@phnx-labs/agents-cli 1.19.2 → 1.20.3

package/dist/lib/routines-format.js

@@ -0,0 +1,194 @@
+/**
+ * Pure display helpers for `agents routines list`.
+ *
+ * No external dependencies. All functions are pure (no I/O, no side effects).
+ */
+// ---------------------------------------------------------------------------
+// humanizeCron
+// ---------------------------------------------------------------------------
+const DAY_NAMES = ['Sundays', 'Mondays', 'Tuesdays', 'Wednesdays', 'Thursdays', 'Fridays', 'Saturdays'];
+/**
+ * Convert a cron expression to a human-readable phrase.
+ *
+ * Handles the common patterns. For anything unrecognized, returns the raw
+ * expression so the user still sees something useful. NEVER throws.
+ */
+export function humanizeCron(expr, _tz) {
+    try {
+        const parts = expr.trim().split(/\s+/);
+        if (parts.length !== 5)
+            return expr;
+        const [minute, hour, dom, month, dow] = parts;
+        // every minute: * * * * *
+        if (minute === '*' && hour === '*' && dom === '*' && month === '*' && dow === '*') {
+            return 'every minute';
+        }
+        // every N minutes: */N * * * *
+        const everyMinMatch = minute.match(/^\*\/(\d+)$/);
+        if (everyMinMatch && hour === '*' && dom === '*' && month === '*' && dow === '*') {
+            const n = parseInt(everyMinMatch[1], 10);
+            return `every ${n} minute${n === 1 ? '' : 's'}`;
+        }
+        // every N hours: 0 */N * * *
+        const everyHourMatch = hour.match(/^\*\/(\d+)$/);
+        if (everyHourMatch && minute === '0' && dom === '*' && month === '*' && dow === '*') {
+            const n = parseInt(everyHourMatch[1], 10);
+            return `every ${n} hour${n === 1 ? '' : 's'}`;
+        }
+        // Only proceed with time-of-day patterns when hour and minute are fixed integers
+        const hourNum = /^\d+$/.test(hour) ? parseInt(hour, 10) : null;
+        const minNum = /^\d+$/.test(minute) ? parseInt(minute, 10) : null;
+        if (hourNum === null || minNum === null)
+            return expr;
+        const timeStr = formatTime12(hourNum, minNum);
+        // daily at HH:MM: M H * * *
+        if (dom === '*' && month === '*' && dow === '*') {
+            return `daily at ${timeStr}`;
+        }
+        // weekdays: M H * * 1-5
+        if (dom === '*' && month === '*' && dow === '1-5') {
+            return `weekdays at ${timeStr}`;
+        }
+        // specific day of week: M H * * D  (single digit 0-6)
+        if (dom === '*' && month === '*' && /^\d$/.test(dow)) {
+            const dayIdx = parseInt(dow, 10);
+            if (dayIdx >= 0 && dayIdx <= 6) {
+                return `${DAY_NAMES[dayIdx]} at ${timeStr}`;
+            }
+        }
+        // specific day of month: M H D * *
+        if (/^\d+$/.test(dom) && month === '*' && dow === '*') {
+            const d = parseInt(dom, 10);
+            return `monthly on day ${d} at ${timeStr}`;
+        }
+        // every N hours with fixed minute: M */N * * *  (already handled above for M=0; catch M != 0)
+        if (everyHourMatch && dom === '*' && month === '*' && dow === '*') {
+            const n = parseInt(everyHourMatch[1], 10);
+            return `every ${n} hour${n === 1 ? '' : 's'} at :${String(minNum).padStart(2, '0')}`;
+        }
+        return expr;
+    }
+    catch {
+        return expr;
+    }
+}
+/** Format an hour (0-23) + minute (0-59) as "H:MM AM/PM". */
+function formatTime12(hour, minute) {
+    const period = hour < 12 ? 'AM' : 'PM';
+    const h = hour % 12 === 0 ? 12 : hour % 12;
+    const m = String(minute).padStart(2, '0');
+    return `${h}:${m} ${period}`;
+}
+// ---------------------------------------------------------------------------
+// humanizeNextRun
+// ---------------------------------------------------------------------------
+const WEEKDAY_NAMES = ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'];
+const MONTH_NAMES = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
+/**
+ * Convert a next-run Date into a human phrase relative to `now`.
