@ouro.bot/cli 0.1.0-alpha.519 → 0.1.0-alpha.520

package/dist/heart/runtime-credentials.js

@@ -39,6 +39,8 @@ exports.readRuntimeCredentialConfig = readRuntimeCredentialConfig;
 exports.readMachineRuntimeCredentialConfig = readMachineRuntimeCredentialConfig;
 exports.cacheRuntimeCredentialConfig = cacheRuntimeCredentialConfig;
 exports.cacheMachineRuntimeCredentialConfig = cacheMachineRuntimeCredentialConfig;
+exports.applyRuntimeCredentialBootstrapMessage = applyRuntimeCredentialBootstrapMessage;
+exports.waitForRuntimeCredentialBootstrap = waitForRuntimeCredentialBootstrap;
 exports.refreshRuntimeCredentialConfig = refreshRuntimeCredentialConfig;
 exports.refreshMachineRuntimeCredentialConfig = refreshMachineRuntimeCredentialConfig;
 exports.upsertRuntimeCredentialConfig = upsertRuntimeCredentialConfig;
@@ -48,6 +50,7 @@ const crypto = __importStar(require("node:crypto"));
 const runtime_1 = require("../nerves/runtime");
 const credential_access_1 = require("../repertoire/credential-access");
 const identity_1 = require("./identity");
+const provider_credentials_1 = require("./provider-credentials");
 exports.RUNTIME_CONFIG_ITEM_NAME = "runtime/config";
 exports.MACHINE_RUNTIME_CONFIG_ITEM_PREFIX = "runtime/machines";
 let cachedRuntimeConfigs = new Map();
@@ -55,6 +58,36 @@ let cachedMachineRuntimeConfigs = new Map();
 function isRecord(value) {
     return !!value && typeof value === "object" && !Array.isArray(value);
 }
+function isCredentialValue(value) {
+    return typeof value === "string" || typeof value === "number";
+}
+function isCredentialRecord(value) {
+    if (!isRecord(value))
+        return false;
+    return Object.values(value).every(isCredentialValue);
+}
+function isProviderCredentialRecord(value) {
+    if (!isRecord(value))
+        return false;
+    if (typeof value.provider !== "string")
+        return false;
+    if (typeof value.revision !== "string" || value.revision.trim().length === 0)
+        return false;
+    if (typeof value.updatedAt !== "string" || value.updatedAt.trim().length === 0)
+        return false;
+    if (!isCredentialRecord(value.credentials))
+        return false;
+    if (!isCredentialRecord(value.config))
+        return false;
+    const provenance = value.provenance;
+    if (!isRecord(provenance))
+        return false;
+    if (provenance.source !== "auth-flow" && provenance.source !== "manual")
+        return false;
+    if (typeof provenance.updatedAt !== "string" || provenance.updatedAt.trim().length === 0)
+        return false;
+    return true;
+}
 function stableJson(value) {
     if (Array.isArray(value))
         return `[${value.map(stableJson).join(",")}]`;
@@ -159,6 +192,80 @@ function cacheMachineRuntimeCredentialConfig(agentName, config, now = new Date()
     };
     return cacheMachineResult(agentName, resultFromPayloadForItem(agentName, machineRuntimeConfigItemName(machineId), payload));
 }
+function isRuntimeCredentialBootstrapMessage(value) {
+    if (!value || typeof value !== "object" || Array.isArray(value))
+        return false;
+    const record = value;
+    if (record.type !== "ouro.runtimeCredentialBootstrap")
+        return false;
+    if (typeof record.agentName !== "string" || record.agentName.trim().length === 0)
