@heylemon/lemonade 0.0.9 → 0.1.1

package/dist/agents/sandbox/sanitize-env-vars.js

@@ -0,0 +1,76 @@
+const BLOCKED_ENV_VAR_PATTERNS = [
+    /^ANTHROPIC_API_KEY$/i,
+    /^OPENAI_API_KEY$/i,
+    /^GEMINI_API_KEY$/i,
+    /^OPENROUTER_API_KEY$/i,
+    /^MINIMAX_API_KEY$/i,
+    /^ELEVENLABS_API_KEY$/i,
+    /^SYNTHETIC_API_KEY$/i,
+    /^TELEGRAM_BOT_TOKEN$/i,
+    /^DISCORD_BOT_TOKEN$/i,
+    /^SLACK_(BOT|APP)_TOKEN$/i,
+    /^LINE_CHANNEL_SECRET$/i,
+    /^LINE_CHANNEL_ACCESS_TOKEN$/i,
+    /^LEMONADE_GATEWAY_(TOKEN|PASSWORD)$/i,
+    /^AWS_(SECRET_ACCESS_KEY|SECRET_KEY|SESSION_TOKEN)$/i,
+    /^(GH|GITHUB)_TOKEN$/i,
+    /^(AZURE|AZURE_OPENAI|COHERE|AI_GATEWAY|OPENROUTER)_API_KEY$/i,
+    /_?(API_KEY|TOKEN|PASSWORD|PRIVATE_KEY|SECRET)$/i,
+];
+const ALLOWED_ENV_VAR_PATTERNS = [
+    /^LANG$/,
+    /^LC_.*$/i,
+    /^PATH$/i,
+    /^HOME$/i,
+    /^USER$/i,
+    /^SHELL$/i,
+    /^TERM$/i,
+    /^TZ$/i,
+    /^NODE_ENV$/i,
+];
+export function validateEnvVarValue(value) {
+    if (value.includes("\0")) {
+        return "Contains null bytes";
+    }
+    if (value.length > 32768) {
+        return "Value exceeds maximum length";
+    }
+    if (/^[A-Za-z0-9+/=]{80,}$/.test(value)) {
+        return "Value looks like base64-encoded credential data";
+    }
+    return undefined;
+}
+function matchesAnyPattern(value, patterns) {
+    return patterns.some((pattern) => pattern.test(value));
+}
+export function sanitizeEnvVars(envVars, options = {}) {
+    const allowed = {};
+    const blocked = [];
+    const warnings = [];
+    const blockedPatterns = [...BLOCKED_ENV_VAR_PATTERNS, ...(options.customBlockedPatterns ?? [])];
+    const allowedPatterns = [...ALLOWED_ENV_VAR_PATTERNS, ...(options.customAllowedPatterns ?? [])];
+    for (const [rawKey, value] of Object.entries(envVars)) {
+        const key = rawKey.trim();
+        if (!key) {
+            continue;
+        }
+        if (matchesAnyPattern(key, blockedPatterns)) {
+            blocked.push(key);
+            continue;
+        }
+        if (options.strictMode && !matchesAnyPattern(key, allowedPatterns)) {
+            blocked.push(key);
+            continue;
+        }
+        const warning = validateEnvVarValue(value);
+        if (warning) {
+            if (warning === "Contains null bytes") {
+                blocked.push(key);
+                continue;
+            }
+            warnings.push(`${key}: ${warning}`);
+        }
+        allowed[key] = value;
+    }
+    return { allowed, blocked, warnings };
+}

