@phnx-labs/agents-cli 1.20.0 → 1.20.3

package/dist/lib/runner.js

@@ -14,7 +14,8 @@ import { resolveJobPrompt, parseTimeout, writeRunMeta, getRunDir, } from './rout
 import { getRunsDir } from './state.js';
 import { prepareJobHome, buildSpawnEnv } from './sandbox.js';
 import { resolveModel, buildReasoningFlags } from './models.js';
-import { createTimer, maybeRotate, truncate } from './events.js';
+import { createTimer, maybeRotate, redactPrompt } from './events.js';
+import { normalizeMode } from './exec.js';
 /** CLI command templates per agent, with {prompt} as a placeholder. */
 const AGENT_COMMANDS = {
     claude: ['claude', '-p', '--verbose', '{prompt}', '--output-format', 'stream-json', '--permission-mode', 'plan'],
@@ -36,13 +37,20 @@ export function buildJobCommand(config, resolvedPrompt) {
         throw new Error(`Unsupported agent for daemon jobs: ${config.agent}`);
     }
     let cmd = template.map((part) => part.replace('{prompt}', resolvedPrompt));
+    // Canonicalize mode (accepts legacy `full` as alias for `skip`).
+    const mode = normalizeMode(config.mode);
     if (config.agent === 'claude') {
-        if (config.mode === 'edit') {
+        if (mode === 'edit') {
             const planIndex = cmd.indexOf('plan');
             if (planIndex !== -1)
                 cmd[planIndex] = 'acceptEdits';
         }
-        else if (config.mode === 'full') {
+        else if (mode === 'auto') {
+            const planIndex = cmd.indexOf('plan');
+            if (planIndex !== -1)
+                cmd[planIndex] = 'auto';
+        }
+        else if (mode === 'skip') {
             // Replace --permission-mode plan with --dangerously-skip-permissions
             const pmIndex = cmd.indexOf('--permission-mode');
             if (pmIndex !== -1)
@@ -63,10 +71,10 @@ export function buildJobCommand(config, resolvedPrompt) {
         appendModelAndReasoning(cmd, config);
     }
     if (config.agent === 'codex') {
-        if (config.mode === 'edit') {
+        if (mode === 'edit') {
             cmd.push('--full-auto');
         }
-        else if (config.mode === 'full') {
+        else if (mode === 'skip') {
             // Remove sandbox restriction, just --full-auto
             const sbIndex = cmd.indexOf('--sandbox');
             if (sbIndex !== -1)
@@ -76,7 +84,10 @@ export function buildJobCommand(config, resolvedPrompt) {
         appendModelAndReasoning(cmd, config);
     }
     if (config.agent === 'gemini') {
-        if (config.mode === 'edit' || config.mode === 'full') {
+        if (mode === 'edit') {
+            cmd.push('--approval-mode', 'auto_edit');
+        }
+        else if (mode === 'skip') {
             cmd.push('--yolo');
         }
         appendModelAndReasoning(cmd, config);
@@ -122,7 +133,7 @@ export async function executeJob(config) {
         version: config.version,
         jobName: config.name,
         mode: config.mode,
-        prompt: truncate(config.prompt, 200),
+        ...redactPrompt(config.prompt),
         schedule: config.schedule,
     });
     const resolvedPrompt = resolveJobPrompt(config);
@@ -321,6 +332,39 @@ export function extractReport(stdoutPath, agentType) {
         return null;
     }
 }
+/** Derive the final status of a detached run by reading the agent's stream-json
+ *  tail. Detached children fire-and-forget, so we never see their exit code
+ *  directly — but Claude's stream-json terminates with a `type: result` line
+ *  that carries `is_error`. If we find it, the run completed cleanly (modulo
+ *  agent-reported error). If not, the process likely died mid-stream and the
+ *  caller should treat the run as failed. */
+function inferFinalStatusFromLog(stdoutPath, agent) {
+    if (!fs.existsSync(stdoutPath))
+        return null;
+    try {
+        const content = fs.readFileSync(stdoutPath, 'utf-8');
+        const lines = content.split('\n').filter((l) => l.trim());
+        // Walk backwards over the last few lines — the result marker is always
+        // at the tail. Cap the scan so a huge stdout doesn't iterate forever.
