            `dns certificate for ${binding.domain}`,
+            `driver: ${binding.driver}`,
+            `credential item: vault:${command.agent}:${binding.credentialItem}`,
+            `certificate item: vault:${command.agent}:${binding.certificate.storeItem}`,
+            command.outputPath ? `artifact: ${command.outputPath}` : "artifact: not written",
+            "secret values were not printed",
+        ].join("\n");
+        deps.writeStdout(message);
+        return message;
+    }
+    const currentRecords = await driver.retrieveRecords({ domain: binding.domain, secrets });
+    let plan;
+    if (command.action === "rollback") {
+        const backupPath = command.backupPath;
+        plan = workflow.planDnsRollback({
+            binding,
+            currentRecords,
+            backupRecords: extractDnsBackupRecords(JSON.parse(fs.readFileSync(resolveWorkflowFilePath(backupPath, deps), "utf-8"))),
+        });
     }
     else {
-        const items = (await store.list()).filter((item) => item.domain.startsWith(`${porkbun_ops_1.PORKBUN_OPS_CREDENTIAL_PREFIX}/`));
-        lines.push(`items: ${items.length === 0 ? "none stored" : items.map((item) => item.domain).sort().join(", ")}`);
+        plan = workflow.planDnsWorkflow({ binding, currentRecords });
+    }
+    const applied = command.action === "apply" || command.action === "rollback"
+        ? await workflow.applyDnsWorkflowPlan({ driver, domain: binding.domain, secrets, plan })
+        : [];
+    const payload = workflow.redactDnsWorkflowArtifact({
+        action: command.action,
+        binding,
+        plan,
+        applied,
+    });
+    if (command.outputPath) {
+        const outputPath = resolveWorkflowFilePath(command.outputPath, deps);
+        fs.mkdirSync(path.dirname(outputPath), { recursive: true });
+        fs.writeFileSync(outputPath, `${JSON.stringify(payload, null, 2)}\n`, "utf-8");
     }
-    lines.push("secret values were not printed");
-    const message = lines.join("\n");
+    const changed = plan.changes.length;
+    const preserved = plan.preservedRecords.length;
+    const message = [
+        `dns ${command.action} for ${binding.domain}`,
+        `driver: ${binding.driver}`,
+        `credential item: vault:${command.agent}:${binding.credentialItem}`,
+        `changes: ${changed}`,
+        ...(applied.length > 0 ? [`applied: ${applied.length}`] : []),
+        `preserved records: ${preserved}`,
+        command.outputPath ? `artifact: ${command.outputPath}` : "artifact: not written",
+        "secret values were not printed",
+    ].join("\n");
     deps.writeStdout(message);
     return message;
 }
@@ -2798,6 +3015,53 @@ function mailroomPrivateKeys(mailroom) {
     const keys = isPlainRecord(mailroom?.privateKeys) ? mailroom.privateKeys : {};
     return Object.fromEntries(Object.entries(keys).filter((entry) => typeof entry[1] === "string"));
 }
+function hostedMailControlConfig(config) {
+    const workSubstrate = isPlainRecord(config.workSubstrate) ? config.workSubstrate : undefined;
+    if (!workSubstrate || stringField(workSubstrate, "mode") !== "hosted")
+        return null;
+    const mailControl = isPlainRecord(workSubstrate.mailControl) ? workSubstrate.mailControl : undefined;
+    const url = mailControl ? stringField(mailControl, "url").replace(/\/+$/, "") : "";
+    const token = mailControl ? (stringField(mailControl, "token") || stringField(mailControl, "adminToken")) : "";
+    if (!url || !token) {
+        throw new Error("hosted workSubstrate.mailControl requires url and token in the agent vault runtime/config item");
+    }
+    return { url, token };
+}
+function cleanHostedMailroomBase(existingMailroom) {
+    const base = { ...(existingMailroom ?? {}) };
+    delete base.registryPath;
+    delete base.storePath;
+    return base;
+}
+function requiredResponseRecord(value, label) {
+    if (!isPlainRecord(value))
+        throw new Error(`Mail Control response missing ${label}`);
+    return value;
+}
+function requiredResponseText(record, key, label) {
+    const value = stringField(record, key);
+    if (!value)
+        throw new Error(`Mail Control response missing ${label}`);
+    return value;
+}
+function responsePrivateKeys(value) {
+    if (!isPlainRecord(value))
+        return {};
