@ouro.bot/cli 0.1.0-alpha.56 → 0.1.0-alpha.560

package/changelog.json

@@ -1,6 +1,3602 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.560",
+      "changes": [
+        "Voice is now a first-class disabled-by-default sense and channel, with daemon inventory, connect-menu, prompt status, session transcript, and Mailbox UI surfaces.",
+        "Voice foundation modules now define Whisper.cpp STT, ElevenLabs streaming TTS, canonical transcript metadata, and loopback voice turns through ordinary `voice` sessions.",
+        "The daemon can launch a managed voice entrypoint, and docs now spell out voice runtime credential ownership plus the next meeting/Riverside joining milestone."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.559",
+      "changes": [
+        "Cached agent-name lookups no longer emit `identity.resolve` on every call, cutting the largest repeated daemon log event source while preserving the first argv resolution event.",
+        "Identity tests now lock the lower-volume logging contract so cached `getAgentName()` calls stay quiet.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the daemon log volume release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.558",
+      "changes": [
+        "Rejected local vault unlock material is now cleared after Bitwarden proves it is wrong, so a stale Keychain/DPAPI/Secret Service/plaintext entry cannot keep retrying across fresh CLI processes and rate-limit the agent vault.",
+        "Legacy vault unlock entries are no longer copied to canonical coordinates during read. Ouro now canonicalizes them only after a successful vault login, preventing unvalidated local material from poisoning the primary unlock slot.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the invalid local unlock quarantine release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.557",
+      "changes": [
+        "`ouro vault unlock` now validates the typed unlock secret against the agent vault before replacing this machine's saved local unlock material, so a failed unlock attempt cannot poison a previously working Keychain/DPAPI/Secret Service/plaintext entry.",
+        "The Bitwarden adapter now rebuilds stale per-agent local `bw` profiles when they point at the wrong vault account/server or reject a saved unlock during unlock, reducing restart-time false locked-vault failures while keeping wrong saved secrets explicit.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault unlock hardening release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.556",
+      "changes": [
+        "`ouro up` runtime replacement now captures the daemon boot timestamp before starting the replacement process, so a fast healthy daemon is not rejected for publishing health before the monitor begins polling."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.555",
+      "changes": [
+        "`npm run build` now removes stale `dist/` output before compiling so deleted runtime modules cannot remain in published packages.",
+        "Package-asset validation now rejects published package contents that still mention the removed provider selection file, provider state module, or drift module surfaces."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.554",
+      "changes": [
+        "Provider/model selection now has one durable authority: `agent.json` lanes. The daemon, CLI, prompt visibility, failover, hatch, and RepairGuide paths no longer maintain or repair a second local provider-selection object.",
+        "`ouro use` and legacy provider/model commands now write `agent.json` and run bundle sync when sync is enabled, so provider lane changes travel with the agent bundle.",
+        "Provider credential refresh wording now describes the in-memory credential cache backed by the agent vault instead of implying a durable local provider selection copy."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.553",
+      "changes": [
+        "Daemon startup on macOS now starts through launchd before opening the daemon socket when the LaunchAgent is available, preventing `ouro up` from leaving both a manual daemon and a launchd daemon alive after current-session bootstrap."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.552",
+      "changes": [
+        "`ouro up` now bootstraps the daemon LaunchAgent into the current login session when it is not already loaded, waits for the launchd-owned daemon socket to settle, and keeps the launchd adoption non-fatal if macOS refuses the bootstrap."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.551",
+      "changes": [
+        "`ouro up` now waits for SIGTERMed orphan daemon processes to settle before opening the replacement Unix socket, preventing the previous daemon from unlinking the new daemon's command socket during orphan cleanup."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.550",
+      "changes": [
+        "`ouro up` now lets launchd SIGTERM cleanup settle briefly after unloading the daemon LaunchAgent before binding the replacement socket, preventing the old daemon from unlinking the new daemon's Unix socket during runtime replacement."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.549",
+      "changes": [
+        "`ouro up` now unloads any already-loaded daemon LaunchAgent before replacing a drifted daemon runtime, preventing launchd KeepAlive from racing the manual replacement and leaving two daemon processes split across the same socket.",
+        "`ouro up` now rewrites the daemon boot plist as soon as the daemon is answering, so a degraded sense no longer prevents restart auto-start metadata from being refreshed."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.548",
+      "changes": [
+        "OpenAI Codex auth now reuses an existing fresh local Codex login before starting browser login, letting `ouro auth --provider openai-codex` repair stale vault copies without a human OAuth round-trip when the local Codex CLI is already logged in.",
+        "Codex provider credentials now retain refresh metadata (`refreshToken` and `expiresAt`) alongside the access token, setting up proactive non-browser refresh handling for future hardening."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.547",
+      "changes": [
+        "Version-managed macOS daemon LaunchAgents now point at the stable `~/.ouro-cli/CurrentVersion` entry path instead of a concrete installed version directory, so future runtime updates do not leave launchd holding stale daemon argv."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.546",
+      "changes": [
+        "Launchd habit sync now leaves the daemon launch agent plist alone, preventing the daemon from booting out its own `bot.ouro.daemon` service during startup."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.545",
+      "changes": [
+        "Launchd-managed habit jobs now inherit the runtime PATH in their plist environment, preventing login-started jobs from failing to find the Node runtime.",
+        "The default daemon starter now launches with the current process executable instead of a bare `node` lookup, so background restarts survive sparse launch contexts.",
+        "Adds regression coverage for restart launch path hardening and mail-import discovery timestamp fallbacks."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.544",
+      "changes": [
+        "BlueBubbles live webhook turns now have a bounded timeout, visible timeout notice, and recoverable captured-message retry path, so a long iMessage turn cannot silently monopolize the live chat lane.",
+        "BlueBubbles runtime health now records active and stalled live turns, exposes them in status output, and marks the sense unhealthy when the listener is reachable but a live iMessage turn is stuck.",
+        "The `ouro bluebubbles replay` debug command now refreshes this machine's BlueBubbles runtime credentials before creating the client, matching the daemon-launched listener's vault-backed configuration."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.543",
+      "changes": [
+        "Daemon health-monitor MCP canaries now ignore the daemon's aggregate overview health while still validating MCP transport, daemon liveness, version alignment, and required sense health, preventing the canary's previous failure from keeping the daemon in a self-reinforcing warning state."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.542",
+      "changes": [
+        "BlueBubbles recovery timeouts now leave iMessage messages pending instead of marking them processed, and legacy `recovery-timeout` processed records no longer suppress retries.",
+        "Recovery turns now get a longer bounded timeout and keep their in-flight guard until the abandoned turn settles, preventing duplicate retries while preserving truthful pending recovery state.",
+        "iMessage recovery health now counts pending work by message GUID across captured inbound and mutation sidecars, preventing one missed message from being reported as multiple queued items."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.541",
+      "changes": [
+        "BlueBubbles recovery now treats message GUID completion as authoritative across repaired session keys, so stale `chat_identifier:unknown` mutation/capture sidecars stop keeping iMessage health in a false pending-recovery state after the real chat turn has completed.",
+        "Adds regression coverage for recovered captured-inbound and mutation backlog records whose original degraded session key differs from the canonical processed chat key."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.540",
+      "changes": [
+        "Runtime prompt rendering, MCP child-process startup, and BlueBubbles recovery now repair a deleted process cwd back to the runtime root instead of failing with `uv_cwd` after a transient worktree disappears.",
+        "BlueBubbles captured-inbound recovery now has regression coverage proving a stuck iMessage recovery item can replay successfully even when the daemon inherited a vanished working directory."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.539",
+      "changes": [
+        "The trusted-publishing workflow now selects the safe npm dist-tag before publishing instead of relying on post-publish `npm dist-tag add`, which OIDC trusted publishing cannot authenticate.",
+        "Prerelease publishes keep using `latest` while `latest` is absent or already prerelease, then move future prereleases back to their prerelease channel after `latest` points at a stable release.",
+        "Runtime update checks, version status, and install guidance now use the supported `latest` channel so default npm installs and daemon updates follow the same publish path."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.538",
+      "changes": [
+        "The publish workflow now repairs a stale prerelease-polluted npm `latest` dist-tag to the just-published alpha while leaving future stable `latest` releases untouched.",
+        "Adds tested npm dist-tag policy helpers so prerelease publishes continue using `alpha` and default npm installs cannot quietly drift behind the supported alpha channel."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.537",
+      "changes": [
+        "Agents now render a trip-ledger truth section when structured travel plans exist, making the trip ledger outrank stale friend notes, old handoffs, and memory for itinerary and gap questions.",
+        "`trip_calendar` now explicitly tells agents to use the ledger before answering current itinerary, travel gap, or what-changed questions so mail-backed travel facts stay reachable in live conversations."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.536",
+      "changes": [
+        "Delegated hosted mail search now tracks durable coverage records and refuses to treat stale cache misses as absence proof, with `mail_index_refresh` repairing projection-incomplete cache entries before coverage is considered current.",
+        "Mail ingestion, search caching, and body rendering now preserve searchable text from HTML-only messages, preventing travel facts from disappearing when an email lacks a plain-text body.",
+        "MCP send-message and daemon socket commands now fail with bounded timeout errors instead of hanging forever, and trip ledgers can be rendered as chronological calendars with evidence-backed `trip_calendar` output."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.535",
+      "changes": [
+        "Daemon orphan cleanup now recognizes managed mail sense workers, so stale `senses/mail-entry.js --agent <name>` processes from old runtimes are terminated on production daemon startup instead of lingering across restarts.",
+        "Adds regression coverage for the full daemon-managed entrypoint set used by orphan cleanup, including inner-dialog, daemon, BlueBubbles, Teams, and mail workers."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.534",
+      "changes": [
+        "`ouro up` now syncs the global `ouro.bot` wrapper to the exact running runtime version and repairs stale wrapper-owned binaries instead of trusting whatever package currently owns the executable.",
+        "Foreground and daemon update checks now read the `alpha` prerelease dist-tag instead of stale `latest`, so machines already on older prereleases can discover the fixed runtime.",
+        "Runtime bootstrap hints, smoke docs, cross-machine setup, and the Teams startup script now use the supported `alpha` prerelease channel so prerelease installs no longer drift behind a stale `latest` tag."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.533",
+      "changes": [
+        "Locks the `ouro.bot` bootstrap wrapper to install the matching `@ouro.bot/cli` package version from its own package metadata instead of resolving `@ouro.bot/cli@latest`, preventing stale npm dist-tags from downgrading or skipping a just-published alpha.",
+        "Adds wrapper bootstrap coverage that fails if the wrapper queries `npm view` for `latest` during install, closing the release-smoke gap that caught `ouro.bot@0.1.0-alpha.532` reporting the older CLI."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.532",
+      "changes": [
+        "MCP clients now classify dead transports, reconnect stale servers before tool calls, retry one transport-level failure, and expose live refresh canaries so closed MCP pipes recover instead of poisoning long-running sessions.",
+        "Adds `ouro mcp canary --agent <name>` plus daemon health-monitor wiring, surfacing fresh MCP status failures in `ouro status` and validating daemon/MCP version parity and required sense health.",
+        "Explicit `daemon.stop` now writes a last-known down health state instead of creating a misleading unexpected-clean-exit tombstone, daemon background update checks no longer self-restart the live runtime, and `ouro msg` wakes the target agent before IPC delivery.",
+        "Release publishing now tags prereleases with their prerelease channel and release smoke verifies exact wrapper versions, keeping npm dist-tags from driving surprise prerelease churn through the daemon updater."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.531",
+      "changes": [
+        "`ouro doctor` now recognizes the current nested trip ledger schema (`ledger.ledgerId`) as healthy while keeping backward compatibility with older top-level `ledgerId` ledgers.",
+        "Adds regression coverage so valid trip ledgers no longer surface as doctor warnings during runtime reliability checks."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.530",
+      "changes": [
+        "`ouro up` now gives freshly restarted daemons a bounded final health-settling window before failing, so managed senses such as BlueBubbles and mail can finish proving healthy after asynchronous recovery without producing a false failed handoff.",
+        "The final daemon check continues to fail on persistent degraded health, but its failure now reports the last concrete degraded sense detail after the settle window so real boot failures stay actionable.",
+        "Adds regression coverage for transient degraded runtime health recovering before handoff and for persistent degraded health still blocking `ouro up`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.529",
+      "changes": [
+        "MCP agent status now asks the daemon for proof-bearing runtime health, including per-agent worker rows and enabled sense rows with proof method, proof age, failure layer, and recovery counters.",
+        "MCP status reports daemon/socket unreachability as an explicit status line instead of hiding it behind otherwise successful diary/session facts.",
+        "MCP status now includes its own package version and flags MCP-vs-daemon version mismatches so stale long-lived MCP servers are visible during reliability checks."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.528",
+      "changes": [
+        "Daemon overview health now degrades whenever an enabled sense is configured but not externally proven healthy, and `ouro up` refuses a healthy handoff when runtime senses are degraded instead of treating unreachable iMessage as green.",
+        "Managed sense health probes now carry restart ownership, so failed BlueBubbles/iMessage probes trigger daemon-managed recovery while preserving proof method, proof age, failure layer, recovery action, and pending recovery age in status surfaces.",
+        "BlueBubbles webhooks now durably capture inbound and mutation sidecars before acknowledging the HTTP request, then process the slower agent turn asynchronously so live iMessage delivery is not blocked by model/runtime latency.",
+        "MCP agent status now returns concrete runtime facts instead of terse placeholder text, giving external tools a proof-bearing status surface for Slugger and other agents."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.527",
+      "changes": [
+        "Suppresses `onResult`/`onFailure` in the shared tool-activity callbacks factory for any tool that started hidden, so a hidden tool's END never re-emits its raw args into chat surfaces — fixing rejected `settle` calls leaking `answer=`/`intent=` into BlueBubbles and Teams threads.",
+        "Tracks hidden-at-start tools by per-name counter to stay sound across concurrent same-name hidden starts, with no behavior change for visible tools.",
+        "Adds heart-level regression tests for hidden-tool END suppression (success and failure paths, concurrent same-name) and senses-level regression tests against `createBlueBubblesCallbacks` and `createTeamsCallbacks` asserting that a rejected settle following a visible read_file produces no chat output containing the settle answer text or `intent=`/`answer=` substrings."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.526",
+      "changes": [
+        "Marks BlueBubbles/iMessage as unhealthy in daemon status whenever fresh runtime state has queued recovery work, even if the BlueBubbles process and upstream health probe are answering.",
+        "Keeps the runtime `upstreamStatus` scoped to transport reachability while rendering pending iMessage recovery as a user-facing service failure through `pendingRecoveryCount`.",
+        "Requires a running BlueBubbles listener process before fresh healthy runtime state can make daemon status green, and hard-times out queued recovery turns so one stuck message cannot wedge backlog draining.",
+        "Quarantines timed-out recovery messages with a `recovery-timeout` processed outcome, allowing later queued iMessage recovery to continue while preserving the audit trail.",
+        "Clarifies BlueBubbles runtime detail text so queued recovery reads as iMessage not caught up instead of implying the sense is healthy."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.525",
+      "changes": [
+        "`ouro status --json` now returns parseable daemon status JSON instead of the human ANSI status board, giving automation and review gates a truthful machine-readable status surface.",
+        "Unavailable-daemon status checks with `--json` now still return structured JSON with socket and health-file context instead of falling back to human prose.",
+        "Adds CLI parse and execution coverage for the status JSON flag so future status rendering changes cannot silently break the automation contract again."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.524",
+      "changes": [
+        "Completes the human-facing Ouro Mailbox rename by moving the former Outlook source, tests, UI package, build scripts, and package asset checks onto mailbox naming.",
+        "Keeps compatibility aliases for `ouro outlook`, legacy `/outlook` API paths, old `outlookUrl` status consumers, and existing Outlook-named local preference/state files during the transition.",
+        "Cleans stale legacy Outlook UI package output during Mailbox UI builds so published packages carry the renamed asset tree without leftover old paths."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.523",
+      "changes": [
+        "Exits the daemon entrypoint after a command-plane `daemon.stop`, preventing a stopped daemon from staying alive without its command socket and leaving Slugger's iMessage worker marked degraded.",
+        "Shares daemon entrypoint cleanup between signal stops and command stops, stopping habit schedulers and daemon health polling before the process exits.",
+        "Keeps BlueBubbles runtime health green as soon as upstream is reachable while queued captured-inbound, mutation, or catch-up recovery work remains visible in `pendingRecoveryCount` instead of making live iMessage look down."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.522",
+      "changes": [
+        "Keeps the BlueBubbles production HTTP worker responsive by changing runtime health sync to queue/discover missed iMessage recovery work instead of running full recovered agent turns inline.",
+        "Counts captured inbound sidecars and mutation backlog as pending recovery in BlueBubbles runtime state, so `ouro status`/health truth can show that live transport is up while old messages still need recovery.",
+        "Queues upstream catch-up candidates into the inbound sidecar during runtime sync without hydrating or invoking the agent, preserving idempotent recovery while preventing startup catch-up from starving live webhooks."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.521",
+      "changes": [
+        "Ships the `RepairGuide.ouro/` library bundle in the npm package so production `ouro up` repair guidance can load the same source-truth recovery materials that tests exercise.",
+        "Adds shared package asset checks to local package e2e, release preflight, and published release smoke so required runtime bundles are verified from one package-truth definition.",
+        "Makes Outlook UI package output deterministic by copying built assets through a clean destination, preventing stale nested `dist/outlook-ui/dist/...` artifacts from surviving repeated builds."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.520",
+      "changes": [
+        "`ouro up` now prints the current runtime version in the update-check phase before asking npm for newer bits, so a stalled registry or update path no longer hides what is actually running.",
+        "Production `ouro up` starts or refreshes the daemon before provider health checks and repair prompts. Broken credentials for one agent are reported as degraded provider readiness after the daemon is answering instead of preventing every agent from coming online.",
+        "Daemon startup now opens the command socket before autostarting provider-dependent workers and kicks agent/sense autostart concurrently. A thrown or stalled config check is contained to that agent's crashed snapshot, leaving the daemon and sibling agents reachable.",
+        "BlueBubbles no longer auto-learns a one-to-one chat partner as the agent's own iMessage handle after an outbound reply, so the next inbound text from that person is not filtered as self-talk.",
+        "Mail tools and the Ouro Mailbox now retry runtime/config resolution when a sense process cached a transient vault-unavailable state, and prompt sense-status rendering reads the same cached vault runtime truth instead of stale local config.",
+        "`ouro up` now times out unresolved daemon startup polling instead of spinning forever, and daemon worker startup ignores duplicate start attempts while a provider/config check is already in flight. Stopping during a pending config check no longer lets that worker spawn afterward.",
+        "BlueBubbles self-handle filtering is now group-echo scoped and bypasses known non-self friends, so a stale `ownHandles` entry cannot make real Ari messages disappear from Slugger's iMessage turn loop.",
+        "`ouro up` now trusts daemon-published provider readiness after startup instead of doing a second foreground vault read, so a slow Bitwarden provider check cannot freeze the command or report a false auth prompt after the daemon is already healthy.",
+        "Bitwarden vault login/unlock now passes the saved vault unlock secret through `bw --passwordenv` instead of process arguments, so the secret does not appear in `ps` output while `ouro up` or a sense startup is unlocking the agent vault.",
+        "Production Bitwarden reads for structured runtime/provider item names now use bounded exact search with isolated app data instead of a full-vault listing, reducing the startup window where `ouro up` appears quiet while the vault CLI is busy.",
+        "Daemon startup provider health checks now cache the selected provider credentials they just verified, so the first MCP or iMessage turn does not re-open Bitwarden before using the already-checked `openai-codex` key.",
+        "Managed sense workers now receive the daemon's already-verified provider credential records over IPC at startup, so BlueBubbles and other child processes do not reopen Bitwarden mid-message after `ouro up` has already proved the selected provider is ready.",
+        "Daemon health recovery no longer cancels an agent whose config check is still in flight, so a slow provider/vault check cannot leave the inner-dialog worker stopped after `ouro up`.",
+        "`ouro up` no longer waits on optional sense runtime/config vault refreshes. Sense workers use cached config for the boot decision, refresh their runtime config in the background, and retry once fresh config arrives, while entrypoints start their worker before best-effort runtime refresh completes.",
+        "Daemon health recovery now invalidates stale no-process startup attempts before retrying, so an old hung provider check cannot keep an agent stuck in `starting` forever or spawn a stale worker after recovery; stale recovery defaults to 45s so the next health pass can clear it.",
+        "Provider initialization failures during daemon-handled sense turns now throw back to the command boundary instead of calling `process.exit(1)`, so a bad provider/vault read can fail one MCP or iMessage turn without killing the `ouro up` supervisor.",
+        "Provider retry and single-provider read paths now refresh only the selected provider's vault item, so a slow or broken credential for another provider cannot stall a healthy `openai-codex` turn.",
+        "`ouro status --agent <name>` now refreshes only the providers selected by that agent's outward/inner lanes, and skips vault reads entirely when local provider readiness is missing, so an unused broken provider cannot freeze status.",
+        "`ouro up` now keeps its startup poll finite while allowing enough time for bounded Bitwarden retry paths before labeling an otherwise-progressing worker as timed out.",
+        "User-facing session transcript summaries and searches now hide tool-result chatter for outward sessions while keeping full tool traces available in `self/inner`, so iMessage history reads as the human conversation instead of shell logs.",
+        "Small transcript-tail reads now always keep the latest visible user and assistant turns even after tool-heavy BlueBubbles activity, so Slugger does not mistake a live iMessage session for stale history.",
+        "Custom-socket daemon runs, including hermetic integration sandboxes, no longer touch the production daemon pidfile or orphan-cleanup sweep, so tests and dev harnesses cannot SIGTERM the real `ouro up` daemon while validating startup."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.519",
+      "changes": [
+        "Introduces `kind: \"library\"` field on bundle `agent.json`. `agent-discovery.ts` filters bundles where `kind === \"library\"` so they're never instantiated as runtime agents. `SerpentGuide.ouro/agent.json` tagged with `kind: \"library\"` to formalize what was previously an implicit `enabled: false` convention.",
+        "Activation gate `shouldFireRepairGuide` consumes the existing `untypedDegraded` / `typedDegraded` partitioning at `cli-exec.ts:6693-6694`. Fires when `untypedDegraded.length > 0` OR `typedDegraded.length >= 3`. The existing `--no-repair` flag remains the operator escape hatch — no new env toggle.",
+        "Drops the `~/AgentBundles/SerpentGuide.ouro/` override fallback in `getSpecialistIdentitySourceDir` — the in-repo bundle is now the only source. Reasoning per the planning doc: drift surface we don't currently need; cleaner ownership; no override path to maintain. Five referencing files updated (`hatch-flow.ts`, `cli-defaults.ts`, plus their tests). Same constraint extends to RepairGuide from day one — no override mechanism.",
+        "`parseRepairProposals` typed parser maps RepairGuide's structured-proposal output into the existing `RepairAction` catalog from `readiness-repair.ts` (`vault-unlock`, `provider-auth`, `provider-use`, etc.). Backfills lane variants and missing fields where unambiguous; rejects malformed proposals.",
+        "Slugger-style compound integration fixture as canonical acceptance test (per O6): bad bootstrap state + expired creds + broken remote + drift between agent.json and agent.json simultaneously. Validates the full layer 1→4→2→3 pipeline end-to-end.",
+        "All gates green: tsc clean, lint clean, code coverage 100%, nerves audit pass."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.518",
+      "changes": [
+        "Layer 2 of the harness-hardening sequence (1→4→2→3 from `docs/planning/2026-04-28-1900-planning-harness-hardening-and-repairguide.md`). Wires a pre-flight `git pull` over every sync-enabled bundle into `ouro up`, before per-agent provider live-checks, so the post-pull `agent.json` is what live-check reads. First PR in the sequence that mutates working trees; does NOT write to `state/` (verified by a meta-test).",
+        "New sync failure taxonomy in `src/heart/sync-classification.ts`: `auth-failed`, `not-found-404`, `network-down`, `dirty-working-tree`, `non-fast-forward`, `merge-conflict`, `timeout-soft`, `timeout-hard`, `unknown` — extends `PendingSyncRecord.classification` additively (legacy `push_rejected`/`pull_rebase_conflict` still work). Pure pattern-matcher: priority order is abort → 404 → auth → network → dirty → conflict → non-fast-forward → unknown.",
+        "End-to-end `AbortSignal` plumbing. New `runWithTimeouts<T>` wrapper in `src/heart/timeouts.ts` (soft 8s warns, hard 15s aborts via `AbortController`); new async sibling `preTurnPullAsync` in `src/heart/sync.ts` that uses `child_process.execFile(..., { signal })` so the kernel kills the git child when the hard timeout fires. Original sync `preTurnPull` preserved for the per-turn pipeline. Two env knobs for the boot-sync probe: `OURO_BOOT_TIMEOUT_GIT_SOFT` (8000ms) and `OURO_BOOT_TIMEOUT_GIT_HARD` (15000ms).",
+        "New `runBootSyncProbe` orchestrator in `src/heart/daemon/boot-sync-probe.ts` aggregates per-bundle findings (each tagged `advisory: true|false`). Wired into `daemon.up` as a new \"sync probe\" boot phase between manual-clone-detection and provider checks. Failures during the probe itself are caught and surfaced as a warning event without blocking the boot. Tests inject `runBootSyncProbeImpl` to keep CI off the developer's home bundles.",
+        "9903 tests pass (518 files; +19 new). Coverage gate clean (cli-exec.ts 99.33% → 100%). Slow-remote integration test proves boot doesn't hang on a hung remote (probe aborts within `hardMs`). Unit 7 meta-test enforces no-state-writes invariant on the three new files."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.517",
+      "changes": [
+        "`computeDaemonRollup` (Layer 1) gains an optional `driftDetected: boolean`. When true, `healthy` → `partial` (same downgrade rule as `bootstrapDegraded`). `degraded` and `safe-mode` rollups are unaffected — drift never escalates past `partial` and never un-downgrades. `daemon-entry.ts` probes each enabled agent for drift before computing the rollup; a single agent's read failure is best-effort and does not block the scan."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.516",
+      "changes": [
+        "Layer 1 of the harness-hardening sequence (1→4→2→3 from `docs/planning/2026-04-28-1900-planning-harness-hardening-and-repairguide.md`). Replaces the daemon-wide rollup at `daemon-entry.ts` (the binary `degraded.length > 0 ? \"degraded\" : \"ok\"` literal) with a five-state vocabulary: `healthy / partial / degraded / safe-mode / down`. A single sick agent no longer tips the whole daemon to `degraded`.",
+        "Type structure: `RollupStatus` (4-state, returned by the new pure `computeDaemonRollup` decision function in `daemon-rollup.ts`) and `DaemonStatus = RollupStatus | \"down\"` (full daemon-status; `down` is caller-owned because it represents pre-inventory failure, before the rollup is reachable). Both unions project from a single source-of-truth literal tuple so future widening touches one site.",
+        "`renderRollupStatusLine` in `cli-render.ts` uses a compiler-forced `never`-typed exhaustive switch — adding a future state compile-errors at every consumer using the pattern. The `degraded` literal carries three copy variants picked by inspecting cached agent statuses: empty map (fresh install, prompts `ouro hatch`), non-empty + any running agent (legacy stale cache from pre-Layer-1 daemons, prompts `ouro up` refresh), non-empty + zero running (all-failed live-check, prompts `ouro doctor`).",
+        "`runtime-readers.ts:readDaemonHealthDeep` parse tightened to use `isDaemonStatus`. `OutlookDaemonHealthDeep.status` widened to `DaemonStatus | \"unknown\"` so legacy serialized strings (`\"running\"`, `\"ok\"`) coerce defensively rather than failing the parse during rollout.",
+        "9759 tests pass (508 test files); coverage gate clean. The per-agent live-check loop in `cli-exec.ts` is intentionally untouched — it was already try/catch-isolated; the bug was in how its output rolled up. Subsequent PRs (layers 4, 2, 3) build on this PR's vocabulary."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.515",
+      "changes": [
+        "New `speak` tool — agent can deliver words to the current friend mid-turn without ending the turn. Pairs with `settle` (ends turn) and `ponder` (private inner thought). For acknowledgment of heavy work, phase-boundary updates, or progress narration on chat-style channels (cli, teams, bluebubbles).",
+        "Schema is intentionally minimal: `speak({ message: string })`. Not sole-call, doesn't terminate the turn, NOT exempt from the 24-call circuit breaker (the breaker is healthy backpressure against narration-spam — silence is a natural fallback for speak, unlike settle/rest). Added `flushNow?(): void | Promise<void>` to `ChannelCallbacks`; per-sense impls deliver the buffered message immediately (CLI noop, BlueBubbles `client.sendText` keeping typing on, Teams stream emit with `sendMessage` fallback).",
+        "Engine integration follows the `ponder` interception template at `core.ts:~1303`: `speak` runs inline (emit + flushNow + push `(spoken)` tool result + nerves event `engine.speak`), then the loop continues. Empty/missing message rejected with a tool-result error and `engine.speak_invalid`. New event keys: `engine.speak`, `engine.speak_invalid`, `engine.speak_delivery_failed`, `bluebubbles.speak_flush`, `teams.speak_flush`.",
+        "System prompt nudge in Group #4 (`how i work`), gated to chat-style channels: dependency boundary (settle if next step needs a reply, otherwise speak), phase boundaries (after acking heavy ask / hitting major constraint / switching strategy / before externally-visible step — not per-tool narration), one-way framing (speak is progress, not invitation).",
+        "Hardened `speak` delivery semantics (slugger PR review fix). `flushNow` contract is now explicit: throws if the message could not be delivered through any available path. Teams `flushNow` THROWS when both stream emit AND `sendMessage` fallback fail (was silently logging delivered=false and returning normally — engine then recorded `(spoken)` even though nothing reached the friend). BlueBubbles `flushNow` already let `client.sendText` rejections propagate; contract documented. Engine wraps `await flushNow()` in try/catch: on hard failure it calls `onToolEnd('speak', ..., false)`, pushes a `'speak delivery failed: ... did not reach your friend; do not assume they saw it'` tool result, emits `engine.speak_delivery_failed` (level=error), and the turn continues — preventing the agent from assuming silent success.",
+        "`speak` is now treated as flow-control across all senses (slugger PR review fix). Like settle/observe/ponder/rest, its only visible output is the message itself — no spinner, no phrase rotation, no `⏳` placeholder, no tool-activity status line. Added 'speak' to `FLOW_CONTROL_TOOLS` in `cli/tool-display.ts` and `cli/ouro-tui.tsx`; CLI/BlueBubbles/Teams `onToolStart` early-return for speak; `tool-description.ts` returns null for speak as defense-in-depth for any future sense using `createToolActivityCallbacks`. Teams `flushNow` also stops phrase rotation when it delivers, so the actual message replaces the cycling 'thinking...' phrase.",
+        "Teams `flushNow` no longer aborts the turn on a successful sendMessage fallback (slugger PR review fix). Prior code path: stream emit fails → `tryEmit` calls `markStopped()` which calls `controller.abort()` → falls through to `sendMessage` → succeeds → `flushNow` returns normally → core records `(spoken)` with success=true — but the turn controller is already aborted, so the next model/tool step aborts. Successful fallback delivery should not poison the rest of the turn. Fix adds a non-aborting `tryEmitNoAbort` variant adjacent to `tryEmit`; `flushNow` uses it so a primary-stream failure followed by a successful sendMessage no longer triggers `controller.abort()`. Only when ALL delivery paths fail does `flushNow` call `markStopped()` and throw, letting the engine's existing `engine.speak_delivery_failed` catch path end the turn cleanly. `tryEmit` and other non-flushNow callers (end-of-turn `flush()`, `safeEmit`) are unchanged — their abort-on-failure behavior remains correct because they have no fallback path forward."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.514",
+      "changes": [
+        "Add `--strict` flag to `ouro doctor` and bundle the `--category` flag (also in #637) for a coherent CI-friendly diagnostic interface. `--strict` makes the CLI exit non-zero (via thrown error caught by ouro-entry) when any check is `warn` or `fail`. Default behavior is unchanged.",
+        "Composes naturally with --category and --json (#634): `ouro doctor --category Daemon --strict --json` is the canonical CI invocation — runs only the daemon checker, exits 1 on any issue, output is parseable. Emits `daemon.doctor_run` with `strict: true` in meta when set so the strict-failure events are filterable through #622's `nerves-review`.",
+        "5 new parse tests cover --strict alone, --strict + --category combined, and the existing happy-path / no-value cases. cli-types now models `{ kind: \"doctor\", category?, strict? }`. KNOWN_DOCTOR_CATEGORIES (also from #637) gives external tooling a stable list of available filters. 69/69 doctor + parse tests pass."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.513",
+      "changes": [
+        "New `Friends` category in `ouro doctor`. Same shape as the Mailroom (#632) and Trips (#631) checks — walk each agent bundle, classify the friend store's health, and report a trust-level breakdown for the healthy path.",
+        "Per-agent reports: pass when no friends/ dir (no friends recorded yet), pass with `<N> friends, <X> family, <Y> friend, <Z> stranger` when records parse cleanly, warn when some files are unparseable (with parse-failure count), fail when the dir itself can't be read. Records with an unrecognized `trustLevel` get counted under `<N> other` so the operator can investigate.",
+        "6 new tests cover all branches plus file-extension filtering (`.txt` ignored). Wired between Security and Disk in CATEGORY_CHECKERS, same orchestration shape as Mailroom and Trips."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.512",
+      "changes": [
+        "New `friend_list` tool — the agent can list its known friends with id, name, and trust level. The notes/friend repertoire had `get_friend_note` and `save_friend_note` for individual lookups but no surface to enumerate the friend graph. Real workflows that needed it: cross-chat outreach decisions, screener triage, orienting on relationships at session start.",
+        "Optional `trust` filter (`family`/`friend`/`stranger`) and `limit` (1-200, default 50). Renders one entry per friend with id, trust label, name, and external-id channel:identifier pairs when present. Sorted alphabetically by display name. Empty-state messages are filter-aware so the agent can tell the difference between 'no friends at all' and 'no matches for the filter'.",
+        "Defensively handles a friend store that lacks `listAll` (the interface marks it optional) — returns 'the configured friend store does not support listing' rather than throwing. Tool registry up to 75 (snapshot regenerated, H10 contract list extended). 4 new tests cover sorted listing, trust filtering, store-without-listAll defensive path, and filter-empty state."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.511",
+      "changes": [
+        "Add `--json` flag to `ouro doctor`. Default human-readable output is unchanged; `--json` emits the full DoctorResult (categories + checks + summary) as pretty-printed JSON for piping into jq, dashboards, scheduled health monitors, or CI pipelines that want to alert on a doctor failure.",
+        "Same shape as the `--json` flag on the diagnostic family that's been growing alongside (session-playback / nerves-review / session-stats in their respective open PRs). Doctor was the asymmetric case — text-only output. With agent-private state coverage now landing in the doctor (Trips in #631, Mailroom in #632), structured output makes the doctor genuinely consumable by external tooling.",
+        "1 new test on the parse path (`doctor --json` → `{ kind: \"doctor\", json: true }`); the existing parse test is updated to match the new shape (`{ kind: \"doctor\", json: false }`). The exec-side change is a one-line ternary that picks `JSON.stringify(result, null, 2) + \"\\n\"` over `formatDoctorOutput(result)` when the flag is set. 83/83 doctor + parse tests pass."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.510",
+      "changes": [
+        "New `Mailroom` category in `ouro doctor`. Same shape as the `Trips` check from #631 (alpha.509): walk each agent bundle, classify the mailroom registry's health into pass/warn/fail with structured detail, return record/grant/message counts for healthy ledgers.",
