npm - @ouro.bot/cli - Versions diffs - 0.1.0-alpha.547 → 0.1.0-alpha.549 - Mend

@ouro.bot/cli 0.1.0-alpha.547 → 0.1.0-alpha.549

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/changelog.json +14 -0
package/dist/heart/auth/auth-flow.js +62 -10
package/dist/heart/daemon/cli-defaults.js +10 -0
package/dist/heart/daemon/cli-exec.js +15 -17
package/dist/heart/daemon/daemon-runtime-sync.js +18 -0
package/dist/heart/daemon/launchd.js +22 -5
package/dist/heart/provider-credentials.js +1 -1
package/package.json +1 -1

package/changelog.json CHANGED Viewed

@@ -1,6 +1,20 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.549",
+      "changes": [
+        "`ouro up` now unloads any already-loaded daemon LaunchAgent before replacing a drifted daemon runtime, preventing launchd KeepAlive from racing the manual replacement and leaving two daemon processes split across the same socket.",
+        "`ouro up` now rewrites the daemon boot plist as soon as the daemon is answering, so a degraded sense no longer prevents restart auto-start metadata from being refreshed."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.548",
+      "changes": [
+        "OpenAI Codex auth now reuses an existing fresh local Codex login before starting browser login, letting `ouro auth --provider openai-codex` repair stale vault copies without a human OAuth round-trip when the local Codex CLI is already logged in.",
+        "Codex provider credentials now retain refresh metadata (`refreshToken` and `expiresAt`) alongside the access token, setting up proactive non-browser refresh handling for future hardening."
+      ]
+    },
     {
       "version": "0.1.0-alpha.547",
       "changes": [

package/dist/heart/auth/auth-flow.js CHANGED Viewed

@@ -52,6 +52,7 @@ const provider_credentials_1 = require("../provider-credentials");
 const vault_unlock_1 = require("../../repertoire/vault-unlock");
 const ANTHROPIC_SETUP_TOKEN_PREFIX = "sk-ant-oat01-";
 const ANTHROPIC_SETUP_TOKEN_MIN_LENGTH = 80;
+const CODEX_LOCAL_TOKEN_REFRESH_MARGIN_MS = 5 * 60 * 1000;
 function assertPersistentProviderCredentialsAllowed(agentName) {
     if (agentName === "SerpentGuide") {
         throw new Error("SerpentGuide uses provider credentials in memory during hatch bootstrap; persistent SerpentGuide auth is not supported.");
@@ -171,18 +172,64 @@ function writeAgentModel(agentName, facing, modelName, deps = {}) {
     });
     return { configPath, provider, previousModel };
 }
-function readCodexAccessToken(homeDir) {
+function decodeJwtPayload(token) {
+    const parts = token.split(".");
+    if (parts.length < 2 || !parts[1])
+        return null;
+    try {
+        const base64 = parts[1]
+            .replace(/-/g, "+")
+            .replace(/_/g, "/")
+            .padEnd(Math.ceil(parts[1].length / 4) * 4, "=");
+        const parsed = JSON.parse(Buffer.from(base64, "base64").toString("utf8"));
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+function readJwtExpiresAt(token) {
+    const payload = decodeJwtPayload(token);
+    const exp = payload?.exp;
+    if (typeof exp !== "number" || !Number.isFinite(exp) || exp <= 0)
+        return undefined;
+    return Math.floor(exp * 1000);
+}
+function isFreshCodexToken(credentials, now) {
+    if (!credentials.oauthAccessToken)
+        return false;
+    if (typeof credentials.expiresAt !== "number")
+        return false;
+    return credentials.expiresAt > now.getTime() + CODEX_LOCAL_TOKEN_REFRESH_MARGIN_MS;
+}
+function readCodexLocalAuthCredentials(homeDir) {
     const authPath = path.join(homeDir, ".codex", "auth.json");
     try {
         const raw = fs.readFileSync(authPath, "utf8");
         const parsed = JSON.parse(raw);
-        const token = parsed?.tokens?.access_token;
-        return typeof token === "string" ? token.trim() : /* v8 ignore next -- defensive: codex login always writes a string token @preserve */ "";
+        const accessToken = typeof parsed.tokens?.access_token === "string" ? parsed.tokens.access_token.trim() : "";
+        if (!accessToken)
+            return {};
+        const refreshToken = typeof parsed.tokens?.refresh_token === "string" ? parsed.tokens.refresh_token.trim() : "";
+        const expiresAt = readJwtExpiresAt(accessToken);
+        return {
+            oauthAccessToken: accessToken,
+            ...(refreshToken ? { refreshToken } : {}),
+            ...(expiresAt ? { expiresAt } : {}),
+        };
     }
     catch {
-        return "";
+        return {};
     }
 }
+function isCodexLoginStatusReady(result) {
+    if (result.error || result.status !== 0)
+        return false;
+    const output = `${typeof result.stdout === "string" ? result.stdout : ""}\n${typeof result.stderr === "string" ? result.stderr : ""}`;
+    return output.toLowerCase().includes("logged in");
+}
 function ensurePromptInput(promptInput, provider) {
     if (promptInput)
         return promptInput;
@@ -224,6 +271,7 @@ function validateAnthropicToken(token) {
 async function collectRuntimeAuthCredentials(input, deps) {
     const spawnSync = deps.spawnSync ?? child_process_1.spawnSync;
     const homeDir = deps.homeDir ?? os.homedir();
+    const now = deps.now ?? (() => new Date());
     if (input.provider === "github-copilot") {
         let token = process.env.GH_TOKEN?.trim() || process.env.GITHUB_TOKEN?.trim() || "";
         if (!token) {
@@ -267,9 +315,13 @@ async function collectRuntimeAuthCredentials(input, deps) {
         return { githubToken: token, baseUrl };
     }
     if (input.provider === "openai-codex") {
-        // Always run codex login when auth is explicitly requested — stale tokens
-        // are indistinguishable from valid ones without an API call, and the user
-        // is asking to re-authenticate.
+        writeAuthProgress(input, "checking local Codex login...");
+        const localStatus = spawnSync("codex", ["login", "status"], { encoding: "utf8" });
+        const localCredentials = readCodexLocalAuthCredentials(homeDir);
+        if (isCodexLoginStatusReady(localStatus) && isFreshCodexToken(localCredentials, now())) {
+            writeAuthProgress(input, "using existing openai-codex local login...");
+            return localCredentials;
+        }
         (0, runtime_1.emitNervesEvent)({
             component: "daemon",
             event: "daemon.auth_codex_login_start",
@@ -285,11 +337,11 @@ async function collectRuntimeAuthCredentials(input, deps) {
             throw new Error(`'codex login' exited with status ${result.status}.`);
         }
         writeAuthProgress(input, "openai-codex login complete; reading local Codex token...");
-        const token = readCodexAccessToken(homeDir);
-        if (!token) {
+        const credentials = readCodexLocalAuthCredentials(homeDir);
+        if (!credentials.oauthAccessToken) {
             throw new Error("Codex login completed but no token was found in ~/.codex/auth.json. Re-run `codex login` and try again.");
         }
-        return { oauthAccessToken: token };
+        return credentials;
     }
     if (input.provider === "anthropic") {
         (0, runtime_1.emitNervesEvent)({

