@ouro.bot/cli 0.1.0-alpha.54 → 0.1.0-alpha.56

package/README.md

@@ -96,6 +96,17 @@ Task docs do not live in this repo anymore. Planning and doing docs live in the
   - `running`
   - `error`
 
+When a model provider needs first-time setup, reauth, or an explicit switch, use:
+
+```bash
+ouro auth --agent <name>
+ouro auth --agent <name> --provider <provider>
+```
+
+The default form reauths the provider already selected in `agent.json`. The explicit
+`--provider` form is for adding or switching providers, and it updates `agent.json`
+to use the newly authenticated provider.
+
 ## Quickstart
 
 ### Use The Published Runtime
@@ -134,6 +145,8 @@ ouro up
 ouro status
 ouro logs
 ouro stop
+ouro auth --agent <name>
+ouro auth --agent <name> --provider <provider>
 ouro hatch
 ouro chat <agent>
 ouro msg --to <agent> [--session <id>] [--task <ref>] <message>

package/changelog.json

@@ -1,6 +1,22 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.56",
+      "changes": [
+        "The installed runtime now supports `ouro auth --agent <name>` as the normal provider auth and reauth path, with `--provider <provider>` available for explicit provider add/switch flows.",
+        "Anthropic and OpenAI Codex hatch/signup now share the same runtime auth backbone as later reauth, so first-time setup and recovery follow one consistent mental model.",
+        "Provider auth failures now point at the supported `ouro auth` recovery path and tell you what to do after reauth, including retrying the failed `ouro` command or reconnecting the errored session."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.55",
+      "changes": [
+        "Memory fact dedup now catches paraphrased duplicates via cosine similarity on existing embeddings, so semantically equivalent facts no longer slip past the word-overlap check.",
+        "Semantic dedup gracefully handles corrupt JSONL entries with missing or undefined embeddings instead of crashing on bad data.",
+        "Cosine similarity is now imported from associative-recall instead of duplicated in the memory module."
+      ]
+    },
     {
       "version": "0.1.0-alpha.54",
       "changes": [