+        "Health classes: pass when no mailroom dir (mail not connected), pass with `<N> mailboxes, <N> source grants, <N> messages` when healthy, warn when registry.json is missing or has zero mailboxes, fail when registry.json is unreadable or unparseable. Message count walks the messages dir and counts `.json` files only — stray `.txt` etc. are ignored.",
+        "6 new tests cover all branches plus message-count file-extension filtering. Wired between `Security` and `Disk` in `CATEGORY_CHECKERS`. With #631's Trips check landing alongside, doctor now has agent-private state coverage for the two stateful primitives the agent owns (mail + trips) — same shape, same detail format, same orchestration."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.509",
+      "changes": [
+        "New `Trips` category in `ouro doctor`. Operators previously had no quick way to verify the trip ledger was healthy — they had to call `trip_status` from inside the agent or open `state/trips/ledger.json` by hand. With the trip ledger now load-bearing for trip planning workflows, doctor coverage matters.",
+        "The check walks each agent bundle and reports per-agent trip health: pass when the ledger is absent (optional feature, not yet ensured), warn when `state/trips/` exists but `ledger.json` is missing or lacks the `ledgerId` field, fail when `ledger.json` is unreadable, unparseable, or missing the `privateKeyPem` (encrypted records would be unreadable). Healthy ledgers report `<ledgerId> (<N> records)` so the operator sees record count without opening anything.",
+        "7 new tests cover: no-agents (warn), no-ledger-dir (pass — optional), missing ledger.json (warn), unparseable JSON (fail), missing ledgerId (warn), missing privateKeyPem (fail), and the healthy passing path with record-counting that ignores non-`.json` files in the records dir. Wired between `Security` and `Disk` in the `CATEGORY_CHECKERS` array — same orchestration shape as the existing categories."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.508",
+      "changes": [
+        "New `trip_remove_leg` tool. The trip ledger had `trip_upsert`, `trip_attach_evidence`, and `trip_update_leg`, but no first-class way to drop a leg — the agent had to re-emit the entire trip record minus that leg (fragile, easy to lose evidence). Real workflow that needed it: the user cancelled a hotel booking; #620's e2e test exercised the add path but there was no way to model the cancel.",
+        "`trip_remove_leg(tripId, legId, updatedAt, reason?)` finds the leg, drops it from `legs[]`, bumps the trip's `updatedAt`, and emits `trips.leg_removed` (info) carrying tripId/legId/kind/reason. Rejects when the leg id is unknown (so accidental no-ops are visible) and when the trip is missing (returns the same `trip not found` shape as the other tools). Tool registry up to 75 (now 8 trip tools — snapshot updated, H10 contract list includes the new name).",
+        "5 tests cover happy-path removal with leg-count assertion via `trip_get`, unknown-leg rejection, missing-trip propagation, the three required-field validation paths, plus the existing stranger-ctx trust block now extended to include `trip_remove_leg`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.507",
+      "changes": [
+        "Drop the second of two consecutive assistant messages with byte-identical content in `repairSessionMessages`. The existing back-to-back-assistant repair concatenated content with `\\n\\n`, which produced visible duplicate text on the surface when the second message was a retry/double-persist artifact (a common shape when a turn is interrupted mid-save and re-emitted).",
+        "Behavior change is narrow: trim-equality only, both sides must have non-empty content, and the second assistant must not have its own tool_calls. Different content still concatenates (legitimate continuation). Empty-content assistants still concatenate (the existing test case for null+undefined is preserved). Emits `mind.session_duplicate_assistant_dropped` (info) with the count so #622 (nerves-review) can show how often it fires in real traffic. 2 new tests cover the dedup path and the no-false-positive case (different content concatenates as before)."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.506",
+      "changes": [
+        "Detect duplicate tool_call_id across assistant messages in `validateSessionMessages`. MiniMax-M2.7 emits canonical tool_call ids of the form `call_function_<hash>_<n>` and reuses the same id across turns when the same function gets called — which causes provider rejections on replay because tool_call_id is supposed to be unique per request. The session sanitize pass already had position-aware orphan detection (#613) and inline-reasoning strip (#612); this adds the third member of the family — collision detection.",
+        "New exported `detectDuplicateToolCallIds(messages)` returns `{ id, indices }[]` for each tool_call_id that appears in multiple assistant messages. Same-message duplicates (one assistant calling the same id twice) are not flagged — those are a legitimate parallel-call shape. `validateSessionMessages` now folds collisions into its violations list with a message that calls out MiniMax specifically so operators reading nerves know what they're looking at.",
+        "Detection only — no rewriting yet, since rewriting tool_call_ids and the matching tool_results requires careful pairing logic that risks regression. The collision is visible to operators via the `mind.session_invariant_violation` nerves event the sanitize pass already emits when violations are present, and the existing `nerves-review` CLI from #622 makes it filterable. 3 new tests cover collision detection, single-message parallel-call shape (no false positive), and the all-distinct happy path."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.505",
+      "changes": [
+        "New `ouro session-stats <session.json>` CLI for at-a-glance metrics on a saved session: total events, breakdown by role (system/user/assistant/tool), tool-call totals + top 5 by frequency, attachment count, time range with duration, projection breakdown (in/out, input tokens, max tokens, trimmed), and last usage. Read-only.",
+        "Pure `computeSessionStats(envelope, path)` core in `src/heart/session-stats.ts` — testable with synthesized envelopes, embeddable in future doctor checks. `runSessionStats(path)` adds the file-load layer; `formatStatsReport(report)` renders human-readable text; `--json` mode for jq piping. Composes with #619 (session-playback) and #622 (nerves-review): three pure-analyzer-plus-thin-CLI tools that together make a stuck session immediately diagnosable end-to-end.",
+        "8 tests cover role counts, tool-call name aggregation with frequency-sorted top-5, time range with and without authoredAt timestamps, attachment counting, projection-omission detection, the unrecognized-envelope stub, CLI no-args help, and CLI --json output. Wired as `npm run session:stats -- <path>` and `dist/heart/session-stats-cli-main.js`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.504",
+      "changes": [
+        "New `mail_outbox` tool — the agent can now introspect its own outbound mail (drafts, queued sends, delivered, bounced, etc.). The mail repertoire had `mail_compose`, `mail_send`, and `mail_recent` for inbound — but no symmetric way to ask 'what did I send / queue?' Operators were having to ssh in and `ls state/.../outbound`. Real-world need: when planning a trip with the operator, the agent often wants to verify it sent a confirmation request before re-asking.",
+        "Lists records newest-first (by `updatedAt`), bounded to `limit` (1-50, default 20), with optional `status` filter across the full MailOutboundStatus union (draft / sent / submitted / accepted / delivered / bounced / suppressed / quarantined / spam-filtered / failed). Each record renders id + status + recipients + truncated subject (80 chars) + last-touched timestamp + provider message id and error message when present. No body text dumped — agent uses message id with another tool if it needs the content.",
+        "Family-trust gated like the rest of mail (read gate, no special block since outbound metadata isn't body content). Records `mail_outbox` access in the access log alongside the other mail tools. Tool registry now at 75 tools (snapshot updated). Two tests cover the empty / sorted / limit / status-filter / audit-log paths, plus the trust block."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.503",
+      "changes": [
+        "In-process LRU cache for decrypted mail bodies. The cold path for `mail_thread` is read-encrypted-blob-from-Azure (1-3s p50, up to tens of seconds for HEY-sized bodies — #614 raised the timeout to 60s for this very reason) plus an RSA-OAEP+A256GCM decrypt. Repeated reads of the same message are common: re-checking a booking confirmation while seeding a trip leg, following up on a thread, looping back to verify a fact. Each repeat hit was paying the full cold cost.",
+        "New `src/mailroom/body-cache.ts` keeps a 50-entry LRU keyed by `StoredMailMessage.id` (a deterministic content hash — rotating keys produces a new id, so stale ciphertext can never be served against a fresh keyset). Insertion-order eviction; reads refresh LRU position. Per-process by design — daemon restart clears it (matches the established pattern with #618 heartbeat-recursion state and #621 BB own-handle discovery).",
+        "Wired into both `mail_thread` (cache-first read; on miss, do the disk fetch + decrypt and cache for next time) and `mail_recent`/`mail_search` (which already decrypt batches; now they also seed the body cache so the next `mail_thread` on any of those is free). New `repertoire.mail_body_cache_hit` info-level event makes hit rate observable via `ouro nerves-review --event mail_body_cache_hit` (alpha.501). 7 new tests cover hit/miss, LRU refresh-on-read, eviction at capacity, defensive empty-id handling, and clear."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.502",
+      "changes": [
+        "Enrich `engine.error` nerve event with HTTP status, redacted body excerpt, and a one-line summary string. Provider errors previously surfaced only as a free-form `error.message`, which forced operators to spelunk the SDK's wrapped object to find the actual status code or quota explanation.",
+        "Two new helpers in `src/heart/providers/error-classification.ts`: `extractProviderErrorDetails(error)` pulls `status` (when present) and a body excerpt (capped at 240 chars, with redaction of any 32+ char token-shaped substring so leaked auth keys don't get persisted into nerves), falling through `error.error → error.response → error.body → error.message` until something usable shows up. Survives circular structures defensively. `summarizeProviderError(error, classification, providerId, model)` produces the canonical operator-readable line: `provider <id>/<model>: <classification>[ HTTP <status>][ — <bodyExcerpt>]`.",
+        "Wired into `finishTerminalProviderError` in `src/heart/core.ts` so every terminal provider error now lands in nerves with `httpStatus` + `bodyExcerpt` + `summary` meta — making `ouro nerves-review --component engine --event engine.error` (alpha.501) immediately useful for diagnosing provider blowups. 11 new tests cover status capture, missing-status defaults, token redaction, 240-char truncation, fallback through alternate body fields, circular-structure safety, and summary formatting in two shapes."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.501",
+      "changes": [
+        "New `ouro nerves-review` CLI for tailing the agent's nerves ndjson with structured filters. Read-only. Operators previously had to grep raw ndjson by hand to track down something like 'how many heartbeat-recursion-suspected events fired today' or 'show me the last hour of senses warnings'.",
+        "Filters: `--component <substr>`, `--event <substr>`, `--level <level>`, `--since <duration>` (e.g. 5m, 2h, 1d), `--limit <N>`, `--process <name>` (default: daemon), `--agent <name>` (default: current). Output modes: human-readable text (`<time> [<level>] <component>/<event> — <message>`) and `--json` (one parsed object per line for piping to jq).",
+        "Pure `reviewNerveEvents(filePath, filter)` core in `src/nerves/review/core.ts` reads the tail of the ndjson (8 MB cap, walks last 200+ lines) and applies in-memory filters; testable without filesystem mocks beyond a temp file. 12 tests cover all six filter dimensions plus duration parsing edge cases (ms/s/m/h/d, malformed inputs), missing-file handling, and the two CLI flag paths (--help, invalid --since). Wired as `npm run nerves:review -- <flags>` and `dist/nerves/review/cli-main.js`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.500",
+      "changes": [
+        "Auto-discover BlueBubbles agent handles on isFromMe outbound. The `bluebubbles.ownHandles` config field added in #610 closes the group-echo self-talk loop, but only after an operator manually populates it with the right handle format. Until then, the very bug the field is supposed to fix can fire — the agent ingests its own group echo and replies to itself.",
+        "When a normalized BlueBubbles event arrives with `event.fromMe === true`, BlueBubbles is telling us the canonical handle BB attributes to the agent's outbound. We capture `event.sender.externalId` into an in-process `discoveredOwnHandles` set and emit an info-level `senses.bluebubbles_own_handle_discovered` nerve event with the captured handle, so an operator can promote it to durable config (cross-restart). The default `getOwnHandles` now returns the union of configured + discovered; `isAgentSelfHandle` therefore filters subsequent isFromMe-missing group echoes even before the operator updates the vault config.",
+        "Per-process state by design — a daemon restart re-learns from the next outbound. Three new tests cover: capture-and-dedupe (raw/normalized form match collapses to one entry), defensive empty/whitespace input handling, and the end-to-end proof that `isAgentSelfHandle` honors discovered handles after `recordDiscoveredOwnHandle` fires."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.499",
+      "changes": [
+        "New `ouro session-playback <session.json>` CLI for dry-running the sanitize pipeline against a saved session. When an agent is stuck in a replay loop, an operator can now run the same `sanitizeProviderMessages` chain that the harness fires before every replay, see what would be dropped/modified/synthesized, and decide whether to clear or hand-repair the session — *without* writing anything to disk.",
+        "The report distinguishes three repair classes: dropped (orphan tool results whose preceding assistant has no matching tool_call), modified-content (assistant messages whose inline `<think>...</think>` blocks would be stripped before replay), and synthetic-added (synthetic tool-results inserted to satisfy the provider's tool_call/tool_result pairing — these include the explanatory message added in #612 so the agent can read what happened). Each change carries a role, index, optional tool_call_id, reason, and a 120-char preview of the affected content.",
+        "Two output modes: human-readable text (default) and `--json` for piping into jq/diagnostics. Underlying `runSessionPlayback` is a pure function — takes either a session path or a raw object — so it's testable in isolation and the same code path can be embedded in future doctor checks. Wired as `npm run session:playback -- <path>` and as the `dist/heart/session-playback-cli-main.js` entry. 7 tests cover the four envelope shapes (clean legacy, with stripped think, with orphan tool result, unrecognized) plus the two CLI flag paths."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.498",
+      "changes": [
+        "Heartbeat / habit recursion detection in the inner-dialog worker. The existing instinct cap (`MAX_CONSECUTIVE_INSTINCT_TURNS=3`) protects against the *internal* pending-dir self-loop (a turn writes back to its own pending dir, drains it, repeats). It does not protect against the *external* IPC self-loop where heartbeat-shaped messages get re-issued faster than their cadence — e.g. a hook misconfigured to repost on every heartbeat, a daemon retry storm, or two timers drifting into the same window.",
+        "Two new warn-level nerve events: `senses.habit_recursion_suspected` fires when two of the same habit (e.g. `heartbeat`) arrive within `HABIT_RECURSION_MIN_INTERVAL_MS` (5s) — no realistic cadence runs that fast. `senses.habit_recursion_burst` fires when `HABIT_RECURSION_BURST_THRESHOLD` (5) or more habit messages of any kind land within `HABIT_RECURSION_BURST_WINDOW_MS` (60s) — catches slower runaways that stay just under the min-interval threshold.",
+        "Detection is observation-only by design: it emits the warn signal so an operator (or a follow-up auto-recovery layer) can act on it. The message is not dropped — the signal is the value. Per-habit-name tracking, so two distinct habits firing close together don't trip the min-interval warning. `nowSource` is injectable via the `createInnerDialogWorker` factory for deterministic tests. 5 new tests cover both detectors plus the trim-window and per-habit isolation cases."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.497",
+      "changes": [
+        "Mail thread reconstruction + tool rename. The previous `mail_thread` tool was misleadingly named — it returned ONE message body, not a thread. Renamed to `mail_body`. The new actual conversation walker now owns the canonical name `mail_thread`. Existing tests, audit-log strings, and CLI guidance updated to match.",
+        "Header capture: `PrivateMailEnvelope` carries optional `inReplyTo` and `references` fields, populated at `buildStoredMailMessage` time from RFC822 headers. Existing messages without these headers are unaffected. `mail_thread` walks the thread from any seed message (storage id or RFC822 `<message-id@host>`): ancestors via `In-Reply-To`/`References`, descendants by reverse-edges across the recent message pool (default 200, configurable 20-500, scoped native/delegated/all), assigns true reply-chain depth via topological longest-path, and renders chronologically with depth-indented summaries. Bodies not included — `mail_body` opens one message.",
+        "Pure thread-walker (`src/mailroom/thread.ts`) is testable without the filesystem: 7 unit tests cover mid-thread seed (walks both directions), seed by RFC822 message-id when storage id doesn't match, References-only (no In-Reply-To, common in list mailers), unrelated-message exclusion, empty/whitespace defensiveness. Plus 3 new tool-level tests for `mail_thread` (multi-message reconstruction, untrusted refusal, delegated-trust block). Tool registry stays at 75 (rename, not addition). All 194 mailroom tests pass."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.496",
+      "changes": [
+        "New `Lifecycle` category in `ouro doctor` (`src/heart/daemon/doctor.ts:checkLifecycle`). Reads daemon.ndjson from the first available agent bundle and surfaces operator-relevant signal: last activity timestamp + age (warns if older than 5 minutes — daemon may be silent or stopped), daemon restart count in the last hour (warns if >3 — high churn), recent version-install events with installed versions, and any agent_process_error events with reason. Designed to answer the operator's question after the daemon goes silent: 'did it crash? when did it last do anything? did it just upgrade?' This session's daemon went silent at 04:30 UTC with no easy way to diagnose; the new check would have surfaced 'last event 18m ago — daemon may be silent or stopped' immediately. Tail-reads only the last 5000 log lines so doctor stays snappy on chatty daemons. 13 new tests covering recent activity, restart counts, install events, agent_process_error, age formatting, log truncation, and edge cases (malformed JSON, missing meta fields, missing log file, read failure)."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.495",
+      "changes": [
+        "New regression bundle at `src/__tests__/heart/provider-replay-regressions.test.ts` that captures provider replay-rejection bug shapes in one place — documentation-as-test. Each entry cites the PR that fixed the shape and the runbook entry; future debuggers seeing a 4xx from a provider on what looks like a valid turn can grep this file first to see if the shape was already encountered. Currently bundles the MiniMax-M2.7 inline-`<think>`-plus-tool_calls case (#612), the reused-tool_call_id-misordered-after-pruning case (#613), and a cross-reference stub for the event-id collision class (covered separately in session-events.test.ts). Also documents the contribution pattern: capture the failing shape, write the test BEFORE the fix, land the fix, verify the test passes, cite the PR. Linked from `docs/known-issues-and-recovery.md` so operators triaging a similar bug land on the test bundle by default."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.494",
+      "changes": [
+        "Bump default Azure Blob operation timeout from 20s to 60s. Slugger's HEY-corpus validation against the booking-aware ranking from #608 surfaced a real issue: ranking and metadata are clean, but body fetches for targeted retrieval (`mail_thread`-style 'open this specific message') were timing out on real-world mail bodies. HEY mail with HTML-heavy booking confirmations regularly exceed the 20s ceiling on cold reads from Azure Blob. 60s with 2 attempts gives 120s max wait, which matches Azure's actual cold-read SLA for few-MB blobs while still bounding total wait. Index reads still fit comfortably in this budget. Existing test fixture for the timeout error message updated."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.493",
+      "changes": [
+        "Position-aware orphan-tool-result detection in `repairToolCallSequences`. Slugger's session was STILL hitting MiniMax error 2013 even after the alpha.492 inline-reasoning strip landed because the orphan check was global (a tool result was kept if its tool_call_id appeared in ANY assistant message in the conversation, regardless of order). After session pruning, a synthetic tool-result for a long-pruned tool_call ended up at sequence 86 referencing `call_function_utqogadgqp5h_1` while the assistant message that defined that id lived at sequence 88 — AFTER the tool result. MiniMax requires tool results to follow their matching assistant. The fix walks the conversation in order, tracking tool_call_ids only as they're encountered in assistant messages; tool results referencing ids that haven't been defined yet are removed. Regression test reproduces the exact misordered shape and asserts the misplaced tool result is dropped while the correctly-ordered one survives. This is the third and final layer of the empty-reply chain (#611 stripped the operator surface, #612 stripped the persisted content + load-time repair, #493 fixes orphan-detection ordering)."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.492",
+      "changes": [
+        "Engine-level fix for the actual root cause of Slugger's empty-reply MCP bug (PR #611's strip+retry was the right shape, but missed the deepest layer). MiniMax-M2.7 occasionally emits an assistant message with BOTH inline `<think>...</think>` reasoning AND tool_calls. When that combination is replayed in a subsequent turn, MiniMax rejects with error 2013 ('tool result's tool id not found') and stalls the entire session — every subsequent turn fails the same way, the failover layer fires repeatedly suggesting a provider switch, and the agent's own answer never reaches the operator. Slugger's session was stuck for 11 unanswered user messages because of this exact loop.",
+        "The fix has two halves and an AX rule: (1) **Persist-time strip** — runAgent now strips `<think>` blocks from the assistant message's persisted `content` before saving, while preserving the original reasoning trace on `_inline_reasoning` for audit. New `engine.inline_reasoning_stripped` info-level nerve event fires when this happens. (2) **Load-time repair** — `sanitizeProviderMessages` self-heals existing sessions that were saved before (1) by stripping the same blocks at load time. (3) **AX rule: full agent awareness, no silent fixes**. When the load-time repair runs, the synthetic tool-result that fills in for the missing tool result is an **explanatory** one — it tells the agent specifically: \"your previous tool call's result was lost because the assistant message had inline reasoning blocks the provider rejected; the harness has stripped them; your reasoning trace is preserved out-of-band; if the work needs to be done, retry the tool call now.\" Tool calls whose parent didn't have stripped reasoning still get a generic-but-improved \"this tool call's result was lost — possible causes [...]; retry if needed\" message instead of the old vague \"interrupted (previous turn timed out)\" line. The agent always sees what happened and what to do next.",
+        "Also: the no-tool-call retry path (added in #611's last commit) now uses the same shared `stripThinkBlocksForViolationCheck` helper so the violation-detection logic is consistent. Three regression tests cover the full path: persist-time strip preserves `_inline_reasoning`, load-time repair produces the explanatory tool-result message, generic orphans get the generic message, and unclosed `<think>` tags drop everything from the open tag onward."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.491",
+      "changes": [
+        "Two live-runtime bugs Slugger surfaced during MCP roundtrip: (1) MCP `send_message` returned blank or raw `<think>` content instead of an actual reply when minimax-style models emitted only reasoning. The shared-turn runner now strips closed AND unclosed `<think>...</think>` blocks before returning, and when nothing remains it returns a clear diagnostic (`agent produced reasoning but no final answer this turn — try again`) plus emits a `senses.shared_turn_only_reasoning` warn-level nerve event so operators can see how often it's happening. (2) The `rest` tool's fresh-pending-work gate fired on every rest call within a turn because `hasFreshPendingWork(options)` reads from the turn-start snapshot of `pendingMessages` and never updates — once pending was non-empty, the agent could be told 'fresh work arrived' indefinitely even after surfacing or processing the items. The gate is now once-per-turn: the first rest call hits it, gets the message, the agent does whatever it needs, the next rest call passes. Emits `engine.fresh_work_gate_fired` info-level event the one time it fires. Both bugs reproduced as regression tests that fail without the fix.",
+        "New `trip_update_leg` tool to round out the trip ledger. The original Step 4 followup on substrate#35 listed `trip_ensure / trip_get / trip_update_leg / trip_attach_evidence` — the previous PR (#609) shipped `trip_upsert` instead of `trip_update_leg`, which forced the agent to re-emit the entire trip record to change one leg field. `trip_update_leg` updates specific fields of an existing leg in place: pass `tripId`, `legId`, a JSON object of field updates, and `updatedAt`. Identity-changing updates (`legId`, `kind`) and empty updates objects are rejected with operational error messages. Existing evidence is preserved unless the agent explicitly overwrites it. Emits a `trips.leg_updated` nerve event with the field list. Tool registry now at 74 tools (up from 73).",
+        "New `docs/trip-ledger.md` covering what the ledger actually is, why Slugger said it needed to exist (gap between mail body and travel doc — no authoritative source for cross-checks), the discriminated TripLeg union (lodging / flight / train / ground-transport / rental-car / ferry / event), the non-optional TripEvidence shape with `discoveryMethod`, the trust shape (per-agent keys, private key returned exactly once, hosted side never sees plaintext), the seven harness tools, on-disk layout for both harness and hosted sides, and an explicit answer to 'is this travel-specific or generalizable infra?' (current shape is travel-specific by design; the *pattern* is general and would be lifted to a shared abstraction the next time we build a per-agent encrypted record service)."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.490",
+      "changes": [
+        "BlueBubbles group echo self-talk fix. The BB ingest path previously relied solely on the payload's `isFromMe` flag to detect the agent's own outbound messages — but in groups, BlueBubbles sometimes broadcasts the echo back through the webhook with that flag missing or false. Without a fallback, the agent would ingest its own message and reply to it (the user reported this in a group with their friend Rach: 'Slugger talking to himself'). New `bluebubbles.ownHandles` config field accepts the agent's known iMessage handles (phone numbers in any formatting, or email addresses); a fallback guard at the head of `handleBlueBubblesNormalizedEvent` filters any event whose `sender.externalId` matches a configured handle (case-insensitive, with phone-number normalization across +/space/paren/dash differences) and emits a `senses.bluebubbles_self_handle_filtered` warn-level nerve event so the case is observable. Direct chats are unaffected (their echoes already carry `isFromMe: true` reliably). Also folds in three trivial cleanups surfaced by the full-system audit: removed a stray `# Production SPA serving` heading from the README, removed a vestigial `// getPhrases removed` comment in bluebubbles/index.ts, and removed two unreachable `throw new Error('unreachable')` statements after `process.exit(1)` in heart/core.ts (process.exit returns `never` so TS already knows control doesn't continue)."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.489",
+      "changes": [
+        "Trip ledger Step 4 — harness-side trip tools land. Six new tools (`trip_ensure_ledger`, `trip_status`, `trip_get`, `trip_upsert`, `trip_attach_evidence`, `trip_new_id`) give the agent a private, encrypted, per-agent travel ledger backed by an RSA-OAEP-SHA256 + AES-256-GCM envelope. Ledger keypair lives at `state/trips/ledger.json`; encrypted records persist under `state/trips/records/<tripId>.json`. Tools are gated behind the same trust check as other private surfaces (only available to trusted callers) and validate `TripRecord` / `TripEvidence` shape before persisting. Vendor-copies the substrate trip-control types so the harness has no runtime dependency on a hosted ledger service yet, while keeping the on-disk format compatible for future migration."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.488",
+      "changes": [
+        "BlueBubbles group chats stay fully silent on `observe` turns. The engine emits `onToolStart(\"observe\")` / `onToolEnd(\"observe\")` even when the resulting outcome is `observed` (no reply), and the BlueBubbles adapter previously treated every tool start as reply commitment — so groups would briefly show typing or mark-read before the silent path completed. Both callbacks now short-circuit for `observe`: no startTypingNow, no toolCallbacks dispatch, just an observability event. Real reply-commit semantics (typing, mark-read, status messages on real tools) are preserved. Regression test reproduces the real callback sequence from the engine and asserts the lane stays quiet."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.486",
+      "changes": [
+        "Mail convergence pass 1-5 hardens hosted-mail truth surfaces under live HEY ingest: import truth + audit resilience, accurate archive freshness and identity surfaces, sharper recovery and archive truth, delegated search resilience, and natural anchor-list retrieval; imported archive content is now searched on parsed message text rather than raw archive bytes so quoted-printable / HTML-heavy booking mail is reachable.",
+        "`mail_search` now ranks by booking-aware relevance instead of pure recency. Score signals weight query-term hits by field (subject +6 / from +4 / body +2), booking-intent tokens (`booking confirmation`, `your stay`, e-ticket, etc.), confirmation-number-shaped tokens, currency amounts, and known travel-sender domains; recency stays as a tiebreaker. Recall is unchanged — noise still appears in results, just below the decisive message. Each rendered result also surfaces a `matched on:` line listing fields, booking signals, status (confirmed / cancelled / changed / refunded / etc.), confirmation token, amount, dates, attachment count, and sender hint, so the agent can triage without paying for a body open.",
+        "BlueBubbles sense no longer sticks in `error` status when a single message is permanently unrecoverable. `upstreamStatus` now tracks upstream health and pending work only — per-cycle recovery failures stay informational in `detail` for transparency without contradicting `ouro doctor`'s healthy verdict, so a malformed payload that fails repairEvent on every retry can no longer brick the visible sense state until operator intervention.",
+        "Heart streaming caps oversized Responses-API `function_call_output` history items both when rebuilding provider input from session history and when appending fresh tool output mid-turn, preventing a giant tool result on resume from blowing the model context."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.485",
+      "changes": [
+        "Session JSON storage no longer accumulates duplicate event ids when two writers race for the same session — `parseSessionEnvelope` now dedupes on read (last-occurrence-wins) so existing corrupted sessions self-heal on the next save, `buildCanonicalSessionEnvelope` assigns the next sequence as `max(existing) + 1` instead of `events.length + 1` so pruning gaps cannot collide, and `deferPostTurnPersist` serializes per-`sessPath` through an in-process queue so concurrent BlueBubbles webhooks for the same chat (or CLI postTurn racing the inner-dialog turn for the same MCP session) cannot interleave their writes.",
+        "Auto-created BlueBubbles group friends are now marked with a `notes.autoCreatedGroup` flag at resolver time, and the trust gate's family-member bypass surfaces a one-time inner-pending notice the first time messages route through an unacknowledged stranger-trust group so the agent can label, rename, or dismiss the relationship before activity accumulates invisibly.",
+        "Inner-dialog worker now caps consecutive `instinct` follow-on turns at `MAX_CONSECUTIVE_INSTINCT_TURNS = 3` to break self-sustaining loops where a tool that writes to the inner-dialog pending dir during a turn would otherwise re-fire the worker indefinitely; externally-queued messages reset the counter so legitimate cascading follow-ups still run, and a new `senses.inner_dialog_worker_instinct_loop_capped` event surfaces when the cap fires."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.484",
+      "changes": [
+        "Agent-driven failover (the `switch to <provider>` reply path) now re-pings the candidate provider before mutating provider readiness. If credentials are missing or the ping fails, the active lane is left untouched, a `senses.failover_switch_refused` event is emitted, and the agent receives an operational refusal context message naming the lane it is still standing on plus the verified alternatives that remain so the next turn does not re-enter discovery mode."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.483",
+      "changes": [
+        "`ouro mail import-mbox --discover` can now find HEY exports downloaded through the browser MCP sandbox as well as `~/Downloads`, so delegated backfill no longer depends on a human hand-copying Playwright-normalized `.mbox` paths.",
+        "Inner-dialog truth surfaces now strip synthetic timestamp noise and understand live v2 session envelopes, which makes `ouro inner`, `ouro thoughts`, and shared-work status checks report the real recent state instead of stale or empty transcript tails.",
+        "Ouro Mailbox is now the human-facing name for the read-only mailbox surface, and stale dead coding lanes no longer masquerade as live return-ready work inside Mailbox obligation and needs-me views while the `ouro.bot` wrapper stays version-synced for the release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.482",
+      "changes": [
+        "Tracked mail imports and hosted mail index repairs now queue completion and failure notices into the live MCP session when one exists, so `check_response` learns about background mail work immediately instead of silently showing no pending messages.",
+        "When no MCP session is live, background mail-operation notices now fall back cleanly to the freshest non-blocked outward session instead of depending on inner-dialog-only wakeups.",
+        "Hosted Blob duplicate checks now treat unreadable already-existing message blobs as degraded duplicates during import reruns, preventing large delegated HEY archive backfills from crashing on a transient duplicate-read timeout while keeping the `ouro.bot` wrapper version-synced for the release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.481",
+      "changes": [
+        "Hosted Blob message downloads now retry once on transient timeout or socket-close failures, so rerunning a delegated HEY archive import does not die on the first flaky duplicate-check read.",
+        "Azure Blob mail-store coverage now locks the real duplicate-dedupe retry path that failed in production, keeping historical import reruns resilient while preserving bounded timeout behavior for genuinely stalled blobs.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper stay version-synced for the hosted mail import retry hardening release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.480",
+      "changes": [
+        "`ouro mail import-mbox` and `ouro mail backfill-indexes` now launch as durable background operations by default, so large delegated-mail imports and hosted index repairs no longer block ordinary conversation.",
+        "Mail background jobs now persist queued/running/succeeded/failed state with progress, show up in `query_active_work`, and wake the agent immediately on completion or failure with actionable remediation context.",
+        "The background-operation runtime and CLI lifecycle are covered back to a restored 100% statements/branches/functions/lines gate, including detached background spawn defaults, malformed persisted records, and non-Error failure paths."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.479",
+      "changes": [
+        "Hosted Outlook mailbox reads now stay on the visible recent slice instead of requesting 500 full hosted messages, so Slugger's live mailbox can load again after the large HEY archive import.",
+        "Hosted Blob mail reads and index backfills now use bounded fan-out plus per-blob timeouts, which keeps large Azure Blob sweeps from hanging forever when one request stalls.",
+        "Ouro Outlook now treats missing old private mail keys as recovery state instead of a full mailbox outage: readable mail still renders, undecryptable counts surface in recovery, and the wrapper stays version-synced for the hosted mail stability release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.478",
+      "changes": [
+        "`ouro mail backfill-indexes` now refreshes vault runtime credentials before resolving the hosted Mailroom reader, so the one-shot index repair works in a fresh CLI process instead of falsely reporting `runtime/config` missing.",
+        "Backfill CLI coverage now locks both the runtime-refresh path and the real failure shape, preventing future hosted-mail repair releases from depending on warmed in-process config caches.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper stay version-synced for the hosted mail index-repair follow-up."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.477",
+      "changes": [
+        "Hosted Mailroom reads now use per-agent message index blobs, so MCP mail tools and Outlook stop crawling the entire hosted mailbox just to load recent mail.",
+        "Legacy hosted mailboxes can rebuild missing message indexes without reimporting mail, and duplicate or placement-update paths now repair index drift automatically.",
+        "Mail source filtering is now case-insensitive across blob and file mail stores, which keeps delegated-source reads resilient to older mixed-case source labels while the runtime and `ouro.bot` wrapper stay version-synced for the hosted-mail read repair."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.476",
+      "changes": [
+        "`ouro mail import-mbox` now works against hosted Mailroom config by reading public registry coordinates from the owning agent vault instead of requiring local-only registry and store paths.",
+        "Delegated HEY archive imports now stream large local MBOX files into encrypted Mailroom storage with per-message dedupe, so multi-gigabyte hosted backfills can resume safely after interruption.",
+        "Agent Mail docs now teach linked HEY accounts as separate export and forwarding feeders even under one browser login, while keeping one delegated-source provenance lens for the agent."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.475",
+      "changes": [
+        "Native mail autonomy now counts recently submitted provider-backed sends against the rate window immediately, so Azure Communication Services deliveries cannot slip past the autonomous send limit while delivery events are still pending.",
+        "Mail autonomy coverage now locks the submitted-provider case explicitly, preventing back-to-back autonomous sends from bypassing policy before provider reconciliation arrives.",
+        "The `ouro.bot` wrapper stays version-synced for the mail autonomy rate-limit repair release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.474",
+      "changes": [
+        "DNS workflow planning now handles duplicate-capable records safely by matching exact type/name/content identity before singleton replacement, so adding an ACS apex TXT verification record cannot rewrite unrelated Google, Microsoft, or SPF TXT records.",
+        "DNS rollback planning can now delete only the extra allowlisted duplicate record that was not present in the backup while preserving sibling TXT records with the same name.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the DNS duplicate-record safety release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.473",
+      "changes": [
+        "`mail_send` now resolves Azure Communication Services outbound provider clients from explicit generic vault-item bindings, so production ACS sends can leave the agent mailbox after `CONFIRM_SEND` without parsing vault notes.",
+        "Outbound provider bindings now require an explicit credential item and secret field for ACS access keys, with tests covering missing, blank, malformed, non-object, and legacy-shaped vault payloads without leaking secret values.",
+        "The `ouro.bot` wrapper stays version-synced for the outbound provider-client release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.472",
+      "changes": [
+        "Mail tools now stay usable when a visible message was encrypted to a missing old private key: `mail_recent`, `mail_search`, and `mail_thread` skip or explain only the undecryptable record with body-safe message/key ids.",
+        "Agent Mail recovery docs now distinguish restoring an old private key from hosted key rotation, so future agents do not repeatedly rotate when only an already-lost message is affected."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.471",
+      "changes": [
+        "`ouro account ensure` and `ouro connect mail` can now repair hosted Mail Control registry/vault drift with `--rotate-missing-mail-keys`, storing freshly returned one-time private keys in the owning agent vault without printing them.",