+ *
+ * - null            → '-'
+ * - same calendar day  → 'today 9:00 AM'
+ * - next calendar day  → 'tomorrow 9:00 AM'
+ * - within 7 days   → 'Mon 9:00 AM'
+ * - further out      → 'Jun 15, 9:00 AM'
+ */
+export function humanizeNextRun(date, now, tz) {
+    if (!date)
+        return '-';
+    try {
+        const locale = 'en-US';
+        const tzOpts = tz ? { timeZone: tz } : {};
+        // Extract calendar date components for both dates using the same timezone.
+        const toYMD = (d) => {
+            const fmt = new Intl.DateTimeFormat(locale, { year: 'numeric', month: 'numeric', day: 'numeric', ...tzOpts });
+            const parts = fmt.formatToParts(d);
+            const get = (type) => parseInt(parts.find((p) => p.type === type)?.value ?? '0', 10);
+            return { y: get('year'), m: get('month'), day: get('day') };
+        };
+        const nowYMD = toYMD(now);
+        const dateYMD = toYMD(date);
+        // Diff in whole calendar days (ignoring time-of-day)
+        const nowMidnight = Date.UTC(nowYMD.y, nowYMD.m - 1, nowYMD.day);
+        const dateMidnight = Date.UTC(dateYMD.y, dateYMD.m - 1, dateYMD.day);
+        const diffDays = Math.round((dateMidnight - nowMidnight) / 86400000);
+        // Time string for the date
+        const timeFmt = new Intl.DateTimeFormat(locale, { hour: 'numeric', minute: '2-digit', hour12: true, ...tzOpts });
+        const timeStr = timeFmt.format(date);
+        if (diffDays === 0)
+            return `today ${timeStr}`;
+        if (diffDays === 1)
+            return `tomorrow ${timeStr}`;
+        if (diffDays < 7) {
+            const weekdayIdx = new Intl.DateTimeFormat(locale, { weekday: 'short', ...tzOpts })
+                .formatToParts(date)
+                .find((p) => p.type === 'weekday')?.value;
+            return `${weekdayIdx ?? WEEKDAY_NAMES[date.getDay()]} ${timeStr}`;
+        }
+        // Further out: "Jun 15, 9:00 AM"
+        const monthName = MONTH_NAMES[dateYMD.m - 1];
+        return `${monthName} ${dateYMD.day}, ${timeStr}`;
+    }
+    catch {
+        return date.toLocaleString();
+    }
+}
+// ---------------------------------------------------------------------------
+// formatRepoLink
+// ---------------------------------------------------------------------------
+/**
+ * Maximum display length for a repo cell. Display strings longer than this
+ * are truncated with an ellipsis so column alignment is preserved.
+ * Consumers that render the column should use this constant as the column width.
+ */
+export const REPO_DISPLAY_MAX = 24;
+/**
+ * Parse a repo string into a display label and an optional hyperlink target.
+ *
+ * Rules:
+ *   - null / undefined / empty / non-string → display '-', href null
+ *   - 'owner/name' (one slash)              → display 'owner/name', href 'https://github.com/owner/name/pulls'
+ *   - 'https://...' or 'http://...'         → display hostname+path, href the URL verbatim
+ *   - anything else                         → display raw string, href null
+ *
+ * The display string is truncated to REPO_DISPLAY_MAX characters (with a
+ * trailing '…') when it would otherwise exceed the column width. The href
+ * is always the full untruncated URL so hyperlinks remain functional.
+ *
+ * NEVER throws — mirrors the contract of humanizeCron.