+        for (let i = lines.length - 1, scanned = 0; i >= 0 && scanned < 20; i--, scanned++) {
+            try {
+                const parsed = JSON.parse(lines[i]);
+                if (agent === 'claude' && parsed.type === 'result') {
+                    return parsed.is_error
+                        ? { status: 'failed', exitCode: 1 }
+                        : { status: 'completed', exitCode: 0 };
+                }
+            }
+            catch {
+                // malformed JSONL line — keep scanning
+            }
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
 /** Scan all runs marked "running" and finalize any whose process has exited. */
 export function monitorRunningJobs() {
     const runsDir = getRunsDir();
@@ -346,11 +390,21 @@ export function monitorRunningJobs() {
                     process.kill(meta.pid, 0);
                 }
                 catch { /* process no longer running */
-                    meta.status = 'failed';
+                    const runDirPath = path.join(jobRunsPath, runDirEntry.name);
+                    const stdoutPath = path.join(runDirPath, 'stdout.log');
+                    // Prefer the agent's own success/error marker; fall back to "failed"
+                    // only when the stream ended without one (process killed mid-run).
+                    const inferred = inferFinalStatusFromLog(stdoutPath, meta.agent);
+                    if (inferred) {
+                        meta.status = inferred.status;
+                        meta.exitCode = inferred.exitCode;
+                    }
+                    else {
+                        meta.status = 'failed';
+                    }
                     meta.completedAt = new Date().toISOString();
                     writeRunMeta(meta);
-                    const stdoutPath = path.join(jobRunsPath, runDirEntry.name, 'stdout.log');
-                    extractAndSaveReport(stdoutPath, meta.agent, path.join(jobRunsPath, runDirEntry.name));
+                    extractAndSaveReport(stdoutPath, meta.agent, runDirPath);
                 }
             }
             catch { /* corrupt or unreadable meta.json */ }

package/dist/lib/secrets/Agents CLI.app/Contents/_CodeSignature/CodeResources

@@ -5,15 +5,7 @@
 	<key>files</key>
 	<dict/>
 	<key>files2</key>
-	<dict>
-		<key>embedded.provisionprofile</key>
-		<dict>
-			<key>hash2</key>
-			<data>
-			2vfA/eR3dTYgNc/fXhdADUPkp5tRIepPzE3FCLfDx4w=
-			</data>
-		</dict>
-	</dict>
+	<dict/>
 	<key>rules</key>
 	<dict>
 		<key>^Resources/</key>

package/dist/lib/secrets/bundles.d.ts

@@ -1,15 +1,15 @@
 /**
- * Secret bundles -- named sets of keychain-backed environment variables.
+ * Secret bundles — named sets of keychain-backed environment variables.
  *
  * Bundle metadata (name, description, vars map) is stored in the macOS
- * Keychain as a JSON blob under `agents-cli.bundles.<name>`. Bundles created
- * with `--icloud-sync` write the metadata to the iCloud-synced keychain so
- * the full bundle definition (not just secret values) propagates across
- * the user's Macs. Nothing about secrets ever lives in plaintext on disk.
+ * Keychain as a JSON blob under `agents-cli.bundles.<name>`. Secret values
+ * live one per keychain item under `agents-cli.secrets.<bundle>.<key>`.
+ * Every item is device-local and gated by Touch ID / device passcode — see
+ * src/lib/secrets/index.ts for the access-control story. Nothing about
+ * secrets ever lives in plaintext on disk.
  *
- * Secret values keep their old layout: one keychain item per key under
- * `agents-cli.secrets.<bundle>.<key>`, sync-state matching the bundle's
- * `icloud_sync` flag.
+ * Cross-machine sync is handled by src/lib/secrets/sync.ts via an explicit
+ * encrypted export/import flow; the bundle layer is sync-agnostic.
