npm - clementine-agent - Versions diffs - 1.1.12 → 1.1.14 - Mend

clementine-agent 1.1.12 → 1.1.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/agent/advisor-rules/context.js +11 -2
package/dist/cli/index.js +73 -3
package/dist/config/harden-permissions.d.ts +52 -0
package/dist/config/harden-permissions.js +181 -0
package/package.json +1 -1

package/dist/agent/advisor-rules/context.js CHANGED Viewed

@@ -10,8 +10,17 @@
  * data pipeline is identical and any divergence is purely rule-evaluation.
  */
 import { CronRunLog } from '../../gateway/cron-scheduler.js';
-import { CIRCUIT_BREAKER_COOLDOWN_MS as _COOLDOWN_MS, DEFAULT_MAX_TURNS_FALLBACK, DEFAULT_TIMEOUT_MS, MAX_TIMEOUT_MS, TIER_MAX_TURNS, getInterventionStats, readReflections, } from '../execution-advisor.js';
-void _COOLDOWN_MS; // currently encoded as a literal in builtin YAMLs; re-export hook
+import { DEFAULT_MAX_TURNS_FALLBACK, DEFAULT_TIMEOUT_MS, MAX_TIMEOUT_MS, TIER_MAX_TURNS, getInterventionStats, readReflections, } from '../execution-advisor.js';
+// NOTE: Phase 9c (commit 4451f36) made execution-advisor.ts static-import
+// THIS module, creating a circular dep. The previous module-init line
+// `void CIRCUIT_BREAKER_COOLDOWN_MS as _COOLDOWN_MS` was deferring access
+// in source comment terms but actually FORCED a TDZ access at context.ts
+// module-init — which is BEFORE execution-advisor.ts has reached line 38
+// where the const is declared. That produced "Cannot access '_COOLDOWN_MS'
+// before initialization" errors on every cron run after Phase 9c shipped.
+// Removed the import + the void line. The cooldown duration is encoded as
+// a literal in the builtin YAML rules, so this module never actually
+// needed the constant — the import was documentation noise.
 /**
  * Build a fresh RuleContext for a job. Pass an existing `advice` if you want
  * to mutate it (e.g. shadow mode passes a clone so the TS path's advice is