package/dist/heart/daemon/auth-flow.js

@@ -0,0 +1,351 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readAgentConfigForAgent = readAgentConfigForAgent;
+exports.writeAgentProviderSelection = writeAgentProviderSelection;
+exports.loadAgentSecrets = loadAgentSecrets;
+exports.writeProviderCredentials = writeProviderCredentials;
+exports.collectRuntimeAuthCredentials = collectRuntimeAuthCredentials;
+exports.resolveHatchCredentials = resolveHatchCredentials;
+exports.runRuntimeAuthFlow = runRuntimeAuthFlow;
+const child_process_1 = require("child_process");
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+const runtime_1 = require("../../nerves/runtime");
+const identity_1 = require("../identity");
+const ANTHROPIC_SETUP_TOKEN_PREFIX = "sk-ant-oat01-";
+const ANTHROPIC_SETUP_TOKEN_MIN_LENGTH = 80;
+const DEFAULT_SECRETS_TEMPLATE = {
+    providers: {
+        azure: {
+            modelName: "gpt-4o-mini",
+            apiKey: "",
+            endpoint: "",
+            deployment: "",
+            apiVersion: "2025-04-01-preview",
+        },
+        minimax: {
+            model: "minimax-text-01",
+            apiKey: "",
+        },
+        anthropic: {
+            model: "claude-opus-4-6",
+            setupToken: "",
+        },
+        "openai-codex": {
+            model: "gpt-5.4",
+            oauthAccessToken: "",
+        },
+    },
+    teams: {
+        clientId: "",
+        clientSecret: "",
+        tenantId: "",
+    },
+    oauth: {
+        graphConnectionName: "graph",
+        adoConnectionName: "ado",
+        githubConnectionName: "",
+    },
+    teamsChannel: {
+        skipConfirmation: true,
+        port: 3978,
+    },
+    integrations: {
+        perplexityApiKey: "",
+        openaiEmbeddingsApiKey: "",
+    },
+};
+function deepMerge(defaults, partial) {
+    const result = { ...defaults };
+    for (const key of Object.keys(partial)) {
+        const left = result[key];
+        const right = partial[key];
+        if (right !== null &&
+            typeof right === "object" &&
+            !Array.isArray(right) &&
+            left !== null &&
+            typeof left === "object" &&
+            !Array.isArray(left)) {
+            result[key] = deepMerge(left, right);
+            continue;
+        }
+        result[key] = right;
+    }
+    return result;
+}
+function readJsonRecord(filePath, label) {
+    try {
+        const raw = fs.readFileSync(filePath, "utf8");
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+            throw new Error("expected object");
+        }
+        return parsed;
+    }
+    catch (error) {
+        throw new Error(`Failed to read ${label} at ${filePath}: ${String(error)}`);
+    }
+}
+function readAgentConfigForAgent(agentName, bundlesRoot = (0, identity_1.getAgentBundlesRoot)()) {
+    const configPath = path.join(bundlesRoot, `${agentName}.ouro`, "agent.json");
+    const parsed = readJsonRecord(configPath, "agent config");
+    const provider = parsed.provider;
+    if (provider !== "azure" &&
+        provider !== "anthropic" &&
+        provider !== "minimax" &&
+        provider !== "openai-codex") {
+        throw new Error(`agent.json at ${configPath} has unsupported provider '${String(provider)}'`);
+    }
+    return {
+        configPath,
+        config: parsed,
+    };
+}
+function writeAgentProviderSelection(agentName, provider, bundlesRoot = (0, identity_1.getAgentBundlesRoot)()) {
+    const { configPath, config } = readAgentConfigForAgent(agentName, bundlesRoot);
+    const nextConfig = { ...config, provider };
+    fs.writeFileSync(configPath, `${JSON.stringify(nextConfig, null, 2)}\n`, "utf8");
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.auth_provider_selected",
+        message: "updated agent provider selection after auth flow",
+        meta: { agentName, provider, configPath },
+    });
+    return configPath;
+}
+function resolveAgentSecretsPath(agentName, deps = {}) {
+    if (deps.secretsRoot)
+        return path.join(deps.secretsRoot, agentName, "secrets.json");
+    const homeDir = deps.homeDir ?? os.homedir();
+    return (0, identity_1.getAgentSecretsPath)(agentName).replace(os.homedir(), homeDir);