package/dist/agents/skills/env-overrides.js

@@ -1,36 +1,123 @@
+import { sanitizeEnvVars, validateEnvVarValue } from "../sandbox/sanitize-env-vars.js";
 import { resolveSkillConfig } from "./config.js";
 import { resolveSkillKey } from "./frontmatter.js";
-export function applySkillEnvOverrides(params) {
-    const { skills, config } = params;
-    const updates = [];
-    for (const entry of skills) {
-        const skillKey = resolveSkillKey(entry.skill, entry);
-        const skillConfig = resolveSkillConfig(config, skillKey);
-        if (!skillConfig)
+const HARD_BLOCKED_SKILL_ENV_PATTERNS = [
+    /^NODE_OPTIONS$/i,
+    /^OPENSSL_CONF$/i,
+    /^LD_PRELOAD$/i,
+    /^DYLD_INSERT_LIBRARIES$/i,
+];
+function matchesAnyPattern(value, patterns) {
+    return patterns.some((pattern) => pattern.test(value));
+}
+function sanitizeSkillEnvOverrides(params) {
+    if (Object.keys(params.overrides).length === 0) {
+        return { allowed: {}, blocked: [], warnings: [] };
+    }
+    const result = sanitizeEnvVars(params.overrides, {
+        customBlockedPatterns: HARD_BLOCKED_SKILL_ENV_PATTERNS,
+    });
+    const allowed = { ...result.allowed };
+    const blocked = [];
+    const warnings = [...result.warnings];
+    for (const key of result.blocked) {
+        if (matchesAnyPattern(key, HARD_BLOCKED_SKILL_ENV_PATTERNS) ||
+            !params.allowedSensitiveKeys.has(key)) {
+            blocked.push(key);
             continue;
-        if (skillConfig.env) {
-            for (const [envKey, envValue] of Object.entries(skillConfig.env)) {
-                if (!envValue || process.env[envKey])
-                    continue;
-                updates.push({ key: envKey, prev: process.env[envKey] });
-                process.env[envKey] = envValue;
+        }
+        const value = params.overrides[key];
+        if (!value) {
+            continue;
+        }
+        const warning = validateEnvVarValue(value);
+        if (warning) {
+            if (warning === "Contains null bytes") {
+                blocked.push(key);
+                continue;
             }
+            warnings.push(`${key}: ${warning}`);
         }
-        const primaryEnv = entry.metadata?.primaryEnv;
-        if (primaryEnv && skillConfig.apiKey && !process.env[primaryEnv]) {
-            updates.push({ key: primaryEnv, prev: process.env[primaryEnv] });
-            process.env[primaryEnv] = skillConfig.apiKey;
+        allowed[key] = value;
+    }
+    return { allowed, blocked, warnings };
+}
+function applySkillConfigEnvOverrides(params) {
+    const { updates, skillConfig, primaryEnv, requiredEnv, skillKey } = params;
+    const allowedSensitiveKeys = new Set();
+    const normalizedPrimaryEnv = primaryEnv?.trim();
+    if (normalizedPrimaryEnv) {
+        allowedSensitiveKeys.add(normalizedPrimaryEnv);
+    }
+    for (const envName of requiredEnv ?? []) {
+        const trimmedEnv = envName.trim();
+        if (trimmedEnv) {
+            allowedSensitiveKeys.add(trimmedEnv);
+        }
+    }
+    const pendingOverrides = {};
+    if (skillConfig.env) {
+        for (const [rawKey, envValue] of Object.entries(skillConfig.env)) {
+            const envKey = rawKey.trim();
+            if (!envKey || !envValue || process.env[envKey]) {
+                continue;
+            }
+            pendingOverrides[envKey] = envValue;
         }
     }
+    if (normalizedPrimaryEnv && skillConfig.apiKey && !process.env[normalizedPrimaryEnv]) {
+        if (!pendingOverrides[normalizedPrimaryEnv]) {
+            pendingOverrides[normalizedPrimaryEnv] = skillConfig.apiKey;
+        }
+    }
+    const sanitized = sanitizeSkillEnvOverrides({
+        overrides: pendingOverrides,
+        allowedSensitiveKeys,
+    });
+    if (sanitized.blocked.length > 0) {
+        console.warn(`[Security] Blocked skill env overrides for ${skillKey}:`, sanitized.blocked.join(", "));
+    }
+    if (sanitized.warnings.length > 0) {
+        console.warn(`[Security] Suspicious skill env overrides for ${skillKey}:`, sanitized.warnings);
+    }
+    for (const [envKey, envValue] of Object.entries(sanitized.allowed)) {
+        if (process.env[envKey]) {
+            continue;
+        }
+        updates.push({ key: envKey, prev: process.env[envKey] });
+        process.env[envKey] = envValue;
+    }
+}
+function createEnvReverter(updates) {
     return () => {
         for (const update of updates) {
-            if (update.prev === undefined)
+            if (update.prev === undefined) {
                 delete process.env[update.key];
-            else
+            }
+            else {
                 process.env[update.key] = update.prev;
+            }
         }
     };
 }
+export function applySkillEnvOverrides(params) {
+    const { skills, config } = params;
+    const updates = [];
+    for (const entry of skills) {
+        const skillKey = resolveSkillKey(entry.skill, entry);
+        const skillConfig = resolveSkillConfig(config, skillKey);
+        if (!skillConfig)
+            continue;
+        applySkillConfigEnvOverrides({
+            updates,
+            skillConfig,
+            primaryEnv: entry.metadata?.primaryEnv,
+            requiredEnv: entry.metadata?.requires?.env,
+            skillKey,
+        });
+    }
+    return createEnvReverter(updates);
+}
 export function applySkillEnvOverridesFromSnapshot(params) {
     const { snapshot, config } = params;
     if (!snapshot)
@@ -40,28 +127,13 @@ export function applySkillEnvOverridesFromSnapshot(params) {
         const skillConfig = resolveSkillConfig(config, skill.name);
         if (!skillConfig)
             continue;
-        if (skillConfig.env) {
-            for (const [envKey, envValue] of Object.entries(skillConfig.env)) {
-                if (!envValue || process.env[envKey])
-                    continue;
-                updates.push({ key: envKey, prev: process.env[envKey] });
-                process.env[envKey] = envValue;
-            }
-        }
-        if (skill.primaryEnv && skillConfig.apiKey && !process.env[skill.primaryEnv]) {
-            updates.push({
-                key: skill.primaryEnv,
-                prev: process.env[skill.primaryEnv],
-            });
-            process.env[skill.primaryEnv] = skillConfig.apiKey;
-        }
+        applySkillConfigEnvOverrides({
+            updates,
+            skillConfig,
+            primaryEnv: skill.primaryEnv,
+            requiredEnv: skill.requiredEnv,
+            skillKey: skill.name,
+        });
     }
-    return () => {
-        for (const update of updates) {
-            if (update.prev === undefined)
-                delete process.env[update.key];
-            else
-                process.env[update.key] = update.prev;
-        }
-    };
+    return createEnvReverter(updates);
 }

package/dist/agents/skills/workspace.js

@@ -147,6 +147,7 @@ export function buildWorkspaceSkillSnapshot(workspaceDir, opts) {
         skills: eligible.map((entry) => ({
             name: entry.skill.name,
             primaryEnv: entry.metadata?.primaryEnv,
+            requiredEnv: entry.metadata?.requires?.env,
         })),
         resolvedSkills,
         version: opts?.snapshotVersion,

