@ouro.bot/cli 0.1.0-alpha.9 → 0.1.0-alpha.91

package/dist/repertoire/tools-bluebubbles.js

@@ -0,0 +1,93 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bluebubblesToolDefinitions = void 0;
+const runtime_1 = require("../nerves/runtime");
+exports.bluebubblesToolDefinitions = [
+    {
+        tool: {
+            type: "function",
+            function: {
+                name: "bluebubbles_set_reply_target",
+                description: "choose where the current iMessage turn should land. use this when you want to widen back to top-level or route your update into a specific active thread in the same chat.",
+                parameters: {
+                    type: "object",
+                    properties: {
+                        target: {
+                            type: "string",
+                            enum: ["current_lane", "top_level", "thread"],
+                            description: "current_lane mirrors the current inbound lane, top_level answers in the main chat, and thread targets a specific active thread.",
+                        },
+                        threadOriginatorGuid: {
+                            type: "string",
+                            description: "required when target=thread; use one of the thread ids surfaced in the inbound iMessage context.",
+                        },
+                    },
+                    required: ["target"],
+                },
+            },
+        },
+        handler: (args, ctx) => {
+            const target = typeof args.target === "string" ? args.target.trim() : "";
+            const controller = ctx?.bluebubblesReplyTarget;
+            if (!controller) {
+                (0, runtime_1.emitNervesEvent)({
+                    level: "warn",
+                    component: "tools",
+                    event: "tool.error",
+                    message: "bluebubbles reply target missing controller",
+                    meta: { target },
+                });
+                return "bluebubbles reply targeting is not available in this context.";
+            }
+            if (target === "current_lane") {
+                const result = controller.setSelection({ target: "current_lane" });
+                (0, runtime_1.emitNervesEvent)({
+                    component: "tools",
+                    event: "tool.end",
+                    message: "bluebubbles reply target updated",
+                    meta: { target: "current_lane", success: true },
+                });
+                return result;
+            }
+            if (target === "top_level") {
+                const result = controller.setSelection({ target: "top_level" });
+                (0, runtime_1.emitNervesEvent)({
+                    component: "tools",
+                    event: "tool.end",
+                    message: "bluebubbles reply target updated",
+                    meta: { target: "top_level", success: true },
+                });
+                return result;
+            }
+            if (target === "thread") {
+                const threadOriginatorGuid = typeof args.threadOriginatorGuid === "string" ? args.threadOriginatorGuid.trim() : "";
+                if (!threadOriginatorGuid) {
+                    (0, runtime_1.emitNervesEvent)({
+                        level: "warn",
+                        component: "tools",
+                        event: "tool.error",
+                        message: "bluebubbles reply target missing thread id",
+                        meta: { target: "thread" },
+                    });
+                    return "threadOriginatorGuid is required when target=thread.";
+                }
+                const result = controller.setSelection({ target: "thread", threadOriginatorGuid });
+                (0, runtime_1.emitNervesEvent)({
+                    component: "tools",
+                    event: "tool.end",
+                    message: "bluebubbles reply target updated",
+                    meta: { target: "thread", success: true },
+                });
+                return result;
+            }
+            (0, runtime_1.emitNervesEvent)({
+                level: "warn",
+                component: "tools",
+                event: "tool.error",
+                message: "bluebubbles reply target invalid target",
+                meta: { target },
+            });
+            return "target must be one of: current_lane, top_level, thread.";
+        },
+    },
+];

package/dist/repertoire/tools-teams.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.teamsToolHandlers = exports.teamsTools = exports.teamsToolDefinitions = void 0;
+exports.teamsToolDefinitions = void 0;
 exports.summarizeTeamsArgs = summarizeTeamsArgs;
 const graph_client_1 = require("./graph-client");
 const ado_client_1 = require("./ado-client");
@@ -11,16 +11,6 @@ const graph_endpoints_json_1 = __importDefault(require("./data/graph-endpoints.j
 const ado_endpoints_json_1 = __importDefault(require("./data/ado-endpoints.json"));
 const runtime_1 = require("../nerves/runtime");
 const MUTATE_METHODS = ["POST", "PATCH", "DELETE"];
-// Map HTTP method to authority action name for canWrite() checks
-const METHOD_TO_ACTION = {
-    POST: "createWorkItem",
-    PATCH: "updateWorkItem",
-    DELETE: "deleteWorkItem",
-};
-// Check if a tool response indicates a 403 PERMISSION_DENIED (authority checker removed; this is now a no-op kept for call-site stability)
-function checkAndRecord403(_result, _integration, _scope, _action, _ctx) {
-    // No-op: AuthorityChecker eliminated. 403 recording removed.