+}
+function loadAgentSecrets(agentName, deps = {}) {
+    const secretsPath = resolveAgentSecretsPath(agentName, deps);
+    const secretsDir = path.dirname(secretsPath);
+    fs.mkdirSync(secretsDir, { recursive: true });
+    let onDisk = {};
+    try {
+        onDisk = readJsonRecord(secretsPath, "secrets config");
+    }
+    catch (error) {
+        const message = error.message;
+        if (!message.includes("ENOENT"))
+            throw error;
+    }
+    return {
+        secretsPath,
+        secrets: deepMerge(DEFAULT_SECRETS_TEMPLATE, onDisk),
+    };
+}
+function writeSecrets(secretsPath, secrets) {
+    fs.writeFileSync(secretsPath, `${JSON.stringify(secrets, null, 2)}\n`, "utf8");
+}
+function writeProviderCredentials(agentName, provider, credentials, deps = {}) {
+    const { secretsPath, secrets } = loadAgentSecrets(agentName, deps);
+    applyCredentials(secrets, provider, credentials);
+    writeSecrets(secretsPath, secrets);
+    return { secretsPath, secrets };
+}
+function readCodexAccessToken(homeDir) {
+    const authPath = path.join(homeDir, ".codex", "auth.json");
+    try {
+        const raw = fs.readFileSync(authPath, "utf8");
+        const parsed = JSON.parse(raw);
+        const token = parsed?.tokens?.access_token;
+        return typeof token === "string" ? token.trim() : "";
+    }
+    catch {
+        return "";
+    }
+}
+function ensurePromptInput(promptInput, provider) {
+    if (promptInput)
+        return promptInput;
+    throw new Error(`No prompt input is available for ${provider} authentication.`);
+}
+function validateAnthropicToken(token) {
+    const trimmed = token.trim();
+    if (!trimmed) {
+        throw new Error("No Anthropic setup token was provided.");
+    }
+    if (!trimmed.startsWith(ANTHROPIC_SETUP_TOKEN_PREFIX)) {
+        throw new Error(`Invalid Anthropic setup token format. Expected prefix ${ANTHROPIC_SETUP_TOKEN_PREFIX}.`);
+    }
+    if (trimmed.length < ANTHROPIC_SETUP_TOKEN_MIN_LENGTH) {
+        throw new Error("Anthropic setup token looks too short.");
+    }
+    return trimmed;
+}
+async function collectRuntimeAuthCredentials(input, deps) {
+    const spawnSync = deps.spawnSync ?? child_process_1.spawnSync;
+    const homeDir = deps.homeDir ?? os.homedir();
+    if (input.provider === "openai-codex") {
+        let token = readCodexAccessToken(homeDir);
+        if (!token) {
+            (0, runtime_1.emitNervesEvent)({
+                component: "daemon",
+                event: "daemon.auth_codex_login_start",
+                message: "starting codex login for runtime auth",
+                meta: { agentName: input.agentName },
+            });
+            const result = spawnSync("codex", ["login"], { stdio: "inherit" });
+            if (result.error) {
+                throw new Error(`Failed to run 'codex login': ${result.error.message}`);
+            }
+            if (result.status !== 0) {
+                throw new Error(`'codex login' exited with status ${result.status}.`);
+            }
+            token = readCodexAccessToken(homeDir);
+            if (!token) {
+                throw new Error("Codex login completed but no token was found in ~/.codex/auth.json. Re-run `codex login` and try again.");
+            }
+        }
+        return { oauthAccessToken: token };
+    }
+    if (input.provider === "anthropic") {
+        (0, runtime_1.emitNervesEvent)({
+            component: "daemon",
+            event: "daemon.auth_claude_setup_start",
+            message: "starting claude setup-token for runtime auth",
+            meta: { agentName: input.agentName },
+        });
+        const result = spawnSync("claude", ["setup-token"], { stdio: "inherit" });
+        if (result.error) {
+            throw new Error(`Failed to run 'claude setup-token': ${result.error.message}`);
+        }
+        if (result.status !== 0) {
+            throw new Error(`'claude setup-token' exited with status ${result.status}.`);
+        }
+        const prompt = ensurePromptInput(input.promptInput, input.provider);
+        const setupToken = validateAnthropicToken(await prompt("Paste the setup token from `claude setup-token`: "));