+ */
+export function formatRepoLink(repo) {
+    if (repo == null || typeof repo !== 'string' || repo.trim() === '') {
+        return { display: '-', href: null };
+    }
+    const trimmed = repo.trim();
+    let display;
+    let href;
+    // Absolute URL
+    if (trimmed.startsWith('https://') || trimmed.startsWith('http://')) {
+        try {
+            const url = new URL(trimmed);
+            display = url.hostname + url.pathname.replace(/\/$/, '');
+            href = trimmed;
+        }
+        catch {
+            display = trimmed;
+            href = null;
+        }
+    }
+    else if (/^[A-Za-z0-9._-]+\/[A-Za-z0-9._-]+$/.test(trimmed)) {
+        // GitHub shorthand: owner/name (exactly one slash, no scheme, no extra slashes)
+        display = trimmed;
+        href = `https://github.com/${trimmed}/pulls`;
+    }
+    else {
+        // Anything else: plain text, no link
+        display = trimmed;
+        href = null;
+    }
+    // Truncate display to column width; href stays untruncated.
+    if (display.length > REPO_DISPLAY_MAX) {
+        display = display.slice(0, REPO_DISPLAY_MAX - 1) + '…';
+    }
+    return { display, href };
+}

package/dist/lib/routines.d.ts

@@ -18,12 +18,14 @@ export interface JobConfig {
     name: string;
     schedule: string;
     agent: AgentId;
-    mode: 'plan' | 'edit' | 'full';
+    workflow?: string;
+    mode: 'plan' | 'edit' | 'auto' | 'skip' | 'full';
     effort: 'low' | 'medium' | 'high' | 'xhigh' | 'max' | 'auto';
     timeout: string;
     enabled: boolean;
     prompt: string;
     timezone?: string;
+    repo?: string;
     variables?: Record<string, string>;
     sandbox?: boolean;
     allow?: JobAllowConfig;
@@ -36,6 +38,7 @@ export interface RunMeta {
     jobName: string;
     runId: string;
     agent: AgentId;
+    workflow?: string;
     pid: number | null;
     status: 'running' | 'completed' | 'failed' | 'timeout';
     startedAt: string;
@@ -56,7 +59,10 @@ export declare function setJobEnabled(name: string, enabled: boolean): void;
 export declare function validateJob(config: Partial<JobConfig>): string[];
 /** Expand built-in and user-defined template variables in a job's prompt string. */
 export declare function resolveJobPrompt(config: JobConfig): string;
-/** Parse a human-readable timeout string (e.g. "30m", "2h", "1h30m") into milliseconds. */
+/** Parse a human-readable timeout string (e.g. "10m", "2h", "1h30m", "3d", "1w") into milliseconds.
+ *  Accepts combinations of w (weeks), d (days), h (hours), m (minutes).
+ *  Returns null if the string is empty, matches nothing, totals zero, or exceeds 1 week.