-}
 const DEFAULT_ADO_QUERY = "SELECT [System.Id], [System.Title], [System.State], [System.AssignedTo] FROM WorkItems WHERE [System.AssignedTo] = @Me AND [System.State] <> 'Closed' ORDER BY [System.ChangedDate] DESC";
 exports.teamsToolDefinitions = [
     // -- Generic Graph tools --
@@ -82,7 +72,7 @@ exports.teamsToolDefinitions = [
             type: "function",
             function: {
                 name: "ado_query",
-                description: "GET or POST (for WIQL read queries) any Azure DevOps API endpoint. Use ado_docs first to look up the correct path.",
+                description: "GET or POST (for WIQL read queries) any Azure DevOps API endpoint. Use ado_docs first to look up the correct path and host.",
                 parameters: {
                     type: "object",
                     properties: {
@@ -90,6 +80,7 @@ exports.teamsToolDefinitions = [
                         path: { type: "string", description: "ADO API path after /{org}, e.g. /_apis/wit/wiql" },
                         method: { type: "string", enum: ["GET", "POST"], description: "HTTP method (defaults to GET)" },
                         body: { type: "string", description: "JSON request body (optional, used with POST for WIQL)" },
+                        host: { type: "string", description: "API host override for non-standard APIs (e.g. 'vsapm.dev.azure.com' for entitlements, 'vssps.dev.azure.com' for users). Omit for standard dev.azure.com." },
                     },
                     required: ["organization", "path"],
                 },
@@ -100,9 +91,7 @@ exports.teamsToolDefinitions = [
                 return "AUTH_REQUIRED:ado -- I need access to Azure DevOps. Please sign in when prompted.";
             }
             const method = args.method || "GET";
-            const result = await (0, ado_client_1.adoRequest)(ctx.adoToken, method, args.organization, args.path, args.body);
-            checkAndRecord403(result, "ado", args.organization, method, ctx);
-            return result;
+            return (0, ado_client_1.adoRequest)(ctx.adoToken, method, args.organization, args.path, args.body, args.host);
         },
         integration: "ado",
     },
@@ -111,7 +100,7 @@ exports.teamsToolDefinitions = [
             type: "function",
             function: {
                 name: "ado_mutate",
-                description: "POST/PATCH/DELETE any Azure DevOps API endpoint for actual mutations. Use ado_docs first to look up the correct path.",
+                description: "POST/PATCH/DELETE any Azure DevOps API endpoint for actual mutations. Use ado_docs first to look up the correct path and host.",
                 parameters: {
                     type: "object",
                     properties: {
@@ -119,6 +108,7 @@ exports.teamsToolDefinitions = [
                         organization: { type: "string", description: "Azure DevOps organization name" },
                         path: { type: "string", description: "ADO API path after /{org}" },
                         body: { type: "string", description: "JSON request body (optional)" },
+                        host: { type: "string", description: "API host override for non-standard APIs (e.g. 'vsapm.dev.azure.com' for entitlements, 'vssps.dev.azure.com' for users). Omit for standard dev.azure.com." },
                     },
                     required: ["method", "organization", "path"],
                 },
@@ -131,11 +121,7 @@ exports.teamsToolDefinitions = [
             if (!MUTATE_METHODS.includes(args.method)) {
                 return `Invalid method "${args.method}". Must be one of: ${MUTATE_METHODS.join(", ")}`;
             }
-            /* v8 ignore next -- fallback unreachable: method is validated against MUTATE_METHODS above @preserve */
-            const action = METHOD_TO_ACTION[args.method] || args.method;
-            const result = await (0, ado_client_1.adoRequest)(ctx.adoToken, args.method, args.organization, args.path, args.body);
-            checkAndRecord403(result, "ado", args.organization, action, ctx);
-            return result;
