clementine-agent 1.1.2 → 1.1.3

package/dist/cli/index.js

@@ -1148,6 +1148,128 @@ async function cmdConfigMigrateToKeychain(opts) {
     console.log(`  ${DIM}choose Always Allow to make the prompt permanent.${RESET}`);
     console.log();
 }
+// ── Config migrate-from-keychain (inverse of migrate-to-keychain) ───
+async function cmdConfigMigrateFromKeychain(opts) {
+    const { planReverseMigration, applyReverseMigration } = await import('../config/migrate-from-keychain.js');
+    const DIM = '\x1b[0;90m';
+    const BOLD = '\x1b[1m';
+    const GREEN = '\x1b[0;32m';
+    const YELLOW = '\x1b[0;33m';
+    const RED = '\x1b[0;31m';
+    const CYAN = '\x1b[0;36m';
+    const RESET = '\x1b[0m';
+    const only = opts.key
+        ? opts.key.flatMap(k => k.split(',').map(s => s.trim()).filter(Boolean))
+        : undefined;
+    const plan = planReverseMigration(BASE_DIR, only ? { only } : {});
+    console.log();
+    console.log(`  ${BOLD}.env path:${RESET}  ${plan.envPath}`);
+    console.log();
+    const groups = {};
+    for (const c of plan.candidates)
+        (groups[c.status] ??= []).push(c);
+    const renderGroup = (label, color, items, showRef = false) => {
+        if (!items || items.length === 0)
+            return;
+        console.log(`  ${color}${label}${RESET} ${DIM}(${items.length})${RESET}`);
+        for (const c of items) {
+            const refTag = showRef && c.ref ? ` ${DIM}${c.ref}${RESET}` : '';
+            console.log(`    ${c.key}${refTag}`);
+        }
+        console.log();
+    };
+    renderGroup('Will migrate from keychain → .env', CYAN, groups.migrated);
+    renderGroup('Sensitive — left in keychain (correct)', DIM, groups['sensitive-skipped']);
+    renderGroup('Unresolvable refs (keychain entry missing)', RED, groups.unresolvable, true);
+    if (plan.toMigrate.length === 0) {
+        console.log(`  ${GREEN}Nothing to migrate.${RESET}`);
+        if (plan.unresolvable.length > 0) {
+            console.log(`  ${YELLOW}${plan.unresolvable.length} unresolvable ref(s) above — fix or delete by hand.${RESET}`);
+        }
+        console.log();
+        return;
+    }
+    if (opts.dryRun) {
+        console.log(`  ${YELLOW}Dry run — no changes written.${RESET}`);
+        console.log();
+        return;
+    }
+    console.log(`  ${BOLD}Applying...${RESET}`);
+    let result;
+    try {
+        result = applyReverseMigration(BASE_DIR, only ? { only } : {});
+    }
+    catch (err) {
+        console.error(`  ${RED}Failed:${RESET} ${err.message}`);
+        process.exit(1);
+    }
+    if (result.failed.length > 0) {
+        console.log(`  ${RED}Some keychain reads failed — .env was NOT modified:${RESET}`);
+        for (const f of result.failed)
+            console.log(`    ${RED}✗${RESET} ${f.key}: ${f.error}`);
+        console.log();
+        process.exit(1);
+    }
+    for (const key of result.migrated) {
+        console.log(`    ${GREEN}✓${RESET} ${key} ${DIM}→ .env (keychain entry deleted)${RESET}`);
+    }
+    console.log();
+    console.log(`  ${GREEN}Migrated ${result.migrated.length} key${result.migrated.length === 1 ? '' : 's'} out of keychain.${RESET}`);
+    console.log();
+}
+// ── Config keychain-fix-acl ─────────────────────────────────────────
+async function cmdConfigKeychainFixAcl(opts) {