  */
 import { type BundleValue, type SecretRef } from './index.js';
 /** Allowed values for a secret's `type` metadata field. */
@@ -28,8 +28,6 @@ export interface SecretsBundle {
     name: string;
     description?: string;
     allow_exec?: boolean;
-    /** When true, keychain-backed values and bundle metadata sync via iCloud Keychain. */
-    icloud_sync?: boolean;
     /** ISO 8601 UTC timestamp. Set once on the first writeBundle() for a bundle. */
     created_at?: string;
     /** ISO 8601 UTC timestamp. Refreshed on every writeBundle(). */
@@ -49,6 +47,7 @@ export declare const RESERVED_ENV_NAMES: Set<string>;
 export declare function bundleToEnvPrefix(name: string): string;
 export declare function isReservedEnvName(key: string): boolean;
 export declare function isLoaderOrInterpreterEnv(name: string): boolean;
+export declare function sanitizeProcessEnv(env?: NodeJS.ProcessEnv): NodeJS.ProcessEnv;
 /** Validate a bundle name against the allowed pattern. Throws on invalid input. */
 export declare function validateBundleName(name: string): void;
 export declare function validateEnvKey(key: string): void;
@@ -62,11 +61,7 @@ export declare function validateSecretType(t: string): asserts t is SecretType;
 export declare function validateExpiresFutureDated(iso: string): void;
 export declare function bundleExists(name: string): boolean;
 export declare function readBundle(name: string): SecretsBundle;
-export interface WriteBundleOptions {
-    /** Emit a secrets.set audit event. Internal bookkeeping writes turn this off. */
-    emitEvent?: boolean;
-}
-export declare function writeBundle(bundle: SecretsBundle, opts?: WriteBundleOptions): void;
+export declare function writeBundle(bundle: SecretsBundle): void;
 export declare function deleteBundle(name: string): boolean;
 export declare function listBundles(): SecretsBundle[];
 export interface BundleEntryInfo {
@@ -78,14 +73,15 @@ export declare function describeBundle(bundle: SecretsBundle): BundleEntryInfo[]
 /** Options for resolveBundleEnv. */
 export interface ResolveBundleOptions {
     /**
-     * Human-readable label for who is requesting the secrets. Shown to the
-     * user under the Touch ID prompt so they know what's about to read.
-     * Example: "agent claude", "command curl", "browser profile".
-     * When omitted the prompt only names the bundle.
+     * Human-readable label for who is requesting the secrets. Currently
+     * informational only — the helper's Touch ID prompt is set by the OS and
+     * cannot be reliably customized once we drop the per-batch reason path,
+     * but we keep this in the API so call sites stay explicit about who's
+     * about to read the bundle.
      */
     caller?: string;
 }
-export declare function resolveBundleEnv(bundle: SecretsBundle, opts?: ResolveBundleOptions): Record<string, string>;
+export declare function resolveBundleEnv(bundle: SecretsBundle, _opts?: ResolveBundleOptions): Record<string, string>;
 /**
  * Read a bundle's metadata AND resolve its env in a single Touch ID prompt.
  *
@@ -135,8 +131,8 @@ export interface RenameOptions {
  *   4) write new bundle metadata
  *   5) delete the old per-key keychain items + old metadata
  *
- * Steps 1-4 are reversible. If 5 partially fails (e.g. iCloud Keychain
- * hiccup), running `rename` again is a safe no-op for the source items.
+ * Steps 1-4 are reversible. If 5 partially fails, running `rename` again is
+ * a safe no-op for the source items.
  */
 export declare function renameBundle(oldName: string, newName: string, opts?: RenameOptions): void;
 export declare function keychainItemsForBundle(bundle: SecretsBundle): Array<{

package/dist/lib/secrets/bundles.js

@@ -1,21 +1,21 @@
 /**
- * Secret bundles -- named sets of keychain-backed environment variables.
+ * Secret bundles — named sets of keychain-backed environment variables.
  *
  * Bundle metadata (name, description, vars map) is stored in the macOS
- * Keychain as a JSON blob under `agents-cli.bundles.<name>`. Bundles created
- * with `--icloud-sync` write the metadata to the iCloud-synced keychain so
- * the full bundle definition (not just secret values) propagates across
- * the user's Macs. Nothing about secrets ever lives in plaintext on disk.
+ * Keychain as a JSON blob under `agents-cli.bundles.<name>`. Secret values
+ * live one per keychain item under `agents-cli.secrets.<bundle>.<key>`.
+ * Every item is device-local and gated by Touch ID / device passcode — see
+ * src/lib/secrets/index.ts for the access-control story. Nothing about
+ * secrets ever lives in plaintext on disk.
  *
- * Secret values keep their old layout: one keychain item per key under
- * `agents-cli.secrets.<bundle>.<key>`, sync-state matching the bundle's
- * `icloud_sync` flag.
+ * Cross-machine sync is handled by src/lib/secrets/sync.ts via an explicit
+ * encrypted export/import flow; the bundle layer is sync-agnostic.
