clementine-agent 1.1.3 → 1.1.5

package/dist/agent/assistant.js

@@ -3789,7 +3789,10 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
         const cronProfile = agentSlug && agentSlug !== 'clementine'
             ? this.profileManager.get(agentSlug)
             : null;
-        const cronGuard = new StallGuard();
+        // Cron jobs deliver via side effects (sent emails, updated records, etc),
+        // not chat text — pass mode='cron' so high_effort_low_output guard is
+        // disabled. Loop detection and circular-reasoning checks stay active.
+        const cronGuard = new StallGuard('cron');
         const sdkOptions = this.buildOptions({
             isHeartbeat: true,
             cronTier: tier,
@@ -4271,7 +4274,8 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
             logger.info(`Unleashed task ${jobName}: starting phase ${phase}`);
             // Re-assert autonomous source — a chat message may have changed it between phases
             setInteractionSource('autonomous');
-            const phaseGuard = new StallGuard();
+            // Unleashed phases run side-effect-heavy work; same logic as cron mode.
+            const phaseGuard = new StallGuard('unleashed');
             const sdkOptions = this.buildOptions({
                 isHeartbeat: true,
                 cronTier: tier,

package/dist/agent/metacognition.d.ts

@@ -28,7 +28,21 @@ export interface MetacognitiveSummary {
     confidenceFinal: 'high' | 'medium' | 'low';
     signals: string[];
 }
+/**
+ * Execution mode the monitor is observing. Chat sessions deliver via output
+ * text, so "many tool calls + zero output" is genuinely suspicious. Cron
+ * jobs (especially unleashed) deliver via side effects (sent emails, updated
+ * records, written files) — chat-text length is NOT the success signal, so
+ * the high_effort_low_output heuristic must be disabled or it produces
+ * 100+ false-positive interventions per run (observed 2026-04-26 on
+ * market-leader-followup which sent 17 real emails while this guard fired
+ * 169 times). Other heuristics (circular_reasoning via repeated identical
+ * tool calls, research_without_action via consecutive reads) stay active —
+ * those are real bug shapes regardless of mode.
+ */
+export type MetacognitiveMode = 'chat' | 'cron' | 'unleashed';
 export declare class MetacognitiveMonitor {
+    private readonly mode;
     private toolCalls;
     private uniqueTools;
     private consecutiveReads;
@@ -37,6 +51,7 @@ export declare class MetacognitiveMonitor {
     private interventionCount;
     private signals;
     private confidence;
+    constructor(mode?: MetacognitiveMode);
     /**
      * Record a tool call. Returns a signal if the pattern is concerning.
      */

package/dist/agent/metacognition.js

@@ -25,8 +25,8 @@ const ACTION_TOOLS = new Set([
     'team_message', 'discord_channel_send', 'outlook_draft', 'outlook_send',
     'set_timer', 'self_restart', 'feedback_log', 'teach_skill', 'create_tool',
 ]);
-// ── MetacognitiveMonitor ────────────────────────────────────────────
 export class MetacognitiveMonitor {
+    mode;
     toolCalls = [];
     uniqueTools = new Set();
     consecutiveReads = 0;
@@ -35,6 +35,9 @@ export class MetacognitiveMonitor {
     interventionCount = 0;
     signals = [];
     confidence = 'high';
+    constructor(mode = 'chat') {
+        this.mode = mode;
+    }
     /**
      * Record a tool call. Returns a signal if the pattern is concerning.
      */
@@ -95,31 +98,34 @@ export class MetacognitiveMonitor {
             return signal;
         }
         // Signal: excessive tool calls with near-zero output.
-        // Warn at 20, intervene (hard stop) at 60 — beyond 60 the agent is
-        // almost certainly in a runaway loop that will burn through the
-        // budget cap with nothing to show for it.
-        if (this.toolCalls.length >= 60 && this.outputCharCount < 200) {
-            this.confidence = 'low';
-            if (!this.signals.includes('high_effort_low_output')) {
-                this.signals.push('high_effort_low_output');
-            }
-            this.interventionCount++;
-            return {
-                type: 'intervene',
-                reason: 'high_effort_low_output',
-                guidance: `You've made ${this.toolCalls.length} tool calls across ${this.uniqueTools.size} tools with only ${this.outputCharCount} chars of output. This is a runaway loop. Stopping now to prevent budget waste.`,
-            };
-        }
-        if (this.toolCalls.length > 20 && this.outputCharCount < 200) {
-            this.confidence = 'low';
-            if (!this.signals.includes('high_effort_low_output')) {
-                this.signals.push('high_effort_low_output');
+        // Chat scenarios deliver via output text, so this is meaningful there.
+        // Cron and unleashed scenarios deliver via side effects (emails sent,
+        // records updated, files written) — chat-text length is irrelevant.
+        // Skip entirely outside chat mode.
+        if (this.mode === 'chat') {
+            if (this.toolCalls.length >= 60 && this.outputCharCount < 200) {
+                this.confidence = 'low';
+                if (!this.signals.includes('high_effort_low_output')) {
+                    this.signals.push('high_effort_low_output');
+                }
+                this.interventionCount++;
                 return {
-                    type: 'warn',
+                    type: 'intervene',
                     reason: 'high_effort_low_output',
-                    guidance: 'You\'ve made 20+ tool calls with minimal output. Step back and simplify your approach.',
+                    guidance: `You've made ${this.toolCalls.length} tool calls across ${this.uniqueTools.size} tools with only ${this.outputCharCount} chars of output. This is a runaway loop. Stopping now to prevent budget waste.`,
                 };
             }
+            if (this.toolCalls.length > 20 && this.outputCharCount < 200) {
+                this.confidence = 'low';
+                if (!this.signals.includes('high_effort_low_output')) {
+                    this.signals.push('high_effort_low_output');
+                    return {
+                        type: 'warn',
+                        reason: 'high_effort_low_output',
+                        guidance: 'You\'ve made 20+ tool calls with minimal output. Step back and simplify your approach.',
+                    };
+                }
+            }
         }
         return { type: 'ok' };
     }