package/dist/heart/daemon/cli-defaults.js CHANGED Viewed

@@ -251,6 +251,15 @@ function defaultEnsureDaemonBootPersistence(socketPath) {
         envPath: process.env.PATH,
     });
 }
+function defaultPrepareDaemonRuntimeReplacement() {
+    if (process.platform !== "darwin") {
+        return;
+    }
+    (0, launchd_1.bootoutLaunchAgentByLabel)({
+        exec: (cmd) => { (0, child_process_1.execSync)(cmd, { stdio: "ignore" }); },
+        userUid: process.getuid?.() ?? 0,
+    });
+}
 async function defaultPromptInput(question) {
     const readline = await Promise.resolve().then(() => __importStar(require("readline/promises")));
     const rl = readline.createInterface({
@@ -615,6 +624,7 @@ function createDefaultOuroCliDeps(socketPath = socket_client_1.DEFAULT_DAEMON_SO
         syncGlobalOuroBotWrapper: ouro_bot_global_installer_1.syncGlobalOuroBotWrapper,
         pruneDaemonLogs: logs_prune_1.pruneDaemonLogs,
         ensureSkillManagement: skill_management_installer_1.ensureSkillManagement,
+        prepareDaemonRuntimeReplacement: defaultPrepareDaemonRuntimeReplacement,
         ensureDaemonBootPersistence: defaultEnsureDaemonBootPersistence,
         /* v8 ignore start -- dev-mode defaults: tests inject mocks for mode detection and binary resolution @preserve */
         detectMode: () => (0, runtime_mode_1.detectRuntimeMode)((0, identity_1.getRepoRoot)()),