+            return (0, ado_client_1.adoRequest)(ctx.adoToken, args.method, args.organization, args.path, args.body, args.host);
         },
         integration: "ado",
         confirmationRequired: true,
@@ -201,6 +187,53 @@ exports.teamsToolDefinitions = [
         },
         integration: "ado",
     },
+    // -- Proactive messaging --
+    {
+        tool: {
+            type: "function",
+            function: {
+                name: "teams_send_message",
+                description: "send a proactive 1:1 Teams message to a user. requires their AAD object ID (use graph_query /users to find it). the message appears as coming from the bot.",
+                parameters: {
+                    type: "object",
+                    properties: {
+                        user_id: { type: "string", description: "AAD object ID of the user to message" },
+                        user_name: { type: "string", description: "display name of the user (for logging)" },
+                        message: { type: "string", description: "message text to send" },
+                        tenant_id: { type: "string", description: "tenant ID (optional, defaults to current conversation tenant)" },
+                    },
+                    required: ["user_id", "message"],
+                },
+            },
+        },
+        /* v8 ignore start -- proactive messaging requires live Teams SDK conversation client @preserve */
+        handler: async (args, ctx) => {
+            if (!ctx?.botApi) {
+                return "proactive messaging is not available -- no bot API context (this tool only works in the Teams channel)";
+            }
+            try {
+                const tenantId = args.tenant_id || ctx.tenantId;
+                // Cast to the SDK's ConversationClient shape (kept as `unknown` in ToolContext to avoid type coupling)
+                const conversations = ctx.botApi.conversations;
+                const conversation = await conversations.create({
+                    bot: { id: ctx.botApi.id },
+                    members: [{ id: args.user_id, role: "user", name: args.user_name || args.user_id }],
+                    tenantId,
+                    isGroup: false,
+                });
+                await conversations.activities(conversation.id).create({
+                    type: "message",
+                    text: args.message,
+                });
+                return `message sent to ${args.user_name || args.user_id}`;
+            }
+            catch (e) {
+                return `failed to send proactive message: ${e instanceof Error ? e.message : String(e)}`;
+            }
+        },
+        /* v8 ignore stop */
+        confirmationRequired: true,
+    },
     // -- Documentation tools --
     {
         tool: {
@@ -243,10 +276,6 @@ exports.teamsToolDefinitions = [
         integration: "ado",
     },
 ];
-// Backward-compat: extract just the OpenAI tool schemas
-exports.teamsTools = exports.teamsToolDefinitions.map((d) => d.tool);
-// Backward-compat: extract just the handlers by name
-exports.teamsToolHandlers = Object.fromEntries(exports.teamsToolDefinitions.map((d) => [d.tool.function.name, d.handler]));
 function searchEndpoints(entries, query) {
     (0, runtime_1.emitNervesEvent)({
         component: "repertoire",
@@ -268,6 +297,8 @@ function searchEndpoints(entries, query) {
             `  ${e.description}`,
             `  Params: ${e.params || "none"}`,
         ];
+        if (e.host)
+            lines.push(`  Host: ${e.host}`);
         if (e.scopes)
             lines.push(`  Scopes: ${e.scopes}`);
         return lines.join("\n");
@@ -304,5 +335,7 @@ function summarizeTeamsArgs(name, args) {
         return summarizeKeyValues(["query"]);
     if (name === "ado_docs")
         return summarizeKeyValues(["query"]);
+    if (name === "teams_send_message")
+        return summarizeKeyValues(["user_name", "user_id"]);
     return undefined;
 }

package/dist/repertoire/tools.js

@@ -1,29 +1,38 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.teamsTools = exports.finalAnswerTool = exports.tools = void 0;
