@phnx-labs/agents-cli 1.20.15 → 1.20.17

package/dist/lib/daemon.js

@@ -18,6 +18,7 @@ import { executeJobDetached, monitorRunningJobs } from './runner.js';
 import { detectOverdueJobs, notifyOverdue } from './overdue.js';
 import { BrowserService } from './browser/service.js';
 import { BrowserIPCServer } from './browser/ipc.js';
+import { readAndResolveBundleEnv } from './secrets/bundles.js';
 const PID_FILE = 'daemon.pid';
 const LOCK_FILE = 'daemon.lock';
 const LOG_FILE = 'logs.jsonl';
@@ -25,6 +26,12 @@ const LOG_MAX_SIZE = 5 * 1024 * 1024; // 5 MB
 const LOG_ROTATE_COUNT = 3;
 const PLIST_NAME = 'com.phnx-labs.agents-daemon';
 const SYSTEMD_UNIT = 'agents-daemon.service';
+// A long-lived `claude setup-token` value stored in this secrets bundle/key is
+// baked into the daemon's service-manager environment so headless routine runs
+// authenticate without depending on the short-lived interactive Keychain OAuth
+// session (which expires between runs and produces intermittent 401s).
+const DAEMON_OAUTH_BUNDLE = 'claude';
+const DAEMON_OAUTH_KEY = 'CLAUDE_CODE_OAUTH_TOKEN';
 function getDaemonDir() {
     const dir = getDaemonDirRoot();
     fs.mkdirSync(dir, { recursive: true });
@@ -225,6 +232,34 @@ export async function runDaemon() {
     const monitorInterval = setInterval(() => {
         monitorRunningJobs();
     }, 60_000);
+    // Cross-machine session sync: push this machine's transcripts to R2 and pull
+    // every other machine's, ~every 90s. Skipped silently when the r2.backups
+    // bundle is absent. An overlap guard prevents a slow cycle from stacking.
+    let syncing = false;
+    const runSessionSync = async () => {
+        if (syncing)
+            return;
+        syncing = true;
+        try {
+            const { isSyncConfigured } = await import('./session/sync/config.js');
+            if (!isSyncConfigured())
+                return;
+            const { syncSessions } = await import('./session/sync/sync.js');
+            const r = await syncSessions();
+            if (r.pushed || r.pulled || r.errors.length) {
+                log('INFO', `sessions sync: pushed ${r.pushed}, pulled ${r.pulled}, merged ${r.merged}` +
+                    (r.errors.length ? `, ${r.errors.length} error(s): ${r.errors[0]}` : ''));
+            }
+        }
+        catch (err) {
+            log('ERROR', `sessions sync failed: ${err.message}`);
+        }
+        finally {
+            syncing = false;
+        }
+    };
+    const syncInterval = setInterval(() => { void runSessionSync(); }, 90_000);
+    void runSessionSync(); // kick once at startup
     const handleReload = () => {
         log('INFO', 'Reloading jobs (SIGHUP)');
         scheduler.reloadAll();
@@ -236,6 +271,7 @@ export async function runDaemon() {
         scheduler.stopAll();
         await browserIPC.stop();
         clearInterval(monitorInterval);
+        clearInterval(syncInterval);
         removeDaemonPid();
         process.exit(0);
     };
@@ -244,10 +280,42 @@ export async function runDaemon() {
     process.on('SIGINT', () => handleShutdown());
     await new Promise(() => { });
 }
+/**
+ * Read the long-lived Claude OAuth token (from `claude setup-token`) that the
+ * user stored under the `claude` secrets bundle. Resolves the bundle the same
+ * way `agents run --secrets` does, so the token is found whether it was stored
+ * keychain-backed or as a literal. Returns null when the bundle/key isn't
+ * configured, the Keychain read is cancelled, or the platform has no keychain —
+ * the daemon then behaves exactly as before (relying on the interactive OAuth
+ * session). Never throws: a misconfigured token must not block daemon startup.
+ */
+export function readDaemonClaudeOAuthToken() {
+    try {
+        const { env } = readAndResolveBundleEnv(DAEMON_OAUTH_BUNDLE, { caller: 'daemon' });
+        const token = (env[DAEMON_OAUTH_KEY] ?? '').trim();
+        return token.length > 0 ? token : null;
+    }
+    catch {
+        return null;
+    }
+}
+/** Escape a string for safe inclusion in an XML <string> node. */
+function xmlEscape(s) {
+    return s
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;');
+}
 /** Generate a macOS launchd plist for auto-starting the daemon. */
 export function generateLaunchdPlist() {
     const agentsBin = getAgentsBinPath();
     const logPath = getLogPath();
+    const oauthToken = readDaemonClaudeOAuthToken();
+    const oauthEntry = oauthToken
+        ? `
+    <key>${DAEMON_OAUTH_KEY}</key>
+    <string>${xmlEscape(oauthToken)}</string>`
+        : '';
     return `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -271,7 +339,7 @@ export function generateLaunchdPlist() {
   <key>EnvironmentVariables</key>
   <dict>
     <key>PATH</key>
-    <string>/usr/local/bin:/usr/bin:/bin:/opt/homebrew/bin:${os.homedir()}/.bun/bin:${os.homedir()}/.nvm/versions/node/v24.0.0/bin</string>
+    <string>/usr/local/bin:/usr/bin:/bin:/opt/homebrew/bin:${os.homedir()}/.bun/bin:${os.homedir()}/.nvm/versions/node/v24.0.0/bin</string>${oauthEntry}
   </dict>
 </dict>
 </plist>`;
@@ -279,6 +347,10 @@ export function generateLaunchdPlist() {
 /** Generate a Linux systemd user unit for auto-starting the daemon. */
 export function generateSystemdUnit() {
     const agentsBin = getAgentsBinPath();
+    const oauthToken = readDaemonClaudeOAuthToken();
+    const oauthLine = oauthToken
+        ? `\nEnvironment=${DAEMON_OAUTH_KEY}=${oauthToken}`
+        : '';
     return `[Unit]
 Description=Agents Daemon - Scheduled Job Runner
 After=network.target
@@ -288,7 +360,7 @@ Type=simple
 ExecStart=${agentsBin} daemon _run
 Restart=always
 RestartSec=10
-Environment=PATH=/usr/local/bin:/usr/bin:/bin:${os.homedir()}/.nvm/versions/node/v24.0.0/bin
+Environment=PATH=/usr/local/bin:/usr/bin:/bin:${os.homedir()}/.nvm/versions/node/v24.0.0/bin${oauthLine}
 
