@ouro.bot/cli 0.1.0-alpha.56 → 0.1.0-alpha.561

package/dist/repertoire/bitwarden-store.js

@@ -0,0 +1,963 @@
+"use strict";
+/**
+ * Bitwarden CLI credential store — wraps `bw` CLI for the agent's own vault.
+ *
+ * This store authenticates directly as the agent using its own master password.
+ * The agent owns the vault, so no human-in-the-loop is needed.
+ *
+ * Requires the `bw` CLI to be installed. Session tokens are cached process-local.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BitwardenCredentialStore = void 0;
+exports.sanitizeCredentialErrorDetail = sanitizeCredentialErrorDetail;
+const node_child_process_1 = require("node:child_process");
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const runtime_1 = require("../nerves/runtime");
+const bw_installer_1 = require("./bw-installer");
+const MAX_ERROR_DETAIL_LENGTH = 500;
+const LONG_ENCODED_TOKEN_PATTERN = /[A-Za-z0-9+/=]{32,}/g;
+const BW_PASSWORD_ENV = "OURO_BW_MASTER_PASSWORD";
+function uniqueSecrets(secrets) {
+    return [...new Set(secrets.filter((value) => typeof value === "string" && value.length >= 4))].sort((left, right) => right.length - left.length);
+}
+function sanitizeCredentialErrorDetail(message, options = {}) {
+    const filtered = message
+        .split(/\r?\n/)
+        .filter((line) => {
+        const trimmed = line.trim();
+        if (trimmed.startsWith("Command failed:"))
+            return false;
+        if (trimmed.includes("[input is hidden]"))
+            return false;
+        return true;
+    })
+        .join("\n")
+        .trim();
+    let sanitized = filtered || "command failed";
+    for (const secret of uniqueSecrets(options.secrets ?? [])) {
+        sanitized = sanitized.split(secret).join("[redacted]");
+    }
+    sanitized = sanitized.replace(LONG_ENCODED_TOKEN_PATTERN, "[redacted]");
+    if (sanitized.replace(/\[redacted\]/g, "").trim().length === 0) {
+        return "command failed";
+    }
+    return sanitized.slice(0, MAX_ERROR_DETAIL_LENGTH);
+}
+// ---------------------------------------------------------------------------
+// bw CLI wrapper
+// ---------------------------------------------------------------------------
+function isBwSessionUnavailableMessage(message) {
+    return (/master password/i.test(message) ||
+        /vault is locked/i.test(message) ||
+        /not logged in/i.test(message) ||
+        /session key/i.test(message) ||
+        /local bitwarden session/i.test(message));
+}
+function isBwInvalidUnlockSecretMessage(message) {
+    return (/invalid master password/i.test(message) ||
+        /saved vault unlock secret/i.test(message) ||
+        /username or password is incorrect/i.test(message));
+}
+function isBwTimeoutError(err) {
+    const timeoutErr = err;
+    const message = err.message.toLowerCase();
+    return (timeoutErr.code === "ETIMEDOUT" ||
+        timeoutErr.killed === true ||
+        timeoutErr.signal === "SIGTERM" ||
+        message.includes("timed out"));
+}
+function formatBwOperation(args) {
+    const [command, target] = args;
+    /* v8 ignore next -- defensive: all execBw call sites pass a concrete bw subcommand @preserve */
+    if (!command)
+        return "bw command";
+    return [command, target].filter(Boolean).join(" ");
+}
+function sanitizeBwErrorDetail(message) {
+    if (isBwInvalidUnlockSecretMessage(message)) {
+        return "bw CLI rejected the saved vault unlock secret for this machine";
+    }
+    if (isBwSessionUnavailableMessage(message)) {
+        return "bw CLI could not use the local Bitwarden session because it is locked, missing, or expired";
+    }
+    return sanitizeCredentialErrorDetail(message);
+}
+function formatBwCliError(err, stderr = "", args = []) {
+    const operation = formatBwOperation(args);
+    if (isBwTimeoutError(err)) {
+        return new Error(`bw CLI error: ${operation} timed out -- usually resolves on retry. If it persists, check network connectivity to the vault server.`);
+    }
+    const detail = sanitizeBwErrorDetail(stderr.trim() || err.message);
+    if (detail === "command failed") {
+        return new Error(`bw CLI error: ${operation} failed without error detail`);
+    }
+    return new Error(`bw CLI error: ${detail}`);
+}
+function isBwSessionAuthError(err) {
+    return isBwSessionUnavailableMessage(err.message) || isBwInvalidUnlockSecretMessage(err.message);
+}
+function isBwConfigLogoutRequired(err) {
+    const message = err.message.toLowerCase();
+    return message.includes("logout") && message.includes("required");
+}
+function isBwAlreadyLoggedInError(err) {
+    return err.message.toLowerCase().includes("already logged in");
+}
+function isBwLoggedOutOrUnauthenticatedError(err) {
+    const message = err.message.toLowerCase();
+    return (message.includes("not logged in") ||
+        message.includes("not authenticated") ||
+        message.includes("unauthenticated") ||
+        message.includes("local bitwarden session because it is locked, missing, or expired"));
+}
+function shouldUseStructuredItemLookup(domain) {
+    return domain.includes("/");
+}
+function shouldUseFullListForStructuredLookup(domain, appDataDir) {
+    return domain.includes("/") && !appDataDir;
+}
+function isBwItemNotFoundError(error) {
+    const message = error.message.toLowerCase();
+    return message.includes("not found") || message.includes("no item");
+}
+// ---------------------------------------------------------------------------
+// Cross-process bw CLI lock
+// ---------------------------------------------------------------------------
+// The bw CLI cannot handle concurrent access to the same app data directory.