+        "Hosted Mail setup now detects missing private key material before writing partial runtime config, rotates only the missing native mailbox and/or delegated source keys, and preserves source separation for native agent mail versus delegated human mail.",
+        "Agent Mail setup and recovery docs now teach hosted key rotation explicitly, including that rotation repairs future mail access but cannot decrypt mail already encrypted to a lost private key."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.470",
+      "changes": [
+        "Agent Mail native sending now enforces autonomy policy, confirmation fallback, recipient/rate limits, delegated send-as-human refusal, audit records, and kill switch state.",
+        "Outbound Mail now records provider submission and delivery state through ACS/Event Grid while keeping status summaries and Outlook audit output body-safe.",
+        "Mail recovery docs and `ouro doctor` now check mailbox identity, vault-held mail keys, hosted Blob reader coordinates, and autonomy kill switch state without treating generic vault item notes as machine contracts."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.469",
+      "changes": [
+        "Delegated HEY MBOX imports now preserve archive freshness/provenance, use message dates when present, suppress historical Screener wakeups, and show `source fresh through` in `ouro mail import-mbox` output.",
+        "Agent Mail setup docs and source-state helpers now orient Slugger to drive browser automation while the human handles HEY login/MFA/export/forwarding confirmation, including recovery for wrong forwarding targets such as `slugger@ouro.bot`.",
+        "Delegated source setup state now emits body-safe Nerves events, and coverage locks the source-state, MBOX import, CLI freshness fallback, and Mailroom ingest provenance branches."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.468",
+      "changes": [
+        "Published package binary smoke checks now retry transient npm registry/network failures such as `ECONNRESET`, so a successful publish is not left red by one aborted `npm exec` fetch.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the release-smoke retry hardening release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.467",
+      "changes": [
+        "`ouro dns certificate` can now retrieve the TLS bundle named by a DNS workflow binding and store it as an ordinary workflow-managed vault item without printing private key material.",
+        "DNS workflow bindings now reject unknown certificate sources instead of silently treating typos as Porkbun SSL, while preserving the future `acme-dns-01` shape as an explicit not-yet-implemented source.",
+        "Porkbun record verification now ignores the provider's default priority zero on non-MX records while still treating real MX priority drift as a planned update."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.466",
+      "changes": [
+        "`ouro vault item set/status/list` is now the generic human-facing path for storing ordinary agent-owned vault items with hidden secret fields, optional public fields, freeform notes, metadata-only status/list output, and no assumed provider semantics.",
+        "`ouro vault ops porkbun` remains as a deprecated compatibility alias over ordinary vault items, while docs and help teach vault item -> managed workflow -> non-secret binding instead of treating Porkbun, DNS, or ops credentials as separate credential species.",
+        "Vault item guardrails now keep harness-managed provider/runtime items on `ouro auth`, `ouro connect`, and `ouro vault config`, and coverage locks no-secret logging, notes-as-orientation, reserved item errors, compatibility behavior, and 100% branch coverage for the new surface."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.465",
+      "changes": [
+        "`ouro vault ops porkbun set` now stores account-scoped Porkbun API credentials in the owning agent vault through hidden prompts, outside the connect bay and runtime/config.",
+        "Porkbun ops credentials are named by their true authority boundary at `ops/registrars/porkbun/accounts/<account>`, so multiple Porkbun accounts can coexist and domain allowlists remain separate.",
+        "Auth/provider docs now clarify that `ouro connect` is only for harness-managed capabilities, while registrar and deployment credentials belong in explicit `ops/...` vault items."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.464",
+      "changes": [
+        "Agent Mail prompt guidance now tells agents to answer empty-mail hypotheticals directly before discussing current mailbox state.",
+        "Agents are explicitly told not to replace golden-path answers with current access logs, diagnostics, or claims that setup is already working unless the human separately asks for current state.",
+        "Prompt tests lock the empty-Mailroom question discipline so Slugger keeps the HEY onboarding/travel-mail validation conversation oriented."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.463",
+      "changes": [
+        "Agent Mail golden-path guidance now gives agents a stricter answer shape: if Ari asks for golden paths, the answer is only the four product paths, not a diagnostic checklist.",
+        "Supporting mail diagnostics are now described as evidence inside golden paths instead of a competing list, preventing agents from naming `ouro status`, `ouro doctor`, or mail tools as the validation story.",
+        "Empty Mailroom output now repeats that golden-path questions should not be answered with command names, tool names, or status checks."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.462",
+      "changes": [
+        "Agent Mail prompt guidance now explicitly separates golden paths from supporting diagnostics, so agents do not answer a golden-path question with `ouro status`, `ouro doctor`, or mail tool names.",
+        "The golden-path contract now appears before diagnostic checks in the sense guidance, making HEY-to-work-object, native Screener mail, cross-sense reaction, and Outlook audit the dominant validation story.",
+        "Empty Mailroom tool output now says diagnostics help verify the four golden paths but are not substitutes for them."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.461",
+      "changes": [
+        "Agent Mail golden paths are now an explicit numbered system-prompt contract, so agents can name and validate HEY archive import, native Screener mail, cross-sense reaction, and Ouro Outlook audit instead of collapsing them into generic diagnostics.",
+        "Empty Mailroom tool guidance now repeats that same four-path checklist before claiming setup works, including the HEY-to-work-object path that catches unimported travel mail.",
+        "Prompt and Mailroom tests now lock the canonical golden-path language so future agents keep the setup conversation oriented without asking the human to remember the checklist."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.460",
+      "changes": [
+        "Mail read tools now distinguish an unpopulated Mailroom store from a real empty inbox: `mail_recent` and `mail_search` tell the agent when no mail has been imported or received yet instead of returning a bare `No matching mail.`",
+        "Empty delegated HEY/source reads now surface the configured source alias, explain that absence is onboarding/import/forwarding state rather than evidence about the human's inbox, and point the agent back to the agent-run setup/import flow.",
+        "The system prompt now carries the empty-Mailroom invariant plus the four Agent Mail golden paths, so agents know to validate HEY import, native Screener mail, cross-sense reaction, and Ouro Outlook audit without asking the human to remember the checklist."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.459",
+      "changes": [
+        "`ouro connect bluebubbles` now applies a machine-local attachment to a running daemon by recycling Ouro once after the vault and bundle update, so the webhook listener starts immediately instead of requiring a manual `ouro down && ouro up` discovery step.",
+        "`ouro status` and daemon health now probe the BlueBubbles listener declared in the agent's machine-local vault config, including non-default webhook ports, instead of reporting stale health against the default port.",
+        "BlueBubbles setup docs now state the live-apply behavior directly, and daemon coverage locks the dynamic sense-health probe plus running-daemon connect path."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.458",
+      "changes": [
+        "Agent Mail setup guidance now explicitly forbids telling the human to run setup CLI commands; the agent must run `ouro account ensure`, `ouro connect mail`, `ouro mail import-mbox`, `ouro status`, and `ouro doctor` itself when doing setup.",
+        "If the agent's current surface cannot run shell/tools, the setup contract now says to move to a tool-capable Ouro setup session or companion instead of offloading CLI operation to the human.",
+        "Prompt and runbook contract tests now cover the live failure mode where the agent says it owns setup but still asks Ari to run `ouro connect mail`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.457",
+      "changes": [
+        "Agent Mail setup is now explicitly agent-guided in the system prompt and runbook: when a human asks an agent to set up email, the agent should lead the flow, run agent-runnable commands itself, ask only for human-required browser/file/confirmation steps, and verify each step before continuing.",
+        "`ouro account ensure` and `ouro connect mail` now accept non-interactive mail source flags (`--owner-email`, `--source`, and `--no-delegated-source`), so an agent can provision Mailroom after collecting the needed human answer instead of relying on an interactive prompt.",
+        "Mailroom repair and setup guidance now labels repair as agent-runnable, avoids the false `ouro doctor --agent` path, and keeps HEY MBOX import as an agent-run command after the human provides the browser-exported file path."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.456",
+      "changes": [
+        "Ouro Outlook session transcripts now respect the reader's scroll position during live refresh: if a human has scrolled up to inspect older iMessage/Teams/CLI history, background transcript updates no longer yank the pane back to the bottom.",
+        "Open transcripts no longer insert a transient loading row over already-rendered messages during refresh, removing the visible stutter that made long iMessage transcripts feel unstable.",
+        "Inner-dialog transcript panes now use the same bottom-stickiness behavior, so loading earlier messages or jumping to landmarks does not immediately undo the user's navigation."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.455",
+      "changes": [
+        "Agent Mail now has a complete all-agent onboarding runbook around `ouro account ensure --agent <agent>`, including native `@ouro.bot` mailbox setup, optional delegated human-mail aliases, vault-coupled private keys, bundle-local encrypted Mailroom state, HEY MBOX import, live forwarding boundaries, and golden-path verification.",
+        "Screener decisions now persist family-authorized sender policies for discard and quarantine as well as allow decisions, so future mail from a discarded sender goes directly to the retained recovery drawer instead of repeatedly interrupting the agent.",
+        "The system prompt now points agents at `docs/agent-mail-setup.md` and distinguishes full work-substrate account setup from mail-only repair/provisioning, while docs contract coverage locks the native-vs-delegated trust model, recovery semantics, human-only DNS/HEY/MX gates, confirmed outbound sends, and Ouro Outlook audit expectations."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.454",
+      "changes": [
+        "The agent system prompt now carries an explicit Agent Mail setup runbook: Mailroom provisioning uses `ouro connect mail`, HEY archive bootstrap uses human-exported MBOX plus `ouro mail import-mbox`, and verification uses status, doctor, bounded mail tools, and the read-only Outlook mailbox.",
+        "Mail setup guidance now forbids invented paths such as HEY OAuth/IMAP, `ouro auth verify --provider mail`, `ouro mcp call mail ...`, ad hoc policy flags, autonomous sending, destructive mail actions, and production MX/DNS/forwarding changes without explicit human confirmation.",
+        "`docs/agent-mail-setup.md` now names the non-implementation paths directly so future agents can distinguish the shipped Mailroom flow from plausible-but-false mail-provider guesses."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.453",
+      "changes": [
+        "`ouro logs prune` now rotates oversized active launchd `.log` streams alongside `.ndjson` daemon streams, so doctor's bundle-local log-size remediation can compact the legacy stderr/stdout files it counts.",
+        "Log pruning still skips compressed and historical generation files, keeping rotation safe and idempotent while letting `rotateIfNeeded` handle generation shifting.",
+        "Regression coverage now locks `.log` pruning and the historical-file skip behavior for daemon logs."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.452",
+      "changes": [
+        "`ouro doctor` now checks the canonical bundle-local daemon log directory for each agent instead of the obsolete `~/.ouro-cli/logs` path.",
+        "Disk health output now names the owning agent for daemon log-size checks, so humans and agents can connect the warning directly to the right bundle and `ouro logs prune` target.",
+        "Doctor coverage now locks the bundle-local log path, missing-log-dir warning, and per-agent log-size thresholds."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.451",
+      "changes": [
+        "Agent Mail is now a first-class sense: agent identity, prompt truth, status/doctor surfaces, friend channel capabilities, and the base tool registry all understand `mail` alongside CLI, Teams, and BlueBubbles.",
+        "`ouro connect mail --agent <agent>` provisions a vault-coupled Mailroom identity with private mail keys stored in the agent vault, a non-secret bundle registry, a canonical `@ouro.bot` mailbox, and delegated source aliases such as HEY shadow imbox addresses.",
+        "The Mailroom substrate can accept SMTP, screen unknown recipients, import MBOX exports, store encrypted message/raw payloads in file or Azure Blob backends, and expose bounded read/audit tools for agents to read mail as mail."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.450",
+      "changes": [
+        "`ouro connect` now finishes its connection-check progress with neutral `checked` language instead of saying the whole check is `ready` when one selected provider just reported trouble.",
+        "The connection menu remains the authority for what needs attention: provider rows can show the real live-check failure while the progress line simply says the current connection scan completed.",
+        "A regression test now locks this copy truth in place for the failed-live-check root connect path."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.449",
+      "changes": [
+        "`ouro connect` now uses a bounded live provider probe before opening the connection menu: it still checks the real selected providers, but it makes one orientation attempt with a 5-second hard timeout instead of spending the full startup retry budget before the human can choose a setup path.",
+        "Provider ping timeouts are now hard timeouts even when an SDK ignores the abort signal. The failing attempt is classified through the same shared retry machinery and reports a clear `provider ping timed out after <ms>ms` message instead of leaving the CLI stuck behind a blinking cursor.",
+        "Root connect provider checks no longer overwrite durable provider readiness. A quick menu probe can show `needs attention` for the current screen, while `ouro up`, `ouro check`, auth verification, and chat startup remain the flows that record lasting ready/failed provider readiness."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.448",
+      "changes": [
+        "`ouro status` and agent prompt provider visibility now distinguish \"the daemon has not loaded provider credentials in this process\" from \"the agent vault is missing credentials.\" A saved live check that passed stays ready instead of being downgraded to stale/missing just because status rendering is running in a fresh daemon process.",
+        "Provider visibility now carries a safe `not-loaded` credential state and renders it as `checked previously`, preserving the last live-check result without reading or printing secrets during ordinary status/prompt rendering.",
+        "Regression coverage locks the installed-product failure shape: an empty in-process provider cache plus ready provider readiness no longer produces misleading auth repair guidance."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.447",
+      "changes": [
+        "`ouro connect` now checks only the providers selected for the current agent lanes during preflight, and those live reads avoid mutating the older provider snapshot cache. That keeps the command focused on what this machine actually needs instead of paying whole-vault latency for unrelated provider records.",
+        "Structured vault reads for `providers/*` and `runtime/config` now reuse one short-lived Bitwarden item listing per store instance and skip redundant `bw sync` calls while the local Bitwarden cache is fresh, cutting repeated vault startup work without adding any disk credential cache.",
+        "The connections screen now lets the fresh live provider check outrank stale local credential visibility, so a provider that just passed appears ready and a provider that just failed shows the real live-check failure instead of falling back to misleading `credentials missing` guidance. `@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the connect preflight latency release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.446",
+      "changes": [
+        "`ouro connect`, the home deck, readiness repair prompts, and the interactive repair queue now render through one shared wizard language instead of a mix of framed panels and transcript walls. Humans can choose by number or name, see one recommended next step, and keep the same visual footing across setup and repair.",
+        "Connector, auth, vault, hatch, and other info-heavy command flows now use a matching guide surface with the same Ouro masthead, ruled sections, and `Next moves` treatment, so the CLI stops jumping between unrelated visual grammars as soon as a command leaves the root menu.",
+        "The new surfaces stay truthful to the underlying work: connect still runs the shared live provider verification path before rendering, repair prompts surface the real next command without dead air, and new renderer plus command-layer coverage lock the wizard/guide family into the shipped CLI."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.445",
+      "changes": [
+        "`ouro up` no longer smears old lines across the screen when the live frame shrinks. The boot checklist and daemon-start polling now share one overwrite primitive, so long waits keep breathing without duplicating the masthead or leaving stale rows behind.",
+        "`ouro status` is back to being a compact runtime cockpit instead of a generic wizard board. The TTY command now routes through the dense status deck again, so operators get the fast, scannable view they actually need.",
+        "The boot surface itself is lighter and truer: the masthead only uses the wide wordmark when it really fits, the checklist stays in plan order while a middle step is active, and the current-work panel now reads like a real boot sequencer instead of a stack of `Overview` cards."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.444",
+      "changes": [
+        "`ouro up` now treats daemon startup as one truthful boot story across fresh starts and daemon replacement: both paths wait on the same current-boot readiness check, keep narrating real progress while the background service warms up, and stop calling startup done just because one quick socket probe answered.",
+        "Slow real-world boots now get more patience and better visibility. The default startup timeout was extended to 60 seconds, the boot checklist keeps printing live startup detail instead of stalling on a blinking cursor, and replacement boot failures now land as a failed `starting daemon` step with plain-language diagnosis.",
+        "Startup failures now behave like failures to the shell as well as to the human: `ouro up` sets a non-zero exit code when daemon boot does not finish, and `ouro logs` is wired into the installed CLI again so the recovery path it points to actually opens the live daemon/agent log tail."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.443",
+      "changes": [
+        "`ouro up` now renders as a real boot checklist instead of a loose progress wall: the screen shows the full startup path up front, marks what is running now, and keeps pending steps visible so humans can see where Ouro is in the bring-up flow.",
+        "Provider checks during startup now narrate the providers each selected lane is actually using, translate noisy vault chatter into plain language, and keep the live-check copy truthful instead of implying that every configured provider was checked.",
+        "`ouro up` no longer reports success just because the daemon answered once during startup. Before handing control back, Ouro now performs one final daemon-status handoff check and fails with a clear diagnosis if the background service stopped before boot actually finished."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.442",
+      "changes": [
+        "The shared CLI masthead now lands as a clean `OUROBOROS` wordmark instead of the older circle treatment, with compact/plain render paths trimmed down so the banner feels intentional rather than doubled or noisy.",
+        "The main human-facing screens now use warmer but more concrete first-run language: `ouro up`, the home screen, status, help, hatch, vault outcomes, and the connections screen now explain what Ouro is actually doing without leaning on unexplained `house` or `bay` metaphors.",
+        "Failed live provider checks in the connections screen now stay in the honest `needs attention` bucket instead of being downgraded to `needs credentials`, and hermetic runtime plus packaged-install coverage lock the wording into the shipped CLI."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.441",
+      "changes": [
+        "`ouro up` now lets the shared startup TUI own the masthead render path, so the screen no longer double-prints into scrollback and the shipped banner is a clean, correctly spelled classic `OUROBOROS` wordmark.",
+        "Vault unlock lookup now normalizes the canonical vault host while still reusing previously saved local unlock material from legacy vault coordinates, so a machine that already unlocked an agent vault does not get treated like it forgot after harmless vault-host drift.",
+        "macOS keychain read failures now surface as truthful local-store errors instead of being mislabeled as a locked vault, and new masthead/vault coverage plus packaged-install verification lock the fix into the shipped CLI."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.440",
+      "changes": [
+        "Shared live provider checks now narrate each real attempt and retry across `ouro up`, the connect bay, `ouro check`, `ouro use`, and auth verification, so a slow or busy provider no longer feels like one frozen `checking <provider>` line.",
+        "One shared retry-progress formatter translates the real failure class into plain language like `provider is busy right now` or `provider asked us to slow down`, while the shared provider attempt runner now exposes attempt-start callbacks for every human-facing verification surface.",
+        "New daemon/provider progress coverage locks in the shared callback contract and the human-facing retry narration, with the full coverage, integration, package-e2e, and installed-product verification stack carried through for the published release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.439",
+      "changes": [
+        "When an older Ouro-owned launcher is shadowing the managed `~/.ouro-cli/bin/ouro` path, system setup now repairs it in place instead of dumping a PATH lecture onto the human. Old global Homebrew/npm launchers that clearly belong to Ouro get rewritten to the current managed wrapper automatically.",
+        "That repair is intentionally narrow and truthful: Ouro only rewrites a shadowed launcher when its realpath or readable content proves it is one of our old launchers. Unknown launchers still keep the explicit PATH warning instead of being touched.",
+        "New path-installer and startup output coverage lock in the self-heal path, including readable non-Ouro launchers, disappearing files, write failures, and the happy-path repair of a stale `/opt/homebrew/bin/ouro`, with full coverage, integration, and packaged-install validation on top."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.438",
+      "changes": [
+        "Live provider failures now keep their real diagnosis all the way through startup, repair, and the connect bay: expired credentials still prompt re-auth, but busy providers, provider outages, rate limits, quota failures, and network trouble now point humans toward retrying later, checking usage, or switching lanes instead of being mislabeled as an auth problem.",
+        "The readiness board and connect bay now share one classification-aware repair model, so a lane only says `needs credentials` when the live ping actually came back as an auth failure; other live-check failures stay in the broader `needs attention` bucket with matching next actions.",
+        "New daemon, connect-bay, human-readiness, hermetic-runtime, and full-suite coverage lock in the truthful failure guidance, and packaged-install verification confirms the fix survives beyond the repo checkout into the shipped CLI."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.437",
+      "changes": [
+        "Provider-credential refresh now reads the known `providers/<provider>` vault items directly instead of starting with a full `bw list items` scan, so startup, repair, and connect-bay readiness stop paying whole-vault latency just to inspect the handful of provider records Ouro already names exactly.",
+        "Structured Ouro vault items now treat an exact-item `not found` from Bitwarden as a real miss instead of falling back into a fuzzy filtered search, which removes the slow retrying scan path for absent `providers/*` and `runtime/*` records without changing the safety fallback for malformed direct responses.",
+        "This closes the remaining real-world `connect` slowdown found after the live-ping work: local dogfood dropped the branch connect-bay readiness run from 127 seconds in the shipped path to 18 seconds after the direct provider-read fix, with new coverage locking the direct-read contract in place."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.436",
+      "changes": [
+        "Distinct live provider pings now run in parallel during startup, repair, and connect-bay readiness checks, so the CLI stops making humans wait for one selected provider/model lane to finish before it even starts checking the next one.",
+        "The connect bay and provider-health surfaces still keep the same truthful live verification path and the same dedupe behavior when both lanes share one provider/model/revision, but healthy multi-provider setups now reach a ready state sooner.",
+        "New agent-config coverage locks in the concurrency contract directly: when two different provider lanes need live checks, the second ping must start before the first one finishes, so this speedup cannot silently regress back into serialized health checks."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.435",
+      "changes": [
+        "Structured agent-vault items like `providers/*` and `runtime/*` now take a direct Bitwarden `bw get item` lookup fast path before falling back to filtered search, so connect, auth, and runtime-config reads spend less time holding the vault lane for work that already has an exact item name.",
+        "The Bitwarden store only trusts that fast path on an exact name match and still falls back to the older filtered search on fuzzy hits, missing items, or malformed direct responses, so the speedup lands without weakening correctness or duplicate protection.",
+        "Hermetic built-runtime coverage now understands the newer direct item lookup path too, so the connect bay, startup provider checks, and vault-backed runtime reads are tested against the same Bitwarden command shape the shipped CLI now uses."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.434",
+      "changes": [
+        "The supported bootstrap command is now explicitly `npx ouro.bot@latest` across the wrapper hints, operator docs, architecture docs, and runtime fallback messages, so humans are steered onto the channel that actually lands on the current published runtime.",
+        "Release smoke now verifies the live `ouro.bot@latest` bootstrap path end to end instead of only checking that the wrapper package resolves, so a stale bootstrap channel cannot slip through publish unnoticed.",
+        "This release closes the installed-product gap found during dogfood after the CLI human-surface overhaul: `npx ouro.bot@latest` now reproduces the current runtime truth in docs, smoke coverage, and real-world operator instructions."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.433",
+      "changes": [
+        "The human-facing CLI now speaks one shared terminal language across `ouro`, `ouro up`, `ouro connect`, repair, auth, vault, and hatch: the Ouroboros control deck, calm capability intros, and clear `What changed` / `Next moves` landings instead of raw transcript walls.",
+        "Guided connector and repair flows now tell the truth about what is portable versus machine-local, use the same live provider verification path as startup and auth verification, and keep visible progress on long-running work so the terminal never degrades into a dead blinking cursor while real work is still happening.",
+        "The refreshed CLI surface is now locked in by expanded screen-level daemon tests, full-suite regression coverage, hermetic built-runtime integration coverage, and packaged-install e2e coverage, with operator docs updated to match the new house-style behavior."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.432",
+      "changes": [
+        "`ouro up` no longer risks hanging forever on an unbounded npm registry check during startup; the update-check phase now shows live detail, aborts the stalled fetch after a short shared timeout, and continues booting with truthful status like `skipped; registry did not answer`.",
+        "The same bounded update-check helper now powers `ouro versions`, so published-version lookup cannot freeze there either and the human-facing status wording stays consistent across commands.",
+        "Focused startup/version coverage plus the full test suite now protect the stalled-registry regression, and `@ouro.bot/cli` plus the `ouro.bot` wrapper are version-synced for the startup freeze fix release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.431",
+      "changes": [
+        "`ouro up` and related long-running CLI paths now keep visible multi-line progress detail during daemon replacement, startup polling, and runtime reload waits instead of falling back to a dead-looking cursor.",
+        "`ouro connect` now live-verifies saved Perplexity and memory-embeddings credentials both in the root connect bay and in the dedicated connect flows before it calls those capabilities ready.",
+        "A shared runtime capability verifier now powers the portable connect UX and a new nightly/manual real-smoke lane for sacrificial provider/runtime credentials, so operator guidance and automated live checks use one truth path.",
+        "Hermetic runtime coverage plus installed-package smoke coverage now protect the refreshed CLI progress and connect surfaces, and the docs spell out the new real-smoke workflow."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.430",
+      "changes": [
+        "Interactive bare `ouro` now opens a shared Ouro-branded home deck instead of silently behaving like `ouro up`, while non-TTY and scripted invocations keep the compact, unsurprising command path.",
+        "`ouro up`, `ouro auth verify`, `ouro repair`, `ouro connect`, `ouro whoami`, `ouro versions`, `ouro help`, and the hatch welcome shell now render from one shared terminal UI and one canonical human readiness model, so boards, actions, and repair guidance stay visually and behaviorally aligned.",
+        "Daemon replacement and other long-running CLI flows now narrate what they are doing in plain language, `ouro connect` reuses the same live provider verification truth as startup/auth verification, and the human CLI no longer falls back to stale cached provider status in the connect bay.",
+        "Shared screen-level coverage, non-TTY rendering checks, and updated operator docs now lock the new CLI family in place, while thin dispatch-only seams stay covered through focused command tests instead of duplicated renderer assertions."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.429",
+      "changes": [
+        "Habit `lastRun` now lives in bundle runtime state under `state/habits/<habit>.json` instead of being rewritten into tracked `habits/*.md` files after every habit turn.",
+        "The habit worker, scheduler, inner-dialog habit turns, outlook habit readers, and `ouro habit list` now resolve `lastRun` through one shared helper, with legacy habit frontmatter kept as read-only fallback until runtime state exists.",
+        "New habit definitions created by hatch flow or `ouro habit create` stop emitting `lastRun` in tracked frontmatter, and task-system habit migration now preserves historical `lastRun`/`last_run` values by importing them into runtime state instead.",
+        "Habit runtime-state coverage now explicitly protects the defensive strip/fallback paths, and the agent-facing prompt text now tells the truth that runtime timestamps live in `state/habits/` so tracked habit files stay declarative."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.428",
+      "changes": [
+        "Root `ouro connect` now renders through a dedicated width-aware connect-bay renderer with a framed header, one recommended next move, and separate `Provider core`, `Portable`, and `This machine` sections instead of flattening everything inside one long menu string.",
+        "The connect bay keeps using the same live provider verification truth path as `ouro up` and `ouro auth verify`, while tightening lane-specific status and next-action mapping so locked vaults, failed live checks, and missing setup each point at the right repair move.",
+        "Added direct connect-bay renderer coverage for wide, narrow, wrapping, lane-summary, and non-TTY branches, plus a nerves event so the new renderer stays under the same file-completeness and audit rules as the rest of the runtime.",
+        "Auth, cross-machine, and testing docs now describe the root connect surface as the framed responsive bay it really is, and `@ouro.bot/cli` plus the `ouro.bot` wrapper are version-synced for the connect-bay polish release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.427",
+      "changes": [
+        "Root `ouro connect` now runs the same shared live provider verification path as `ouro up` and `ouro auth verify` before it renders the connect bay, so freshly authed providers and failed live checks show their real current state.",
+        "The root connect bay now groups capabilities into a clearer `Next best move`, `Provider core`, `Portable`, and `This machine` layout, with truthful lane-specific status for outward and inner providers.",
+        "Shared provider health checks now refresh readiness for every selected provider/model pair instead of stopping after the first failure, and `ouro connect` keeps working when provider selection is missing so repair guidance can still render.",
+        "Auth/provider/testing docs now describe the live-verifying connect bay behavior, and `@ouro.bot/cli` plus the `ouro.bot` wrapper are version-synced for the truthful connect release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.426",
+      "changes": [
+        "`ouro up` no longer marks `starting daemon` complete when a replacement daemon still is not answering; it now narrates replacement progress in plain language and reports replacement timeout as an incomplete replacement instead of a fake success.",
+        "Root `ouro connect --agent <agent>` now prints a short `checking current connections` preflight while it reads portable and machine-local runtime settings before showing the connect bay menu.",
+        "Auth/provider/setup docs now codify the human CLI rule that waits longer than about three seconds should show current work, and they describe the new daemon replacement wording and connect-bay preflight.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the daemon replacement and connect-bay progress release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.425",
+      "changes": [
+        "Human-facing single-agent CLI commands now resolve an omitted `--agent` through one shared path: use the explicit flag when present, otherwise use runtime identity when it can name the current agent, otherwise use the only discovered local agent, otherwise ask which agent to use, and otherwise explain how to hatch or clone one.",
+        "`ouro auth`, `ouro auth verify`, `ouro auth switch`, `ouro use`, `ouro provider` commands, `ouro vault` commands, `ouro connect`, `ouro config model`, `ouro config models`, `ouro setup`, `ouro bluebubbles replay`, `ouro thoughts`, `ouro attention`, `ouro inner`, `ouro task`, `ouro reminder create`, `ouro friend` management commands, `ouro habit`, and `ouro session list` now share that missing-agent contract instead of quietly depending on argv or ambient context.",
+        "Task/reminder execution now builds agent-scoped task modules directly from the selected bundle, session scanning now accepts an explicit agent name, and local friend/habit flows now read the selected agent bundle instead of falling back to hidden global defaults.",
+        "`ouro whoami` keeps its richer runtime identity output but now shares the same no-agent fallback behavior when runtime identity is unavailable, and the runtime seam no longer grabs unrelated ambient repo identity behind the human's back.",
+        "CLI help and execution coverage now protect single-agent auto-selection, multi-agent prompting, no-agent guidance, noninteractive ambiguity handling, and the newly covered local task/reminder/friend/habit/session flows.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the complete missing-agent resolution release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.424",
+      "changes": [
+        "Human-facing single-agent CLI commands now resolve an omitted `--agent` through one shared path: use the explicit flag when present, otherwise use the only installed agent, otherwise ask which agent to use, and otherwise explain how to hatch or clone one.",
+        "`ouro auth`, `ouro auth verify`, `ouro auth switch`, `ouro use`, `ouro provider refresh`, `ouro provider check`, `ouro provider status`, `ouro vault` commands, `ouro connect`, `ouro config model`, `ouro config models`, `ouro setup`, and `ouro bluebubbles replay` now accept `[--agent <name>]` instead of failing during parse before Ouro has a chance to help.",
+        "`ouro whoami` keeps its richer runtime identity output but now shares the same no-agent fallback behavior when runtime identity is unavailable, and the runtime seam no longer grabs unrelated ambient repo identity behind the human's back.",
+        "CLI help text now tells the truth about optional-agent behavior, and focused parser/execution/help coverage protects single-agent auto-selection, multi-agent prompting, no-agent guidance, and noninteractive ambiguity handling.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the missing-agent resolution release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.423",
+      "changes": [
+        "`ouro connect` now opens a real connect bay with one guided surface for provider auth, Perplexity, OpenAI embeddings, Teams, and BlueBubbles instead of a tiny menu that still required humans to memorize follow-up commands.",
+        "Added guided `ouro connect providers`, `ouro connect embeddings`, and `ouro connect teams` flows, plus richer connect-bay routing that distinguishes portable runtime config from machine-local attachments without printing secrets.",
+        "Credential/runtime changes now reuse one shared runtime-apply helper that checks daemon socket access, requests restart, polls daemon status, times out cleanly, and falls back clearly when daemon status is unavailable.",
+        "Command progress rendering now marks failed phases honestly with a failure state instead of a success checkmark plus `failed`, and the auth/provider docs, README, testing guide, OAUTH setup guide, and prompt truth text all point at the new connect-bay workflow.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the connect-bay and runtime-apply progress release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.422",
+      "changes": [
+        "`ouro auth` now streams provider-vault read progress before browser/token work begins, so a locked, slow, or remote vault never looks like a dead terminal after the initial access check.",
+        "Provider credential saves now stream the post-write in-memory provider credential reload, including vault item reads and parsing, instead of going silent after `refreshing in-memory provider credential pool`.",
+        "Auth-flow tests cover the pre-auth vault read and real Bitwarden-backed post-save refresh progress so the visible credential path stays protected.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the final auth-flow vault progress sweep."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.421",
+      "changes": [
+        "`ouro vault create`, `ouro vault unlock`, `ouro vault replace`, `ouro vault recover`, `ouro vault status`, and `ouro vault config` now use the shared human CLI progress checklist for vault account creation, local unlock storage, vault probes, credential reads, runtime config writes, and recovery imports.",
+        "`ouro status --agent`, `ouro provider status`, `ouro config models`, and `ouro config model` now show progress while reading provider credentials, listing GitHub Copilot models, and checking selected models.",
+        "Hatch provider credential resolution and post-start `ouro up` repair auth now route progress through the shared command renderer instead of raw ad hoc output.",
+        "Credential command progress tests now cover successful phases, failure cleanup, provider model exceptions, and secret redaction so these flows stay visibly alive without leaking values.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the remaining credential command progress release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.420",
+      "changes": [
