@ouro.bot/cli 0.1.0-alpha.5 → 0.1.0-alpha.500

package/dist/repertoire/coding/tools.js

@@ -1,8 +1,13 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.codingToolDefinitions = void 0;
+exports.countFilesInSessionOutput = countFilesInSessionOutput;
 const index_1 = require("./index");
+const context_pack_1 = require("./context-pack");
+const identity_1 = require("../../heart/identity");
+const obligations_1 = require("../../arc/obligations");
 const runtime_1 = require("../../nerves/runtime");
+const scrutiny_1 = require("../../mind/scrutiny");
 const RUNNERS = ["claude", "codex"];
 function requireArg(args, key) {
     const value = args[key];
@@ -29,11 +34,112 @@ function emitCodingToolEvent(toolName) {
         meta: { toolName },
     });
 }
+/**
+ * Count distinct file paths mentioned in a coding session's stdout output.
+ * Looks for path-like tokens (containing / and a file extension).
+ * Returns the count of unique paths found.
+ */
+function countFilesInSessionOutput(session) {
+    const text = `${session.stdoutTail}\n${session.stderrTail}`;
+    // Match path-like tokens: contain at least one / and a file extension
+    const pathPattern = /(?:^|\s)((?:\/|\.\/|\.\.\/)?(?:[\w.@-]+\/)+[\w.-]+\.[\w]+)/gm;
+    const paths = new Set();
+    let match;
+    while ((match = pathPattern.exec(text)) !== null) {
+        paths.add(match[1]);
+    }
+    return paths.size;
+}
+/**
+ * If a coding session is completed, append scrutiny to the result.
+ * Returns the original result with scrutiny appended, or unchanged if
+ * the session is not completed or has no file changes.
+ */
+function appendCompletionScrutiny(result, session) {
+    if (session.status !== "completed")
+        return result;
+    const fileCount = countFilesInSessionOutput(session);
+    const scrutiny = (0, scrutiny_1.getCodingCompletionScrutiny)(fileCount);
+    return scrutiny ? `${result}\n\n${scrutiny}` : result;
+}
+function sameOriginSession(left, right) {
+    if (!left && !right)
+        return true;
+    if (!left || !right)
+        return false;
+    return left.friendId === right.friendId && left.channel === right.channel && left.key === right.key;
+}
+function matchesReusableCodingSession(session, request) {
+    if (session.status !== "spawning" && session.status !== "running" && session.status !== "waiting_input" && session.status !== "stalled") {
+        return false;
+    }
+    const scopeMatches = request.scopeFile ? session.scopeFile === request.scopeFile : true;
+    const stateMatches = request.stateFile ? session.stateFile === request.stateFile : true;
+    return (session.runner === request.runner &&
+        session.workdir === request.workdir &&
+        session.taskRef === request.taskRef &&
+        scopeMatches &&
+        stateMatches &&
+        session.obligationId === request.obligationId &&
+        sameOriginSession(request.originSession, session.originSession));
+}
+function latestSessionFirst(left, right) {
+    const lastActivityDelta = Date.parse(right.lastActivityAt) - Date.parse(left.lastActivityAt);
+    if (lastActivityDelta !== 0)
+        return lastActivityDelta;
+    return right.id.localeCompare(left.id);
+}
+function findReusableCodingSession(sessions, request) {
+    const matches = sessions.filter((session) => matchesReusableCodingSession(session, request)).sort(latestSessionFirst);
+    return matches[0] ?? null;
+}
+function isLiveCodingStatus(status) {
+    return status === "spawning" || status === "running" || status === "waiting_input" || status === "stalled";
+}
+function rankCodingStatusSession(session, currentSession) {
+    return sameOriginSession({
+        friendId: currentSession.friendId,
+        channel: currentSession.channel,
+        key: currentSession.key,
+    }, session.originSession)
+        ? 0
+        : 1;
+}
+function selectCodingStatusSessions(sessions, currentSession) {
+    if (sessions.length === 0)
+        return [];
+    if (!currentSession) {
+        return sessions;
+    }
+    const activeSessions = sessions.filter((session) => isLiveCodingStatus(session.status)).sort(latestSessionFirst);
+    if (activeSessions.length > 0) {
+        return activeSessions.sort((left, right) => {
+            const rankDelta = rankCodingStatusSession(left, currentSession) - rankCodingStatusSession(right, currentSession);
+            if (rankDelta !== 0)
+                return rankDelta;
+            return latestSessionFirst(left, right);
+        });
+    }
+    const matchingClosedSessions = sessions
+        .filter((session) => sameOriginSession({