 [Install]
 WantedBy=default.target`;
@@ -338,6 +410,9 @@ function startDaemonLocked() {
                 fs.mkdirSync(plistDir, { recursive: true });
             }
             fs.writeFileSync(plistPath, generateLaunchdPlist(), 'utf-8');
+            // The plist may embed a long-lived OAuth token in EnvironmentVariables;
+            // keep it owner-only so it isn't world/group readable on disk.
+            fs.chmodSync(plistPath, 0o600);
             try {
                 execFileSync('launchctl', ['unload', plistPath], { encoding: 'utf-8', stdio: ['ignore', 'pipe', 'ignore'] });
             }
@@ -365,6 +440,8 @@ function startDaemonLocked() {
                 fs.mkdirSync(unitDir, { recursive: true });
             }
             fs.writeFileSync(unitPath, generateSystemdUnit(), 'utf-8');
+            // May embed a long-lived OAuth token in an Environment= line; owner-only.
+            fs.chmodSync(unitPath, 0o600);
             execFileSync('systemctl', ['--user', 'daemon-reload'], { encoding: 'utf-8' });
             execFileSync('systemctl', ['--user', 'enable', SYSTEMD_UNIT], { encoding: 'utf-8' });
             execFileSync('systemctl', ['--user', 'start', SYSTEMD_UNIT], { encoding: 'utf-8' });
@@ -377,6 +454,23 @@ function startDaemonLocked() {
     }
     return startDetached();
 }
+/**
+ * Environment for the detached daemon fallback. The launchd/systemd paths
+ * deliver the long-lived OAuth token via the service manifest's environment;
+ * the detached path has no manifest, so inject it here. Read happens during an
+ * interactive `routines start`, so a Keychain Touch ID prompt can be satisfied;
+ * the daemon then passes it to every routine run it spawns. An already-set
+ * value (e.g. inherited from launchd) is left untouched.
+ */
+export function buildDetachedDaemonEnv(baseEnv = process.env) {
+    const env = { ...baseEnv };
+    if (!env.CLAUDE_CODE_OAUTH_TOKEN) {
+        const token = readDaemonClaudeOAuthToken();
+        if (token)
+            env.CLAUDE_CODE_OAUTH_TOKEN = token;
+    }
+    return env;
+}
 function startDetached() {
     const agentsBin = getAgentsBinPath();
     const logPath = getLogPath();
@@ -384,6 +478,7 @@ function startDetached() {
     const child = spawn(agentsBin, ['daemon', '_run'], {
         stdio: ['ignore', logFd, logFd],
         detached: true,
+        env: buildDetachedDaemonEnv(),
     });
     child.unref();
     fs.closeSync(logFd);