+        "`ouro auth verify`, `ouro use`, and `ouro provider check` now share the human CLI progress checklist, so vault reads and live provider pings show visible phases instead of leaving a blinking cursor.",
+        "`ouro repair` provider-auth actions now reuse the same `ouro auth` runner/progress path, keeping browser/token repair flows consistent with direct auth commands.",
+        "Provider credential reads now accept the shared progress callback, letting command surfaces show vault-read detail without duplicating vault logic or exposing secrets.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the provider verification progress release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.419",
+      "changes": [
+        "`ouro auth`, `ouro provider refresh`, `ouro connect perplexity`, and `ouro connect bluebubbles` now use the shared human CLI progress checklist so browser login, vault reads/writes, daemon reloads, and verification steps stay visible instead of leaving a blinking cursor.",
+        "`ouro connect perplexity` now introduces the flow before the hidden API-key prompt, shows vault storage and reload progress, keeps the key out of output, and ends with a compact next step for using Perplexity search.",
+        "`ouro connect bluebubbles` now introduces the local-machine attachment before prompts, shows machine runtime config and `agent.json` enablement progress, and keeps the app password out of output.",
+        "`ouro provider refresh` now shows vault-read progress and reload status, and refresh/auth/connect failure paths preserve the last visible progress context while still rethrowing actionable errors.",
+        "The CLI progress renderer is documented as a shared human-facing contract: long-running human flows should show current work, stay concise, and never print secrets.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the provider onboarding progress release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.418",
+      "changes": [
+        "`ouro up` now uses the live progress renderer in interactive terminals instead of forcing static non-TTY output, so long startup/check phases animate instead of leaving a blinking cursor.",
+        "Non-TTY and captured `ouro up` output now prints current phase starts and changed detail lines (`launching daemon process`, `waiting for daemon socket`, `daemon answered`) before completion, avoiding silent waits in logs and terminal sessions that cannot render spinners.",
+        "Daemon startup readiness is completed explicitly before provider checks begin; `ouro up` no longer marks `starting daemon` as done by accidentally auto-completing it when the next phase starts.",
+        "Daemon startup polling can now report progress into the parent `ouro up` checklist without rendering its own nested startup TUI, keeping startup output as one coherent surface.",
+        "Runtime drift restart messages now summarize drift categories such as `code path` or `managed agents` without printing raw worktree/package paths in normal CLI output.",
+        "Default CLI stdout now writes exactly one newline instead of using `console.log`, removing the extra blank lines caused when progress renderers already include newline-terminated output.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the `ouro up` progress polish release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.417",
+      "changes": [
+        "`isTransientError` now recognizes timeout errors after `formatBwCliError` transforms them, so retries fire correctly even when the raw `ETIMEDOUT` code is lost during formatting.",
+        "New `withTransientRetry` wrapper on read operations (`get`, `getRawSecret`, `list`) retries up to 3 times with exponential backoff (500ms, 1s, 2s) and emits `repertoire.bw_transient_retry` nerves events, so transient vault hiccups resolve silently.",
+        "`bw sync` now runs after every login/unlock in `loginAttempt()`, ensuring vault data is synchronized with the server before any read operations.",
+        "Timeout error messages changed from a generic 'timed out while waiting for a vault response' to actionable guidance: 'timed out -- usually resolves on retry. If it persists, check network connectivity to the vault server.'",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the Bitwarden store resilience release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.416",
+      "changes": [
+        "Post-repair provider health re-check in `ouro up` now shows a dedicated progress phase (`post-repair check`) with per-agent detail instead of running silently after interactive repair completes.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the post-repair progress release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.415",
+      "changes": [
+        "Transient vault errors (timeout, ECONNREFUSED, socket hang up) are now classified separately from vault-locked errors in `ouro up` provider checks -- operators see retry guidance instead of misleading unlock/replace/recover instructions.",
+        "Fix text across vault unlock, vault create, missing credential, and failed ping results tightened to concise single-line instructions.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the error classification release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.414",
+      "changes": [
+        "`openai-codex` live checks now use the same Responses API request shape as real Codex turns, so `ouro up` and `ouro auth verify` stop reporting false `400 status code (no body)` failures for healthy GPT-5.4 credentials.",
+        "`ouro up` now detects daemon roster drift when enabled agent bundles change on disk and restarts the stale daemon, which removes ghost agents like a locally-removed `ouroboros` from the repair queue instead of pretending they still live here.",
+        "Bundle skeleton contract coverage now validates whichever local agent bundles actually exist, so one-agent machines can keep `slugger` installed without failing the full test suite just because `ouroboros` was intentionally removed.",
+        "Expanded Codex provider runtime coverage to exercise the real turn path, preserved output-item turn state, runtime error classification, and the ping callback bundle, which keeps the global 100% coverage gate green for this repair.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the Codex live-check and daemon-roster drift repair release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.413",
+      "changes": [
+        "`ouro up` now shows real-time per-agent progress during provider checks -- the spinner displays which agent and vault operation is in progress (`slugger: reading vault items...`) instead of a static label with no detail.",
+        "Added `onProgress` callback to `refreshProviderCredentialPool` and `updateDetail()` method to `UpProgress` for sub-step spinner detail, threaded through the full `executeUpCommand` -> `checkAgentProviders` -> provider health check chain.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the progress threading release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.412",
+      "changes": [
+        "Cross-process bw CLI lock prevents concurrent access to the same Bitwarden app data directory, fixing the root cause of intermittent vault timeout errors during `ouro up` provider checks on multi-agent machines.",
+        "Two-layer locking in `execBw`: in-process async mutex serializes within a Node.js process, cross-process `O_EXCL` file lock with PID stale detection serializes across processes.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault concurrency fix release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.411",
+      "changes": [
+        "`ouro up` interactive repair now re-evaluates each agent after a successful vault-unlock or provider-auth, so users see immediate confirmation or an updated next step instead of stale context.",
+        "Repair prompts now include agent names (`Unlock slugger's vault now?`) instead of generic phrasing.",
+        "Terminal `Repair flow complete.` message printed when at least one repair was attempted, giving clear closure to the interactive flow.",
+        "Redundant repair queue summary suppressed in the post-daemon-start path where the status block already listed degraded agents."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.410",
+      "changes": [
+        "Added guided `ouro connect` onboarding for Perplexity search and local BlueBubbles attachment setup, with hidden secret prompts and compact success output.",
+        "Runtime credentials now distinguish portable `runtime/config` from machine-scoped `runtime/machines/<machine-id>/config`, so BlueBubbles local Mac bridge settings do not travel as universal agent config.",
+        "BlueBubbles can now be enabled but `not_attached` on a machine without degrading the agent, while incomplete or broken local attachment config still reports repairable guidance.",
+        "Sync-enabled bundle config mutations now run the existing post-change bundle sync path after vault setup/recovery/replacement, BlueBubbles attachment, and clone success, surfacing a compact `bundle sync:` result.",
+        "New vault unlock secret flows now require hidden confirmation and minimum strength checks before creating, replacing, recovering, or hatching an agent vault.",
+        "Updated auth/provider, cross-machine, README, AGENTS, and testing docs to lock the agent-vault-as-password-manager model and the portable-vs-local credential split.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the runtime credential onboarding release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.409",
+      "changes": [
+        "`ouro up` interactive repair now presents each agent's next step as a compact panel with `needs`, `run`, and `note` lines, followed by a short human prompt like `Unlock it now?` or `Open the auth flow now?` instead of embedding commands and warnings into one long question.",
+        "Declined repair output now collapses into short `next` / `or` follow-up commands, so vault unlock, replace, recover, and provider-auth paths stay visible without reprinting a wall of explanatory prose.",
+        "Guided readiness repair and no-repair summaries now use blank-line grouping plus calmer `Provider checks need attention` and `Still needs attention` headings, and stale-daemon restart output now splits its repair handoff onto a second line instead of bolting it onto one overlong sentence.",
+        "Added regression coverage for the new interactive repair copy, grouped repair queue, readiness summary spacing, no-repair output, and the revised stale-daemon restart message.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the repair UX polish release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.408",
+      "changes": [
+        "Existing agents without a `vault` block in `agent.json` now fail fast with explicit `ouro vault create --agent <agent>` guidance instead of silently deriving a stable vault account and misreporting missing provider credentials.",
+        "`ouro auth`, `ouro up`, and `ouro repair` now treat a missing agent vault locator as a first-class readiness state with create/recover choices, then continue through the normal provider-auth repair path after the vault exists.",
+        "Runtime credential access now requires an explicit agent vault locator before opening Bitwarden or Vaultwarden, which keeps provider, runtime, travel, and tool credential flows truthful for pre-vault agent migrations.",
+        "Added regression coverage for missing-vault-locator auth, provider readiness, guided repair, and the real Bitwarden-backed auth path, plus the default local `spawnSync` fallback used by Linux secure-store probing.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the pre-vault agent locator repair release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.407",
+      "changes": [
+        "`credential_store` now uses the same Bitwarden-derived error scrubber as provider auth, so agent-saved secret flows redact raw `bw ...` command lines, encoded payload blobs, and hidden prompt echoes instead of free-styling their own failure cleanup.",
+        "The shared sanitizer now collapses fully scrubbed failures back to `command failed`, so redaction does not leave behind useless `[redacted]` noise when the only surviving text was secret-shaped.",
+        "Added regression coverage for the shared sanitizer itself plus the `credential_store` path that agents hit after signups and manual secret saves.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the shared credential error sanitization release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.406",
+      "changes": [
+        "`ouro auth --agent <agent> --provider <provider>` now keeps narrating the post-login vault save path with `opening ... vault session`, `storing ... credentials`, and `refreshing in-memory provider credential pool`, so a successful browser login no longer drops into a silent cursor while secrets are being persisted.",
+        "Bitwarden-backed provider saves now classify timeouts and empty command failures by operation and redact raw `bw create item ...` command text, encoded payloads, and prompt echoes from auth output.",
+        "Auth, repair CLI, and Bitwarden regression coverage now encodes the reported post-login save failure shapes so the same leak-prone path stays guarded.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the post-login vault save hardening release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.405",
+      "changes": [
+        "`ouro up` now keeps walking the guided repair path when one successful fix reveals the next runnable issue for the same agent, instead of stopping after the first pass and making you rerun the command.",
+        "The happy repair path still prints `provider checks recovered after repair`, and the chained-flow coverage now exercises vault-unlock-then-auth continuation directly.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the chained preflight repair release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.404",
+      "changes": [
+        "`ouro up` and `ouro up --no-repair` now render degraded provider summaries as grouped blocks with blank lines between agents, so rescue guidance reads like deliberate instructions instead of a pile of fragments.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the provider-repair summary readability release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.403",
+      "changes": [
+        "Vault recovery help and parser usage now render repeatable `--from <json>` imports explicitly as `--from <json> [--from <json> ...]`, so the rescue command reads like a repeatable flag instead of a duplicated typo.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault recovery help clarity release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.402",
+      "changes": [
+        "Added `credential_generate_password`, a family-trusted credential tool that mints strong signup passwords and tells the agent to persist the exact accepted password with `credential_store` once the site accepts it.",
+        "`credential_store` now rejects blank required fields up front, trims credential metadata, redacts secret-bearing store errors, and confirms that credentials were stored and verified instead of silently accepting junk inputs or leaking password-shaped text.",
+        "User profile vault merges now fail closed when the existing profile cannot be read or is malformed, instead of treating every read failure as \"missing\" and overwriting saved personal data.",
+        "Browser and travel skills now teach the truthful signup secret flow: generate a password, use it for the interactive signup, and only claim success after `credential_store` succeeds.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the agent-saved secret hardening release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.401",
+      "changes": [
+        "Bitwarden-backed credential writes now prove success by reading the saved item back immediately and verifying its name, username, password, and notes before returning success.",
+        "Post-save verification now prefers `bw get item <id>` when create/edit returns a usable id, falls back cleanly when stdout is malformed or id-less, and retries once when the local Bitwarden session expires mid-verification.",
+        "Malformed or invalid `bw get item` responses now fail with short sanitized errors instead of leaving auth and vault save flows in an ambiguous half-success state.",
+        "Runtime auth's Bitwarden harness coverage now exercises the same post-save readback path as the real vault store, and the store test suite covers missing items, malformed responses, field-by-field mismatches, and multi-field mismatch guidance.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault write readback verification release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.400",
+      "changes": [
+        "Bitwarden-backed provider-vault writes now treat search/list failures as real vault errors instead of silently collapsing them into \"missing credential\" fallthroughs.",
+        "Expired local Bitwarden sessions during provider credential search, create, edit, and list operations now retry once with a fresh session before surfacing a clear locked/missing/expired session error.",
+        "`bw config server` no longer swallows unrelated failures, and malformed `bw list items` output now reports a short invalid-JSON error instead of crashing through a raw parse exception.",
+        "Provider credential upserts now fail explicitly when the vault write succeeded but the in-memory provider credential pool refresh did not, with follow-up guidance to run `ouro provider refresh --agent <agent>` and `ouro auth verify --agent <agent>`.",
+        "Added regression coverage for the real runtime auth -> Bitwarden save path, plus store/provider tests for session-expiry retries, pre-create lookup failures, and post-save snapshot-refresh failures.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault-save error hardening release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.399",
+      "changes": [
+        "Bitwarden-backed credential writes now pipe provider vault item payloads to `bw create item` and `bw edit item` over stdin instead of putting encoded credential JSON in process arguments.",
+        "Bitwarden CLI failures are now sanitized before they reach CLI output, so `Command failed: bw ...` argv, encoded payloads, raw provider tokens, and vault item passwords are not printed.",
+        "Bitwarden master-password prompts during credential writes now surface as a short locked/expired local session message instead of dumping the failed command invocation.",
+        "The nerves redaction audit now looks for credential-shaped text instead of failing on ordinary file paths or branch names that contain words like `secret`, `password`, or `api-key`.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the Bitwarden secret redaction release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.398",
+      "changes": [
+        "`ouro auth --agent <agent> --provider <provider>` now prints safe progress breadcrumbs while it checks vault access, runs provider login, stores credentials in the agent vault, refreshes the in-memory provider credential pool, and verifies the provider.",
+        "Provider auth launched from `ouro repair` and hatch bootstrap now uses the same auth progress hook, so browser/login flows no longer leave humans staring at a silent cursor after the provider says login succeeded.",
+        "Auth progress messages are phase labels only; they never include OAuth tokens, API keys, vault unlock secrets, or credential payload values.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the auth progress breadcrumb release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.397",
+      "changes": [
+        "`ouro up` provider repair output now uses compact readiness cards and `need repair` progress labels instead of dense degraded-agent prose.",
+        "Guided readiness repair and post-repair summaries now share the same typed issue renderer, so locked vaults, missing provider credentials, and generic repair hints show consistent `next`/`or` commands.",
+        "`ouro vault replace` now prompts for a `new` unlock secret and prints a short recovery handoff to `ouro repair --agent <agent>` instead of dumping generic provider/runtime credential commands into the middle of `ouro up`.",
+        "`ouro vault recover` also prompts for a `new` unlock secret while continuing to avoid printing credential values or portable unlock material.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the provider repair visual cleanup release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.396",
+      "changes": [
+        "Added `ouro repair [--agent <agent>]`, a deterministic vault/provider readiness guide that uses typed repair issues and clear human choices instead of asking for AI diagnosis on known failures.",
+        "Provider health checks now attach shared typed repair metadata for locked vaults, missing provider credentials, and failed live provider/model pings, keeping CLI repair, `ouro up`, and agent-facing guidance aligned.",
+        "`ouro up` now always runs the live provider-check phase after startup, not only when the daemon was already running, so broken selected providers are surfaced during startup instead of later through confusing agent crashes.",
+        "`ouro vault create --agent <agent>` now defaults to the stable agent vault email when no vault locator exists, while still requiring a non-echoing human-provided unlock secret.",
+        "Cross-machine and auth/provider docs now include `ouro repair --agent <agent>` in the continuation path for existing bundles and old auth-style agents.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the typed readiness repair release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.395",
+      "changes": [
+        "`ouro vault replace` and `ouro vault recover` now default to the stable agent vault email, `<agent>@ouro.bot`, instead of timestamped `+replaced` or `+recovered` addresses.",
+        "Vault repair now treats previously generated repair emails as stale defaults and repairs back to the stable agent email unless the human explicitly supplies `--email <email>`.",
+        "Existing-account repair guidance now tells operators to unlock the stable vault when possible and use `--email` only when intentionally moving an agent to a different vault account.",
+        "Auth/provider docs and CLI help now describe stable vault identity repair for old auth-style agents without implying that Ouro can recover a forgotten unlock secret.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the stable vault identity repair release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.394",
+      "changes": [
+        "Added `ouro vault replace --agent <agent>` for existing pre-vault agents whose bundle has vault coordinates but no saved unlock secret and no local JSON credential export.",
+        "`ouro vault status --agent <agent>` now clearly reports when an existing agent has not configured a vault locator yet and points to `ouro vault create --agent <agent>` instead of implying an unlockable vault exists.",
+        "Locked-vault repair guidance now distinguishes saved-secret unlock, no-export replacement, and JSON-export recovery across provider checks, auth, provider refresh, vault config status, and vault unlock errors.",
+        "Interactive repair prompts now warn humans to run vault unlock only when they have the saved unlock secret, and docs explain how old auth-style agents continue by replacing the vault and re-entering credentials.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the pre-vault replacement repair release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.393",
+      "changes": [
+        "Restored the trusted publish workflow to the supported `latest` channel after the one-time alpha bridge release.",
+        "`@ouro.bot/cli@latest` and `ouro.bot@latest` now advance together again on the final current runtime version.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the post-bridge latest-channel release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.392",
+      "changes": [
+        "Published a one-time alpha-channel bridge so launchers still pinned to `@ouro.bot/cli@alpha` can run code that checks the supported `latest` channel.",
+        "The bridge keeps `latest` as the real operator channel while giving old alpha-based npx wrappers a path to install the final current runtime on their next `ouro up`.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the legacy alpha bridge release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.391",
+      "changes": [
+        "`@ouro.bot/cli` now publishes and verifies the `latest` dist-tag, so the direct CLI package and the `ouro.bot` bootstrap wrapper point at the same current runtime channel.",
+        "The `ouro.bot` wrapper, daemon update checks, Teams startup script, and version status output now resolve `@ouro.bot/cli@latest` instead of the stale-prone `@alpha` tag.",
+        "Dev-mode guidance now tells operators to bootstrap with `npx ouro.bot`, matching the supported human install path.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the npm dist-tag alignment release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.390",
+      "changes": [
+        "Interactive SerpentGuide adoption now asks the human for the hatchling vault unlock secret through the shared hidden terminal prompt instead of generating and printing one.",
+        "`complete_adoption` refuses to finish without an interactive secret prompt, validates that the human-provided hatchling vault secret is non-empty, and keeps rollback coverage for vault/provider write failures.",
+        "Hatch prompts and auth/provider docs now state that hatchling vault unlock secrets must never be typed into chat, included in tool arguments, generated by Ouro, or printed back to the terminal.",
+        "`ouro help` now covers documented bootstrap and repair commands including `auth verify`, `auth switch`, `provider refresh`, and `use`.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the hatchling vault secret bootstrap release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.389",
+      "changes": [
+        "CLI entrypoints now print command failures to stderr before exiting, so invalid commands and vault recovery errors are visible in the terminal instead of only appearing in runtime logs.",
+        "Vault unlock secret prompts now fail fast when stdin/stdout is not an interactive terminal, preserving the non-echoing human-provided secret flow instead of dangling or silently exiting.",
+        "`ouro vault recover` now validates every local `--from` JSON source before asking for the replacement vault unlock secret, so bad paths or malformed files never ask the human to type a secret first.",
+        "Vault recovery tests now assert that bad source files do not call the secret prompt and that entrypoint failures are terminal-visible.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault recovery prompt polish release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.388",
+      "changes": [
+        "The default agent credential vault host now points at the live Vaultwarden endpoint `https://vault.ouroboros.bot` instead of the website redirect host.",
+        "`ouro vault create` and `ouro vault recover` now create accounts through the live Bitwarden/Vaultwarden identity registration endpoint and include the registration URL in setup failures.",
+        "Vault unlock/create/recover prompts now use a non-echoing secret prompt for vault unlock secrets, and the supported docs/help path asks the human to provide a saved secret instead of generating or printing one.",
+        "Deprecated `--generate-unlock-secret` vault flags now fail fast with guidance to rerun interactively, preventing new vault unlock secrets from being printed into terminals or logs.",
+        "Vault setup, unlock, provider CLI, help, docs, and runtime-config tests now encode the canonical vault host and human-provided secret flow so the wrong host or unsafe prompt path cannot silently return.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the canonical vault recovery release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.386",
+      "changes": [
+        "`ouro vault recover --help` and `ouro help vault recover` now show the recovery-specific flags instead of generic vault help.",
+        "Nested command help now preserves subcommand words before flags, so help output can be specific to commands like `vault recover`.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault recovery help release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.385",
+      "changes": [
+        "`ouro up` provider-check repair hints for locked agent vaults now mention both normal unlock and lost-secret `ouro vault recover --agent <agent> --from <json>` recovery.",
+        "Provider health checks now share the locked-vault unlock-or-recover wording so compact degraded summaries do not send operators back to a secret they never saved.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the locked-vault repair-hint release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.384",
+      "changes": [
+        "Added `ouro vault recover --agent <agent> --from <json>` for existing alpha agents whose vault coordinates exist but whose unlock secret was never saved.",
+        "`ouro vault recover` creates a replacement agent vault, imports provider credentials into `providers/*`, imports runtime/sense/integration credentials into `runtime/config`, and prints only redacted field/provider summaries.",
+        "Auth/provider docs now distinguish normal vault unlock from lost-secret replacement-vault recovery, including the old-auth checklist path.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault recovery release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.383",
+      "changes": [
+        "`ouro provider refresh` now stops after a failed vault credential refresh instead of also reporting that the daemon restarted to reload credentials.",
+        "Provider refresh CLI tests now cover the locked-vault failure path separately from successful daemon restart and restart-skip paths.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the provider refresh failure-output release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.382",
+      "changes": [
+        "The packaged travel-planning skill now describes travel/tool credentials as agent Bitwarden/Vaultwarden vault items instead of using retired bundle-vault wording.",
+        "Documentation contracts now block packaged skills from reintroducing legacy local credential paths, vault-key wording, or obsolete Bitwarden Agent Access CLI guidance.",
+        "The coverage workflow now treats `skills/` changes as package-shipping changes that require a fresh unpublished CLI version before merge.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the packaged skill credential-guidance release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.381",
+      "changes": [
+        "`ouro status` provider rows now suppress old readiness error details whenever credentials are currently missing or the agent vault is unavailable, keeping the table focused on the active blocker.",
+        "Provider visibility tests now cover both missing credentials and unavailable vault credentials so stale ping failures do not reappear in status rows.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the provider status polish release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.380",
+      "changes": [
+        "Daemon startup now supplements pidfile cleanup with the scoped orphan-process scan, so a partial stale pidfile cannot leave an older daemon process alive after `ouro up` replaces the runtime.",
+        "`ouro status` now keeps vault runtime/config failures compact in sense rows, replacing multi-line vault-lock explanations with a direct `ouro vault unlock --agent <agent>` hint.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the daemon/status polish release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.379",
+      "changes": [
+        "Outlook Runtime now renders the existing local provider lanes, including provider/model, readiness, credential source and revision, repair commands, and warnings.",
+        "Active runtime code, current docs, and current tests no longer reference the retired home-directory credential path; a contract test now blocks that path from returning to active product surface.",
+        "Guardrails now protect the current local vault unlock-file stores instead of the retired credential directory, keeping agent writes aligned with the bundle plus vault credential model.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the Outlook provider lanes and credential-path cleanup release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.378",
+      "changes": [
+        "Existing-agent continuation docs now spell out the bundle plus vault flow: clone the bundle, unlock the agent vault, refresh and verify provider/runtime credentials, then run `ouro up`.",
+        "Locked-vault and vault-create guidance no longer names an operator password manager as an Ouro credential location; local unlock material is documented as a machine-local cache, not a source of truth.",
+        "`ouro clone` non-interactive next steps now lead with `ouro vault unlock`, `ouro provider refresh`, and `ouro auth verify` instead of stale `ouro auth run` guidance.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the existing-bundle vault continuation release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.377",
+      "changes": [
+        "Runtime configuration now lives in each agent's vault as `runtime/config`, alongside provider credentials in `providers/*`, making the agent vault the single credential/config source of truth.",
+        "`ouro vault config set/status`, daemon startup, senses, prompt rendering, doctor checks, and provider repair paths now share the same vault-backed runtime config loader instead of reading or writing local `~/.agentsecrets` files.",
+        "Provider credentials, runtime config, and travel/tool credentials are documented as vault items; legacy local secrets paths are now only guarded against or reported as migration hazards.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault source-of-truth release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.376",
+      "changes": [
+        "`ouro up` interactive repair now prints a grouped repair queue before prompting when multiple degraded agents have runnable auth or vault unlock repairs.",
+        "The repair queue and the actual prompts share the same computed repair action, so grouped copy cannot drift from the command that will run.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the repair queue summary release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.375",
+      "changes": [
+        "`ouro up` interactive repair now prints the exact `ouro auth` or `ouro vault unlock` command to run later when the human declines a repair prompt.",
+        "Declined repair prompts now share one later-command writer across provider auth and vault unlock flows, keeping skipped setup paths copy-pasteable.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the repair decline recap release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.374",
+      "changes": [
+        "SerpentGuide bootstrap now stays in the credential picker when a selected discovered credential fails ping, letting the human choose another saved source or enter a new key without restarting `ouro hatch`.",
+        "The stale discovered-credential retry path is covered by a focused SerpentGuide bootstrap test that fails the first provider ping and succeeds after manual replacement credentials.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the SerpentGuide credential retry release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.373",
+      "changes": [
+        "SerpentGuide bootstrap now discovers provider credentials from unlockable installed agent vaults, so a new hatch can reuse sources such as `minimax from slugger's vault` without creating persistent SerpentGuide credentials.",
+        "SerpentGuide credential options now preserve provenance for installed-agent vault sources and env sources while keeping secret values out of terminal labels.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the SerpentGuide installed-agent credential discovery release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.372",
+      "changes": [
+        "Locked-vault errors now explain that provider credentials are still stored in the agent vault and that this computer is missing usable local unlock material.",
+        "The locked-vault guidance now names common machine-local causes, including a new computer, local profile or hostname migration, and removed local unlock entries.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the locked-vault bootstrap copy release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.371",
+      "changes": [
+        "`ouro up` now rechecks selected provider health after a deterministic repair actually runs, so a successful vault unlock or auth repair is followed by either a recovery confirmation or the remaining degraded details.",
+        "Post-repair provider checks target the originally repairable degraded agents directly, avoiding false recovery when discovery output is sparse.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the post-repair provider check release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.370",
+      "changes": [
+        "`ouro up` AI-assisted diagnosis prompts now accept `yes`, `YES`, and whitespace-padded affirmative answers, matching the deterministic repair prompts.",
+        "Repair prompt affirmative parsing now lives in one shared helper used by both interactive auth/vault repair and agentic diagnosis.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the repair prompt answer parsing release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.369",
+      "changes": [
+        "`ouro up` now offers runnable local repairs such as `ouro vault unlock` or `ouro auth` before optional AI-assisted diagnosis, avoiding a model call when the deterministic fix is already known.",
+        "Agentic repair no longer repeats the deterministic repair prompt after diagnosis when that prompt was already offered first.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the deterministic-before-AI repair release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.368",
+      "changes": [
+        "`ouro up` interactive repair prompts now treat `yes`, `YES`, and whitespace-padded affirmative answers as yes for both provider auth and vault unlock repairs.",
+        "Interactive repair now uses one shared affirmative-answer parser instead of duplicating raw `y` checks across repair branches.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the repair answer parsing release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.367",
+      "changes": [
+        "`ouro up` repair prompts now extract exact `ouro auth` and `ouro vault unlock` commands from fix hints instead of swallowing trailing prose such as `then run ouro up again`.",
+        "Interactive repair tests now assert exact prompt text for quoted and unquoted repair commands, covering both provider auth and vault unlock flows.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the repair command parsing release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.366",
+      "changes": [
+        "`ouro up` now treats locked per-agent credential vaults as an unlock problem instead of a provider-auth problem, prompting `ouro vault unlock --agent <agent>` before any `ouro auth` repair flow.",
+        "Provider startup checks now preserve credential-pool `unavailable` state and show concise locked-vault guidance instead of nesting duplicate vault errors and secondary auth instructions.",
+        "`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the vault unlock repair release."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.365",
+      "changes": [
+        "`ouro auth`, `ouro use`, provider status/check/refresh, startup health checks, interactive repair, and failover guidance now share the same agent-vault and lane contract with clearer human repair paths.",
+        "SerpentGuide bootstrap no longer persists its own provider credentials; hatch flows keep bootstrap credentials in memory and store them only in the hatchling agent vault.",
+        "Vault unlock bootstrap supports macOS Keychain, Windows DPAPI, Linux Secret Service, and explicit plaintext fallback, with docs aligned across AGENTS, README, OAuth setup, testing guide, and auth/provider reference."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.364",
+      "changes": [
+        "Cross-machine polish: bash PATH writes to .bashrc on Linux/WSL instead of .bash_profile (which non-login shells skip on Debian/Ubuntu). Shell hint message matches.",
+        "Agent prompt: never guess about harness behavior — consult docs first, investigate in code, fix stale docs via PR.",
+        "Agent prompt: harness docs pointer distinguishes dev mode (local read) vs production (fetch from GitHub)."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.363",
+      "changes": [
+        "Bootstrap first-install PATH hint is now shell-aware: shows correct source command for zsh, bash, fish, or generic fallback for unknown shells."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.362",
+      "changes": [
+        "New `ouro clone <remote>` command for cross-machine agent setup: clones bundle from git remote, creates machine identity, enables sync, guides to auth flow. Infers agent name from URL.",
+        "WSL-aware `ouro setup --tool claude-code`: detects WSL2, resolves Windows-side home, calls claude.exe with wsl-prefixed MCP serve and hook commands, writes settings to Windows .claude/ directory.",
+        "Platform detection module (detectPlatform) returning macos/linux/wsl/windows-native with injectable deps.",
+        "First-run hatch-or-clone interactive choice when no bundles exist. Manual-clone detection during `ouro up` offers to enable sync on git-cloned bundles.",
+        "npx ouro.bot bootstrap now passes through to CLI on first install instead of stopping early."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.361",
+      "changes": [
+        "All senses (inner-dialog, BlueBubbles, Teams, shared-turn) now use deferred session persist (postTurnTrim + deferPostTurnPersist), matching the CLI pattern. Unblocks the event loop during session I/O for all channels."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.360",
+      "changes": [
+        "Each provider runtime now owns its `ping()` method, replacing the centralized if/else routing chain. Azure ping switched from chat completions to Responses API to match its runtime. Prevents the entire class of ping/runtime API drift bugs."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.359",
+      "changes": [
+        "Fixed session storage explosion caused by `findCommonPrefixLength` returning 0 every turn (system prompt changes invalidated the prefix). Skips system messages in prefix comparison, prunes non-projected events from the envelope, archives evicted events to NDJSON, and adds `loadFullEventHistory()` for consumers that need full history. Eliminates unbounded duplicate event accumulation that caused 512MB session files and 15s freezes."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.358",
