@ouro.bot/cli 0.1.0-alpha.653 → 0.1.0-alpha.654

package/dist/senses/pipeline.js

@@ -188,6 +188,16 @@ function emitObligationTransitionEpisodes(agentRoot, preTurnObligationIds, postT
 function providerLaneForChannel(channel) {
     return channel === "inner" ? "inner" : "outward";
 }
+function latestUserAuthoredText(messages, continuityIngressTexts) {
+    const ingress = continuityIngressTexts?.map((entry) => entry.trim()).filter(Boolean);
+    if (ingress?.length)
+        return ingress[ingress.length - 1];
+    const userMessages = messages
+        .filter((message) => message.role === "user")
+        .map((message) => typeof message.content === "string" ? message.content.trim() : "")
+        .filter(Boolean);
+    return userMessages[userMessages.length - 1];
+}
 function resolveCurrentFailoverBinding(agentName, lane) {
     const agentRoot = (0, identity_1.getAgentRoot)();
     const { config: agentConfig } = (0, auth_flow_1.readAgentConfigForAgent)(agentName, path.dirname(agentRoot));
@@ -676,6 +686,8 @@ async function handleInboundTurn(input) {
         }
         // Step 5: runAgent
         const existingToolContext = input.runAgentOptions?.toolContext;
+        const currentUserMessage = existingToolContext?.currentUserMessage
+            ?? latestUserAuthoredText(input.messages, input.continuityIngressTexts);
         const runAgentOptions = {
             ...input.runAgentOptions,
             ...(orientationFrame ? { orientationFrame } : {}),
@@ -702,6 +714,7 @@ async function handleInboundTurn(input) {
                 /* v8 ignore next -- default no-op signin satisfies interface; real signin injected by sense adapter @preserve */
                 signin: async () => undefined,
                 ...existingToolContext,
+                ...(currentUserMessage ? { currentUserMessage } : {}),
                 context: resolvedContext,
                 friendStore: input.friendStore,
                 currentSession,

package/dist/senses/shared-turn.js

@@ -199,7 +199,16 @@ async function runSenseTurn(options) {
     // Otherwise, resolve as a local user (same pattern as CLI sense).
     const isUuid = /^[0-9a-f]{8}-[0-9a-f]{4}-/.test(friendId);
     let resolverParams;
-    if (isUuid) {
+    if (options.identity) {
+        resolverParams = {
+            provider: options.identity.provider,
+            externalId: options.identity.externalId,
+            displayName: options.identity.displayName,
+            channel,
+            ...(options.identity.tenantId ? { tenantId: options.identity.tenantId } : {}),
+        };
+    }
+    else if (isUuid) {
         const existingFriend = await friendStore.get(friendId);
         if (existingFriend) {
             // Use the friend's first external ID for resolver context
@@ -298,7 +307,7 @@ async function runSenseTurn(options) {
     // Run the pipeline
     const userMsg = { role: "user", content: userMessage };
     (0, session_events_1.stampIngressTime)(userMsg);
-    await (0, pipeline_1.handleInboundTurn)({
+    const turnResult = await (0, pipeline_1.handleInboundTurn)({
         channel,
         latencyMode: options.latencyMode,
         sessionKey,
@@ -319,14 +328,19 @@ async function runSenseTurn(options) {
         /* v8 ignore stop */
         pendingDir,
         friendStore,
-        provider: "local",
-        externalId: friendId,
+        provider: resolverParams.provider,
+        externalId: resolverParams.externalId,
+        tenantId: resolverParams.tenantId,
         enforceTrustGate: trust_gate_1.enforceTrustGate,
         drainPending: pending_1.drainPending,
         runAgentOptions: {
             mcpManager,
             ...(options.latencyMode === "live" ? { skipKeptNotes: true } : {}),
-            ...(options.toolContext ? { toolContext: options.toolContext } : {}),
+            toolContext: {
+                signin: async () => undefined,
+                ...(options.toolContext ? options.toolContext : {}),
+                currentUserMessage: userMessage,
+            },
         },
         /* v8 ignore start — delegation wrappers; these just forward to the real functions */
         runAgent: (msgs, cb, ch, sig, opts) => (0, core_1.runAgent)(msgs, cb, ch, sig, opts),
@@ -338,6 +352,17 @@ async function runSenseTurn(options) {
         /* v8 ignore stop */
         accumulateFriendTokens: tokens_1.accumulateFriendTokens,
     });
+    if (turnResult.gateResult && !turnResult.gateResult.allowed) {
+        const blockedResponse = "autoReply" in turnResult.gateResult
+            ? turnResult.gateResult.autoReply
+            : `(blocked by trust gate: ${turnResult.gateResult.reason})`;
+        return {
+            response: blockedResponse,
+            ponderDeferred: false,
+            deliveries,
+            deliveryFailures,
+        };
+    }
     await deliverPending(terminalDeliveryKind, { throwOnError: false });
     const ponderDeferred = false;
     // Build response