  */
 import * as fs from 'fs';
 import * as os from 'os';
 import * as path from 'path';
 import * as yaml from 'yaml';
-import { deleteKeychainToken, getKeychainToken, getKeychainTokensBatch, hasKeychainToken, listKeychainItems, parseBundleValue, resolveRef, secretsKeychainItem, setKeychainToken, } from './index.js';
+import { deleteKeychainToken, getKeychainToken, getKeychainTokens, hasKeychainToken, listKeychainItems, parseBundleValue, resolveRef, secretsKeychainItem, setKeychainToken, } from './index.js';
 import { emit } from '../events.js';
 /** Allowed values for a secret's `type` metadata field. */
 export const SECRET_TYPES = [
@@ -63,6 +63,17 @@ export function isLoaderOrInterpreterEnv(name) {
             'CDPATH',
         ].includes(upper);
 }
+export function sanitizeProcessEnv(env = process.env) {
+    const out = {};
+    for (const [k, v] of Object.entries(env)) {
+        if (v === undefined)
+            continue;
+        if (isLoaderOrInterpreterEnv(k))
+            continue;
+        out[k] = v;
+    }
+    return out;
+}
 /** Validate a bundle name against the allowed pattern. Throws on invalid input. */
 export function validateBundleName(name) {
     if (!BUNDLE_NAME_PATTERN.test(name)) {
@@ -125,11 +136,12 @@ export function readBundle(name) {
     if (!parsed || typeof parsed !== 'object') {
         throw new Error(`Bundle '${name}' is malformed.`);
     }
+    // Unknown fields on the JSON (e.g. legacy sync flags) are silently dropped
+    // here; the SecretsBundle shape is the only source of truth.
     const bundle = {
         name,
         description: parsed.description,
         allow_exec: Boolean(parsed.allow_exec),
-        icloud_sync: Boolean(parsed.icloud_sync),
         vars: parsed.vars && typeof parsed.vars === 'object' ? parsed.vars : {},
     };
     if (typeof parsed.created_at === 'string')
@@ -146,7 +158,7 @@ export function readBundle(name) {
     }
     return bundle;
 }
-export function writeBundle(bundle, opts = {}) {
+export function writeBundle(bundle) {
     validateBundleName(bundle.name);
     for (const key of Object.keys(bundle.vars)) {
         validateEnvKey(key);
@@ -179,7 +191,6 @@ export function writeBundle(bundle, opts = {}) {
     const payload = {
         description: bundle.description,
         allow_exec: bundle.allow_exec ? true : undefined,
-        icloud_sync: bundle.icloud_sync ? true : undefined,
         created_at: bundle.created_at,
         updated_at: bundle.updated_at,
         last_used: bundle.last_used,
@@ -187,10 +198,8 @@ export function writeBundle(bundle, opts = {}) {
         meta,
     };
     const json = JSON.stringify(payload);
-    setKeychainToken(bundleMetaItem(bundle.name), json, Boolean(bundle.icloud_sync));
-    if (opts.emitEvent !== false) {
-        emit('secrets.set', { bundle: bundle.name });
-    }
+    setKeychainToken(bundleMetaItem(bundle.name), json);
+    emit('secrets.set', { bundle: bundle.name });
 }
 export function deleteBundle(name) {
     validateBundleName(name);
@@ -220,7 +229,7 @@ export function listBundles() {
     // SecItemCopyMatching calls collapses the prompt to one. Mirrors the pattern
     // already used by resolveBundleEnv for runtime secret injection.
     const itemsToFetch = names.map(bundleMetaItem);
-    const fetched = getKeychainTokensBatch(itemsToFetch, false, 'list secrets bundles');
+    const fetched = getKeychainTokens(itemsToFetch);
     const out = [];
     for (const name of names) {
         const json = fetched.get(bundleMetaItem(name));
@@ -240,7 +249,6 @@ export function listBundles() {
             name,
             description: parsed.description,
             allow_exec: Boolean(parsed.allow_exec),
-            icloud_sync: Boolean(parsed.icloud_sync),
             vars: parsed.vars && typeof parsed.vars === 'object' ? parsed.vars : {},
         };
         if (typeof parsed.created_at === 'string')
@@ -294,90 +302,63 @@ function stampLastUsed(bundle) {
     }
     try {
         bundle.last_used = new Date(nowMs).toISOString();
-        writeBundle(bundle, { emitEvent: false });
+        writeBundle(bundle);
     }
     catch {
         // Swallow — telemetry must never block secret resolution.
     }
 }
-export function resolveBundleEnv(bundle, opts = {}) {
+// Walk the bundle and produce a flat env map. Every keychain: ref is gathered
+// into a single batch read so macOS shows ONE Touch ID prompt for the whole
+// bundle — including the metadata fetch that already happened in readBundle
+// (the helper's auth context survives across separate invocations only via
+// the per-process LAContext, so we still get one prompt for the batch even
+// if metadata triggered an earlier one). Literals/env/file/exec refs are
+// resolved inline and never reach the keychain.