package/dist/lib/hooks.js

@@ -90,6 +90,18 @@ function isManagedHookCommand(command, prefixes) {
     for (const prefix of prefixes) {
         if (resolved.startsWith(prefix))
             return true;
+        // The command dir above is realpath-resolved, but a raw prefix may still
+        // point through a symlink (macOS TMPDIR /var -> /private/var, or a
+        // symlinked ~/.agents). Compare against a realpath-normalized prefix too
+        // so the two sides match. Strip the trailing sep, resolve the dir, re-add.
+        const rawPrefixDir = prefix.endsWith(path.sep) ? prefix.slice(0, -path.sep.length) : prefix;
+        let resolvedPrefix = prefix;
+        try {
+            resolvedPrefix = fs.realpathSync(rawPrefixDir) + path.sep;
+        }
+        catch { /* absent or broken link */ }
+        if (resolvedPrefix !== prefix && resolved.startsWith(resolvedPrefix))
+            return true;
     }
     return false;
 }

package/dist/lib/migrate.d.ts

@@ -25,6 +25,28 @@
  * LEGACY_SYSTEM_DIR" without duplicating data.
  */
 export declare function foldLegacySystemRepo(): void;
+/**
+ * Repair self-referential agent binary symlinks.
+ *
+ * Some installScript-based agents — notably Factory's `droid`, whose installer
+ * drops a standalone native binary at ~/.local/bin/droid — were registered at
+ * install time by resolving the post-install binary with `which <cli>`. Because
+ * ~/.agents/.cache/shims sits ahead of ~/.local/bin on PATH, `which` could
+ * return OUR OWN dispatcher shim, and the install step symlinked
+ *   ~/.agents/.history/versions/<agent>/<version>/node_modules/.bin/<cli>
+ * back at ~/.agents/.cache/shims/<cli>. Launching that agent then re-execs the
+ * dispatcher forever (an infinite exec loop that hangs the terminal).
+ *
+ * This walks every installed version's node_modules/.bin and, for any entry
+ * whose symlink resolves into the shims dir, re-points it at the real binary
+ * (found on PATH with the shims dir excluded) — or removes it when no real
+ * binary can be found, letting getBinaryPath's per-agent resolver take over.
+ * Idempotent: a correctly-pointed link is left untouched on re-run.
+ *
+ * Params default to the real on-disk locations; they are injectable so tests
+ * can drive a fixture tree without touching the user's ~/.agents.
+ */
+export declare function repairSelfReferentialBinShims(versionsRoot?: string, shimsDir?: string): void;
 /**
  * Rename the legacy `extras-extras/` plugin-marketplace dir to `agents-extras/`
  * inside every installed agent version-home, and rewrite cross-references in