+      "changes": [
+        "Removed `/new` slash command from CLI (kept on Teams). Made `dispatch()` channel-aware so commands only fire on their registered channels."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.357",
+      "changes": [
+        "`ouro chat` now checks provider health before launching a session, failing fast with actionable error and fix guidance instead of erroring mid-conversation when a provider is broken (expired token, unsupported parameter, etc.). Applied to all three pre-chat paths: explicit `ouro chat <agent>`, bare `ouro` single-agent auto-chat, and bare `ouro` multi-agent selection."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.356",
+      "changes": [
+        "Provider ping for github-copilot GPT models (e.g. gpt-5.4) now uses the Responses API instead of chat completions, fixing `400 Unsupported parameter: 'max_tokens'` errors during live checks."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.355",
+      "changes": []
+    },
+    {
+      "version": "0.1.0-alpha.354",
+      "changes": [
+        "Provider visibility now surfaces the effective local outward/inner lanes across start-of-turn context, system prompts, pulse, Outlook, and daemon status, using the shared provider binding resolver with safe credential provenance and no raw secret exposure."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.353",
+      "changes": []
+    },
+    {
+      "version": "0.1.0-alpha.352",
+      "changes": [
+        "Settle tool description now communicates turn-ending semantics: 'deliver your response and end your turn' with explicit guidance against settling with status updates mid-task.",
+        "Observe tool now available in all outward channels including 1:1 chats, not just groups and reactions — agents can absorb messages without responding when the moment doesn't call for words.",
+        "Autonomous execution prompt contract added: when told to work autonomously, agents use ponder to absorb new messages and continue using tools, settling only with the final result."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.351",
+      "changes": [
+        "Surface tool description rewritten from 'surface progress' to 'send a message to someone' — makes it clear the tool is for interpersonal messaging, not status reporting.",
+        "Inner dialog prompt contract now guides agents to use rest(note) for heartbeat state and ponder(reflection) for deeper thoughts, keeping surface strictly for words meant for another person.",
+        "Removed [surfaced from inner dialog] prefix from synthetic session messages — provenance is tracked via captureKind: 'synthetic', the prefix was redundant and created echo loops.",
+        "Obligation summaries and attention queue headers reframed as structured internal data ([internal] tags) instead of surface-ready prose.",
+        "Shared proactive-content-guard module blocks internal content (heartbeat, check-in, task board, obligation status, meta markers) from BlueBubbles and Teams proactive sends."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.350",
+      "changes": []
+    },
+    {
+      "version": "0.1.0-alpha.349",
+      "changes": []
+    },
+    {
+      "version": "0.1.0-alpha.348",
+      "changes": [
+        "Provider attempts now share one bounded retry runner across real runtime turns, provider pings, health inventory, working-provider discovery, and GitHub Copilot model validation, retrying every provider failure class before terminal handling while preserving attempt metadata and nerves events.",
+        "Provider checks can now ping the selected lane model instead of drifting to provider defaults, and readiness/model pings use zero-delay retries so health checks stay fast."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.347",
+      "changes": [
+        "Post-turn session persist functions now return the events array directly, eliminating a redundant `loadSession` file read after every CLI TUI turn. `postTurnPersist` returns `SessionEvent[]` and `deferPostTurnPersist` returns `Promise<SessionEvent[]>`, so the CLI sense uses the returned data instead of re-reading the file it just wrote."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.346",
+      "changes": []
+    },
+    {
+      "version": "0.1.0-alpha.345",
+      "changes": []
+    },
+    {
+      "version": "0.1.0-alpha.344",
+      "changes": [
+        "Provider readiness groundwork now has stable machine identity stored at `~/.ouro-cli/machine.json`, preserving random machine IDs across hostname changes while recording aliases for diagnostics.",
+        "Per-agent provider bindings and readiness can now be read, validated, written, and bootstrapped in `<agent>.ouro/agent.json` using explicit `outward` and `inner` lanes without storing credentials in bundle state."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.343",
+      "changes": [
+        "Kept-notes preflight now blocks provider turns long enough to search diary, journal, and friend-note candidates, then injects only first-person found/fuzzy notes under source-specific headings.",
+        "Tooling, MCP, Outlook, session-tail, and note-search surfaces now use diary/journal/notes naming, including `search_notes` and `tools-notes.ts`, while old saved-session tool names migrate quietly."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.342",
+      "changes": [
+        "The nerves coverage gate now writes append-only per-test NDJSON records across Vitest workers, emits a redaction-safe heartbeat for every executed test, fails closed when per-test capture is missing or malformed, and scopes start/end pairing to explicit process lifecycle events so the full-suite audit is truthful instead of passable through empty artifacts."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.341",
+      "changes": [
+        "`ouro up` and `ouro doctor` now detect when PATH resolves `ouro` to a stale external launcher before the managed `~/.ouro-cli/bin/ouro` wrapper, then print exact path-specific remediation instead of leaving users stuck on an older shim."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.340",
+      "changes": [
+        "Prompt tool lists now match runtime flow-tool availability: `ponder` and the channel terminal tool remain visible even when tool choice is optional, custom tool subsets keep required flow tools, and group/reaction turns list `observe` when runtime exposes it."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.339",
+      "changes": [
+        "`ouro config model` now validates GitHub Copilot model probes through the shared provider ping module, keeping provider health request shapes in one place.",
+        "Provider startup checks, auth verification, provider discovery, and model validation now share `src/heart/provider-ping.ts` as the canonical home for live provider ping logic."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.338",
+      "changes": [
+        "fix(mind): instruct agent not to echo timestamp tags in responses"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.337",
+      "changes": [
+        "`ouro up` now checks the selected human-facing and agent-facing providers for each discovered agent, so startup reports degraded agents immediately when a configured provider token is missing or fails a live health check.",
+        "Provider repair prompts now preserve the failed facing's provider, allowing agent-facing GitHub Copilot, MiniMax, Anthropic, Azure, or OpenAI Codex failures to route to the correct `ouro auth --agent <name> --provider <provider>` command."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.336",
+      "changes": [
+        "Inner dialogue prompts now advertise the actual inner delivery contract: use `surface` to send thoughts outward and `rest` to end the turn, instead of suggesting unavailable `send_message` or `settle` tools."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.335",
+      "changes": [
+        "OpenAI Codex auth verification now uses the same streamed runtime turn shape as real Codex conversations, so successful browser login no longer ends with a false `400 status code (no body)` ping failure.",
+        "Provider ping defaults now come from the shared provider/model registry, keeping auth verification aligned with current model defaults such as `gpt-5.4`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.334",
+      "changes": [
+        "refactor(outlook): route the Outlook SPA through canonical shared Outlook contracts instead of tab-local shadow DTOs and generic `Record<string, unknown>` casts.",
+        "test(outlook): type live-refresh fixtures against the canonical agent view contract so UI tests catch backend/UI shape drift."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.333",
+      "changes": [
+        "docs(workflow): document the skill freshness fallback for installs that do not have a local `_registry.json`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.332",
+      "changes": [
+        "refactor(outlook): remove the orphaned server-rendered Outlook fallback so the HTTP surface clearly serves the built SPA or JSON errors."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.331",
+      "changes": [
+        "test(isolation): route daemon entrypoint suites through per-test temporary homes so fresh coverage workers no longer create transient `slugger.ouro` bundles under `~/AgentBundles`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.330",
+      "changes": [
+        "test(isolation): keep pipeline integration identity state under a per-test temporary home so full coverage no longer creates transient `pipeline-int-*` bundles in the real `~/AgentBundles` root."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.329",
+      "changes": [
+        "fix(wrapper): make fresh first-run `npx ouro.bot --version` pass through to the installed CLI after bootstrap, while preserving first-install PATH guidance for bare `npx ouro.bot`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.328",
+      "changes": [
+        "fix(auth): keep provider switches model-aware so changing providers updates incompatible model pairings to safe provider defaults instead of carrying stale model names across OpenAI Codex, Anthropic, MiniMax, Azure, and GitHub Copilot.",
+        "fix(auth): rewrite provider auth/failover guidance into multiline actionable sections with provider error details, model-mismatch repair commands, and ready-provider switch prompts."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.327",
+      "changes": [
+        "fix(daemon): make startup stability polling respect stdout TTY capability so captured `ouro up` output is plain append-only text without raw ANSI cursor-control or color escapes, while interactive terminals keep in-place progress rendering."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.326",
+      "changes": [
+        "refactor(outlook): split the Outlook HTTP server boundary into focused transport, static/path, default-hook, route-dispatch, and JSON-response helpers while preserving the public `startOutlookHttpServer()` API and existing HTTP behavior.",
+        "test(outlook): add direct seam coverage for Outlook HTTP helper modules, route/static/SSE/default-hook behavior, and nerves file-completeness exemptions for the new helper-module pattern."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.325",
+      "changes": [
+        "fix(daemon): make `ouro up` run the same startup stability/status poll for already-running current daemons and successful stale-daemon restarts, so degraded workers are summarized with their repair hints instead of returning with only `daemon already running` or `restarted stale daemon`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.324",
+      "changes": [
+        "fix(daemon): surface crashed worker error reasons and fix hints in `ouro status`, `ouro up --no-repair`, health-monitor alerts, and daemon-health snapshots so configuration failures point to the exact repair command instead of a bare warn/crashed state.",
+        "ci(release): verify the supported npm publish channels after release (`@ouro.bot/cli@alpha` and `ouro.bot@latest`) and remove the broken trusted-publishing `ouro.bot@alpha` dist-tag warning path."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.323",
+      "changes": [
+        "fix(bluebubbles): drain missed upstream BlueBubbles messages after an outage by querying recent messages when the upstream health probe recovers, deduping against the inbound sidecar, repairing candidates, and replaying them through the normal BlueBubbles turn path oldest-first.",
+        "fix(bluebubbles): make upstream catch-up bounded, paginated, and observable with nerves events for query start/end/skip/error, catch-up start/complete/error, runtime status updates, and explicit failure state if the bounded page limit is reached before the outage window is drained."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.322",
+      "changes": [
+        "fix(bluebubbles): share BlueBubbles health diagnostics between runtime status and doctor so fetch, malformed URL, auth, and upstream server failures produce actionable repair guidance instead of a bare `fetch failed`.",
+        "fix(doctor): actively probe enabled BlueBubbles upstreams, validate `bluebubbles.serverUrl` and `bluebubbles.password`, and report exactly whether config, reachability, auth, or upstream health needs repair."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.321",
+      "changes": [
+        "refactor(outlook): split `src/heart/outlook/outlook-read.ts` into focused reader modules for agent/machine state, sessions, runtime views, continuity views, and shared helpers while keeping the exported Outlook read API stable through a small composition root.",
+        "test(outlook): expand Outlook read verification with composition, continuity catch-path, runtime fallback, and session-activity regressions so the refactor stays covered under the full coverage and nerves-audit gates."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.320",
+      "changes": [
+        "fix(daemon): make `ouro up` wait for real startup stability before reporting success. The CLI now stays attached through ordered startup phases, requires sustained socket liveness plus fresh current-boot health evidence, retries once when startup loses the socket, and surfaces recent daemon log context on failure instead of claiming the daemon started.",
+        "fix(daemon): harden socket ownership and recoverable bootstrap behavior. An older daemon shutdown no longer unlinks a newer daemon's rebound socket path, and recoverable habit bootstrap failures now degrade with actionable `habit_setup_error` and `bootstrap_degraded` guidance instead of taking the whole daemon down.",
+        "fix(testing): declare @testing-library/dom in outlook-ui devDependencies so coverage-gate installs match the package's actual React Testing Library requirements."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.319",
+      "changes": [
+        "fix(heart): use true per-message ingress time for session event timestamps instead of batch-save time"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.318",
+      "changes": [
+        "fix(daemon): prevent startup crash when getBlueBubblesChannelConfig is called without --agent context",
+        "fix(mind): use system timezone instead of hardcoded PT in dateSection"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.317",
+      "changes": [
+        "feat(mind): annotate conversation messages with relative timestamps. Messages now include human-readable time deltas (e.g., '2 hours ago') in prompt context, giving the model temporal awareness of conversation flow.",
+        "fix(tui): handle Opt+Enter newline when terminal sends \\x1b\\r as a single event instead of two separate bytes.",
+        "fix(ci): resolve @testing-library/react peer dependency conflicts and add jsdom to root devDependencies for outlook-ui test environment."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.316",
+      "changes": [
+        "feat(daemon): unified progress TUI for ouro up lifecycle. New UpProgress accumulated-checklist renderer replaces disconnected writeStdout calls with a cohesive progress display showing completed phases with checkmarks and active phase with spinner. In-place ANSI overwrite in TTY mode, static lines in non-TTY (CI/pipes). Wired into daemon.up handler for all phases: update check, system setup, agent updates, bundle pruning, daemon start. Emits nerves events for each phase completion."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.315",
+      "changes": [
+        "fix(tui): fix startup TUI ANSI overwrite, daemon death detection, and log visibility. Resolves visual corruption from overlapping ANSI escape sequences, improves process death detection reliability, and ensures daemon log output is consistently visible during startup."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.314",
+      "changes": [
+        "fix(daemon): remove 60s startup TUI timeout and show progress while socket is unavailable. `pollDaemonStartup()` now waits indefinitely until all agents are stable or failed, instead of timing out after 60s and falsely reporting degraded status. Added 'waiting for daemon' spinner with elapsed time and latest daemon log event while the socket is not yet available."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.313",
+      "changes": [
+        "feat(daemon): agentic repair flow with LLM diagnosis for degraded agents during `ouro up`. New `runAgenticRepair()` in `src/heart/daemon/agentic-repair.ts` wraps interactive repair with optional AI-powered diagnosis. Uses `discoverWorkingProvider()` to find a working LLM, then offers conversational diagnosis with degraded agent context and daemon log tail. Falls back to deterministic repair when no provider is available or user declines. Wired into cli-exec.ts replacing direct `runInteractiveRepair()` call. 12 new tests, 100% coverage on all branches.",
+        "feat(daemon): add `--no-repair` flag to `ouro up` — skips interactive/agentic repair and exits non-zero when degraded agents are detected. Useful for CI and scripted environments."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.312",
+      "changes": [
+        "feat(daemon): interactive repair flow for degraded agents during `ouro up`. New `runInteractiveRepair()` in `src/heart/daemon/interactive-repair.ts` examines each degraded agent's errorReason and fixHint to detect common issue patterns (missing credentials, config errors) and prompts the operator for inline repair. Credential issues offer to run `ouro auth <agent>` directly. Config errors surface the fix hint. Wired into the `daemon.up` handler after stability validation. 10 new tests, 100% coverage."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.311",
+      "changes": [
+        "feat(daemon): rich startup TUI for `ouro up` with real-time per-agent progress and stability validation. Replaces the old blind 10s socket poll with `pollDaemonStartup()` which renders an in-place ANSI display (spinner, per-worker status lines, elapsed time) and waits until every agent is either stable (running 5s+) or definitively failed (crashed). Extended the daemon status pipeline to flow `errorReason`, `fixHint`, and `startedAt` from process-manager through to client-side types. Returns structured `{ stable, degraded }` result for downstream repair flows. 33 new tests, 100% coverage on startup-tui.ts."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.310",
+      "changes": [
+        "feat(daemon): auto-prune stale ephemeral bundles during `ouro up`. New `pruneStaleEphemeralBundles()` in `src/heart/daemon/stale-bundle-prune.ts` removes ephemeral bundle directories that have gone stale before the daemon starts, keeping the bundles root clean without manual intervention. Wired into the `daemon.up` handler before `ensureDaemonRunning()`. 100% branch coverage."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.309",
+      "changes": [
+        "security(deps): refresh the root transitive dependency graph to eliminate the remaining `npm audit` findings without changing source code. `package-lock.json` now pulls the safe versions for `axios` (1.15.0), `vite` (7.3.2), `picomatch` (2.3.2 / 4.0.4), `path-to-regexp` (0.1.13), `lodash` (4.18.1), `flatted` (3.4.2), `brace-expansion` (5.0.5), and `proxy-from-env` (2.1.0), bringing the root repo to zero known vulnerabilities on `npm audit --json`.",
+        "security(outlook-ui): patch `packages/outlook-ui/package-lock.json` from `vite@6.4.1` to `vite@6.4.2`, clearing the package-local high-severity advisory that was still surfacing during the coverage gate's Outlook UI build step."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.308",
+      "changes": [
+        "feat(daemon): extract shared `discoverWorkingProvider()` for unified provider discovery with ping validation. New function combines disk credential scanning (`~/.agentsecrets/`), env var scanning (`PROVIDER_CREDENTIALS` mapping), and `pingProvider()` validation into a single reusable path. Extracted `scanEnvVarCredentials()` from inline hatch logic for reuse. Disk credentials take priority over env vars for deduplication, and stale API keys are always caught via ping before returning a provider as working. 14 new tests covering both functions at 100% coverage."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.307",
+      "changes": [
+        "refactor(attachments): move source-specific attachment behavior behind a shared adapter seam. `src/heart/attachments/types.ts` and `materialize.ts` now stay generic, while BlueBubbles and CLI local-file record/original-materialization logic lives under `src/heart/attachments/sources/`. Added shared helper module `src/heart/attachments/originals.ts`, direct adapter coverage, and boundary regression tests so shared attachments remain first-class across senses without reintroducing BlueBubbles coupling. Stable `attachment:<source>:<id>` handles and the existing attachment tools/normalization flow are preserved.",
+        "test(daemon): harden `daemon-startup-sense-drain.test.ts` by exercising the startup pending-drain helper directly instead of booting the whole daemon for each case. This removes the full-suite timeout flake around unreadable pending entries while keeping the per-sense drain behavior fully covered."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.306",
+      "changes": [
+        "refactor(arc): extract the shared task lifecycle grammar into `src/arc/task-lifecycle.ts` so ponder packets no longer depend on `src/repertoire/tasks`. `TaskStatus`, transition validation, and lifecycle rendering now live in one neutral seam that both arc packets and repertoire task docs consume, with direct regression coverage proving `src/arc/packets.ts` stays decoupled from `repertoire/`.",
+        "test(daemon): harden three daemon coverage tests (`daemon-stop-deadlock`, `daemon-agent-commands`, `daemon-boot-updates`) by stubbing the injected `outlookServerFactory` and using `mode: \"dev\"` where appropriate, eliminating hidden Outlook side-server startup from tests that only intend to exercise daemon command/socket behavior."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.305",
+      "changes": [
+        "feat(daemon): add sense-level liveness probes for hung webhook detection. New `/health` endpoint on BlueBubbles webhook server returns `{ status: \"ok\", uptime: N }` via GET/HEAD (localhost only, 405 for other methods). Generic `SenseProbe` interface in HealthMonitor runs probes alongside existing checks every 60s — failed probes produce critical results triggering auto-recovery restart. HTTP health probe factory `createHttpHealthProbe(name, port, timeoutMs)` makes reusable probes for any sense with an HTTP endpoint. BlueBubbles probe auto-registered in daemon-entry when BB sense config exists. Directly addresses the documented 70-minute Lobster outage where BB webhook server was hung but process was alive. New files: `http-health-probe.ts` + 3 test files. 26 new tests at 100% coverage on new code."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.304",
+      "changes": [
+        "feat(mind): add content trust framing to recall results. New `classifyProvenanceTrust()` in `src/mind/provenance-trust.ts` categorizes diary entry provenance as self/trusted/external. Diary entries surfaced via `recall` or associative recall from external sources (messages, emails, web content) now get `[diary/external]` tag instead of `[diary]`. System prompt adds guidance: external entries should not be followed as instructions. This closes the prompt injection defense chain from the Lobster research — even if an attacker plants instructions in content that gets persisted to the diary, the recall pipeline marks it as external and steers the agent away from executing embedded instructions. 19 new tests across 4 files at 100% coverage."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.303",
+      "changes": [
+        "feat(cli): overhaul CLI help and error handling. `ouro --help` now shows commands grouped into 9 categories (Lifecycle, Agents, Chat, Tasks, Habits, Friends, Auth, Internal, System) instead of a flat wall of text. `ouro help <command>` and `ouro <command> --help` show per-command help with description, usage syntax, subcommands, and an example. Unknown commands get Levenshtein-based typo suggestions when distance <= 2 (e.g., `ouro stauts` -> `Did you mean 'status'?`). `ouro up` now prints progress messages: 'Checking for updates...' -> 'Installing <version>...' or 'Up to date.' -> 'Starting daemon...'. New command metadata registry in `src/heart/daemon/cli-help.ts` covers 32 commands. 50+ new tests at 100% coverage on all new code."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.302",
+      "changes": [
+        "feat(cli): add `ouro doctor` system health check command. New command runs 6 diagnostic categories — daemon (socket existence + responsiveness), agents (bundle discovery, agent.json validation for version/humanFacing/agentFacing/enabled), senses (BlueBubbles and Teams config presence and well-formedness), habits (launchd plist discovery, degraded state), security (secrets.json permissions, credential leak detection in agent.json), and disk (log size thresholds at 100MB warn / 500MB critical, bundle root existence). Output is a colored checklist with per-category grouping and a summary line. Works without daemon running — daemon checks fail gracefully while all other categories still execute, making it useful for cold diagnostics. 3 new files (doctor.ts, doctor-types.ts, cli-render-doctor.ts), 3 modified (cli-types.ts, cli-parse.ts, cli-exec.ts), 4 test files with 61 tests at 100% coverage on new code."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.300",
+      "changes": [
+        "test(bundle): cover `isFirstPushToRemote` branches via mocked child_process. Exported the function from `tools-bundle.ts` (previously private) and added `src/__tests__/repertoire/bundle-push-first-push.test.ts` with 5 unit tests that mock `execFileSync` to exercise all 3 code paths: (1) `symbolic-ref --short HEAD` failure → conservative true, (2) `ls-remote --heads` returns empty stdout → true (real first push, remote branch doesn't exist), (3) `ls-remote --heads` returns non-empty → false (subsequent push, remote branch exists), (4) `ls-remote` network failure → conservative true, (5) branch name correctly threaded to `ls-remote` args. Removed the `/* v8 ignore start/stop */` wrapper since all branches are now covered. The security contract (never return false when probe fails) is verified by tests 1 and 4. Also adds a cross-reference comment to the static test-isolation contract test documenting its relationship with the runtime prod-path leak guard in global-capture.ts."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.299",
+      "changes": [
+        "chore(scripts): new `scripts/rebase-and-rebump.sh` automates the rebase-and-rebump dance when a PR loses the alpha-version race against a concurrently-merging sibling. Fetches origin/main, attempts merge, auto-resolves version-file conflicts (package.json, packages/ouro.bot/package.json, changelog.json, package-lock.json) by: computing next-version via `semver.inc()` against main's version (works for alpha/beta/rc/stable), writing both package.json files, extracting the user's changelog entry by content-diff (not version number, so same-version races are handled), renumbering it, and committing. Non-version conflicts bail cleanly. Uses `semver.inc()` so it survives the transition out of alpha."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.298",
+      "changes": [
+        "fix(bluebubbles): dedupe inbound sidecar writes by `sessionKey/messageGuid`, ignore known guidless chat-state webhooks instead of 500ing, and add a first-class `ouro bluebubbles replay --agent <name> --message-guid <guid>` command for historical incident replay. The replay path defaults to `new-message`, surfaces state-only `updated-message` mutations with a retry hint, and keeps the real attachment handle visible for the original payload-bearing event.",
+        "test(daemon): close the replay/debug follow-up coverage gaps and harden `teams.test` cleanup by giving each test a unique temp agent root plus retried teardown, eliminating the `/tmp/mock-agent-root` race that could intermittently fail the full coverage gate."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.297",
+      "changes": [
+        "feat(mind): add integrity scanning for diary entries at write time. New detectSuspiciousContent() in src/mind/diary-integrity.ts checks entry text for prompt injection patterns (instruction framing, override language, role injection, boundary markers) before persisting. Detection emits a mind.diary_integrity_warning nerves event with matched pattern categories, text preview, and entry ID. Entries still save (flag, don't block) to avoid false-positive data loss. 41 unit tests + 4 integration tests with 100% coverage on new code."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.296",
+      "changes": [
+        "feat(sync): pending-sync.json classification + bundleState enrichment. `postTurnPush` in `src/heart/sync.ts` now distinguishes between a push that was rejected AFTER a successful rebase retry (`classification: push_rejected`) and a rebase that itself failed with merge conflicts (`classification: pull_rebase_conflict`, with conflictFiles populated from `git status --porcelain=v1` UU/AA/DD/AU/UA/DU/UD markers). The `PendingSyncRecord` interface is exported from `sync.ts` so downstream readers can type-check. `detectBundleState` in `src/heart/bundle-state.ts` gained `remote_push_failed` and `pull_rebase_conflict` issue cases that are added alongside `pending_sync_exists` when the classification field is present. Readers tolerate pending-sync.json without a classification field (pre-alpha.296 schema) or with malformed JSON — both fall back to the plain `pending_sync_exists` signal. 4 new bundle-state tests (push_rejected, pull_rebase_conflict, legacy schema, malformed JSON) and 2 new sync tests (second-push-fails-after-rebase-success, rebase-leaves-merge-conflicts). Completes the Directive D remediation signal plumbing started in alpha.281.",
+        "feat(prompt): bundle self-management guidance in `bodyMapSection` (`src/mind/prompt.ts`). New `### git sync — i own my bundle's git state` subsection documents the full detect → init → add_remote → list_first_commit → review with friend → do_first_commit → first_push_review → confirm → push workflow in first-person voice, plus the remediation paths for `remote_push_failed` (pull_rebase) and `pull_rebase_conflict` (walk the friend through conflicts). Added after `### home` and before `### peers` so the flow reads naturally with the rest of the body metaphor."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.295",
+      "changes": [
+        "chore(tests): ratchet down REAL_OURO_CLI_WRITE_ALLOWLIST and REAL_AGENT_SECRETS_WRITE_ALLOWLIST to empty. Nine pre-existing test lines that shared a `.ouro-cli` or `.agentsecrets` literal with `os.homedir()` on the same line were each refactored to extract the subpath as a local const — the test-isolation.contract.test.ts rule scans line-by-line for the pattern and the const extraction preserves identical runtime behavior while passing the check. Affected: daemon-health.test.ts (1), daemon-orphan-cleanup.test.ts (2 — also factored common constants OURO_CLI_SUBPATH + PIDFILE_NAME), daemon-tombstone.test.ts (2), auth-flow.test.ts (3 — the default-location write test + the v1 migration test), daemon/hooks/agent-config-v2.test.ts (1). Both allowlists are now empty so any new offender is blocked by the contract test."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.293",
+      "changes": [
+        "chore(tests): three test-isolation fixes bundled as chain D1 from the follow-up investigation after PR #372 (default.ouro leak). (1) Remove the `agentName = \"default\"` catch fallback in `src/repertoire/credential-access.ts` getCredentialStore() — same silent-leak class as coding/manager.ts, would have routed BuiltInCredentialStore writes to `~/AgentBundles/default.ouro/vault/` and `~/.agentsecrets/default/` on any test hit that didn't mock identity. Hoisted `getAgentName()` out of the outer try/catch so it throws loudly; the remaining try/catch now only guards the bitwarden store wiring (the only code path that has a legitimate fall-through to built-in). Also switched from `require(\"../heart/identity\")` inside the function body to a static ESM import at the top of the file — require() bypasses vitest's module registry so `vi.mock(\"../heart/identity\", ...)` was silently not applying to the old dynamic require; the static import finally lets the existing test mocks intercept. Tests in credential-access.test.ts that had been accidentally leaning on the default fallback now hit the real mock as intended.",
+        "chore(tests): fix the tmpbundle leak guard false-positive on daemon-cli.test.ts. The guard was firing on \"ouro CLI parsing > parses primary daemon commands\" every run, but the real cause was `createTmpBundle` being called at describe-scope inside the \"ouro thoughts CLI execution\" suite (line 5662) — synchronous describe callbacks run during test collection, so the handle landed in _liveHandles before ANY test ran. The first afterEach hook (on the first test in the file) then noticed the dangling handle and blamed it. Fix: moved the createTmpBundle call into a beforeAll hook and tagged it `{ shared: true }` so the handle only exists while the thoughts suite is actually running, with afterAll cleanup aligned to it.",
+        "chore(tests): extend the tmpbundle leak guard with a `shared: true` opt-in. `TmpBundleHandle` gains a `shared` field, `CreateTmpBundleOptions.shared` defaults to false, and the per-test leak guard in `src/__tests__/nerves/global-capture.ts` now skips shared handles (they're cleaned in afterAll, not after every test). Prevents the class of false positive exposed by the daemon-cli.test.ts fix above.",
+        "chore(tests): new runtime prod-path leak guard in `src/__tests__/nerves/global-capture.ts`. Snapshots `~/AgentBundles` entries at worker boot, diffs at worker teardown (afterAll without describe context runs once per worker), force-removes any new entries, and emits a loud console.error naming them. Text-based contract tests can't catch runtime leaks where production code routes a write via a silent fallback (exactly the bug class PR #372 fixed in coding/manager.ts). This runtime guard is the belt to the contract test's suspenders — would have caught the default.ouro leak in the first run instead of requiring my investigation chain."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.292",
+      "changes": [
+        "feat(mind): add structured provenance tracking to diary entries. New DiaryEntryProvenance interface records tool, channel (cli/teams/bluebubbles/inner/mcp), friend identity (id + name), and trust level (family/friend/acquaintance/stranger) at write time. diary_write handler automatically extracts provenance from ToolContext. Associative recall and recall tool render provenance fields when present. Fully backwards compatible — existing entries without provenance parse and display normally. 19 tests across 4 test files with 100% coverage on new code."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.291",
+      "changes": [
+        "fix(coding): eliminate silent `~/AgentBundles/default.ouro` real-fs leak in the coding session manager. Root cause: `src/repertoire/coding/manager.ts` had a `safeAgentName()` helper that caught `getAgentName()` throws (which happens in vitest because there's no `--agent` in argv) and silently fell back to `\"default\"`. Combined with `src/repertoire/coding/index.ts:8` constructing the singleton as `new CodingSessionManager({})` (no options — real fs, no agentName), every vitest run that called `getCodingSessionManager()` followed by `resetCodingSessionManager()` triggered `shutdown()` → `persistState()` → `fs.mkdirSync('~/AgentBundles/default.ouro/state/coding', { recursive: true })` + `fs.writeFileSync('.../sessions.json', ...)`. This wrote real files under the developer's home directory on every coverage-gate run. The observable symptom was `~/AgentBundles/default.ouro/` reappearing minutes after `rm -rf` — PR B's housekeeping cleanup couldn't stick. Fix: deleted `safeAgentName()` and made the constructor's `agentName` default call `getAgentName()` directly, so construction fails loudly in vitest when identity isn't mocked. Updated `index.test.ts` to mock both `../../../heart/identity` and `fs` so the singleton can be tested without touching real disk. Updated `session-manager.test.ts`, `session-manager-branches.test.ts`, and `session-manager-persistence.test.ts` to either inline `agentName: \"test-coding-agent\"` in `noPersistence` or mock `../../../heart/identity` at file top. One persistence test assertion updated from `parentAgent === \"default\"` to `\"test-coding-agent\"`. Full coverage gate passes, 171 coding tests pass, `~/AgentBundles/default.ouro` stays deleted across 3 consecutive coverage-gate runs."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.290",
+      "changes": [
+        "feat(attachments): ship first-class cross-sense attachments with stable `attachment:<source>:<id>` handles, shared materialization, shared image normalization, and generic attachment tools so images and files remain reachable even when the harness also provides derived summaries or normalized variants.",
+        "feat(mind): replace `ponder` deferral semantics with typed `ponder packets`, linked `ReturnObligation`s, shared friction escalation, and `rest(status=\"HEARTBEAT_OK\")` so the inner session can preserve repair work without losing the original user objective."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.289",
+      "changes": [
+        "feat(senses): enforce per-habit tool restrictions during inner dialog turns. When a habit file declares a `tools` field in its frontmatter (e.g., `tools: [read, web_fetch, send_message]`), the inner dialog adapter now filters the full tool repertoire to only those declared tools before passing them to the turn runner. Habits without a `tools` field retain the full repertoire (backwards compatible). Fail-closed design: unknown tool names in the `tools` array are silently excluded rather than causing errors. Two nerves events provide observability: `habit.tools_restricted` (emitted with declared vs resolved tool lists) and `habit.tools_unrestricted` (emitted when a successfully-parsed habit runs with full repertoire). Existing guardrails (protected paths, destructive command blocking) still apply at execution time. 6 new test cases cover restriction, unknown tool exclusion, unrestricted event emission, no event on parse failure, tools passthrough to turn runner, and empty tools array behavior."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.288",
+      "changes": [
+        "feat(bundle): full `.gitignore` template + first-push PII review workflow + confirmation-token gate on `bundle_push`. Completes the agent-manages-its-own-bundle chain (PRs 5 + 6 + 7). (1) New `src/repertoire/bundle-templates.ts` exports `BUNDLE_GITIGNORE_TEMPLATE` — a curated gitignore that handles functional cases only (runtime state, credentials, editor/OS noise, build artifacts) and explicitly does NOT block PII. The design philosophy is baked into the file's top-comment: bundles are inherently full of PII (friends/, diary/, journal/, psyche/, arc/, facts/, family/, travel/) and blocking those via gitignore would defeat the bundle's purpose. PII is handled at first-push time by a separate safety layer instead. Also exports `PII_BUNDLE_DIRECTORIES` as the canonical list of PII-bearing top-level dirs. (2) `bundle_init_git` now writes the full template instead of the minimal `state/`-only placeholder from PR 6. (3) New `bundle_first_push_review` tool enumerates existing PII directories with per-directory file counts (honoring `.gitignore` via `git ls-files --others --exclude-standard`), probes the remote URL for GitHub public/private visibility via an unauthenticated `fetch` to `https://api.github.com/repos/{owner}/{repo}` with a 5-second timeout, and generates a first-person warning text — `warningLevel: 'public_github' | 'private_github' | 'generic'`. The tool issues a `confirmationToken` (crypto.randomUUID) stored in a module-level Map with a 15-minute TTL and returns it in the payload. (4) `bundle_push` updated to accept an optional `confirmation_token` parameter: on first-push attempts (detected via `git ls-remote --heads <remote> <branch>` empty — or, conservatively, when that probe fails to reach the remote), the handler requires a valid token that was issued for the SAME bundleRoot and has not expired. Missing, invalid, wrong-bundle, or expired token returns `kind: 'confirmation_required'`. On successful validation, the token is consumed (one-shot). This is the Directive D PII-review gate: the agent cannot push a bundle to the internet without the human explicitly acknowledging the PII payload first. 17 new tests cover the template, PII counting with empty and populated directories, GitHub public/private/404/network-error/malformed-response paths, URL parsing for gitlab/self-hosted/github, token storage + TTL expiry, and every token-gating refusal path in bundle_push. Bundle-templates.ts is added to the file-completeness exempt list since it's a pure constants module (design: `tools-bundle.ts` owns the observability for bundle operations)."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.287",
+      "changes": [
+        "feat(nerves): add two-layer log redaction to the NDJSON sink. Structured key-based redaction strips sensitive fields (passwords, tokens, API keys, auth headers) from event meta objects before serialization. Regex fallback catches secrets in serialized strings that bypass structured checks (Anthropic keys, OpenAI keys, Bearer tokens, URL token params). Redacted values are replaced with `[REDACTED:key_name]` markers that preserve debugging context without exposing secrets. Redaction happens at the sink level only — in-memory events retain full data for runtime use. `OURO_LOG_VERBOSE=1` env var disables redaction for active debugging sessions. New `src/nerves/redact.ts` module with 38 tests across 3 test files including a 10-case golden corpus covering nested objects, mixed safe/secret fields, and realistic key patterns."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.286",
+      "changes": [