+    return Object.fromEntries(Object.entries(value).filter((entry) => typeof entry[0] === "string" && typeof entry[1] === "string" && entry[1].trim().length > 0));
+}
+function requiredHostedKeyIds(body) {
+    return [body.mailbox, body.sourceGrant]
+        .filter(isPlainRecord)
+        .map((record) => stringField(record, "keyId"))
+        .filter((keyId) => keyId.length > 0);
+}
+function assertHostedPrivateKeys(input) {
+    for (const keyId of input.requiredKeyIds) {
+        if (input.keys[keyId])
+            continue;
+        throw new Error(`hosted Mail Control references private mail key ${keyId}, but it was not returned and is not present in ${input.agent}'s vault runtime/config. Repair requires a fresh Mail Control one-time key response or key rotation.`);
+    }
+}
 async function promptDelegatedMailSource(deps, input = {}) {
     if (input.noDelegatedSource)
         return { ownerEmail: "", source: "" };
@@ -2825,8 +3089,11 @@ async function ensureAgentMailroom(agent, input, deps, progressLabel) {
     let stored;
     let mailboxAddress = `${agent.toLowerCase()}@ouro.bot`;
     let sourceAlias = null;
+    let mode = "local";
     let registryPath = path.join(mailStateDir, "registry.json");
     let storePath = mailStateDir;
+    let hostedControlUrl;
+    let blobStoreLabel;
     try {
         progress.startPhase("checking Mailroom runtime config");
         const current = await (0, runtime_credentials_1.refreshRuntimeCredentialConfig)(agent, { preserveCachedOnFailure: true });
@@ -2835,31 +3102,94 @@ async function ensureAgentMailroom(agent, input, deps, progressLabel) {
         }
         const currentConfig = current.ok ? current.config : {};
         const existingMailroom = isPlainRecord(currentConfig.mailroom) ? currentConfig.mailroom : undefined;
+        const hostedConfig = hostedMailControlConfig(currentConfig);
         registryPath = stringField(existingMailroom ?? {}, "registryPath") || registryPath;
         storePath = stringField(existingMailroom ?? {}, "storePath") || storePath;
-        progress.updateDetail("ensuring Mailroom identity");
-        const ensured = (0, core_1.ensureMailboxRegistry)({
-            agentId: agent,
-            registry: readMailroomRegistryFromDisk(registryPath),
-            keys: mailroomPrivateKeys(existingMailroom),
-            ownerEmail: input.ownerEmail || undefined,
-            source: input.source || undefined,
-        });
-        mailboxAddress = ensured.mailboxAddress;
-        sourceAlias = ensured.sourceAlias;
-        fs.mkdirSync(path.dirname(registryPath), { recursive: true });
-        fs.mkdirSync(storePath, { recursive: true });
-        fs.writeFileSync(registryPath, `${JSON.stringify(ensured.registry, null, 2)}\n`, "utf-8");
-        const nextConfig = {
-            ...currentConfig,
-            mailroom: {
-                ...(existingMailroom ?? {}),
-                mailboxAddress,
-                registryPath,
-                storePath,
-                privateKeys: ensured.keys,
-            },
-        };
+        let nextConfig;
+        if (hostedConfig) {
+            progress.updateDetail("calling hosted Mail Control");
+            const fetchImpl = deps.fetchImpl ?? fetch;
+            const response = await fetchImpl(`${hostedConfig.url}/v1/mailboxes/ensure`, {
+                method: "POST",
+                headers: {
+                    authorization: `Bearer ${hostedConfig.token}`,
+                    "content-type": "application/json",
+                },
+                body: JSON.stringify({
+                    agentId: agent,
+                    ...(input.ownerEmail ? { ownerEmail: input.ownerEmail } : {}),
+                    ...(input.source ? { source: input.source } : {}),
+                }),
+            });
+            const body = await response.json();
+            if (!response.ok || body.ok === false) {
+                throw new Error(`hosted Mail Control ensure failed (${response.status}): ${body.error ?? response.statusText}`);
+            }
+            const publicRegistry = requiredResponseRecord(body.publicRegistry, "publicRegistry");
+            const blobStore = requiredResponseRecord(body.blobStore, "blobStore");
+            mailboxAddress = typeof body.mailboxAddress === "string" && body.mailboxAddress.trim()
+                ? body.mailboxAddress.trim()