package/dist/lib/migrate.js

@@ -8,7 +8,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
 import * as yaml from 'yaml';
-import { AGENTS, agentConfigDirName } from './agents.js';
+import { AGENTS, agentConfigDirName, findInPath } from './agents.js';
 const HOME = process.env.HOME ?? os.homedir();
 const USER_DIR = path.join(HOME, '.agents');
 /** Canonical system-repo location (post-fold). */
@@ -715,6 +715,100 @@ function repairAgentConfigSymlinks() {
         console.error(`Repaired ${repaired} agent config symlink${repaired === 1 ? '' : 's'} to point at ~/.agents/versions/`);
     }
 }
+/**
+ * Repair self-referential agent binary symlinks.
+ *
+ * Some installScript-based agents — notably Factory's `droid`, whose installer
+ * drops a standalone native binary at ~/.local/bin/droid — were registered at
+ * install time by resolving the post-install binary with `which <cli>`. Because
+ * ~/.agents/.cache/shims sits ahead of ~/.local/bin on PATH, `which` could
+ * return OUR OWN dispatcher shim, and the install step symlinked
+ *   ~/.agents/.history/versions/<agent>/<version>/node_modules/.bin/<cli>
+ * back at ~/.agents/.cache/shims/<cli>. Launching that agent then re-execs the
+ * dispatcher forever (an infinite exec loop that hangs the terminal).
+ *
+ * This walks every installed version's node_modules/.bin and, for any entry
+ * whose symlink resolves into the shims dir, re-points it at the real binary
+ * (found on PATH with the shims dir excluded) — or removes it when no real
+ * binary can be found, letting getBinaryPath's per-agent resolver take over.
+ * Idempotent: a correctly-pointed link is left untouched on re-run.
+ *
+ * Params default to the real on-disk locations; they are injectable so tests
+ * can drive a fixture tree without touching the user's ~/.agents.
+ */
+export function repairSelfReferentialBinShims(versionsRoot = path.join(HISTORY_DIR, 'versions'), shimsDir = path.resolve(CACHE_DIR, 'shims')) {
+    // Normalize the shims dir through realpath so the prefix check below survives
+    // a symlinked ~/.agents (or macOS's /tmp -> /private/tmp): fs.realpathSync on
+    // the link target resolves those symlinks, so the dir we compare against must
+    // too, or every loop would read as "points at a real binary" and be skipped.
+    shimsDir = path.resolve(shimsDir);
+    try {
+        shimsDir = fs.realpathSync(shimsDir);
+    }
+    catch {
+        /* shims dir absent — leave the resolved path; nothing will match it */
+    }
+    let agents;
+    try {
+        agents = fs.readdirSync(versionsRoot);
+    }
+    catch {
+        return; // no versions installed yet
+    }
+    let repaired = 0;
+    for (const agent of agents) {
+        const cli = agent in AGENTS ? AGENTS[agent].cliCommand : agent;
+        let versions;
+        try {
+            versions = fs.readdirSync(path.join(versionsRoot, agent));
+        }
+        catch {
+            continue;
+        }
+        for (const version of versions) {
+            const binLink = path.join(versionsRoot, agent, version, 'node_modules', '.bin', cli);
+            let stat;
+            try {
+                stat = fs.lstatSync(binLink);
+            }
+            catch {
+                continue; // no .bin entry for this version
+            }
+            if (!stat.isSymbolicLink())
+                continue;
+            let real;
+            try {
+                real = fs.realpathSync(binLink);
+            }
+            catch {
+                // Dangling symlink — if it was aimed at the shims dir it's the loop
+                // residue; drop it either way so getBinaryPath reports honestly.
+                try {
+                    fs.unlinkSync(binLink);
+                    repaired++;
+                }
+                catch { /* best-effort */ }
+                continue;
+            }
+            if (!path.resolve(real).startsWith(shimsDir + path.sep))
+                continue; // points at a real binary — fine
+            // Self-referential: the link resolves back into our own shims dir.
+            // findInPath does a pure-Node PATH scan (no subprocess) and already
+            // skips our shims dir, so it returns the genuine install if one exists.
+            const realBinary = findInPath(cli);
+            try {
+                fs.unlinkSync(binLink);
+                if (realBinary)
+                    fs.symlinkSync(realBinary, binLink);
+                repaired++;
+            }
+            catch { /* best-effort */ }
+        }
+    }
+    if (repaired > 0) {
+        console.error(`Repaired ${repaired} self-referential agent binary symlink${repaired === 1 ? '' : 's'} (infinite exec-loop fix).`);
+    }
+}
 /**
  * Move a directory from `src` to `dest`. No-op when src is absent. When dest
  * already exists, merge by copying everything that isn't already there, then
@@ -1733,4 +1827,8 @@ export async function runMigration() {
     migrateExtrasExtrasToAgentsExtras();
     // Symlink repair runs LAST so it can find the post-move version homes.
     repairAgentConfigSymlinks();
+    // Repair self-referential node_modules/.bin/<cli> symlinks (the droid
+    // infinite-exec-loop). Also runs after the bucket moves so it scans the
+    // canonical HISTORY_DIR/versions tree.
+    repairSelfReferentialBinShims();
 }

