@ouro.bot/cli 0.1.0-alpha.56 → 0.1.0-alpha.561

package/skills/configure-dev-tools.md

@@ -0,0 +1,101 @@
+# Configure Dev Tools for MCP Agent Bridge
+
+Set up your development tools (Claude Code, Codex) to communicate with Ouroboros agents via MCP. One command does everything — including cross-platform WSL2 bridging on Windows.
+
+## Setup
+
+### Claude Code
+
+```bash
+ouro setup --tool claude-code --agent <agent-name>
+```
+
+This command:
+1. Registers the MCP server with Claude Code via `claude mcp add`
+2. Configures lifecycle hooks (SessionStart, Stop, PostToolUse) for passive awareness
+3. Detects dev vs installed mode automatically and uses the correct command path
+
+**On WSL2 (Windows):** The command automatically detects the WSL environment and:
+- Calls `claude.exe` (the Windows binary) instead of `claude`
+- Prefixes MCP serve and hook commands with `wsl` so Windows-side Claude Code spawns them through WSL
+- Resolves the Windows-side home directory and writes config to the Windows-side `~/.claude/`
+- After setup, open Claude Code in PowerShell — the agent is there
+
+**On native Windows (no WSL):** Not yet supported. The command prints a message directing you to install WSL2.
+
+For the full cross-machine setup flow (including cloning an agent to a new machine), see `docs/cross-machine-setup.md` in the harness repo.
+
+### Codex
+
+```bash
+ouro setup --tool codex --agent <agent-name>
+```
+
+This command:
+1. Registers the MCP server with Codex via `codex mcp add`
+2. Detects dev vs installed mode automatically
+
+## Verification
+
+After setup, verify the connection:
+
+1. **Check daemon is running**: `ouro up` (installed) or `ouro dev --repo-path <path>` (dev mode).
+2. **Test from Claude Code**: Start a new session and use the `status` tool.
+3. **Test from Codex**: Run `codex exec "Use the <agent-name> status tool"`.
+4. **Check registration**: `claude mcp list` or `codex mcp list`.
+
+## Available MCP Tools
+
+Once connected, these tools are available:
+
+### Conversation tools (new)
+- **send_message** -- Send a message and get a synchronous agent response (full turn with tools)
+- **check_response** -- Check for pending messages from the agent (after ponder or proactive surface)
+
+### Read-only tools
+- **ask** -- Ask the agent a question (uses diary, journal, and context)
+- **status** -- Get agent's current status and activity
+- **catchup** -- Get recent activity summary
+- **get_context** -- Get agent's current working context
+- **search_notes** -- Search the agent's diary for specific topics
+- **get_task** -- Get details of the agent's current task
+- **check_scope** -- Verify if something is in scope for current work
+- **check_guidance** -- Get guidance on how to approach something
+
+### Write tools
+- **delegate** -- Request the agent to handle a task (runs full conversation turn)
+- **request_decision** -- Ask agent to make a decision about something
+- **report_progress** -- Report progress on delegated work
+- **report_blocker** -- Report a blocker on delegated work
+- **report_complete** -- Report completion of delegated work
+
+## Troubleshooting
+
+### "Daemon not running" error
+Most read-only tools work without the daemon (reads filesystem directly). For write operations and `send_message`, start the daemon with `ouro up` or `ouro dev`.
+
+### MCP server not appearing
+- Run `claude mcp list` or `codex mcp list` to verify registration
+- Re-run `ouro setup` to fix
+- Restart your dev tool (MCP loads at session start)
+
+### Connection timeouts
+- Ensure `dist/` is built: `npm run build`
+- Check that the entry point path is correct (setup auto-detects this)
+
+### WSL2-specific issues
+
+**`claude.exe` not found** — Windows executables must be accessible from WSL. This is the default, but enterprise environments may disable it via `/etc/wsl.conf` setting `appendWindowsPath = false`. Check with `which claude.exe`. If missing, add Claude Code's install directory to WSL's PATH manually or update `wsl.conf`.