package/dist/agent/stall-guard.d.ts

@@ -11,7 +11,8 @@
  *   3. recordToolCall() called for each tool_use block in the stream
  *   4. After query: detectPromiseWithoutAction() + getSummary() for cross-query nudges
  */
-import { type MetacognitiveSignal, type MetacognitiveSummary } from './metacognition.js';
+import { type MetacognitiveMode, type MetacognitiveSignal, type MetacognitiveSummary } from './metacognition.js';
+export type StallGuardMode = MetacognitiveMode;
 export interface StallSummary {
     metacognition: MetacognitiveSummary;
     breakerActivated: boolean;
@@ -20,10 +21,17 @@ export interface StallSummary {
 }
 export declare class StallGuard {
     private loopDetector;
-    private metacog;
+    private readonly metacog;
     private breakerActive;
     private breakerReason;
     private toolCallLog;
+    /**
+     * @param mode 'chat' (default) keeps full output-text-driven heuristics.
+     *             'cron' / 'unleashed' disable the high_effort_low_output check
+     *             since side effects, not chat text, are the deliverable for
+     *             those execution contexts.
+     */
+    constructor(mode?: StallGuardMode);
     /**
      * Check if a tool should be blocked. Called from canUseTool.
      * When the breaker is active, denies read-only tools to force the agent

package/dist/agent/stall-guard.js

@@ -12,7 +12,7 @@
  *   4. After query: detectPromiseWithoutAction() + getSummary() for cross-query nudges
  */
 import { ToolLoopDetector } from './tool-loop-detector.js';
-import { MetacognitiveMonitor } from './metacognition.js';
+import { MetacognitiveMonitor, } from './metacognition.js';
 import pino from 'pino';
 const logger = pino({ name: 'clementine.stall-guard' });
 // Only block SDK read tools — MCP tools (memory_read, etc.) are intentionally
@@ -21,10 +21,19 @@ const READ_ONLY_TOOLS = new Set(['Read', 'Glob', 'Grep', 'WebSearch', 'WebFetch'
 // ── StallGuard ──────────────────────────────────────────────────────
 export class StallGuard {
     loopDetector = new ToolLoopDetector();
-    metacog = new MetacognitiveMonitor();
+    metacog;
     breakerActive = false;
     breakerReason = '';
     toolCallLog = [];
+    /**
+     * @param mode 'chat' (default) keeps full output-text-driven heuristics.
+     *             'cron' / 'unleashed' disable the high_effort_low_output check
+     *             since side effects, not chat text, are the deliverable for
+     *             those execution contexts.
+     */
+    constructor(mode = 'chat') {
+        this.metacog = new MetacognitiveMonitor(mode);
+    }
     /**
      * Check if a tool should be blocked. Called from canUseTool.
      * When the breaker is active, denies read-only tools to force the agent

