@ouro.bot/cli 0.1.0-alpha.659 → 0.1.0-alpha.660

package/changelog.json

@@ -1,6 +1,13 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.660",
+      "changes": [
+        "Add `ouro mcp-serve --workbench-mcp [<path>]` so Ouro Workbench injects its `ouro_workbench` MCP into the boss agent's turn at runtime — merged per-turn and per-agent in the daemon with no cross-agent leak — instead of writing a machine-specific entry into the git-synced agent bundle.",
+        "Drop the Workbench MCP bundle-write from the boss path (the explicit `ouro connect workbench` opt-in escape hatch is unchanged) and update the agent self-model copy so the boss understands it receives `ouro_workbench` via runtime injection rather than treating the missing bundle entry as a blocked or trust-level state."
+      ]
+    },
     {
       "version": "0.1.0-alpha.659",
       "changes": [

package/dist/heart/daemon/cli-exec.js

@@ -46,6 +46,7 @@ exports.mergeStartupStability = mergeStartupStability;
 exports.ensureDaemonRunning = ensureDaemonRunning;
 exports.listGithubCopilotModels = listGithubCopilotModels;
 exports.checkManualCloneBundles = checkManualCloneBundles;
+exports.resolveWorkbenchRuntimeMcp = resolveWorkbenchRuntimeMcp;
 exports.resolveMailImportFilePath = resolveMailImportFilePath;
 exports.runOuroCli = runOuroCli;
 const child_process_1 = require("child_process");
@@ -2540,6 +2541,28 @@ function findInstalledWorkbenchMcp(deps, preferred) {
     ];
     return candidates.find((candidate) => cliPathExists(deps, candidate)) ?? null;
 }
+/**
+ * Resolve the `--workbench-mcp [<path>]` flag into a per-turn runtime MCP
+ * override for the `ouro mcp-serve` bridge, or null when the flag is absent /
+ * unresolvable.
+ *
+ * - `undefined` (flag not passed) → null (no runtime injection).
+ * - `true` (bare opt-in) → self-discover the installed OuroWorkbenchMCP.
+ * - a string path → use it if it exists, otherwise fall back to discovery
+ *   (treating the string as the preferred candidate).
+ *
+ * Returns `{ ouro_workbench: { command, args: [] } }` so the daemon merges it
+ * into the boss agent's toolset for the turn without writing to agent.json.
+ */
+function resolveWorkbenchRuntimeMcp(flag, deps) {
+    if (flag === undefined)
+        return null;
+    const preferred = typeof flag === "string" ? flag : null;
+    const command = findInstalledWorkbenchMcp(deps, preferred);
+    if (!command)
+        return null;
+    return { ouro_workbench: { command, args: [] } };
+}
 function writeWorkbenchMcpRegistration(agent, executablePath, deps) {
     const { configPath } = (0, auth_flow_1.readAgentConfigForAgent)(agent, deps.bundlesRoot);
     enableAgentSense(agent, "workbench", deps);
@@ -2758,6 +2781,14 @@ async function buildConnectMenu(agent, deps, onProgress) {
         installedWorkbenchMcp
             ? `OuroWorkbenchMCP found: ${installedWorkbenchMcp}`
             : "OuroWorkbenchMCP not found in ~/Applications or /Applications",
+        // Runtime injection is the boss's normal path: the Workbench app launches
+        // its boss with `ouro mcp-serve --workbench-mcp`, which injects the
+        // ouro_workbench MCP per-turn without any agent.json entry. A blank/“not
+        // registered” bundle state above is expected for a runtime-only boss; this
+        // `connect workbench` command only writes a persistent entry as an opt-in.
+        installedWorkbenchMcp
+            ? "boss runtime injection: when the Workbench app launches this agent it injects ouro_workbench per-turn; an agent.json entry is not required (this command writes one as an opt-in escape hatch)."
+            : "boss runtime injection: install Ouro Workbench.app so the app can inject ouro_workbench per-turn when it launches this agent as boss (no agent.json entry required).",
     ];
     const entries = [
         {
@@ -6674,19 +6705,28 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
         const { createMcpServer } = await Promise.resolve().then(() => __importStar(require("../mcp/mcp-server")));
         const friendId = command.friendId ?? `local-${os.userInfo().username}`;
         const mcpSocketPath = command.socketOverride ?? deps.socketPath;
+        // Resolve the optional --workbench-mcp flag into a concrete runtime MCP
+        // override. A string is taken as the explicit binary path (falling back to
+        // discovery if it does not exist); a boolean opt-in (true) self-discovers
+        // the installed OuroWorkbenchMCP. The resolved override is forwarded by the
+        // bridge on every senseTurn and merged per-turn in the daemon — nothing is
+        // written to agent.json.
+        const workbenchMcpFlag = command.workbenchMcp;
+        const runtimeMcp = resolveWorkbenchRuntimeMcp(workbenchMcpFlag, deps);
         const server = createMcpServer({
             agent: command.agent,
             friendId,
             socketPath: mcpSocketPath,
             stdin: process.stdin,
             stdout: process.stdout,
+            ...(runtimeMcp ? { runtimeMcp } : {}),
         });
         server.start();
         (0, runtime_1.emitNervesEvent)({
             component: "daemon",
             event: "daemon.mcp_serve_started",
             message: "MCP server started via CLI",
-            meta: { agent: command.agent, friendId },
+            meta: { agent: command.agent, friendId, workbenchRuntimeMcp: !!runtimeMcp },
         });
         // Keep process alive until stdin closes
         await new Promise((resolve) => {