+export function resolveBundleEnv(bundle, _opts = {}) {
     stampLastUsed(bundle);
     const parsedByKey = new Map();
     const keychainItemsToFetch = [];
-    const keychainKeys = [];
-    const kindCounts = {};
     for (const [key, raw] of Object.entries(bundle.vars)) {
         const parsed = parseBundleValue(raw);
         parsedByKey.set(key, parsed);
-        const kind = 'literal' in parsed ? 'literal' : parsed.ref.provider;
-        kindCounts[kind] = (kindCounts[kind] ?? 0) + 1;
         if ('ref' in parsed && parsed.ref.provider === 'keychain') {
-            const item = secretsKeychainItem(bundle.name, parsed.ref.value);
-            keychainItemsToFetch.push(item);
-            keychainKeys.push(key);
+            keychainItemsToFetch.push(secretsKeychainItem(bundle.name, parsed.ref.value));
         }
     }
-    const keys = Object.keys(bundle.vars).sort();
-    keychainKeys.sort();
-    const emitReadAudit = (status, err) => {
-        emit('secrets.get', {
-            bundle: bundle.name,
-            caller: opts.caller,
-            status,
-            keyCount: keys.length,
-            keys,
-            keychainKeys,
-            kindCounts,
-            error: err instanceof Error ? err.message : (err ? String(err) : undefined),
-        });
-    };
-    // Build the localizedReason shown under the Touch ID prompt. Lowercase verb
-    // phrase per Apple HIG — the system prepends "<App> is required to ".
-    const reason = opts.caller
-        ? `read ${bundle.name} secrets (for ${opts.caller})`
-        : `read ${bundle.name} secrets`;
-    try {
-        // Single helper invocation, one biometric prompt.
-        const fetched = keychainItemsToFetch.length > 0
-            ? getKeychainTokensBatch(keychainItemsToFetch, bundle.icloud_sync, reason)
-            : new Map();
-        // Second pass: assemble env. Keychain values come from the batch; everything
-        // else is resolved inline (literals and env/file/exec refs don't prompt).
-        const env = {};
-        for (const [key] of Object.entries(bundle.vars)) {
-            const parsed = parsedByKey.get(key);
-            if ('literal' in parsed) {
-                env[key] = parsed.literal;
-                continue;
-            }
-            if (parsed.ref.provider === 'keychain') {
-                const item = secretsKeychainItem(bundle.name, parsed.ref.value);
-                const value = fetched.get(item);
-                if (value === undefined) {
-                    throw new Error(`Bundle '${bundle.name}' key '${key}': keychain item '${item}' not found. ` +
-                        `Run: agents secrets add ${bundle.name} ${key}`);
-                }
-                env[key] = value;
-                continue;
-            }
-            try {
-                env[key] = resolveRef(parsed.ref, {
-                    allowExec: bundle.allow_exec,
-                    iCloudSync: bundle.icloud_sync,
-                    keychainItemFor: (shortId) => secretsKeychainItem(bundle.name, shortId),
-                });
-            }
-            catch (err) {
-                throw new Error(`Bundle '${bundle.name}' key '${key}': ${err.message}`);
+    const fetched = keychainItemsToFetch.length > 0
+        ? getKeychainTokens(keychainItemsToFetch)
+        : new Map();
+    const env = {};
+    for (const [key, raw] of Object.entries(bundle.vars)) {
+        const parsed = parsedByKey.get(key);
+        if ('literal' in parsed) {
+            env[key] = parsed.literal;
+            continue;
+        }
+        if (parsed.ref.provider === 'keychain') {
+            const item = secretsKeychainItem(bundle.name, parsed.ref.value);
+            const value = fetched.get(item);
+            if (value === undefined) {
+                throw new Error(`Bundle '${bundle.name}' key '${key}': keychain item '${item}' not found. ` +
+                    `Run: agents secrets add ${bundle.name} ${key}`);
             }
+            env[key] = value;
+            continue;
+        }
+        try {
+            env[key] = resolveRef(parsed.ref, {
+                allowExec: bundle.allow_exec,
+                keychainItemFor: (shortId) => secretsKeychainItem(bundle.name, shortId),
+            });
+        }
+        catch (err) {
+            throw new Error(`Bundle '${bundle.name}' key '${key}': ${err.message}`);
         }
-        emitReadAudit('success');
-        return env;
-    }
-    catch (err) {
-        emitReadAudit('error', err);
-        throw err;
     }
+    // `caller` is intentionally unused; see ResolveBundleOptions.