+    const { listClementineKeychainEntries, fixAllClementineEntries } = await import('../config/keychain-fix-acl.js');
+    const DIM = '\x1b[0;90m';
+    const BOLD = '\x1b[1m';
+    const GREEN = '\x1b[0;32m';
+    const YELLOW = '\x1b[0;33m';
+    const RED = '\x1b[0;31m';
+    const RESET = '\x1b[0m';
+    const entries = listClementineKeychainEntries();
+    console.log();
+    console.log(`  ${BOLD}Found ${entries.length} clementine-agent keychain entr${entries.length === 1 ? 'y' : 'ies'}.${RESET}`);
+    for (const e of entries)
+        console.log(`    ${DIM}${e.account}${RESET}`);
+    console.log();
+    if (entries.length === 0) {
+        console.log(`  ${GREEN}Nothing to fix.${RESET}`);
+        console.log();
+        return;
+    }
+    if (opts.list) {
+        console.log(`  ${DIM}--list mode — no changes made. Drop the flag to apply.${RESET}`);
+        console.log();
+        return;
+    }
+    console.log(`  ${BOLD}Fixing ACLs...${RESET}`);
+    console.log(`  ${DIM}macOS may ask for your login keychain password (the system prompt — it DOES appear).${RESET}`);
+    console.log(`  ${DIM}You may also be asked to "Always Allow" — pick that.${RESET}`);
+    console.log();
+    const results = fixAllClementineEntries();
+    let okCount = 0;
+    let failCount = 0;
+    for (const r of results) {
+        if (r.status === 'fixed') {
+            console.log(`    ${GREEN}✓${RESET} ${r.account}`);
+            okCount++;
+        }
+        else {
+            console.log(`    ${RED}✗${RESET} ${r.account} ${DIM}— ${r.error}${RESET}`);
+            failCount++;
+        }
+    }
+    console.log();
+    if (failCount === 0) {
+        console.log(`  ${GREEN}All ${okCount} entries fixed.${RESET} ${DIM}Future reads via the security CLI succeed silently.${RESET}`);
+    }
+    else {
+        console.log(`  ${YELLOW}${okCount} fixed, ${failCount} failed.${RESET}`);
+        console.log(`  ${DIM}Failed entries can be fixed manually in Keychain Access.app:${RESET}`);
+        console.log(`  ${DIM}  search "clementine-agent" → double-click → Access Control → Allow all applications.${RESET}`);
+    }
+    console.log();
+}
 // ── Advisor commands ────────────────────────────────────────────────
 const ADVISOR_MODES = ['off', 'shadow', 'primary'];
 function readAdvisorMode() {
@@ -1802,6 +1924,21 @@ configCmd
     .action(async (opts) => {
     await cmdConfigMigrateToKeychain(opts);
 });
+configCmd
+    .command('migrate-from-keychain')
+    .description('Pull non-credential values OUT of keychain back to plaintext .env (only API keys belong in keychain)')
+    .option('--dry-run', 'Show what would migrate without writing anything')
+    .option('-k, --key <name...>', 'Limit to specific key(s); repeat or comma-separate for multiple')
+    .action(async (opts) => {
+    await cmdConfigMigrateFromKeychain(opts);
+});
+configCmd
+    .command('keychain-fix-acl')
+    .description('One-shot fix for clementine-agent keychain entries that prompt on every read (one master prompt then no more)')
+    .option('--list', 'List entries without changing anything')
+    .action(async (opts) => {
+    await cmdConfigKeychainFixAcl(opts);
+});
 configCmd
     .command('edit')
     .description('Open .env in your editor')