+        friendId: currentSession.friendId,
+        channel: currentSession.channel,
+        key: currentSession.key,
+    }, session.originSession))
+        .sort(latestSessionFirst);
+    if (matchingClosedSessions.length > 0) {
+        return matchingClosedSessions;
+    }
+    return [...sessions].sort(latestSessionFirst);
+}
+function buildCodingObligationContent(taskRef) {
+    return `finish ${taskRef} and bring the result back`;
+}
 const codingSpawnTool = {
     type: "function",
     function: {
         name: "coding_spawn",
-        description: "spawn a coding session using claude/codex and explicit task-threaded guidance",
+        description: "Spawn a coding session using claude or codex with task-threaded guidance. The coding session runs as a separate process with its own context. Give it a COMPLETE, SELF-CONTAINED task description -- it cannot see this conversation, doesn't know what you've tried, doesn't understand the broader context. Include: what to do, why, what files are involved, what 'done' looks like. Never delegate understanding -- don't write 'based on the conversation, fix the bug.' Write the specific file paths, line numbers, and what to change. Include any required verification steps or tests in the task description so the coding session knows how to prove the work is done.",
         parameters: {
             type: "object",
             properties: {
@@ -52,7 +158,7 @@ const codingStatusTool = {
     type: "function",
     function: {
         name: "coding_status",
-        description: "inspect coding sessions; omit sessionId to list all active/known sessions",
+        description: "Inspect coding sessions. Omit sessionId to list all active/known sessions with their status. Use this to check progress before asking the human for a status update.",
         parameters: {
             type: "object",
             properties: {
@@ -61,6 +167,20 @@ const codingStatusTool = {
         },
     },
 };
+const codingTailTool = {
+    type: "function",
+    function: {
+        name: "coding_tail",
+        description: "Show recent stdout/stderr output from a coding session. Use this to understand what the session is doing or why it might be stuck. Read the actual output before reporting status -- don't guess.",
+        parameters: {
+            type: "object",
+            properties: {
+                sessionId: { type: "string" },
+            },
+            required: ["sessionId"],
+        },
+    },
+};
 const codingSendInputTool = {
     type: "function",
     function: {
@@ -93,7 +213,7 @@ const codingKillTool = {
 exports.codingToolDefinitions = [
     {
         tool: codingSpawnTool,
-        handler: async (args) => {
+        handler: async (args, ctx) => {
             emitCodingToolEvent("coding_spawn");
             const rawRunner = requireArg(args, "runner");
             if (!rawRunner)
@@ -116,30 +236,110 @@ exports.codingToolDefinitions = [
                 prompt,
                 taskRef,
             };
+            if (ctx?.currentSession && ctx.currentSession.channel !== "inner") {
+                request.originSession = {
+                    friendId: ctx.currentSession.friendId,
+                    channel: ctx.currentSession.channel,
+                    key: ctx.currentSession.key,
+                };
+                const obligation = (0, obligations_1.findPendingObligationForOrigin)((0, identity_1.getAgentRoot)(), request.originSession);
+                if (obligation) {
+                    request.obligationId = obligation.id;
+                }
+            }
             const scopeFile = optionalArg(args, "scopeFile");
             if (scopeFile)
                 request.scopeFile = scopeFile;
             const stateFile = optionalArg(args, "stateFile");
             if (stateFile)
                 request.stateFile = stateFile;
-            const session = await (0, index_1.getCodingSessionManager)().spawnSession(request);
+            const manager = (0, index_1.getCodingSessionManager)();
+            const existingSessions = manager.listSessions();
+            const existingSession = findReusableCodingSession(existingSessions, request);
+            if (existingSession) {
+                (0, runtime_1.emitNervesEvent)({
+                    component: "repertoire",
+                    event: "repertoire.coding_session_reused",
+                    message: "reused active coding session",
+                    meta: { id: existingSession.id, runner: existingSession.runner, taskRef: existingSession.taskRef },
+                });
+                if (ctx?.codingFeedback) {
