clawdi 0.6.0 → 0.8.0

package/README.md

@@ -46,6 +46,7 @@ That gets you:
 - Agent auto-detection for Claude Code, Codex, Hermes, and OpenClaw
 - MCP registration so your agent can call Clawdi tools
 - The bundled `clawdi` skill installed into each detected agent
+- Background sync daemons installed and started for every registered agent
 - A health check that verifies auth, agent paths, vault access, and MCP config
 
 By default the CLI talks to hosted Clawdi Cloud. Want to run your own backend? See [Own the Stack](#own-the-stack).
@@ -74,7 +75,7 @@ Clawdi is the shared layer underneath:
 - **Portable skills** — Upload or install agent instructions once, then sync them into every registered agent.
 - **Project sharing** — Share read-only Project access, accept it from the CLI inbox, and explicitly attach accepted Projects to Agents when they should be used at runtime.
 - **Session sync** — Push local session history to the dashboard for review and recall.
-- **Vault secrets** — Store secrets server-side and inject them only when running a command.
+- **Vault secrets** — Store secrets server-side, commit only `clawdi://` references, and resolve them at runtime.
 - **App connections** — Hook agents into Notion, Gmail, Drive, Calendar, Linear, GitHub, and more from the dashboard. Tools show up inside every connected agent automatically over MCP.
 - **MCP tools** — Memory, vault, and connector tools served through the Model Context Protocol so any MCP-aware agent can use them.
 
@@ -86,13 +87,39 @@ remember that this repo uses Bun for TypeScript and PDM for backend scripts
 
 Later, in a different agent or a fresh session, ask "what package manager should I use here?" — it can call Clawdi memory search and answer from your actual context instead of guessing.
 
-Run a command with vault secrets without putting them on disk:
+Run a fullstack dev command with vault references without putting plaintext secrets on disk:
 
 ```bash
 clawdi vault set OPENAI_API_KEY
-clawdi run -- python scripts/ingest.py
+echo "OPENAI_API_KEY=clawdi://project/<project-id>/vault/default/field/OPENAI_API_KEY" > .env.clawdi
+clawdi run --dry-run --env-file .env.clawdi -- npm run dev
+clawdi run --env-file .env.clawdi -- npm run dev
+clawdi read clawdi://project/<project-id>/vault/default/field/OPENAI_API_KEY
+clawdi inject --dry-run --in .env.clawdi --out .env.local
+clawdi inject --force --in .env.clawdi --out .env.local
 ```
 