+ */
 export declare function parseTimeout(timeout: string): number | null;
 /** List all run metadata entries for a job, sorted chronologically. */
 export declare function listRuns(jobName: string): RunMeta[];

package/dist/lib/routines.js

@@ -17,7 +17,7 @@ import { ALL_AGENT_IDS } from './agents.js';
 const JOB_DEFAULTS = {
     mode: 'plan',
     effort: 'auto',
-    timeout: '30m',
+    timeout: '10m',
     enabled: true,
 };
 /** List all job configs from ~/.agents/routines/. */
@@ -73,7 +73,7 @@ export function writeJob(config) {
         delete output.mode;
     if (output.effort === 'auto')
         delete output.effort;
-    if (output.timeout === '30m')
+    if (output.timeout === '10m')
         delete output.timeout;
     if (output.enabled === true)
         delete output.enabled;
@@ -119,14 +119,24 @@ export function validateJob(config) {
             errors.push(`invalid cron expression: "${config.schedule}"`);
         }
     }
-    if (!config.agent || typeof config.agent !== 'string') {
-        errors.push('agent is required');
+    const hasAgent = Boolean(config.agent && typeof config.agent === 'string');
+    const hasWorkflow = Boolean(config.workflow && typeof config.workflow === 'string');
+    if (!hasAgent && !hasWorkflow) {
+        errors.push('exactly one of agent or workflow is required');
     }
-    if (config.agent && !ALL_AGENT_IDS.includes(config.agent)) {
+    else if (hasAgent && hasWorkflow) {
+        errors.push('exactly one of agent or workflow must be set (not both)');
+    }
+    if (hasAgent && config.agent && !ALL_AGENT_IDS.includes(config.agent)) {
         errors.push(`agent must be one of: ${ALL_AGENT_IDS.join(', ')}`);
     }
-    if (config.mode && !['plan', 'edit', 'full'].includes(config.mode)) {
-        errors.push('mode must be plan, edit, or full');
+    if (hasWorkflow && config.workflow) {
+        if (!/^[a-z0-9][a-z0-9_-]*$/.test(config.workflow)) {
+            errors.push('workflow must be a lowercase alphanumeric name (hyphens and underscores allowed, e.g. autodev)');
+        }
+    }
+    if (config.mode && !['plan', 'edit', 'auto', 'skip', 'full'].includes(config.mode)) {
+        errors.push("mode must be plan, edit, auto, or skip ('full' accepted as alias for skip)");
     }
     if (config.effort && !['low', 'medium', 'high', 'xhigh', 'max', 'auto'].includes(config.effort)) {
         errors.push('effort must be low, medium, high, xhigh, max, or auto');
@@ -135,7 +145,7 @@ export function validateJob(config) {
         errors.push('prompt is required');
     }
     if (config.timeout && !parseTimeout(config.timeout)) {
-        errors.push('timeout must be like 30m, 2h, 1h30m');
+        errors.push('timeout must be like 10m, 2h, 3d, 1w (max 1w)');
     }
     return errors;
 }
@@ -179,15 +189,25 @@ export function resolveJobPrompt(config) {
     }
     return prompt;
 }
-/** Parse a human-readable timeout string (e.g. "30m", "2h", "1h30m") into milliseconds. */
+/** Parse a human-readable timeout string (e.g. "10m", "2h", "1h30m", "3d", "1w") into milliseconds.
+ *  Accepts combinations of w (weeks), d (days), h (hours), m (minutes).
+ *  Returns null if the string is empty, matches nothing, totals zero, or exceeds 1 week.
+ */
 export function parseTimeout(timeout) {
-    const match = timeout.match(/^(?:(\d+)h)?(?:(\d+)m)?$/);
+    const match = timeout.match(/^(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?$/);
     if (!match)
         return null;
-    const hours = parseInt(match[1] || '0', 10);
-    const minutes = parseInt(match[2] || '0', 10);
-    const ms = (hours * 60 + minutes) * 60 * 1000;
-    return ms > 0 ? ms : null;
+    const weeks = parseInt(match[1] || '0', 10);
+    const days = parseInt(match[2] || '0', 10);
+    const hours = parseInt(match[3] || '0', 10);
+    const minutes = parseInt(match[4] || '0', 10);
+    const ms = ((weeks * 7 + days) * 24 * 60 + hours * 60 + minutes) * 60 * 1000;
+    if (ms <= 0)
+        return null;
+    const ONE_WEEK_MS = 7 * 24 * 60 * 60 * 1000; // 604800000
+    if (ms > ONE_WEEK_MS)
+        return null;
+    return ms;
 }
 /** List all run metadata entries for a job, sorted chronologically. */
 export function listRuns(jobName) {

package/dist/lib/runner.js

@@ -14,7 +14,8 @@ import { resolveJobPrompt, parseTimeout, writeRunMeta, getRunDir, } from './rout
 import { getRunsDir } from './state.js';
 import { prepareJobHome, buildSpawnEnv } from './sandbox.js';
 import { resolveModel, buildReasoningFlags } from './models.js';
-import { createTimer, maybeRotate, truncate } from './events.js';
+import { createTimer, maybeRotate, redactPrompt } from './events.js';
+import { normalizeMode } from './exec.js';
 /** CLI command templates per agent, with {prompt} as a placeholder. */
 const AGENT_COMMANDS = {
     claude: ['claude', '-p', '--verbose', '{prompt}', '--output-format', 'stream-json', '--permission-mode', 'plan'],
@@ -23,18 +24,33 @@ const AGENT_COMMANDS = {
 };
 /** Build the full CLI argv for executing a job, applying mode, model, and permission flags. */
 export function buildJobCommand(config, resolvedPrompt) {
+    // Workflow branch: delegate to `agents run <workflow>` which handles subagent
+    // injection, WORKFLOW.md orchestration, and model selection via frontmatter.