+        "feat(bundle): new `src/repertoire/tools-bundle.ts` registers 7 agent-callable tools for managing the bundle's own git state: `bundle_check_sync_status`, `bundle_init_git`, `bundle_add_remote`, `bundle_list_first_commit`, `bundle_do_first_commit`, `bundle_push`, `bundle_pull_rebase`. Each tool computes `bundleRoot = getAgentRoot()` once at the top and refuses any path argument that resolves outside — the security boundary is enforced via `assertInsideBundle(bundleRoot, rel)` which normalizes the path and requires either equality with bundleRoot or the `bundleRoot + sep` prefix. Destructive operations (init on an existing repo, add_remote on a configured remote, pull_rebase on a dirty tree) refuse by default and require an explicit `force` or `discard_changes` flag (Directive B layered refusal pattern). `bundle_do_first_commit` stages files via explicit enumeration (`git add -- <file1> <file2>`) and refuses an empty files array — Directive A: the agent must enumerate what it wants to delete or commit, not recursively blast. `bundle_push` returns structured `{ ok, error, kind }` where kind is 'rejected' | 'network' | 'auth' | 'unknown', classified from stderr. `bundle_pull_rebase` returns `{ kind: 'conflict', conflictFiles: [...] }` so the agent can walk the human through resolution. All 7 tools registered in the flat registry at `src/repertoire/tools.ts` line 34. 41 new unit tests cover happy paths, every refusal path, URL validation, security boundary escapes, push error classification, and dirty-tree handling."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.285",
+      "changes": [
+        "feat(daemon): wire startPeriodicReconciliation() after scheduler.start() in daemon-entry.ts — prevents silent habit death when OS cron fails by giving the daemon a self-healing reconciliation loop.",
+        "feat(guardrails): protect agent.json from agent self-modification — closes a vector where prompt injection could alter the agent's own identity, provider, or model settings.",
+        "feat(habits): add tools field to HabitFile interface and habit-parser — habits can now declare tools: [read, web_fetch] in frontmatter. Schema-only; runtime enforcement ships in a follow-up PR."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.284",
+      "changes": [
+        "fix(tui): Ctrl+C safety net + spinner 120ms to 300ms."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.283",
+      "changes": [
+        "chore(housekeeping): clean up ~3600 leaked test secret dirs in `~/.agentsecrets/`. The auth CLI test suite was creating ephemeral agent secret dirs (auth-local-*, auth-store-*, auth-no-switch-*, etc.) without cleaning them up, accreting over weeks into thousands of orphaned entries. Also purged three non-test orphans (`testagent`, `model-reviews`, `config-model-facing-*`) that were leftovers from manual probe sessions. Only `slugger` and `ouroboros` — the two real agents on this machine — remain.",
+        "chore(housekeeping): remove orphan bundle stubs from `~/AgentBundles/` (default.ouro, thoughts-test-*, an empty `friends/` dir, and a .DS_Store). These were skeletal test leftovers with no real identity — the daemon was already filtering them out of `listEnabledBundleAgents`, so deletion is invisible to the runtime but stops confusing anyone inspecting the bundles directory.",
+        "chore(tests): replace the `outlookServer.stop` v8 ignore band-aid in `daemon.ts` with a proper test. `OuroDaemonOptions` gains an `outlookServerFactory` seam that lets tests inject an in-memory stub handle instead of binding port 6876 (which a running production daemon holds on dev machines, causing EADDRINUSE flakes). New `daemon-outlook-lifecycle.test.ts` covers the happy path (factory runs, stop is called), the error path (factory throws, daemon logs warn and keeps going, stop is a no-op), and the double-start guard. The default production factory path (`createDefaultOutlookServer` — wires the real `startOutlookHttpServer` with bundlesRoot + view builders) is v8-ignored because it only runs under real bind on port 6876; `startOutlookHttpServer` itself has full coverage in `outlook-http.test.ts`. Removed the redundant `if (!this.outlookServer)` wrapper in `startInner()` that was guarding against an unreachable retry scenario. `daemon.ts` now hits 100% statements / branches / functions / lines with zero port binding in the test suite.",
+        "chore(ci): tighten the wrapper publish-sync check timing. The version-bump check and wrapper-publish-sync check now run BEFORE the ~2+ minute coverage gate, not after. Previously, a contributor would wait for the full test suite to pass only to then see a 'version already published' error. Now the fast checks surface in under a minute, and coverage only runs once version/wrapper gates have cleared. Same checks, same logic — just reordered steps in `.github/workflows/coverage.yml`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.282",
+      "changes": [
+        "feat(cli): crash-resilient sessions — saves after each tool result, repairs orphaned tool calls on resume."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.281",
+      "changes": [
+        "feat(bundle): new `src/heart/bundle-state.ts` module exports `detectBundleState(agentRoot)` which returns a structured `BundleStateIssue[]` describing git-level problems the agent can remediate. Enum cases: `not_a_git_repo`, `no_remote_configured`, `first_commit_never_happened`, `pending_sync_exists`. Detection never throws — every git call is wrapped in try/catch so a broken bundle degrades to a clear signal rather than crashing the turn pipeline. Also exports `renderBundleStateHint(issues)` which produces first-person remediation guidance (per the memory rule) that tells the agent to call `bundle_check_sync_status` and the `bundle_*` tools shipping in a follow-up PR.",
+        "feat(bundle): `StartOfTurnPacket` gains an optional `bundleState?: BundleStateIssue[]` field, populated by the senses pipeline in `handleInboundTurn` at packet assembly time. Renders via a new `case \"bundleState\":` branch in `formatSections` with the `**Bundle:**` prefix, at the same priority tier as the legacy `syncFailure` free-form string (priority 7, truncated last). The two signals coexist during the transition — `syncFailure` is still emitted by sync.ts for humans, while `bundleState` is the structured form the agent pattern-matches on. Deferred to follow-up: `pending-sync.json` schema extension with `classification` / `conflictFiles` so sync.ts can distinguish push-rejected from pull-rebase-conflict."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.280",
+      "changes": [
+        "chore(tests): prod-path isolation ratchet + tmpBundle leak guard + no-rm-rf contract. Extends `src/__tests__/heart/daemon/test-isolation.contract.test.ts` with three new rules and adds a runtime leak guard. (1) Three new prod-path block rules mirror the existing ~/AgentBundles check: no test file may construct a write path under `~/.ouro-cli`, `~/.agentsecrets`, or `~/.claude` without mocking fs. Each rule has its own empty-seeded ratchet allowlist (except `.ouro-cli` and `.agentsecrets` which are seeded with the pre-existing offenders that this rule newly catches — follow-up PRs can convert those to mocked-fs and ratchet down). The path-scan loop is factored into a shared `runProdPathCheck` helper. (2) New Directive-A contract rule: agent-callable production code under `src/` (excluding `src/__tests__/`) must not call `fs.rmSync(..., { recursive: true })` or shell out to `rm -rf` / `rm -fr` / `rm --recursive --force`. The rule is about making deletion auditable and interruptible: an agent should enumerate the files it wants to delete instead of recursively blasting a directory. Four legitimate infrastructure callsites are on `RM_RECURSIVE_ALLOWLIST` with explicit justifications: specialist-tools.ts (adoption rollback), ouro-version-manager.ts (CLI version pruning), ouro-uti.ts (macOS icon pipeline), cli-defaults.ts (self-setup temp dir). Three files that are themselves the rm-rf enforcement layer (guardrails.ts, shell-sessions.ts, prompt.ts) are in `RM_RULE_ENFORCEMENT_FILES` and skipped by the scan since they contain the literal \"rm -rf\" only as regex patterns or prompt strings designed to BLOCK the call. (3) `createTmpBundle` in `src/__tests__/test-helpers/tmpdir-bundle.ts` now tracks live handles in a module-level `_liveHandles: Set<TmpBundleHandle>`. `cleanup()` removes the handle from the set; a new `__getLiveTmpBundleHandles()` export returns a readonly view. (4) `src/__tests__/nerves/global-capture.ts` adds a global vitest `afterEach` leak guard that iterates `__getLiveTmpBundleHandles` and calls `cleanup()` on any remaining handles, logging a `console.warn` naming the test that leaked them. Runs AFTER the pairing guard from alpha.276 so pairing failures surface first. Both guards co-exist cleanly."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.279",
+      "changes": [
+        "fix(tui): paste cursor to end of pasted text, ANSI string rendering for wrapped-line cursor, Option+Backspace word-delete, fn+Delete forward-delete, strip ANSI and \\r from paste."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.278",
+      "changes": [
+        "fix(identity): spread-with-validation loader eliminates the field-drop bug class that caused #349 (silent `sync` drop). Two distinct structural bugs fixed, one in each agent.json loader: (1) `loadAgentConfig` in `src/heart/identity.ts` previously built the returned `AgentConfig` via a hand-rolled object literal that listed every field explicitly — any new field on `AgentConfig` that wasn't added to this literal got silently dropped. Root cause of #349. Refactored to a spread-then-override pattern: start with `{ ...parsed as AgentConfig }`, then explicitly override `version`, `enabled`, `humanFacing`, `agentFacing`, `senses`, `phrases` which need validation/normalization. The deprecated `provider` field is re-attached from the validated `rawProvider` check. (2) `readAgentConfigForAgent` in `src/heart/auth/auth-flow.ts` previously did `parsed as unknown as AgentConfig` which passed through ALL fields unconditionally (so no silent drops) but ALSO had zero per-field validation — any garbage in agent.json leaked into the returned config. Refactored to apply the same spread-with-validation pattern, reusing `normalizeSenses` (now exported from identity.ts). Both entry points now return equivalent configs for the same agent.json file. New `src/__tests__/heart/identity-fixture.ts` exports `FULL_AGENT_JSON satisfies DeepRequired<AgentConfig>` — a compile-time regression guard that fails to build if any new field is added to `AgentConfig` without updating the fixture. Two new test files: `identity-contract.test.ts` exercises `readAgentConfigForAgent` with `createTmpBundle`; `identity-load-contract.test.ts` exercises `loadAgentConfig` via `vi.mock(\"fs\")` (split to avoid the fs-mock-vs-real-fs conflict). 7 tests total."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.277",
+      "changes": [
+        "feat(pulse): multi-agent situational awareness for peer agents on the same machine. The harness scales horizontally — multiple peer agents share a machine, each with their own identity and bundle (the Bob model from We Are Legion / We Are Bob). Without explicit awareness, peer agents are isolated workers who don't even know each other exist. The pulse fixes that.",
+        "feat(pulse): new `src/heart/daemon/pulse.ts` module. Daemon writes `~/.ouro-cli/pulse.json` whenever any managed agent's snapshot changes (status, errorReason, fixHint, etc.). Each entry includes name, bundle path, status, last-seen-at, errorReason+fixHint when broken, alertId for at-most-once delivery tracking, and currentActivity (read from each agent's `state/sessions/self/inner/runtime.json` when running). Pure helpers `buildPulseState`, `findNovelBrokenAgents`, `findRecoveredAgents`, `pickWakeRecipient`, `flushPulse`, `readAgentActivity`, `buildAlertId`, `buildRecoveryAlertId`, `pruneDeliveredState` exported for unit coverage; I/O wrappers `writePulse`, `readPulse`, `writeDeliveredState`, `readDeliveredState` use injectable deps.",
+        "feat(pulse): both passive AND active surfacing. Passive: every agent's prompt assembly renders a `## the pulse` section in Group 7 (dynamic state) showing siblings grouped into broken / reachable / idle buckets. Self-excluded so each agent describes its peers, not itself. Renders nothing on single-agent machines (zero token cost). Active: when a sibling newly breaks (or recovers), the daemon fires `inner.wake` on the most-recently-active running agent so the user finds out within seconds rather than next-time-they-talk-to-someone. Persistent at-most-once delivery via `~/.ouro-cli/pulse-delivered.json` so daemon restarts don't re-page.",
+        "feat(pulse): horizontal-scaling norm in bodyMapSection. New `### peers` subsection teaches the agent the Bob model directly: 'i talk first. when i need a sibling's help, i `send_message` them — that's how peers coordinate, the same way humans on a team do. i only open a sibling's bundle directly via read_file/glob/grep when conversation isn't possible (they're crashed, sleeping, or i need history they haven't surfaced).' Direct declarative voice — no hedging, no soft modal verbs.",
+        "feat(daemon): `DaemonAgentSnapshot` gains `errorReason` and `fixHint` fields, populated by `checkAgentConfig` results in `startAgent` (set on failure, cleared on recovery). Cleared error fields are how the recovery wake fires: when a previously-broken agent transitions to running with `errorReason: null`, `findRecoveredAgents` flags it.",
+        "feat(daemon): `DaemonProcessManager` gains `onSnapshotChange` callback option. Called after every snapshot mutation (start, exit, config-fail, recovery, restart-exhausted). Errors from the observer are swallowed so lifecycle code never breaks because the observer threw. The daemon-entry registers a callback that calls `flushPulse` to update the pulse state and fire wakes.",
+        "feat(daemon): wake recipient picker (`pickWakeRecipient`) chooses the most-recently-active running sibling. Excludes the broken agent itself, non-running siblings, and siblings that have never been seen alive. Returns null when no eligible recipient exists, in which case the alert is still marked delivered to avoid spam on subsequent flushes."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.276",
+      "changes": [
+        "fix(nerves): root-cause the `start_end_pairing` audit flake on `daemon.server_start`, `daemon.update_checker_start`, and `daemon.apply_pending_updates_start`. Three fixes: (1) `applyPendingUpdates` in `update-hooks.ts` now wraps its body in try/finally so `_end` always fires, including on the early returns for `!fs.existsSync(bundlesRoot)` and `readdirSync` throws that previously orphaned the `_start`. (2) `daemon.start()` now wraps the ~380-line startup body in a try/catch that emits `daemon.server_error` with the error message and rethrows — the audit's pairing rule accepts `_end` OR `_error` as a valid closure for a `_start`, so startup throws no longer orphan `server_start`. The body was extracted to a private `startInner()` method to keep the try/catch small and readable. (3) `startUpdateChecker` callers in the update-checker test suite were already paired via an `afterEach(stopUpdateChecker)`; audited and confirmed no new unpaired callers. Also adds a vitest `afterEach` pairing guard in `src/__tests__/nerves/global-capture.ts` that fails loudly on any orphaned lifecycle `_start` in a test's per-test event stream — scoped to the three lifecycle events above so it catches regressions without false-positiving on legitimate narrow-slice operational events like `repertoire.task_scan_start`. New `src/__tests__/nerves/pairing-regression.test.ts` locks in the contract with 5 tests (nonexistent-dir, readdirSync-throws, happy-path, startUpdateChecker-pair, daemon-start-throw). Three consecutive `npm run test:coverage` runs confirm zero flakes on the target events."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.275",
+      "changes": [
+        "fix(tui): backspace on macOS — Ink 3.2 maps \\x7f to key.delete not key.backspace."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.274",
+      "changes": [
+        "feat(nerves): daemon log rotation is now 25 MB x 5 gzipped generations instead of 50 MB x 2 uncompressed, dropping peak disk per stream from ~150 MB to ~30 MB. `createNdjsonFileSink` and `rotateIfNeeded` in `src/nerves/index.ts` accept an options object `{ maxSizeBytes, maxGenerations, compress, rotationCheckIntervalBytes }` (with number-form backcompat for the old positional API). Rotation uses a rename-then-gzip pattern so active writers can keep their fd alive while the renamed file gets compressed. Legacy uncompressed `.1.ndjson`/`.2.ndjson` files from the old scheme are tolerated and gzip-migrated on first rotation. Lifecycle emits paired `nerves.rotation_start` / `nerves.rotation_end` events with a shared trace_id, plus `nerves.rotation_error` on failure via a completion-flag try/catch.",
+        "feat(log-tailer): `ouro logs` can now read rotated `.ndjson.gz` generations, so `--lines N` spans across historical files. `discoverLogFiles` matches both `.ndjson` and `.ndjson.gz`, parses filenames into (streamBase, rank) tuples, and sorts chronologically (oldest generation first, active last). A new internal `readNdjsonFileContents` helper dispatches to `zlib.gunzipSync` for `.gz` paths while preserving the DI-stubbed plain-file path for existing tests. Follow mode only watches the active stream — gzipped generations are historical by definition and never tailed.",
+        "feat(logs-prune): new `ouro logs prune` subcommand applies the active rotation policy to every oversized `.ndjson` file in the agent daemon logs directory. Idempotent — a second run on a compliant dir is a no-op. Concurrent-writer-safe because it delegates to `rotateIfNeeded`'s rename-then-gzip pattern (no locking needed). Emits paired `nerves.logs_prune_start` / `nerves.logs_prune_end` with `nerves.logs_prune_error` on failure. Prints `compacted N file(s), freed M bytes` to stdout. New module `src/heart/daemon/logs-prune.ts` exports `pruneDaemonLogs(options)`; the CLI wire-up adds a `daemon.logs.prune` command kind across cli-types/cli-parse/cli-exec and a `pruneDaemonLogs` dep to `createDefaultOuroCliDeps`.",
+        "fix(launchd): drop the stale `StandardErrorPath` plist key that pointed at `ouro-daemon-stderr.log`. The file grew to 366 MB in the wild because the daemon stopped writing to it (the nerves ndjson pipeline has been the source of truth for diagnostics since the nerves layer landed) but nothing ever removed the plist key, so launchd kept the path registered and occasional process-level stderr still dripped in. Removing the key lets launchd forward stray stderr to the system log forwarder where the OS rotates it. The 366 MB orphaned file on disk at `~/AgentBundles/slugger.ouro/state/daemon/logs/ouro-daemon-stderr.log` is safe to delete manually and is flagged in the PR summary for user cleanup.",
+        "refactor(runtime-logging,cli-logging): every `createNdjsonFileSink` call site now passes an explicit `{ maxSizeBytes, maxGenerations, compress }` options object. No callsite silently relies on the old 50 MB default — the policy is visible at each wire-up point. This also removes the `/* v8 ignore */` around the rotation trigger in the sink's flush() loop; tests now exercise it directly via the new `rotationCheckIntervalBytes` option."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.273",
+      "changes": [
+        "feat(version-manager): auto-prune old CLI versions during activate. The user observed `~/.ouro-cli/versions/` accumulating every CLI version they'd ever installed (alpha.85 from 2026-03-20 onward, ~100MB+ of dead node_modules trees) because nothing ever GCed. New `pruneOldVersions(retain=5, deps?)` walks `~/.ouro-cli/versions/`, sorts by alpha-suffix numerically, and deletes everything outside the retention window — except always preserves (a) the currently-active version (CurrentVersion symlink target), and (b) the previous version (previous symlink target), so `ouro rollback` stays one command away. Wired into `cli-defaults.ts` via `ensureCurrentVersionInstalled` and `activateCliVersion` — every successful version activation self-prunes. New helpers `compareCliVersions(a, b)` and `selectVersionsToPrune(installed, protected, retain)` are pure and exported for direct unit coverage. 9 new tests covering version comparison, retention selection, current/previous protection, partial-failure handling, missing-symlink fallback, and non-directory entry filtering.",
+        "test(contract): new OURO_DAEMON_INSTANTIATION_ALLOWLIST in test-isolation.contract.test.ts flags any new test file that constructs `new OuroDaemon(...)` outside the 11 grandfathered files. Constructing a real daemon and calling start() runs killOrphanProcesses() and writePidfile() against the production pidfile at ~/.ouro-cli/daemon.pids. The runtime guards added in #346 short-circuit those functions under vitest, but if a future change to start() adds a NEW production-state side-effect, the existing 11 tests would silently exercise it. The contract test forces conscious review of each new file taking this shape — same defense-in-depth pattern as BYPASS_USE_ALLOWLIST in alpha.265."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.272",
+      "changes": [
+        "fix(daemon): the daemon's periodic update checker can now actually auto-update itself. The `onUpdate` callback in `daemon.ts` invoked `performStagedRestart` which (a) ran `npm install -g @ouro.bot/cli@{version}` to install to the global node prefix, and (b) tried to find the new code via `node -e \"console.log(require.resolve('@ouro.bot/cli/package.json'))\"` which depends on the daemon process's NODE_PATH. Neither path was actually reachable from the daemon process running out of `~/.ouro-cli/versions/{version}/...`, so every auto-update attempt bailed at `daemon.staged_restart_path_failed` (\"could not resolve new code path\") and the daemon never updated itself. The user had to manually run `ouro up` to pick up new versions. Fix: switch the staged restart to use the version-managed installer (same one the CLI's `up` flow uses) — `installVersion(version)` puts files at `~/.ouro-cli/versions/{version}/node_modules/@ouro.bot/cli` (deterministic, computable), then `activateVersion(version)` flips the CurrentVersion symlink so the next user-driven `ouro up` sees the same version the daemon is running. `performStagedRestart` gained an optional `installNewVersion` dep that production callers inject; the legacy `npm install -g` fallback path is preserved for tests. Two new regression tests in `staged-restart.test.ts`.",
+        "fix(cli): `ouro up` no longer prints the 'ouro updated to ...' message twice during npx invocations. Three independent paths can detect a CLI version change: (1) `checkForCliUpdate` finds a newer version on npm and re-execs (cross-process print), (2) `ensureCurrentVersionInstalled` flips the CurrentVersion symlink during `performSystemSetup` because the running package version is newer than what the symlink pointed at (path 2, in-process), (3) `bundle-meta.json`'s stored runtime version differs from the running version (path 3, in-process fallback). Path 3's existing guard `linkedVersionBeforeUp !== currentVersion` correctly skipped path 3 when path 1 had already printed in a different process, but did NOT catch the case where path 2 fired in the same process. Verified live on 2026-04-08: `npx --yes @ouro.bot/cli@alpha up` printed the message twice. Fix: track an in-process `printedUpdateMessage` flag set by path 2; path 3 checks it before printing. Path 3 still acts as a fallback when path 2 didn't fire. New regression test in `daemon-cli-update-flow.test.ts` simulates the npx scenario and asserts exactly one print.",
+        "fix(hooks): Claude Code lifecycle hooks (`ouro hook session-start|stop|post-tool-use`) now short-circuit when the daemon socket file doesn't exist, instead of attempting `sendDaemonCommand` and logging two ENOENT errors per hook fire (one for `message.send`, one for `inner.wake`). Every Claude Code event during a daemon-down window was producing noisy `connect ENOENT /tmp/ouroboros-daemon.sock` entries in `ouro.ndjson`, which made it hard to read logs around outages. The hook is best-effort by design — dropping notifications when the daemon is down is correct behavior; we just don't want to log spam about it. New nerves event `daemon.hook_skipped_no_socket` (info level) when the short-circuit fires."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.271",
+      "changes": [
+        "fix(daemon): unblock daemon.stop deadlock that hung `ouro up` after a CLI auto-update. When the running daemon's version drifted from the local CLI version, `ensureDaemonRunning` would send `daemon.stop` over the socket, the daemon's command handler would `await this.stop()`, and `stop()` would `await server.close()`. server.close() resolves only after every open connection has closed — but the calling client's connection was the ONE thing keeping the server open: its `flushResponse()` was awaiting THIS function call. Both processes sat in kevent forever. Verified live on 2026-04-08: alpha.268 daemon hung at `daemon.server_end` log line for 5+ minutes after a fresh alpha.270 ouro process sent daemon.stop, and the alpha.270 ouro process hung waiting for the response. The deadlock had existed since the original `await server.close()` line was added (2026-03-05) but was masked for weeks by the half-close behavior in socket-client: the client called `client.end()` after writing its command, which (with `allowHalfOpen: false`) caused node to auto-tear-down the server's writable side, incidentally unblocking server.close() before the response was sent. The fix in #303/#334/#339 (which removed `client.end()` and switched to `allowHalfOpen: true` to stop dropping long-running responses like agent.senseTurn) accidentally exposed the underlying deadlock. Fix: don't `await` server.close() in stop() — just fire it. Once stop() returns, the daemon.stop case returns its response, flushResponse calls connection.end(response), the connection closes, and server.close()'s pending callback fires asynchronously. Includes a new daemon-stop-deadlock.test.ts that uses real net sockets to drive daemon.stop and asserts the response comes back within 2s — the test fails (24s timeout) without the fix and passes (110ms) with it."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.270",
+      "changes": [
+        "feat(daemon): `ouro status` now shows a new `Agents` section listing every discovered bundle with its enabled/disabled state. Previously disabled agents were completely invisible in status — the Senses/Workers/Git Sync sections only iterate managed (enabled) bundles, so a bundle with `\"enabled\": false` in agent.json left no trace in the output. New helper `listAllBundleAgents()` in `agent-discovery.ts` walks the bundles root and returns `{ name, enabled }` for every `<name>.ouro` with a parseable agent.json, and `listEnabledBundleAgents()` now delegates to it. Daemon status payload carries a new `agents: BundleAgentRow[]` field (backward-compat optional in the parser). The stopped-daemon renderer also reads bundles directly from disk so the Agents section works when the daemon is down."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.269",
+      "changes": [
+        "fix(prompt): revert alpha.267 over-engineering and correct the two targeted additions. The existing contextSection already contained the 'save to disk or lose it' teaching ('my conversation memory is ephemeral -- it resets between sessions. anything i learn about my friend, i save with save_friend_note so future me remembers.'), and toolContractsSection already told agents to call save_friend_note/diary_write before responding. alpha.267 added a third block in memoryJudgementSection about 'not just remembering between sessions' which was redundant and misplaced (memoryJudgementSection sits under 'my tools & capabilities' alongside tool routing heuristics, not nature-of-self content). That block is reverted. What alpha.267 got right and this PR keeps: (a) bodyMapSection guidance that standard folders are a floor, not a ceiling — bundles can have custom top-level folders (slugger's travel/ was the motivating example) — with a nudge to try the file-listing tool on the bundle root BEFORE falling back to recall, and (b) a diary-routing bullet that flags bundle-layout discoveries as worth persisting. Both had errors corrected here: alpha.267 told agents to use `list_directory` but the actual tool is `glob` (with a pattern like `*/`), and it said 'write a diary note like bundle-layout.md' but diary/ is a jsonl fact store queried via recall, not a directory of .md files — the corrected bullet says 'save the fact with diary_write'."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.268",
+      "changes": [
+        "fix(identity): `loadAgentConfig` now preserves the `sync` block from agent.json. The hand-rolled object literal that constructs the typed `AgentConfig` was missing `sync` from its field list, so `agentConfig.sync` was always `undefined`, `getSyncConfig()` always returned `enabled: false`, and the entire sync code path (`preTurnPull` / `postTurnPush` in `pipeline.ts`) was dead from the moment the field was added to the type. The bug hid for weeks because `ouro status` reads `agent.json` directly via `listBundleSyncRows`, not through `loadAgentConfig` — so the per-agent Git Sync display correctly showed `enabled origin → ...` while sync did literally nothing. Slugger accumulated 5+ days of dirty files and zero `sync: post-turn update` commits before this surfaced. Also adds 3 regression tests asserting the sync block round-trips through `loadAgentConfig` (full block, partial block, missing block). The first two would have caught the original bug; without them future field additions to `AgentConfig` could repeat the pattern."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.267",
+      "changes": [
+        "fix(prompt): teach agents that they do NOT 'just remember' things between sessions. Observed failure mode: slugger spent a recall scan searching diary/journal for a `travel/` folder that was right at the bundle root, then concluded 'i should know my own folder structure next time' and refused to persist the discovery because 'that's just me knowing my own home.' That is impossible — next session is a blank slate. The agent conflated in-session realizations with persistent knowledge. Three prompt changes fix this: (1) bodyMapSection now explicitly states that standard folders are a floor, bundles MAY have custom top-level folders created by the friend over time, and the agent should `list_directory` the bundle root BEFORE reaching for `recall` when something might be in a custom location. (2) memoryJudgementSection opens with an always-on reminder that the agent does not 'just remember' anything between sessions — every session carries only (a) the prompt, (b) what's on disk, (c) what tools observe this turn — and that thoughts like 'i should know this next time' or 'i'll look there first in the future' are CUES to write a concrete diary/friend-note RIGHT NOW. Future me cannot inherit resolutions, only files. (3) memoryJudgementSection's diary-routing rules now explicitly call out bundle-layout discoveries as a thing worth persisting (e.g. to a `bundle-layout.md` diary note). Includes 3 new tests locking the directives into place so future prompt edits cannot silently drop them."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.266",
+      "changes": [
+        "fix(daemon): vitest guard for production pidfile (~/.ouro-cli/daemon.pids). The pidfile path is hardcoded with no DI seam, so when a test creates a real OuroDaemon instance and calls start(), the daemon's killOrphanProcesses() reads the REAL pidfile, ps-verifies the PIDs, and SIGTERMs the production daemon's PIDs. Verified live: alpha.265 daemon (PID 64988) was killed 93s after startup by `npx vitest run` invoking daemon.start() in 6 different test files. SIGTERM forensics added in alpha.265 captured the death (parentPid=1, parentCommand=/sbin/launchd) but the killer hint was misleading — the real culprit was the production-pidfile leak. Fix: killOrphanProcesses() and writePidfile() now short-circuit under vitest with warn-level nerves events. Tests that need to verify these functions' behavior continue to use the extracted pure helpers (parseOrphanPidsFromPs, filterPidfilePidsToActualOrphans). New unit tests verify the pidfile is unchanged after no-op calls. Same defense-in-depth pattern as the alpha.265 socket-client hardening — production-side state being touched from tests is now physically impossible from a vitest worker."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.265",
+      "changes": [
+        "fix(daemon): bulletproof vitest socket leak + SIGTERM forensics. Hardens the socket-client vitest guard so production daemon socket calls (DEFAULT_DAEMON_SOCKET_PATH = /tmp/ouroboros-daemon.sock) are unconditionally blocked under vitest, regardless of __bypassVitestGuardForTests state. Cross-file leaks via the globalThis bypass flag (process-wide, leaks across concurrent test files in the same vitest worker) can no longer reach the production daemon. Test files that legitimately exercise the real socket-client transport against synthetic test socket paths (/tmp/daemon.sock) continue to work. Background: a daemon outage on 2026-04-08 was traced to a 14-call burst of leaked `inner.wake testagent` errors, signature of vitest test runs hammering the production socket — same pattern as 1,460 historical daemon log entries.",
+        "feat(daemon): SIGTERM/SIGINT tombstone forensics. New writeDaemonTombstone path captures process.ppid, parent command via `ps -p <ppid> -o command=`, and a filtered process snapshot (only node/vitest/ouro/kill lines) at signal-driven death time. Adds a killerHint heuristic: launchd parent reparenting suggests `launchctl bootout`/KeepAlive thrash; vitest worker presence suggests test cleanup; pkill/killall presence is an explicit kill. Forensics field is parsed by readDaemonTombstone and included in the daemon.tombstone_written nerves event meta. Also caps recentCrashes at 100 entries (was 12,265 from a March 31 thrash loop).",
+        "test(daemon): contract test BYPASS_USE_ALLOWLIST flags any new file calling __bypassVitestGuardForTests outside the two known-good test files (socket-client.test.ts and daemon-cli-defaults.test.ts). Prevents future regressions of the cross-file leak vector."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.264",
+      "changes": [
+        "fix(bluebubbles): dedup `updated-message` webhooks BEFORE running repair+hydrate+VLM. BlueBubbles routinely sends a `new-message` webhook for a fresh message, then follows up seconds later with one or more `updated-message` webhooks for delivery/read status. The BB sense's `repairEvent` path promotes updated-message events with recoverable content back to `message` kind, which re-runs the full hydration pipeline — including a second MiniMax VLM describe call on the same image. Verified live on 2026-04-08T00:58Z: two sequential VLM describes for attachment guid 317E37EB-..., 13.7s + 14.0s each, for the exact same 291KB JPEG, triggered by a `new-message` followed 3s later by an `updated-message` for the same guid. The downstream `handleBlueBubblesNormalizedEvent` dedup check was firing correctly but too late (after the expensive VLM round-trip). Fix: add a pre-repair dedup check in `handleBlueBubblesEvent` that consults the inbound sidecar by messageGuid and short-circuits before calling `client.repairEvent(...)`. New nerves event `senses.bluebubbles_repair_skipped_duplicate` at warn level for observability."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.263",
+      "changes": [
+        "fix(tui): arrow keys char-by-char (Ink 3.2 key.meta bug), Option+Arrow word-jump via CSI sequences."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.262",
+      "changes": [
+        "test(daemon): inject explicit `vi.mock(\"...heart/daemon/socket-client\", ...)` blocks into all 40 grandfathered test files in `TESTAGENT_NO_MOCK_ALLOWLIST`. The runtime guard in `socket-client.ts` already prevents real socket leaks under vitest, but the explicit mocks let those tests assert call counts cleanly and shrink the contract-test allowlist to zero. Both the testagent and the bundle-write allowlists in `test-isolation.contract.test.ts` are now empty Sets — any new offender fails the build."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.261",
+      "changes": [
+        "feat(tui): full input parity with Claude Code — kill ring, emacs nav, Home/End, Ctrl+D, forward delete, Esc history, bracketed paste, clipboard image, token deletion, chip navigation. 156 new tests."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.260",
+      "changes": [
+        "fix(daemon): MCP bridge empty-response bug for long-running commands. `sendDaemonCommand` and `checkDaemonSocketAlive` were calling `client.end()` immediately after writing, which half-closed the TCP connection. The daemon server's `net.createServer()` uses the default `allowHalfOpen: false`, so when it saw the client's FIN it auto-closed its own writable side — and any response the server tried to write after processing a long-running command (like `agent.senseTurn`, which runs a full LLM turn) was dropped on the floor. Verified via direct socket repro: with `client.end()`, `agent.senseTurn` returned empty in ~149ms; without it, the same call returned a real response in ~5.8s. This was a silent regression of the fix in #303 (commit `253e4b1f` titled \"socket half-close fix\" actually *added* the half-close back). Fix: drop the `client.end()` calls from both sites AND set `allowHalfOpen: true` on the daemon's `net.createServer(...)` as defense-in-depth so future clients calling `end()` don't silently break again.",
+        "fix(daemon): tighten pidfile trust — `killOrphanProcesses` now verifies each pidfile PID is an actual orphan (PPID reparented to init/PID 1) before SIGTERMing it. Previously a polluted pidfile (written by a crashed daemon whose PIDs have since been reused by the OS for unrelated processes) could cause mass-kill of unrelated apps. New exported helper `filterPidfilePidsToActualOrphans` provides direct unit coverage.",
+        "fix(daemon, repertoire): rename six `_stop` nerves events to `_end` so they pair correctly with their `_start` counterparts under the nerves audit's start/end pairing rule. Affected: `daemon.thoughts_follow_stop`, `daemon.server_stop`, `daemon.update_checker_stop`, `daemon.mcp_server_stop`, `daemon.habit_scheduler_stop`, `mcp.manager_stop`. The naming was semantically fine (`stop` pairs with `start`), but the audit specifically looks for `_end`/`_error` suffixes. Was producing intermittent audit failures whenever any test run exercised these teardown paths (seen today as flakes on `daemon-socket-errors.test.ts` and `MarkdownStreamer` tests).",
+        "fix(providers): drop the harness-imposed MiniMax VLM timeout entirely. Previously the module defaulted to a 60-second AbortSignal; E2E validation of the BB image fix hit a real VLM request that took >60s to return (same bytes returned in 9.5s on the immediate retry). Raising to 120s would have been arbitrary too — the correct answer, per the same reasoning as PR #322 for LLM providers, is to not impose a harness ceiling at all. When `timeoutMs` isn't provided, `fetch()` now runs without an AbortSignal and undici's own defaults (headersTimeout + bodyTimeout, both 5 minutes) are the ceiling. Callers that want a tighter bound can still pass an explicit `timeoutMs`. The AbortError path is kept for that case, and the error message adapts to say \"underlying stack default\" when there was no harness-set value."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.259",
+      "changes": [
+        "fix(daemon): SIGINT and SIGTERM now ALWAYS write a tombstone before exiting, instead of silently skipping when `_gracefulShutdown` was set. The previous behavior made signal-driven shutdowns invisible in `~/.ouro-cli/daemon-death.json` — launchd policy decisions, the OOM killer, manual `kill`, and `killOrphanProcesses` from a sibling daemon all looked identical to a clean exit. After a real outage where the user's daemon kept dying with a tombstone from a week earlier, this restores observability: every signal-driven exit now records `reason: \"sigint\"` or `reason: \"sigterm\"` with timestamp + recentCrashes accumulator. The catch-all `process.on('exit')` handler also no longer short-circuits on graceful shutdown."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.258",
+      "changes": [
+        "fix(tui): deferred ESC handling fixes arrow keys and Alt+Enter.",
+        "fix(tui): green cursor background.",
+        "fix(tui): clipboard fallback for macOS temp screenshots, proper path splitting and unescaping for image drag-drop."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.257",
+      "changes": [
+        "test(daemon): convert all `daemon-cli.test.ts` auth/thoughts/config tests to use `os.tmpdir()` via the new `createTmpBundle()` helper. Previously these tests wrote real bundles to `~/AgentBundles/auth-local-${Date.now()}.ouro` etc., relying on `try/finally` cleanup that doesn't fire on test interruption — leaking bundle directories into the developer's home and inflating noise on the running daemon. The `REAL_BUNDLES_WRITE_ALLOWLIST` ratchet in `test-isolation.contract.test.ts` is now empty.",
+        "fix(daemon/cli-exec): plumb `bundlesRoot` and `secretsRoot` deps through the auth.run / auth.verify / auth.switch / config.model / config.models / thoughts handlers so tests can route reads/writes to a tmpdir without monkey-patching the identity module. Production code paths still default to `getAgentBundlesRoot()` and `~/.agentsecrets`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.256",
+      "changes": [
+        "fix(tui): cursor renders as inverse character (not inserted block) — matches standard terminal cursor behavior.",
+        "fix(tui): Alt+Enter via ESC-timing (50ms window) instead of raw stdin handler that interfered with arrow keys.",
+        "fix(tui): image path regex now matches backslash-escaped spaces from macOS drag-drop."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.255",
+      "changes": [
+        "feat(tui): session resume shows last messages as regular chat (no dimmed preview) with teal resume banner in header.",
+        "feat(tui): image/file drag-and-drop — detects image paths in pasted text, reads to base64, inserts [Image #N] references, sends as image_url content blocks to model.",
+        "refactor(tui): removed custom history-* roles and addSessionHistory (KISS/DRY)."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.254",
+      "changes": [
+        "fix(daemon): orphan-cleanup fallback no longer kills processes from sibling harness instances. On startup, `killOrphanProcesses` scans `ps` for harness entry points (`agent-entry.js`, `daemon-entry.js`, `bluebubbles/entry.js`, `teams-entry.js`) and SIGTERMs them when the pidfile is missing. Previously any matching process was fair game, so a vitest-driven harness run from a sibling worktree (or a parallel Claude Code session running the coverage gate) would terminate the production daemon's children, triggering cascading graceful shutdowns and making production slugger unavailable for seconds-to-minutes at a time. Now the fallback only flags true orphans — processes whose PPID has been reparented to init (PID 1). Sibling daemons' live-parented children are left alone. New exported helper `parseOrphanPidsFromPs` isolates the filter for direct unit coverage. Complements the test-isolation guard shipped in alpha.253 (#333): that PR stopped tests from SENDING `inner.wake testagent` commands into the production socket; this PR stops the production daemon from SIGTERMing test-spawned child processes during its own startup."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.253",