+// Two processes (e.g. daemon worker + ouro up CLI) hitting the same dir
+// simultaneously corrupt bw's local state, producing empty/garbled output.
+//
+// We use two layers:
+//   1. In-process async mutex: a Map<string, Promise<void>> keyed by appDataDir
+//      serializes calls within a single Node.js process.
+//   2. Cross-process file lock: fs.openSync(lockPath, 'wx') with PID stale
+//      detection serializes across processes.
+// ---------------------------------------------------------------------------
+const BW_LOCK_FILENAME = ".ouro-bw.lock";
+const BW_LOCK_TIMEOUT_MS = 30_000;
+const BW_LOCK_POLL_MS = 100;
+const BW_DATA_FILENAME = "data.json";
+const BW_SYNC_MARKER_FILENAME = ".ouro-last-sync";
+const BW_SYNC_FRESH_MS = 60_000;
+/** In-process async mutex keyed by appDataDir. */
+const inProcessLocks = new Map();
+function isPidAlive(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function acquireFileLock(lockPath) {
+    const content = `${process.pid}\n`;
+    const deadline = Date.now() + BW_LOCK_TIMEOUT_MS;
+    while (true) {
+        try {
+            const fd = fs.openSync(lockPath, fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_EXCL);
+            fs.writeSync(fd, content);
+            fs.closeSync(fd);
+            return;
+        }
+        catch (err) {
+            if (err.code !== "EEXIST") {
+                throw err;
+            }
+            // Lock file exists -- check for stale lock
+            try {
+                const existing = fs.readFileSync(lockPath, "utf8").trim();
+                const pid = parseInt(existing, 10);
+                if (!isNaN(pid) && !isPidAlive(pid)) {
+                    // Stale lock -- remove and retry immediately
+                    try {
+                        fs.unlinkSync(lockPath);
+                    }
+                    catch { /* race with another cleaner is fine */ }
+                    continue;
+                }
+            }
+            catch { /* v8 ignore next -- race: lock file disappeared between openSync and readFileSync @preserve */
+                continue;
+            }
+            if (Date.now() >= deadline) {
+                throw new Error(`bw CLI lock timeout: could not acquire ${lockPath} within ${BW_LOCK_TIMEOUT_MS}ms`);
+            }
+            // Yield to the event loop before retrying
+            await delay(BW_LOCK_POLL_MS);
+        }
+    }
+}
+function releaseFileLock(lockPath) {
+    try {
+        fs.unlinkSync(lockPath);
+    }
+    catch {
+        // Already removed or never created -- safe to ignore
+    }
+}
+async function withBwLock(appDataDir, fn) {
+    if (!appDataDir) {
+        // No appDataDir means the default bw data location. Still need in-process
+        // serialization but cannot do cross-process file lock without a dir.