+    // appendModelAndReasoning is intentionally skipped — the workflow frontmatter
+    // owns model selection. No --timeout flag: the runner enforces its own SIGTERM/SIGKILL.
+    if (config.workflow) {
+        const cmd = ['agents', 'run', config.workflow, resolvedPrompt, '--mode', config.mode];
+        return cmd;
+    }
     const template = AGENT_COMMANDS[config.agent];
     if (!template) {
         throw new Error(`Unsupported agent for daemon jobs: ${config.agent}`);
     }
     let cmd = template.map((part) => part.replace('{prompt}', resolvedPrompt));
+    // Canonicalize mode (accepts legacy `full` as alias for `skip`).
+    const mode = normalizeMode(config.mode);
     if (config.agent === 'claude') {
-        if (config.mode === 'edit') {
+        if (mode === 'edit') {
             const planIndex = cmd.indexOf('plan');
             if (planIndex !== -1)
                 cmd[planIndex] = 'acceptEdits';
         }
-        else if (config.mode === 'full') {
+        else if (mode === 'auto') {
+            const planIndex = cmd.indexOf('plan');
+            if (planIndex !== -1)
+                cmd[planIndex] = 'auto';
+        }
+        else if (mode === 'skip') {
             // Replace --permission-mode plan with --dangerously-skip-permissions
             const pmIndex = cmd.indexOf('--permission-mode');
             if (pmIndex !== -1)
@@ -55,10 +71,10 @@ export function buildJobCommand(config, resolvedPrompt) {
         appendModelAndReasoning(cmd, config);
     }
     if (config.agent === 'codex') {
-        if (config.mode === 'edit') {
+        if (mode === 'edit') {
             cmd.push('--full-auto');
         }
-        else if (config.mode === 'full') {
+        else if (mode === 'skip') {
             // Remove sandbox restriction, just --full-auto
             const sbIndex = cmd.indexOf('--sandbox');
             if (sbIndex !== -1)
@@ -68,7 +84,10 @@ export function buildJobCommand(config, resolvedPrompt) {
         appendModelAndReasoning(cmd, config);
     }
     if (config.agent === 'gemini') {
-        if (config.mode === 'edit' || config.mode === 'full') {
+        if (mode === 'edit') {
+            cmd.push('--approval-mode', 'auto_edit');
+        }
+        else if (mode === 'skip') {
             cmd.push('--yolo');
         }
         appendModelAndReasoning(cmd, config);
@@ -114,7 +133,7 @@ export async function executeJob(config) {
         version: config.version,
         jobName: config.name,
         mode: config.mode,
-        prompt: truncate(config.prompt, 200),
+        ...redactPrompt(config.prompt),
         schedule: config.schedule,
     });
     const resolvedPrompt = resolveJobPrompt(config);
@@ -130,10 +149,14 @@ export async function executeJob(config) {
     if (config.timezone) {
         spawnEnv.TZ = config.timezone;
     }
+    // Workflows run via `agents run <workflow>` which delegates to claude under the hood.