+        return false;
+    if (record.runtimeConfig !== undefined && !isRecord(record.runtimeConfig))
+        return false;
+    if (record.machineRuntimeConfig !== undefined && !isRecord(record.machineRuntimeConfig))
+        return false;
+    if (record.machineId !== undefined && (typeof record.machineId !== "string" || record.machineId.trim().length === 0))
+        return false;
+    if (record.providerCredentialRecords !== undefined
+        && (!Array.isArray(record.providerCredentialRecords)
+            || !record.providerCredentialRecords.every(isProviderCredentialRecord)))
+        return false;
+    return true;
+}
+function applyRuntimeCredentialBootstrapMessage(message) {
+    if (!isRuntimeCredentialBootstrapMessage(message))
+        return false;
+    const agentName = message.agentName.trim();
+    const now = new Date();
+    if (message.runtimeConfig) {
+        cacheRuntimeCredentialConfig(agentName, message.runtimeConfig, now);
+    }
+    if (message.machineRuntimeConfig) {
+        cacheMachineRuntimeCredentialConfig(agentName, message.machineRuntimeConfig, now, message.machineId ?? "<this-machine>");
+    }
+    if (message.providerCredentialRecords && message.providerCredentialRecords.length > 0) {
+        (0, provider_credentials_1.cacheProviderCredentialRecords)(agentName, message.providerCredentialRecords, now);
+    }
+    (0, runtime_1.emitNervesEvent)({
+        component: "config/identity",
+        event: "config.runtime_credentials_bootstrapped",
+        message: "loaded runtime credentials from daemon bootstrap",
+        meta: {
+            agentName,
+            runtimeConfig: !!message.runtimeConfig,
+            machineRuntimeConfig: !!message.machineRuntimeConfig,
+            providerCredentialRecords: message.providerCredentialRecords?.length ?? 0,
+        },
+    });
+    return true;
+}
+function waitForRuntimeCredentialBootstrap(agentName, options = {}) {
+    const timeoutMs = options.timeoutMs ?? 1_500;
+    return new Promise((resolve) => {
+        let settled = false;
+        let timer = null;
+        const finish = (value) => {
+            /* v8 ignore next -- defensive: listener cleanup and timer cleanup prevent double settlement @preserve */
+            if (settled)
+                return;
+            settled = true;
+            /* v8 ignore next -- defensive: timer is assigned immediately after listener registration @preserve */
+            if (timer)
+                clearTimeout(timer);
+            process.off?.("message", onMessage);
+            resolve(value);
+        };
+        const onMessage = (message) => {
+            if (!isRuntimeCredentialBootstrapMessage(message))
+                return;
+            if (message.agentName.trim() !== agentName.trim())
+                return;
+            finish(applyRuntimeCredentialBootstrapMessage(message));
+        };
+        process.on?.("message", onMessage);
+        timer = setTimeout(() => finish(false), timeoutMs);
+    });
+}
 async function refreshRuntimeCredentialConfigItem(agentName, itemName, cache, options = {}) {
     try {
         const store = (0, credential_access_1.getCredentialStore)(agentName);