+                    (0, index_1.attachCodingSessionFeedback)(manager, existingSession, ctx.codingFeedback);
+                }
+                return JSON.stringify({ ...existingSession, reused: true });
+            }
+            if (request.originSession && !request.obligationId) {
+                const created = (0, obligations_1.createObligation)((0, identity_1.getAgentRoot)(), {
+                    origin: request.originSession,
+                    content: buildCodingObligationContent(taskRef),
+                });
+                request.obligationId = created.id;
+            }
+            if (!request.scopeFile || !request.stateFile) {
+                const generated = (0, context_pack_1.prepareCodingContextPack)({
+                    request: { ...request },
+                    existingSessions,
+                    activeWorkFrame: ctx?.activeWorkFrame,
+                });
+                if (!request.scopeFile)
+                    request.scopeFile = generated.scopeFile;
+                if (!request.stateFile)
+                    request.stateFile = generated.stateFile;
+            }
+            const session = await manager.spawnSession(request);
+            if (session.obligationId) {
+                (0, obligations_1.advanceObligation)((0, identity_1.getAgentRoot)(), session.obligationId, {
+                    status: "investigating",
+                    currentSurface: { kind: "coding", label: `${session.runner} ${session.id}` },
+                    latestNote: session.originSession
+                        ? `coding session started for ${session.originSession.channel}/${session.originSession.key}`
+                        : "coding session started",
+                });
+            }
+            if (args.runner === "codex" && args.taskRef) {
+                (0, runtime_1.emitNervesEvent)({
+                    component: "repertoire",
+                    event: "repertoire.coding_codex_spawned",
+                    message: "spawned codex coding session",
+                    meta: { sessionId: session.id, taskRef: args.taskRef },
+                });
+            }
+            if (ctx?.codingFeedback) {
+                (0, index_1.attachCodingSessionFeedback)(manager, session, ctx.codingFeedback);
+            }
             return JSON.stringify(session);
         },
+        summaryKeys: ["runner", "workdir", "taskRef"],
     },
     {
         tool: codingStatusTool,
-        handler: (args) => {
+        handler: (args, ctx) => {
             emitCodingToolEvent("coding_status");
             const manager = (0, index_1.getCodingSessionManager)();
             const sessionId = requireArg(args, "sessionId");
             if (!sessionId) {
-                return JSON.stringify(manager.listSessions());
+                return JSON.stringify(selectCodingStatusSessions(manager.listSessions(), ctx?.currentSession));
             }
             const session = manager.getSession(sessionId);
             if (!session)
                 return `session not found: ${sessionId}`;
-            return JSON.stringify(session);
+            return appendCompletionScrutiny(JSON.stringify(session), session);
+        },
+        summaryKeys: ["sessionId"],
+    },
+    {
+        tool: codingTailTool,
+        handler: (args) => {
+            emitCodingToolEvent("coding_tail");
+            const sessionId = requireArg(args, "sessionId");
+            if (!sessionId)
+                return "sessionId is required";
+            const session = (0, index_1.getCodingSessionManager)().getSession(sessionId);
+            if (!session)
+                return `session not found: ${sessionId}`;
+            return appendCompletionScrutiny((0, index_1.formatCodingTail)(session), session);
         },
+        summaryKeys: ["sessionId"],
     },
     {
         tool: codingSendInputTool,
@@ -153,6 +353,7 @@ exports.codingToolDefinitions = [
                 return "input is required";
             return JSON.stringify((0, index_1.getCodingSessionManager)().sendInput(sessionId, input));
         },
+        summaryKeys: ["sessionId", "input"],
     },
     {
         tool: codingKillTool,
@@ -163,5 +364,6 @@ exports.codingToolDefinitions = [
                 return "sessionId is required";
             return JSON.stringify((0, index_1.getCodingSessionManager)().killSession(sessionId));
         },
+        summaryKeys: ["sessionId"],
     },
 ];

package/dist/repertoire/commerce-errors.js

@@ -0,0 +1,109 @@
+"use strict";
+/**
+ * Commerce-specific error types and helpers.