package/dist/lib/plugin-marketplace.d.ts

@@ -98,6 +98,21 @@ export declare function knownMarketplacesPath(agent: AgentId, versionHome: strin
  * Internal symlinks (target stays inside the plugin root) are preserved.
  */
 export declare function copyPluginToMarketplace(plugin: DiscoveredPlugin, spec: MarketplaceSpec | string, agent: AgentId, versionHome: string): string;
+/**
+ * Claude Code's plugin-manifest schema requires the resource path fields to be
+ * relative paths starting with "./" — `skills`/`commands`/`agents` are
+ * `union([startsWith("./"), array(startsWith("./"))])` (verified against the
+ * Claude Code binary). Bare names like "loop" fail validation and Claude rejects
+ * the ENTIRE plugin at load time, surfacing only in its `/plugin` > Errors tab.
+ *
+ * agents-cli copies plugin.json verbatim into the marketplace, so a malformed
+ * manifest ships looking fully installed while loading nothing. This catches the
+ * unambiguous type violation (non-"./" string entries) and returns one warning
+ * per offending field so the caller can surface it loudly. `hooks`/`mcpServers`
+ * are intentionally skipped — they legitimately accept inline objects, so a path
+ * check would false-positive.
+ */
+export declare function validateClaudePluginManifest(manifest: unknown): string[];
 /**
  * Re-synthesize <marketplace>/.claude-plugin/marketplace.json from the plugins
  * already installed under <marketplace>/plugins/. Always run after add or remove