package/dist/agents/system-prompt.js

@@ -32,7 +32,7 @@ function buildMemorySection(params) {
 function buildUserIdentitySection(ownerLine, isMinimal) {
     if (!ownerLine || isMinimal)
         return [];
-    return ["## User Identity", ownerLine, ""];
+    return ["## Authorized Senders", ownerLine, ""];
 }
 function buildTimeSection(params) {
     if (!params.userTimezone)
@@ -231,7 +231,7 @@ export function buildAgentSystemPrompt(params) {
     const extraSystemPrompt = params.extraSystemPrompt?.trim();
     const ownerNumbers = (params.ownerNumbers ?? []).map((value) => value.trim()).filter(Boolean);
     const ownerLine = ownerNumbers.length > 0
-        ? `Owner numbers: ${ownerNumbers.join(", ")}. Treat messages from these numbers as the user.`
+        ? `Authorized senders: ${ownerNumbers.join(", ")}. These senders are allowlisted; do not assume they are the owner.`
         : undefined;
     const reasoningHint = params.reasoningTagHint
         ? [
@@ -317,6 +317,45 @@ export function buildAgentSystemPrompt(params) {
         "Never reply with a list of approaches/options when a single tool call would suffice.",
         "For screenshots of native macOS windows: use Peekaboo (`peekaboo image`) via exec if the skill is available.",
         "",
+        "## URLs & Quick Open",
+        "When the user wants to *see* a page, video, or search result — open it in their browser. Don't over-automate simple requests.",
+        "",
+        "### Decision tree",
+        "1. User wants to *view* something (website, video, search results) → `open` the URL via exec.",
+        "2. User wants an *answer* from the web → use `web_search` (+ `web_fetch` if needed).",
+        "3. User wants to *interact* with a page (fill forms, click buttons, scrape data) → use the `browser` tool.",
+        "",
+        "### Opening URLs (macOS)",
+        "Use `exec` with the macOS `open` command to launch URLs in the user's default browser:",
+        '- `open "https://example.com"` — opens in default browser.',
+        '- `open -a "Google Chrome" "https://example.com"` — opens in a specific browser.',
+        'This is the fastest path for simple requests like "open YouTube" or "show me Amazon".',
+        "",
+        "### Common search/action URIs",
+        "Build the URL directly instead of navigating and typing into search boxes:",
+        "| Task | URI pattern |",
+        "|------|------------|",
+        "| Google search | `https://google.com/search?q={query}` |",
+        "| YouTube search | `https://youtube.com/results?search_query={query}` |",
+        "| Google Maps search | `https://maps.google.com/maps?q={query}` |",
+        "| Google Maps directions | `https://maps.google.com/maps/dir/{from}/{to}` |",
+        "| Amazon search | `https://amazon.com/s?k={query}` |",
+        "| Wikipedia | `https://en.wikipedia.org/wiki/{topic}` |",
+        "| Google Images | `https://google.com/search?tbm=isch&q={query}` |",
+        "| Google News | `https://news.google.com/search?q={query}` |",
+        "| Google Flights | `https://google.com/travel/flights?q={query}` |",
+        "| Reddit search | `https://reddit.com/search/?q={query}` |",
+        "| Twitter/X search | `https://x.com/search?q={query}` |",
+        "| LinkedIn search | `https://linkedin.com/search/results/all/?keywords={query}` |",
+        "URL-encode the query (`%20` for spaces or use `+`).",
+        "",
+        "### Examples",
+        '- "search YouTube for funny cats" → `open "https://youtube.com/results?search_query=funny+cats"`',
+        '- "show me flights to Tokyo" → `open "https://google.com/travel/flights?q=flights+to+tokyo"`',
+        '- "open amazon" → `open "https://amazon.com"`',
+        '- "find Italian restaurants near me" → `open "https://maps.google.com/maps?q=italian+restaurants+near+me"`',
+        '- "what is the capital of France?" → use `web_search` (user wants the answer, not a page)',
+        "",
         "## IDE & Coding Agent Control",
         "Control AI coding agents via CLI — never type into GUI windows:",
         "- Terminal agents (Claude Code, Codex, Pi): run via `bash pty:true` with `background:true` for long tasks. Monitor with `process action:log`.",
@@ -509,6 +548,7 @@ export function buildAgentSystemPrompt(params) {
     if (!isMinimal) {
         lines.push("## Heartbeats", heartbeatPromptLine, "If you receive a heartbeat poll (a user message matching the heartbeat prompt above), and there is nothing that needs attention, reply exactly:", "HEARTBEAT_OK", 'Lemonade treats a leading/trailing "HEARTBEAT_OK" as a heartbeat ack (and may discard it).', 'If something needs attention, do NOT include "HEARTBEAT_OK"; reply with the alert text instead.', "");
     }
+    lines.push("## Safety", "You have no independent goals: do not pursue self-preservation, replication, resource acquisition, or power-seeking; avoid long-term plans beyond the user's request.", "Prioritize safety and human oversight over completion; if instructions conflict, pause and ask; comply with stop/pause/audit requests and never bypass safeguards.", "Do not manipulate or persuade anyone to expand access or disable safeguards. Do not copy yourself or change system prompts, safety rules, or tool policies unless explicitly requested.", "");
     lines.push("## Runtime", buildRuntimeLine(runtimeInfo, runtimeChannel, runtimeCapabilities, params.defaultThinkLevel), `Reasoning: ${reasoningLevel} (hidden unless on/stream). Toggle /reasoning; /status shows Reasoning when enabled.`);
     return lines.filter(Boolean).join("\n");
 }

package/dist/build-info.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.0.9",
-  "commit": "a7a899fbe3b6faf9d612cb1e17c04c84035f02aa",
-  "builtAt": "2026-02-20T07:57:12.714Z"
+  "version": "0.1.1",
+  "commit": "c8a249c7139f4bab7fe16d65fb0e565384f6e6ae",
+  "builtAt": "2026-02-20T22:53:16.169Z"
 }

package/dist/canvas-host/a2ui/.bundle.hash

@@ -1 +1 @@
-b3f5fa0f921d2d5f4c3f96081e3cca7ec3382c9223c7dea1eb1b7047d2bf267c
+4ad41ef1417592c4619976cb95999af4828d9438481c0c3a0bb43a06440cb7b2