package/dist/heart/daemon/cli-parse.js

@@ -1293,6 +1293,11 @@ function parseMcpServeCommand(args) {
     let agent;
     let friendId;
     let socketOverride;
+    // Optional runtime Workbench MCP injection. The path is OPTIONAL: when a
+    // concrete path follows the flag it is carried verbatim; when the flag stands
+    // alone (or is immediately followed by another `--flag`) it is a boolean
+    // opt-in and the daemon self-discovers the installed OuroWorkbenchMCP binary.
+    let workbenchMcp;
     for (let i = 0; i < args.length; i++) {
         if (args[i] === "--agent" && args[i + 1]) {
             agent = args[++i];
@@ -1306,10 +1311,26 @@ function parseMcpServeCommand(args) {
             socketOverride = args[++i];
             continue;
         }
+        if (args[i] === "--workbench-mcp") {
+            const next = args[i + 1];
+            if (next && !next.startsWith("--")) {
+                workbenchMcp = args[++i];
+            }
+            else {
+                workbenchMcp = true;
+            }
+            continue;
+        }
     }
     if (!agent)
         throw new Error("mcp-serve requires --agent <name>");
-    return { kind: "mcp-serve", agent, ...(friendId ? { friendId } : {}), ...(socketOverride ? { socketOverride } : {}) };
+    return {
+        kind: "mcp-serve",
+        agent,
+        ...(friendId ? { friendId } : {}),
+        ...(socketOverride ? { socketOverride } : {}),
+        ...(workbenchMcp !== undefined ? { workbenchMcp } : {}),
+    };
 }
 function parseSetupCommand(args) {
     let tool;

package/dist/heart/daemon/daemon.js

@@ -472,6 +472,10 @@ async function handleAgentSenseTurn(command, runtime) {
             friendId: command.friendId,
             userMessage: command.message,
             ...(runtime?.socketPath ? { toolContext: { daemonSocketPath: runtime.socketPath } } : {}),
+            // Per-turn, per-agent runtime MCP injection (e.g. Workbench's ouro_workbench).
+            // Scoped to THIS turn only — never stored as module state, so a concurrent
+            // turn for a different agent cannot inherit these servers.
+            ...(command.runtimeMcp ? { runtimeMcpServers: command.runtimeMcp } : {}),
         });
         return {
             ok: true,

package/dist/heart/mcp/mcp-server.js

@@ -165,6 +165,7 @@ function canonicalizeMcpFriendId(agent, rawFriendId) {
 function createMcpServer(options) {
     const { agent, socketPath, stdin, stdout } = options;
     const rawFriendId = options.friendId;
+    const runtimeMcp = options.runtimeMcp;
     const friendId = canonicalizeMcpFriendId(agent, rawFriendId);
     let buffer = "";
     let running = false;
@@ -374,6 +375,9 @@ function createMcpServer(options) {
                 channel: "mcp",
                 sessionKey: sessionId,
                 message,
+                // Forward the resolved runtime MCP override (if any) so the daemon merges
+                // it into this agent's toolset for the turn. Per-turn parameter data only.
+                ...(runtimeMcp ? { runtimeMcp } : {}),
             });
             /* v8 ignore next -- branch: ?? fallback for empty daemon response @preserve */
             const text = response.message ?? "(empty response)";