+ *
+ * These errors carry structured `code` and `meta` fields for nerves event
+ * compatibility and provide patterns for common commerce failure modes:
+ * retry, price change detection, and partial failure reporting.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProfileError = exports.BookingError = exports.PaymentError = exports.CommerceError = void 0;
+exports.retryOnce = retryOnce;
+exports.priceChangeGuard = priceChangeGuard;
+exports.partialFailureReport = partialFailureReport;
+// ---------------------------------------------------------------------------
+// Error types
+// ---------------------------------------------------------------------------
+class CommerceError extends Error {
+    code;
+    meta;
+    constructor(message, code, meta = {}) {
+        super(message);
+        this.name = "CommerceError";
+        this.code = code;
+        this.meta = meta;
+    }
+}
+exports.CommerceError = CommerceError;
+class PaymentError extends CommerceError {
+    constructor(message, code, meta = {}) {
+        super(message, code, meta);
+        this.name = "PaymentError";
+    }
+}
+exports.PaymentError = PaymentError;
+class BookingError extends CommerceError {
+    constructor(message, code, meta = {}) {
+        super(message, code, meta);
+        this.name = "BookingError";
+    }
+}
+exports.BookingError = BookingError;
+class ProfileError extends CommerceError {
+    constructor(message, code, meta = {}) {
+        super(message, code, meta);
+        this.name = "ProfileError";
+    }
+}
+exports.ProfileError = ProfileError;
+// ---------------------------------------------------------------------------
+// Transient error detection
+// ---------------------------------------------------------------------------
+const TRANSIENT_CODES = new Set(["COMMERCE_TRANSIENT", "COMMERCE_TIMEOUT", "COMMERCE_NETWORK"]);
+function isTransient(err) {
+    return err instanceof CommerceError && TRANSIENT_CODES.has(err.code);
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/**
+ * Retry a function once on transient failure, then throw.
+ * Non-transient errors are thrown immediately without retry.
+ */
+async function retryOnce(fn) {
+    try {
+        return await fn();
+    }
+    catch (err) {
+        if (!isTransient(err))
+            throw err;
+        // One retry
+        return fn();
+    }
+}
+/**
+ * Throw PaymentError if the actual price differs from the approved price
+ * by more than 5%. Used to protect against price changes between search
+ * and booking.
+ */
+function priceChangeGuard(approved, actual) {
+    if (approved === 0 && actual === 0)
+        return;
+    if (approved === 0) {
+        throw new PaymentError(`price changed from $0 to $${actual} — cannot verify percentage change`, "PAYMENT_PRICE_CHANGED", { approved, actual });
+    }
+    const delta = Math.abs(actual - approved) / approved;
+    if (delta > 0.05) {
+        throw new PaymentError(`price changed by ${(delta * 100).toFixed(1)}% (approved: $${approved}, actual: $${actual})`, "PAYMENT_PRICE_CHANGED", { approved, actual, deltaPercent: delta * 100 });
+    }
+}
+/**
+ * Format a human-readable status report for multi-service booking attempts.
+ * Each entry has a service name, status, and optional error message.
+ */
+function partialFailureReport(results) {
+    if (results.length === 0) {
+        return "no services attempted.";
+    }
+    const lines = results.map((r) => {
+        const status = r.status === "success" ? "success" : "failed";
+        const detail = r.error ? ` — ${r.error}` : "";
+        return `  ${r.service}: ${status}${detail}`;
+    });
+    const succeeded = results.filter((r) => r.status === "success").length;
+    const failed = results.length - succeeded;
+    return [
+        `booking status: ${succeeded} succeeded, ${failed} failed`,
+        ...lines,
+    ].join("\n");
+}

package/dist/repertoire/commerce-self-test.js

@@ -0,0 +1,156 @@
+"use strict";
+/**
+ * Commerce self-test — per-service health checks for the agent's
+ * commerce infrastructure (Stripe, Duffel, LiteAPI).