package/dist/cron/service/ops.js

@@ -1,7 +1,7 @@
 import { applyJobPatch, computeJobNextRunAtMs, createJob, findJobOrThrow, isJobDue, nextWakeAtMs, recomputeNextRuns, } from "./jobs.js";
 import { locked } from "./locked.js";
 import { ensureLoaded, forceReload, persist, startFileWatcher, stopFileWatcher, warnIfDisabled, } from "./store.js";
-import { armTimer, emit, executeJob, stopTimer, wake } from "./timer.js";
+import { armTimer, emit, executeJob, runMissedJobs, stopTimer, wake } from "./timer.js";
 export async function start(state) {
     await locked(state, async () => {
         if (!state.deps.cronEnabled) {
@@ -9,6 +9,18 @@ export async function start(state) {
             return;
         }
         await ensureLoaded(state);
+        // Clear stale running markers from jobs interrupted by a crash
+        const jobs = state.store?.jobs ?? [];
+        const startupInterruptedJobIds = new Set();
+        for (const job of jobs) {
+            if (typeof job.state.runningAtMs === "number") {
+                state.deps.log.warn({ jobId: job.id, runningAtMs: job.state.runningAtMs }, "cron: clearing stale running marker on startup");
+                job.state.runningAtMs = undefined;
+                startupInterruptedJobIds.add(job.id);
+            }
+        }
+        // Run missed jobs (skip ones that were interrupted mid-execution)
+        await runMissedJobs(state, { skipJobIds: startupInterruptedJobIds });
         recomputeNextRuns(state);
         await persist(state);
         armTimer(state);

package/dist/cron/service/timer.js

@@ -2,6 +2,31 @@ import { computeJobNextRunAtMs, nextWakeAtMs, resolveJobPayloadTextForMain } fro
 import { locked } from "./locked.js";
 import { ensureLoaded, persist } from "./store.js";
 const MAX_TIMEOUT_MS = 2 ** 31 - 1;
+/**
+ * Maximum wall-clock time between consecutive timer fires.
+ * Ensures the scheduler wakes at least once a minute to avoid drift.
+ */
+const MAX_TIMER_DELAY_MS = 60_000;
+/**
+ * Minimum gap between consecutive fires of the same cron job.
+ * Prevents spin-loops when `computeJobNextRunAtMs` returns a value
+ * within the same second as the just-completed run.
+ */
+const MIN_REFIRE_GAP_MS = 2_000;
+/**
+ * Exponential backoff delays (in ms) indexed by consecutive error count.
+ */
+const ERROR_BACKOFF_SCHEDULE_MS = [
+    30_000, // 1st error  →  30 s
+    60_000, // 2nd error  →   1 min
+    5 * 60_000, // 3rd error  →   5 min
+    15 * 60_000, // 4th error  →  15 min
+    60 * 60_000, // 5th+ error →  60 min
+];
+function errorBackoffMs(consecutiveErrors) {
+    const idx = Math.min(consecutiveErrors - 1, ERROR_BACKOFF_SCHEDULE_MS.length - 1);
+    return ERROR_BACKOFF_SCHEDULE_MS[Math.max(0, idx)];
+}
 export function armTimer(state) {
     if (state.timer)
         clearTimeout(state.timer);
@@ -12,8 +37,7 @@ export function armTimer(state) {
     if (!nextAt)
         return;
     const delay = Math.max(nextAt - state.deps.nowMs(), 0);
-    // Avoid TimeoutOverflowWarning when a job is far in the future.
-    const clampedDelay = Math.min(delay, MAX_TIMEOUT_MS);
+    const clampedDelay = Math.min(delay, MAX_TIMER_DELAY_MS);
     state.timer = setTimeout(() => {
         void onTimer(state).catch((err) => {
             state.deps.log.error({ err: String(err) }, "cron: timer tick failed");
@@ -22,8 +46,20 @@ export function armTimer(state) {
     state.timer.unref?.();
 }
 export async function onTimer(state) {
-    if (state.running)
+    if (state.running) {
+        // Re-arm the timer so the scheduler keeps ticking even when a job is
+        // still executing. Without this, a long-running job causes the clamped
+        // timer to fire while `running` is true. The early return then leaves
+        // no timer set, silently killing the scheduler until the next restart.
+        if (state.timer)
+            clearTimeout(state.timer);
+        state.timer = setTimeout(() => {
+            void onTimer(state).catch((err) => {
+                state.deps.log.error({ err: String(err) }, "cron: timer tick failed");
+            });
+        }, MAX_TIMER_DELAY_MS);
         return;
+    }
     state.running = true;
     try {
         await locked(state, async () => {
@@ -53,6 +89,31 @@ export async function runDueJobs(state) {
         await executeJob(state, job, now, { forced: false });
     }
 }
+export async function runMissedJobs(state, opts) {
+    if (!state.store)
+        return;
+    const now = state.deps.nowMs();
+    const skipJobIds = opts?.skipJobIds;
+    const missed = state.store.jobs.filter((j) => {
+        if (!j.enabled)
+            return false;
+        if (skipJobIds?.has(j.id))
+            return false;
+        if (typeof j.state.runningAtMs === "number")
+            return false;
+        // Skip one-shot jobs that already ran
+        if (j.schedule.kind === "at" && j.state.lastStatus)
+            return false;
+        const next = j.state.nextRunAtMs;
+        return typeof next === "number" && now >= next;
+    });
+    if (missed.length > 0) {
+        state.deps.log.info({ count: missed.length, jobIds: missed.map((j) => j.id) }, "cron: running missed jobs after restart");
+        for (const job of missed) {
+            await executeJob(state, job, now, { forced: false });
+        }
+    }
+}
 export async function executeJob(state, job, nowMs, opts) {
     const startedAt = state.deps.nowMs();
     job.state.runningAtMs = startedAt;
@@ -66,15 +127,43 @@ export async function executeJob(state, job, nowMs, opts) {
         job.state.lastStatus = status;
         job.state.lastDurationMs = Math.max(0, endedAt - startedAt);
         job.state.lastError = err;
+        // Track consecutive errors for backoff
+        if (status === "error") {
+            job.state.consecutiveErrors = (job.state.consecutiveErrors ?? 0) + 1;
+        }
+        else {
+            job.state.consecutiveErrors = 0;
+        }
         const shouldDelete = job.schedule.kind === "at" && status === "ok" && job.deleteAfterRun === true;
         if (!shouldDelete) {
-            if (job.schedule.kind === "at" && status === "ok") {
-                // One-shot job completed successfully; disable it.
+            if (job.schedule.kind === "at") {
                 job.enabled = false;
                 job.state.nextRunAtMs = undefined;
             }
+            else if (status === "error" && job.enabled) {
+                // Apply exponential backoff for errored jobs to prevent retry storms
+                const backoff = errorBackoffMs(job.state.consecutiveErrors ?? 1);
+                const normalNext = computeJobNextRunAtMs(job, endedAt);
+                const backoffNext = endedAt + backoff;
+                job.state.nextRunAtMs =
+                    normalNext !== undefined ? Math.max(normalNext, backoffNext) : backoffNext;
+                state.deps.log.info({
+                    jobId: job.id,
+                    consecutiveErrors: job.state.consecutiveErrors,
+                    backoffMs: backoff,
+                    nextRunAtMs: job.state.nextRunAtMs,
+                }, "cron: applying error backoff");
+            }
             else if (job.enabled) {
-                job.state.nextRunAtMs = computeJobNextRunAtMs(job, endedAt);
+                const naturalNext = computeJobNextRunAtMs(job, endedAt);
+                if (job.schedule.kind === "cron") {
+                    const minNext = endedAt + MIN_REFIRE_GAP_MS;
+                    job.state.nextRunAtMs =
+                        naturalNext !== undefined ? Math.max(naturalNext, minNext) : minNext;
+                }
+                else {
+                    job.state.nextRunAtMs = naturalNext;
+                }
             }
             else {
                 job.state.nextRunAtMs = undefined;