+
+**`cmd.exe` or `wslpath` fails** — The setup command resolves the Windows home directory using `cmd.exe /C echo %USERPROFILE%` piped through `wslpath`. If either is unavailable, the setup will fail. `wslpath` ships with all standard WSL distributions. `cmd.exe` requires Windows executables to be on PATH (see above).
+
+**MCP server hangs or returns empty** — The MCP server runs inside WSL via `wsl ouro mcp-serve --agent <name>`. If stdio piping between Windows and WSL is broken, check that the WSL distribution is running (`wsl --status`) and that no other process has claimed stdin.
+
+**Hooks not firing** — Claude Code hooks use `wsl ouro hook <event> --agent <name>`. If hooks fail silently, check that `ouro` is on PATH inside WSL (run `wsl ouro --version` from PowerShell to verify).
+
+### Removing
+```bash
+claude mcp remove ouro-<agent-name>
+# or
+codex mcp remove ouro-<agent-name>
+```

package/skills/travel-planning.md

@@ -0,0 +1,138 @@
+# Travel Planning Skill
+
+Compose all travel infrastructure to plan and book trips effectively.
+
+## Research Phase
+
+### Destination Research
+1. Use `geocode_search` to find candidate destinations and get coordinates
+2. Use `weather_lookup` to check climate for travel dates
+3. Use `travel_advisory` to check US State Dept safety levels (1-4):
+   - Level 1: Exercise Normal Precautions
+   - Level 2: Exercise Increased Caution
+   - Level 3: Reconsider Travel
+   - Level 4: Do Not Travel
+4. Use browser tools (see `browser-navigation` skill) for destination reviews, travel blogs, local tips
+5. Compare multiple destinations on weather, safety, cost, and flight availability
+
+### Information Gathering Workflow
+```
+geocode_search -> get coordinates
+weather_lookup -> check weather at coordinates
+travel_advisory -> check safety level
+browser tools -> reviews, local info, pricing
+```
+
+## Flight Search
+
+### Using Duffel MCP (when available)
+- Search via `duffel_search_flights` tool (first-class MCP tool)
+- Provide: origin, destination, dates, passengers, cabin class
+- Compare options on price, duration, stops, airline
+
+### Using Browser (fallback)
+- Use browser-navigation skill patterns for Google Flights, airline sites
+- Add delays between searches to avoid detection
+
+### Comparison Criteria
+Present top 3-5 options comparing:
+- Total price (including bags, seat selection)
+- Duration and number of stops
+- Airline and aircraft
+- Departure/arrival times
+- Cancellation/change policy
+
+## Accommodation Search
+
+### Hotel Search
+- Use Expedia MCP when available (`expedia_search_hotels` tool)
+- Compare: price per night, total stay cost, location, rating, amenities
+- Check cancellation policies (crucial for travel planning)
+
+### Vacation Rentals (Browser-based)
+- Use browser-navigation skill for Airbnb/VRBO
+- Search by location, dates, guests, budget
+- Compare: price, location proximity, reviews, amenities, host rating
+- Screenshot listings for user review
+
+### Comparison Criteria
+- Price per night and total cost
+- Location (distance to key attractions/activities)
+- Reviews and ratings
+- Amenities (WiFi, kitchen, parking, pool)
+- Cancellation flexibility
+
+## Booking Workflow
+
+### Critical Safety Gates
+- **ALWAYS confirm with user before any booking action**
+- **ALWAYS confirm before entering payment information**
+- **ALWAYS confirm before agreeing to terms**
+- **Never proceed with a financial commitment without explicit approval**
+
+### Credential Handling
+
+Credentials are managed through the credential access layer, which stores
+agent-owned secrets in the agent's Bitwarden/Vaultwarden credential vault.
+Stored passwords stay in the vault. A brand-new signup password may enter
+model context briefly when the agent explicitly generates or types it during
+an interactive sign-up flow.