+        return { setupToken };
+    }
+    if (input.provider === "minimax") {
+        const prompt = ensurePromptInput(input.promptInput, input.provider);
+        const apiKey = (await prompt("MiniMax API key: ")).trim();
+        if (!apiKey)
+            throw new Error("MiniMax API key is required.");
+        return { apiKey };
+    }
+    const prompt = ensurePromptInput(input.promptInput, input.provider);
+    const apiKey = (await prompt("Azure API key: ")).trim();
+    const endpoint = (await prompt("Azure endpoint: ")).trim();
+    const deployment = (await prompt("Azure deployment: ")).trim();
+    if (!apiKey || !endpoint || !deployment) {
+        throw new Error("Azure API key, endpoint, and deployment are required.");
+    }
+    return { apiKey, endpoint, deployment };
+}
+async function resolveHatchCredentials(input) {
+    const prompt = input.promptInput;
+    const credentials = { ...(input.credentials ?? {}) };
+    if (input.provider === "anthropic" && !credentials.setupToken && input.runAuthFlow) {
+        const result = await input.runAuthFlow({
+            agentName: input.agentName,
+            provider: "anthropic",
+            promptInput: prompt,
+        });
+        Object.assign(credentials, result.credentials);
+    }
+    if (input.provider === "anthropic" && !credentials.setupToken && prompt) {
+        credentials.setupToken = await prompt("Anthropic setup-token: ");
+    }
+    if (input.provider === "openai-codex" && !credentials.oauthAccessToken && input.runAuthFlow) {
+        const result = await input.runAuthFlow({
+            agentName: input.agentName,
+            provider: "openai-codex",
+            promptInput: prompt,
+        });
+        Object.assign(credentials, result.credentials);
+    }
+    if (input.provider === "openai-codex" && !credentials.oauthAccessToken && prompt) {
+        credentials.oauthAccessToken = await prompt("OpenAI Codex OAuth token: ");
+    }
+    if (input.provider === "minimax" && !credentials.apiKey && prompt) {
+        credentials.apiKey = await prompt("MiniMax API key: ");
+    }
+    if (input.provider === "azure") {
+        if (!credentials.apiKey && prompt)
+            credentials.apiKey = await prompt("Azure API key: ");
+        if (!credentials.endpoint && prompt)
+            credentials.endpoint = await prompt("Azure endpoint: ");
+        if (!credentials.deployment && prompt)
+            credentials.deployment = await prompt("Azure deployment: ");
+    }
+    return credentials;
+}
+function applyCredentials(secrets, provider, credentials) {
+    if (provider === "anthropic") {
+        secrets.providers.anthropic.setupToken = credentials.setupToken.trim();
+        return;
+    }
+    if (provider === "openai-codex") {
+        secrets.providers["openai-codex"].oauthAccessToken = credentials.oauthAccessToken.trim();
+        return;
+    }
+    if (provider === "minimax") {
+        secrets.providers.minimax.apiKey = credentials.apiKey.trim();
+        return;
+    }
+    secrets.providers.azure.apiKey = credentials.apiKey.trim();
+    secrets.providers.azure.endpoint = credentials.endpoint.trim();
+    secrets.providers.azure.deployment = credentials.deployment.trim();
+}
+async function runRuntimeAuthFlow(input, deps = {}) {
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.auth_flow_start",
+        message: "starting runtime auth flow",
+        meta: { agentName: input.agentName, provider: input.provider },
+    });
+    const homeDir = deps.homeDir ?? os.homedir();
+    const credentials = await collectRuntimeAuthCredentials(input, deps);
+    const { secretsPath } = writeProviderCredentials(input.agentName, input.provider, credentials, { homeDir });
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.auth_flow_end",
+        message: "completed runtime auth flow",
+        meta: { agentName: input.agentName, provider: input.provider, secretsPath },
+    });
+    return {
+        agentName: input.agentName,
+        provider: input.provider,
+        secretsPath,
+        message: `authenticated ${input.agentName} with ${input.provider}`,
+        credentials,
+    };
+}