package/dist/heart/session-events.js

@@ -1090,15 +1090,14 @@ function loadFullEventHistory(sessPath) {
     catch {
         // Archive file doesn't exist or can't be read -- that's fine
     }
-    // Merge, deduplicate by id, sort by sequence
-    const seen = new Set();
-    const merged = [];
-    for (const event of [...archiveEvents, ...envelopeEvents]) {
-        if (seen.has(event.id))
-            continue;
-        seen.add(event.id);
-        merged.push(event);
-    }
+    // Merge, deduplicate by id, sort by sequence. The live envelope is the
+    // current projection, so it wins if an older archive line has a colliding id.
+    const mergedById = new Map();
+    for (const event of archiveEvents)
+        mergedById.set(event.id, event);
+    for (const event of envelopeEvents)
+        mergedById.set(event.id, event);
+    const merged = [...mergedById.values()];
     merged.sort((a, b) => a.sequence - b.sequence);
     return merged;
 }

package/dist/heart/session-transcript.js

@@ -4,15 +4,62 @@ exports.summarizeSessionTail = summarizeSessionTail;
 exports.searchSessionTranscript = searchSessionTranscript;
 const runtime_1 = require("../nerves/runtime");
 const session_events_1 = require("./session-events");
-function normalizeSessionMessages(events) {
-    return events
+function shouldIncludeToolMessages(friendId, channel) {
+    return friendId === "self" && channel === "inner";
+}
+function sortEventsForTranscript(events) {
+    return [...events].sort((a, b) => {
+        const byTime = Date.parse((0, session_events_1.bestEventTimestamp)(a)) - Date.parse((0, session_events_1.bestEventTimestamp)(b));
+        return byTime === 0 ? a.sequence - b.sequence : byTime;
+    });
+}
+function parseToolArguments(toolCall) {
+    try {
+        const parsed = JSON.parse(toolCall.function.arguments);
+        return parsed && typeof parsed === "object" && !Array.isArray(parsed)
+            ? parsed
+            : null;
+    }
+    catch {
+        return null;
+    }
+}
+function extractHumanVisibleToolText(event, context) {
+    if (event.role !== "assistant" || event.toolCalls.length === 0)
+        return "";
+    for (const toolCall of event.toolCalls) {
+        const args = parseToolArguments(toolCall);
+        if (!args)
+            continue;
+        if (toolCall.function.name === "settle" && typeof args.answer === "string") {
+            return args.answer.trim();
+        }
+        if (toolCall.function.name === "send_message" && typeof args.content === "string") {
+            const targetChannel = typeof args.channel === "string" ? args.channel : "";
+            const targetFriendId = typeof args.friendId === "string" ? args.friendId : "";
+            const targetKey = typeof args.key === "string" ? args.key : "session";
+            if (targetChannel === context.channel && targetFriendId === context.friendId && targetKey === context.key) {
+                return args.content.trim();
+            }
+        }
+    }
+    return "";
+}
+function normalizeSessionMessages(events, context) {
+    return sortEventsForTranscript(events)
         .map((event) => ({
         id: event.id,
         role: event.role,
-        content: (0, session_events_1.extractEventText)(event),
+        content: (0, session_events_1.extractEventText)(event) || extractHumanVisibleToolText(event, context),
         timestamp: (0, session_events_1.formatSessionEventTimestamp)(event),
     }))
-        .filter((message) => message.role !== "system" && message.content.length > 0);
+        .filter((message) => {
+        if (message.role === "system")
+            return false;
+        if (message.role === "tool" && !context.includeToolMessages)
+            return false;
+        return message.content.length > 0;
+    });
 }
 function buildSummaryInstruction(friendId, channel, trustLevel) {
     if (friendId === "self" && channel === "inner") {
@@ -36,6 +83,18 @@ function buildSnapshot(summary, tailMessages) {
     }
     return lines.join("\n");
 }
+function selectSessionTailMessages(messages, messageCount) {
+    const requestedCount = Number.isFinite(messageCount) && messageCount > 0 ? Math.floor(messageCount) : 20;
+    const tail = messages.slice(-requestedCount);
+    const selectedIds = new Set(tail.map((message) => message.id));
+    const latestUser = [...messages].reverse().find((message) => message.role === "user");
+    const latestAssistant = [...messages].reverse().find((message) => message.role === "assistant");
+    if (latestUser)
+        selectedIds.add(latestUser.id);
+    if (latestAssistant)
+        selectedIds.add(latestAssistant.id);
+    return messages.filter((message) => selectedIds.has(message.id));
+}
 function buildSearchSnapshot(query, messages, includeLatestTurn = true) {
     const lines = [`history query: "${clip(query, 120)}"`];
     if (!includeLatestTurn) {
@@ -106,7 +165,19 @@ async function summarizeSessionTail(options) {
     const envelope = (0, session_events_1.loadSessionEnvelopeFile)(options.sessionPath);
     if (!envelope)
         return { kind: "missing" };
-    const tailMessages = normalizeSessionMessages(envelope.events).slice(-options.messageCount);
+    const transcriptContext = {
+        friendId: options.friendId,
+        channel: options.channel,
+        key: options.key,
+        includeToolMessages: shouldIncludeToolMessages(options.friendId, options.channel),
+    };
+    let visibleMessages = normalizeSessionMessages(envelope.events, transcriptContext);
+    if (options.archiveFallback && !visibleMessages.some((message) => message.role === "user")) {
+        const fullHistoryMessages = normalizeSessionMessages((0, session_events_1.loadFullEventHistory)(options.sessionPath), transcriptContext);
+        if (fullHistoryMessages.length > 0)
+            visibleMessages = fullHistoryMessages;
+    }
+    const tailMessages = selectSessionTailMessages(visibleMessages, options.messageCount);
     if (tailMessages.length === 0) {
         return { kind: "empty" };
     }
@@ -145,7 +216,12 @@ async function searchSessionTranscript(options) {
             return { kind: "missing" };
         return { kind: "empty" };
     }
-    const messages = normalizeSessionMessages(allEvents);
+    const messages = normalizeSessionMessages(allEvents, {
+        friendId: options.friendId,
+        channel: options.channel,
+        key: options.key,
+        includeToolMessages: shouldIncludeToolMessages(options.friendId, options.channel),
+    });
     if (messages.length === 0) {
         return { kind: "empty" };
     }