package/dist/config/keychain-fix-acl.d.ts

@@ -20,37 +20,43 @@
  * (the macOS system prompt — the one that DOES reliably appear). After
  * approving, all entries become readable without further prompts.
  */
+/**
+ * Both keychain service names the codebase has used over time:
+ * - "clementine-agent" — used by src/secrets/keychain.ts (env_set / migrate-to-keychain)
+ * - "clementine"       — getSecret's default fallback when no explicit service
+ *                        passed (src/config.ts: ASSISTANT_NAME.toLowerCase()).
+ *                        Holds older per-agent and handoff entries.
+ */
+declare const SERVICES: readonly ["clementine-agent", "clementine"];
+type Service = typeof SERVICES[number];
 export interface KeychainEntry {
+    service: Service;
     account: string;
+    /** True when isClementineAccount returned true; only these get fixed. */
+    isClementine: boolean;
 }
 export interface AclFixResult {
+    service: Service;
     account: string;
-    status: 'fixed' | 'failed';
+    status: 'fixed' | 'failed' | 'skipped-foreign';
     error?: string;
 }
 /**
- * Enumerate every clementine-agent keychain entry. Uses the dump-keychain
- * grep approach since `security` doesn't expose a clean list-by-service.
- * Read-only, no prompts.
- */
-export declare function listClementineKeychainEntries(): KeychainEntry[];
-/**
- * Add `apple-tool:,apple:` to the partition list of a given account.
- *
- * `security set-generic-password-partition-list` prompts on the controlling
- * terminal — `password to unlock default:` — for the user's login keychain
- * password. We must inherit stdio so the child can read from the parent's
- * TTY; piped stdio causes security to consume an empty line and fail with
- * "exit code null" / "wrong password."
+ * Enumerate every keychain entry under any service in SERVICES. Uses the
+ * dump-keychain grep approach since `security` doesn't expose a clean
+ * list-by-service. Read-only, no prompts.
  *
- * That means this function only works when called from an interactive shell.
- * Callers in non-TTY contexts should fall back to instructing the user to
- * run `clementine config keychain-fix-acl` from their own terminal.
+ * For the legacy "clementine" service we set `isClementine: false` on any
+ * entry that doesn't match our naming patterns — those get reported but
+ * never touched (could be other apps that coincidentally chose that name).
  */
-export declare function fixAcl(account: string): AclFixResult;
+export declare function listClementineKeychainEntries(): KeychainEntry[];
+export declare function fixAcl(service: Service, account: string): AclFixResult;
 /**
- * Plan + apply: enumerate entries, fix each in turn. Returns per-entry
- * results so the CLI can render a checklist.
+ * Plan + apply: enumerate entries, fix each Clementine-shaped one in turn.
+ * Foreign entries (other apps under the legacy "clementine" service) get
+ * reported with status='skipped-foreign' and never touched.
  */
 export declare function fixAllClementineEntries(): AclFixResult[];
+export {};
 //# sourceMappingURL=keychain-fix-acl.d.ts.map