package/dist/heart/daemon/daemon-cli.js

@@ -67,6 +67,7 @@ const ouro_bot_global_installer_1 = require("./ouro-bot-global-installer");
 const launchd_1 = require("./launchd");
 const socket_client_1 = require("./socket-client");
 const session_activity_1 = require("../session-activity");
+const auth_flow_1 = require("./auth-flow");
 function stringField(value) {
     return typeof value === "string" ? value : null;
 }
@@ -268,6 +269,7 @@ function usage() {
         "  ouro [up]",
         "  ouro stop|down|status|logs|hatch",
         "  ouro -v|--version",
+        "  ouro auth --agent <name> [--provider <provider>]",
         "  ouro chat <agent>",
         "  ouro msg --to <agent> [--session <id>] [--task <ref>] <message>",
         "  ouro poke <agent> --task <task-id>",
@@ -536,6 +538,23 @@ function parseTaskCommand(args) {
         return { kind: "task.sessions", ...(agent ? { agent } : {}) };
     throw new Error(`Usage\n${usage()}`);
 }
+function parseAuthCommand(args) {
+    const { agent, rest } = extractAgentFlag(args);
+    let provider;
+    for (let i = 0; i < rest.length; i += 1) {
+        if (rest[i] === "--provider") {
+            const value = rest[i + 1];
+            if (!isAgentProvider(value))
+                throw new Error(`Usage\n${usage()}`);
+            provider = value;
+            i += 1;
+            continue;
+        }
+    }
+    if (!agent)
+        throw new Error(`Usage\n${usage()}`);
+    return provider ? { kind: "auth.run", agent, provider } : { kind: "auth.run", agent };
+}
 function parseReminderCommand(args) {
     const { agent, rest: cleaned } = extractAgentFlag(args);
     const [sub, ...rest] = cleaned;
@@ -670,6 +689,8 @@ function parseOuroCommand(args) {
         return { kind: "daemon.logs" };
     if (head === "hatch")
         return parseHatchCommand(args.slice(1));
+    if (head === "auth")
+        return parseAuthCommand(args.slice(1));
     if (head === "task")
         return parseTaskCommand(args.slice(1));
     if (head === "reminder")
@@ -1059,6 +1080,7 @@ function createDefaultOuroCliDeps(socketPath = socket_client_1.DEFAULT_DAEMON_SO
         runHatchFlow: hatch_flow_1.runHatchFlow,
         promptInput: defaultPromptInput,
         runAdoptionSpecialist: defaultRunAdoptionSpecialist,
+        runAuthFlow: auth_flow_1.runRuntimeAuthFlow,
         registerOuroBundleType: ouro_uti_1.registerOuroBundleUti,
         installOuroCommand: ouro_path_installer_1.installOuroCommand,
         syncGlobalOuroBotWrapper: ouro_bot_global_installer_1.syncGlobalOuroBotWrapper,
@@ -1095,24 +1117,13 @@ async function resolveHatchInput(command, deps) {
     if (!agentName || !humanName || !isAgentProvider(providerRaw)) {
         throw new Error(`Usage\n${usage()}`);
     }
-    const credentials = { ...(command.credentials ?? {}) };
-    if (providerRaw === "anthropic" && !credentials.setupToken && prompt) {
-        credentials.setupToken = await prompt("Anthropic setup-token: ");
-    }
-    if (providerRaw === "openai-codex" && !credentials.oauthAccessToken && prompt) {
-        credentials.oauthAccessToken = await prompt("OpenAI Codex OAuth token: ");
-    }
-    if (providerRaw === "minimax" && !credentials.apiKey && prompt) {
-        credentials.apiKey = await prompt("MiniMax API key: ");
-    }
-    if (providerRaw === "azure") {
-        if (!credentials.apiKey && prompt)
-            credentials.apiKey = await prompt("Azure API key: ");
-        if (!credentials.endpoint && prompt)
-            credentials.endpoint = await prompt("Azure endpoint: ");
-        if (!credentials.deployment && prompt)
-            credentials.deployment = await prompt("Azure deployment: ");
-    }
+    const credentials = await (0, auth_flow_1.resolveHatchCredentials)({
+        agentName,
+        provider: providerRaw,
+        credentials: command.credentials,
+        promptInput: prompt,
+        runAuthFlow: deps.runAuthFlow,
+    });
     return {
         agentName,
         humanName,
@@ -1512,6 +1523,21 @@ async function runOuroCli(args, deps = createDefaultOuroCliDeps()) {
         deps.writeStdout(message);
         return message;
     }
+    // ── auth (local, no daemon socket needed) ──
+    if (command.kind === "auth.run") {
+        const provider = command.provider ?? (0, auth_flow_1.readAgentConfigForAgent)(command.agent).config.provider;
+        const authRunner = deps.runAuthFlow ?? auth_flow_1.runRuntimeAuthFlow;
+        const result = await authRunner({
+            agentName: command.agent,
+            provider,
+            promptInput: deps.promptInput,
+        });
+        if (command.provider) {
+            (0, auth_flow_1.writeAgentProviderSelection)(command.agent, command.provider);
+        }
+        deps.writeStdout(result.message);
+        return result.message;
+    }
     // ── whoami (local, no daemon socket needed) ──
     if (command.kind === "whoami") {
         if (command.agent) {

