@ouro.bot/cli 0.1.0-alpha.483 → 0.1.0-alpha.484

package/changelog.json

@@ -1,6 +1,12 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.484",
+      "changes": [
+        "Agent-driven failover (the `switch to <provider>` reply path) now re-pings the candidate provider before mutating provider state. If credentials are missing or the ping fails, the active lane is left untouched, a `senses.failover_switch_refused` event is emitted, and the agent receives an operational refusal context message naming the lane it is still standing on plus the verified alternatives that remain so the next turn does not re-enter discovery mode."
+      ]
+    },
     {
       "version": "0.1.0-alpha.483",
       "changes": [

package/dist/heart/provider-failover.js

@@ -5,6 +5,7 @@ exports.formatReadyProviderLabel = formatReadyProviderLabel;
 exports.buildFailoverContext = buildFailoverContext;
 exports.handleFailoverReply = handleFailoverReply;
 exports.runMachineProviderFailoverInventory = runMachineProviderFailoverInventory;
+exports.validateFailoverSwitchCandidate = validateFailoverSwitchCandidate;
 const identity_1 = require("./identity");
 const provider_ping_1 = require("./provider-ping");
 const provider_models_1 = require("./provider-models");
@@ -170,6 +171,7 @@ function buildFailoverContext(errorMessage, classification, currentProvider, cur
         errorSummary,
         classification,
         currentProvider,
+        currentModel,
         currentLane,
         agentName,
         workingProviders,
@@ -264,3 +266,36 @@ async function runMachineProviderFailoverInventory(agentName, currentProvider, o
     });
     return inventory;
 }
+/**
+ * Re-verify a failover candidate is actually reachable right before we mutate
+ * provider state. The inventory ping that produced the candidate may be stale
+ * (creds revoked between inventory and reply); without this preflight, an
+ * agent-driven "switch to <provider>" can move the lane onto an unreachable
+ * provider and brick the next turn.
+ */
+async function validateFailoverSwitchCandidate(agentName, candidate, options = {}) {
+    const ping = options.ping ?? provider_ping_1.pingProvider;
+    const refreshPool = options.refreshPool ?? provider_credentials_1.refreshProviderCredentialPool;
+    const poolResult = await refreshPool(agentName);
+    if (!poolResult.ok) {
+        return {
+            ok: false,
+            classification: "auth-failure",
+            message: `provider credential pool unavailable (${poolResult.reason}): ${poolResult.error}`,
+        };
+    }
+    const record = poolResult.pool.providers[candidate.provider];
+    if (!record) {
+        return {
+            ok: false,
+            classification: "auth-failure",
+            message: `no credentials configured for ${candidate.provider}`,
+        };
+    }
+    const config = { ...record.credentials, ...record.config };
+    const result = await ping(candidate.provider, config, { model: candidate.model });
+    if (!result.ok) {
+        return { ok: false, classification: result.classification, message: result.message };
+    }
+    return { ok: true };
+}

