npm - clementine-agent - Versions diffs - 1.1.29 → 1.1.31 - Mend

clementine-agent 1.1.29 → 1.1.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli/index.js +37 -10
package/dist/config/keychain-first-run-wizard.d.ts +26 -0
package/dist/config/keychain-first-run-wizard.js +115 -0
package/package.json +1 -1

package/dist/cli/index.js CHANGED Viewed

@@ -155,7 +155,7 @@ function ensureDataHome() {
     }
 }
 // ── Commands ─────────────────────────────────────────────────────────
-function cmdLaunch(options) {
+async function cmdLaunch(options) {
     if (options.uninstall) {
         if (process.platform === 'darwin') {
             const plistPath = getLaunchdPlistPath();
@@ -197,6 +197,22 @@ function cmdLaunch(options) {
         }
         return;
     }
+    // Ensure data home exists so the wizard's sentinel write lands somewhere,
+    // then run the one-time keychain ACL repair wizard if applicable. This
+    // happens before --install so the launchd-spawned daemon (no TTY) inherits
+    // already-repaired entries; before --foreground so the user sees the
+    // prompt; and before the daemon spawn for the same reason.
+    ensureDataHome();
+    if (!options.skipWizard) {
+        try {
+            const { runFirstRunKeychainWizardIfNeeded } = await import('../config/keychain-first-run-wizard.js');
+            await runFirstRunKeychainWizardIfNeeded(BASE_DIR);
+        }
+        catch (err) {
+            // Wizard failure must never block launch — log and continue.
+            console.error(`  ${'\x1b[0;90m'}keychain wizard skipped: ${err.message}${'\x1b[0m'}`);
+        }
+    }
     if (options.install) {
         if (process.platform === 'darwin') {
             const plistPath = getLaunchdPlistPath();
@@ -414,7 +430,7 @@ async function cmdRestart(options) {
         }
     }
     catch { /* dashboard module may not be available */ }
-    cmdLaunch({ foreground: options.foreground });
+    await cmdLaunch({ foreground: options.foreground });
     if (dashboardWasRunning) {
         try {
             const { spawn: spawnProc } = await import('node:child_process');
@@ -1317,6 +1333,7 @@ async function cmdConfigHardenPermissions(opts) {
 // ── Config keychain-fix-acl ─────────────────────────────────────────
 async function cmdConfigKeychainFixAcl(opts) {
     const { listClementineKeychainEntries, fixAllClementineEntries } = await import('../config/keychain-fix-acl.js');
+    const { markKeychainWizardDone } = await import('../config/keychain-first-run-wizard.js');
     const DIM = '\x1b[0;90m';
     const BOLD = '\x1b[1m';
     const GREEN = '\x1b[0;32m';
@@ -1332,6 +1349,8 @@ async function cmdConfigKeychainFixAcl(opts) {
     if (entries.length === 0) {
         console.log(`  ${GREEN}Nothing to fix.${RESET}`);
         console.log();
+        // No entries means the launch wizard has nothing to do either.
+        markKeychainWizardDone(BASE_DIR);
         return;
     }
     if (opts.list) {
@@ -1365,6 +1384,9 @@ async function cmdConfigKeychainFixAcl(opts) {
         console.log(`  ${DIM}Failed entries can be fixed manually in Keychain Access.app:${RESET}`);
         console.log(`  ${DIM}  search "clementine-agent" → double-click → Access Control → Allow all applications.${RESET}`);
     }
+    // Always mark the launch wizard satisfied — user has explicitly decided
+    // to deal with this via the manual command.
+    markKeychainWizardDone(BASE_DIR);
     console.log();
 }
 // ── Analytics ────────────────────────────────────────────────────────
@@ -3144,13 +3166,15 @@ async function cmdUpdate(options) {
             console.log(`  ${GREEN}OK${RESET}  Daemon stopped`);
         }
     }
-    // Helper: if update fails after stopping daemon, relaunch before exiting
-    function failAndRestart(backupDir) {
+    // Helper: if update fails after stopping daemon, relaunch before exiting.
+    // Runs cmdLaunch with skipWizard so it doesn't try to prompt mid-recovery —
+    // the wizard, if needed, fires on the user's next intentional `clementine launch`.
+    async function failAndRestart(backupDir) {
         if (wasRunning) {
             console.log();
             console.log(`  Restarting daemon (was running before update)...`);
             try {
-                cmdLaunch({});
+                await cmdLaunch({ skipWizard: true });
                 console.log(`  ${GREEN}OK${RESET}  Daemon restarted`);
             }
             catch {
@@ -3242,7 +3266,7 @@ async function cmdUpdate(options) {
             }
             catch { /* best effort */ }
         }
-        failAndRestart(backupDir);
+        await failAndRestart(backupDir);
     }
     // 6. npm install
     console.log(`  ${S()} Installing dependencies...`);
@@ -3255,7 +3279,7 @@ async function cmdUpdate(options) {
     }
     catch (err) {
         console.error(`  ${RED}FAIL${RESET}  npm install failed: ${String(err).slice(0, 200)}`);
-        failAndRestart(backupDir);
+        await failAndRestart(backupDir);
     }
     // 6b. Rebuild native modules (better-sqlite3) for current Node version
     try {
@@ -3347,7 +3371,7 @@ async function cmdUpdate(options) {
         }
         catch (retryErr) {
             console.error(`  ${RED}FAIL${RESET}  Build failed after update: ${String(retryErr).slice(0, 200)}`);
-            failAndRestart(backupDir);
+            await failAndRestart(backupDir);
         }
     }
     // 7b. Verify build output is fresh
@@ -3363,7 +3387,7 @@ async function cmdUpdate(options) {
             }
             catch (err) {
                 console.error(`  ${RED}FAIL${RESET}  Clean rebuild failed: ${String(err).slice(0, 200)}`);
-                failAndRestart(backupDir);
+                await failAndRestart(backupDir);
             }
         }
     }
@@ -3615,7 +3639,10 @@ async function cmdUpdate(options) {
         // Ensure build output is fully flushed before spawning new process
         execSync('sync', { stdio: 'pipe' });
         console.log(`  ${S()} Restarting daemon...`);
-        cmdLaunch({});
+        // Let the keychain wizard fire here too — for users on launchd who only
+        // ever run `clementine update` (the daemon respawns automatically), this
+        // is their one chance to see the prompt and repair legacy ACLs.
+        await cmdLaunch({});
     }
     // 13. Post-restart health check — verify daemon started and channels connected
     if (options.restart || wasRunning) {