+exports.goInwardTool = exports.noResponseTool = exports.finalAnswerTool = exports.tools = void 0;
 exports.getToolsForChannel = getToolsForChannel;
 exports.isConfirmationRequired = isConfirmationRequired;
 exports.execTool = execTool;
 exports.summarizeArgs = summarizeArgs;
 const tools_base_1 = require("./tools-base");
 const tools_teams_1 = require("./tools-teams");
+const tools_bluebubbles_1 = require("./tools-bluebubbles");
 const ado_semantic_1 = require("./ado-semantic");
 const tools_github_1 = require("./tools-github");
 const runtime_1 = require("../nerves/runtime");
+const guardrails_1 = require("./guardrails");
+const identity_1 = require("../heart/identity");
+const safe_workspace_1 = require("../heart/safe-workspace");
+function safeGetAgentRoot() {
+    try {
+        return (0, identity_1.getAgentRoot)();
+    }
+    catch {
+        return undefined;
+    }
+}
 // Re-export types and constants used by the rest of the codebase
 var tools_base_2 = require("./tools-base");
 Object.defineProperty(exports, "tools", { enumerable: true, get: function () { return tools_base_2.tools; } });
 Object.defineProperty(exports, "finalAnswerTool", { enumerable: true, get: function () { return tools_base_2.finalAnswerTool; } });
-var tools_teams_2 = require("./tools-teams");
-Object.defineProperty(exports, "teamsTools", { enumerable: true, get: function () { return tools_teams_2.teamsTools; } });
+Object.defineProperty(exports, "noResponseTool", { enumerable: true, get: function () { return tools_base_2.noResponseTool; } });
+Object.defineProperty(exports, "goInwardTool", { enumerable: true, get: function () { return tools_base_2.goInwardTool; } });
 // All tool definitions in a single registry
-const allDefinitions = [...tools_base_1.baseToolDefinitions, ...tools_teams_1.teamsToolDefinitions, ...ado_semantic_1.adoSemanticToolDefinitions, ...tools_github_1.githubToolDefinitions];
-const REMOTE_BLOCKED_LOCAL_TOOLS = new Set(["shell", "read_file", "write_file", "git_commit", "gh_cli"]);
-function baseToolsForCapabilities(capabilities) {
-    const isRemoteChannel = capabilities?.channel === "teams" || capabilities?.channel === "bluebubbles";
-    if (!isRemoteChannel)
-        return tools_base_1.tools;
-    return tools_base_1.tools.filter((tool) => !REMOTE_BLOCKED_LOCAL_TOOLS.has(tool.function.name));
+const allDefinitions = [...tools_base_1.baseToolDefinitions, ...tools_bluebubbles_1.bluebubblesToolDefinitions, ...tools_teams_1.teamsToolDefinitions, ...ado_semantic_1.adoSemanticToolDefinitions, ...tools_github_1.githubToolDefinitions];
+function baseToolsForCapabilities() {
+    // Use baseToolDefinitions at call time so dynamically-added tools are included
+    return tools_base_1.baseToolDefinitions.map((d) => d.tool);
 }
 // Apply a single tool preference to a tool schema, returning a new object.
 function applyPreference(tool, pref) {
@@ -35,32 +44,55 @@ function applyPreference(tool, pref) {
         },
     };
 }
+// Filter out tools whose requiredCapability is not in the provider's capability set.
+// Uses baseToolDefinitions at call time so dynamically-added tools are included.
+// Only base tools can have requiredCapability (integration tools do not).
+function filterByCapability(toolList, providerCapabilities) {
+    return toolList.filter((tool) => {
+        const def = tools_base_1.baseToolDefinitions.find((d) => d.tool.function.name === tool.function.name);
+        if (!def?.requiredCapability)
+            return true;
+        return providerCapabilities?.has(def.requiredCapability) === true;
+    });
+}
 // Return the appropriate tools list based on channel capabilities.
 // Base tools (no integration) are always included.
 // Teams/integration tools are included only if their integration is in availableIntegrations.
 // When toolPreferences is provided, matching preferences are appended to tool descriptions.
-function getToolsForChannel(capabilities, toolPreferences) {
-    const baseTools = baseToolsForCapabilities(capabilities);
+// When providerCapabilities is provided, tools with requiredCapability are filtered.