+        return fn();
+    }
+    const lockKey = appDataDir;
+    const lockPath = path.join(appDataDir, BW_LOCK_FILENAME);
+    // In-process serialization: chain onto the previous promise for this key
+    const previous = inProcessLocks.get(lockKey) ?? Promise.resolve();
+    let releaseLock;
+    const current = new Promise((resolve) => { releaseLock = resolve; });
+    inProcessLocks.set(lockKey, current);
+    await previous;
+    let fileLockAcquired = false;
+    try {
+        // Cross-process file lock
+        await acquireFileLock(lockPath);
+        fileLockAcquired = true;
+        return await fn();
+    }
+    finally {
+        if (fileLockAcquired) {
+            releaseFileLock(lockPath);
+        }
+        releaseLock();
+        // Clean up the map entry if we are the latest
+        if (inProcessLocks.get(lockKey) === current) {
+            inProcessLocks.delete(lockKey);
+        }
+    }
+}
+function execBw(args, sessionToken, appDataDir, stdin, bwBinaryPath = "bw", extraEnv = {}) {
+    const env = {
+        ...process.env,
+        ...(sessionToken ? { BW_SESSION: sessionToken } : {}),
+        ...(appDataDir ? { BITWARDENCLI_APPDATA_DIR: appDataDir } : {}),
+        ...extraEnv,
+    };
+    const runCommand = () => new Promise((resolve, reject) => {
+        const child = (0, node_child_process_1.execFile)(bwBinaryPath, args, { timeout: 30_000, env }, (err, stdout, stderr) => {
+            if (err) {
+                if (isBwNotInstalled(err)) {
+                    reject(new Error("bw CLI not found. Install from https://bitwarden.com/help/cli/"));
+                    return;
+                }
+                reject(formatBwCliError(err, stderr, args));
+                return;
+            }
+            resolve(stdout);
+        });
+        if (stdin !== undefined) {
+            child?.stdin?.end(stdin);
+        }
+    });
+    return withBwLock(appDataDir, runCommand);
+}
+/** Check if the error indicates the bw CLI binary is not installed. */
+function isBwNotInstalled(err) {
+    const msg = err.message.toLowerCase();
+    const code = err.code;
+    return code === "ENOENT" || /\bspawn\b.*\benoent\b/.test(msg) || msg.includes("command not found");
+}
+/** Check if the error is transient (network/timeout) and worth retrying. */
+function isTransientError(err) {
+    const msg = err.message.toLowerCase();
+    return (msg.includes("econnrefused") ||
+        msg.includes("etimedout") ||
+        msg.includes("enotfound") ||
+        msg.includes("socket hang up") ||
+        msg.includes("503") ||
+        msg.includes("server unavailable") ||
+        msg.includes("timed out"));
+}
+const MAX_RETRIES = 3;
+const BASE_BACKOFF_MS = 1000;
+const TRANSIENT_MAX_RETRIES = 3;
+const TRANSIENT_RETRY_BASE_MS = 500;
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isBwLoginItem(value) {
+    if (!value || typeof value !== "object" || Array.isArray(value))
+        return false;
+    const item = value;
+    if (typeof item.id !== "string" || item.id.trim().length === 0)
+        return false;
+    if (typeof item.name !== "string" || item.name.trim().length === 0)
+        return false;
+    if (item.login !== undefined) {
+        if (!item.login || typeof item.login !== "object" || Array.isArray(item.login))
+            return false;
+        const login = item.login;
+        if (login.username !== undefined && typeof login.username !== "string")
+            return false;
+        if (login.password !== undefined && typeof login.password !== "string")
+            return false;
+        if (login.uris !== undefined) {
+            if (!Array.isArray(login.uris))
+                return false;
+            for (const uri of login.uris) {
+                if (!uri || typeof uri !== "object" || Array.isArray(uri))
+                    return false;
+                const uriRecord = uri;
+                if (uriRecord.uri !== undefined && typeof uriRecord.uri !== "string")
+                    return false;
+            }
+        }
+    }
+    if (item.notes !== undefined && item.notes !== null && typeof item.notes !== "string")
+        return false;
+    if (item.revisionDate !== undefined && typeof item.revisionDate !== "string")
+        return false;
+    return true;
+}
+function parseBwItems(stdout, context) {
+    let parsed;
+    try {
+        parsed = JSON.parse(stdout);
+        if (!Array.isArray(parsed)) {
+            throw new Error("expected item array");
+        }
+        const items = parsed;
+        if (!items.every(isBwLoginItem)) {
+            throw new Error("expected login items");
+        }
+        return items;
+    }
+    catch {
+        if (Array.isArray(parsed)) {
+            throw new Error(`bw CLI error: invalid item from ${context}`);
+        }
+        throw new Error(`bw CLI error: invalid JSON from ${context}`);
+    }
+}
+function parseBwItem(stdout, context) {
+    let parsed;
+    try {
+        parsed = JSON.parse(stdout);
+        if (!isBwLoginItem(parsed)) {
+            throw new Error("expected login item");
+        }
+        return parsed;
+    }
+    catch {
+        if (parsed !== undefined) {
+            throw new Error(`bw CLI error: invalid item from ${context}`);
+        }
+        throw new Error(`bw CLI error: invalid JSON from ${context}`);
+    }
+}
+function parseBwItemId(stdout) {
+    try {
+        const parsed = JSON.parse(stdout);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return null;
+        const id = parsed.id;