package/dist/heart/daemon/hatch-flow.js

@@ -41,6 +41,7 @@ const path = __importStar(require("path"));
 const identity_1 = require("../identity");
 const config_1 = require("../config");
 const runtime_1 = require("../../nerves/runtime");
+const auth_flow_1 = require("./auth-flow");
 const hatch_specialist_1 = require("./hatch-specialist");
 function requiredCredentialKeys(provider) {
     if (provider === "anthropic")
@@ -67,70 +68,8 @@ function validateCredentials(provider, credentials) {
         throw new Error(`Missing required credentials for ${provider}: ${missing.join(", ")}`);
     }
 }
-function buildSecretsTemplate() {
-    return {
-        providers: {
-            azure: {
-                modelName: "gpt-4o-mini",
-                apiKey: "",
-                endpoint: "",
-                deployment: "",
-                apiVersion: "2025-04-01-preview",
-            },
-            minimax: {
-                model: "minimax-text-01",
-                apiKey: "",
-            },
-            anthropic: {
-                model: "claude-opus-4-6",
-                setupToken: "",
-            },
-            "openai-codex": {
-                model: "gpt-5.4",
-                oauthAccessToken: "",
-            },
-        },
-        teams: {
-            clientId: "",
-            clientSecret: "",
-            tenantId: "",
-        },
-        oauth: {
-            graphConnectionName: "graph",
-            adoConnectionName: "ado",
-            githubConnectionName: "",
-        },
-        teamsChannel: {
-            skipConfirmation: true,
-            port: 3978,
-        },
-        integrations: {
-            perplexityApiKey: "",
-            openaiEmbeddingsApiKey: "",
-        },
-    };
-}
 function writeSecretsFile(agentName, provider, credentials, secretsRoot) {
-    const secrets = buildSecretsTemplate();
-    if (provider === "anthropic") {
-        secrets.providers.anthropic.setupToken = credentials.setupToken.trim();
-    }
-    else if (provider === "openai-codex") {
-        secrets.providers["openai-codex"].oauthAccessToken = credentials.oauthAccessToken.trim();
-    }
-    else if (provider === "minimax") {
-        secrets.providers.minimax.apiKey = credentials.apiKey.trim();
-    }
-    else {
-        secrets.providers.azure.apiKey = credentials.apiKey.trim();
-        secrets.providers.azure.endpoint = credentials.endpoint.trim();
-        secrets.providers.azure.deployment = credentials.deployment.trim();
-    }
-    const secretsDir = path.join(secretsRoot, agentName);
-    fs.mkdirSync(secretsDir, { recursive: true });
-    const secretsPath = path.join(secretsDir, "secrets.json");
-    fs.writeFileSync(secretsPath, `${JSON.stringify(secrets, null, 2)}\n`, "utf-8");
-    return secretsPath;
+    return (0, auth_flow_1.writeProviderCredentials)(agentName, provider, credentials, { secretsRoot }).secretsPath;
 }
 function writeReadme(dir, purpose) {
     fs.mkdirSync(dir, { recursive: true });

package/dist/heart/providers/anthropic.js

@@ -24,10 +24,10 @@ function getAnthropicSetupTokenInstructions() {
     const agentName = getAnthropicAgentNameForGuidance();
     return [
         "Fix:",
-        `  1. Run \`npm run auth:claude-setup-token -- --agent ${agentName}\``,
-        "     (or run `claude setup-token` and paste the token manually)",
+        `  1. Run \`ouro auth --agent ${agentName}\``,
         `  2. Open ${getAnthropicSecretsPathForGuidance()}`,
         "  3. Confirm providers.anthropic.setupToken is set",
+        "  4. After reauth, retry the failed ouro command or reconnect this session.",
     ].join("\n");
 }
 function getAnthropicReauthGuidance(reason) {

package/dist/heart/providers/openai-codex.js

@@ -28,11 +28,11 @@ function getOpenAICodexOAuthInstructions() {
     const agentName = getOpenAICodexAgentNameForGuidance();
     return [
         "Fix:",
-        `  1. Run \`npm run auth:openai-codex -- --agent ${agentName}\``,
-        "     (or run `codex login` and set the OAuth token manually)",
+        `  1. Run \`ouro auth --agent ${agentName}\``,
         `  2. Open ${getOpenAICodexSecretsPathForGuidance()}`,
         "  3. Confirm providers.openai-codex.oauthAccessToken is set",
         "  4. This provider uses chatgpt.com/backend-api/codex/responses (not api.openai.com/responses).",
+        "  5. After reauth, retry the failed ouro command or reconnect this session.",
     ].join("\n");
 }
 function getOpenAICodexReauthGuidance(reason) {