+                : requiredResponseText(requiredResponseRecord(body.mailbox, "mailbox"), "canonicalAddress", "mailboxAddress");
+            sourceAlias = typeof body.sourceAlias === "string" && body.sourceAlias.trim() ? body.sourceAlias.trim() : null;
+            const generatedPrivateKeys = responsePrivateKeys(body.generatedPrivateKeys);
+            const privateKeys = {
+                ...mailroomPrivateKeys(existingMailroom),
+                ...generatedPrivateKeys,
+            };
+            assertHostedPrivateKeys({
+                agent,
+                keys: privateKeys,
+                requiredKeyIds: requiredHostedKeyIds(body),
+            });
+            mode = "hosted";
+            registryPath = null;
+            storePath = null;
+            hostedControlUrl = hostedConfig.url;
+            blobStoreLabel = `${requiredResponseText(blobStore, "azureAccountUrl", "blobStore.azureAccountUrl")}/${requiredResponseText(blobStore, "container", "blobStore.container")}`;
+            nextConfig = {
+                ...currentConfig,
+                mailroom: {
+                    ...cleanHostedMailroomBase(existingMailroom),
+                    mode,
+                    mailboxAddress,
+                    sourceAlias,
+                    azureAccountUrl: requiredResponseText(blobStore, "azureAccountUrl", "blobStore.azureAccountUrl"),
+                    azureContainer: requiredResponseText(blobStore, "container", "blobStore.container"),
+                    registryAzureAccountUrl: requiredResponseText(publicRegistry, "azureAccountUrl", "publicRegistry.azureAccountUrl"),
+                    registryContainer: requiredResponseText(publicRegistry, "container", "publicRegistry.container"),
+                    registryBlob: requiredResponseText(publicRegistry, "blob", "publicRegistry.blob"),
+                    registryDomain: requiredResponseText(publicRegistry, "domain", "publicRegistry.domain"),
+                    registryRevision: requiredResponseText(publicRegistry, "revision", "publicRegistry.revision"),
+                    privateKeys,
+                },
+            };
+        }
+        else {
+            progress.updateDetail("ensuring local Mailroom identity");
+            const ensured = (0, core_1.ensureMailboxRegistry)({
+                agentId: agent,
+                registry: readMailroomRegistryFromDisk(registryPath),
+                keys: mailroomPrivateKeys(existingMailroom),
+                ownerEmail: input.ownerEmail || undefined,
+                source: input.source || undefined,
+            });
+            mailboxAddress = ensured.mailboxAddress;
+            sourceAlias = ensured.sourceAlias;
+            fs.mkdirSync(path.dirname(registryPath), { recursive: true });
+            fs.mkdirSync(storePath, { recursive: true });
+            fs.writeFileSync(registryPath, `${JSON.stringify(ensured.registry, null, 2)}\n`, "utf-8");
+            nextConfig = {
+                ...currentConfig,
+                mailroom: {
+                    ...(existingMailroom ?? {}),
+                    mode,
+                    mailboxAddress,
+                    registryPath,
+                    storePath,
+                    privateKeys: ensured.keys,
+                },
+            };
+        }
         progress.updateDetail("storing private mail keys in vault");
         stored = await (0, runtime_credentials_1.upsertRuntimeCredentialConfig)(agent, nextConfig, providerCliNow(deps));
         progress.updateDetail("enabling Mail sense in agent.json");
@@ -2875,7 +3205,7 @@ async function ensureAgentMailroom(agent, input, deps, progressLabel) {
     if (!stored)
         throw new Error("Mailroom setup did not store runtime credentials");
     const syncSummary = pushAgentBundleAfterCliMutation(agent, deps);
-    return { mailboxAddress, sourceAlias, registryPath, storePath, stored, syncSummary };
+    return { mailboxAddress, sourceAlias, mode, registryPath, storePath, hostedControlUrl, blobStoreLabel, stored, syncSummary };
 }
 async function executeConnectMail(agent, deps, input = {}) {
     writeConnectorIntro(deps, {
@@ -2920,8 +3250,10 @@ async function executeConnectMail(agent, deps, input = {}) {
         whatChanged: [
             `Mailbox: ${outcome.mailboxAddress}`,
             ...(outcome.sourceAlias ? [`Delegated alias: ${outcome.sourceAlias}`] : []),