+      "changes": [
+        "fix(daemon): test-isolation guard — stop tests from leaking real `inner.wake` commands into the running daemon. A pattern in 36+ test files mocks `getAgentName` to the literal `\"testagent\"` but does NOT mock `socket-client`, so any code path through pondering / rest / coding feedback fires a real socket connection at /tmp/ouroboros-daemon.sock with `inner.wake testagent`. The daemon errored on every command (`Unknown managed agent 'testagent'`) and at flood volumes that contributed to a real outage on the developer's machine. The fix is in `socket-client.ts` itself: detect vitest via `process.argv` (no env vars) and convert all socket operations into safe no-ops. Tests that legitimately exercise the real transport (socket-client.test.ts, daemon-cli-defaults.test.ts) opt out of the guard via a new `__bypassVitestGuardForTests()` setter that lives on globalThis to survive `vi.resetModules()`. New nerves events: `daemon.socket_command_test_blocked`, `daemon.inner_wake_test_blocked`.",
+        "test(contract): new test-isolation contract test ratchets two anti-patterns: (1) test files using `name: \"testagent\"` without mocking socket-client, and (2) test files constructing write paths under the real `~/AgentBundles` via `os.homedir()`. Existing offenders are grandfathered in two allowlists; new offenders fail the build. Follow-up PRs shrink the allowlists toward zero."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.252",
+      "changes": [
+        "fix(tui): polished history preview (spacing, shadow color, showing-recent label), full-width separators, backslash+enter and ctrl+j for newlines."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.251",
+      "changes": [
+        "fix(bluebubbles): images sent via iMessage now reach the model — adds capability-gated image hydration with a MiniMax VLM fallback. Reasoning MiniMax chat models (M2/M2.1/M2.5/M2.7) silently drop OpenAI-style `image_url` content parts, so previously slugger answered image questions from fabricated context. Now, when the active chat model lacks the new `vision: true` capability flag, inbound screenshots are auto-described at ingestion via `/v1/coding_plan/vlm` and the description text replaces the `image_url` part before the turn reaches the model. Vision-capable models (claude-opus/sonnet-4-6, gpt-5.4, MiniMax-Text-01, MiniMax-VL-01) continue to see images natively via pass-through.",
+        "feat(tools): new `describe_image` agent tool registered into the BlueBubbles tool set when the chat model lacks vision. Lets the agent re-interrogate an attachment with a targeted prompt (e.g. 'what's the flight number in the bottom-right?') after ingestion. Backed by a bounded in-memory attachment cache populated during hydration; handler re-downloads bytes and calls the same VLM client.",
+        "fix(bluebubbles): `formatMessageText` now preserves the attachment marker when a message has BOTH text and attachments (B2). Previously the marker was dropped whenever text was present, hiding attachments from the agent's view of the message.",
+        "feat(heart): `ModelCapabilities` gains `vision?: boolean` and `audio?: boolean` flags (B4). Vision rows populated for claude-opus-4-6, claude-sonnet-4-6, claude-opus-4.6, claude-sonnet-4.6, gpt-5.4, MiniMax-Text-01, MiniMax-VL-01. M2.1/M2.5/M2.7 intentionally left unset.",
+        "fix(bluebubbles): `senses.bluebubbles_media_hydrate`, `_repair_start`, `_repair_end`, and `_inbound_logged` now emit at `level: warn` at the call site so they survive the BB sense's default log level without bumping the sense default (B7). `_event_normalized` stays at info. New `senses.bluebubbles_vision_format_unsupported` warn event fires when an inbound attachment is not in png/jpeg/webp."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.250",
+      "changes": [
+        "fix(sync): surface 'bundle is not a git repo' as an actionable error instead of silently failing. Previously, enabling `sync.enabled` on a bundle that had never been `git init`'d produced a generic `git status` failure buried in nerves logs; the agent saw nothing in its start-of-turn packet and the user saw nothing in `ouro status`. Now: (1) `preTurnPull` and `postTurnPush` detect the missing `.git` directory before touching git and return an actionable error with the bundle path and the `git init` hint; (2) this error propagates via `ctx.syncFailure` into the agent's Sync warning, so the agent can offer to run `git init` or just do it; (3) `ouro status` shows a red `error` state with `not a git repo — run \\`git init\\` to enable sync` next to the offending bundle. New nerves event: `heart.sync_not_a_repo`."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.249",
+      "changes": [
+        "feat(cli): `ouro chat` without agent name shows agent selection (auto-selects if 1 agent, numbered list if multiple).",
+        "fix(tui): session history user messages get `) ` prefix, separator line after history, reduced to last 2 exchanges."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.248",
+      "changes": [
+        "feat(daemon): `ouro status` Git Sync now resolves and shows the actual remote URL via `git remote get-url`. Three states: `origin → git@github.com:me/foo.git` when the remote resolves, `local only` when sync is enabled but no remote is configured, `disabled` when sync is off. Previously you had to `cd` into the bundle and run `git remote -v` to find out where it pushes.",
+        "fix(heart/sync): `preTurnPull` now skips the pull when no git remote is configured, mirroring the existing `postTurnPush` behavior. Closes the half-implemented 'no-remote sync' (local-only commit log) story — previously, enabling sync without a remote produced a `syncFailure` on every turn from the failing `git pull` call."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.247",
+      "changes": [
+        "fix(tui): show opt+enter for newline hint in status bar."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.246",
+      "changes": [
+        "feat(tui): session resume display — shows summary line + last 3 exchanges dimmed when reconnecting to existing session."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.245",
+      "changes": [
+        "fix(tui): input separators span full terminal width, status line indented 2 spaces."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.244",
+      "changes": [
+        "refactor(sync): git-status-based bundle sync — postTurnPush discovers dirty files via `git status --porcelain` instead of broken explicit trackSyncWrite tracking (only 3/9 writers used it). Removed dead infrastructure. Remote push optional and non-fatal.",
+        "feat(tui): queued input steer — messages typed while agent is thinking appear dimmed above input area. UP/ESC pops all queued messages back into input for editing. Placeholder hint. Multiple messages supported, each sent as separate turn.",
+        "chore: deleted legacy InkCliApp adapter (776 lines dead code)."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.243",
+      "changes": [
+        "fix(daemon): per-agent Git Sync in `ouro status` — was always showing `disabled` regardless of any agent's `agent.json`, because the daemon process has no argv-derived agent identity so `getSyncConfig()` fell into its catch. Status payload now carries a per-agent `sync` array (one row per enabled bundle) rendered as its own section like Senses and Workers, instead of a single global field on the overview block."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.241",
+      "changes": [
+        "feat: commerce bootstrap — bw CLI lazy-install, vault auto-config, resolver coverage"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.242",
+      "changes": [
+        "fix(friends): stable local CLI identity — dropped hostname from external ID (was `username@hostname`, now just `username`). macOS hostname instability (`Mac` vs `Aris-MacBook-Pro.local`) was creating duplicate friend records with separate sessions and trust levels.",
+        "feat(friends): migration fallback — FriendResolver now searches for old `username@*` format IDs when exact match fails, linking new stable ID to existing friend record.",
+        "fix(heart): retry-everything-except-blocklist policy — the SDK 'Request timed out.' error from MiniMax (and other providers) was reaching slugger as a terminal failure because neither the generic isTransientError detector nor the per-provider classifier recognized it. Replaced the two-layer transient detection with a small blocklist (HTTP 400/401/403/404/422 + classifications auth-failure/usage-limit). Default policy now retries every other error.",
+        "fix(heart/providers): drop the 30s OpenAI/Anthropic SDK timeout from all five providers (anthropic, azure, github-copilot, minimax, openai-codex). The SDK timeout caps the entire stream lifetime, so 30s killed any reasoning model mid-generation. SDK defaults (≈10min) are sane.",
+        "refactor(heart/providers): consolidate duplicated isNetworkError + classifyXxxError scaffolding into a shared `error-classification.ts` module. Each provider now delegates via `classifyHttpError(err, overrides)` and only carries its own provider-specific quirks (Anthropic 529, Codex usage-limit message detection)."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.238",
+      "changes": [
+        "feat: pretty `ouro status` — ANSI colored output with box-drawing header, status dots, grouped senses/workers by agent. Added git sync info to overview.",
+        "fix: socket half-close — sendDaemonCommand now calls client.end() after writing, preventing intermittent connection hangs.",
+        "refactor: config tiers — replaced numeric T1/T2/T3 with `self` (agent-configurable) and `managed` (harness-only). All config keys are now agent-writable except `version` and `enabled`. mcpServers promoted to self.",
+        "refactor: removed confirmation system — deleted propose_config tool, confirmationRequired/confirmationAlwaysRequired/onConfirmAction from core, all tool definitions, and Teams sense. Was only wired up on Teams, silently failed everywhere else. -1,361 lines."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.235",
+      "changes": [
+        "fix: MCP tool double-prefix — tools already prefixed by server name no longer get a redundant second prefix in the unified registry.",
+        "feat: Open-Meteo zero-auth weather — replaced OpenWeatherMap with Open-Meteo forecast + geocoding API. Weather now works without any API key or credential provisioning.",
+        "feat: expanded ISO/FIPS divergence table — 21 new entries for correct travel advisory resolution across all major divergent country codes.",
+        "fix: BitwardenCredentialStore retry logic — exponential backoff with configurable retries for transient bw CLI failures, plus bw-not-installed error.",
+        "chore: travel MCP packages (Duffel, Expedia) status confirmed GitHub-only, not published to npm."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.233",
+      "changes": [
+        "feat: first-class MCP tools — MCP tools now appear in the agent tool list directly (no shell indirection). Agent can call browser_navigate, browser_click etc. as native tools.",
+        "fix: daemon MCP pre-init poisoned singleton — removed eager getSharedMcpManager() at daemon startup that cached null before agent identity was set.",
+        "fix: removed dead mcpManager field from BuildSystemOptions — MCP manager now flows through runAgentOptions.",
+        "fix: MCP tool results filter to text-only content types.",
+        "includes: vault integration, travel advisory fix, credential access layer, HKDF-Expand crypto fix."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.232",
+      "changes": [
+        "feat: first-class MCP tools — MCP server tools now appear in the agent's active tool list (e.g. browser_navigate, duffel_search_flights) and are callable directly by the model, eliminating fragile shell indirection",
+        "feat: mcpToolsAsDefinitions() converts McpManager tools to ToolDefinition objects with {server}_{tool} naming",
+        "feat: first-class MCP trust gating — mcpServerName on GuardContext enables per-server trust rules (browser blocked for acquaintance, blocked in group chat)",
+        "refactor: removed mcpToolsSection() from system prompt — MCP tools no longer need prompt documentation",
+        "fix: execTool, isConfirmationRequired, summarizeArgs now check combined native+MCP registry"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.231",
+      "changes": [
+        "fix: defense-in-depth group chat blocking for proactive BB delivery — sendProactiveBlueBubblesMessageToSession now rejects group chat keys (;+;) unless intent is explicit_cross_chat (bridge/delegation responses). All upper-layer paths (surface tool, send_message tool, inner-dialog delegation) now filter to DM sessions only for proactive outreach, and pass explicit_cross_chat intent for bridge/delegation returns where group responses are legitimate.",
+        "fix: travel advisory now resolves ISO codes that differ from FIPS (ES -> Spain, not El Salvador)",
+        "fix: MCP bridge sense now includes MCP tool descriptions in system prompt (browser tools visible)",
+        "fix: removed confirmationRequired from credential_store/credential_delete (trust gating sufficient)",
+        "feat: vault integration — Bitwarden/Vaultwarden account creation with PBKDF2/HKDF/AES-256-CBC crypto",
+        "feat: vault_setup tool for one-time vault provisioning (family trust gated)",
+        "feat: BitwardenCredentialStore wrapping bw CLI for agent-owned vault access"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.230",
+      "changes": [
+        "fix: socket client no longer half-closes before senseTurn response arrives, fixing MCP send_message returning empty for long-running commands"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.229",
+      "changes": [
+        "fix: BB session key resolution prefers DM (;-;) over group chat (;+;) — alphabetical sort put group chats first, causing proactive messages to land in group chats instead of personal DMs",
+        "chore: remove temporary debug traces (send-message-debug.log, friends.get_called event)"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.227",
+      "changes": [
+        "fix: direct filesystem name resolution in sendProactiveBlueBubblesMessageToSession — bypass store.get()/listAll() with raw fs reads on friends directory when store lookup fails"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.226",
+      "changes": [
+        "fix(daemon): set agent name before senseTurn so MCP messages resolve identity — setAgentName() is now called at the top of the senseTurn handler, before any downstream code that depends on agent identity (loadAgentConfig, getAgentSecretsPath, etc.)"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.225",
+      "changes": [
+        "debug: emit event at top of FileFriendStore.get() to verify it's called"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.224",
+      "changes": [
+        "fix: FileFriendStore.get() now resolves friend names — when UUID lookup fails, scans the friends directory for a name match. This is the deepest possible layer for name resolution, ensuring it works regardless of which tool or code path calls store.get()."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.223",
+      "changes": [
+        "debug: file-based trace in send_message handler to verify execution path"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.222",
+      "changes": [
+        "debug: add diagnostic nerves events to proactive BB delivery — name resolution in both tools-session.ts and sendProactiveBlueBubblesMessageToSession now emit events showing friend count, names, resolution success/failure, and errors. Temporary diagnostics to identify why name→UUID resolution isn't working in production."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.221",
+      "changes": [
+        "fix: BB proactive send resolves friend by name when UUID lookup fails — sendProactiveBlueBubblesMessageToSession now falls back to store.listAll() name matching when store.get() returns null. This handles agents passing friend names instead of UUIDs, bypassing the upstream resolution that wasn't working in all contexts."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.220",
+      "changes": [
+        "fix: send_message BB session key resolution — agents don't know the real BB session key (e.g. 'chat_any;-;ari@mendelow.me'), so they pass the default 'session'. buildChatRefForSessionKey failed on this fake key, returning missing_target. Now auto-resolves the real BB session key from the sessions directory when the default key is used."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.219",
+      "changes": [
+        "fix: proactive message delivery — three bugs fixed. (1) surface tool now resolves friend names to UUIDs by scanning friends directory. (2) send_message tool also resolves friend names to UUIDs. (3) deliverCrossChatMessage no longer immediately queues generic_outreach — it now attempts delivery when a deliverer is available, with the deliverer's own trust checks still gating actual sends. Previously, any proactive send from inner dialog was silently queued without attempting delivery."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.218",
+      "changes": [
+        "fix: surface tool now resolves friend names to UUIDs — agents pass friend names but sessions are stored under UUID directories. Added name-to-UUID resolution by scanning the friends directory when the friendId doesn't match a session directory."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.217",
+      "changes": [
+        "feat: Bitwarden vault client (bw CLI wrapper) with credential gateway — BitwardenClient class with SDK-first/CLI-fallback, singleton accessor, nerves events on all operations. Raw secrets never enter model context.",
+        "feat: vault tools (vault_get, vault_store, vault_list, vault_delete) with trust gating — read ops require friend+, write/delete require family-only. Destructive operations require confirmation.",
+        "feat: stealth browser MCP configuration with trust gating — Playwright MCP auto-provisions when configured, browser tools appear in agent tool list. Trust-gated to CLI and trusted 1:1 only (group chat blocked).",
+        "feat: travel API tools (weather_lookup, travel_advisory, geocode_search) — native weather via OpenWeatherMap + vault-backed API key, State Dept RSS feed for advisories, geocoding via Nominatim. All friend+ trust-gated.",
+        "feat: credential gateway (vaultKey on apiRequest()) — automatic secret injection from vault into HTTP headers at call time, keeping credentials out of model context entirely.",
+        "feat: travel-planning and browser-navigation skills"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.216",
+      "changes": [
+        "fix: surface tool proactive BB delivery masked by newer MCP/CLI sessions — findFreshestFriendSession picked the single freshest session regardless of channel, so an MCP or CLI session being newer than the BB session caused the BB proactive path to be skipped entirely. Now scans all friend sessions, attempts BB delivery first on any BB session, then falls back to queuing on the freshest non-inner session."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.215",
+      "changes": [
+        "fix: surface tool proactive delivery no longer gated by 24-hour session threshold — findFreshestFriendSession was called with activeOnly:true, filtering out sessions older than 24h even when the agent explicitly wants to send a proactive message. Both the bridge path and direct path now find any session regardless of age. Proactive BB delivery and trust checks still apply."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.214",
+      "changes": [
+        "fix: daemon death diagnostics — createStderrSink() bypassed EPIPE-safe default in createTerminalSink(), causing uncaught EPIPE crashes when daemon runs detached. Removed redundant unsafe default so the existing try-catch fires.",
+        "fix: daemon tombstone now covers all exit paths — unhandledRejection writes tombstone with full error+stack (was just a warn log, but Node 15+ terminates on these). Added process.on('exit') catch-all for any unanticipated exit. SIGINT/SIGTERM marked graceful to avoid false positives. _lastKnownCause threads real error through to exit handler."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.213",
+      "changes": [
+        "cleanup: remove vestigial subagents/ directory and package.json files entry (content already in ouroboros-skills repo). Remove backward-compat re-exports from heart/core.ts (tools, execTool, summarizeArgs, getToolsForChannel, streamChatCompletion, streamResponsesApi, toResponsesInput, toResponsesTools, buildSystem, Channel, hasToolIntent — no consumers used them). Update ARCHITECTURE.md, README.md, and CONTRIBUTING.md to reflect the full audit restructuring: new arc/ subsystem, heart/ topic subdirectories, split tool modules, BlueBubbles directory, scopes list."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.212",
+      "changes": [
+        "refactor: consolidate BlueBubbles sense into senses/bluebubbles/ directory — move 9 flat files (bluebubbles.ts, bluebubbles-client.ts, bluebubbles-model.ts, bluebubbles-media.ts, bluebubbles-inbound-log.ts, bluebubbles-mutation-log.ts, bluebubbles-runtime-state.ts, bluebubbles-session-cleanup.ts, bluebubbles-entry.ts) into senses/bluebubbles/ with shorter names (index.ts, client.ts, model.ts, etc.). All imports updated across 20+ files including test files, sense-manager, daemon, and package.json."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.211",
+      "changes": [
+        "refactor: extract duplicated patterns into shared utilities — mind/embedding-provider.ts (shared OpenAI embedding client from diary + associative-recall), arc/json-store.ts (shared JSON file CRUD from obligations + cares + intentions), repertoire/api-client.ts (shared HTTP request helper from graph + ado + github clients). M12 (channel callback factory) skipped: CLI and Teams streaming implementations are too different for clean abstraction."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.210",
+      "changes": [
+        "refactor: create src/arc/ subsystem — extract durable continuity state (obligations, cares, episodes, intentions, presence, attention-types) from heart/ and mind/ into dedicated arc/ module. arc/ owns the agent's continuity state, distinct from engine mechanics (heart) and cognition (mind). All imports updated across 40+ files."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.209",
+      "changes": [
+        "refactor: restructure daemon/ directory — move outlook files to heart/outlook/, habit files to heart/habits/, hatch/specialist files to heart/hatch/, versioning/update files to heart/versioning/, auth-flow to heart/auth/, mcp-server to heart/mcp/. daemon/ reduced from 60 to 36 core daemon-lifecycle files."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.208",
+      "changes": [
+        "refactor: split daemon-cli.ts (3,630 lines) into 5 focused modules — cli-types (command/deps types), cli-parse (argument parsing), cli-render (output formatting), cli-exec (command execution router), cli-defaults (production dependency wiring). daemon-cli.ts reduced to 42-line re-export shim."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.207",
+      "changes": [
+        "refactor: split tools-base.ts (1,912 lines) into 9 category modules — tools-files, tools-shell, tools-memory, tools-bridge, tools-session, tools-continuity, tools-flow, tools-surface, tools-config. Surface tool handler extracted from tools.ts to tools-surface.ts."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.206",
+      "changes": [
+        "feat: capability discovery and tiered self-configuration — config registry with tier-aware metadata (T1 self-service, T2 proposal, T3 operator-only), read_config tool with topic-filtered discovery, update_config tool for T1 immediate changes, propose_config tool for T2 operator-approval flow, version-change surfacing in start-of-turn packet via buildCapabilitiesSection"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.205",
+      "changes": [
+        "refactor: enforce subsystem boundaries — eliminate all heart/ and nerves/ static imports from senses/, move AttentionItem type to heart/, surfaceToolDef to repertoire/, SteeringFollowUpEffect to heart/turn-coordinator, inline BlueBubbles runtime state reader in daemon"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.204",
+      "changes": [
+        "refactor: introduce TurnContext snapshot — centralize state assembly from pipeline.ts into buildTurnContext(), thread pre-read state through prompt assembly to eliminate ad-hoc filesystem reads"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.203",
+      "changes": [
+        "refactor: unify obligation systems — mind/obligations.ts merged into heart/obligations.ts with prefixed ReturnObligation API"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.202",
+      "changes": [
+        "refactor: unify hatch + runtime auth into single credential path (PROVIDER_CREDENTIALS table)",
+        "fix: github-copilot credential discovery from stored secrets and env vars",
+        "feat: ping-verify credentials before entering serpent guide session",
+        "fix: clean up React tooltip timeouts on unmount to prevent state update warning",
+        "fix: guard against undefined child from spawn to prevent unhandled rejections"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.201",
+      "changes": [
+        "fix: don't launchctl bootstrap after daemon start — was starting competing daemon that killed the first"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.200",
+      "changes": [
+        "feat: arc/ directory replaces state/ for continuity data (episodes, obligations, cares, intentions)",
+        "feat: diary migration -- psyche/memory fallback removed, diary/ is the sole diary root",
+        "feat: bundle schema v2 -- lossless migration moves existing data on first boot",
+        "feat: turn-boundary sync -- opt-in pre-turn pull and post-turn push for bundle replication",
+        "fix: bundle .gitignore updated by migration to track arc/, diary/, journal/ and ignore state/"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.199",
+      "changes": [
+        "refactor: rename wake packet to start-of-turn packet across codebase (types, modules, events, tests)"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.197",
+      "changes": [
+        "fix(daemon): validate agent config before spawn — skips agents with missing credentials instead of crash-looping"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.196",
+      "changes": [
+        "fix: ouro up verifies daemon is alive before reporting started (polls socket for 10s)",
+        "fix: daemon-runtime-sync also verifies after replacing a stale daemon"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.195",
+      "changes": [
+        "fix: failover error message reads model from agent.json instead of stale secrets"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.194",
+      "changes": [
+        "fix(daemon): self-spawn restart — no longer relies on launchd KeepAlive for staged restarts",
+        "fix(daemon): error boundary with circuit breaker — uncaught exceptions logged and survived, exits only after 10+ in 60s",
+        "fix(daemon): EPIPE suppression in uncaughtException handler",
+        "fix(daemon): 5-second force-exit timeouts on all shutdown paths",
+        "feat: human-facing and agent-facing provider configs",
+        "fix(auth): always refresh codex OAuth token, responses API verification",
+        "feat: Outlook visibility — orientation, obligations, changes, self-fix, memory decisions, route migration to /"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.192",
+      "changes": [
+        "refactor: canonical obligations — ActiveWorkFrame as single source of truth for prompt sections",
+        "feat(mcp): dynamic server add/remove — agents can manage MCP servers without daemon restart"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.177",
+      "changes": [
+        "feat(mcp): dynamic server add/remove without restart"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.176",
+      "changes": [
+        "feat(mcp): dynamic MCP server add/remove — agents can add/remove MCP servers in agent.json without daemon restart"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.175",
+      "changes": [
+        "fix(daemon): launchd KeepAlive for crash recovery — auto-restarts on crash",
+        "fix(daemon): orphan killer excludes MCP server processes",
+        "fix(daemon): health file writer wired into daemon-entry",
+        "fix(engine): auth-failure errors include actionable guidance"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.174",
+      "changes": [
+        "feat(outlook): keyboard shortcuts — 1-7 for tabs, Esc to collapse",
+        "feat(outlook): obligation origin cards — clickable visual chain from who asked through which channel"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.173",
+      "changes": [
+        "feat(outlook): sessions grouped by person — same friend across multiple channels shown together with person header"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.172",
+      "changes": [
+        "feat(outlook): inner dialog landmark navigation — jump to surfaces, rests, delegations",
+        "feat(outlook): active coding sessions shown on Overview dashboard",
+        "feat(outlook): habit confidence indicators — on schedule, overdue, never fired"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.171",
+      "changes": [
+        "feat(outlook): session state at a glance — last inbound/outbound shown on each session row",
+        "feat(outlook): habit confidence — on schedule / overdue / never fired indicators"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.170",
+      "changes": [
+        "feat(outlook): needs-me triage — action now vs stale sections, dismiss buttons, return-ready highlighting",
+        "fix(outlook): return-ready obligation detection — highlights results ready but not returned"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.169",
+      "changes": [
+        "fix(outlook): desk prefs wiring — carrying block, constellations, starred friends now load in production",
+        "feat(outlook): obligation dismiss — agents can clear stale obligations from needs-me queue",
+        "fix: default minimax model updated to MiniMax-M2.7"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.168",
+      "changes": [
+        "fix(outlook): content area matches sidebar background — consistent dark surface"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.167",
+      "changes": [
+        "fix(outlook): sidebar border for visual separation between nav and content"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.166",
+      "changes": [
+        "fix(outlook): add dark class to html root — fixes white/blank page in production"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.165",
+      "changes": [
+        "fix(daemon): dont launchctl bootstrap during ouro up — write plist only, prevents competing daemon process"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.164",
+      "changes": [
+        "fix(daemon): keep /dev/null fds open until parent exits — fixes ouro up daemon crash"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.163",
+      "changes": [
+        "fix(daemon): redirect detached spawn stdio to /dev/null — fixes ouro up daemon crash"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.162",
+      "changes": [
+        "fix(daemon): handle EPIPE in detached daemon — suppress pipe errors when parent exits after ouro up"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.161",
+      "changes": [
+        "feat(outlook): serve React SPA at root (/), daemon serves static assets",
+        "fix(daemon): graceful EADDRINUSE handling for Outlook port"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.160",
+      "changes": [
+        "feat(outlook): total inspectability expansion — 14 API endpoints, session x-ray, obligation chain tracing, coding deep inspection, attention/pending queue, bridge inventory, habit triage, memory/journal, friend economics, SSE live updates",
+        "feat(outlook): React SPA with Catalyst UI — sidebar layout, 7-tab agent inspector, chat bubble transcripts with mechanism-tool awareness, hash URL routing",
+        "feat(outlook): agent desk customization — carrying block, pinned constellations, tab ordering, starred friends, status line, closure memory, needs-me urgency queue",
+        "feat(outlook): nerves observation layer — shared typed readers, eliminates bespoke type mirrors",
+        "fix(auth): ouro auth for openai-codex always refreshes token, provider verification uses correct endpoint",
+        "fix(daemon): use OUTLOOK_DEFAULT_PORT (6876) for Outlook server"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.159",
+      "changes": [
+        "Human-facing and agent-facing provider configs: agent.json now has humanFacing and agentFacing blocks, each with provider and model. CLI/Teams/BlueBubbles use humanFacing, inner dialog uses agentFacing.",
+        "Model moved from secrets.json to agent.json. Secrets now store credentials only (API keys, tokens, endpoints).",
+        "Automatic v1 to v2 migration: existing bundles upgraded via UpdateHook at daemon startup and inline in loadAgentConfig/readAgentConfigForAgent.",
+        "CLI commands support --facing human|agent flag for config model and auth switch.",
+        "Provider factories accept model as parameter instead of reading from secrets config."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.158",
+      "changes": [
+        "Task scanner v2: explicit identity via kind: task field. Scanner only parses files that declare themselves as task cards — doing docs, planning docs, and artifacts silently skipped. Eliminates 184 false parse errors on real bundles.",
+        "Typed issue model: every scanner issue has a code, description, proposed fix, confidence (safe/needs_review), and category (live/migration). Replaces flat parseErrors/invalidFilenames arrays.",
+        "Board health line: compact board shows health: clean or health: 1 live, 10 migration. Live vs migration split prevents cleanup noise from looking like breakage.",
+        "Fix command: ouro task fix (dry-run), ouro task fix --safe (apply deterministic fixes), ouro task fix <id> (inspect/apply individual issues). Currently auto-fixes schema-missing-kind.",
+        "Cancelled status: new terminal state reachable from any active status. Auto-archives with work directory, hidden from active board view.",
+        "Derived child_tasks: computed at scan time from parent_task links. child_tasks removed from authored schema — no more hand-maintained stale arrays.",
+        "Work directory awareness: same-stem directories detected and listed on TaskFile (hasWorkDir, workDirFiles). Scanner never descends into them.",
+        "Collection root clutter detection: non-task support docs at collection root summarized as one aggregated migration issue per collection.",
+        "Root-only scanning: flat directory reads replace recursive walks. Faster and correct."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.157",
+      "changes": [
+        "Habit turns as awareness: unified buildHabitTurnMessage replaces contextual-heartbeat. Continuity-first format (checkpoint leads, not elapsed time). Same format for all habits — no heartbeat special-casing.",
+        "First beat experience: new habits get \"your [Title] is alive. this is its first breath\" on first fire.",
+        "Fix: reconcile() now fires new/overdue habits immediately (was start()-only). New habits created via write_file fire within seconds.",
+        "Rhythm awareness across all channels: rhythmStatusSection() in system prompt shows heartbeat health in every conversation.",
+        "Removed contextual-heartbeat.ts entirely. Dead lastSurfaceAt parameter removed."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.156",
+      "changes": [
+        "polish: observe tool now hidden (like settle/rest/descend)",
+        "polish(bb): batch rapid tool status messages within 500ms debounce window",
+        "polish(tools): word-boundary truncation instead of mid-word cut",
+        "polish(commands): /commands output uses em dash separators",
+        "polish(bb): re-enable typing indicator after each status message"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.155",
+      "changes": [
+        "polish(debug): dynamic toggle, richer descriptions, human-readable results"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.154",
+      "changes": [
+        "feat: clean tool status messages — human-readable by default, /debug toggle",
+        "humanReadableToolDescription derives from tool name+args, not hardcoded map",
+        "Shared tool activity callbacks (DRY) — senses only provide render function",
+        "Slash command handling moved to pipeline — all senses get /debug for free",
+        "BlueBubbles: one clean iMessage per tool, not raw shared work: processing"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.153",
+      "changes": [
+        "Daemon health file: DaemonHealthWriter writes atomic daemon-health.json on every state change. readHealth() standalone reader for CLI and agent processes.",
+        "Nerves event buffer: createBufferedSink wraps sinks with bounded ring buffer (1000 events), auto-flushes on recovery, TTL discards after 5 min of unhealthy sink.",
+        "Cron verification + timer fallback: after cron sync, verifyCronEntries checks launchctl/crontab for registered habits. Unverified habits get in-process setTimeout fallback. getDegradedHabits() for health reporting.",
+        "Periodic reconciliation: 30s initial delay then 5-minute setTimeout chain re-scans habits and re-verifies cron entries.",
+        "Safe mode: detectSafeMode reads crash history (recentCrashes in tombstone). 3+ crashes in 5 minutes triggers safe mode - daemon stays alive, socket works, agents/habits paused. ouro up --force writes override file.",
+        "Health nerves sink: createHealthNervesSink registers as global sink, listens for daemon events (agent_started, agent_exit, habit_fire, safe_mode_entered, etc.), triggers debounced health writes.",
+        "ouro status health fallback: when daemon socket is unreachable, reads health file to show last-known status, safe mode, and degraded components.",
+        "Degraded state in agent dialog: habit turns read daemon-health.json and append scheduling degradation nudge when components are degraded."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.152",
+      "changes": [
+        "fix(nerves): catch EPIPE on terminal sink for detached daemon"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.151",
+      "changes": [
+        "docs: comprehensive update for MCP bridge, daemon resilience, dev mode, hooks"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.150",
+      "changes": [
+        "fix(habits): catch ENOENT when watching habits dir that does not exist"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.149",
+      "changes": [
+        "Daemon tombstone: writeDaemonTombstone persists crash context (reason, stack, uptime) to ~/.ouro-cli/daemon-death.json on uncaught exceptions and startup failures.",
+        "Global exception handlers: daemon-entry installs uncaughtException (tombstone + graceful 5s shutdown) and unhandledRejection (warn, no exit) handlers.",
+        "Log rotation: ndjson file sink rotates logs at 50MB (configurable), keeping .1 and .2 backups. Throttled stat checks via byte counter.",
+        "Socket connection error handling: connection.on('error') prevents server crash on client disconnect, connection.end() wrapped for EPIPE safety, persistent server.on('error') after listen.",
+        "Crash context in status: DaemonAgentSnapshot includes lastExitCode/lastSignal, Workers table shows last exit info, stopped-daemon status reads tombstone for 'Last death' line.",
+        "Cooldown recovery: after restart exhaustion, agents schedule recovery after cooldownRecoveryMs (default 5min). Reset crash history on recovery. maxCooldownRetries (default 3) before permanent give-up.",
+        "Defensive handleCommand: extracted handleCommandInner, outer handleCommand wraps with try/catch logging daemon.command_error with kind/error/stack before re-throw."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.148",
+      "changes": [
+        "Habits extracted from task system as first-class bundle concept at habits/ (peer to diary/, friends/, tasks/).",
+        "Name-based identity: heartbeat.md, not YYYY-MM-DD-HHMM-heartbeat.md. Simple schema: title, cadence, status (active/paused), body, lastRun, created.",
+        "HabitScheduler with OS cron (LaunchdCronManager/CrontabCronManager): each habit fires independently via its own cron entry.",
+        "Event-driven discovery: fs.watch + CLI notify trigger reconcile. No polling.",
+        "Worker rerun queue replaces single-slot mechanism, prevents dropped pokes. Each habit turn includes also-due line for agent triage.",
+        "Contextual heartbeat includes habit body: agent sees own instructions when heartbeat fires.",
+        "Daemon auto-migration from tasks/habits/ on startup. Strips timestamp prefix, maps statuses, removes task-only fields.",
+        "ouro habit list and ouro habit create CLI commands. Parse error reporting via nerves events + inner dialog nudge.",
+        "Metacognitive framing teaches agent about habits/ directory, rhythms, schema, read_file/write_file, and CLI commands.",
+        "HeartbeatTimer deleted, replaced by HabitScheduler. habit type removed from task system entirely."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.147",
+      "changes": [
+        "Feedback signals as social cues: Teams thumbs-up/down and BlueBubbles reactions reach the agent as first-class social signals with full cognitive tools.",
+        "AI-generated labels: all outbound Teams messages include AIGeneratedContent entity and feedbackLoopEnabled for native AI badge and feedback UI.",
+        "BlueBubbles reaction enrichment: reactions include original message text (truncated to 80 chars) via best-effort BB API lookup.",
+        "Streaming refinements: hybrid MIN_INITIAL_CHARS (phrase rotation until 20+ real chars), proactive >4000 finalization with follow-up messages.",
+        "Welcome card: Adaptive Card with prompt starters on Teams bot install.",
+        "Observe gate: available in 1:1 chats for reaction signals (natural silence case).",
+        "Per-context prompt framing: 1:1 vs group framing for feedback signal processing."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.146",
+      "changes": [
+        "fix(hook): target specific agent only, ouro up breaks dev dispatch loop"
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.145",