+        return typeof id === "string" && id.trim().length > 0 ? id : null;
+    }
+    catch {
+        return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// BitwardenCredentialStore
+// ---------------------------------------------------------------------------
+class BitwardenCredentialStore {
+    serverUrl;
+    email;
+    masterPassword;
+    appDataDir;
+    onInvalidUnlockSecret;
+    onLoginSuccess;
+    sessionToken = null;
+    terminalLoginError = null;
+    bwBinaryPath = "bw";
+    structuredItemCache = null;
+    constructor(serverUrl, email, masterPassword, options = {}) {
+        this.serverUrl = serverUrl;
+        this.email = email;
+        this.masterPassword = masterPassword;
+        this.appDataDir = options.appDataDir;
+        this.onInvalidUnlockSecret = options.onInvalidUnlockSecret;
+        this.onLoginSuccess = options.onLoginSuccess;
+    }
+    isReady() {
+        return true;
+    }
+    execBw(args, sessionToken, stdin) {
+        return execBw(args, sessionToken, this.appDataDir, stdin, this.bwBinaryPath);
+    }
+    execBwWithPasswordEnv(args) {
+        return execBw([...args, "--passwordenv", BW_PASSWORD_ENV], undefined, this.appDataDir, undefined, this.bwBinaryPath, { [BW_PASSWORD_ENV]: this.masterPassword });
+    }
+    async notifyInvalidUnlockSecret(error) {
+        if (!this.onInvalidUnlockSecret)
+            return;
+        try {
+            await this.onInvalidUnlockSecret(error);
+        }
+        catch (callbackError) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "warn",
+                event: "repertoire.bw_invalid_unlock_cleanup_failed",
+                component: "repertoire",
+                message: "failed to clean up rejected local vault unlock material",
+                meta: {
+                    email: this.email,
+                    serverUrl: this.serverUrl,
+                    error: callbackError instanceof Error ? callbackError.message : String(callbackError),
+                    originalError: error.message,
+                },
+            });
+        }
+    }
+    /**
+     * Ensure the bw CLI is authenticated and unlocked.
+     * Handles three states: logged out → login, locked → unlock, already unlocked → no-op.
+     * Retries transient failures (network/timeout) up to MAX_RETRIES with exponential backoff.
+     */
+    async login() {
+        if (this.terminalLoginError) {
+            throw this.terminalLoginError;
+        }
+        // Ensure bw CLI is installed before any bw commands
+        this.bwBinaryPath = await (0, bw_installer_1.ensureBwCli)();
+        if (this.appDataDir) {
+            fs.mkdirSync(this.appDataDir, { recursive: true, mode: 0o700 });
+        }
+        let lastError;
+        for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
+            try {
+                await this.loginAttempt();
+                await this.onLoginSuccess?.();
+                return;
+            }
+            catch (err) {
+                /* v8 ignore next -- defensive: loginAttempt always throws Error instances @preserve */
+                lastError = err instanceof Error ? err : new Error(String(err));
+                // Don't retry non-transient errors (auth failures, bw not installed)
+                if (!isTransientError(lastError)) {
+                    this.terminalLoginError = lastError;
+                    if (isBwInvalidUnlockSecretMessage(lastError.message)) {
+                        await this.notifyInvalidUnlockSecret(lastError);
+                    }
+                    throw lastError;
+                }
+                // Don't retry after final attempt
+                if (attempt === MAX_RETRIES - 1)
+                    break;
+                const backoffMs = BASE_BACKOFF_MS * Math.pow(2, attempt);
+                (0, runtime_1.emitNervesEvent)({
+                    event: "repertoire.bw_login_retry",
+                    component: "repertoire",
+                    message: `bw login attempt ${attempt + 1} failed, retrying in ${backoffMs}ms`,
+                    meta: { attempt: attempt + 1, backoffMs, reason: lastError.message },
+                });
+                await delay(backoffMs);
+            }
+        }
+        this.terminalLoginError = lastError;
+        /* v8 ignore next -- invalid unlock errors are non-transient and exit through the non-retry path above @preserve */
+        if (isBwInvalidUnlockSecretMessage(lastError.message)) {
+            await this.notifyInvalidUnlockSecret(lastError);
+        }
+        throw lastError;
+    }
+    /** Single login attempt — called by login() retry loop. */
+    async loginAttempt() {
+        let status = await this.readStatus();
+        if (this.shouldRebuildLocalProfile(status)) {
+            await this.rebuildLocalProfile("local bw profile did not match requested vault", status);
+            status = { status: "unlocked", serverUrl: this.serverUrl, userEmail: this.email };
+        }
+        // Configure server URL if needed (only works when logged out)
+        if (status.status === "unauthenticated" || !status.serverUrl) {
+            try {
+                await this.execBw(["config", "server", this.serverUrl]);
+            }
+            catch (error) {
+                const err = error;
+                if (!isBwConfigLogoutRequired(err))
+                    throw err;
+                // "Logout required" means bw already has local auth state; keep the
+                // existing behavior and proceed to login/unlock below.