package/dist/config/keychain-fix-acl.js

@@ -21,30 +21,97 @@
  * approving, all entries become readable without further prompts.
  */
 import { execSync, spawnSync } from 'node:child_process';
-const SERVICE = 'clementine-agent';
 /**
- * Enumerate every clementine-agent keychain entry. Uses the dump-keychain
- * grep approach since `security` doesn't expose a clean list-by-service.
- * Read-only, no prompts.
+ * Both keychain service names the codebase has used over time:
+ * - "clementine-agent" — used by src/secrets/keychain.ts (env_set / migrate-to-keychain)
+ * - "clementine"       — getSecret's default fallback when no explicit service
+ *                        passed (src/config.ts: ASSISTANT_NAME.toLowerCase()).
+ *                        Holds older per-agent and handoff entries.
+ */
+const SERVICES = ['clementine-agent', 'clementine'];
+/**
+ * Under the legacy "clementine" service, some non-Clementine apps
+ * coincidentally store entries (e.g., macOS "Local Crypto Key Data"
+ * with a UUID prefix). We refuse to touch those — only entries that
+ * match our naming conventions get the ACL update.
+ */
+function isClementineAccount(service, account) {
+    if (service === 'clementine-agent')
+        return true; // we own this whole service
+    // For the legacy "clementine" service, conservatively only touch entries
+    // that look like things we set: per-agent secrets (AGENT_*),
+    // handoff-decryption-key-*, oauth-tokens, env-var names (UPPER_SNAKE),
+    // anything starting with "clementine-".
+    if (account.startsWith('AGENT_'))
+        return true;
+    if (account.startsWith('handoff-'))
+        return true;
+    if (account === 'oauth-tokens')
+        return true;
+    if (account.startsWith('clementine-'))
+        return true;
+    if (/^[A-Z][A-Z0-9_]*$/.test(account))
+        return true;
+    return false;
+}
+/**
+ * Enumerate every keychain entry under any service in SERVICES. Uses the
+ * dump-keychain grep approach since `security` doesn't expose a clean
+ * list-by-service. Read-only, no prompts.
+ *
+ * For the legacy "clementine" service we set `isClementine: false` on any
+ * entry that doesn't match our naming patterns — those get reported but
+ * never touched (could be other apps that coincidentally chose that name).
  */
 export function listClementineKeychainEntries() {
+    let raw;
     try {
-        const out = execSync('/usr/bin/security dump-keychain 2>/dev/null', {
+        raw = execSync('/usr/bin/security dump-keychain 2>/dev/null', {
             encoding: 'utf-8',
-            timeout: 5000,
+            timeout: 10_000,
             stdio: ['pipe', 'pipe', 'pipe'],
+            maxBuffer: 32 * 1024 * 1024,
         });
-        const accounts = new Set();
-        // Lines look like:  "acct"<blob>="clementine-agent-DISCORD_TOKEN"
-        const re = /"acct"<blob>="(clementine-agent-[^"]+)"/g;
-        for (const m of out.matchAll(re)) {
-            accounts.add(m[1]);
-        }
-        return Array.from(accounts).sort().map(account => ({ account }));
     }
     catch {
         return [];
     }
+    // dump-keychain emits one record per item. Within a record, fields appear
+    // in arbitrary order — `acct` often comes BEFORE `svce`. So we can't track
+    // "last-seen svce" line-by-line; we have to split into per-record blocks
+    // and extract both fields from each block.
+    //
+    // Each record starts with `keychain: "/path/to/keychain"` followed by the
+    // `version`, `class`, `attributes:` lines and the field blobs. The next
+    // record begins at the next `^keychain: ` line.
+    const entries = [];
+    const seen = new Set();
+    // Split by record boundary. Use a positive lookahead so the delimiter stays
+    // at the start of each chunk.
+    const blocks = raw.split(/\n(?=keychain: ")/);
+    for (const block of blocks) {
+        const svceMatch = block.match(/"svce"<blob>="([^"]+)"/);
+        const acctMatch = block.match(/"acct"<blob>="([^"]+)"/);
+        if (!svceMatch || !acctMatch)
+            continue;
+        const svc = svceMatch[1];
+        const account = acctMatch[1];
+        if (!SERVICES.includes(svc))
+            continue;
+        const service = svc;
+        const dedupeKey = `${service}\x00${account}`;
+        if (seen.has(dedupeKey))
+            continue;
+        seen.add(dedupeKey);
+        entries.push({
+            service,
+            account,
+            isClementine: isClementineAccount(service, account),
+        });
+    }
+    // Stable sort: service first, then account
+    entries.sort((a, b) => a.service === b.service ? a.account.localeCompare(b.account) : a.service.localeCompare(b.service));
+    return entries;
 }
 /**
  * Add `apple-tool:,apple:` to the partition list of a given account.
@@ -59,34 +126,75 @@ export function listClementineKeychainEntries() {
  * Callers in non-TTY contexts should fall back to instructing the user to
  * run `clementine config keychain-fix-acl` from their own terminal.
  */
-export function fixAcl(account) {
-    const result = spawnSync('/usr/bin/security', [
+/**
+ * Discover which keychain a (service, account) pair lives in. Returns the
+ * path or null if find-generic-password can't locate it (in which case we
+ * skip — the entry isn't reachable via standard search anyway).
+ */
+function locateKeychain(service, account) {
+    const probe = spawnSync('/usr/bin/security', [
+        'find-generic-password',
+        '-s', service,
+        '-a', account,
+    ], {
+        stdio: ['pipe', 'pipe', 'pipe'],
+        timeout: 5000,
+        encoding: 'utf-8',
+    });
+    if (probe.status !== 0)
+        return null;
+    // First line is `keychain: "/path/to/keychain"` — extract.
+    const first = (probe.stdout || '').split('\n')[0] ?? '';
+    const m = first.match(/^keychain:\s+"([^"]+)"/);
+    return m ? m[1] : null;
+}
+export function fixAcl(service, account) {
+    const keychainPath = locateKeychain(service, account);
+    if (!keychainPath) {
+        return {
+            service,
+            account,
+            status: 'failed',
+            error: 'item not findable via standard search (may be in iCloud or a non-default keychain) — leaving alone',
+        };
+    }
+    // Pass the keychain path as the trailing positional arg so partition-list
+    // doesn't search the wrong store.
+    const args = [
         'set-generic-password-partition-list',
-        '-s', SERVICE,
+        '-s', service,
         '-a', account,
         '-S', 'apple-tool:,apple:',
-    ], {
+        keychainPath,
+    ];
+    const result = spawnSync('/usr/bin/security', args, {
         stdio: 'inherit',
-        timeout: 120_000, // 2min — generous since the user is typing per call
+        timeout: 120_000,
     });
     if (result.status === 0) {
-        return { account, status: 'fixed' };
+        return { service, account, status: 'fixed' };
     }
     return {
+        service,
         account,
         status: 'failed',
         error: result.error?.message ?? `exit code ${result.status}`,
     };
 }
 /**
- * Plan + apply: enumerate entries, fix each in turn. Returns per-entry
- * results so the CLI can render a checklist.
+ * Plan + apply: enumerate entries, fix each Clementine-shaped one in turn.
+ * Foreign entries (other apps under the legacy "clementine" service) get
+ * reported with status='skipped-foreign' and never touched.
  */
 export function fixAllClementineEntries() {
     const entries = listClementineKeychainEntries();
     const results = [];
     for (const entry of entries) {
-        results.push(fixAcl(entry.account));
+        if (!entry.isClementine) {
+            results.push({ service: entry.service, account: entry.account, status: 'skipped-foreign' });
+            continue;
+        }
+        results.push(fixAcl(entry.service, entry.account));
     }
     return results;
 }