package/dist/heart/turn-context.js

@@ -57,6 +57,7 @@ const target_resolution_1 = require("./target-resolution");
 const episodes_1 = require("../arc/episodes");
 const cares_1 = require("../arc/cares");
 const config_1 = require("./config");
+const runtime_credentials_1 = require("./runtime-credentials");
 const daemon_health_1 = require("./daemon/daemon-health");
 const prompt_1 = require("../mind/prompt");
 const provider_visibility_1 = require("./provider-visibility");
@@ -140,6 +141,9 @@ function checkDaemonRunning() {
 function hasTextField(record, key) {
     return typeof record?.[key] === "string" && record[key].trim().length > 0;
 }
+function recordOrUndefined(value) {
+    return !!value && typeof value === "object" && !Array.isArray(value) ? value : undefined;
+}
 function readSenseStatusLines() {
     const config = (0, identity_1.loadAgentConfig)();
     const configuredSenses = config.senses ?? {};
@@ -151,9 +155,14 @@ function readSenseStatusLines() {
         mail: configuredSenses.mail ?? { enabled: false },
     };
     const payload = (0, config_1.loadConfig)();
-    const teams = payload.teams;
-    const bluebubbles = payload.bluebubbles;
-    const mailroom = payload.mailroom;
+    const agentName = (0, identity_1.getAgentName)();
+    const runtimeConfig = (0, runtime_credentials_1.readRuntimeCredentialConfig)(agentName);
+    const machineRuntimeConfig = (0, runtime_credentials_1.readMachineRuntimeCredentialConfig)(agentName);
+    const runtimePayload = runtimeConfig.ok ? runtimeConfig.config : {};
+    const machinePayload = machineRuntimeConfig.ok ? machineRuntimeConfig.config : {};
+    const teams = recordOrUndefined(runtimePayload.teams) ?? recordOrUndefined(payload.teams);
+    const bluebubbles = recordOrUndefined(machinePayload.bluebubbles) ?? recordOrUndefined(payload.bluebubbles);
+    const mailroom = recordOrUndefined(runtimePayload.mailroom) ?? recordOrUndefined(payload.mailroom);
     const privateKeys = mailroom?.privateKeys;
     const configured = {
         cli: true,

package/dist/mailroom/reader.js

@@ -37,6 +37,7 @@ exports.parseMailroomConfig = parseMailroomConfig;
 exports.readMailroomRegistry = readMailroomRegistry;
 exports.writeMailroomRegistry = writeMailroomRegistry;
 exports.resolveMailroomReader = resolveMailroomReader;
+exports.resolveMailroomReaderWithRefresh = resolveMailroomReaderWithRefresh;
 const fs = __importStar(require("node:fs"));
 const path = __importStar(require("node:path"));
 const storage_blob_1 = require("@azure/storage-blob");
@@ -217,3 +218,11 @@ function resolveMailroomReader(agentName = (0, identity_2.getAgentName)()) {
     });
     return result;
 }
+async function resolveMailroomReaderWithRefresh(agentName = (0, identity_2.getAgentName)()) {
+    const resolved = resolveMailroomReader(agentName);
+    if (resolved.ok || resolved.reason !== "auth-required" || !resolved.error.includes(" is unavailable")) {
+        return resolved;
+    }
+    await (0, runtime_credentials_1.refreshRuntimeCredentialConfig)(agentName, { preserveCachedOnFailure: true }).catch(() => undefined);
+    return resolveMailroomReader(agentName);
+}