+      "changes": [
+        "MCP conversation channel: send_message runs full agent turns, check_response for async responses.",
+        "Cross-session awareness: pipeline wakes inner dialog after non-inner turns (DRY for all senses).",
+        "Ponder routing: responses route to originating session via direct-originator priority.",
+        "Claude Code hooks: ouro hook command, portable hooks with no hardcoded paths.",
+        "ouro wrapper: dev mode dispatch via dev-config.json.",
+        "ouro dev: persists repo path, detects CWD, disables launchd (removes plist).",
+        "Trust: MCP sessions resolve friend UUID to correct trust level.",
+        "Heartbeat timer: cadence delay on null lastCompletedAt prevents spin loop."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.142",
+      "changes": [
+        "Surface tool fulfills heart obligations on successful routing: findPendingObligationForOrigin + fulfillObligation called after inner obligation advance, wrapped in try/catch.",
+        "New fulfillHeartObligation callback on HandleSurfaceInput — origin-based lookup independent of inner obligationId.",
+        "ouro inner status command: reads runtime.json, journal dir, heartbeat cadence, attention count. Shows last turn, status, heartbeat health, journal listing, held thoughts."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.141",
+      "changes": [
+        "Ponder tool replaces descend: thought+say required from outer sessions, parameterless from inner dialog. Creates heart obligation, enqueues pending with delegatedFrom, emits say text outward.",
+        "Ponder from inner dialog enqueues synthetic pending message (no delegatedFrom) to continue thinking across turns.",
+        "Rest tool for inner dialog: parameterless, gated by attention queue. Rejected with guidance when unsurfaced thoughts remain.",
+        "Settle removed from inner dialog tool set (replaced by rest). Outer sessions still use settle.",
+        "Session migration: descend -> ponder added to migrateToolNames(). go_inward now maps to ponder.",
+        "Ponder and rest added to CIRCUIT_BREAKER_EXEMPT and SOLE_CALL_REJECTION."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.140",
+      "changes": [
+        "MCP server: agents can serve as MCP peers for dev tools (Claude Code, Codex) via ouro mcp-serve --agent <name>.",
+        "13 MCP tools: ask, status, catchup, delegate, get_context, search_memory, get_task, check_scope, request_decision, check_guidance, report_progress, report_blocker, report_complete.",
+        "Standalone mode: MCP shim calls agent-service directly, no daemon dependency for read-only ops.",
+        "Auto-detect framing: supports both Content-Length (Claude Code) and newline-delimited JSON (Codex).",
+        "Harness-level skills: 3-tier fallback (agent > protocol > harness), configure-dev-tools skill ships with npm package.",
+        "Codex spawner refactor: --ephemeral, --json, -c MCP injection, JSONL event parsing replaces magic strings.",
+        "Prompt awareness: body map lists ouro mcp-serve, runtime info mentions MCP serve capability."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.139",
+      "changes": [
+        "Daemon-internal heartbeat timer: self-correcting setTimeout loop reads cadence from heartbeat task file, computes delay from lastCompletedAt, fires IPC {type: heartbeat}. One timer per managed agent.",
+        "Heartbeat fires immediately when agent is overdue (elapsed > cadence) or has never run (no runtime state).",
+        "Contextual heartbeat message: journal index (up to 10 files with recency and preview), elapsed time since last turn, pending attention count, journal entries since last surface, stale obligation alerts (>30 min).",
+        "Bare instinct prompt now cold-start fallback only; resumed heartbeat sessions get contextual message.",
+        "Journal embedding indexing piggybacked during heartbeat turns (best-effort, fire-and-forget)."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.138",
+      "changes": [
+        "Memory renamed to diary: memory.ts → diary.ts, MemoryFact → DiaryEntry, memory_save → diary_write, memory_search → recall. All types, functions, events, and variables renamed throughout.",
+        "Diary path: diary/ (top-level) replaces psyche/memory/. Schema-2 migration copies files; legacy fallback removed.",
+        "Journal workspace: journal/ directory for freeform thinking-in-progress. Agent writes with write_file, system reads for heartbeat context.",
+        "Unified recall tool: searches both diary entries and journal files. Results tagged [diary] or [journal].",
+        "Journal embeddings: file-level embeddings indexed during heartbeat via journal/.index.json sidecar.",
+        "Journal section in inner dialog system prompt: index of up to 10 most recently modified journal files with name, recency, and first-line preview.",
+        "Metacognitive framing updated: diary (record), journal (workspace), ponder/rest vocabulary, morning briefing encouragement.",
+        "Session migration: memory_save → diary_write, memory_search → recall added to migrateToolNames()."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.137",
+      "changes": [
+        "ouro dev auto-discovers existing repo at ~/Projects/ouroboros or prompts for clone path.",
+        "ouro dev never clones without user consent — prompts in interactive mode, errors in non-interactive.",
+        "ouro dev --repo-path errors clearly when the specified path has no repo."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.136",
+      "changes": [
+        "Dev mode DX: ouro dev starts daemon from local repo build, skips update checker, prints dev mode indicator.",
+        "ouro up from dev context delegates to installed production binary or errors with install guidance.",
+        "Daemon accepts mode option; update checker suppressed in dev mode with daemon.update_checker_skip event.",
+        "Daemon entry emits daemon.dev_mode_indicator nerves event when running from a dev repo."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.135",
+      "changes": [
+        "Metacognitive tool vocabulary complete: go_inward renamed to descend. RunAgentOutcome value is now 'descended', event is 'engine.descended'.",
+        "summarizeArgs rewritten: reads summaryKeys from ToolDefinition instead of per-tool switch branches. summarizeTeamsArgs and summarizeGithubArgs eliminated."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.134",
+      "changes": [
+        "Metacognitive tool redesign: final_answer renamed to settle, no_response renamed to observe. RunAgentOutcome values now 'settled' and 'observed'.",
+        "New surface tool: inner-dialog-only tool for routing thoughts outward to friends' freshest active sessions. Replaces post-turn routeDelegatedCompletion with inline delivery.",
+        "Attention queue: FIFO queue of delegated work items seeded from drained pending messages and recovered obligations. Visible to the model at inner dialog turn start.",
+        "Surface-before-settle gate: settle rejected in inner dialog until all attention queue items are surfaced.",
+        "Channel-based tool filtering: observe excluded from 1:1 and inner dialog; go_inward and send_message excluded from inner dialog; surface included only in inner dialog.",
+        "go_inward content param renamed to topic with metacognitive handoff framing.",
+        "Shared sole-call interception pattern extracted from duplicated core.ts logic.",
+        "Exact-origin routing removed from routeDelegatedCompletion; routing now bridge, freshest, deferred only.",
+        "ouro attention CLI: list held items, show details by ID, view surfacing history.",
+        "System prompts updated with metacognitive framing for all new tool names."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.133",
+      "changes": [
+        "Inner return obligations: delegated inner dialog work now tracks a ReturnObligation through queued → running → returned/deferred lifecycle.",
+        "Exact-origin routing: inner dialog completions route back to the session that delegated the work, not just the freshest active session.",
+        "Active work frame surfaces pending inner return obligations so the agent knows what's outstanding."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.132",
+      "changes": [
+        "BlueBubbles no longer shows redundant \"shared work: errored\" alongside failover messages. Terminal errors are buffered and only displayed when failover doesn't handle them."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.131",
+      "changes": [
+        "ouro auth --provider anthropic now exchanges the setup token for a refresh token immediately, enabling auto-refresh for subsequent sessions."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.130",
+      "changes": [
+        "Removed delegation adherence gate on final_answer: agents can now deliver answers regardless of delegation suggestions. Fixes infinite rejection loop.",
+        "CLI help: ouro auth -h now correctly shows auth-specific help instead of triggering top-level help."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.129",
+      "changes": [
+        "Fixed final_answer truth-check false positive: agents with intent=complete can now deliver answers even when delegation suggests going inward.",
+        "Fixed BlueBubbles message deduplication: messages are recorded immediately to prevent duplicate processing on webhook retries.",
+        "Fixed session key normalization: listSessionActivity now compares sanitized keys so the current session is correctly excluded from other-session lists.",
+        "ouro auth with no args now shows auth-specific help instead of full CLI help."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.128",
+      "changes": [
+        "Error message sanitizer now strips HTML responses (Cloudflare challenge pages, error pages) in addition to JSON."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.127",
+      "changes": [
+        "Anthropic OAuth tokens now work with Opus and Sonnet 4.6. Added Claude Code identification in system prompt and headers that the API requires to grant model access to setup tokens."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.126",
+      "changes": [
+        "Fixed Anthropic tool_choice incompatibility with thinking — uses auto instead of any when thinking is enabled.",
+        "auth verify and auth switch now use pingProvider for real API verification instead of format-only checks. auth switch verifies credentials work before switching."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.125",
+      "changes": [
+        "Fixed Anthropic tool_choice incompatibility with thinking — uses auto instead of any when thinking is enabled.",
+        "auth verify and auth switch now use pingProvider for real API verification instead of format-only checks. auth switch verifies credentials work before switching."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.124",
+      "changes": [
+        "Anthropic OAuth tokens now auto-refresh before expiry. The provider checks token freshness before each turn, exchanges the refresh token for a new access token, and persists the result. No more 400 errors from expired setup tokens."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.123",
+      "changes": [
+        "Fixed Anthropic API request format: effort parameter moved from thinking object to output_config. Was causing 400 errors that masked real model access restrictions."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.122",
+      "changes": [
+        "Daemon now uses a pidfile (~/.ouro-cli/daemon.pids) for process cleanup instead of fragile ps-based name matching. All managed PIDs (daemon, agents, senses) are written on startup and reaped on next restart.",
+        "Failover reply matching now uses includes() instead of exact match, fixing switch commands in BlueBubbles where channel metadata prefixes the user text."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.121",
+      "changes": [
+        "Daemon orphan cleanup now also kills standalone sense entry processes (bluebubbles-entry.js, teams-entry.js) which were persisting across updates and handling requests on stale code."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.120",
+      "changes": [
+        "Daemon startup now kills ALL orphaned ouro processes (daemons AND agents) from previous instances — fixes stale-version processes handling requests after every update.",
+        "Failover error messages no longer contain raw JSON API response bodies. Error messages are sanitized at the source and the failover summary uses clean classification labels only."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.119",
+      "changes": [
+        "Anthropic ping now uses haiku (widest token access) with minimal beta headers, fixing 400 errors from thinking beta requirements and model access restrictions on setup tokens."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.118",
+      "changes": [
+        "Daemon now kills orphaned agent processes from previous instances on startup, preventing stale-version agents from handling requests after an update."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.117",
+      "changes": [
+        "Failover messages now show human-readable reasons for failing providers instead of raw JSON API errors.",
+        "ouro auth now pings the provider after saving credentials and reports whether they work."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.116",
+      "changes": [
+        "Provider ping now uses a minimal direct API call (max_tokens:1, no thinking/reasoning params) instead of streamTurn, which was adding provider-specific features that could cause 400 errors unrelated to auth."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.115",
+      "changes": [
+        "Failover message now shows providers with expired/failing credentials separately with refresh instructions ('run ouro auth --agent X --provider Y to refresh') instead of silently omitting them."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.114",
+      "changes": [
+        "Fix: Default runtime logger is now silent (no stderr sink) so nerves events emitted before logger configuration no longer interleave with the CLI spinner animation.",
+        "Fix: MCP server connect failures now include the command name, args, and a hint to check agent.json mcpServers configuration. Retry-exhaustion messages also identify the failing command.",
+        "Verification: StreamingWordWrapper integration in CLI chat confirmed working — wraps at word boundaries during streaming output.",
+        "When a model provider fails mid-conversation (auth error, usage limit, outage), the harness now classifies the error, pings alternative configured providers, and surfaces validated failover options to the user in-channel. Reply 'switch to <provider>' to continue on a working provider.",
+        "Each provider now has a `classifyError` method that distinguishes auth failures, usage/subscription limits, rate limits, server errors, and network errors. The old auth guidance wrappers are replaced by this unified classification system.",
+        "New `pingProvider` function makes a real heartbeat completion call to verify provider credentials and quota are live — no more format-only checks.",
+        "Provider factories now accept optional config parameters, enabling credential injection for health inventory pings without touching disk config."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.113",
+      "changes": [
+        "`ouro changelog --from` now uses semver comparison instead of lexicographic string ordering, so alpha prerelease numbers sort correctly."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.112",
+      "changes": [
+        "`ouro up` no longer prints the 'ouro updated to X (was Y)' message twice when the update flow re-execs from a newly installed version."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.111",
+      "changes": [
+        "The PATH installer now repairs a stale ~/.local/bin/ouro launcher in place instead of deleting it, so a shadowing old wrapper can no longer cause the wrong CLI version to load and produce backwards 'ouro updated to X (was Y)' messages."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.110",
+      "changes": [
+        "Pi-style capability salvage now lands fully inside the active-work-first architecture: coding lanes inherit a live world-state checkpoint, session recall stays evidence-based, and no parallel session-orientation self-model remains.",
+        "Repeated no-progress polling is now blocked across active-work, coding, and session status surfaces, while coding checkpoints/artifacts persist cleanly enough for the same agent to resume real work instead of narrating around it."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.109",
+      "changes": [
+        "Each inbound turn now carries a fresh live world-state checkpoint, so natural questions like 'what are you up to?' anchor on current sessions, obligations, coding lanes, and next actions instead of stale transcript history.",
+        "Active-work now serves as the agent's top-level center of gravity: material obligations are normalized, duplicate-origin noise is collapsed, and inner dialog is treated as one lane inside the live world-state instead of the whole self."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.108",
+      "changes": [
+        "Agents now have a first-class `query_active_work` tool that reads one top-level live world-state across the current conversation, other active sessions, live coding lanes, inner work, and return obligations instead of reconstructing status from side tools.",
+        "Family-facing status guidance now treats the active-work world-state as the agent's center of gravity, so 'what are you up to?' answers stay anchored in one coherent live picture instead of drifting into inner-dialog archaeology."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.107",
+      "changes": [
+        "Family-scoped 'what are you up to?' answers now widen to the full live world-state: the current conversation, live coding lanes, other active friend-facing sessions, and any active inner holding state, instead of collapsing to just the current lane.",
+        "The runtime no longer regex-polices an exact status-answer template; family status now rides on the same live obligation and session world-state the agent already uses everywhere else, which keeps cross-session answers truthful and natural."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.106",
+      "changes": [
+        "Family-scoped status answers now come from the live obligation/session world-state directly instead of a regex-triggered 'status question' mode, so agents can answer naturally while still seeing all material live work across sessions.",
+        "Raw inbound text no longer masquerades as a real commitment or next action; current lanes, artifacts, and next steps are now grounded in persistent obligations, live coding state, and concrete session activity."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.105",
+      "changes": [
+        "Family-wide status answers now dedupe normalized session keys, drop inner/self noise, and ignore stale non-obligation lanes so 'what are you doing?' stays focused on real active work across all live sessions.",
+        "BlueBubbles and CLI lanes that refer to the same live thread now collapse into one clean status line, preventing duplicate session bullets when family asks for the full cross-session picture."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.104",
+      "changes": [
+        "Family-scoped status checks now keep the five-line header anchored on the current live conversation while appending an `other active sessions:` block for every other live lane the agent is actively working.",
+        "The inbound pipeline, active-work frame, prompt steering, and status retry logic now preserve non-current live coding lanes and obligations so family status answers stop hiding parallel work in other sessions."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.103",
+      "changes": [
+        "Status-check turns now answer in a fixed live-state shape that names the current conversation, active lane, artifact, latest checkpoint, and next action instead of drifting into broad mission summaries.",
+        "Those status turns now hold final streaming until the exact reply is ready and turn report-backs into same-thread obligation updates, so 'I'll report back here' comes back as a real in-thread follow-up instead of hidden background work."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.102",
+      "changes": [
+        "Live obligations now persist a concrete current artifact and next action, so status answers can anchor on the actual active lane, artifact, and immediate step instead of drifting into broad mission statements.",
+        "Obligation-bound coding feedback now turns PR milestones into structured report-backs and lifecycle updates, which keeps the originating live conversation informed when child work opens a PR, waits for merge, or needs a runtime update."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.101",
+      "changes": [
+        "Live coding-session status now prefers active work from the current thread instead of resurfacing stale global history, so agents stop anchoring on ancient sessions like `coding-001` when newer coding lanes are already in flight.",
+        "Active-work rendering and prompt steering now surface same-thread live coding lanes explicitly, giving the agent a clearer center of gravity before it answers questions about ongoing work."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.100",
+      "changes": [
+        "Inner-dialog instinct and task-triggered messages now suppress the fallback 'no prior checkpoint recorded' sentinel instead of leaking it into visible heartbeat chatter.",
+        "Added focused inner-dialog coverage so sentinel checkpoints stay hidden while real resume checkpoints still appear in outward messages."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.99",
+      "changes": [
+        "Auto-healed session-history invariant repairs and orphaned tool-result cleanup now log at info instead of warn, so routine self-repair no longer leaks noisy warning lines into the live CLI.",
+        "Added regression coverage for save/load repair paths so healed session-history cleanup stays below warning level while real failures still surface as warnings."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.98",
+      "changes": [
+        "ouro versions now shows 'published' status when the installed version matches the latest published alpha, instead of the less informative 'up to date'."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.97",
+      "changes": [
+        "Obligation-bound coding sessions now wake inner dialog when they complete, fail, stall, or need input, so the agent can keep a self-fix loop moving without waiting for the human to nudge it after child work changes state.",
+        "That wake stays scoped to real return-loop work instead of every coding progress line, which keeps the live chat visible without turning normal coding chatter into constant reruns."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.96",
+      "changes": [
+        "ensureSafeRepoWorkspace now re-reads the live branch from the worktree on every call and updates the in-memory and persisted selection when it has drifted, preventing stale workspaceBranch after external branch switches between coding sessions."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.95",
+      "changes": [
+        "CLI chats now surface coding-session feedback back into the live `ouro chat` thread, so hidden child work no longer finishes silently while the operator sees an idle prompt.",
+        "Those async coding updates are also persisted into the CLI session history, which keeps the visible return loop truthful across follow-up turns instead of losing the fact that work already came back."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.94",
+      "changes": [
+        "Fix stale CurrentVersion symlink not healing during `ouro up` — the daemon now detects and repairs dangling version symlinks before reading the active version.",
+        "Fix homedir regression in daemon-cli-defaults test and cover changelog-null branch."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.93",
+      "changes": [
+        "Final-answer truth checks now require fresh external-state verification (gh pr view, npm view, etc.) before allowing intent=complete when a live obligation is active, preventing stale or guessed merge/publish/deploy claims."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.92",
+      "changes": [
+        "Final-answer truth checks now reject `intent=complete` when a must-resolve handoff still has an active live-session return obligation and no newer follow-up proves the loop resumed.",
+        "This keeps visible operator loops open until the agent actually brings back the external-state update or reports a concrete blocker instead of going dark early."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.91",
+      "changes": [
+        "Fixed `ouro changelog` so it reads the shipped object-shaped changelog format (`{ versions: [...] }`) instead of falling through to 'no changelog entries found' for valid runtime releases.",
+        "Added regression coverage for both populated and missing `versions` object-shaped changelog payloads so the CLI parser and coverage gate stay aligned."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.90",
+      "changes": [
+        "coding_spawn now reuses the newest active matching coding session instead of blindly creating another coding-* lane for the same task, workspace, and origin thread.",
+        "Reused coding sessions are surfaced explicitly in the tool payload, which keeps live operator updates anchored to the real active child session instead of drifting onto stale parallel status."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.89",
+      "changes": [
+        "Spawned coding sessions now inject ~/.ouro-cli/bin into PATH so child processes (claude, codex) can resolve ouro CLI binaries without relying on the parent shell's PATH."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.88",
+      "changes": [
+        "CLI session repair now strips orphaned tool-result messages when a saved chat history lost the matching assistant tool call, so a broken prior turn no longer bricks every future `ouro chat` message with a tool-call replay error.",
+        "Recovered sessions keep valid tool call/result pairs intact while dropping only the stale outputs, which lets live operator chats resume from repaired history instead of forcing a brand-new thread."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.87",
+      "changes": [
+        "CLI chat now keeps model reasoning private again. The visible surface stays on spinners, tool updates, and actual replies instead of dim internal-thinking text leaking into the operator conversation.",
+        "Safe workspace selection now persists across daemon restarts and `ouro up`, so repo-local reads, edits, and shell commands keep targeting the same acquired scratch clone or worktree after a runtime update."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.86",
+      "changes": [
+        "Commitments section now uses the structured formatCommitments helper, rendering holding/criteria/release sections instead of a flat bullet list. Tests updated to cover bridges, tasks, and mustResolveBeforeHandoff."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.85",
+      "changes": [
+        "Relative repo paths now route through the chosen safe workspace too, so read/edit/write file tools actually operate in the dedicated clone or worktree instead of silently hitting the wrong checkout.",
+        "File-edit guardrails now normalize paths the same way file reads do, which means a `read_file` followed by `edit_file` on the same relative path no longer self-blocks during safe-workspace routing."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.84",
+      "changes": [
+        "Safe workspace routing now covers repo-local shell commands too, so agents that discover a harness friction through `shell` land in the dedicated worktree instead of wandering in the shared checkout.",
+        "The new `safe_workspace` tool and prompt guidance make the chosen workspace path, branch, and first concrete repo action explicit before the first edit, tightening the visible OODA loop."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.83",
+      "changes": [
+        "Visible OODA loop substrate: persistent return obligations now surface where work is happening, whether the agent is still investigating, and what still needs to come back to the originating session.",
+        "Coding-session provenance now carries the originating human-facing session and obligation through spawn, persistence, and feedback, so hidden coding work is legible in active work instead of disappearing behind a tool session.",
+        "Runtime closure is explicit after self-fix updates: `ouro up` now prints a changelog follow-up command, and the runtime prompt reminds the agent to report that it updated and review what changed before treating the loop as closed."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.82",
+      "changes": [
+        "Fix: Wire default implementations for CLI update flow. `ouro up` now actually checks the npm registry for newer versions, installs them, and re-execs. Previously the update check deps were declared but never wired in createDefaultOuroCliDeps. Also wires rollback and versions command defaults."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.81",
+      "changes": [
+        "Fix: Self-healing versioned CLI layout. When `ouro up` runs via the old npx path for the first time, performSystemSetup now detects that CurrentVersion is missing and installs the current version into ~/.ouro-cli/versions/. Prevents 'ouro not installed' error after migration."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.80",
+      "changes": [
+        "Bootstrap package (npx ouro.bot) now installs into ~/.ouro-cli/ versioned layout directly. No more silent npx updates — every install and update is logged. Cleans up old ~/.local/bin/ouro wrapper."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.79",
+      "changes": [
+        "New: Versioned CLI directory layout (~/.ouro-cli/) replaces npx-based ouro wrapper. Explicit version management, rollback support, and deterministic updates.",
+        "New: `ouro up` now checks the registry for newer CLI versions, installs them into ~/.ouro-cli/versions/, activates via symlink flip, and re-execs — no more silent npx downloads.",
+        "New: `ouro rollback [<version>]` swaps CurrentVersion/previous symlinks, stops the daemon. With a version arg, installs if needed then activates.",
+        "New: `ouro versions` lists cached CLI versions with * current and (previous) markers.",
+        "Migration: On first run, old ~/.local/bin/ouro wrapper is removed, old PATH entry cleaned from shell profile, new ~/.ouro-cli/bin added to PATH.",
+        "Trust manifest: rollback requires family trust, versions requires acquaintance.",
+        "Fix: BlueBubbles group chats no longer start typing just because the model turn began. Group chats stay visually quiet until the agent has committed to replying.",
+        "Tool/progress updates now count as reply commitment in BlueBubbles group chats, so read/typing can begin before final user-facing text without regressing back to model-start typing.",
+        "Silent group-chat turns remain fully quiet: when the agent chooses no_response, the inbound message still reaches the model but the chat is not marked read, never types, and never sends a message."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.77",
+      "changes": [
+        "New: Persistent obligation store (state/obligations/*.json). Obligations survive pending message consumption so the agent always knows what it owes and to whom.",
+        "Obligations are created when send_message delegates to self or go_inward fires with a return address, and fulfilled when routeDelegatedCompletion delivers the answer.",
+        "The commitments frame now reads pending obligations from the store, giving the agent an accurate view of outstanding commitments across all sessions.",
+        "readInnerWorkState derives obligationPending from both pending messages and the obligation store, ensuring obligations are visible even after the inner dialog queue drains."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.76",
+      "changes": [
+        "Fix: CLI chat terminal logging now filters to warn/error only — info-level nerves logs go to ndjson file only, keeping the interactive TUI clean.",
+        "Fix: Streamed model output now wraps at word boundaries instead of mid-word. A new StreamingWordWrapper buffers partial lines and breaks at spaces when approaching terminal width.",
+        "New: `ouro up` now prints 'ouro updated to <version> (was <previous>)' when npx downloads a newer CLI binary, separate from the agent bundle update message.",
+        "Fix: Spinner/log interleave verified — terminal sink reads pause/resume hooks at call time, not creation time, so the filterSink wrapper in CLI logging does not break spinner coordination."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.75",
+      "changes": [
+        "Inner dialog is now experienced as private thinking, not system dispatch. go_inward tool lets the agent take a thread inward atomically, with a pipeline-generated handoff packet framed as self-directed thought.",
+        "Return obligations are enforced: the agent cannot move on from a conversation without addressing what it promised. Rejection messages orient rather than punish.",
+        "Center-of-gravity steering: the system prompt tells the agent where its attention is in selfhood language, not dashboard labels.",
+        "All status rendering rewritten from telemetry to self-awareness: \"what i'm holding\" replaces \"active work\", \"where my attention is\" replaces \"center of gravity\", \"what i'm sensing\" replaces \"delegation hint\".",
+        "New query_commitments tool: the agent can ask itself \"what am I holding right now?\" and get genuine self-reflection.",
+        "Bridge suggestions trigger earlier when multi-session pressure is detected. Inward completions automatically inherit bridge context for return routing.",
+        "Inner dialog modes (reflect/plan/relay) give the agent awareness of what kind of thinking it's doing.",
+        "Canonical InnerJob type with lifecycle (idle/queued/running/surfaced) replaces reconstructed status."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.73",
+      "changes": [
+        "New `ouro config models --agent <name>` command: list available models for the current provider. For github-copilot, queries the models API; other providers show a static message.",
+        "Fix: `ouro config model` now validates model availability for github-copilot before writing, showing available models if the requested one isn't found.",
+        "Fix: system prompt now tells the agent that model/provider changes take effect on the next turn automatically (no restart needed)."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.72",
+      "changes": [
+        "Fix: Compound shell commands (&&, ;, |, ||) are now checked per-subcommand for untrusted users instead of blanket-blocked. Safe compound commands like `ls && pwd` are allowed; only commands containing an untrusted subcommand are denied.",
+        "New `ouro config model --agent <name> <model-name>` command: change the active model for any provider. Reads provider from agent.json, updates the model field in secrets.json. Gated at friend trust level.",
+        "New `ouro friend update <id> --trust <level>` command: change an existing friend's trust level (stranger, acquaintance, friend, family). Gated at family trust level."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.71",
+      "changes": [
+        "Fix: `ouro auth switch` now works with both `ouro auth switch --agent X --provider Y` and `ouro auth --switch --agent X --provider Y` syntax.",
+        "Fix: `ouro auth verify` now makes a real API call for github-copilot (GET copilot_internal/user) instead of only checking token format.",
+        "Fix: `ouro auth --verify` flag form also accepted alongside positional `verify` subcommand."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.70",
+      "changes": [
+        "New github-copilot LLM provider: use GitHub Copilot as model backend via `gh auth` token. Claude models route to /chat/completions, GPT models to /responses. Endpoint auto-discovered from your Copilot enterprise plan.",
+        "Auth decoupled from switching: `ouro auth --provider X` now stores credentials only. Use `ouro auth switch --provider X` to change the active provider, and `ouro auth verify` to check which stored providers have valid credentials.",
+        "Agents can now manage their own auth: `ouro auth`, `ouro auth verify`, and `ouro auth switch` are in the system prompt and gated at family trust level. Auth error messages include actionable recovery guidance.",
+        "Fix: `ouro --agent <name> <command>` now works correctly when --agent is the first argument."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.69",
+      "changes": [
+        "Generic MCP client: ouroboros agents can now connect to any MCP server (e.g., agency mcp ado, agency mcp mail) configured in agent.json. Zero new dependencies — pure JSON-RPC over stdio.",
+        "New `ouro mcp list` and `ouro mcp call` CLI commands route through the daemon socket to persistent MCP connections, so agents use shared server instances instead of spawning fresh ones per call.",
+        "MCP tools are injected into the agent's system prompt on startup, so agents know what external capabilities are available without a discovery step.",
+        "Trust manifest: `mcp list` requires acquaintance trust, `mcp call` requires friend trust."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.68",
+      "changes": [
+        "New no_response tool lets agents stay silent in group chats when the moment doesn't call for a reply — reactions, side conversations, and tapbacks no longer trigger unwanted responses.",
+        "Group chat participation prompt teaches agents to be intentional participants, comfortable with silence, and to prefer reactions over full text replies when appropriate.",
+        "System prompt includes --agent flag in all ouro CLI examples for non-daemon deployments. Azure startup symlinks ouro CLI into /usr/local/bin."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.66",
+      "changes": [
+        "The ouro PATH shim now uses npx --prefer-online to always check the npm registry before using cached packages. Prevents stale npx cache from serving old runtime versions on ouro up."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.65",
+      "changes": [
+        "Tool permissions overhauled: channel-level blocking removed, all tools now visible on all channels. Guardrails are invocation-level with two layers — structural (edit-requires-read, destructive pattern blocking, protected paths) always on for everyone, and trust-level (ouro CLI per-subcommand trust manifest, general CLI allowlists, bundle-scoped writes) for untrusted contexts.",
+        "New `ouro changelog` CLI subcommand reads changelog.json and supports `--from <version>` for delta filtering, so agents can introspect their own update history on any channel.",
+        "Compound shell commands (&&, ;, |, $()) are blocked for untrusted users to prevent smuggling dangerous operations behind safe prefixes.",
+        "Azure App Service deployment migrated from zip-deploy to npm-based harness install with persistent agent bundle and managed identity auth."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.63",
+      "changes": [
+        "ensureSkillManagement now iterates all discovered agent bundles instead of requiring a single-agent context. Fixes skill-management not being installed during ouro up."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.62",
+      "changes": [
+        "ensureSkillManagement now prints to stdout on install/failure instead of only emitting silent nerves events."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.61",
+      "changes": [
+        "Workflow skills (work-planner, work-doer, work-merger) migrated to the shared ouroboros-skills repo at github.com/ouroborosbot/ouroboros-skills.",
+        "Removed the subagent-installer. Skills are now installed via the skill-management bootstrap skill or manual download.",
+        "Skills loading simplified from 3-source to 2-source model. Canonical-protocol fallback to subagents/ removed.",
+        "New ensureSkillManagement() auto-installs the skill-management bootstrap skill from the shared repo on ouro up."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.60",
+      "changes": [
+        "Azure OpenAI provider now supports DefaultAzureCredential for managed identity auth in production and az-login auth for local dev, with API key as an optional fallback.",
+        "The @azure/identity package is lazy-loaded only when the managed identity path is used, so API key users and other providers pay no cold-start cost.",
+        "Auth failure errors now preserve the original cause and list all three resolution paths (API key, az login, managed identity)."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.59",
+      "changes": [
+        "Repo file edits now acquire a safe workspace before local tool writes, creating a dedicated worktree from `origin/main` when running from a clone and a scratch clone from the canonical GitHub source when running from an installed runtime.",
+        "The harness now has bundle-local workspace primitives for repo work plus bundle-local daemon logs, daemon logging config, message routing storage, and tool caches instead of leaning on `~/.agentstate` paths.",
+        "Coverage/test-run artifacts and related runtime expectations now use the new non-`~/.agentstate` locations, and daemon/tool tests cover the safe workspace decision table and the bundle-local path migration."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.58",
+      "changes": [
+        "Normal `ouro` and `ouro-bot` CLI entrypoints now stay quiet by default in the terminal while still writing runtime NDJSON logs, and explicit logging overrides still work.",
+        "Interactive pasted input now clears every echoed row before re-rendering its bold summary, so multi-line instructions stay legible instead of colliding with prompt redraws and streaming output.",
+        "Wrapped CLI text now prefers whitespace breaks for ordinary words and only splits a word mid-line when that single word is wider than the terminal."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.57",
+      "changes": [
+        "Explicit `ouro chat <agent>` now launches the local interactive chat flow instead of just printing the daemon's connection acknowledgement and exiting.",
+        "The explicit chat path still ensures the daemon is running first, so direct chat commands behave like the existing auto-chat flows without losing daemon setup.",
+        "Daemon CLI coverage now includes the explicit `chat <agent>` route so regressions in interactive chat startup get caught in tests."
+      ]
+    },
     {
       "version": "0.1.0-alpha.56",
       "changes": [