+    void _opts.caller;
+    return env;
 }
 /**
  * Read a bundle's metadata AND resolve its env in a single Touch ID prompt.
@@ -406,10 +387,8 @@ export function readAndResolveBundleEnv(name, opts = {}) {
     const reason = opts.caller
         ? `read ${name} secrets (for ${opts.caller})`
         : `read ${name} secrets`;
-    // icloud_sync flag is unknown until we parse metadata, but the helper's
-    // get-batch uses kSecAttrSynchronizableAny so it finds both synced and
-    // device-local items in one shot.
-    const fetched = getKeychainTokensBatch([metaItem, ...secretItems], false, reason);
+    void reason;
+    const fetched = getKeychainTokens([metaItem, ...secretItems]);
     const json = fetched.get(metaItem);
     if (json === undefined) {
         throw new Error(`Secrets bundle '${name}' not found.`);
@@ -428,7 +407,6 @@ export function readAndResolveBundleEnv(name, opts = {}) {
         name,
         description: parsed.description,
         allow_exec: Boolean(parsed.allow_exec),
-        icloud_sync: Boolean(parsed.icloud_sync),
         vars: parsed.vars && typeof parsed.vars === 'object' ? parsed.vars : {},
     };
     if (typeof parsed.created_at === 'string')
@@ -490,7 +468,6 @@ export function readAndResolveBundleEnv(name, opts = {}) {
             try {
                 env[key] = resolveRef(p.ref, {
                     allowExec: bundle.allow_exec,
-                    iCloudSync: bundle.icloud_sync,
                     keychainItemFor: (shortId) => secretsKeychainItem(bundle.name, shortId),
                 });
             }
@@ -529,7 +506,7 @@ export function rotateBundleSecret(bundle, key, opts) {
     }
     const shortId = raw.slice('keychain:'.length);
     const item = secretsKeychainItem(bundle.name, shortId);
-    setKeychainToken(item, opts.newValue, bundle.icloud_sync);
+    setKeychainToken(item, opts.newValue);
     if (opts.clearMeta) {
         if (bundle.meta)
             delete bundle.meta[key];
@@ -560,8 +537,8 @@ export function rotateBundleSecret(bundle, key, opts) {
  *   4) write new bundle metadata
  *   5) delete the old per-key keychain items + old metadata
  *
- * Steps 1-4 are reversible. If 5 partially fails (e.g. iCloud Keychain
- * hiccup), running `rename` again is a safe no-op for the source items.
+ * Steps 1-4 are reversible. If 5 partially fails, running `rename` again is
+ * a safe no-op for the source items.
  */
 export function renameBundle(oldName, newName, opts = {}) {
     validateBundleName(oldName);
@@ -579,7 +556,7 @@ export function renameBundle(oldName, newName, opts = {}) {
         }
         const dest = readBundle(newName);
         for (const { item } of keychainItemsForBundle(dest)) {
-            deleteKeychainToken(item, dest.icloud_sync);
+            deleteKeychainToken(item);
         }
         deleteBundle(newName);
     }
@@ -592,15 +569,15 @@ export function renameBundle(oldName, newName, opts = {}) {
             continue;
         const shortId = raw.slice('keychain:'.length);
         const newItem = secretsKeychainItem(newName, shortId);
-        const value = getKeychainToken(oldItem, source.icloud_sync);
-        setKeychainToken(newItem, value, source.icloud_sync);
+        const value = getKeychainToken(oldItem);
+        setKeychainToken(newItem, value);
     }
     // writeBundle preserves source.created_at and refreshes updated_at.
     const renamed = { ...source, name: newName };
     writeBundle(renamed);
     // Cleanup: delete the old per-key keychain items, then the old metadata.
     for (const { item: oldItem } of sourceItems) {
-        deleteKeychainToken(oldItem, source.icloud_sync);
+        deleteKeychainToken(oldItem);
     }
     deleteBundle(oldName);
     emit('secrets.rename', { from: oldName, to: newName });
@@ -674,7 +651,6 @@ export async function migrateLegacyBundles(confirmBundle) {
                 name,
                 description: parsed.description,
                 allow_exec: Boolean(parsed.allow_exec),
-                icloud_sync: Boolean(parsed.icloud_sync),
                 vars: parsed.vars && typeof parsed.vars === 'object' ? parsed.vars : {},
             };
             const keys = Object.keys(bundle.vars);