@ouro.bot/cli 0.1.0-alpha.472 → 0.1.0-alpha.474

package/changelog.json

@@ -1,6 +1,22 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.474",
+      "changes": [
+        "DNS workflow planning now handles duplicate-capable records safely by matching exact type/name/content identity before singleton replacement, so adding an ACS apex TXT verification record cannot rewrite unrelated Google, Microsoft, or SPF TXT records.",
+        "DNS rollback planning can now delete only the extra allowlisted duplicate record that was not present in the backup while preserving sibling TXT records with the same name.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the DNS duplicate-record safety release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.473",
+      "changes": [
+        "`mail_send` now resolves Azure Communication Services outbound provider clients from explicit generic vault-item bindings, so production ACS sends can leave the agent mailbox after `CONFIRM_SEND` without parsing vault notes.",
+        "Outbound provider bindings now require an explicit credential item and secret field for ACS access keys, with tests covering missing, blank, malformed, non-object, and legacy-shaped vault payloads without leaking secret values.",
+        "The `ouro.bot` wrapper stays version-synced for the outbound provider-client release."
+      ]
+    },
     {
       "version": "0.1.0-alpha.472",
       "changes": [

package/dist/heart/daemon/dns-workflow.js

@@ -266,28 +266,57 @@ function recordsEqual(left, right) {
         left.ttl === right.ttl &&
         priorityEqual;
 }
+function recordIdentityKey(record) {
+    const priority = record.type === "MX" ? String(record.priority ?? 0) : "";
+    return `${recordKey(record)}:${record.content}:${priority}`;
+}
+function sameRecordIdentity(left, right) {
+    return recordIdentityKey(left) === recordIdentityKey(right);
+}
+function recordsWithKey(records, key) {
+    return records.filter((record) => recordKey(record) === key);
+}
+function findCurrentRecordForDesired(input) {
+    const key = recordKey(input.desired);
+    const currentSameKey = recordsWithKey(input.currentRecords, key);
+    const exact = currentSameKey.find((record) => sameRecordIdentity(record, input.desired));
+    if (exact)
+        return exact;
+    const desiredSameKey = recordsWithKey(input.desiredRecords, key);
+    if (currentSameKey.length === 1 && desiredSameKey.length === 1)
+        return currentSameKey[0];
+    return undefined;
+}
 function planDnsWorkflow(input) {
     assertDesiredRecordsAllowed(input.binding);
     const allowedKeys = new Set(input.binding.resources.records.map(recordKey));
-    const desiredKeys = new Set(input.binding.desired.records.map(recordKey));
     const changes = [];
+    const matchedCurrentRecords = new Set();
     for (const desired of input.binding.desired.records) {
-        const current = input.currentRecords.find((record) => recordKey(record) === recordKey(desired));
+        const current = findCurrentRecordForDesired({
+            desired,
+            desiredRecords: input.binding.desired.records,
+            currentRecords: input.currentRecords,
+        });
         if (!current) {
             changes.push({ action: "create", record: desired, reason: "desired record is missing" });
         }
         else if (!recordsEqual(current, desired)) {
+            matchedCurrentRecords.add(current);
             changes.push({ action: "update", record: desired, currentRecord: current, reason: "desired record differs from current provider record" });
         }
+        else {
+            matchedCurrentRecords.add(current);
+        }
     }
     if (input.deleteExtraAllowedRecords) {
         for (const current of input.currentRecords) {
-            if (allowedKeys.has(recordKey(current)) && !desiredKeys.has(recordKey(current))) {
+            if (allowedKeys.has(recordKey(current)) && !matchedCurrentRecords.has(current)) {
                 changes.push({ action: "delete", record: current, currentRecord: current, reason: "allowlisted record is absent from rollback backup" });
             }
         }
     }
-    const preservedRecords = input.currentRecords.filter((record) => !desiredKeys.has(recordKey(record)));
+    const preservedRecords = input.currentRecords.filter((record) => !matchedCurrentRecords.has(record));
     return {
         backup: { domain: input.binding.domain, records: input.currentRecords },
         changes,