package/dist/cli/index.js CHANGED Viewed

@@ -899,7 +899,10 @@ function cmdConfigSet(key, value) {
     else {
         content = content.trimEnd() + `\n${upperKey}=${value}\n`;
     }
-    writeFileSync(ENV_PATH, content);
+    // Mode 0o600 — credentials live here; never world-readable. Phase 12
+    // hardening also fixes pre-existing .env files via `clementine config
+    // harden-permissions`.
+    writeFileSync(ENV_PATH, content, { mode: 0o600 });
     console.log(`  Set ${upperKey}=${value}`);
 }
 function cmdConfigGet(key) {
@@ -1217,6 +1220,65 @@ async function cmdConfigMigrateFromKeychain(opts) {
     console.log(`  ${GREEN}Migrated ${result.migrated.length} key${result.migrated.length === 1 ? '' : 's'} out of keychain.${RESET}`);
     console.log();
 }
+// ── Config harden-permissions ────────────────────────────────────────
+async function cmdConfigHardenPermissions(opts) {
+    const { hardenPermissions } = await import('../config/harden-permissions.js');
+    const report = hardenPermissions(BASE_DIR, { dryRun: opts.dryRun });
+    if (opts.json) {
+        console.log(JSON.stringify(report, null, 2));
+        process.exit(report.failed > 0 ? 1 : 0);
+    }
+    const DIM = '\x1b[0;90m';
+    const BOLD = '\x1b[1m';
+    const GREEN = '\x1b[0;32m';
+    const YELLOW = '\x1b[0;33m';
+    const RED = '\x1b[0;31m';
+    const CYAN = '\x1b[0;36m';
+    const RESET = '\x1b[0m';
+    console.log();
+    console.log(`  ${BOLD}Data home:${RESET}  ${report.baseDir}`);
+    console.log(`  ${BOLD}Mode:${RESET}        ${opts.dryRun ? `${YELLOW}dry run${RESET}` : `${GREEN}apply${RESET}`}`);
+    console.log();
+    console.log(`  ${BOLD}Scanned:${RESET}         ${report.scanned}`);
+    console.log(`  ${GREEN}Tightened:${RESET}       ${report.tightened}`);
+    console.log(`  ${DIM}Already correct:${RESET} ${report.alreadyCorrect}`);
+    console.log(`  ${DIM}Skipped:${RESET}         ${report.skipped}`);
+    if (report.failed > 0) {
+        console.log(`  ${RED}Failed:${RESET}          ${report.failed}`);
+    }
+    console.log();
+    // Show first ~20 tightened entries — enough to see the shape without flooding
+    const tightened = report.entries.filter(e => e.status === 'tightened').slice(0, 20);
+    if (tightened.length > 0) {
+        console.log(`  ${BOLD}${opts.dryRun ? 'Would tighten' : 'Tightened'} (showing first ${tightened.length}):${RESET}`);
+        for (const e of tightened) {
+            const rel = e.path.startsWith(report.baseDir + '/') ? e.path.slice(report.baseDir.length + 1) : e.path;
+            const kindTag = e.kind === 'directory' ? `${CYAN}d${RESET}` : `${DIM}-${RESET}`;
+            console.log(`    ${kindTag} ${e.beforeMode} ${DIM}→${RESET} ${GREEN}${e.afterMode}${RESET}  ${rel}`);
+        }
+        if (report.tightened > tightened.length) {
+            console.log(`    ${DIM}... ${report.tightened - tightened.length} more${RESET}`);
+        }
+        console.log();
+    }
+    const failed = report.entries.filter(e => e.status === 'failed').slice(0, 10);
+    if (failed.length > 0) {
+        console.log(`  ${RED}${BOLD}Failed:${RESET}`);
+        for (const e of failed) {
+            console.log(`    ${RED}✗${RESET} ${e.path} — ${e.error ?? 'unknown'}`);
+        }
+        console.log();
+    }
+    if (opts.dryRun) {
+        console.log(`  ${DIM}Re-run without --dry-run to apply.${RESET}`);
+        console.log();
+    }
+    else if (report.tightened > 0) {
+        console.log(`  ${GREEN}Done.${RESET} ${DIM}Re-run \`clementine config doctor\` to confirm permissions are now correct.${RESET}`);
+        console.log();
+    }
+    process.exit(report.failed > 0 ? 1 : 0);
+}
 // ── Config keychain-fix-acl ─────────────────────────────────────────
 async function cmdConfigKeychainFixAcl(opts) {
     const { listClementineKeychainEntries, fixAllClementineEntries } = await import('../config/keychain-fix-acl.js');
@@ -2004,6 +2066,14 @@ configCmd
     .action(async (opts) => {
     await cmdConfigKeychainFixAcl(opts);
 });
+configCmd
+    .command('harden-permissions')
+    .description('Tighten file modes in ~/.clementine/ — files to 0600, directories to 0700')
+    .option('--dry-run', 'Preview without changing anything')
+    .option('--json', 'Emit machine-readable JSON')
+    .action(async (opts) => {
+    await cmdConfigHardenPermissions(opts);
+});
 configCmd
     .command('edit')
     .description('Open .env in your editor')
@@ -2229,10 +2299,10 @@ async function cmdUpdate(options) {
     console.log(`  ${S()} Backing up config...`);
     if (!options.dryRun) {
         mkdirSync(backupDir, { recursive: true });
-        // .env
+        // .env (mode 0o600 — backup carries credentials, same protection as live file)
         if (existsSync(ENV_PATH)) {
             const envContent = readFileSync(ENV_PATH, 'utf-8');
-            writeFileSync(path.join(backupDir, '.env'), envContent);
+            writeFileSync(path.join(backupDir, '.env'), envContent, { mode: 0o600 });
         }
         // Cron state
         const cronStateFile = path.join(BASE_DIR, '.cron_last_run.json');