package/dist/config/keychain-first-run-wizard.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * One-time interactive wizard that repairs ACLs on legacy clementine-agent
+ * keychain entries during `clementine launch`.
+ *
+ * Why this exists: entries written before commit 88cfd99 used
+ * `add-generic-password -T ''` (no apps pre-approved), so every Clementine
+ * read would trigger a per-app approval dialog. Newer writes use
+ * `-T /usr/bin/security` and read silently. Existing users have legacy
+ * entries that need a one-time partition-list repair to stop the prompt
+ * cascade.
+ *
+ * The manual fix is `clementine config keychain-fix-acl`. This wizard runs
+ * the same fix automatically on the next `clementine launch` (where we
+ * know we have a TTY for the macOS login-keychain password prompt), then
+ * writes a sentinel so we never prompt again on this machine.
+ *
+ * Skipped when:
+ *   - non-darwin platform (no keychain),
+ *   - non-TTY stdin (launchd, systemd, CI — no way to prompt),
+ *   - sentinel already exists (already offered + decided),
+ *   - no clementine-agent entries exist (nothing to repair).
+ */
+/** Write the sentinel so the wizard skips on subsequent launches. */
+export declare function markKeychainWizardDone(baseDir: string): void;
+export declare function runFirstRunKeychainWizardIfNeeded(baseDir: string): Promise<void>;
+//# sourceMappingURL=keychain-first-run-wizard.d.ts.map