+            }
+        }
+        if (!this.sessionToken) {
+            if (status.status === "locked") {
+                // Already logged in, just needs unlock.
+                const unlockOutput = await this.execWithLocalProfileRebuild("unlock rejected saved local unlock material", status, () => this.execBwWithPasswordEnv(["unlock", "--raw"]));
+                this.sessionToken = unlockOutput.trim();
+            }
+            else if (status.status === "unauthenticated" || !status.status) {
+                // Not logged in -- full login.
+                this.sessionToken = this.sessionTokenFromLoginOutput(await this.loginWithPassword());
+            }
+            else {
+                // Status is "unlocked" -- already good, just need the session token.
+                const unlockOutput = await this.execWithLocalProfileRebuild("unlocked bw profile rejected saved local unlock material", status, () => this.execBwWithPasswordEnv(["unlock", "--raw"]));
+                this.sessionToken = unlockOutput.trim();
+            }
+        }
+        if (this.shouldSyncVaultAfterSession(status)) {
+            /* v8 ignore next -- defensive: loginAttempt always sets sessionToken before sync @preserve */
+            await this.execBw(["sync"], this.sessionToken ?? undefined);
+            this.writeSyncMarker();
+        }
+        else {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_sync_skipped",
+                component: "repertoire",
+                message: "skipping bw sync because local vault cache is still fresh",
+                meta: { email: this.email, serverUrl: this.serverUrl, freshnessWindowMs: BW_SYNC_FRESH_MS },
+            });
+        }
+        this.terminalLoginError = null;
+    }
+    async readStatus() {
+        try {
+            const raw = await this.execBw(["status"]);
+            const parsed = JSON.parse(raw);
+            if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+                return {};
+            const record = parsed;
+            return {
+                ...(typeof record.status === "string" ? { status: record.status } : {}),
+                ...(typeof record.serverUrl === "string" ? { serverUrl: record.serverUrl } : {}),
+                ...(typeof record.userEmail === "string" ? { userEmail: record.userEmail } : {}),
+            };
+        }
+        catch (err) {
+            // If bw CLI is not installed or a transient error, propagate it for retry.
+            if (err instanceof Error && (isBwNotInstalled(err) || isTransientError(err))) {
+                throw err;
+            }
+            // CLI not configured or broken -- proceed with full setup.
+            return {};
+        }
+    }
+    normalizedServerUrl(value) {
+        return value.trim().replace(/\/+$/, "").toLowerCase();
+    }
+    shouldRebuildLocalProfile(status) {
+        if (status.status !== "locked" && status.status !== "unlocked")
+            return false;
+        if (status.serverUrl && this.normalizedServerUrl(status.serverUrl) !== this.normalizedServerUrl(this.serverUrl))
+            return true;
+        if (status.userEmail && status.userEmail.trim().toLowerCase() !== this.email.trim().toLowerCase())
+            return true;
+        return false;
+    }
+    sessionTokenFromLoginOutput(loginOutput) {
+        try {
+            const parsed = JSON.parse(loginOutput);
+            return typeof parsed.access_token === "string" && parsed.access_token.trim()
+                ? parsed.access_token.trim()
+                : loginOutput.trim();
+        }
+        catch {
+            return loginOutput.trim();
+        }
+    }
+    async loginWithPassword() {
+        try {
+            return await this.execBwWithPasswordEnv(["login", this.email, "--raw"]);
+        }
+        catch (error) {
+            const err = error;
+            if (!isBwAlreadyLoggedInError(err))
+                throw err;
+            return this.execBwWithPasswordEnv(["unlock", "--raw"]);
+        }
+    }
+    forgetLocalSyncMarker() {
+        if (!this.appDataDir)
+            return;
+        try {
+            fs.rmSync(path.join(this.appDataDir, BW_SYNC_MARKER_FILENAME), { force: true });
+        }
+        catch {
+            // A stale sync marker is only a cache hint; failure to remove it should not block auth repair.