package/dist/config/harden-permissions.d.ts ADDED Viewed

@@ -0,0 +1,52 @@
+/**
+ * Tighten file modes on the Clementine data home.
+ *
+ * Walks ~/.clementine/ (or any baseDir) and:
+ *   - Sets every regular file to mode 0600 (owner read/write only)
+ *   - Sets every directory to mode 0700 (owner traverse only)
+ *
+ * Why: state files live alongside `credentials.json` and `.env`. Even
+ * after Phase 9b's outbound redaction, contents on disk include
+ * conversation transcripts, advisor LLM outputs, cron run logs, full
+ * Discord/Slack message snippets, etc. Default umask 022 leaves all of
+ * those world-readable; on a single-user laptop the practical risk is
+ * Time Machine backup exposure and any process running as the user.
+ *
+ * Pure: returns a result describing what was tightened, what was already
+ * correct, and what failed (e.g. permission denied if user wasn't owner).
+ * Caller decides whether to print, JSON-stringify, or act on the result.
+ *
+ * Idempotent: re-running on an already-hardened tree is a no-op (every
+ * entry returns "already correct"). chmod is the cheapest syscall —
+ * even a 1000-file tree completes in milliseconds.
+ *
+ * Skip list: a few entries are intentionally NOT touched:
+ *   - Symlinks (chmod follows symlinks; could escalate elsewhere). We
+ *     check via lstat and skip non-files/non-dirs.
+ *   - Files we don't own (chmod will fail; we capture the failure in
+ *     the report rather than crashing).
+ */
+export type HardenStatus = 'tightened' | 'already-correct' | 'skipped' | 'failed';
+export interface HardenEntry {
+    path: string;
+    kind: 'file' | 'directory' | 'other';
+    beforeMode: string;
+    afterMode: string;
+    status: HardenStatus;
+    error?: string;
+}
+export interface HardenReport {
+    baseDir: string;
+    scanned: number;
+    tightened: number;
+    alreadyCorrect: number;
+    skipped: number;
+    failed: number;
+    /** Per-entry detail. Cap at 50 in printable form to keep output sane;
+     *  full list available in the JSON output. */
+    entries: HardenEntry[];
+}
+export declare function hardenPermissions(baseDir: string, opts?: {
+    dryRun?: boolean;
+}): HardenReport;
+//# sourceMappingURL=harden-permissions.d.ts.map