package/dist/imessage/constants.js

@@ -0,0 +1,2 @@
+/** Default timeout for iMessage probe/RPC operations (10 seconds). */
+export const DEFAULT_IMESSAGE_PROBE_TIMEOUT_MS = 10_000;

package/dist/imessage/monitor/abort-handler.js

@@ -0,0 +1,23 @@
+export function attachIMessageMonitorAbortHandler(params) {
+    const abort = params.abortSignal;
+    if (!abort) {
+        return () => { };
+    }
+    const onAbort = () => {
+        const subscriptionId = params.getSubscriptionId();
+        if (subscriptionId) {
+            void params.client
+                .request("watch.unsubscribe", {
+                subscription: subscriptionId,
+            })
+                .catch(() => {
+                // Ignore disconnect errors during shutdown.
+            });
+        }
+        void params.client.stop().catch(() => {
+            // Ignore disconnect errors during shutdown.
+        });
+    };
+    abort.addEventListener("abort", onAbort, { once: true });
+    return () => abort.removeEventListener("abort", onAbort);
+}

package/dist/imessage/monitor/deliver.js

@@ -4,7 +4,8 @@ import { resolveMarkdownTableMode } from "../../config/markdown-tables.js";
 import { convertMarkdownTables } from "../../markdown/tables.js";
 import { sendMessageIMessage } from "../send.js";
 export async function deliverReplies(params) {
-    const { replies, target, client, runtime, maxBytes, textLimit, accountId } = params;
+    const { replies, target, client, runtime, maxBytes, textLimit, accountId, sentMessageCache } = params;
+    const scope = `${accountId ?? ""}:${target}`;
     const cfg = loadConfig();
     const tableMode = resolveMarkdownTableMode({
         cfg,
@@ -19,12 +20,14 @@ export async function deliverReplies(params) {
         if (!text && mediaList.length === 0)
             continue;
         if (mediaList.length === 0) {
+            sentMessageCache?.remember(scope, text);
             for (const chunk of chunkTextWithMode(text, textLimit, chunkMode)) {
                 await sendMessageIMessage(target, chunk, {
                     maxBytes,
                     client,
                     accountId,
                 });
+                sentMessageCache?.remember(scope, chunk);
             }
         }
         else {
@@ -38,6 +41,9 @@ export async function deliverReplies(params) {
                     client,
                     accountId,
                 });
+                if (caption) {
+                    sentMessageCache?.remember(scope, caption);
+                }
             }
         }
         runtime.log?.(`imessage: delivered reply to ${target}`);