package/dist/mind/prompt.js

@@ -66,6 +66,7 @@ const tools_1 = require("../repertoire/tools");
 const skills_1 = require("../repertoire/skills");
 const identity_1 = require("../heart/identity");
 const config_1 = require("../heart/config");
+const runtime_credentials_1 = require("../heart/runtime-credentials");
 const runtime_mode_1 = require("../heart/daemon/runtime-mode");
 const types_1 = require("./friends/types");
 const trust_explanation_1 = require("./friends/trust-explanation");
@@ -88,7 +89,6 @@ function flattenSystemPrompt(sp) {
 }
 // Lazy-loaded psyche text cache
 let _psycheCache = null;
-let _senseStatusLinesCache = null;
 function loadPsycheFile(name) {
     try {
         const psycheDir = path.join((0, identity_1.getAgentRoot)(), "psyche");
@@ -112,7 +112,6 @@ function loadPsyche() {
 }
 function resetPsycheCache() {
     _psycheCache = null;
-    _senseStatusLinesCache = null;
 }
 const DEFAULT_ACTIVE_THRESHOLD_MS = 24 * 60 * 60 * 1000; // 24 hours
 function buildSessionSummary(options) {
@@ -409,10 +408,10 @@ function runtimeInfoSection(channel, options) {
 function hasTextField(record, key) {
     return typeof record?.[key] === "string" && record[key].trim().length > 0;
 }
+function recordOrUndefined(value) {
+    return !!value && typeof value === "object" && !Array.isArray(value) ? value : undefined;
+}
 function localSenseStatusLines() {
-    if (_senseStatusLinesCache) {
-        return [..._senseStatusLinesCache];
-    }
     const config = (0, identity_1.loadAgentConfig)();
     const configuredSenses = config.senses ?? {};
     const senses = {
@@ -423,9 +422,13 @@ function localSenseStatusLines() {
         mail: configuredSenses.mail ?? { enabled: false },
     };
     const payload = (0, config_1.loadConfig)();
-    const teams = payload.teams;
-    const bluebubbles = payload.bluebubbles;
-    const mailroom = payload.mailroom;
+    const runtimeConfig = (0, runtime_credentials_1.readRuntimeCredentialConfig)((0, identity_1.getAgentName)());
+    const machineRuntimeConfig = (0, runtime_credentials_1.readMachineRuntimeCredentialConfig)((0, identity_1.getAgentName)());
+    const runtimePayload = runtimeConfig.ok ? runtimeConfig.config : {};
+    const machinePayload = machineRuntimeConfig.ok ? machineRuntimeConfig.config : {};
+    const teams = recordOrUndefined(runtimePayload.teams) ?? recordOrUndefined(payload.teams);
+    const bluebubbles = recordOrUndefined(machinePayload.bluebubbles) ?? recordOrUndefined(payload.bluebubbles);
+    const mailroom = recordOrUndefined(runtimePayload.mailroom) ?? recordOrUndefined(payload.mailroom);
     const privateKeys = mailroom?.privateKeys;
     const configured = {
         cli: true,
@@ -448,8 +451,7 @@ function localSenseStatusLines() {
             status: !senses.mail.enabled ? "disabled" : configured.mail ? "ready" : "needs_config",
         },
     ];
-    _senseStatusLinesCache = rows.map((row) => `- ${row.label}: ${row.status}`);
-    return [..._senseStatusLinesCache];
+    return rows.map((row) => `- ${row.label}: ${row.status}`);
 }
 function senseRuntimeGuidance(channel, preReadStatusLines) {
     const lines = ["available senses:"];