package/dist/config.d.ts

@@ -14,6 +14,13 @@ export declare const BASE_DIR: string;
 export declare function envSnapshot(): Record<string, string | undefined>;
 /** Test-only: clear the keychain ref cache so re-resolution can be tested. */
 export declare function _resetKeychainRefCache(): void;
+/**
+ * Return the keychain stubs that couldn't be resolved this process. Used by
+ * the daemon entrypoint to log a clear remediation hint at boot if any
+ * keychain reads are failing (typically: ACL not yet partition-listed →
+ * `clementine config keychain-fix-acl` fixes it).
+ */
+export declare function getFailedKeychainResolutions(): string[];
 export declare const VAULT_DIR: string;
 export declare const SYSTEM_DIR: string;
 export declare const DAILY_NOTES_DIR: string;

package/dist/config.js

@@ -117,6 +117,20 @@ export function envSnapshot() {
 export function _resetKeychainRefCache() {
     resolvedKeychainRefs.clear();
 }
+/**
+ * Return the keychain stubs that couldn't be resolved this process. Used by
+ * the daemon entrypoint to log a clear remediation hint at boot if any
+ * keychain reads are failing (typically: ACL not yet partition-listed →
+ * `clementine config keychain-fix-acl` fixes it).
+ */
+export function getFailedKeychainResolutions() {
+    const out = [];
+    for (const [stub, value] of resolvedKeychainRefs) {
+        if (value === null)
+            out.push(stub);
+    }
+    return out;
+}
 // ── Paths ────────────────────────────────────────────────────────────
 export const VAULT_DIR = path.join(BASE_DIR, 'vault');
 export const SYSTEM_DIR = path.join(VAULT_DIR, '00-System');

package/dist/gateway/notifications.js

@@ -7,6 +7,7 @@
  */
 import pino from 'pino';
 import { DeliveryQueue } from './delivery-queue.js';
+import { redactSecrets } from '../security/redact.js';
 const logger = pino({ name: 'clementine.notifications' });
 /** Safety cap — prevent runaway messages, but each channel handles its own chunking/limits. */
 const MAX_MESSAGE_LENGTH = 8000;
@@ -62,10 +63,18 @@ export class NotificationDispatcher {
             logger.warn('No notification senders registered — message dropped');
             return { delivered: false, channelErrors: { _: 'no channels registered' } };
         }
+        // Outbound credential redaction — last-line defense against the agent
+        // accidentally (or via prompt injection) shipping a credential to a
+        // public channel. Pattern-based + known-value scan; cheap enough to
+        // run on every send. See src/security/redact.ts for the policy.
+        const { text: redacted, stats: redactionStats } = redactSecrets(text);
+        if (redactionStats.redactionCount > 0) {
+            logger.warn({ count: redactionStats.redactionCount, labels: redactionStats.labelsHit, sessionKey: context?.sessionKey }, `Redacted ${redactionStats.redactionCount} credential-shaped value(s) before delivery`);
+        }
         // Sanity cap only — each channel sender handles its own chunking/truncation
-        const capped = text.length > MAX_MESSAGE_LENGTH
-            ? text.slice(0, MAX_MESSAGE_LENGTH - 20) + '\n\n_(truncated)_'
-            : text;
+        const capped = redacted.length > MAX_MESSAGE_LENGTH
+            ? redacted.slice(0, MAX_MESSAGE_LENGTH - 20) + '\n\n_(truncated)_'
+            : redacted;
         // If sessionKey is set, route only to the channel that owns it.
         // Fan out to all channels only when no originating channel is known.
         const targetChannel = context?.sessionKey ? channelForSessionKey(context.sessionKey) : null;