package/dist/heart/daemon/cli-exec.js CHANGED Viewed

@@ -943,6 +943,7 @@ async function ensureDaemonRunning(deps, options = {}) {
             stopDaemon: async () => {
                 await deps.sendCommand(deps.socketPath, { kind: "daemon.stop" });
             },
+            prepareDaemonRuntimeReplacement: deps.prepareDaemonRuntimeReplacement,
             cleanupStaleSocket: deps.cleanupStaleSocket,
             startDaemonProcess: deps.startDaemonProcess,
             checkSocketAlive: deps.checkSocketAlive,
@@ -5901,6 +5902,20 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             return returnCliFailure(deps, daemonResult.message);
         }
         progress.completePhase("starting daemon", daemonProgressSummary(daemonResult));
+        if (deps.ensureDaemonBootPersistence) {
+            try {
+                await Promise.resolve(deps.ensureDaemonBootPersistence(deps.socketPath));
+            }
+            catch (error) {
+                (0, runtime_1.emitNervesEvent)({
+                    level: "warn",
+                    component: "daemon",
+                    event: "daemon.system_setup_launchd_error",
+                    message: "failed to persist daemon boot startup",
+                    meta: { error: error instanceof Error ? error.message : String(error), socketPath: deps.socketPath },
+                });
+            }
+        }
         progress.startPhase("provider checks");
         const providerDegraded = await checkAlreadyRunningAgentProviders(deps, (msg) => progress.updateDetail(msg));
         daemonResult.stability = mergeStartupStability(daemonResult.stability, providerDegraded);
@@ -6069,23 +6084,6 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             const driftAdvisories = await collectAgentDriftAdvisories(deps);
             writeDriftAdvisorySummary(deps, driftAdvisories);
         }
-        // Persist boot startup AFTER daemon is running — bootstrap is safe now
-        // because the daemon socket exists, so launchd's KeepAlive registers
-        // for crash recovery without starting a competing process.
-        if (deps.ensureDaemonBootPersistence) {
-            try {
-                await Promise.resolve(deps.ensureDaemonBootPersistence(deps.socketPath));
-            }
-            catch (error) {
-                (0, runtime_1.emitNervesEvent)({
-                    level: "warn",
-                    component: "daemon",
-                    event: "daemon.system_setup_launchd_error",
-                    message: "failed to persist daemon boot startup",
-                    meta: { error: error instanceof Error ? error.message : String(error), socketPath: deps.socketPath },
-                });
-            }
-        }
         return daemonResult.message;
     }
     if (command.kind === "daemon.dev") {

package/dist/heart/daemon/daemon-runtime-sync.js CHANGED Viewed

@@ -107,6 +107,24 @@ async function ensureCurrentDaemonRuntime(deps) {
             try {
                 deps.onProgress?.("stopping the older background service");
                 await deps.stopDaemon();
+                if (deps.prepareDaemonRuntimeReplacement) {
+                    deps.onProgress?.("disabling daemon auto-restart during replacement");
+                    try {
+                        await Promise.resolve(deps.prepareDaemonRuntimeReplacement());
+                    }
+                    catch (error) {
+                        (0, runtime_1.emitNervesEvent)({
+                            level: "warn",
+                            component: "daemon",
+                            event: "daemon.runtime_sync_replacement_prepare_error",
+                            message: "daemon runtime replacement preparation failed",
+                            meta: {
+                                socketPath: deps.socketPath,
+                                reason: formatErrorReason(error),
+                            },
+                        });
+                    }
+                }
             }
             catch (error) {
                 const reason = formatErrorReason(error);

package/dist/heart/daemon/launchd.js CHANGED Viewed

@@ -34,6 +34,7 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DAEMON_PLIST_LABEL = void 0;
+exports.bootoutLaunchAgentByLabel = bootoutLaunchAgentByLabel;
 exports.generateDaemonPlist = generateDaemonPlist;
 exports.writeLaunchAgentPlist = writeLaunchAgentPlist;
 exports.installLaunchAgent = installLaunchAgent;
@@ -48,6 +49,26 @@ function plistFilePath(homeDir) {
 function userLaunchDomain(userUid) {
     return `gui/${userUid}`;
 }
+function bootoutLaunchAgentByLabel(deps) {
+    const domain = userLaunchDomain(deps.userUid);
+    try {
+        deps.exec(`launchctl bootout ${domain}/${exports.DAEMON_PLIST_LABEL}`);
+        (0, runtime_1.emitNervesEvent)({
+            component: "daemon",
+            event: "daemon.launchd_label_bootout",
+            message: "booted out daemon launch agent by label",
+            meta: { label: exports.DAEMON_PLIST_LABEL, domain },
+        });
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            component: "daemon",
+            event: "daemon.launchd_label_bootout_skipped",
+            message: "daemon launch agent label bootout skipped",
+            meta: { label: exports.DAEMON_PLIST_LABEL, domain, reason: error instanceof Error ? error.message : String(error) },
+        });
+    }
+}
 function generateDaemonPlist(options) {
     (0, runtime_1.emitNervesEvent)({
         component: "daemon",
@@ -145,12 +166,8 @@ function uninstallLaunchAgent(deps) {
         meta: {},
     });
     const fullPath = plistFilePath(deps.homeDir);
-    const domain = userLaunchDomain(deps.userUid);
+    bootoutLaunchAgentByLabel(deps);
     if (deps.existsFile(fullPath)) {
-        try {
-            deps.exec(`launchctl bootout ${domain} "${fullPath}"`);
-        }
-        catch { /* best effort */ }
         deps.removeFile(fullPath);
     }
     (0, runtime_1.emitNervesEvent)({

package/dist/heart/provider-credentials.js CHANGED Viewed

@@ -63,7 +63,7 @@ const PROVIDER_FIELD_SPLITS = {
         config: [],
     },
     "openai-codex": {
-        credentials: ["oauthAccessToken"],
+        credentials: ["oauthAccessToken", "refreshToken", "expiresAt"],
         config: [],
     },
     azure: {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.547",
+  "version": "0.1.0-alpha.549",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",