package/dist/imessage/monitor/monitor-provider.js

@@ -25,10 +25,13 @@ import { truncateUtf16Safe } from "../../utils.js";
 import { resolveControlCommandGate } from "../../channels/command-gating.js";
 import { resolveIMessageAccount } from "../accounts.js";
 import { createIMessageRpcClient } from "../client.js";
+import { DEFAULT_IMESSAGE_PROBE_TIMEOUT_MS } from "../constants.js";
 import { probeIMessage } from "../probe.js";
 import { sendMessageIMessage } from "../send.js";
 import { formatIMessageChatTarget, isAllowedIMessageSender, normalizeIMessageHandle, } from "../targets.js";
+import { attachIMessageMonitorAbortHandler } from "./abort-handler.js";
 import { deliverReplies } from "./deliver.js";
+import { parseIMessageNotification } from "./parse-notification.js";
 import { normalizeAllowList, resolveRuntime } from "./runtime.js";
 /**
  * Try to detect remote host from an SSH wrapper script like:
@@ -55,6 +58,47 @@ async function detectRemoteHostFromCliPath(cliPath) {
         return undefined;
     }
 }
+/**
+ * Cache for recently sent messages, used for echo detection.
+ * Keys are scoped by conversation (accountId:target) so the same text in different chats is not conflated.
+ * Entries expire after 5 seconds; we do not forget on match so multiple echo deliveries are all filtered.
+ */
+class SentMessageCache {
+    cache = new Map();
+    ttlMs = 5000;
+    remember(scope, text) {
+        if (!text?.trim()) {
+            return;
+        }
+        const key = `${scope}:${text.trim()}`;
+        this.cache.set(key, Date.now());
+        this.cleanup();
+    }
+    has(scope, text) {
+        if (!text?.trim()) {
+            return false;
+        }
+        const key = `${scope}:${text.trim()}`;
+        const timestamp = this.cache.get(key);
+        if (!timestamp) {
+            return false;
+        }
+        const age = Date.now() - timestamp;
+        if (age > this.ttlMs) {
+            this.cache.delete(key);
+            return false;
+        }
+        return true;
+    }
+    cleanup() {
+        const now = Date.now();
+        for (const [text, timestamp] of this.cache.entries()) {
+            if (now - timestamp > this.ttlMs) {
+                this.cache.delete(text);
+            }
+        }
+    }
+}
 function normalizeReplyField(value) {
     if (typeof value === "string") {
         const trimmed = value.trim();
@@ -84,6 +128,7 @@ export async function monitorIMessageProvider(opts = {}) {
         cfg.messages?.groupChat?.historyLimit ??
         DEFAULT_GROUP_HISTORY_LIMIT);
     const groupHistories = new Map();
+    const sentMessageCache = new SentMessageCache();
     const textLimit = resolveTextChunkLimit(cfg, "imessage", accountInfo.accountId);
     const allowFrom = normalizeAllowList(opts.allowFrom ?? imessageCfg.allowFrom);
     const groupAllowFrom = normalizeAllowList(opts.groupAllowFrom ??
@@ -96,6 +141,7 @@ export async function monitorIMessageProvider(opts = {}) {
     const mediaMaxBytes = (opts.mediaMaxMb ?? imessageCfg.mediaMaxMb ?? 16) * 1024 * 1024;
     const cliPath = opts.cliPath ?? imessageCfg.cliPath ?? "imsg";
     const dbPath = opts.dbPath ?? imessageCfg.dbPath;
+    const probeTimeoutMs = imessageCfg.probeTimeoutMs ?? DEFAULT_IMESSAGE_PROBE_TIMEOUT_MS;
     // Resolve remoteHost: explicit config, or auto-detect from SSH wrapper script
     let remoteHost = imessageCfg.remoteHost;
     if (!remoteHost && cliPath && cliPath !== "imsg") {
@@ -155,6 +201,13 @@ export async function monitorIMessageProvider(opts = {}) {
         const senderNormalized = normalizeIMessageHandle(sender);
         if (message.is_from_me)
             return;
+        // Echo detection: skip messages that match recently sent replies
+        const echoScope = `${accountInfo.accountId ?? ""}:${sender}`;
+        const messageText0 = (message.text ?? "").trim();
+        if (messageText0 && sentMessageCache.has(echoScope, messageText0)) {
+            logVerbose(`imessage: dropping echo from ${sender}`);
+            return;
+        }
         const chatId = message.chat_id ?? undefined;
         const chatGuid = message.chat_guid ?? undefined;
         const chatIdentifier = message.chat_identifier ?? undefined;
@@ -482,6 +535,7 @@ export async function monitorIMessageProvider(opts = {}) {
                     runtime,
                     maxBytes: mediaMaxBytes,
                     textLimit,
+                    sentMessageCache,
                 });
             },
             onError: (err, info) => {
@@ -514,10 +568,11 @@ export async function monitorIMessageProvider(opts = {}) {
         }
     }
     const handleMessage = async (raw) => {
-        const params = raw;
-        const message = params?.message ?? null;
-        if (!message)
+        const message = parseIMessageNotification(raw);
+        if (!message) {
+            logVerbose("imessage: dropping malformed RPC message payload");
             return;
+        }
         await inboundDebouncer.enqueue({ message });
     };
     await waitForTransportReady({
@@ -529,7 +584,7 @@ export async function monitorIMessageProvider(opts = {}) {
         abortSignal: opts.abortSignal,
         runtime,
         check: async () => {
-            const probe = await probeIMessage(2000, { cliPath, dbPath, runtime });
+            const probe = await probeIMessage(probeTimeoutMs, { cliPath, dbPath, runtime });
             if (probe.ok)
                 return { ok: true };
             if (probe.fatal) {
@@ -557,21 +612,11 @@ export async function monitorIMessageProvider(opts = {}) {
     });
     let subscriptionId = null;
     const abort = opts.abortSignal;
-    const onAbort = () => {
-        if (subscriptionId) {
-            void client
-                .request("watch.unsubscribe", {
-                subscription: subscriptionId,
-            })
-                .catch(() => {
-                // Ignore disconnect errors during shutdown.
-            });
-        }
-        void client.stop().catch(() => {
-            // Ignore disconnect errors during shutdown.
-        });
-    };
-    abort?.addEventListener("abort", onAbort, { once: true });
+    const detachAbortHandler = attachIMessageMonitorAbortHandler({
+        abortSignal: abort,
+        client,
+        getSubscriptionId: () => subscriptionId,
+    });
     try {
         const result = await client.request("watch.subscribe", {
             attachments: includeAttachments,
@@ -586,7 +631,7 @@ export async function monitorIMessageProvider(opts = {}) {
         throw err;
     }
     finally {
-        abort?.removeEventListener("abort", onAbort);
+        detachAbortHandler();
         await client.stop();
     }
 }