+        }
+    }
+    async logoutLocalProfile(reason, status, cause) {
+        this.sessionToken = null;
+        this.structuredItemCache = null;
+        this.forgetLocalSyncMarker();
+        (0, runtime_1.emitNervesEvent)({
+            level: "warn",
+            event: "repertoire.bw_local_profile_rebuild",
+            component: "repertoire",
+            message: "rebuilding local bw profile for agent vault",
+            meta: {
+                email: this.email,
+                serverUrl: this.serverUrl,
+                reason,
+                /* v8 ignore next -- defensive: every profile rebuild path starts from a locked/unlocked bw status @preserve */
+                previousStatus: status.status ?? "unknown",
+                previousServerUrl: status.serverUrl ?? null,
+                previousUserEmail: status.userEmail ?? null,
+                /* v8 ignore next -- defensive: internal rebuild callers pass Error or undefined causes @preserve */
+                error: cause instanceof Error ? cause.message : cause ? String(cause) : undefined,
+            },
+        });
+        try {
+            await this.execBw(["logout"]);
+        }
+        catch (error) {
+            const err = error;
+            if (isBwLoggedOutOrUnauthenticatedError(err))
+                return;
+            (0, runtime_1.emitNervesEvent)({
+                level: "warn",
+                event: "repertoire.bw_local_profile_logout_failed",
+                component: "repertoire",
+                message: "failed to logout local bw profile before rebuild",
+                meta: { email: this.email, serverUrl: this.serverUrl, error: err.message },
+            });
+        }
+    }
+    async rebuildLocalProfile(reason, status, cause) {
+        await this.logoutLocalProfile(reason, status, cause);
+        await this.execBw(["config", "server", this.serverUrl]);
+        this.sessionToken = this.sessionTokenFromLoginOutput(await this.loginWithPassword());
+    }
+    async execWithLocalProfileRebuild(reason, status, operation) {
+        try {
+            return await operation();
+        }
+        catch (error) {
+            const err = error;
+            if (!isBwInvalidUnlockSecretMessage(err.message))
+                throw err;
+            await this.rebuildLocalProfile(reason, status, err);
+            /* v8 ignore next -- defensive: rebuildLocalProfile always stores a string session token on success @preserve */
+            return this.sessionToken ?? "";
+        }
+    }
+    async ensureSession() {
+        if (!this.sessionToken) {
+            await this.login();
+        }
+        /* v8 ignore next -- defensive: login() always sets sessionToken on success @preserve */
+        return this.sessionToken ?? undefined;
+    }
+    async withSessionRetry(operation) {
+        let attemptedFreshSession = false;
+        while (true) {
+            const session = await this.ensureSession();
+            try {
+                return await operation(session);
+            }
+            catch (error) {
+                const err = error;
+                if (attemptedFreshSession || !isBwSessionAuthError(err)) {
+                    throw err;
+                }
+                this.sessionToken = null;
+                this.structuredItemCache = null;
+                attemptedFreshSession = true;
+            }
+        }
+    }
+    async withTransientRetry(operation) {
+        let lastError;
+        for (let attempt = 0; attempt < TRANSIENT_MAX_RETRIES; attempt++) {
+            try {
+                return await operation();
+            }
+            catch (err) {
+                /* v8 ignore next -- defensive: operation always throws Error instances @preserve */
+                lastError = err instanceof Error ? err : new Error(String(err));
+                if (!isTransientError(lastError)) {
+                    throw lastError;
+                }
+                if (attempt === TRANSIENT_MAX_RETRIES - 1)
+                    break;
+                const backoffMs = TRANSIENT_RETRY_BASE_MS * Math.pow(2, attempt);
+                (0, runtime_1.emitNervesEvent)({
+                    event: "repertoire.bw_transient_retry",
+                    component: "repertoire",
+                    message: `transient bw error, retrying in ${backoffMs}ms`,
+                    meta: { attempt: attempt + 1, backoffMs, reason: lastError.message },
+                });
+                await delay(backoffMs);
+            }
+        }
+        throw lastError;
+    }
+    async get(domain) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_get_start",
+            component: "repertoire",
+            message: `getting credential via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+        const item = await this.withTransientRetry(() => this.withSessionRetry((session) => this.findItemByDomain(domain, session, { preferExactStructured: true })));