package/dist/repertoire/bitwarden-store.js

@@ -50,6 +50,7 @@ const runtime_1 = require("../nerves/runtime");
 const bw_installer_1 = require("./bw-installer");
 const MAX_ERROR_DETAIL_LENGTH = 500;
 const LONG_ENCODED_TOKEN_PATTERN = /[A-Za-z0-9+/=]{32,}/g;
+const BW_PASSWORD_ENV = "OURO_BW_MASTER_PASSWORD";
 function uniqueSecrets(secrets) {
     return [...new Set(secrets.filter((value) => typeof value === "string" && value.length >= 4))].sort((left, right) => right.length - left.length);
 }
@@ -131,9 +132,19 @@ function isBwConfigLogoutRequired(err) {
     const message = err.message.toLowerCase();
     return message.includes("logout") && message.includes("required");
 }
-function shouldPreferExactItemLookup(domain) {
+function isBwAlreadyLoggedInError(err) {
+    return err.message.toLowerCase().includes("already logged in");
+}
+function shouldUseStructuredItemLookup(domain) {
     return domain.includes("/");
 }
+function shouldUseFullListForStructuredLookup(domain, appDataDir) {
+    return domain.includes("/") && !appDataDir;
+}
+function isBwItemNotFoundError(error) {
+    const message = error.message.toLowerCase();
+    return message.includes("not found") || message.includes("no item");
+}
 // ---------------------------------------------------------------------------
 // Cross-process bw CLI lock
 // ---------------------------------------------------------------------------
@@ -242,11 +253,12 @@ async function withBwLock(appDataDir, fn) {
         }
     }
 }
-function execBw(args, sessionToken, appDataDir, stdin, bwBinaryPath = "bw") {
+function execBw(args, sessionToken, appDataDir, stdin, bwBinaryPath = "bw", extraEnv = {}) {
     const env = {
         ...process.env,
         ...(sessionToken ? { BW_SESSION: sessionToken } : {}),
         ...(appDataDir ? { BITWARDENCLI_APPDATA_DIR: appDataDir } : {}),
+        ...extraEnv,
     };
     const runCommand = () => new Promise((resolve, reject) => {
         const child = (0, node_child_process_1.execFile)(bwBinaryPath, args, { timeout: 30_000, env }, (err, stdout, stderr) => {
@@ -395,6 +407,9 @@ class BitwardenCredentialStore {
     execBw(args, sessionToken, stdin) {
         return execBw(args, sessionToken, this.appDataDir, stdin, this.bwBinaryPath);
     }
+    execBwWithPasswordEnv(args) {
+        return execBw([...args, "--passwordenv", BW_PASSWORD_ENV], undefined, this.appDataDir, undefined, this.bwBinaryPath, { [BW_PASSWORD_ENV]: this.masterPassword });
+    }
     /**
      * Ensure the bw CLI is authenticated and unlocked.
      * Handles three states: logged out → login, locked → unlock, already unlocked → no-op.
@@ -464,12 +479,22 @@ class BitwardenCredentialStore {
         }
         if (status.status === "locked") {
             // Already logged in, just needs unlock
-            const unlockOutput = await this.execBw(["unlock", this.masterPassword, "--raw"]);
+            const unlockOutput = await this.execBwWithPasswordEnv(["unlock", "--raw"]);
             this.sessionToken = unlockOutput.trim();
         }
         else if (status.status === "unauthenticated" || !status.status) {
             // Not logged in — full login
-            const loginOutput = await this.execBw(["login", this.email, this.masterPassword, "--raw"]);
+            let loginOutput;
+            try {
+                loginOutput = await this.execBwWithPasswordEnv(["login", this.email, "--raw"]);
+            }
+            catch (error) {
+                const err = error;
+                if (!isBwAlreadyLoggedInError(err)) {
+                    throw err;
+                }
+                loginOutput = await this.execBwWithPasswordEnv(["unlock", "--raw"]);
+            }
             try {
                 const parsed = JSON.parse(loginOutput);
                 this.sessionToken = parsed.access_token ?? loginOutput.trim();
@@ -480,7 +505,7 @@ class BitwardenCredentialStore {
         }
         else {
             // Status is "unlocked" — already good, just need the session token