package/dist/config/effective-config.js

@@ -64,6 +64,8 @@ const refCache = new Map();
 function shellEscape(s) {
     return `'${s.replace(/'/g, "'\\''")}'`;
 }
+/** Hard cap per shell call — see config.ts for rationale. */
+const KEYCHAIN_TIMEOUT_MS = Math.max(500, parseInt(process.env.CLEMENTINE_KEYCHAIN_TIMEOUT_MS ?? '3000', 10) || 3000);
 function resolveRef(stub) {
     if (refCache.has(stub)) {
         const v = refCache.get(stub);
@@ -71,7 +73,7 @@ function resolveRef(stub) {
     }
     const account = stub.slice(KEYCHAIN_REF_PREFIX.length);
     try {
-        const result = execSync(`security find-generic-password -s clementine-agent -a ${shellEscape(account)} -w`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+        const result = execSync(`security find-generic-password -s clementine-agent -a ${shellEscape(account)} -w`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'], timeout: KEYCHAIN_TIMEOUT_MS }).trim();
         refCache.set(stub, result || null);
         return result || undefined;
     }

package/dist/config/keychain-fix-acl.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Bulk-fix the ACL on existing clementine-agent keychain entries.
+ *
+ * Why this exists: keychain entries created before commit 88cfd99 used
+ * `add-generic-password -T ''` which means NO apps are pre-approved to
+ * read. Every Clementine read triggered a per-app dialog that often
+ * didn't appear (hidden behind windows, dismissed silently, queued).
+ *
+ * The new keychain.set uses `-T /usr/bin/security` so future entries
+ * don't have this problem. For existing entries this module runs
+ *
+ *   security set-generic-password-partition-list \
+ *     -s clementine-agent -a <account> -S apple-tool:,apple:
+ *
+ * which adds Apple-signed tools (including /usr/bin/security itself)
+ * to the partition allowlist. Result: future reads via security
+ * succeed silently, no per-app dialog.
+ *
+ * The user is prompted for their LOGIN keychain password once per call
+ * (the macOS system prompt — the one that DOES reliably appear). After
+ * approving, all entries become readable without further prompts.
+ */
+export interface KeychainEntry {
+    account: string;
+}
+export interface AclFixResult {
+    account: string;
+    status: 'fixed' | 'failed';
+    error?: string;
+}
+/**
+ * Enumerate every clementine-agent keychain entry. Uses the dump-keychain
+ * grep approach since `security` doesn't expose a clean list-by-service.
+ * Read-only, no prompts.
+ */
+export declare function listClementineKeychainEntries(): KeychainEntry[];
+/**
+ * Add `apple-tool:,apple:` to the partition list of a given account.
+ *
+ * `security set-generic-password-partition-list` prompts on the controlling
+ * terminal — `password to unlock default:` — for the user's login keychain
+ * password. We must inherit stdio so the child can read from the parent's
+ * TTY; piped stdio causes security to consume an empty line and fail with
+ * "exit code null" / "wrong password."
+ *
+ * That means this function only works when called from an interactive shell.
+ * Callers in non-TTY contexts should fall back to instructing the user to
+ * run `clementine config keychain-fix-acl` from their own terminal.
+ */
+export declare function fixAcl(account: string): AclFixResult;
+/**
+ * Plan + apply: enumerate entries, fix each in turn. Returns per-entry
+ * results so the CLI can render a checklist.
+ */
+export declare function fixAllClementineEntries(): AclFixResult[];
+//# sourceMappingURL=keychain-fix-acl.d.ts.map