+
+- Use `credential_get` to check what credentials exist for a domain (metadata only, never passwords)
+- Use `credential_generate_password` to mint a strong password for a new sign-up
+- Use `credential_store` to save credentials the agent acquired after the site accepts them
+- The credential gateway automatically injects secrets into API requests via `getRawSecret()`
+- Use browser-navigation skill form patterns for entering credentials during interactive sessions
+
+**How credentials work:**
+- Agent-owned credentials live in the agent's Bitwarden/Vaultwarden vault
+- Travel credentials such as Duffel and Stripe are ordinary vault credential items
+- The agent can sign up for services and store its own credentials
+- Existing stored passwords are never returned to the model — only metadata (domain, username, notes)
+
+### Post-Booking
+- Save confirmation details (confirmation number, dates, hotel name, airline, booking reference)
+- Save to diary/journal for future reference
+- Set reminders for check-in windows
+- Note cancellation deadlines
+
+## Preference Management
+
+### Storing Preferences
+Track and reference these travel preferences:
+- Preferred airlines and alliance status
+- Preferred hotel chains and loyalty numbers
+- Seat preferences (window/aisle, extra legroom)
+- Dietary needs for in-flight meals
+- Budget ranges (per night for hotels, per flight)
+- Must-have amenities (WiFi, gym, pool)
+
+### Using Preferences
+- Reference stored preferences when searching
+- Apply airline preferences to flight comparisons
+- Apply hotel brand preferences to accommodation searches
+- Adjust budget ranges based on destination
+
+## Tool Reference
+
+### Native Tools (always available)
+- `weather_lookup` - Current weather and daily forecast by city or coordinates (Open-Meteo, zero config)
+- `travel_advisory` - US State Dept advisory by country code
+- `geocode_search` - Location/POI search with coordinates
+- `credential_get` - Check credential metadata for a domain (never returns passwords)
+- `credential_generate_password` - Generate a strong password for a new sign-up (family trust)
+- `credential_store` - Store credentials the agent acquired (family trust)
+- `credential_list` - List stored credential domains
+- `credential_delete` - Delete stored credentials (family trust)
+
+### MCP Tools (when configured)
+- Browser tools via `@playwright/mcp` - see `browser-navigation` skill
+- Duffel flight search (when MCP server available)
+- Expedia hotel search (when MCP server available)
+
+### Human Confirmation Required For
+- Any booking or payment
+- Entering personal information
+- Agreeing to terms of service
+- Creating financial obligations
+- Sharing credentials with third parties

package/dist/heart/daemon/auth-flow.js

@@ -1,351 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.readAgentConfigForAgent = readAgentConfigForAgent;
-exports.writeAgentProviderSelection = writeAgentProviderSelection;
-exports.loadAgentSecrets = loadAgentSecrets;
-exports.writeProviderCredentials = writeProviderCredentials;
-exports.collectRuntimeAuthCredentials = collectRuntimeAuthCredentials;
-exports.resolveHatchCredentials = resolveHatchCredentials;
-exports.runRuntimeAuthFlow = runRuntimeAuthFlow;
-const child_process_1 = require("child_process");
-const fs = __importStar(require("fs"));
-const os = __importStar(require("os"));
-const path = __importStar(require("path"));
-const runtime_1 = require("../../nerves/runtime");
-const identity_1 = require("../identity");
-const ANTHROPIC_SETUP_TOKEN_PREFIX = "sk-ant-oat01-";
-const ANTHROPIC_SETUP_TOKEN_MIN_LENGTH = 80;
-const DEFAULT_SECRETS_TEMPLATE = {
-    providers: {
-        azure: {
-            modelName: "gpt-4o-mini",
-            apiKey: "",
-            endpoint: "",
-            deployment: "",
-            apiVersion: "2025-04-01-preview",
-        },