-            const unlockOutput = await this.execBw(["unlock", this.masterPassword, "--raw"]);
+            const unlockOutput = await this.execBwWithPasswordEnv(["unlock", "--raw"]);
             this.sessionToken = unlockOutput.trim();
         }
         if (this.shouldSyncVaultAfterSession(status)) {
@@ -555,7 +580,7 @@ class BitwardenCredentialStore {
             message: `getting credential via bw for ${domain}`,
             meta: { domain, backend: "bitwarden" },
         });
-        const item = await this.withTransientRetry(() => this.withSessionRetry((session) => this.findItemByDomain(domain, session)));
+        const item = await this.withTransientRetry(() => this.withSessionRetry((session) => this.findItemByDomain(domain, session, { preferExactStructured: true })));
         if (!item) {
             (0, runtime_1.emitNervesEvent)({
                 event: "repertoire.bw_credential_get_end",
@@ -579,7 +604,7 @@ class BitwardenCredentialStore {
         };
     }
     async getRawSecret(domain, field) {
-        const item = await this.withTransientRetry(() => this.withSessionRetry((session) => this.findItemByDomain(domain, session)));
+        const item = await this.withTransientRetry(() => this.withSessionRetry((session) => this.findItemByDomain(domain, session, { preferExactStructured: true })));
         if (!item) {
             throw new Error(`no credential found for domain "${domain}"`);
         }
@@ -695,8 +720,11 @@ class BitwardenCredentialStore {
         return true;
     }
     // --- Private ---
-    async findItemByDomain(domain, session) {
-        if (shouldPreferExactItemLookup(domain)) {
+    async findItemByDomain(domain, session, options = {}) {
+        if (options.preferExactStructured && shouldUseStructuredItemLookup(domain)) {
+            return this.findStructuredItemByName(domain, session);
+        }
+        if (shouldUseFullListForStructuredLookup(domain, this.appDataDir)) {
             const items = await this.readStructuredItemCache(session);
             return items.get(domain) ?? null;
         }
@@ -705,6 +733,20 @@ class BitwardenCredentialStore {
         // Find exact match by name
         return items.find((item) => item.name === domain) ?? null;
     }
+    async findStructuredItemByName(domain, session) {
+        try {
+            const stdout = await this.execBw(["get", "item", domain], session);
+            const item = parseBwItem(stdout, "bw get item");
+            return item.name === domain ? item : null;
+        }
+        catch (error) {
+            /* v8 ignore next -- defensive: execBw rejects with Error instances @preserve */
+            const err = error instanceof Error ? error : new Error(String(error));
+            if (isBwItemNotFoundError(err))
+                return null;
+            throw err;
+        }
+    }
     shouldSyncVaultAfterSession(status) {
         if (status.status === "unauthenticated" || !status.status)
             return true;
@@ -740,6 +782,10 @@ class BitwardenCredentialStore {
             // If the marker cannot be written, fall back to syncing next time.
         }
     }
+    async findItemById(id, session) {
+        const stdout = await this.execBw(["get", "item", id], session);
+        return parseBwItem(stdout, "bw get item");
+    }
     async readStructuredItemCache(session) {
         if (this.structuredItemCache)
             return this.structuredItemCache;
@@ -748,10 +794,6 @@ class BitwardenCredentialStore {
         this.structuredItemCache = new Map(items.map((item) => [item.name, item]));
         return this.structuredItemCache;
     }
-    async findItemById(id, session) {
-        const stdout = await this.execBw(["get", "item", id], session);
-        return parseBwItem(stdout, "bw get item");
-    }
     assertStoredCredentialMatches(domain, data, item) {
         if (!item) {
             throw new Error(`bw CLI error: credential save verification failed for ${domain}: saved item could not be read back after write`);