package/dist/heart/turn-context.js

@@ -213,7 +213,15 @@ function readSenseStatusLines() {
         },
         {
             label: "Workbench",
-            status: !senses.workbench.enabled ? "disabled" : configured.workbench ? "ready" : "needs_config",
+            // Workbench can be injected at runtime (the Workbench app spawns
+            // `ouro mcp-serve --workbench-mcp` for its boss) with NO agent.json entry.
+            // A disabled/needs_config row here does NOT mean the tools are absent —
+            // the authoritative signal is whether `workbench_*` tools are in the
+            // toolset this turn. The annotation prevents the agent from misreading the
+            // row as "blocked".
+            status: !senses.workbench.enabled
+                ? "disabled (runtime-injected when launched by Workbench app)"
+                : configured.workbench ? "ready" : "needs_config",
         },
     ];
     return rows.map((row) => `- ${row.label}: ${row.status}`);

package/dist/mind/prompt.js

@@ -492,7 +492,15 @@ function localSenseStatusLines() {
         },
         {
             label: "Workbench",
-            status: !senses.workbench.enabled ? "disabled" : configured.workbench ? "ready" : "needs_config",
+            // Workbench can be injected at runtime (the Workbench app spawns
+            // `ouro mcp-serve --workbench-mcp` for its boss) with NO agent.json entry.
+            // A disabled/needs_config row here does NOT mean the tools are absent —
+            // the authoritative signal is whether `workbench_*` tools are in the
+            // toolset this turn. The annotation prevents the agent from misreading the
+            // row as "blocked".
+            status: !senses.workbench.enabled
+                ? "disabled (runtime-injected when launched by Workbench app)"
+                : configured.workbench ? "ready" : "needs_config",
         },
     ];
     return rows.map((row) => `- ${row.label}: ${row.status}`);
@@ -512,7 +520,7 @@ function senseRuntimeGuidance(channel, preReadStatusLines) {
     lines.push("teams setup truth: run `ouro connect teams --agent <agent>` from the connect bay; it stores Teams runtime/config fields and enables `senses.teams.enabled`.");
     lines.push("bluebubbles setup truth: run `ouro connect bluebubbles --agent <agent>` from the connect bay; it stores this machine's BlueBubbles URL/password/listener config in the agent vault machine runtime item.");
     lines.push("a2a setup truth: run `ouro connect a2a --agent <agent>` to enable the A2A sense, `ouro a2a card --agent <agent> --base-url <public-url>` to publish an agent card, and `ouro a2a onboard --agent <agent> --card-url <peer-card-url>` to add a peer as an agent friend. A2A uses the existing friend trust model, not a separate trust registry.");
-    lines.push("workbench setup truth: Ouro Workbench is the local machine sense for terminal/TUI agents. Enabling it means `agent.json` has `senses.workbench.enabled=true` and an `mcpServers.ouro_workbench` entry pointing at the installed `OuroWorkbenchMCP` executable. The boss observes and queues auditable Workbench actions through `workbench_status`, `workbench_sense`, `workbench_transcript_tail`, `workbench_search_transcripts`, `workbench_recovery_drill`, and `workbench_request_action`; raw provider secrets remain in the agent vault, and Apple notarization is unrelated to local use.");
+    lines.push("workbench setup truth: Ouro Workbench is the local machine sense for terminal/TUI agents. When the Workbench app launches me as its boss it injects the `ouro_workbench` MCP into my turn at runtime (it spawns `ouro mcp-serve --agent <me> --workbench-mcp`), so I receive the tools for the served session without any `agent.json` `mcpServers.ouro_workbench` entry — nothing is written to the bundle, so this stays path-free and cross-machine clean. The authoritative signal that Workbench is active is simply that the `workbench_*` tools are present in my toolset this turn; the sense table or `agent.json` may still read as disabled/needs_config because no bundle entry exists, and that is expected under runtime injection — I do NOT treat that as blocked or as a trust-level problem. I observe and queue auditable Workbench actions through `workbench_status`, `workbench_sense`, `workbench_transcript_tail`, `workbench_search_transcripts`, `workbench_recovery_drill`, and `workbench_request_action`; raw provider secrets remain in the agent vault, and Apple notarization is unrelated to local use. The explicit `ouro connect workbench --agent <me>` command still writes a persistent bundle entry as an opt-in escape hatch, but the boss does not need it.");
     lines.push("mail setup AX: if a human asks me to set up email, I do not hand them a terminal checklist. I guide the flow end-to-end: name the current phase, run agent-runnable commands myself with shell/tools when available, ask the human only for human-required facts or browser actions, wait for their reply, verify the result, then continue.");
     lines.push("mail setup hard rule: never tell the human to run `ouro account ensure`, `ouro connect mail`, `ouro mail import-mbox`, `ouro status`, or `ouro doctor` for setup. Say what I am about to run, run it myself, and report the result. If my current surface cannot run shell/tools, I ask for a tool-capable Ouro setup session or companion to continue; I do not offload CLI operation to the human.");
     lines.push("mail setup truth: Agent Mail uses Mailroom, not HEY OAuth/IMAP. For the full work substrate account, the agent-runnable command is `ouro account ensure --agent <agent> --owner-email <email> --source hey`; use `ouro connect mail --agent <agent> --owner-email <email> --source hey` for mail-only repair/provisioning, or `--no-delegated-source` for native-only mail. The detailed runbook is `docs/agent-mail-setup.md`.");