+    // Use 'claude' as the effective agent for report extraction and metadata when workflow is set.
+    const effectiveAgent = config.workflow ? 'claude' : config.agent;
     const meta = {
         jobName: config.name,
         runId,
-        agent: config.agent,
+        agent: effectiveAgent,
+        ...(config.workflow ? { workflow: config.workflow } : {}),
         pid: null,
         status: 'running',
         startedAt: new Date().toISOString(),
@@ -141,7 +164,7 @@ export async function executeJob(config) {
         exitCode: null,
     };
     writeRunMeta(meta);
-    const timeoutMs = parseTimeout(config.timeout) || 30 * 60 * 1000;
+    const timeoutMs = parseTimeout(config.timeout) || 10 * 60 * 1000;
     return new Promise((resolve) => {
         const child = spawn(cmd[0], cmd.slice(1), {
             stdio: ['ignore', stdoutFd, stdoutFd],
@@ -173,7 +196,7 @@ export async function executeJob(config) {
             meta.completedAt = new Date().toISOString();
             writeRunMeta(meta);
             timer.end({ status: 'timeout', runId });
-            const reportPath = extractAndSaveReport(stdoutPath, config.agent, runDir);
+            const reportPath = extractAndSaveReport(stdoutPath, effectiveAgent, runDir);
             resolve({ meta, reportPath });
         }, timeoutMs);
         child.on('exit', (code) => {
@@ -190,7 +213,7 @@ export async function executeJob(config) {
             meta.completedAt = new Date().toISOString();
             writeRunMeta(meta);
             timer.end({ status: meta.status, exitCode: code ?? undefined, runId });
-            const reportPath = extractAndSaveReport(stdoutPath, config.agent, runDir);
+            const reportPath = extractAndSaveReport(stdoutPath, effectiveAgent, runDir);
             resolve({ meta, reportPath });
         });
         child.on('error', (err) => {
@@ -226,10 +249,12 @@ export async function executeJobDetached(config) {
     if (config.timezone) {
         spawnEnv.TZ = config.timezone;
     }
+    const effectiveAgent = config.workflow ? 'claude' : config.agent;
     const meta = {
         jobName: config.name,
         runId,
-        agent: config.agent,
+        agent: effectiveAgent,
+        ...(config.workflow ? { workflow: config.workflow } : {}),
         pid: null,
         status: 'running',
         startedAt: new Date().toISOString(),
@@ -307,6 +332,39 @@ export function extractReport(stdoutPath, agentType) {
         return null;
     }
 }
+/** Derive the final status of a detached run by reading the agent's stream-json
+ *  tail. Detached children fire-and-forget, so we never see their exit code
+ *  directly — but Claude's stream-json terminates with a `type: result` line
+ *  that carries `is_error`. If we find it, the run completed cleanly (modulo
+ *  agent-reported error). If not, the process likely died mid-stream and the
+ *  caller should treat the run as failed. */
+function inferFinalStatusFromLog(stdoutPath, agent) {
+    if (!fs.existsSync(stdoutPath))
+        return null;
+    try {
+        const content = fs.readFileSync(stdoutPath, 'utf-8');
+        const lines = content.split('\n').filter((l) => l.trim());
+        // Walk backwards over the last few lines — the result marker is always
+        // at the tail. Cap the scan so a huge stdout doesn't iterate forever.