+ *
+ * Used by the setup wizard to verify configuration and provide
+ * actionable error messages when services are misconfigured.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.commerceSelfTest = commerceSelfTest;
+const stripe_client_1 = require("./stripe-client");
+const duffel_client_1 = require("./duffel-client");
+const credential_access_1 = require("./credential-access");
+const runtime_1 = require("../nerves/runtime");
+// ---------------------------------------------------------------------------
+// Per-service tests
+// ---------------------------------------------------------------------------
+async function testStripe() {
+    try {
+        const client = await (0, stripe_client_1.createStripeClient)();
+        // Create a test card and immediately deactivate it
+        const card = await client.createVirtualCard({
+            type: "single_use",
+            spendLimit: 1,
+            currency: "usd",
+        });
+        await client.deactivateCard(card.cardId);
+        return { status: "ok", message: "Stripe Issuing working. Test card created and deactivated." };
+    }
+    catch (err) {
+        /* v8 ignore next -- reason @preserve */
+        const reason = err instanceof Error ? err.message : String(err);
+        if (reason.includes("no credential found") || reason.includes("restrictedKey")) {
+            return {
+                status: "error",
+                message: `Stripe key missing. Add your restricted key at https://dashboard.stripe.com/apikeys and store it in the vault as stripe.com/restrictedKey.`,
+            };
+        }
+        if (reason.includes("401") || reason.includes("Invalid API Key")) {
+            return {
+                status: "error",
+                message: `Stripe key returned 401. Verify it at https://dashboard.stripe.com/apikeys.`,
+            };
+        }
+        return {
+            status: "error",
+            message: `Stripe error: ${reason}`,
+        };
+    }
+}
+async function testDuffel() {
+    try {
+        const client = await (0, duffel_client_1.createDuffelClient)();
+        await client.searchFlights({
+            origin: "SFO",
+            destination: "JFK",
+            departureDate: new Date(Date.now() + 30 * 86400000).toISOString().split("T")[0],
+            passengers: [{ type: "adult" }],
+        });
+        return { status: "ok", message: "Duffel Flights working. Test search completed." };
+    }
+    catch (err) {
+        /* v8 ignore next -- reason @preserve */
+        const reason = err instanceof Error ? err.message : String(err);
+        if (reason.includes("no credential found") || reason.includes("apiKey")) {
+            return {
+                status: "error",
+                message: `Duffel key missing. Add your API key from https://app.duffel.com/tokens and store it in the vault as duffel.com/apiKey.`,
+            };
+        }
+        if (reason.includes("401") || reason.includes("Unauthorized")) {
+            return {
+                status: "error",
+                message: `Your Duffel key returned 401. Verify it at https://app.duffel.com/tokens.`,
+            };
+        }
+        return {
+            status: "error",
+            message: `Duffel error: ${reason}`,
+        };
+    }
+}
+async function testLiteApi() {
+    try {
+        const store = (0, credential_access_1.getCredentialStore)();
+        await store.getRawSecret("liteapi.travel", "apiKey");
+        // If we can retrieve the key, the config is present.
+        // LiteAPI is accessed via MCP, so we can't do a direct API call here.
+        // The actual health check happens when the MCP server starts.
+        return { status: "ok", message: "LiteAPI key found in vault. MCP server will use vault:liteapi.travel/apiKey." };
+    }
+    catch (err) {
+        /* v8 ignore next -- reason @preserve */
+        const reason = err instanceof Error ? err.message : String(err);
+        if (reason.includes("no credential found")) {
+            return {
+                status: "error",
+                message: `LiteAPI key missing. Get your API key from https://dashboard.liteapi.travel and store it in the vault as liteapi.travel/apiKey.`,
+            };
+        }
+        return {
+            status: "error",
+            message: `LiteAPI error: ${reason}`,
+        };
+    }
+}
+// ---------------------------------------------------------------------------
+// Main self-test
+// ---------------------------------------------------------------------------
+async function commerceSelfTest() {
+    (0, runtime_1.emitNervesEvent)({
+        component: "repertoire",
+        event: "repertoire.commerce_self_test_start",
+        message: "starting commerce self-test",
+        meta: {},
+    });
+    const [stripe, duffel, liteapi] = await Promise.all([
+        testStripe(),
+        testDuffel(),
+        testLiteApi(),
+    ]);
+    const services = { stripe, duffel, liteapi };
+    const okCount = Object.values(services).filter((s) => s.status === "ok").length;
+    const total = Object.keys(services).length;
+    let overall;
+    if (okCount === total) {
+        overall = "healthy";
+    }
+    else if (okCount > 0) {
+        overall = "partial";
+    }
+    else {
+        overall = "unhealthy";
+    }
+    const lines = [];
+    if (stripe.status === "ok")
+        lines.push("Stripe: working");
+    else
+        lines.push(`Stripe: ${stripe.message}`);
+    if (duffel.status === "ok")
+        lines.push("Duffel: working");
+    else
+        lines.push(`Duffel: ${duffel.message}`);
+    if (liteapi.status === "ok")
+        lines.push("LiteAPI: working");
+    else
+        lines.push(`LiteAPI: ${liteapi.message}`);
+    const summary = `Commerce health: ${okCount}/${total} services ok.\n${lines.join("\n")}`;
+    (0, runtime_1.emitNervesEvent)({
+        component: "repertoire",
+        event: "repertoire.commerce_self_test_end",
+        message: "commerce self-test complete",
+        meta: { overall, okCount, total },
+    });
+    return { overall, services, summary };
+}

package/dist/repertoire/credential-access.js

@@ -0,0 +1,111 @@
+"use strict";
+/**
+ * Credential access layer.