+function getToolsForChannel(capabilities, toolPreferences, _context, providerCapabilities) {
+    const baseTools = baseToolsForCapabilities();
+    const bluebubblesTools = capabilities?.channel === "bluebubbles"
+        ? tools_bluebubbles_1.bluebubblesToolDefinitions.map((d) => d.tool)
+        : [];
+    let result;
     if (!capabilities || capabilities.availableIntegrations.length === 0) {
-        return baseTools;
-    }
-    const available = new Set(capabilities.availableIntegrations);
-    const integrationDefs = [...tools_teams_1.teamsToolDefinitions, ...ado_semantic_1.adoSemanticToolDefinitions, ...tools_github_1.githubToolDefinitions].filter((d) => d.integration && available.has(d.integration));
-    if (!toolPreferences || Object.keys(toolPreferences).length === 0) {
-        return [...baseTools, ...integrationDefs.map((d) => d.tool)];
+        result = [...baseTools, ...bluebubblesTools];
     }
-    // Build a map of integration -> preference text for fast lookup
-    const prefMap = new Map();
-    for (const [key, value] of Object.entries(toolPreferences)) {
-        prefMap.set(key, value);
+    else {
+        const available = new Set(capabilities.availableIntegrations);
+        const channelDefs = [...tools_teams_1.teamsToolDefinitions, ...ado_semantic_1.adoSemanticToolDefinitions, ...tools_github_1.githubToolDefinitions];
+        // Include tools whose integration is available, plus channel tools with no integration gate (e.g. teams_send_message)
+        const integrationDefs = channelDefs.filter((d) => d.integration ? available.has(d.integration) : capabilities.channel === "teams");
+        if (!toolPreferences || Object.keys(toolPreferences).length === 0) {
+            result = [...baseTools, ...bluebubblesTools, ...integrationDefs.map((d) => d.tool)];
+        }
+        else {
+            // Build a map of integration -> preference text for fast lookup
+            const prefMap = new Map();
+            for (const [key, value] of Object.entries(toolPreferences)) {
+                prefMap.set(key, value);
+            }
+            // Apply preferences to matching integration tools (new objects, no mutation)
+            // d.integration is guaranteed truthy -- integrationDefs are pre-filtered above
+            const enrichedIntegrationTools = integrationDefs.map((d) => {
+                const pref = prefMap.get(d.integration);
+                return pref ? applyPreference(d.tool, pref) : d.tool;
+            });
+            result = [...baseTools, ...bluebubblesTools, ...enrichedIntegrationTools];
+        }
     }
-    // Apply preferences to matching integration tools (new objects, no mutation)
-    // d.integration is guaranteed truthy -- integrationDefs are pre-filtered above
-    const enrichedIntegrationTools = integrationDefs.map((d) => {
-        const pref = prefMap.get(d.integration);
-        return pref ? applyPreference(d.tool, pref) : d.tool;
-    });
-    return [...baseTools, ...enrichedIntegrationTools];
+    return filterByCapability(result, providerCapabilities);
 }
 // Check whether a tool requires user confirmation before execution.
 // Reads from ToolDefinition.confirmationRequired instead of a separate Set.
@@ -68,12 +100,21 @@ function isConfirmationRequired(toolName) {
     const def = allDefinitions.find((d) => d.tool.function.name === toolName);
     return def?.confirmationRequired === true;
 }
+function normalizeGuardArgs(name, args) {
+    if ((name === "read_file" || name === "write_file" || name === "edit_file") && args.path) {
+        return {
+            ...args,
+            path: (0, safe_workspace_1.resolveSafeRepoPath)({ requestedPath: args.path }).resolvedPath,
+        };
+    }
+    return args;
+}
 async function execTool(name, args, ctx) {
     (0, runtime_1.emitNervesEvent)({
         event: "tool.start",
         component: "tools",
         message: "tool execution started",
-        meta: { name },
+        meta: { name, ...(name === "shell" && args.command ? { command: args.command } : {}) },
     });
     // Look up from combined registry
     const def = allDefinitions.find((d) => d.tool.function.name === name);
@@ -87,17 +128,23 @@ async function execTool(name, args, ctx) {
         });
         return `unknown: ${name}`;
     }
-    const isRemoteChannel = ctx?.context?.channel?.channel === "teams" || ctx?.context?.channel?.channel === "bluebubbles";
-    if (isRemoteChannel && REMOTE_BLOCKED_LOCAL_TOOLS.has(name)) {