package/dist/config/keychain-fix-acl.js

@@ -0,0 +1,93 @@
+/**
+ * Bulk-fix the ACL on existing clementine-agent keychain entries.
+ *
+ * Why this exists: keychain entries created before commit 88cfd99 used
+ * `add-generic-password -T ''` which means NO apps are pre-approved to
+ * read. Every Clementine read triggered a per-app dialog that often
+ * didn't appear (hidden behind windows, dismissed silently, queued).
+ *
+ * The new keychain.set uses `-T /usr/bin/security` so future entries
+ * don't have this problem. For existing entries this module runs
+ *
+ *   security set-generic-password-partition-list \
+ *     -s clementine-agent -a <account> -S apple-tool:,apple:
+ *
+ * which adds Apple-signed tools (including /usr/bin/security itself)
+ * to the partition allowlist. Result: future reads via security
+ * succeed silently, no per-app dialog.
+ *
+ * The user is prompted for their LOGIN keychain password once per call
+ * (the macOS system prompt — the one that DOES reliably appear). After
+ * approving, all entries become readable without further prompts.
+ */
+import { execSync, spawnSync } from 'node:child_process';
+const SERVICE = 'clementine-agent';
+/**
+ * Enumerate every clementine-agent keychain entry. Uses the dump-keychain
+ * grep approach since `security` doesn't expose a clean list-by-service.
+ * Read-only, no prompts.
+ */
+export function listClementineKeychainEntries() {
+    try {
+        const out = execSync('/usr/bin/security dump-keychain 2>/dev/null', {
+            encoding: 'utf-8',
+            timeout: 5000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        const accounts = new Set();
+        // Lines look like:  "acct"<blob>="clementine-agent-DISCORD_TOKEN"
+        const re = /"acct"<blob>="(clementine-agent-[^"]+)"/g;
+        for (const m of out.matchAll(re)) {
+            accounts.add(m[1]);
+        }
+        return Array.from(accounts).sort().map(account => ({ account }));
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Add `apple-tool:,apple:` to the partition list of a given account.
+ *
+ * `security set-generic-password-partition-list` prompts on the controlling
+ * terminal — `password to unlock default:` — for the user's login keychain
+ * password. We must inherit stdio so the child can read from the parent's
+ * TTY; piped stdio causes security to consume an empty line and fail with
+ * "exit code null" / "wrong password."
+ *
+ * That means this function only works when called from an interactive shell.
+ * Callers in non-TTY contexts should fall back to instructing the user to
+ * run `clementine config keychain-fix-acl` from their own terminal.
+ */
+export function fixAcl(account) {
+    const result = spawnSync('/usr/bin/security', [
+        'set-generic-password-partition-list',
+        '-s', SERVICE,
+        '-a', account,
+        '-S', 'apple-tool:,apple:',
+    ], {
+        stdio: 'inherit',
+        timeout: 120_000, // 2min — generous since the user is typing per call
+    });
+    if (result.status === 0) {
+        return { account, status: 'fixed' };
+    }
+    return {
+        account,
+        status: 'failed',
+        error: result.error?.message ?? `exit code ${result.status}`,
+    };
+}
+/**
+ * Plan + apply: enumerate entries, fix each in turn. Returns per-entry
+ * results so the CLI can render a checklist.
+ */
+export function fixAllClementineEntries() {
+    const entries = listClementineKeychainEntries();
+    const results = [];
+    for (const entry of entries) {
+        results.push(fixAcl(entry.account));
+    }
+    return results;
+}
+//# sourceMappingURL=keychain-fix-acl.js.map

package/dist/config/migrate-from-keychain.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Inverse of migrate-keychain.ts: pulls non-credential values OUT of the
+ * macOS keychain and back into plaintext .env entries.
+ *
+ * Why this exists: an earlier env_set bug routed every value to keychain
+ * regardless of whether the key looked like a credential, producing stale
+ * keychain entries for things like TASK_BUDGET_HEARTBEAT (a token-count
+ * config knob, not a secret). Each one costs the user a keychain prompt
+ * for no benefit. This module reverses that mistake — and the user-rule
+ * "only actual API keys belong in keychain" stays enforced going forward
+ * by the env_set classifier fix in 897bb97.
+ *
+ * For each line in .env that holds a `keychain:` ref AND whose key does
+ * NOT match the sensitivity classifier:
+ *   1. Resolve via `security find-generic-password`
+ *   2. Replace the .env line with `KEY=<plaintext value>`
+ *   3. Delete the keychain entry
+ *
+ * Atomic: phase-1 reads + writes succeed in a temp file before the original
+ * .env is replaced via rename. Keychain deletes happen last, so a partial
+ * failure leaves the keychain entry intact (no data loss).
+ *
+ * Idempotent + opt-in: lines whose key IS credential-shaped pass through
+ * untouched even when stored as a keychain ref — we don't undo legitimate
+ * keychain storage. --key filter for surgical migrations.
+ */
+export type ReverseMigrationStatus = 'migrated' | 'sensitive-skipped' | 'not-keychain' | 'unresolvable' | 'skipped';
+export interface ReverseMigrationCandidate {
+    key: string;
+    status: ReverseMigrationStatus;
+    /** The keychain stub itself (always safe to log — it's just an account name). */
+    ref?: string;
+}
+export interface ReverseMigrationPlan {
+    envPath: string;
+    candidates: ReverseMigrationCandidate[];
+    /** Keys this run would migrate out of keychain. */
+    toMigrate: string[];
+    /** Refs that look bad — surfaced separately so doctor can flag them. */
+    unresolvable: string[];
+}
+export interface ReverseMigrationResult {
+    envPath: string;
+    migrated: string[];
+    failed: Array<{
+        key: string;
+        error: string;
+    }>;
+}
+/**
+ * Pure read + classify pass — no .env writes, no keychain deletes, but
+ * DOES make read-only `security find-generic-password` calls to detect
+ * unresolvable refs (and to verify resolvable ones won't fail later).
+ */
+export declare function planReverseMigration(baseDir: string, opts?: {
+    only?: string[];
+}): ReverseMigrationPlan;
+/**
+ * Apply the migration. Two phases:
+ *   1. Rewrite .env in a temp file, swapping each migrated ref for plaintext.
+ *      If anything throws, the original .env is untouched.
+ *   2. Atomically rename the temp file over .env.
+ *   3. Delete each migrated key's keychain entry. Best-effort — failure to
+ *      delete is logged but doesn't roll back the .env update (the value
+ *      is now safely in .env regardless).
+ */
+export declare function applyReverseMigration(baseDir: string, opts?: {
+    only?: string[];
+}): ReverseMigrationResult;
+//# sourceMappingURL=migrate-from-keychain.d.ts.map