package/dist/index.js

@@ -548,6 +548,17 @@ async function asyncMain() {
         hydrateSecretsFromEnv();
     }
     catch { /* non-fatal — non-macOS systems, or keychain unavailable */ }
+    // ── Surface keychain resolution failures with a clear remediation hint ──
+    // If any keychain ref couldn't be read at module-init time, the user is
+    // probably hitting the per-process approval-dialog issue (entry written
+    // with the wrong ACL). The fix is one command — print it loud so they
+    // don't have to grep for the answer.
+    const failedKcRefs = config.getFailedKeychainResolutions();
+    if (failedKcRefs.length > 0) {
+        logger.warn({ count: failedKcRefs.length, refs: failedKcRefs }, `${failedKcRefs.length} keychain reference(s) could not be resolved at startup.`);
+        logger.warn('Affected channels/integrations may be degraded. Fix in one command: clementine config keychain-fix-acl');
+        logger.warn('See: https://github.com/Natebreynolds/Clementine-AI-Assistant#keychain-prompts');
+    }
     // ── Check MCP extension permissions ────────────────────────────
     try {
         const { checkPermissionsOnStartup, bootstrapClaudeIntegrationsFromAuditLog, probeAvailableTools } = await import('./agent/mcp-bridge.js');

package/dist/memory/store.js

@@ -1023,8 +1023,10 @@ export class MemoryStore {
         const tagFilters = (category || topic) ? { category, topic } : undefined;
         // 1. FTS5 relevance (fetch extra to allow re-ranking after boost)
         const ftsResults = this.searchFts(query, agentSlug ? limit * 2 : limit, tagFilters, agentSlug && strict ? agentSlug : undefined);
-        // Apply salience boost to FTS results
+        // Apply boosts. Order doesn't matter (all multiplicative) but readability does.
+        const nowMs = Date.now();
         for (const r of ftsResults) {
+            // Salience: editor-curated importance (admin tag, sticky note, etc.)
             if (r.salience > 0) {
                 r.score *= 1.0 + r.salience;
             }
@@ -1036,6 +1038,17 @@ export class MemoryStore {
             if (outcome !== 0) {
                 r.score *= 1.0 + 0.3 * outcome;
             }
+            // Temporal decay — without this, a 2-year-old chunk with the same BM25
+            // score ranks identically to one from yesterday. Half-life of 30 days
+            // (matches TEMPORAL_DECAY_HALF_LIFE_DAYS in config). Applied to a
+            // bounded fraction (max 60% reduction) so genuinely high-relevance
+            // historical context still surfaces — this is a tiebreaker, not a cliff.
+            if (r.lastUpdated) {
+                const daysOld = Math.max(0, (nowMs - new Date(r.lastUpdated).getTime()) / 86_400_000);
+                const decay = temporalDecay(daysOld, 30);
+                // Clamp to [0.4, 1.0] so very old chunks lose at most 60% of their score.
+                r.score *= Math.max(0.4, decay);
+            }
         }
         // Soft-isolation: apply agent affinity boost when not strict
         if (agentSlug && !strict) {

package/dist/security/redact.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Outbound credential redaction.
+ *
+ * Last-line defense against prompt-injection exfil: any outbound text
+ * (Discord, Slack, email, dashboard chat) gets scanned for credential
+ * shapes BEFORE delivery. Matches are replaced with [REDACTED:reason]
+ * so the recipient sees that something was stripped without seeing the
+ * value itself.
+ *
+ * Two layers:
+ *   1. Pattern-based — well-known token formats from common providers
+ *      (Stripe, Anthropic, OpenAI, GitHub, Slack, AWS, Discord). These
+ *      catch credentials whose values we don't know in advance — including
+ *      ones the agent might have just learned about from external sources.
+ *   2. Known-value — exact-match against the live values of credential-
+ *      shaped keys in process.env / .env. Caught even if the format
+ *      doesn't match a known pattern (e.g. internal API keys, custom
+ *      webhook secrets).
+ *
+ * Designed to be cheap (single pass over each pattern + known-value set)
+ * so we can run on every outbound message without measurable latency.
+ *
+ * Designed to err on the side of REDACTING. False positives (a chunk of
+ * text that happens to look like a Stripe key) just produce a [REDACTED]
+ * marker; the recipient knows to ask. False negatives (a real credential
+ * leaked) are the bug we're trying to prevent.
+ */
+export interface RedactionStats {
+    redactionCount: number;
+    /** Labels that fired, deduped. Useful for audit logging. */
+    labelsHit: string[];
+}
+export interface RedactionResult {
+    text: string;
+    stats: RedactionStats;
+}
+/**
+ * Pull credential values from process.env for any key that looks sensitive
+ * (matches isSensitiveEnvKey). Used to build the known-value redaction set
+ * lazily — re-read on each call so a freshly-set credential is covered
+ * within one tick.
+ */
+export declare function buildKnownValueSet(env?: NodeJS.ProcessEnv): Set<string>;
+/**
+ * Run all redaction layers against a string. Returns the redacted text
+ * plus stats about what fired.
+ *
+ * `knownValues` defaults to a fresh process.env scan but tests pass an
+ * explicit set for hermetic coverage.
+ */
+export declare function redactSecrets(text: string, knownValues?: Set<string>): RedactionResult;
+//# sourceMappingURL=redact.d.ts.map