+        if (!item) {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_credential_get_end",
+                component: "repertoire",
+                message: `no bw credential for ${domain}`,
+                meta: { domain, found: false, backend: "bitwarden" },
+            });
+            return null;
+        }
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_get_end",
+            component: "repertoire",
+            message: `bw credential found for ${domain}`,
+            meta: { domain, found: true, backend: "bitwarden" },
+        });
+        return {
+            domain: item.name,
+            username: item.login?.username,
+            notes: item.notes ?? undefined,
+            createdAt: item.revisionDate ?? new Date().toISOString(),
+        };
+    }
+    async getRawSecret(domain, field) {
+        const item = await this.withTransientRetry(() => this.withSessionRetry((session) => this.findItemByDomain(domain, session, { preferExactStructured: true })));
+        if (!item) {
+            throw new Error(`no credential found for domain "${domain}"`);
+        }
+        // Map common field names to bw item structure
+        let value;
+        if (field === "password") {
+            value = item.login?.password;
+        }
+        else if (field === "username") {
+            value = item.login?.username;
+        }
+        else {
+            value = item[field];
+        }
+        if (value === undefined || value === null) {
+            throw new Error(`field "${field}" not found for domain "${domain}"`);
+        }
+        return String(value);
+    }
+    async store(domain, data) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_store_start",
+            component: "repertoire",
+            message: `storing credential via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+        await this.withSessionRetry(async (session) => {
+            const existing = await this.findItemByDomain(domain, session);
+            const item = {
+                ...(existing ?? {}),
+                type: 1, // Login type
+                name: domain,
+                login: {
+                    username: data.username ?? "",
+                    password: data.password,
+                    uris: [{ match: null, uri: `https://${domain}` }],
+                },
+                notes: data.notes ?? null,
+            };
+            const encoded = Buffer.from(JSON.stringify(item)).toString("base64");
+            this.structuredItemCache = null;
+            let savedItem;
+            if (existing) {
+                const stdout = await this.execBw(["edit", "item", existing.id], session, encoded);
+                const savedItemId = parseBwItemId(stdout) ?? existing.id;
+                savedItem = await this.findItemById(savedItemId, session);
+            }
+            else {
+                const stdout = await this.execBw(["create", "item"], session, encoded);
+                const savedItemId = parseBwItemId(stdout);
+                savedItem = savedItemId
+                    ? await this.findItemById(savedItemId, session)
+                    : await this.findItemByDomain(domain, session);
+            }
+            this.assertStoredCredentialMatches(domain, data, savedItem);
+        });
+        this.structuredItemCache = null;
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_store_end",
+            component: "repertoire",
+            message: `credential stored via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+    }
+    async list() {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_list_start",
+            component: "repertoire",
+            message: "listing bw credentials",
+            meta: { backend: "bitwarden" },
+        });
+        const stdout = await this.withTransientRetry(() => this.withSessionRetry((session) => this.execBw(["list", "items"], session)));
+        const items = parseBwItems(stdout, "bw list items");
+        const results = items.map((item) => ({
+            domain: item.name,
+            username: item.login?.username,
+            notes: item.notes ?? undefined,
+            createdAt: item.revisionDate ?? new Date().toISOString(),
+        }));
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_list_end",
+            component: "repertoire",
+            message: "bw credentials listed",
+            meta: { backend: "bitwarden", count: results.length },
+        });
+        return results;
+    }
+    async delete(domain) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_delete_start",
+            component: "repertoire",
+            message: `deleting credential via bw for ${domain}`,
+            meta: { domain, backend: "bitwarden" },
+        });
+        const item = await this.withSessionRetry((session) => this.findItemByDomain(domain, session));