package/dist/config/migrate-from-keychain.js

@@ -0,0 +1,173 @@
+/**
+ * Inverse of migrate-keychain.ts: pulls non-credential values OUT of the
+ * macOS keychain and back into plaintext .env entries.
+ *
+ * Why this exists: an earlier env_set bug routed every value to keychain
+ * regardless of whether the key looked like a credential, producing stale
+ * keychain entries for things like TASK_BUDGET_HEARTBEAT (a token-count
+ * config knob, not a secret). Each one costs the user a keychain prompt
+ * for no benefit. This module reverses that mistake — and the user-rule
+ * "only actual API keys belong in keychain" stays enforced going forward
+ * by the env_set classifier fix in 897bb97.
+ *
+ * For each line in .env that holds a `keychain:` ref AND whose key does
+ * NOT match the sensitivity classifier:
+ *   1. Resolve via `security find-generic-password`
+ *   2. Replace the .env line with `KEY=<plaintext value>`
+ *   3. Delete the keychain entry
+ *
+ * Atomic: phase-1 reads + writes succeed in a temp file before the original
+ * .env is replaced via rename. Keychain deletes happen last, so a partial
+ * failure leaves the keychain entry intact (no data loss).
+ *
+ * Idempotent + opt-in: lines whose key IS credential-shaped pass through
+ * untouched even when stored as a keychain ref — we don't undo legitimate
+ * keychain storage. --key filter for surgical migrations.
+ */
+import { existsSync, readFileSync, renameSync, writeFileSync } from 'node:fs';
+import path from 'node:path';
+import * as keychain from '../secrets/keychain.js';
+import { isSensitiveEnvKey } from '../secrets/sensitivity.js';
+const REF_PREFIX = 'keychain:'; // pragma: allowlist secret
+function parseLine(line) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#'))
+        return { raw: line, passthrough: true };
+    const eq = trimmed.indexOf('=');
+    if (eq === -1)
+        return { raw: line, passthrough: true };
+    const key = trimmed.slice(0, eq);
+    let value = trimmed.slice(eq + 1);
+    if ((value.startsWith('"') && value.endsWith('"')) ||
+        (value.startsWith("'") && value.endsWith("'"))) {
+        value = value.slice(1, -1);
+    }
+    return { raw: line, key, value, passthrough: false };
+}
+function refAccount(stub) {
+    return stub.slice(REF_PREFIX.length);
+}
+function tryResolveRef(stub) {
+    // Account names are stored under the well-known service "clementine-agent",
+    // and the stub is encoded as keychain:<service>-<envVar>. The actual
+    // keychain lookup uses the env-var name as the account label, which is
+    // also the suffix of the stub past the service prefix.
+    const account = refAccount(stub);
+    // The keychain `get(envVar)` helper expects just the env-var name; our
+    // stub format is `keychain:clementine-agent-<envVar>`, so strip the
+    // service prefix before delegating.
+    const SERVICE_PREFIX = 'clementine-agent-';
+    const envVar = account.startsWith(SERVICE_PREFIX) ? account.slice(SERVICE_PREFIX.length) : account;
+    return keychain.get(envVar);
+}
+/**
+ * Pure read + classify pass — no .env writes, no keychain deletes, but
+ * DOES make read-only `security find-generic-password` calls to detect
+ * unresolvable refs (and to verify resolvable ones won't fail later).
+ */
+export function planReverseMigration(baseDir, opts = {}) {
+    const envPath = path.join(baseDir, '.env');
+    if (!existsSync(envPath)) {
+        return { envPath, candidates: [], toMigrate: [], unresolvable: [] };
+    }
+    const raw = readFileSync(envPath, 'utf-8');
+    const onlySet = opts.only ? new Set(opts.only) : undefined;
+    const candidates = [];
+    const toMigrate = [];
+    const unresolvable = [];
+    for (const line of raw.split('\n')) {
+        const parsed = parseLine(line);
+        if (parsed.passthrough || !parsed.key || parsed.value === undefined)