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.653",
+  "version": "0.1.0-alpha.654",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",

package/skills/agent-commerce.md

@@ -10,14 +10,16 @@ For services with direct API access: Duffel flights, LiteAPI hotels.
 
 1. Search using the API tool (`flight_search`, LiteAPI MCP)
 2. Present options to the human with prices and details
-3. Human approves a specific option and price
-4. Book using the API tool with passenger data from `user_profile_get`
-5. Create a single-use virtual card via `stripe_create_card`
-6. Complete payment through the API
-7. Deactivate the card via `stripe_deactivate_card`
-8. Confirm booking to the human
+3. Create a checkout preview with `commerce_checkout_preview` for the exact merchant, item, amount, currency, allowed tool, and exact tool constraints
+4. Human approves in a new message that exactly equals the preview's `confirmationMessage`, including checkout id, digest, merchant, amount, currency, allowed tool, and constraints
+5. Commit the preview with `commerce_checkout_commit`; then call the approved payment or booking tool with the exact amount, currency, and constraints from the preview. Ouro consumes the matching authority without exposing a bearer token in the transcript.
+6. Book using the API tool with passenger data from `user_profile_get`
+7. Create a single-use virtual card via `stripe_create_card` when needed
+8. Complete payment through the API
+9. Deactivate the card via `stripe_deactivate_card`
+10. Confirm booking to the human and record/read back the receipt with `commerce_receipt_get`
 
-**Key tools**: `flight_search`, `flight_book`, `flight_cancel`, `user_profile_get`, `user_profile_store`, `stripe_create_card`, `stripe_deactivate_card`, `stripe_list_cards`
+**Key tools**: `commerce_checkout_preview`, `commerce_checkout_commit`, `commerce_receipt_get`, `flight_search`, `flight_book`, `flight_cancel`, `user_profile_get`, `user_profile_store`, `stripe_create_card`, `stripe_deactivate_card`, `stripe_list_cards`
 
 ### Pattern B: Browser (Best-Effort)
 
@@ -26,9 +28,10 @@ For sites without API access, use browser automation via Playwright MCP.
 1. Navigate to the booking site
 2. Search for the requested service
 3. Fill forms using data from `user_profile_get`
-4. Use a virtual card from `stripe_create_card` for payment
-5. If blocked by anti-bot measures, fall back to Pattern C
-6. Complete and confirm the booking
+4. Create and commit a checkout preview before entering payment details
+5. Use a virtual card from `stripe_create_card` for payment
+6. If blocked by anti-bot measures, fall back to Pattern C
+7. Complete and confirm the booking
 
 **Limitations**: Browser automation is fragile. Sites may block, layouts change, CAPTCHAs appear. Always have Pattern C as fallback.
 
@@ -52,6 +55,10 @@ For sites that block automation or require complex human interaction.
 
 Default is Level 1. Level changes require explicit human approval.
 
+## Commerce Authority
+
+Money-moving tools (`stripe_create_card`, `flight_hold`, `flight_book`) require a one-use confirmed commerce authority. This is the local AP2-compatible primitive: an exact mandate record with merchant, amount, currency, allowed tool, exact tool constraints, reason, digest, expiry, confirmation, reservation/attempt/consumption state, and access log. `commerce_checkout_commit` confirms the authority but does not reveal a live bearer token to the model; the runtime reserves the one matching confirmed authority under a checkout lock, marks it attempted before crossing an external provider boundary, and consumes it only after the successful side effect is verified. A pre-attempt validation failure can release the reservation; an attempted Stripe/Duffel call stays non-replayable so ambiguous provider failures cannot create duplicate cards or bookings. Stripe card authority must include exact `type` and `merchant_categories` constraints so the card is counterparty/category-bound. If the tool, amount, currency, offer id, card type, merchant category, or other constraint changes, create a new preview and get a new confirmation.
+
 ## Error Handling
 
 ### Price Change Guard