package/dist/repertoire/mcp-manager.js

@@ -21,8 +21,17 @@ const RESTART_DELAY_MS = 1000;
  * (re-read on each turn). Both code paths MUST use the same merge logic — if
  * reconcile reads only builtin, plugin servers get classified as "removed"
  * on the second turn and torn down. See alpha.635 fix.
+ *
+ * `runtimeServers` are per-turn, per-agent overrides (e.g. Workbench's
+ * `ouro_workbench`) supplied as PARAMETER data for the current turn — never read
+ * from module state. They merge with the HIGHEST precedence (after builtin), so
+ * a stale `agent.json` entry loses to the live runtime path. Because they are a
+ * parameter, a turn that omits them produces a merged set WITHOUT them, and
+ * `reconcile()` then tears the runtime server down — this is the no-leak
+ * invariant that keeps the runtime MCP from bleeding into a different agent's
+ * concurrent turn on the shared daemon.
  */
-function buildMergedServerConfig() {
+function buildMergedServerConfig(runtimeServers) {
     const config = (0, identity_1.loadAgentConfig)();
     const builtinServers = config.mcpServers ?? {};
     const pluginServers = (0, plugin_mcp_1.listPluginMcpServers)();
@@ -37,6 +46,15 @@ function buildMergedServerConfig() {
     for (const [name, cfg] of Object.entries(builtinServers)) {
         mergedServers[name] = cfg;
     }
+    // Runtime overrides win over both plugin and builtin (highest precedence).
+    // They are NOT recorded in pluginOrigins, so they surface as builtin-style
+    // (un-namespaced) tools — matching how an agent.json mcpServers entry would.
+    if (runtimeServers) {
+        for (const [name, cfg] of Object.entries(runtimeServers)) {
+            mergedServers[name] = cfg;
+            delete pluginOrigins[name];
+        }
+    }
     return { mergedServers, pluginOrigins };
 }
 class McpManager {
@@ -119,14 +137,19 @@ class McpManager {
         }
         return results;
     }
-    /* v8 ignore start — reconcile: dynamic MCP server management, tested via integration @preserve */
     /** Re-read agent config AND enabled-plugin .mcp.json files, then connect new
      *  servers / disconnect removed ones. Must include plugin-declared servers
      *  in the desired set — otherwise plugin servers (e.g. mcp__desk__*) are
-     *  treated as "removed" on every call and get torn down between turns. */
-    async reconcile() {
+     *  treated as "removed" on every call and get torn down between turns.
+     *
+     *  `runtimeServers` are the current turn's per-agent overrides. They MUST be
+     *  passed on every reconcile for the agent that owns them, otherwise the
+     *  runtime server (e.g. ouro_workbench) is classified as "removed" and torn
+     *  down — which is exactly the desired no-leak behavior for a turn that omits
+     *  them. */
+    async reconcile(runtimeServers) {
         try {
-            const { mergedServers, pluginOrigins } = buildMergedServerConfig();
+            const { mergedServers, pluginOrigins } = buildMergedServerConfig(runtimeServers);
             const currentNames = new Set(this.servers.keys());
             const desiredNames = new Set(Object.keys(mergedServers));
             // Connect new servers
@@ -151,6 +174,7 @@ class McpManager {
                         meta: { server: name },
                     });
                     const entry = this.servers.get(name);
+                    /* v8 ignore next -- defensive: name comes from this.servers.keys() this same tick, so entry is always present; the guard only protects against an awaited connectServer crash-handler racing a delete @preserve */