+            continue;
+        if (onlySet && !onlySet.has(parsed.key)) {
+            candidates.push({ key: parsed.key, status: 'skipped' });
+            continue;
+        }
+        if (!parsed.value.startsWith(REF_PREFIX)) {
+            candidates.push({ key: parsed.key, status: 'not-keychain' });
+            continue;
+        }
+        if (isSensitiveEnvKey(parsed.key)) {
+            candidates.push({ key: parsed.key, status: 'sensitive-skipped', ref: parsed.value });
+            continue;
+        }
+        // Try to resolve. If unresolvable, surface separately — caller decides
+        // whether to delete the orphan stub.
+        const resolved = tryResolveRef(parsed.value);
+        if (resolved === undefined) {
+            candidates.push({ key: parsed.key, status: 'unresolvable', ref: parsed.value });
+            unresolvable.push(parsed.key);
+            continue;
+        }
+        candidates.push({ key: parsed.key, status: 'migrated', ref: parsed.value });
+        toMigrate.push(parsed.key);
+    }
+    return { envPath, candidates, toMigrate, unresolvable };
+}
+/**
+ * Apply the migration. Two phases:
+ *   1. Rewrite .env in a temp file, swapping each migrated ref for plaintext.
+ *      If anything throws, the original .env is untouched.
+ *   2. Atomically rename the temp file over .env.
+ *   3. Delete each migrated key's keychain entry. Best-effort — failure to
+ *      delete is logged but doesn't roll back the .env update (the value
+ *      is now safely in .env regardless).
+ */
+export function applyReverseMigration(baseDir, opts = {}) {
+    const envPath = path.join(baseDir, '.env');
+    const result = { envPath, migrated: [], failed: [] };
+    if (!existsSync(envPath))
+        return result;
+    const raw = readFileSync(envPath, 'utf-8');
+    const onlySet = opts.only ? new Set(opts.only) : undefined;
+    const lines = raw.split('\n');
+    const parsedLines = lines.map(parseLine);
+    // Phase 1: resolve every target via keychain (read-only). Bail before
+    // touching anything if any target is unresolvable — caller can rerun
+    // with --key to skip the bad ones.
+    const newValues = new Map();
+    for (const parsed of parsedLines) {
+        if (parsed.passthrough || !parsed.key || parsed.value === undefined)
+            continue;
+        if (onlySet && !onlySet.has(parsed.key))
+            continue;
+        if (!parsed.value.startsWith(REF_PREFIX))
+            continue;
+        if (isSensitiveEnvKey(parsed.key))
+            continue;
+        const resolved = tryResolveRef(parsed.value);
+        if (resolved === undefined) {
+            result.failed.push({ key: parsed.key, error: `keychain entry missing or unreadable for ${parsed.value}` });
+            continue;
+        }
+        newValues.set(parsed.key, resolved);
+    }
+    if (result.failed.length > 0)
+        return result;
+    if (newValues.size === 0)
+        return result;
+    // Phase 2: rewrite .env atomically.
+    const newLines = parsedLines.map((parsed) => {
+        if (parsed.passthrough || !parsed.key)
+            return parsed.raw;
+        const newValue = newValues.get(parsed.key);
+        if (newValue === undefined)
+            return parsed.raw;
+        return `${parsed.key}=${newValue}`;
+    });
+    const tmp = `${envPath}.${process.pid}.${Date.now()}.tmp`;
+    writeFileSync(tmp, newLines.join('\n'));
+    renameSync(tmp, envPath);
+    // Phase 3: best-effort keychain deletes.
+    for (const key of newValues.keys()) {
+        try {
+            keychain.remove(key);
+        }
+        catch {
+            /* keychain delete failure is non-fatal — the value is in .env now */
+        }
+        result.migrated.push(key);
+    }
+    return result;
+}
+//# sourceMappingURL=migrate-from-keychain.js.map