package/dist/repertoire/tools-bridge.js

@@ -103,6 +103,7 @@ exports.bridgeToolDefinitions = [
                     messageCount: 20,
                     trustLevel: ctx?.context?.friend?.trustLevel,
                     summarize: ctx?.summarize,
+                    archiveFallback: true,
                 });
                 if (sessionTail.kind === "missing") {
                     return NO_SESSION_FOUND_MESSAGE;

package/dist/repertoire/tools-mail.js

@@ -747,7 +747,7 @@ exports.mailToolDefinitions = [
             const blocked = delegatedHumanMailBlocked(ctx);
             if (blocked)
                 return blocked;
-            const resolved = (0, reader_1.resolveMailroomReader)();
+            const resolved = await (0, reader_1.resolveMailroomReaderWithRefresh)();
             if (!resolved.ok)
                 return resolved.error;
             await resolved.store.recordAccess({
@@ -786,7 +786,7 @@ exports.mailToolDefinitions = [
                 if (blocked)
                     return blocked;
             }
-            const resolved = (0, reader_1.resolveMailroomReader)();
+            const resolved = await (0, reader_1.resolveMailroomReaderWithRefresh)();
             if (!resolved.ok)
                 return resolved.error;
             const scope = requestedScope === "all"
@@ -845,7 +845,7 @@ exports.mailToolDefinitions = [
         handler: async (args, ctx) => {
             if (!trustAllowsMailRead(ctx))
                 return "mail is private; this tool is only available in trusted contexts.";
-            const resolved = (0, reader_1.resolveMailroomReader)();
+            const resolved = await (0, reader_1.resolveMailroomReaderWithRefresh)();
             if (!resolved.ok)
                 return resolved.error;
             try {
@@ -907,7 +907,7 @@ exports.mailToolDefinitions = [
             const draftId = (args.draft_id ?? "").trim();
             if (!draftId)
                 return "draft_id is required.";
-            const resolved = (0, reader_1.resolveMailroomReader)();
+            const resolved = await (0, reader_1.resolveMailroomReaderWithRefresh)();
             if (!resolved.ok)
                 return resolved.error;
             try {
@@ -971,7 +971,7 @@ exports.mailToolDefinitions = [
         handler: async (args, ctx) => {
             if (!trustAllowsMailRead(ctx))
                 return "mail is private; this tool is only available in trusted contexts.";
-            const resolved = (0, reader_1.resolveMailroomReader)();
+            const resolved = await (0, reader_1.resolveMailroomReaderWithRefresh)();
             /* v8 ignore next -- defensive: reader resolution covered separately for read tools; mail_outbox tests use cached config @preserve */
             if (!resolved.ok)
                 return resolved.error;
@@ -1046,7 +1046,7 @@ exports.mailToolDefinitions = [
             if (!familyOrAgentSelf(ctx) && explicitScope && requestedScope !== "native") {
                 return "delegated human mail requires family trust.";
             }
-            const resolved = (0, reader_1.resolveMailroomReader)();
+            const resolved = await (0, reader_1.resolveMailroomReaderWithRefresh)();
             if (!resolved.ok)
                 return resolved.error;
             const scope = requestedScope === "all"
@@ -1151,7 +1151,7 @@ exports.mailToolDefinitions = [
             const messageId = (args.message_id ?? "").trim();
             if (!messageId)
                 return "message_id is required.";
-            const resolved = (0, reader_1.resolveMailroomReader)();
+            const resolved = await (0, reader_1.resolveMailroomReaderWithRefresh)();
             if (!resolved.ok)
                 return resolved.error;
             const cached = (0, body_cache_1.getCachedMailBody)(messageId);
@@ -1260,7 +1260,7 @@ exports.mailToolDefinitions = [
                 if (blocked)
                     return blocked;
             }
-            const resolved = (0, reader_1.resolveMailroomReader)();
+            const resolved = await (0, reader_1.resolveMailroomReaderWithRefresh)();
             if (!resolved.ok)
                 return resolved.error;
             const seedStored = await resolved.store.getMessage(messageId);
@@ -1347,7 +1347,7 @@ exports.mailToolDefinitions = [
             const blocked = delegatedHumanMailBlocked(ctx);
             if (blocked)
                 return blocked;
-            const resolved = (0, reader_1.resolveMailroomReader)();
+            const resolved = await (0, reader_1.resolveMailroomReaderWithRefresh)();
             if (!resolved.ok)
                 return resolved.error;
             const candidates = await resolved.store.listScreenerCandidates({
@@ -1398,7 +1398,7 @@ exports.mailToolDefinitions = [
             const reason = (args.reason ?? "").trim();
             if (!reason)
                 return "reason is required.";
-            const resolved = (0, reader_1.resolveMailroomReader)();
+            const resolved = await (0, reader_1.resolveMailroomReaderWithRefresh)();
             if (!resolved.ok)
                 return resolved.error;
             let messageId = (args.message_id ?? "").trim();
@@ -1467,7 +1467,7 @@ exports.mailToolDefinitions = [
             const blocked = delegatedHumanMailBlocked(ctx);
             if (blocked)
                 return blocked;
-            const resolved = (0, reader_1.resolveMailroomReader)();
+            const resolved = await (0, reader_1.resolveMailroomReaderWithRefresh)();
             if (!resolved.ok)
                 return resolved.error;
             return renderAccessLog(await resolved.store.listAccessLog(resolved.agentName));