package/dist/security/redact.js

@@ -0,0 +1,105 @@
+/**
+ * Outbound credential redaction.
+ *
+ * Last-line defense against prompt-injection exfil: any outbound text
+ * (Discord, Slack, email, dashboard chat) gets scanned for credential
+ * shapes BEFORE delivery. Matches are replaced with [REDACTED:reason]
+ * so the recipient sees that something was stripped without seeing the
+ * value itself.
+ *
+ * Two layers:
+ *   1. Pattern-based — well-known token formats from common providers
+ *      (Stripe, Anthropic, OpenAI, GitHub, Slack, AWS, Discord). These
+ *      catch credentials whose values we don't know in advance — including
+ *      ones the agent might have just learned about from external sources.
+ *   2. Known-value — exact-match against the live values of credential-
+ *      shaped keys in process.env / .env. Caught even if the format
+ *      doesn't match a known pattern (e.g. internal API keys, custom
+ *      webhook secrets).
+ *
+ * Designed to be cheap (single pass over each pattern + known-value set)
+ * so we can run on every outbound message without measurable latency.
+ *
+ * Designed to err on the side of REDACTING. False positives (a chunk of
+ * text that happens to look like a Stripe key) just produce a [REDACTED]
+ * marker; the recipient knows to ask. False negatives (a real credential
+ * leaked) are the bug we're trying to prevent.
+ */
+import { isSensitiveEnvKey } from '../secrets/sensitivity.js';
+// pragma: allowlist secret (this module exists to recognize secret patterns)
+const PATTERNS = [
+    { label: 'stripe', re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/g },
+    { label: 'anthropic', re: /\bsk-ant-(?:api|admin)\w*-[A-Za-z0-9_-]{16,}\b/g },
+    { label: 'openai-project', re: /\bsk-proj-[A-Za-z0-9_-]{20,}\b/g },
+    { label: 'openai', re: /\bsk-[A-Za-z0-9]{40,}\b/g },
+    { label: 'github', re: /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{30,}\b/g },
+    { label: 'slack', re: /\bxox[abpors]-[A-Za-z0-9-]{10,}\b/g },
+    { label: 'aws-access', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
+    { label: 'discord', re: /\b[A-Za-z0-9_-]{24,28}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{27,38}\b/g },
+    { label: 'jwt', re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
+    { label: 'private-key', re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]+?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
+];
+/**
+ * Pull credential values from process.env for any key that looks sensitive
+ * (matches isSensitiveEnvKey). Used to build the known-value redaction set
+ * lazily — re-read on each call so a freshly-set credential is covered
+ * within one tick.
+ */
+export function buildKnownValueSet(env = process.env) {
+    const out = new Set();
+    for (const [key, value] of Object.entries(env)) {
+        if (!value)
+            continue;
+        if (value.length < 12)
+            continue; // short values likely false positives
+        if (value.startsWith('keychain:'))
+            continue; // reference, not the secret itself
+        if (!isSensitiveEnvKey(key))
+            continue;
+        out.add(value);
+    }
+    return out;
+}
+/**
+ * Run all redaction layers against a string. Returns the redacted text
+ * plus stats about what fired.
+ *
+ * `knownValues` defaults to a fresh process.env scan but tests pass an
+ * explicit set for hermetic coverage.
+ */
+export function redactSecrets(text, knownValues = buildKnownValueSet()) {
+    if (!text)
+        return { text, stats: { redactionCount: 0, labelsHit: [] } };
+    let working = text;
+    const labelsHit = new Set();
+    let count = 0;
+    // Pattern pass first — catches well-known formats whose values we may
+    // not know in advance.
+    for (const { label, re } of PATTERNS) {
+        working = working.replace(re, () => {
+            labelsHit.add(label);
+            count++;
+            return `[REDACTED:${label}]`;
+        });
+    }
+    // Known-value pass — exact-match every credential currently loaded into
+    // process.env. Sort by length descending so longer values get replaced
+    // first (a longer secret might contain a shorter one as substring).
+    const sortedValues = [...knownValues].sort((a, b) => b.length - a.length);
+    for (const v of sortedValues) {
+        if (!v || v.length < 12)
+            continue;
+        let idx = working.indexOf(v);
+        while (idx !== -1) {
+            working = working.slice(0, idx) + '[REDACTED:env]' + working.slice(idx + v.length);
+            labelsHit.add('env');
+            count++;
+            idx = working.indexOf(v, idx + '[REDACTED:env]'.length);
+        }
+    }
+    return {
+        text: working,
+        stats: { redactionCount: count, labelsHit: [...labelsHit] },
+    };
+}
+//# sourceMappingURL=redact.js.map

