@phnx-labs/agents-cli 1.20.20 → 1.20.21

package/dist/lib/daemon.js

@@ -265,6 +265,9 @@ export async function runDaemon() {
         scheduler.reloadAll();
         const reloaded = scheduler.listScheduled();
         log('INFO', `Reloaded ${reloaded.length} jobs`);
+        // Drop the memoized R2 config so rotated/added sync credentials are re-read
+        // on the next cycle instead of waiting for a restart.
+        void import('./session/sync/config.js').then(m => m.clearR2ConfigCache());
     };
     const handleShutdown = async () => {
         log('INFO', 'Daemon shutting down');

package/dist/lib/session/sync/config.d.ts

@@ -13,14 +13,26 @@ export interface R2Config {
     /** S3-compatible endpoint for the account (no bucket, no trailing slash). */
     endpoint: string;
 }
+/** Window after a prompt-bearing resolution failure during which we skip
+ *  re-attempting (and thus re-prompting). SIGHUP / restart bypasses it. */
+export declare const RESOLVE_RETRY_COOLDOWN_MS: number;
+/** Drop the cached resolution so the next call reads the bundle fresh. Called on
+ *  daemon SIGHUP (to pick up rotated credentials) and between tests. */
+export declare function clearR2ConfigCache(): void;
 /**
- * Resolve R2 credentials from the `r2.backups` bundle. Throws a clear,
- * actionable error if the bundle or any key is missing — sync cannot proceed
- * without real credentials (no silent fallback).
+ * Resolve R2 credentials, reading the keychain at most once per process. The
+ * first call reads (and may prompt for Touch ID); every later call returns the
+ * memoized result. Throws if the bundle/keys are missing — failures are not
+ * memoized, but see isSyncConfigured for the re-prompt cooldown.
  */
 export declare function loadR2Config(): R2Config;
-/** True when the sync bundle exists and looks resolvable, without throwing. */
-export declare function isSyncConfigured(): boolean;
+/**
+ * True when the sync bundle exists and resolves, without throwing. After a
+ * prompt-bearing failure (e.g. a cancelled Touch ID) it returns false without
+ * re-reading the keychain for RESOLVE_RETRY_COOLDOWN_MS, so a dismissed prompt
+ * does not re-storm every cycle. `now` is injectable for tests.
+ */
+export declare function isSyncConfigured(now?: number): boolean;
 /**
  * This machine's stable, human-readable id, used as its R2 prefix and mirror
  * directory name. Tailnet hostnames (zion, yosemite-s0, mac-mini) are already

package/dist/lib/session/sync/config.js

@@ -12,7 +12,7 @@ export const SYNC_BUNDLE = 'r2.backups';
  * actionable error if the bundle or any key is missing — sync cannot proceed
  * without real credentials (no silent fallback).
  */
-export function loadR2Config() {
+function resolveR2Config() {
     const { env } = readAndResolveBundleEnv(SYNC_BUNDLE, { caller: 'sessions-sync' });
     const accountId = env.R2_ACCOUNT_ID?.trim();
     const bucket = env.R2_BUCKET_NAME?.trim();
@@ -36,13 +36,60 @@ export function loadR2Config() {
         endpoint: `https://${accountId}.r2.cloudflarestorage.com`,
     };
 }
-/** True when the sync bundle exists and looks resolvable, without throwing. */
-export function isSyncConfigured() {
+// ── Resolution cache ────────────────────────────────────────────────────────
+// The daemon calls isSyncConfigured() + syncSessions() every ~90s, and each used
+// to trigger a fresh read of the biometry-gated `r2.backups` keychain items —
+// one Touch ID prompt per gated item, every cycle, forever. We instead resolve
+// at most once per process: a success is memoized for the process lifetime
+// (cleared on daemon SIGHUP via clearR2ConfigCache), so subsequent cycles never
+// touch the keychain again. A *prompt-bearing* failure (cancelled Touch ID, etc.)
+// starts a cooldown so a dismissed prompt is not re-issued every cycle. A simply
+// absent bundle never prompts, so it is re-checked each cycle (fast pickup when
+// the user later adds credentials).
+let cachedConfig = null;
+let lastPromptFailureAt = 0;
+/** Window after a prompt-bearing resolution failure during which we skip
+ *  re-attempting (and thus re-prompting). SIGHUP / restart bypasses it. */
+export const RESOLVE_RETRY_COOLDOWN_MS = 30 * 60 * 1000; // 30 minutes
+/** Drop the cached resolution so the next call reads the bundle fresh. Called on
+ *  daemon SIGHUP (to pick up rotated credentials) and between tests. */
+export function clearR2ConfigCache() {
+    cachedConfig = null;
+    lastPromptFailureAt = 0;
+}
+/**
+ * Resolve R2 credentials, reading the keychain at most once per process. The
+ * first call reads (and may prompt for Touch ID); every later call returns the
+ * memoized result. Throws if the bundle/keys are missing — failures are not
+ * memoized, but see isSyncConfigured for the re-prompt cooldown.
+ */
+export function loadR2Config() {
+    if (cachedConfig)
+        return cachedConfig;
+    cachedConfig = resolveR2Config();
+    return cachedConfig;
+}
+/**
+ * True when the sync bundle exists and resolves, without throwing. After a
+ * prompt-bearing failure (e.g. a cancelled Touch ID) it returns false without
+ * re-reading the keychain for RESOLVE_RETRY_COOLDOWN_MS, so a dismissed prompt
+ * does not re-storm every cycle. `now` is injectable for tests.
+ */
+export function isSyncConfigured(now = Date.now()) {
+    if (cachedConfig)
+        return true;
+    if (lastPromptFailureAt && now - lastPromptFailureAt < RESOLVE_RETRY_COOLDOWN_MS)
+        return false;
     try {
         loadR2Config();
         return true;
     }
-    catch {
+    catch (err) {
+        // A missing bundle never prompts, so keep re-checking it each cycle (so a
+        // later `agents secrets add` is picked up quickly). Any other failure may
+        // have cost a prompt (cancelled Touch ID, keychain error) — back off.
+        if (!/not found/i.test(err.message))
+            lastPromptFailureAt = now;
         return false;
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@phnx-labs/agents-cli",
-  "version": "1.20.20",
+  "version": "1.20.21",
   "description": "One CLI for all your AI coding agents - versions, config, cloud dispatch, sessions, and teams (now with first-class Grok Build CLI support)",
   "type": "module",
   "main": "dist/index.js",