package/dist/mind/memory.js

@@ -33,7 +33,6 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.__memoryTestUtils = void 0;
 exports.ensureMemoryStorePaths = ensureMemoryStorePaths;
 exports.appendFactsWithDedup = appendFactsWithDedup;
 exports.readMemoryFacts = readMemoryFacts;
@@ -46,7 +45,9 @@ const crypto_1 = require("crypto");
 const config_1 = require("../heart/config");
 const identity_1 = require("../heart/identity");
 const runtime_1 = require("../nerves/runtime");
+const associative_recall_1 = require("./associative-recall");
 const DEDUP_THRESHOLD = 0.6;
+const SEMANTIC_DEDUP_THRESHOLD = 0.95;
 const ENTITY_TOKEN = /[a-z0-9]+/g;
 const DEFAULT_EMBEDDING_MODEL = "text-embedding-3-small";
 class OpenAIEmbeddingProvider {
@@ -177,13 +178,24 @@ function appendDailyFact(dailyDir, fact) {
     const dayPath = path.join(dailyDir, `${day}.jsonl`);
     fs.appendFileSync(dayPath, `${JSON.stringify(fact)}\n`, "utf8");
 }
-function appendFactsWithDedup(stores, incoming) {
+function appendFactsWithDedup(stores, incoming, options) {
     const existing = readExistingFacts(stores.factsPath);
     const all = [...existing];
     let added = 0;
     let skipped = 0;
+    const semanticThreshold = options?.semanticThreshold;
     for (const fact of incoming) {
-        const duplicate = all.some((prior) => overlapScore(prior.text, fact.text) > DEDUP_THRESHOLD);
+        const duplicate = all.some((prior) => {
+            if (overlapScore(prior.text, fact.text) > DEDUP_THRESHOLD)
+                return true;
+            if (semanticThreshold !== undefined &&
+                Array.isArray(fact.embedding) && fact.embedding.length > 0 &&
+                Array.isArray(prior.embedding) && prior.embedding.length > 0 &&
+                fact.embedding.length === prior.embedding.length) {
+                return (0, associative_recall_1.cosineSimilarity)(fact.embedding, prior.embedding) > semanticThreshold;
+            }
+            return false;
+        });
         if (duplicate) {
             skipped++;
             continue;
@@ -202,24 +214,6 @@ function appendFactsWithDedup(stores, incoming) {
     });
     return { added, skipped };
 }
-function cosineSimilarity(left, right) {
-    if (left.length === 0 || right.length === 0 || left.length !== right.length)
-        return 0;
-    let dot = 0;
-    let leftNorm = 0;
-    let rightNorm = 0;
-    for (let i = 0; i < left.length; i += 1) {
-        dot += left[i] * right[i];
-        leftNorm += left[i] * left[i];
-        rightNorm += right[i] * right[i];
-    }
-    if (leftNorm === 0 || rightNorm === 0)
-        return 0;
-    return dot / (Math.sqrt(leftNorm) * Math.sqrt(rightNorm));
-}
-exports.__memoryTestUtils = {
-    cosineSimilarity,
-};
 function createDefaultEmbeddingProvider() {
     const apiKey = (0, config_1.getOpenAIEmbeddingsApiKey)().trim();
     if (!apiKey)
@@ -271,7 +265,7 @@ async function saveMemoryFact(options) {
         createdAt: (options.now ?? (() => new Date()))().toISOString(),
         embedding,
     };
-    return appendFactsWithDedup(stores, [fact]);
+    return appendFactsWithDedup(stores, [fact], { semanticThreshold: SEMANTIC_DEDUP_THRESHOLD });
 }
 async function backfillEmbeddings(options) {
     const memoryRoot = options?.memoryRoot ?? path.join((0, identity_1.getAgentRoot)(), "psyche", "memory");
@@ -372,7 +366,7 @@ async function searchMemoryFacts(query, facts, embeddingProvider) {
             .filter((fact) => fact.embedding.length === queryEmbedding.length)
             .map((fact) => ({
             fact,
-            score: cosineSimilarity(queryEmbedding, fact.embedding),
+            score: (0, associative_recall_1.cosineSimilarity)(queryEmbedding, fact.embedding),
         }))
             .filter((entry) => entry.score > 0)
             .sort((left, right) => right.score - left.score)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.54",
+  "version": "0.1.0-alpha.56",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",