package/dist/senses/pipeline.js

@@ -97,7 +97,23 @@ function resolveCurrentFailoverBinding(agentName, lane) {
     const fallback = lane === "inner" ? agentConfig.agentFacing : agentConfig.humanFacing;
     return { provider: fallback.provider, model: fallback.model };
 }
-function writeFailoverProviderStateSwitch(agentName, action) {
+/**
+ * Apply an agent-driven failover switch to provider state, but only after
+ * re-pinging the candidate. The inventory ping that produced the candidate
+ * may be stale by the time the agent replies — without this preflight, a
+ * "switch to <provider>" reply can move the lane onto an unreachable provider.
+ *
+ * Returns:
+ *   { ok: true }              — preflight passed, state mutated
+ *   { ok: false, refused }    — preflight failed, state untouched, caller should
+ *                                surface the refusal to the agent
+ * Throws on disk errors only (caught by caller as before).
+ */
+async function writeFailoverProviderStateSwitch(agentName, action) {
+    const validation = await (0, provider_failover_1.validateFailoverSwitchCandidate)(agentName, { provider: action.provider, model: action.model });
+    if (!validation.ok) {
+        return { ok: false, refused: true, classification: validation.classification, message: validation.message };
+    }
     const agentRoot = (0, identity_1.getAgentRoot)(agentName);
     const stateResult = (0, provider_state_1.readProviderState)(agentRoot);
     if (!stateResult.ok) {
@@ -125,11 +141,36 @@ function writeFailoverProviderStateSwitch(agentName, action) {
         lanes,
         readiness,
     });
+    return { ok: true };
 }
 function formatFailoverSwitchLabel(action) {
     const provenance = (0, provider_failover_1.formatCredentialProvenanceLabel)(action);
     return `${action.provider} (${action.model}${provenance ? `; ${provenance}` : ""})`;
 }
+/**
+ * Build the operational refusal context message handed back to the agent when
+ * a failover switch is rejected by the preflight ping. Slugger-tested format:
+ * lead with the refusal + reason, restate the lane that's still standing, then
+ * list remaining ready alternatives so the next turn doesn't have to re-enter
+ * discovery mode.
+ */
+function buildFailoverSwitchRefusedMessage(pendingContext, refusedAction, refusal) {
+    const refusedLabel = formatFailoverSwitchLabel(refusedAction);
+    const remaining = pendingContext.readyProviders.filter((candidate) => candidate.provider !== refusedAction.provider);
+    const alternativesLine = remaining.length > 0
+        ? `available verified alternatives right now: ${remaining.map((c) => `${c.provider} (${c.model})`).join(", ")}.`
+        : "no other verified alternatives are ready right now.";
+    const nextMove = remaining.length > 0
+        ? `next move: reply "switch to <provider>" picking one of the alternatives above, or tell the user you cannot continue and why.`
+        : `next move: ask the operator to repair credentials for ${refusedAction.provider} (or another provider), or tell the user you cannot continue and why.`;
+    return [
+        `[provider switch refused: tried to switch ${refusedAction.lane} lane to ${refusedLabel}.`,
+        `reason: preflight ping failed (${refusal.classification}: ${refusal.message}).`,
+        `current lane unchanged: ${pendingContext.currentProvider} / ${pendingContext.currentModel} on the ${pendingContext.currentLane} lane.`,
+        alternativesLine,
+        nextMove + "]",
+    ].join(" ");
+}
 function prependTurnSections(message, sections) {
     /* v8 ignore next -- defensive: only user messages with non-empty sections reach here @preserve */
     if (message.role !== "user" || sections.length === 0)
@@ -176,10 +217,9 @@ async function handleInboundTurn(input) {
         const failoverAgentName = pendingContext.agentName;
         input.failoverState.pending = null; // always clear before acting
         if (failoverAction.action === "switch") {
-            let switchSucceeded = false;
+            let switchOutcome = null;
             try {
-                writeFailoverProviderStateSwitch(failoverAgentName, failoverAction);
-                switchSucceeded = true;
+                switchOutcome = await writeFailoverProviderStateSwitch(failoverAgentName, failoverAction);
                 /* v8 ignore start -- defensive: write failure during provider switch @preserve */
             }
             catch (switchError) {
@@ -192,8 +232,7 @@ async function handleInboundTurn(input) {
                 });
             }
             /* v8 ignore stop */
-            /* v8 ignore next -- false branch: write-failure fallthrough @preserve */
-            if (switchSucceeded) {
+            if (switchOutcome?.ok) {
                 (0, runtime_1.emitNervesEvent)({
                     component: "senses",
                     event: "senses.failover_switch",
@@ -217,6 +256,29 @@ async function handleInboundTurn(input) {
                     }];
                 input.switchedProvider = failoverAction.provider;
             }
+            else if (switchOutcome && !switchOutcome.ok) {
+                // Preflight refused the switch — the candidate provider is not actually
+                // reachable right now. Keep the existing lane intact and tell the agent
+                // what happened so it can pick something else next turn.
+                (0, runtime_1.emitNervesEvent)({
+                    level: "warn",
+                    component: "senses",
+                    event: "senses.failover_switch_refused",
+                    message: `refused failover switch of ${failoverAction.lane} lane to ${failoverAction.provider}: ${switchOutcome.message}`,
+                    meta: {
+                        agentName: failoverAgentName,
+                        lane: failoverAction.lane,
+                        provider: failoverAction.provider,
+                        model: failoverAction.model,
+                        classification: switchOutcome.classification,
+                        error: switchOutcome.message,
+                    },
+                });
+                input.messages = [{
+                        role: "user",
+                        content: buildFailoverSwitchRefusedMessage(pendingContext, failoverAction, switchOutcome),
+                    }];
+            }
             // Switch failed OR succeeded — either way, fall through to normal processing.
         }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.483",
+  "version": "0.1.0-alpha.484",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",