                     if (entry)
                         entry.client.shutdown();
                     this.servers.delete(name);
@@ -167,7 +191,6 @@ class McpManager {
             });
         }
     }
-    /* v8 ignore stop */
     shutdown() {
         this.shuttingDown = true;
         // `_end` (not `_stop`) to pair with `mcp.manager_start` under the
@@ -346,22 +369,30 @@ let _sharedManagerPromise = null;
  * Get or create a shared McpManager instance from the agent's config.
  * Returns null if no mcpServers are configured.
  * Safe to call from multiple senses — will only create one instance.
+ *
+ * `options.runtimeServers` are the current turn's per-agent MCP overrides (e.g.
+ * Workbench's `ouro_workbench`). They are PARAMETER data for this call only —
+ * passed into the merge for both the initial `start()` and every subsequent
+ * `reconcile()`, and never persisted as module state. A call that omits them
+ * reconciles to a set WITHOUT them, tearing any prior runtime server down — the
+ * no-leak invariant for the shared multi-agent daemon.
  */
-async function getSharedMcpManager() {
+async function getSharedMcpManager(options) {
+    const runtimeServers = options?.runtimeServers;
     // If manager exists, reconcile to pick up config changes (new/removed servers)
-    /* v8 ignore start — reconcile on existing manager @preserve */
+    // AND this turn's runtime overrides. Passing runtimeServers per-call is what
+    // scopes the runtime MCP to the active agent's turn.
     if (_sharedManager) {
-        await _sharedManager.reconcile();
+        await _sharedManager.reconcile(runtimeServers);
         return _sharedManager;
     }
-    /* v8 ignore stop */
     /* v8 ignore next -- race guard: deduplicates concurrent initialization calls @preserve */
     if (_sharedManagerPromise)
         return _sharedManagerPromise;
     // Always re-check config — agent may have added servers since last call
     _sharedManagerPromise = (async () => {
         try {
-            const { mergedServers, pluginOrigins } = buildMergedServerConfig();
+            const { mergedServers, pluginOrigins } = buildMergedServerConfig(runtimeServers);
             if (Object.keys(mergedServers).length === 0)
                 return null;
             const manager = new McpManager();

package/dist/senses/shared-turn.js

@@ -230,8 +230,9 @@ async function runSenseTurn(options) {
         resolverParams = { provider: "local", externalId: username, displayName: username, channel };
     }
     const resolver = new resolver_1.FriendResolver(friendStore, resolverParams);
-    // Initialize MCP manager so MCP tools appear as first-class tools in the agent's tool list
-    const mcpManager = await (0, mcp_manager_1.getSharedMcpManager)() ?? undefined;
+    // Initialize MCP manager so MCP tools appear as first-class tools in the agent's tool list.
+    // Runtime MCP servers (e.g. Workbench's ouro_workbench) are passed per-turn for THIS agent only.
+    const mcpManager = await (0, mcp_manager_1.getSharedMcpManager)(options.runtimeMcpServers ? { runtimeServers: options.runtimeMcpServers } : undefined) ?? undefined;
     // Session path and loading
     const sessionDir = path.join(agentRoot, "state", "sessions", friendId, channel);
     fs.mkdirSync(sessionDir, { recursive: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.659",
+  "version": "0.1.0-alpha.660",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",