package/dist/mailroom/outbound.js

@@ -35,6 +35,7 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.parseAcsEmailDeliveryReportEvent = void 0;
 exports.createAcsEmailProviderClient = createAcsEmailProviderClient;
+exports.resolveOutboundProviderClient = resolveOutboundProviderClient;
 exports.resolveOutboundTransport = resolveOutboundTransport;
 exports.createMailDraft = createMailDraft;
 exports.confirmMailDraftSend = confirmMailDraftSend;
@@ -148,6 +149,25 @@ function createAcsEmailProviderClient(input) {
         },
     };
 }
+async function resolveOutboundProviderClient(transport, reader, options = {}) {
+    if (transport.kind !== "azure-communication-services")
+        return undefined;
+    const credentialItem = transport.credentialItem?.trim();
+    if (!credentialItem) {
+        throw new Error("outbound Azure Communication Services transport is missing credentialItem");
+    }
+    const accessKeyField = transport.credentialFields?.accessKey?.trim() || "accessKey";
+    const accessKey = (await reader.readSecretField(credentialItem, accessKeyField)).trim();
+    if (!accessKey) {
+        throw new Error(`outbound Azure Communication Services required secret field ${accessKeyField} is blank`);
+    }
+    return createAcsEmailProviderClient({
+        endpoint: transport.endpoint,
+        accessKey,
+        ...(options.fetch ? { fetch: options.fetch } : {}),
+        ...(options.now ? { now: options.now } : {}),
+    });
+}
 function draftId() {
     return `draft_${crypto.randomBytes(12).toString("hex")}`;
 }

package/dist/repertoire/tools-mail.js

@@ -42,6 +42,7 @@ const outbound_1 = require("../mailroom/outbound");
 const policy_1 = require("../mailroom/policy");
 const core_1 = require("../mailroom/core");
 const runtime_1 = require("../nerves/runtime");
+const credential_access_1 = require("./credential-access");
 function trustAllowsMailRead(ctx) {
     const trustLevel = ctx?.context?.friend?.trustLevel;
     const allowed = trustLevel === undefined || (0, types_1.isTrustedLevel)(trustLevel);
@@ -133,6 +134,34 @@ function appendDecryptSkips(body, skipped) {
     const warning = renderDecryptSkips(skipped);
     return warning ? `${body}\n\n${warning}` : body;
 }
+function isRecord(value) {
+    return !!value && typeof value === "object" && !Array.isArray(value);
+}
+function vaultItemSecretField(rawSecret, item, field) {
+    let payload;
+    try {
+        payload = JSON.parse(rawSecret);
+    }
+    catch {
+        throw new Error(`vault item ${item} secret payload must be valid JSON`);
+    }
+    if (!isRecord(payload))
+        throw new Error(`vault item ${item} secret payload must be an object`);
+    const secretFields = isRecord(payload.secretFields) ? payload.secretFields : {};
+    const value = [secretFields[field], payload[field]]
+        .find((candidate) => typeof candidate === "string" && candidate.trim().length > 0);
+    if (!value)
+        throw new Error(`vault item ${item} is missing required secret field ${field}`);
+    return value;
+}
+async function outboundProviderClientForTransport(agentName, transport) {
+    return (0, outbound_1.resolveOutboundProviderClient)(transport, {
+        readSecretField: async (item, field) => {
+            const rawSecret = await (0, credential_access_1.getCredentialStore)(agentName).getRawSecret(item, "password");
+            return vaultItemSecretField(rawSecret, item, field);
+        },
+    });
+}
 function renderUndecryptableThread(message, keyId) {
     return [
         `Mail message ${message.id} could not be decrypted because this agent's vault is missing private mail key ${keyId}.`,
@@ -536,14 +565,16 @@ exports.mailToolDefinitions = [
             if (!resolved.ok)
                 return resolved.error;
             try {
+                const transport = (0, outbound_1.resolveOutboundTransport)(resolved.config);
                 const sent = await (0, outbound_1.confirmMailDraftSend)({
                     store: resolved.store,
                     agentId: resolved.agentName,
                     draftId,
-                    transport: (0, outbound_1.resolveOutboundTransport)(resolved.config),
+                    transport,
                     confirmation: args.confirmation ?? "",
                     autonomous: args.autonomous === "true",
                     autonomyPolicy: resolved.config.autonomousSendPolicy,
+                    providerClient: await outboundProviderClientForTransport(resolved.agentName, transport),
                     actor: actorFromContext(ctx, resolved.agentName),
                     reason: args.reason ?? "confirmed outbound send",
                 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.472",
+  "version": "0.1.0-alpha.474",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",