-            `Registry: ${outcome.registryPath}`,
-            `Encrypted store: ${outcome.storePath}`,
+            ...(outcome.hostedControlUrl ? [`Hosted Mail Control: ${outcome.hostedControlUrl}`] : []),
+            ...(outcome.blobStoreLabel ? [`Blob store: ${outcome.blobStoreLabel}`] : []),
+            ...(outcome.registryPath ? [`Registry: ${outcome.registryPath}`] : []),
+            ...(outcome.storePath ? [`Encrypted store: ${outcome.storePath}`] : []),
             `Stored: ${outcome.stored.itemPath}`,
             "agent.json: senses.mail.enabled = true",
             "private mail keys were not printed",
@@ -2937,8 +3269,10 @@ async function executeConnectMail(agent, deps, input = {}) {
             `Agent Mail connected for ${agent}`,
             `mailbox: ${outcome.mailboxAddress}`,
             ...(outcome.sourceAlias ? [`delegated alias: ${outcome.sourceAlias}`] : []),
-            `registry: ${outcome.registryPath}`,
-            `encrypted store: ${outcome.storePath}`,
+            ...(outcome.hostedControlUrl ? [`Hosted Mail Control: ${outcome.hostedControlUrl}`] : []),
+            ...(outcome.blobStoreLabel ? [`Blob store: ${outcome.blobStoreLabel}`] : []),
+            ...(outcome.registryPath ? [`registry: ${outcome.registryPath}`] : []),
+            ...(outcome.storePath ? [`encrypted store: ${outcome.storePath}`] : []),
             `stored: ${outcome.stored.itemPath}`,
             "agent.json: senses.mail.enabled = true",
             "private mail keys were not printed",
@@ -2983,9 +3317,12 @@ async function executeAccountEnsure(command, deps) {
             "Vault item: runtime/config",
             `Mailbox: ${outcome.mailboxAddress}`,
             ...(outcome.sourceAlias ? [`Delegated alias: ${outcome.sourceAlias}`] : []),
-            `Registry: ${outcome.registryPath}`,
-            `Encrypted store: ${outcome.storePath}`,
+            ...(outcome.hostedControlUrl ? [`Hosted Mail Control: ${outcome.hostedControlUrl}`] : []),
+            ...(outcome.blobStoreLabel ? [`Blob store: ${outcome.blobStoreLabel}`] : []),
+            ...(outcome.registryPath ? [`Registry: ${outcome.registryPath}`] : []),
+            ...(outcome.storePath ? [`Encrypted store: ${outcome.storePath}`] : []),
             "agent.json: senses.mail.enabled = true",
+            "private mail keys were not printed",
             ...(outcome.syncSummary ? [outcome.syncSummary] : []),
         ],
         nextMoves: [
@@ -2998,9 +3335,12 @@ async function executeAccountEnsure(command, deps) {
             "vault: runtime/config",
             `mailbox: ${outcome.mailboxAddress}`,
             ...(outcome.sourceAlias ? [`delegated alias: ${outcome.sourceAlias}`] : []),
-            `registry: ${outcome.registryPath}`,
-            `encrypted store: ${outcome.storePath}`,
+            ...(outcome.hostedControlUrl ? [`Hosted Mail Control: ${outcome.hostedControlUrl}`] : []),
+            ...(outcome.blobStoreLabel ? [`Blob store: ${outcome.blobStoreLabel}`] : []),
+            ...(outcome.registryPath ? [`registry: ${outcome.registryPath}`] : []),
+            ...(outcome.storePath ? [`encrypted store: ${outcome.storePath}`] : []),
             "agent.json: senses.mail.enabled = true",
+            "private mail keys were not printed",
             ...(outcome.syncSummary ? [outcome.syncSummary] : []),
         ],
     });
@@ -5426,11 +5766,17 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
     if (command.kind === "vault.config.status") {
         return executeVaultConfigStatus(command, deps);
     }
-    if (command.kind === "vault.ops.porkbun.set") {
-        return executeVaultOpsPorkbunSet(command, deps);
+    if (command.kind === "vault.item.set") {
+        return executeVaultItemSet(command, deps);
+    }
+    if (command.kind === "vault.item.status") {
+        return executeVaultItemStatus(command, deps);
+    }
+    if (command.kind === "vault.item.list") {
+        return executeVaultItemList(command, deps);
     }
-    if (command.kind === "vault.ops.porkbun.status") {
-        return executeVaultOpsPorkbunStatus(command, deps);
+    if (command.kind === "dns.workflow") {
+        return executeDnsWorkflow(command, deps);
     }
     // ── auth (local, no daemon socket needed) ──
     if (command.kind === "auth.run") {