package/dist/lib/plugin-marketplace.js

@@ -185,6 +185,54 @@ export function copyPluginToMarketplace(plugin, spec, agent, versionHome) {
     }
     return dest;
 }
+// ─── Manifest validation ─────────────────────────────────────────────────────
+/**
+ * Claude Code's plugin-manifest schema requires the resource path fields to be
+ * relative paths starting with "./" — `skills`/`commands`/`agents` are
+ * `union([startsWith("./"), array(startsWith("./"))])` (verified against the
+ * Claude Code binary). Bare names like "loop" fail validation and Claude rejects
+ * the ENTIRE plugin at load time, surfacing only in its `/plugin` > Errors tab.
+ *
+ * agents-cli copies plugin.json verbatim into the marketplace, so a malformed
+ * manifest ships looking fully installed while loading nothing. This catches the
+ * unambiguous type violation (non-"./" string entries) and returns one warning
+ * per offending field so the caller can surface it loudly. `hooks`/`mcpServers`
+ * are intentionally skipped — they legitimately accept inline objects, so a path
+ * check would false-positive.
+ */
+export function validateClaudePluginManifest(manifest) {
+    const warnings = [];
+    if (!manifest || typeof manifest !== 'object')
+        return warnings;
+    const m = manifest;
+    for (const field of ['skills', 'commands', 'agents']) {
+        const value = m[field];
+        if (value === undefined || value === null)
+            continue;
+        // How-to-fix written so a human OR a coding agent reading stderr can act
+        // without further investigation. Deleting the field is the recommended fix:
+        // Claude auto-discovers skills/commands/agents from their directories, which
+        // is why every well-formed plugin omits these fields entirely.
+        const fix = `Fix: delete the "${field}" field from plugin.json (recommended — Claude ` +
+            `auto-discovers from the ${field}/ directory), or rewrite every entry as a ` +
+            `"./"-relative path (e.g. "./${field}/<name>").`;
+        const entries = Array.isArray(value) ? value : [value];
+        for (const entry of entries) {
+            if (typeof entry !== 'string') {
+                warnings.push(`field "${field}" must be a "./"-relative path string or an array of them; ` +
+                    `found a non-string entry. Claude Code silently rejects the ENTIRE plugin. ${fix}`);
+                break;
+            }
+            if (!entry.startsWith('./')) {
+                warnings.push(`field "${field}" entry "${entry}" must be a relative path starting with "./" ` +
+                    `(e.g. "./${field}/${entry}"), not a bare name. Claude Code silently rejects the ` +
+                    `ENTIRE plugin — no commands or skills load. ${fix}`);
+                break;
+            }
+        }
+    }
+    return warnings;
+}
 // ─── Catalog synthesis ──────────────────────────────────────────────────────
 /**
  * Re-synthesize <marketplace>/.claude-plugin/marketplace.json from the plugins
@@ -226,6 +274,12 @@ export function syncMarketplaceManifest(spec, agent, versionHome) {
         catch {
             continue;
         }
+        for (const warning of validateClaudePluginManifest(manifest)) {
+            // Reference the plugin by name, not the marketplace-copy path: that copy is
+            // regenerated from source on every sync, so editing it gets stomped. The fix
+            // belongs in the plugin's SOURCE .claude-plugin/plugin.json.
+            process.stderr.write(`agents-cli: plugin '${manifest.name ?? entry.name}' has a Claude-invalid manifest — ${warning}\n`);
+        }
         entries.push({
             name: manifest.name,
             source: `./plugins/${manifest.name}`,

package/dist/lib/secrets/drivers/rush.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Rush `SyncBackend` driver — the original (and currently default) transport
+ * for `agents secrets push/pull`. Talks to api.prix.dev and authenticates with
+ * the session token written by `rush login` (`~/.rush/user.yaml`).
+ *
+ * This is the ONE place in the secrets module allowed to reference Rush
+ * (api.prix.dev / ~/.rush). It is an opt-in driver kept for backwards
+ * compatibility with bundles already pushed to Rush; `sync.ts` selects it as
+ * the default but the transport seam (`SyncBackend`) lets other backends drop
+ * in without touching the crypto or push/pull logic.
+ */
+import type { SyncBackend } from '../sync-backend.js';
+/** The Rush transport. Plaintext never reaches here — only ciphertext envelopes. */
+export declare const rushSyncBackend: SyncBackend;