package/dist/config/keychain-first-run-wizard.js ADDED Viewed

@@ -0,0 +1,115 @@
+/**
+ * One-time interactive wizard that repairs ACLs on legacy clementine-agent
+ * keychain entries during `clementine launch`.
+ *
+ * Why this exists: entries written before commit 88cfd99 used
+ * `add-generic-password -T ''` (no apps pre-approved), so every Clementine
+ * read would trigger a per-app approval dialog. Newer writes use
+ * `-T /usr/bin/security` and read silently. Existing users have legacy
+ * entries that need a one-time partition-list repair to stop the prompt
+ * cascade.
+ *
+ * The manual fix is `clementine config keychain-fix-acl`. This wizard runs
+ * the same fix automatically on the next `clementine launch` (where we
+ * know we have a TTY for the macOS login-keychain password prompt), then
+ * writes a sentinel so we never prompt again on this machine.
+ *
+ * Skipped when:
+ *   - non-darwin platform (no keychain),
+ *   - non-TTY stdin (launchd, systemd, CI — no way to prompt),
+ *   - sentinel already exists (already offered + decided),
+ *   - no clementine-agent entries exist (nothing to repair).
+ */
+import { existsSync, writeFileSync } from 'node:fs';
+import path from 'node:path';
+import readline from 'node:readline/promises';
+import { stdin as input, stdout as output } from 'node:process';
+const SENTINEL_FILE = '.keychain-acl-wizard-done';
+function sentinelPath(baseDir) {
+    return path.join(baseDir, SENTINEL_FILE);
+}
+/** Write the sentinel so the wizard skips on subsequent launches. */
+export function markKeychainWizardDone(baseDir) {
+    try {
+        writeFileSync(sentinelPath(baseDir), new Date().toISOString() + '\n');
+    }
+    catch {
+        // Best-effort. If we can't write the sentinel the user gets re-prompted
+        // next launch — annoying but not broken.
+    }
+}
+export async function runFirstRunKeychainWizardIfNeeded(baseDir) {
+    if (process.platform !== 'darwin')
+        return;
+    if (!input.isTTY)
+        return;
+    if (existsSync(sentinelPath(baseDir)))
+        return;
+    const { listClementineKeychainEntries, fixAllClementineEntries } = await import('./keychain-fix-acl.js');
+    const entries = listClementineKeychainEntries().filter((e) => e.isClementine);
+    if (entries.length === 0) {
+        // Nothing to fix — write sentinel so we don't re-scan every launch.
+        markKeychainWizardDone(baseDir);
+        return;
+    }
+    const DIM = '\x1b[0;90m';
+    const BOLD = '\x1b[1m';
+    const YELLOW = '\x1b[0;33m';
+    const GREEN = '\x1b[0;32m';
+    const RED = '\x1b[0;31m';
+    const RESET = '\x1b[0m';
+    console.log();
+    console.log(`  ${BOLD}One-time keychain setup${RESET}`);
+    console.log(`  ${DIM}${entries.length} keychain entr${entries.length === 1 ? 'y' : 'ies'} from a previous version need an${RESET}`);
+    console.log(`  ${DIM}access-control update so Clementine can read them${RESET}`);
+    console.log(`  ${DIM}silently — otherwise macOS will prompt on every read.${RESET}`);
+    console.log();
+    console.log(`  ${DIM}macOS will ask once for your login-keychain password.${RESET}`);
+    console.log(`  ${DIM}After that, no more prompts. We won't ask again.${RESET}`);
+    console.log();
+    const rl = readline.createInterface({ input, output });
+    let answer;
+    try {
+        answer = (await rl.question(`  Repair now? ${DIM}[Y/n]${RESET} `)).trim().toLowerCase();
+    }
+    finally {
+        rl.close();
+    }
+    if (answer === 'n' || answer === 'no') {
+        console.log();
+        console.log(`  ${YELLOW}Skipped.${RESET} ${DIM}Run later with: clementine config keychain-fix-acl${RESET}`);
+        console.log();
+        markKeychainWizardDone(baseDir);
+        return;
+    }
+    console.log();
+    console.log(`  ${BOLD}Repairing ACLs...${RESET}`);
+    console.log();
+    const results = fixAllClementineEntries();
+    let okCount = 0;
+    let failCount = 0;
+    for (const r of results) {
+        if (r.status === 'fixed') {
+            console.log(`    ${GREEN}✓${RESET} ${r.account}`);
+            okCount++;
+        }
+        else if (r.status === 'failed') {
+            console.log(`    ${RED}✗${RESET} ${r.account} ${DIM}— ${r.error ?? 'unknown'}${RESET}`);
+            failCount++;
+        }
+    }
+    console.log();
+    if (failCount === 0) {
+        console.log(`  ${GREEN}Done — ${okCount} entr${okCount === 1 ? 'y' : 'ies'} repaired.${RESET} ${DIM}Future reads silent.${RESET}`);
+    }
+    else {
+        console.log(`  ${YELLOW}${okCount} fixed, ${failCount} failed.${RESET}`);
+        console.log(`  ${DIM}Failed entries can be fixed manually in Keychain Access.app:${RESET}`);
+        console.log(`  ${DIM}  search "clementine-agent" → right-click → Get Info → Access Control.${RESET}`);
+    }
+    console.log();
+    // Always mark done — even on partial failure we don't want to re-prompt
+    // every launch. The user can re-run the manual command if they want.
+    markKeychainWizardDone(baseDir);
+}
+//# sourceMappingURL=keychain-first-run-wizard.js.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "clementine-agent",
-  "version": "1.1.29",
+  "version": "1.1.31",
   "description": "Clementine — Personal AI Assistant (TypeScript)",
   "type": "module",
   "main": "dist/index.js",