package/dist/config/harden-permissions.js ADDED Viewed

@@ -0,0 +1,181 @@
+/**
+ * Tighten file modes on the Clementine data home.
+ *
+ * Walks ~/.clementine/ (or any baseDir) and:
+ *   - Sets every regular file to mode 0600 (owner read/write only)
+ *   - Sets every directory to mode 0700 (owner traverse only)
+ *
+ * Why: state files live alongside `credentials.json` and `.env`. Even
+ * after Phase 9b's outbound redaction, contents on disk include
+ * conversation transcripts, advisor LLM outputs, cron run logs, full
+ * Discord/Slack message snippets, etc. Default umask 022 leaves all of
+ * those world-readable; on a single-user laptop the practical risk is
+ * Time Machine backup exposure and any process running as the user.
+ *
+ * Pure: returns a result describing what was tightened, what was already
+ * correct, and what failed (e.g. permission denied if user wasn't owner).
+ * Caller decides whether to print, JSON-stringify, or act on the result.
+ *
+ * Idempotent: re-running on an already-hardened tree is a no-op (every
+ * entry returns "already correct"). chmod is the cheapest syscall —
+ * even a 1000-file tree completes in milliseconds.
+ *
+ * Skip list: a few entries are intentionally NOT touched:
+ *   - Symlinks (chmod follows symlinks; could escalate elsewhere). We
+ *     check via lstat and skip non-files/non-dirs.
+ *   - Files we don't own (chmod will fail; we capture the failure in
+ *     the report rather than crashing).
+ */
+import { readdirSync, lstatSync, chmodSync } from 'node:fs';
+import path from 'node:path';
+const FILE_TARGET = 0o600;
+const DIR_TARGET = 0o700;
+function octal(mode) {
+    return (mode & 0o777).toString(8).padStart(3, '0');
+}
+/**
+ * Walk a directory tree iteratively (not recursively — no stack-blow risk
+ * on deep vault trees). Returns absolute paths.
+ */
+function walk(root) {
+    const out = [];
+    const stack = [root];
+    while (stack.length > 0) {
+        const dir = stack.pop();
+        let entries;
+        try {
+            entries = readdirSync(dir);
+        }
+        catch {
+            continue; // unreadable dir — caller will see it as skipped
+        }
+        for (const name of entries) {
+            const full = path.join(dir, name);
+            try {
+                const st = lstatSync(full);
+                if (st.isSymbolicLink())
+                    continue; // never follow
+                if (st.isDirectory()) {
+                    out.push(full);
+                    stack.push(full);
+                }
+                else if (st.isFile()) {
+                    out.push(full);
+                }
+            }
+            catch {
+                // stat failed — skip
+            }
+        }
+    }
+    return out;
+}
+export function hardenPermissions(baseDir, opts = {}) {
+    const report = {
+        baseDir,
+        scanned: 0,
+        tightened: 0,
+        alreadyCorrect: 0,
+        skipped: 0,
+        failed: 0,
+        entries: [],
+    };
+    // Always include baseDir itself in the walk
+    let baseSt;
+    try {
+        baseSt = lstatSync(baseDir);
+    }
+    catch (err) {
+        report.entries.push({
+            path: baseDir,
+            kind: 'other',
+            beforeMode: '???',
+            afterMode: '???',
+            status: 'failed',
+            error: `baseDir not accessible: ${String(err).slice(0, 100)}`,
+        });
+        report.failed++;
+        return report;
+    }
+    if (!baseSt.isDirectory()) {
+        report.entries.push({
+            path: baseDir,
+            kind: 'other',
+            beforeMode: octal(baseSt.mode),
+            afterMode: octal(baseSt.mode),
+            status: 'skipped',
+            error: 'baseDir is not a directory',
+        });
+        report.skipped++;
+        return report;
+    }
+    const all = [baseDir, ...walk(baseDir)];
+    for (const p of all) {
+        let st;
+        try {
+            st = lstatSync(p);
+        }
+        catch (err) {
+            report.entries.push({
+                path: p,
+                kind: 'other',
+                beforeMode: '???',
+                afterMode: '???',
+                status: 'failed',
+                error: String(err).slice(0, 100),
+            });
+            report.failed++;
+            continue;
+        }
+        report.scanned++;
+        const beforeMode = octal(st.mode);
+        let kind = 'other';
+        let target = null;
+        if (st.isDirectory()) {
+            kind = 'directory';
+            target = DIR_TARGET;
+        }
+        else if (st.isFile()) {
+            kind = 'file';
+            target = FILE_TARGET;
+        }
+        if (target === null) {
+            // Sockets, FIFOs, devices, etc. — leave alone.
+            report.entries.push({
+                path: p, kind, beforeMode, afterMode: beforeMode, status: 'skipped',
+            });
+            report.skipped++;
+            continue;
+        }
+        if ((st.mode & 0o777) === target) {
+            report.entries.push({
+                path: p, kind, beforeMode, afterMode: beforeMode, status: 'already-correct',
+            });
+            report.alreadyCorrect++;
+            continue;
+        }
+        if (opts.dryRun) {
+            report.entries.push({
+                path: p, kind, beforeMode, afterMode: octal(target), status: 'tightened',
+            });
+            report.tightened++;
+            continue;
+        }
+        try {
+            chmodSync(p, target);
+            report.entries.push({
+                path: p, kind, beforeMode, afterMode: octal(target), status: 'tightened',
+            });
+            report.tightened++;
+        }
+        catch (err) {
+            report.entries.push({
+                path: p, kind, beforeMode, afterMode: beforeMode, status: 'failed',
+                error: String(err).slice(0, 100),
+            });
+            report.failed++;
+        }
+    }
+    return report;
+}
+//# sourceMappingURL=harden-permissions.js.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "clementine-agent",
-  "version": "1.1.12",
+  "version": "1.1.14",
   "description": "Clementine — Personal AI Assistant (TypeScript)",
   "type": "module",
   "main": "dist/index.js",