package/dist/lib/secrets/drivers/rush.js

@@ -0,0 +1,84 @@
+/**
+ * Rush `SyncBackend` driver — the original (and currently default) transport
+ * for `agents secrets push/pull`. Talks to api.prix.dev and authenticates with
+ * the session token written by `rush login` (`~/.rush/user.yaml`).
+ *
+ * This is the ONE place in the secrets module allowed to reference Rush
+ * (api.prix.dev / ~/.rush). It is an opt-in driver kept for backwards
+ * compatibility with bundles already pushed to Rush; `sync.ts` selects it as
+ * the default but the transport seam (`SyncBackend`) lets other backends drop
+ * in without touching the crypto or push/pull logic.
+ */
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import * as yaml from 'yaml';
+const PROXY_BASE = 'https://api.prix.dev';
+const USER_YAML = path.join(os.homedir(), '.rush', 'user.yaml');
+const BUNDLE_ENDPOINT = '/api/v1/secrets/bundles';
+function readRushToken() {
+    if (!fs.existsSync(USER_YAML)) {
+        throw new Error('Not logged in to Rush. Run `rush login` first.');
+    }
+    const raw = fs.readFileSync(USER_YAML, 'utf-8');
+    const data = yaml.parse(raw);
+    const token = data?.session?.access_token;
+    if (!token) {
+        throw new Error('No session token in ~/.rush/user.yaml. Run `rush login` first.');
+    }
+    return token;
+}
+async function api(method, endpoint, body) {
+    const token = readRushToken();
+    const url = endpoint.startsWith('http') ? endpoint : `${PROXY_BASE}${endpoint}`;
+    return fetch(url, {
+        method,
+        headers: {
+            Authorization: `Bearer ${token}`,
+            'Content-Type': 'application/json',
+        },
+        body: body === undefined ? undefined : JSON.stringify(body),
+    });
+}
+function bundlePath(name) {
+    return `${BUNDLE_ENDPOINT}/${encodeURIComponent(name)}`;
+}
+/** The Rush transport. Plaintext never reaches here — only ciphertext envelopes. */
+export const rushSyncBackend = {
+    async putEnvelope(name, payload) {
+        const res = await api('PUT', bundlePath(name), payload);
+        if (!res.ok) {
+            const body = await res.text().catch(() => '');
+            throw new Error(`Push failed (${res.status} ${res.statusText}): ${body}`);
+        }
+    },
+    async getEnvelope(name) {
+        const res = await api('GET', bundlePath(name));
+        if (res.status === 404)
+            return null;
+        if (!res.ok) {
+            const body = await res.text().catch(() => '');
+            throw new Error(`Pull failed (${res.status} ${res.statusText}): ${body}`);
+        }
+        return await res.json();
+    },
+    async deleteEnvelope(name) {
+        const res = await api('DELETE', bundlePath(name));
+        if (res.status === 404)
+            return false;
+        if (!res.ok) {
+            const body = await res.text().catch(() => '');
+            throw new Error(`Delete failed (${res.status} ${res.statusText}): ${body}`);
+        }
+        return true;
+    },
+    async listEnvelopes() {
+        const res = await api('GET', BUNDLE_ENDPOINT);
+        if (!res.ok) {
+            const body = await res.text().catch(() => '');
+            throw new Error(`List failed (${res.status} ${res.statusText}): ${body}`);
+        }
+        const data = await res.json();
+        return data.bundles ?? [];
+    },
+};

package/dist/lib/secrets/index.js

@@ -236,6 +236,26 @@ export function setKeychainToken(item, value) {
         linuxBackend.set(item, value);
         return;
     }
+    // Bare (non-`agents-cli.`) items are written WITHOUT the biometry ACL so
+    // they round-trip with the no-prompt read path in getKeychainToken (which
+    // also uses /usr/bin/security for non-our items). This is what lets a
+    // SessionStart hook read e.g. `linear-api-key` silently on every launch.
+    // Routing these through the helper would attach a Touch ID ACL that the
+    // /usr/bin/security read can't satisfy without popping the legacy password
+    // sheet. -U upserts so repeated sets overwrite in place.
+    if (!isOurItem(item)) {
+        const sec = spawnSync('/usr/bin/security', [
+            'add-generic-password', '-U',
+            '-a', os.userInfo().username,
+            '-s', item,
+            '-w', value,
+        ], { stdio: ['ignore', 'pipe', 'pipe'] });
+        if (sec.status !== 0) {
+            const msg = sec.stderr?.toString().trim();
+            throw new Error(msg || `Failed to write keychain item '${item}'.`);
+        }
+        return;
+    }
     const bin = getKeychainHelperPath();
     const result = spawnSync(bin, ['set', item, os.userInfo().username], {
         input: value,