package/dist/config.js

@@ -60,6 +60,16 @@ const resolvedKeychainRefs = new Map();
 function isKeychainRef(value) {
     return typeof value === 'string' && value.startsWith(KEYCHAIN_REF_PREFIX);
 }
+/**
+ * Hard cap on each `security find-generic-password` shell call. The macOS
+ * keychain prompts the user for read access on first use of any entry created
+ * with restrictive ACL (`-T ''`). If the prompt doesn't appear (hidden behind
+ * a window, denied silently, or the user is afk), the call would otherwise
+ * block indefinitely — which means `clementine` and the daemon would hang at
+ * boot. Cap and fall through to the caller's default; the failure caches as
+ * null so we don't re-prompt this process. Override via env if needed.
+ */
+const KEYCHAIN_TIMEOUT_MS = Math.max(500, parseInt(env['CLEMENTINE_KEYCHAIN_TIMEOUT_MS'] ?? process.env.CLEMENTINE_KEYCHAIN_TIMEOUT_MS ?? '3000', 10) || 3000);
 function resolveKeychainRef(stub) {
     if (resolvedKeychainRefs.has(stub)) {
         const cached = resolvedKeychainRefs.get(stub);
@@ -69,7 +79,7 @@ function resolveKeychainRef(stub) {
     // is the account name under the well-known service "clementine-agent".
     const account = stub.slice(KEYCHAIN_REF_PREFIX.length);
     try {
-        const result = execSync(`security find-generic-password -s clementine-agent -a ${shellEscape(account)} -w`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+        const result = execSync(`security find-generic-password -s clementine-agent -a ${shellEscape(account)} -w`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'], timeout: KEYCHAIN_TIMEOUT_MS }).trim();
         resolvedKeychainRefs.set(stub, result || null);
         return result || undefined;
     }
@@ -158,7 +168,7 @@ function getSecret(envKey, keychainService) {
         return local;
     const service = keychainService ?? ASSISTANT_NAME.toLowerCase();
     try {
-        const result = execSync(`security find-generic-password -s ${shellEscape(service)} -a ${shellEscape(envKey)} -w`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+        const result = execSync(`security find-generic-password -s ${shellEscape(service)} -a ${shellEscape(envKey)} -w`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'], timeout: KEYCHAIN_TIMEOUT_MS });
         return result.trim();
     }
     catch {

package/dist/gateway/cron-scheduler.d.ts

@@ -32,6 +32,25 @@ export declare function parseAgentCronJobs(agentsDir: string): CronJobDefinition
  * Returns null on success, or the error message on failure.
  */
 export declare function validateCronYaml(content: string): string | null;
+/**
+ * Detect duplicate job definitions across the global CRON.md and agent-scoped
+ * CRON.md files. A "duplicate" is a global job tagged with `agentSlug: X`
+ * whose bare name matches a job defined in `agents/X/CRON.md` — i.e. the same
+ * conceptual job exists in two places, usually with diverged prompts.
+ *
+ * Returns a list of warnings; pure function, safe to call from any surface.
+ * The scheduler logs these on every reload so the user sees them on first
+ * boot AND on every CRON.md edit.
+ */
+export interface DuplicateJobWarning {
+    bareName: string;
+    agentSlug: string;
+    globalJobName: string;
+    agentJobName: string;
+    /** Diverged fields between the two definitions, for actionable reporting. */
+    divergedFields: string[];
+}
+export declare function findDuplicateJobDefinitions(globalJobs: CronJobDefinition[], agentJobs: CronJobDefinition[]): DuplicateJobWarning[];
 export declare function classifyError(err: unknown): 'transient' | 'permanent';
 /**
  * Classify a TerminalReason from the SDK into a retry strategy.