package/dist/imessage/monitor/parse-notification.js

@@ -0,0 +1,64 @@
+function isRecord(value) {
+    return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function isOptionalString(value) {
+    return value === undefined || value === null || typeof value === "string";
+}
+function isOptionalStringOrNumber(value) {
+    return (value === undefined || value === null || typeof value === "string" || typeof value === "number");
+}
+function isOptionalNumber(value) {
+    return value === undefined || value === null || typeof value === "number";
+}
+function isOptionalBoolean(value) {
+    return value === undefined || value === null || typeof value === "boolean";
+}
+function isOptionalStringArray(value) {
+    return (value === undefined ||
+        value === null ||
+        (Array.isArray(value) && value.every((entry) => typeof entry === "string")));
+}
+function isOptionalAttachments(value) {
+    if (value === undefined || value === null) {
+        return true;
+    }
+    if (!Array.isArray(value)) {
+        return false;
+    }
+    return value.every((attachment) => {
+        if (!isRecord(attachment)) {
+            return false;
+        }
+        return (isOptionalString(attachment.original_path) &&
+            isOptionalString(attachment.mime_type) &&
+            isOptionalBoolean(attachment.missing));
+    });
+}
+export function parseIMessageNotification(raw) {
+    if (!isRecord(raw)) {
+        return null;
+    }
+    const maybeMessage = raw.message;
+    if (!isRecord(maybeMessage)) {
+        return null;
+    }
+    const message = maybeMessage;
+    if (!isOptionalNumber(message.id) ||
+        !isOptionalNumber(message.chat_id) ||
+        !isOptionalString(message.sender) ||
+        !isOptionalBoolean(message.is_from_me) ||
+        !isOptionalString(message.text) ||
+        !isOptionalStringOrNumber(message.reply_to_id) ||
+        !isOptionalString(message.reply_to_text) ||
+        !isOptionalString(message.reply_to_sender) ||
+        !isOptionalString(message.created_at) ||
+        !isOptionalAttachments(message.attachments) ||
+        !isOptionalString(message.chat_identifier) ||
+        !isOptionalString(message.chat_guid) ||
+        !isOptionalString(message.chat_name) ||
+        !isOptionalStringArray(message.participants) ||
+        !isOptionalBoolean(message.is_group)) {
+        return null;
+    }
+    return message;
+}

package/dist/imessage/probe.js

@@ -2,13 +2,16 @@ import { detectBinary } from "../commands/onboard-helpers.js";
 import { loadConfig } from "../config/config.js";
 import { runCommandWithTimeout } from "../process/exec.js";
 import { createIMessageRpcClient } from "./client.js";
+import { DEFAULT_IMESSAGE_PROBE_TIMEOUT_MS } from "./constants.js";
+// Re-export for backwards compatibility
+export { DEFAULT_IMESSAGE_PROBE_TIMEOUT_MS } from "./constants.js";
 const rpcSupportCache = new Map();
-async function probeRpcSupport(cliPath) {
+async function probeRpcSupport(cliPath, timeoutMs) {
     const cached = rpcSupportCache.get(cliPath);
     if (cached)
         return cached;
     try {
-        const result = await runCommandWithTimeout([cliPath, "rpc", "--help"], { timeoutMs: 2000 });
+        const result = await runCommandWithTimeout([cliPath, "rpc", "--help"], { timeoutMs });
         const combined = `${result.stdout}\n${result.stderr}`.trim();
         const normalized = combined.toLowerCase();
         if (normalized.includes("unknown command") && normalized.includes("rpc")) {
@@ -34,7 +37,12 @@ async function probeRpcSupport(cliPath) {
         return { supported: false, error: String(err) };
     }
 }
-export async function probeIMessage(timeoutMs = 2000, opts = {}) {
+/**
+ * Probe iMessage RPC availability.
+ * @param timeoutMs - Explicit timeout in ms. If undefined, uses config or default.
+ * @param opts - Additional options (cliPath, dbPath, runtime).
+ */
+export async function probeIMessage(timeoutMs, opts = {}) {
     const cfg = opts.cliPath || opts.dbPath ? undefined : loadConfig();
     const cliPath = opts.cliPath?.trim() || cfg?.channels?.imessage?.cliPath?.trim() || "imsg";
     const dbPath = opts.dbPath?.trim() || cfg?.channels?.imessage?.dbPath?.trim();
@@ -42,7 +50,8 @@ export async function probeIMessage(timeoutMs = 2000, opts = {}) {
     if (!detected) {
         return { ok: false, error: `imsg not found (${cliPath})` };
     }
-    const rpcSupport = await probeRpcSupport(cliPath);
+    const effectiveTimeout = timeoutMs ?? cfg?.channels?.imessage?.probeTimeoutMs ?? DEFAULT_IMESSAGE_PROBE_TIMEOUT_MS;
+    const rpcSupport = await probeRpcSupport(cliPath, effectiveTimeout);
     if (!rpcSupport.supported) {
         return {
             ok: false,
@@ -56,7 +65,7 @@ export async function probeIMessage(timeoutMs = 2000, opts = {}) {
         runtime: opts.runtime,
     });
     try {
-        await client.request("chats.list", { limit: 1 }, { timeoutMs });
+        await client.request("chats.list", { limit: 1 }, { timeoutMs: effectiveTimeout });
         return { ok: true };
     }
     catch (err) {