+        for (let i = lines.length - 1, scanned = 0; i >= 0 && scanned < 20; i--, scanned++) {
+            try {
+                const parsed = JSON.parse(lines[i]);
+                if (agent === 'claude' && parsed.type === 'result') {
+                    return parsed.is_error
+                        ? { status: 'failed', exitCode: 1 }
+                        : { status: 'completed', exitCode: 0 };
+                }
+            }
+            catch {
+                // malformed JSONL line — keep scanning
+            }
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
 /** Scan all runs marked "running" and finalize any whose process has exited. */
 export function monitorRunningJobs() {
     const runsDir = getRunsDir();
@@ -332,11 +390,21 @@ export function monitorRunningJobs() {
                     process.kill(meta.pid, 0);
                 }
                 catch { /* process no longer running */
-                    meta.status = 'failed';
+                    const runDirPath = path.join(jobRunsPath, runDirEntry.name);
+                    const stdoutPath = path.join(runDirPath, 'stdout.log');
+                    // Prefer the agent's own success/error marker; fall back to "failed"
+                    // only when the stream ended without one (process killed mid-run).
+                    const inferred = inferFinalStatusFromLog(stdoutPath, meta.agent);
+                    if (inferred) {
+                        meta.status = inferred.status;
+                        meta.exitCode = inferred.exitCode;
+                    }
+                    else {
+                        meta.status = 'failed';
+                    }
                     meta.completedAt = new Date().toISOString();
                     writeRunMeta(meta);
-                    const stdoutPath = path.join(jobRunsPath, runDirEntry.name, 'stdout.log');
-                    extractAndSaveReport(stdoutPath, meta.agent, path.join(jobRunsPath, runDirEntry.name));
+                    extractAndSaveReport(stdoutPath, meta.agent, runDirPath);
                 }
             }
             catch { /* corrupt or unreadable meta.json */ }

package/dist/lib/scheduler.js

@@ -24,7 +24,14 @@ export class JobScheduler {
     }
     schedule(config) {
         this.unschedule(config.name);
-        const cron = new Cron(config.schedule, async () => {
+        // catch: true — a throw from one job's callback should not kill the
+        // whole cron loop. Each invocation of onTrigger is already wrapped in
+        // try/catch, but a synchronous throw before the await would otherwise
+        // bubble up; defense in depth.
+        const cronOptions = { catch: true };
+        if (config.timezone)
+            cronOptions.timezone = config.timezone;
+        const cron = new Cron(config.schedule, cronOptions, async () => {
             try {
                 await this.onTrigger(config);
             }

package/dist/lib/secrets/Agents CLI.app/Contents/_CodeSignature/CodeResources

@@ -5,15 +5,7 @@
 	<key>files</key>
 	<dict/>
 	<key>files2</key>
-	<dict>
-		<key>embedded.provisionprofile</key>
-		<dict>
-			<key>hash2</key>
-			<data>
-			2vfA/eR3dTYgNc/fXhdADUPkp5tRIepPzE3FCLfDx4w=
-			</data>
-		</dict>
-	</dict>
+	<dict/>
 	<key>rules</key>
 	<dict>
 		<key>^Resources/</key>

package/dist/lib/secrets/bundles.d.ts

@@ -1,15 +1,15 @@
 /**
- * Secret bundles -- named sets of keychain-backed environment variables.
+ * Secret bundles — named sets of keychain-backed environment variables.
  *
  * Bundle metadata (name, description, vars map) is stored in the macOS
- * Keychain as a JSON blob under `agents-cli.bundles.<name>`. Bundles created
- * with `--icloud-sync` write the metadata to the iCloud-synced keychain so
- * the full bundle definition (not just secret values) propagates across
- * the user's Macs. Nothing about secrets ever lives in plaintext on disk.
+ * Keychain as a JSON blob under `agents-cli.bundles.<name>`. Secret values
+ * live one per keychain item under `agents-cli.secrets.<bundle>.<key>`.
+ * Every item is device-local and gated by Touch ID / device passcode — see
+ * src/lib/secrets/index.ts for the access-control story. Nothing about
+ * secrets ever lives in plaintext on disk.
  *
- * Secret values keep their old layout: one keychain item per key under
- * `agents-cli.secrets.<bundle>.<key>`, sync-state matching the bundle's
- * `icloud_sync` flag.
+ * Cross-machine sync is handled by src/lib/secrets/sync.ts via an explicit
+ * encrypted export/import flow; the bundle layer is sync-agnostic.