package/dist/gateway/cron-scheduler.js

@@ -193,6 +193,43 @@ export function validateCronYaml(content) {
         return err instanceof Error ? err.message : String(err);
     }
 }
+export function findDuplicateJobDefinitions(globalJobs, agentJobs) {
+    const warnings = [];
+    // Index agent jobs by `${slug}:${bareName}` (which is how parseAgentCronJobs
+    // names them). For each global job with an agentSlug, look up the
+    // corresponding agent-scoped name.
+    const agentByName = new Map();
+    for (const a of agentJobs)
+        agentByName.set(a.name, a);
+    for (const g of globalJobs) {
+        if (!g.agentSlug)
+            continue;
+        const expected = `${g.agentSlug}:${g.name}`;
+        const a = agentByName.get(expected);
+        if (!a)
+            continue;
+        // Found a duplicate. Compute diverged fields so the warning is actionable.
+        const diverged = [];
+        const compare = [
+            'schedule', 'enabled', 'tier', 'mode', 'maxHours', 'maxTurns',
+            'workDir', 'prompt', 'preCheck',
+        ];
+        for (const f of compare) {
+            const gv = g[f];
+            const av = a[f];
+            if (JSON.stringify(gv) !== JSON.stringify(av))
+                diverged.push(f);
+        }
+        warnings.push({
+            bareName: g.name,
+            agentSlug: g.agentSlug,
+            globalJobName: g.name,
+            agentJobName: a.name,
+            divergedFields: diverged,
+        });
+    }
+    return warnings;
+}
 // ── Retry / backoff ──────────────────────────────────────────────────
 /** Exponential backoff schedule in ms: 30s, 1m, 5m, 15m, 60m */
 const BACKOFF_MS = [30_000, 60_000, 300_000, 900_000, 3_600_000];
@@ -425,10 +462,21 @@ export class CronScheduler {
     }
     /** Load job definitions from CRON.md and agent dirs without scheduling tasks. */
     loadJobDefinitions() {
-        this.jobs = parseCronJobs();
+        const globalJobs = parseCronJobs();
         const agentJobs = parseAgentCronJobs(AGENTS_DIR);
-        if (agentJobs.length > 0) {
-            this.jobs.push(...agentJobs);
+        this.jobs = [...globalJobs, ...agentJobs];
+        // Surface duplicate definitions loud — these are footguns where the same
+        // conceptual job is defined in both global and agent-scoped CRON.md, often
+        // with diverged prompts. The user usually wants one of them deleted.
+        const dupes = findDuplicateJobDefinitions(globalJobs, agentJobs);
+        for (const d of dupes) {
+            logger.warn({
+                bareName: d.bareName,
+                agentSlug: d.agentSlug,
+                globalJob: d.globalJobName,
+                agentJob: d.agentJobName,
+                divergedFields: d.divergedFields,
+            }, `Duplicate cron definition: '${d.bareName}' is defined in both global CRON.md (with agentSlug=${d.agentSlug}) and agents/${d.agentSlug}/CRON.md. Consolidate to avoid confusion — pick one and delete the other.`);
         }
     }
     /** Register a listener that fires when system state changes (job start/finish, self-improve, etc). */

package/dist/secrets/keychain.js

@@ -54,14 +54,20 @@ export function set(envVar, value) {
         throw new Error('Keychain unavailable on this platform');
     }
     const account = `${SERVICE_NAME}-${envVar}`;
-    // -U updates existing entry in place; -s = service; -a = account; -w = password
+    // -U updates existing entry in place; -s = service; -a = account; -w = password.
+    // -T /usr/bin/security pre-approves the `security` CLI itself — that's what
+    // every Clementine read goes through, so reads via clementine/the daemon
+    // don't produce a per-process keychain dialog. Without this flag, every
+    // node process that reads the entry would block on a UI prompt that may
+    // never appear (hidden behind windows, dismissed silently, etc.) — which
+    // is the bug that motivated this change.
     const result = spawnSync('/usr/bin/security', [
         'add-generic-password',
         '-U',
         '-s', SERVICE_NAME,
         '-a', account,
         '-w', value,
-        '-T', '', // no apps pre-approved — will prompt on first read; user can approve for login session
+        '-T', '/usr/bin/security',
         '-l', `Clementine: ${envVar}`,
     ], { stdio: 'pipe' });
     if (result.status !== 0) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clementine-agent",
-  "version": "1.1.2",
+  "version": "1.1.3",
   "description": "Clementine — Personal AI Assistant (TypeScript)",
   "type": "module",
   "main": "dist/index.js",