-        const message = "I can't do that from here because I'm talking to multiple people in a shared remote channel, and local shell/file/git/gh operations could let conversations interfere with each other. Ask me for a remote-safe alternative (Graph/ADO/web), or run that operation from CLI.";
+    // Guardrail check: structural + trust-level
+    const guardContext = {
+        readPaths: tools_base_1.editFileReadTracker,
+        trustLevel: ctx?.context?.friend?.trustLevel,
+        agentRoot: safeGetAgentRoot(),
+    };
+    const guardArgs = normalizeGuardArgs(name, args);
+    const guardResult = (0, guardrails_1.guardInvocation)(name, guardArgs, guardContext);
+    if (!guardResult.allowed) {
         (0, runtime_1.emitNervesEvent)({
             level: "warn",
-            event: "tool.error",
+            event: "tool.guardrail_block",
             component: "tools",
-            message: "blocked local tool in remote channel",
-            meta: { name, channel: ctx?.context?.channel?.channel },
+            message: "guardrail blocked tool execution",
+            meta: { name, reason: guardResult.reason },
         });
-        return message;
+        return guardResult.reason;
     }
     try {
         const result = await def.handler(args, ctx);
@@ -152,34 +199,30 @@ function summarizeArgs(name, args) {
     // Base tools
     if (name === "read_file" || name === "write_file")
         return summarizeKeyValues(args, ["path"]);
-    if (name === "shell")
-        return summarizeKeyValues(args, ["command"]);
-    if (name === "list_directory")
+    if (name === "edit_file")
         return summarizeKeyValues(args, ["path"]);
-    if (name === "git_commit")
-        return summarizeKeyValues(args, ["message"]);
-    if (name === "gh_cli")
+    if (name === "glob")
+        return summarizeKeyValues(args, ["pattern", "cwd"]);
+    if (name === "grep")
+        return summarizeKeyValues(args, ["pattern", "path", "include"]);
+    if (name === "shell")
         return summarizeKeyValues(args, ["command"]);
     if (name === "load_skill")
         return summarizeKeyValues(args, ["name"]);
-    if (name === "task_create")
-        return summarizeKeyValues(args, ["title", "type", "category"]);
-    if (name === "task_update_status")
-        return summarizeKeyValues(args, ["name", "status"]);
-    if (name === "task_board_status")
-        return summarizeKeyValues(args, ["status"]);
-    if (name === "task_board_action")
-        return summarizeKeyValues(args, ["scope"]);
-    if (name === "task_board" || name === "task_board_deps" || name === "task_board_sessions")
-        return "";
     if (name === "coding_spawn")
         return summarizeKeyValues(args, ["runner", "workdir", "taskRef"]);
     if (name === "coding_status")
         return summarizeKeyValues(args, ["sessionId"]);
+    if (name === "coding_tail")
+        return summarizeKeyValues(args, ["sessionId"]);
     if (name === "coding_send_input")
         return summarizeKeyValues(args, ["sessionId", "input"]);
     if (name === "coding_kill")
         return summarizeKeyValues(args, ["sessionId"]);
+    if (name === "bluebubbles_set_reply_target")
+        return summarizeKeyValues(args, ["target", "threadOriginatorGuid"]);
+    if (name === "set_reasoning_effort")
+        return summarizeKeyValues(args, ["level"]);
     if (name === "claude")
         return summarizeKeyValues(args, ["prompt"]);
     if (name === "web_search")
@@ -193,7 +236,17 @@ function summarizeArgs(name, args) {
     if (name === "save_friend_note") {
         return summarizeKeyValues(args, ["type", "key", "content"]);
     }
+    if (name === "bridge_manage")
+        return summarizeKeyValues(args, ["action", "bridgeId", "objective", "friendId", "channel", "key"]);
     if (name === "ado_backlog_list")
         return summarizeKeyValues(args, ["organization", "project"]);
+    if (name === "ado_batch_update")
+        return summarizeKeyValues(args, ["organization", "project"]);
+    if (name === "ado_create_epic" || name === "ado_create_issue")
+        return summarizeKeyValues(args, ["organization", "project", "title"]);
+    if (name === "ado_move_items")
+        return summarizeKeyValues(args, ["organization", "project", "workItemIds"]);
+    if (name === "ado_restructure_backlog")
+        return summarizeKeyValues(args, ["organization", "project"]);
     return summarizeUnknownArgs(args);
 }