+ *
+ * Bitwarden/Vaultwarden is the sole runtime credential store. The only local
+ * secret is the vault unlock material held by an explicit local unlock store.
+ *
+ * Each agent owns one credential vault. getCredentialStore() returns that
+ * agent's vault directly; item names are not shared or namespaced across
+ * agents.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getCredentialStore = getCredentialStore;
+exports.resetCredentialStore = resetCredentialStore;
+const crypto = __importStar(require("node:crypto"));
+const fs = __importStar(require("node:fs"));
+const os = __importStar(require("node:os"));
+const path = __importStar(require("node:path"));
+const runtime_1 = require("../nerves/runtime");
+const identity = __importStar(require("../heart/identity"));
+const bitwarden_store_1 = require("./bitwarden-store");
+const vault_unlock_1 = require("./vault-unlock");
+let stores = new Map();
+function loadVaultSectionForAgent(agentName) {
+    const configPath = path.join(identity.getAgentRoot(agentName), "agent.json");
+    try {
+        const parsed = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+        return { configPath, vault: parsed.vault };
+    }
+    catch {
+        return { configPath };
+    }
+}
+function bitwardenAppDataDir(agentName, vaultConfig) {
+    const digest = crypto
+        .createHash("sha256")
+        .update(`${agentName}:${vaultConfig.serverUrl}:${vaultConfig.email}`)
+        .digest("hex")
+        .slice(0, 24);
+    return path.join(os.homedir(), ".ouro-cli", "bitwarden", digest);
+}
+function getCredentialStore(agentNameInput) {
+    const agentName = agentNameInput ?? identity.getAgentName();
+    if (agentName === "SerpentGuide") {
+        throw new Error("SerpentGuide does not have a persistent credential vault; hatch bootstrap uses provider credentials in memory only.");
+    }
+    const { configPath, vault } = loadVaultSectionForAgent(agentName);
+    if (!vault || typeof vault.email !== "string" || vault.email.trim().length === 0) {
+        throw new Error((0, vault_unlock_1.credentialVaultNotConfiguredError)(agentName, configPath));
+    }
+    const vaultConfig = identity.resolveVaultConfig(agentName, vault);
+    const cacheKey = `${agentName}:${vaultConfig.serverUrl}:${vaultConfig.email}`;
+    const cached = stores.get(cacheKey);
+    if (cached)
+        return cached;
+    const unlock = (0, vault_unlock_1.readVaultUnlockSecret)({
+        agentName,
+        email: vaultConfig.email,
+        serverUrl: vaultConfig.serverUrl,
+    });
+    const store = new bitwarden_store_1.BitwardenCredentialStore(vaultConfig.serverUrl, vaultConfig.email, unlock.secret, { appDataDir: bitwardenAppDataDir(agentName, vaultConfig) });
+    stores.set(cacheKey, store);
+    (0, runtime_1.emitNervesEvent)({
+        event: "repertoire.credential_store_init",
+        component: "repertoire",
+        message: "credential store initialized",
+        meta: {
+            backend: "bitwarden",
+            agentName,
+            serverUrl: vaultConfig.serverUrl,
+            email: vaultConfig.email,
+        },
+    });
+    return store;
+}
+function resetCredentialStore() {
+    stores = new Map();
+}