package/dist/tools/admin-tools.js

@@ -122,10 +122,10 @@ export function registerAdminTools(server) {
         return textResult(`Timer set. Reminder in ${minutes} minute${minutes !== 1 ? 's' : ''} (~${fireTime}): "${message}"`);
     });
     // ── Env self-configuration (owner-DM only) ────────────────────────────
-    server.tool('env_set', 'Save or update an env var. Owner-DM only. In "auto" mode (default), credential-shaped keys (API keys, tokens, secrets, passwords) go to the macOS Keychain; everything else goes to plain ~/.clementine/.env. Force keychain or env via the storage arg if you need to override. Changes take effect immediately; process.env gets the real value and the next tool call can use it. Use this when the owner gives a value in chat — never tell them to hand-edit files.', {
+    server.tool('env_set', 'Save or update an env var. Owner-DM only. Default behavior writes to plain ~/.clementine/.env (mode 0600). Pass storage="keychain" to opt into macOS Keychain storage — but be aware keychain entries can require per-app approval prompts on first read which create UX friction (see commit history for the rabbit hole). Use plain .env unless you specifically need at-rest encryption beyond filesystem permissions.', {
         key: z.string().describe('Env var name (uppercase with underscores, e.g. STRIPE_API_KEY)'),
         value: z.string().describe('The value to store. Never echo back to the user; it will be masked in logs.'),
-        storage: z.enum(['keychain', 'env', 'auto']).optional().describe('Where to store it. "auto" (default) routes credential-shaped keys to Keychain and config-shaped keys to plain .env. "keychain" forces Keychain. "env" forces plaintext .env.'),
+        storage: z.enum(['keychain', 'env', 'auto']).optional().describe('Where to store it. Default (and "auto"/"env") writes plaintext to ~/.clementine/.env. "keychain" opts into macOS Keychain — only use when at-rest encryption matters more than read ergonomics.'),
     }, async ({ key, value, storage }) => {
         const gate = requireOwnerDm();
         if (!gate.ok)
@@ -137,14 +137,19 @@ export function registerAdminTools(server) {
         if (!value)
             return textResult('Refused: empty value. Use env_unset to remove a key.');
         const mode = storage ?? 'auto';
-        const looksSensitive = isSensitiveEnvKey(normalizedKey);
-        // auto mode: keychain-route only credential-shaped keys, so config knobs
-        // (BUDGET_*, OWNER_NAME, etc.) stay readable as plain .env values.
-        const useKeychain = mode === 'keychain' ||
-            (mode === 'auto' && looksSensitive && keychain.isAvailable());
+        // Keychain is now strictly opt-in. The legacy 'auto' mode used to route
+        // credential-shaped keys to keychain, but that produced a class of read-
+        // approval dialog UX bugs (see commits 88cfd99 .. c34da0b). Plaintext .env
+        // with mode 0600 is the safer default — credentials still encrypted at
+        // rest if FileVault is on, and no per-process keychain prompts.
+        const useKeychain = mode === 'keychain';
         if (mode === 'keychain' && !keychain.isAvailable()) {
             return textResult('Refused: Keychain storage requested but macOS Keychain is unavailable on this system.');
         }
+        // Reference unused-but-imported helper so the import line stays meaningful
+        // for grep — it's used by other modules and we may re-enable smart routing
+        // later behind a feature flag.
+        void isSensitiveEnvKey;
         const map = parseEnvFile();
         const existed = map.has(normalizedKey);
         let envFileValue;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clementine-agent",
-  "version": "1.1.3",
+  "version": "1.1.5",
   "description": "Clementine — Personal AI Assistant (TypeScript)",
   "type": "module",
   "main": "dist/index.js",