-        minimax: {
-            model: "minimax-text-01",
-            apiKey: "",
-        },
-        anthropic: {
-            model: "claude-opus-4-6",
-            setupToken: "",
-        },
-        "openai-codex": {
-            model: "gpt-5.4",
-            oauthAccessToken: "",
-        },
-    },
-    teams: {
-        clientId: "",
-        clientSecret: "",
-        tenantId: "",
-    },
-    oauth: {
-        graphConnectionName: "graph",
-        adoConnectionName: "ado",
-        githubConnectionName: "",
-    },
-    teamsChannel: {
-        skipConfirmation: true,
-        port: 3978,
-    },
-    integrations: {
-        perplexityApiKey: "",
-        openaiEmbeddingsApiKey: "",
-    },
-};
-function deepMerge(defaults, partial) {
-    const result = { ...defaults };
-    for (const key of Object.keys(partial)) {
-        const left = result[key];
-        const right = partial[key];
-        if (right !== null &&
-            typeof right === "object" &&
-            !Array.isArray(right) &&
-            left !== null &&
-            typeof left === "object" &&
-            !Array.isArray(left)) {
-            result[key] = deepMerge(left, right);
-            continue;
-        }
-        result[key] = right;
-    }
-    return result;
-}
-function readJsonRecord(filePath, label) {
-    try {
-        const raw = fs.readFileSync(filePath, "utf8");
-        const parsed = JSON.parse(raw);
-        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
-            throw new Error("expected object");
-        }
-        return parsed;
-    }
-    catch (error) {
-        throw new Error(`Failed to read ${label} at ${filePath}: ${String(error)}`);
-    }
-}
-function readAgentConfigForAgent(agentName, bundlesRoot = (0, identity_1.getAgentBundlesRoot)()) {
-    const configPath = path.join(bundlesRoot, `${agentName}.ouro`, "agent.json");
-    const parsed = readJsonRecord(configPath, "agent config");
-    const provider = parsed.provider;
-    if (provider !== "azure" &&
-        provider !== "anthropic" &&
-        provider !== "minimax" &&
-        provider !== "openai-codex") {
-        throw new Error(`agent.json at ${configPath} has unsupported provider '${String(provider)}'`);
-    }
-    return {
-        configPath,
-        config: parsed,
-    };
-}
-function writeAgentProviderSelection(agentName, provider, bundlesRoot = (0, identity_1.getAgentBundlesRoot)()) {
-    const { configPath, config } = readAgentConfigForAgent(agentName, bundlesRoot);
-    const nextConfig = { ...config, provider };
-    fs.writeFileSync(configPath, `${JSON.stringify(nextConfig, null, 2)}\n`, "utf8");
-    (0, runtime_1.emitNervesEvent)({
-        component: "daemon",
-        event: "daemon.auth_provider_selected",
-        message: "updated agent provider selection after auth flow",
-        meta: { agentName, provider, configPath },
-    });
-    return configPath;
-}
-function resolveAgentSecretsPath(agentName, deps = {}) {
-    if (deps.secretsRoot)
-        return path.join(deps.secretsRoot, agentName, "secrets.json");
-    const homeDir = deps.homeDir ?? os.homedir();
-    return (0, identity_1.getAgentSecretsPath)(agentName).replace(os.homedir(), homeDir);
-}
-function loadAgentSecrets(agentName, deps = {}) {
-    const secretsPath = resolveAgentSecretsPath(agentName, deps);
-    const secretsDir = path.dirname(secretsPath);
-    fs.mkdirSync(secretsDir, { recursive: true });
-    let onDisk = {};
-    try {
-        onDisk = readJsonRecord(secretsPath, "secrets config");
-    }
-    catch (error) {
-        const message = error.message;
-        if (!message.includes("ENOENT"))
-            throw error;
-    }
-    return {
-        secretsPath,
-        secrets: deepMerge(DEFAULT_SECRETS_TEMPLATE, onDisk),
-    };
-}
-function writeSecrets(secretsPath, secrets) {