  */
 import { type BundleValue, type SecretRef } from './index.js';
 /** Allowed values for a secret's `type` metadata field. */
@@ -28,8 +28,6 @@ export interface SecretsBundle {
     name: string;
     description?: string;
     allow_exec?: boolean;
-    /** When true, keychain-backed values and bundle metadata sync via iCloud Keychain. */
-    icloud_sync?: boolean;
     /** ISO 8601 UTC timestamp. Set once on the first writeBundle() for a bundle. */
     created_at?: string;
     /** ISO 8601 UTC timestamp. Refreshed on every writeBundle(). */
@@ -49,6 +47,7 @@ export declare const RESERVED_ENV_NAMES: Set<string>;
 export declare function bundleToEnvPrefix(name: string): string;
 export declare function isReservedEnvName(key: string): boolean;
 export declare function isLoaderOrInterpreterEnv(name: string): boolean;
+export declare function sanitizeProcessEnv(env?: NodeJS.ProcessEnv): NodeJS.ProcessEnv;
 /** Validate a bundle name against the allowed pattern. Throws on invalid input. */
 export declare function validateBundleName(name: string): void;
 export declare function validateEnvKey(key: string): void;
@@ -74,14 +73,32 @@ export declare function describeBundle(bundle: SecretsBundle): BundleEntryInfo[]
 /** Options for resolveBundleEnv. */
 export interface ResolveBundleOptions {
     /**
-     * Human-readable label for who is requesting the secrets. Shown to the
-     * user under the Touch ID prompt so they know what's about to read.
-     * Example: "agent claude", "command curl", "browser profile".
-     * When omitted the prompt only names the bundle.
+     * Human-readable label for who is requesting the secrets. Currently
+     * informational only — the helper's Touch ID prompt is set by the OS and
+     * cannot be reliably customized once we drop the per-batch reason path,
+     * but we keep this in the API so call sites stay explicit about who's
+     * about to read the bundle.
      */
     caller?: string;
 }
-export declare function resolveBundleEnv(bundle: SecretsBundle, opts?: ResolveBundleOptions): Record<string, string>;
+export declare function resolveBundleEnv(bundle: SecretsBundle, _opts?: ResolveBundleOptions): Record<string, string>;
+/**
+ * Read a bundle's metadata AND resolve its env in a single Touch ID prompt.
+ *
+ * `readBundle` + `resolveBundleEnv` issued two separate `LAContext` calls
+ * (metadata read via `get-auth`, then secret values via `get-batch`) which
+ * surfaced as two consecutive Touch ID prompts. macOS does not honor
+ * "Always Allow" for items protected with `kSecAttrAccessControl`+biometry,
+ * so caching at the OS level was never an option. This collapses both reads
+ * into one `get-batch` call: we enumerate the bundle's secret items first
+ * (silent — `list` returns attrs only and does not trigger biometry) and
+ * include the metadata item in the same batch. One prompt, correctly scoped
+ * to the bundle name and caller.
+ */
+export declare function readAndResolveBundleEnv(name: string, opts?: ResolveBundleOptions): {
+    bundle: SecretsBundle;
+    env: Record<string, string>;
+};
 export declare function keychainRef(key: string): string;
 /** Options for rotateBundleSecret. */
 export interface RotateOptions {
@@ -114,8 +131,8 @@ export interface RenameOptions {
  *   4) write new bundle metadata
  *   5) delete the old per-key keychain items + old metadata
  *
- * Steps 1-4 are reversible. If 5 partially fails (e.g. iCloud Keychain
- * hiccup), running `rename` again is a safe no-op for the source items.
+ * Steps 1-4 are reversible. If 5 partially fails, running `rename` again is
+ * a safe no-op for the source items.
  */
 export declare function renameBundle(oldName: string, newName: string, opts?: RenameOptions): void;
 export declare function keychainItemsForBundle(bundle: SecretsBundle): Array<{