+        if (!item) {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.bw_credential_delete_end",
+                component: "repertoire",
+                message: `no bw credential to delete for ${domain}`,
+                meta: { domain, deleted: false, backend: "bitwarden" },
+            });
+            return false;
+        }
+        await this.withSessionRetry((session) => this.execBw(["delete", "item", item.id], session));
+        this.structuredItemCache = null;
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.bw_credential_delete_end",
+            component: "repertoire",
+            message: `credential deleted via bw for ${domain}`,
+            meta: { domain, deleted: true, backend: "bitwarden" },
+        });
+        return true;
+    }
+    // --- Private ---
+    async findItemByDomain(domain, session, options = {}) {
+        if (options.preferExactStructured && shouldUseStructuredItemLookup(domain)) {
+            return this.findStructuredItemByName(domain, session);
+        }
+        if (shouldUseFullListForStructuredLookup(domain, this.appDataDir)) {
+            const items = await this.readStructuredItemCache(session);
+            return items.get(domain) ?? null;
+        }
+        const stdout = await this.execBw(["list", "items", "--search", domain], session);
+        const items = parseBwItems(stdout, "bw list items --search");
+        // Find exact match by name
+        return items.find((item) => item.name === domain) ?? null;
+    }
+    async findStructuredItemByName(domain, session) {
+        try {
+            const stdout = await this.execBw(["get", "item", domain], session);
+            const item = parseBwItem(stdout, "bw get item");
+            return item.name === domain ? item : null;
+        }
+        catch (error) {
+            /* v8 ignore next -- defensive: execBw rejects with Error instances @preserve */
+            const err = error instanceof Error ? error : new Error(String(error));
+            if (isBwItemNotFoundError(err))
+                return null;
+            throw err;
+        }
+    }
+    shouldSyncVaultAfterSession(status) {
+        if (status.status === "unauthenticated" || !status.status)
+            return true;
+        if (!this.appDataDir)
+            return true;
+        const freshnessTimestamp = this.latestLocalSyncTimestamp();
+        if (freshnessTimestamp !== null) {
+            return Date.now() - freshnessTimestamp > BW_SYNC_FRESH_MS;
+        }
+        return true;
+    }
+    latestLocalSyncTimestamp() {
+        const files = [BW_SYNC_MARKER_FILENAME, BW_DATA_FILENAME];
+        let latest = null;
+        for (const name of files) {
+            try {
+                const mtimeMs = fs.statSync(path.join(this.appDataDir, name)).mtimeMs;
+                latest = latest === null ? mtimeMs : Math.max(latest, mtimeMs);
+            }
+            catch {
+                // Missing freshness file is fine; use any other available timestamp.
+            }
+        }
+        return latest;
+    }
+    writeSyncMarker() {
+        if (!this.appDataDir)
+            return;
+        try {
+            fs.writeFileSync(path.join(this.appDataDir, BW_SYNC_MARKER_FILENAME), `${Date.now()}\n`, { mode: 0o600 });
+        }
+        catch {
+            // If the marker cannot be written, fall back to syncing next time.
+        }
+    }
+    async findItemById(id, session) {
+        const stdout = await this.execBw(["get", "item", id], session);
+        return parseBwItem(stdout, "bw get item");
+    }
+    async readStructuredItemCache(session) {
+        if (this.structuredItemCache)
+            return this.structuredItemCache;
+        const stdout = await this.execBw(["list", "items"], session);
+        const items = parseBwItems(stdout, "bw list items");
+        this.structuredItemCache = new Map(items.map((item) => [item.name, item]));
+        return this.structuredItemCache;
+    }
+    assertStoredCredentialMatches(domain, data, item) {
+        if (!item) {
+            throw new Error(`bw CLI error: credential save verification failed for ${domain}: saved item could not be read back after write`);
+        }
+        const mismatches = [];
+        if (item.name !== domain)
+            mismatches.push("name");
+        if ((item.login?.username ?? "") !== (data.username ?? ""))
+            mismatches.push("username");
+        if ((item.login?.password ?? "") !== data.password)
+            mismatches.push("password");
+        if ((item.notes ?? null) !== (data.notes ?? null))
+            mismatches.push("notes");
+        if (mismatches.length > 0) {
+            const label = mismatches.length === 1 ? "field" : "fields";
+            throw new Error(`bw CLI error: credential save verification failed for ${domain}: saved item did not match requested ${label} ${mismatches.join(", ")}`);
+        }
+    }
+}
+exports.BitwardenCredentialStore = BitwardenCredentialStore;