-    fs.writeFileSync(secretsPath, `${JSON.stringify(secrets, null, 2)}\n`, "utf8");
-}
-function writeProviderCredentials(agentName, provider, credentials, deps = {}) {
-    const { secretsPath, secrets } = loadAgentSecrets(agentName, deps);
-    applyCredentials(secrets, provider, credentials);
-    writeSecrets(secretsPath, secrets);
-    return { secretsPath, secrets };
-}
-function readCodexAccessToken(homeDir) {
-    const authPath = path.join(homeDir, ".codex", "auth.json");
-    try {
-        const raw = fs.readFileSync(authPath, "utf8");
-        const parsed = JSON.parse(raw);
-        const token = parsed?.tokens?.access_token;
-        return typeof token === "string" ? token.trim() : "";
-    }
-    catch {
-        return "";
-    }
-}
-function ensurePromptInput(promptInput, provider) {
-    if (promptInput)
-        return promptInput;
-    throw new Error(`No prompt input is available for ${provider} authentication.`);
-}
-function validateAnthropicToken(token) {
-    const trimmed = token.trim();
-    if (!trimmed) {
-        throw new Error("No Anthropic setup token was provided.");
-    }
-    if (!trimmed.startsWith(ANTHROPIC_SETUP_TOKEN_PREFIX)) {
-        throw new Error(`Invalid Anthropic setup token format. Expected prefix ${ANTHROPIC_SETUP_TOKEN_PREFIX}.`);
-    }
-    if (trimmed.length < ANTHROPIC_SETUP_TOKEN_MIN_LENGTH) {
-        throw new Error("Anthropic setup token looks too short.");
-    }
-    return trimmed;
-}
-async function collectRuntimeAuthCredentials(input, deps) {
-    const spawnSync = deps.spawnSync ?? child_process_1.spawnSync;
-    const homeDir = deps.homeDir ?? os.homedir();
-    if (input.provider === "openai-codex") {
-        let token = readCodexAccessToken(homeDir);
-        if (!token) {
-            (0, runtime_1.emitNervesEvent)({
-                component: "daemon",
-                event: "daemon.auth_codex_login_start",
-                message: "starting codex login for runtime auth",
-                meta: { agentName: input.agentName },
-            });
-            const result = spawnSync("codex", ["login"], { stdio: "inherit" });
-            if (result.error) {
-                throw new Error(`Failed to run 'codex login': ${result.error.message}`);
-            }
-            if (result.status !== 0) {
-                throw new Error(`'codex login' exited with status ${result.status}.`);
-            }
-            token = readCodexAccessToken(homeDir);
-            if (!token) {
-                throw new Error("Codex login completed but no token was found in ~/.codex/auth.json. Re-run `codex login` and try again.");
-            }
-        }
-        return { oauthAccessToken: token };
-    }
-    if (input.provider === "anthropic") {
-        (0, runtime_1.emitNervesEvent)({
-            component: "daemon",
-            event: "daemon.auth_claude_setup_start",
-            message: "starting claude setup-token for runtime auth",
-            meta: { agentName: input.agentName },
-        });
-        const result = spawnSync("claude", ["setup-token"], { stdio: "inherit" });
-        if (result.error) {
-            throw new Error(`Failed to run 'claude setup-token': ${result.error.message}`);
-        }
-        if (result.status !== 0) {
-            throw new Error(`'claude setup-token' exited with status ${result.status}.`);
-        }
-        const prompt = ensurePromptInput(input.promptInput, input.provider);
-        const setupToken = validateAnthropicToken(await prompt("Paste the setup token from `claude setup-token`: "));
-        return { setupToken };
-    }
-    if (input.provider === "minimax") {
-        const prompt = ensurePromptInput(input.promptInput, input.provider);
-        const apiKey = (await prompt("MiniMax API key: ")).trim();
-        if (!apiKey)
-            throw new Error("MiniMax API key is required.");
-        return { apiKey };
-    }