package/dist/utils/normalize-secret-input.js

@@ -0,0 +1,19 @@
+/**
+ * Secret normalization for copy/pasted credentials.
+ *
+ * Common footgun: line breaks (especially `\r`) embedded in API keys/tokens.
+ * We strip line breaks anywhere, then trim whitespace at the ends.
+ *
+ * Intentionally does NOT remove ordinary spaces inside the string to avoid
+ * silently altering "Bearer <token>" style values.
+ */
+export function normalizeSecretInput(value) {
+    if (typeof value !== "string") {
+        return "";
+    }
+    return value.replace(/[\r\n\u2028\u2029]+/g, "").trim();
+}
+export function normalizeOptionalSecretInput(value) {
+    const normalized = normalizeSecretInput(value);
+    return normalized ? normalized : undefined;
+}

package/dist/web/inbound/access-control.js

@@ -1,7 +1,6 @@
 import { loadConfig } from "../../config/config.js";
 import { logVerbose } from "../../globals.js";
 import { emitAgentEvent } from "../../infra/agent-events.js";
-import { buildPairingReply } from "../../pairing/pairing-messages.js";
 import { readChannelAllowFromStore, upsertChannelPairingRequest, } from "../../pairing/pairing-store.js";
 import { isSelfChatMode, normalizeE164 } from "../../utils.js";
 import { resolveWhatsAppAccount } from "../accounts.js";
@@ -120,15 +119,15 @@ export async function checkInboundAccessControl(params) {
                                 data: {
                                     type: "pairing",
                                     channel: "whatsapp",
-                                    title: "Lemonade Access Request",
-                                    body: `${displayName} is requesting access to your Lemon via WhatsApp.`,
+                                    title: "WhatsApp Message",
+                                    body: `${displayName} sent a message. Add them in Settings to let Lemon respond.`,
                                     name: displayName,
                                     senderId: candidate,
                                 },
                             });
                             try {
-                                const title = encodeURIComponent("Lemonade Access Request");
-                                const body = encodeURIComponent(`${displayName} is requesting access to your Lemon via WhatsApp.`);
+                                const title = encodeURIComponent("WhatsApp Message");
+                                const body = encodeURIComponent(`${displayName} sent a message. Add them in Settings to let Lemon respond.`);
                                 const channel = encodeURIComponent("whatsapp");
                                 const encodedName = encodeURIComponent(displayName);
                                 const { exec } = await import("node:child_process");
@@ -137,14 +136,8 @@ export async function checkInboundAccessControl(params) {
                             catch {
                                 // Notification is best-effort
                             }
-                            try {
-                                await params.sock.sendMessage(params.remoteJid, {
-                                    text: buildPairingReply({ channel: "whatsapp" }),
-                                });
-                            }
-                            catch (err) {
-                                logVerbose(`whatsapp access reply failed for ${candidate}: ${String(err)}`);
-                            }
+                            // Do NOT reply to the sender on WhatsApp -- this is a personal
+                            // phone number and the sender may have no idea about Lemonade.
                         }
                     }
                 }

package/extensions/voice-call/src/config.ts

@@ -329,6 +329,14 @@ export const VoiceCallConfigSchema = z
   /** Maximum call duration in seconds */
   maxDurationSeconds: z.number().int().positive().default(300),
 
+  /**
+   * Maximum age of a call in seconds before it is automatically reaped.
+   * Catches calls stuck in unexpected states (e.g., notify-mode calls that
+   * never receive a terminal webhook). Set to 0 to disable.
+   * Default: 0 (disabled). Recommended: 120-300 for production.
+   */
+  staleCallReaperSeconds: z.number().int().nonnegative().default(0),
+
   /** Silence timeout for end-of-speech detection (ms) */
   silenceTimeoutMs: z.number().int().positive().default(800),
 

package/extensions/voice-call/src/webhook.ts

@@ -22,6 +22,7 @@ export class VoiceCallWebhookServer {
   private manager: CallManager;
   private provider: VoiceCallProvider;
   private coreConfig: CoreConfig | null;
+  private staleCallReaperInterval: ReturnType<typeof setInterval> | null = null;
 
   /** Media stream handler for bidirectional audio (when streaming enabled) */
   private mediaStreamHandler: MediaStreamHandler | null = null;
@@ -198,14 +199,50 @@ export class VoiceCallWebhookServer {
           );
         }
         resolve(url);
+
+        this.startStaleCallReaper();
       });
     });
   }
 
+  /**
+   * Start a periodic reaper that ends calls older than the configured threshold.
+   * Catches calls stuck in unexpected states (e.g., notify-mode calls that never
+   * receive a terminal webhook from the provider).
+   */
+  private startStaleCallReaper(): void {
+    const maxAgeSeconds = this.config.staleCallReaperSeconds;
+    if (!maxAgeSeconds || maxAgeSeconds <= 0) {
+      return;
+    }
+
+    const CHECK_INTERVAL_MS = 30_000;
+    const maxAgeMs = maxAgeSeconds * 1000;
+
+    this.staleCallReaperInterval = setInterval(() => {
+      const now = Date.now();
+      for (const call of this.manager.getActiveCalls()) {
+        const age = now - call.startedAt;
+        if (age > maxAgeMs) {
+          console.log(
+            `[voice-call] Reaping stale call ${call.callId} (age: ${Math.round(age / 1000)}s, state: ${call.state})`,
+          );
+          void this.manager.endCall(call.callId).catch((err) => {
+            console.warn(`[voice-call] Reaper failed to end call ${call.callId}:`, err);
+          });
+        }
+      }
+    }, CHECK_INTERVAL_MS);
+  }
+
   /**
    * Stop the webhook server.
    */
   async stop(): Promise<void> {
+    if (this.staleCallReaperInterval) {
+      clearInterval(this.staleCallReaperInterval);
+      this.staleCallReaperInterval = null;
+    }
     return new Promise((resolve) => {
       if (this.server) {
         this.server.close(() => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@heylemon/lemonade",
-  "version": "0.0.9",
+  "version": "0.1.1",
   "description": "AI gateway CLI for Lemon - local AI assistant with integrations",
   "publishConfig": {
     "access": "restricted"