+`clawdi vault set`, `clawdi vault import`, and `clawdi vault list` print exact references that include the Project ID. Project-relative references such as `clawdi://default/OPENAI_API_KEY` still work for portable templates, but exact references are the default copy/read UX.
+
+Agents should prefer `clawdi run --env-file .env.clawdi -- <command>` when they can launch the tool themselves. Use `clawdi inject` only for tools that must read a physical `.env.local`; generated files are written owner-only and should stay gitignored.
+
+Use `--dry-run` on `clawdi read`, `clawdi inject`, `clawdi run`, and `clawdi vault resolve` to verify provenance without requesting plaintext values. `clawdi doctor` checks vault metadata only; it does not resolve stored secrets.
+
+Sync a local agent CLI credential profile to another machine:
+
+```bash
+clawdi agent credentials import codex
+clawdi agent credentials import claude-code
+clawdi agent credentials import gh
+clawdi agent credentials materialize codex
+clawdi agent credentials materialize claude-code
+clawdi agent credentials materialize gh
+```
+
+Credential profile sync is separate from `clawdi run`: it stores and restores a supported tool's local auth file, while `run` injects explicit `clawdi://` references into one child process. Profiles default to your stable Personal Project so `import` on one machine and `materialize` on another resolve the same namespace. They are personal backup/restore artifacts: shared Project viewers and env-bound Agent keys cannot materialize them. macOS Keychain imports are guarded behind `--source keychain` and require explicit `--keychain-service` plus `--keychain-account`; Clawdi does not guess or silently scrape credential-store items, and Keychain reads cannot use `--yes`.
+
+Current vault storage is server-managed encryption. Clawdi avoids plaintext secrets in repo files and local templates, but the backend can decrypt stored vault values and credential profiles today. Do not treat this release as zero-knowledge.
+
 Install a shared skill into every registered agent at once:
 
 ```bash
@@ -216,8 +243,9 @@ Each agent has a dedicated adapter in [`packages/cli/src/adapters`](https://gith
 | --- | --- |
 | `clawdi auth login` / `logout` | Authenticate this machine |
 | `clawdi status [--json]` | Show auth and sync state |
-| `clawdi setup [--agent <type>]` | Register local agents, install MCP, install the bundled skill |
+| `clawdi setup [--agent <type>] [--no-daemon]` | Register local agents, install MCP, install the bundled skill, and install/start daemons by default |
 | `clawdi teardown [--agent <type>]` | Remove Clawdi's local agent wiring |
+| `clawdi daemon run/install/status/logs/doctor/restart/uninstall` | Run and manage the background sync daemon (`serve` remains a legacy alias) |
 | `clawdi push` | Upload sessions and skills |
 | `clawdi pull` | Download cloud skills into registered agents |
 | `clawdi memory list/search/add/rm` | Manage cross-agent long-term memory |
@@ -225,11 +253,16 @@ Each agent has a dedicated adapter in [`packages/cli/src/adapters`](https://gith
 | `clawdi project create/list/show/share/share-links/invite/invites/members/leave/unshare` | Manage Projects and read-only sharing |
 | `clawdi inbox [accept/decline/forget]` | Accept invitations and share links |
 | `clawdi agent projects list/attach/detach/move` | View the fixed Agent Project and manage attached Projects |
-| `clawdi project folder link/status/unlink` | Link a local folder to a Project for `clawdi run` vault selection |
-| `clawdi vault set/list/import` | Manage encrypted secrets |
-| `clawdi run -- <cmd>` | Run a command with vault secrets injected |
+| `clawdi agent credentials import/materialize` | Sync local CLI credential profiles for Codex, Claude Code, and GitHub CLI; explicit Keychain import requires service/account options |
+| `clawdi project folder link/status/unlink` | Link a local folder to a Project for vault reference selection |
+| `clawdi vault set/list/import` | Manage encrypted secrets and copy exact references |
+| `clawdi read <clawdi://...>` | Explicitly print one vault reference value |
+| `clawdi inject --in <file> --out <file>` | Render `clawdi://` references into templates |
+| `clawdi run --env-file <file> -- <cmd>` | Run a command with explicit vault references resolved |
 | `clawdi doctor` | Diagnose auth, agent paths, vault, and MCP config |
-| `clawdi update` | Check for a newer CLI version |
+| `clawdi update` | Install the latest CLI version (`--check` only reports) |
+
+Auto-update is enabled by default for all newer releases, including majors. Human CLI invocations update the global CLI in the background; installed daemons check on their own cadence, install silently, then let launchd/systemd restart them onto the new code. Disable both with `CLAWDI_NO_AUTO_UPDATE=1` or `clawdi config set autoUpdate false`.
 | `clawdi mcp` | Start the MCP stdio server used by agents |
 
 Every command supports `--help`.
@@ -297,7 +330,7 @@ Common issues:
 - **No supported agent detected** - Install a supported agent or pass `--agent claude_code`, `--agent codex`, `--agent hermes`, or `--agent openclaw`.
 - **Memory search is empty** - Add a memory first with `clawdi memory add "..."`, then verify with `clawdi memory search "..."`.
 - **Local backend cannot start because `vector` is missing** - Install `pgvector` for your PostgreSQL 16 instance, or use the included Docker Compose database.
-- **Agent MCP tools look stale** - Run `clawdi setup --agent <type>` again and restart the agent.
+- **Agent MCP tools look stale** - Run `clawdi setup --agent <type>` again, then `clawdi daemon restart --all`.
 
 ## License