-    const prompt = ensurePromptInput(input.promptInput, input.provider);
-    const apiKey = (await prompt("Azure API key: ")).trim();
-    const endpoint = (await prompt("Azure endpoint: ")).trim();
-    const deployment = (await prompt("Azure deployment: ")).trim();
-    if (!apiKey || !endpoint || !deployment) {
-        throw new Error("Azure API key, endpoint, and deployment are required.");
-    }
-    return { apiKey, endpoint, deployment };
-}
-async function resolveHatchCredentials(input) {
-    const prompt = input.promptInput;
-    const credentials = { ...(input.credentials ?? {}) };
-    if (input.provider === "anthropic" && !credentials.setupToken && input.runAuthFlow) {
-        const result = await input.runAuthFlow({
-            agentName: input.agentName,
-            provider: "anthropic",
-            promptInput: prompt,
-        });
-        Object.assign(credentials, result.credentials);
-    }
-    if (input.provider === "anthropic" && !credentials.setupToken && prompt) {
-        credentials.setupToken = await prompt("Anthropic setup-token: ");
-    }
-    if (input.provider === "openai-codex" && !credentials.oauthAccessToken && input.runAuthFlow) {
-        const result = await input.runAuthFlow({
-            agentName: input.agentName,
-            provider: "openai-codex",
-            promptInput: prompt,
-        });
-        Object.assign(credentials, result.credentials);
-    }
-    if (input.provider === "openai-codex" && !credentials.oauthAccessToken && prompt) {
-        credentials.oauthAccessToken = await prompt("OpenAI Codex OAuth token: ");
-    }
-    if (input.provider === "minimax" && !credentials.apiKey && prompt) {
-        credentials.apiKey = await prompt("MiniMax API key: ");
-    }
-    if (input.provider === "azure") {
-        if (!credentials.apiKey && prompt)
-            credentials.apiKey = await prompt("Azure API key: ");
-        if (!credentials.endpoint && prompt)
-            credentials.endpoint = await prompt("Azure endpoint: ");
-        if (!credentials.deployment && prompt)
-            credentials.deployment = await prompt("Azure deployment: ");
-    }
-    return credentials;
-}
-function applyCredentials(secrets, provider, credentials) {
-    if (provider === "anthropic") {
-        secrets.providers.anthropic.setupToken = credentials.setupToken.trim();
-        return;
-    }
-    if (provider === "openai-codex") {
-        secrets.providers["openai-codex"].oauthAccessToken = credentials.oauthAccessToken.trim();
-        return;
-    }
-    if (provider === "minimax") {
-        secrets.providers.minimax.apiKey = credentials.apiKey.trim();
-        return;
-    }
-    secrets.providers.azure.apiKey = credentials.apiKey.trim();
-    secrets.providers.azure.endpoint = credentials.endpoint.trim();
-    secrets.providers.azure.deployment = credentials.deployment.trim();
-}
-async function runRuntimeAuthFlow(input, deps = {}) {
-    (0, runtime_1.emitNervesEvent)({
-        component: "daemon",
-        event: "daemon.auth_flow_start",
-        message: "starting runtime auth flow",
-        meta: { agentName: input.agentName, provider: input.provider },
-    });
-    const homeDir = deps.homeDir ?? os.homedir();
-    const credentials = await collectRuntimeAuthCredentials(input, deps);
-    const { secretsPath } = writeProviderCredentials(input.agentName, input.provider, credentials, { homeDir });
-    (0, runtime_1.emitNervesEvent)({
-        component: "daemon",
-        event: "daemon.auth_flow_end",
-        message: "completed runtime auth flow",
-        meta: { agentName: input.agentName, provider: input.provider, secretsPath },
-    });
-    return {
-        agentName: input.agentName,
-        provider: input.provider,
-        secretsPath,
-        message: `authenticated ${input.agentName} with ${input.provider}`,
-        credentials,
-    };
-}