clementine-agent 1.1.4 → 1.1.5

package/dist/agent/assistant.js

@@ -3789,7 +3789,10 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
         const cronProfile = agentSlug && agentSlug !== 'clementine'
             ? this.profileManager.get(agentSlug)
             : null;
-        const cronGuard = new StallGuard();
+        // Cron jobs deliver via side effects (sent emails, updated records, etc),
+        // not chat text — pass mode='cron' so high_effort_low_output guard is
+        // disabled. Loop detection and circular-reasoning checks stay active.
+        const cronGuard = new StallGuard('cron');
         const sdkOptions = this.buildOptions({
             isHeartbeat: true,
             cronTier: tier,
@@ -4271,7 +4274,8 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
             logger.info(`Unleashed task ${jobName}: starting phase ${phase}`);
             // Re-assert autonomous source — a chat message may have changed it between phases
             setInteractionSource('autonomous');
-            const phaseGuard = new StallGuard();
+            // Unleashed phases run side-effect-heavy work; same logic as cron mode.
+            const phaseGuard = new StallGuard('unleashed');
             const sdkOptions = this.buildOptions({
                 isHeartbeat: true,
                 cronTier: tier,

package/dist/agent/metacognition.d.ts

@@ -28,7 +28,21 @@ export interface MetacognitiveSummary {
     confidenceFinal: 'high' | 'medium' | 'low';
     signals: string[];
 }
+/**
+ * Execution mode the monitor is observing. Chat sessions deliver via output
+ * text, so "many tool calls + zero output" is genuinely suspicious. Cron
+ * jobs (especially unleashed) deliver via side effects (sent emails, updated
+ * records, written files) — chat-text length is NOT the success signal, so
+ * the high_effort_low_output heuristic must be disabled or it produces
+ * 100+ false-positive interventions per run (observed 2026-04-26 on
+ * market-leader-followup which sent 17 real emails while this guard fired
+ * 169 times). Other heuristics (circular_reasoning via repeated identical
+ * tool calls, research_without_action via consecutive reads) stay active —
+ * those are real bug shapes regardless of mode.
+ */
+export type MetacognitiveMode = 'chat' | 'cron' | 'unleashed';
 export declare class MetacognitiveMonitor {
+    private readonly mode;
     private toolCalls;
     private uniqueTools;
     private consecutiveReads;
@@ -37,6 +51,7 @@ export declare class MetacognitiveMonitor {
     private interventionCount;
     private signals;
     private confidence;
+    constructor(mode?: MetacognitiveMode);
     /**
      * Record a tool call. Returns a signal if the pattern is concerning.
      */

package/dist/agent/metacognition.js

@@ -25,8 +25,8 @@ const ACTION_TOOLS = new Set([
     'team_message', 'discord_channel_send', 'outlook_draft', 'outlook_send',
     'set_timer', 'self_restart', 'feedback_log', 'teach_skill', 'create_tool',
 ]);
-// ── MetacognitiveMonitor ────────────────────────────────────────────
 export class MetacognitiveMonitor {
+    mode;
     toolCalls = [];
     uniqueTools = new Set();
     consecutiveReads = 0;
@@ -35,6 +35,9 @@ export class MetacognitiveMonitor {
     interventionCount = 0;
     signals = [];
     confidence = 'high';
+    constructor(mode = 'chat') {
+        this.mode = mode;
+    }
     /**
      * Record a tool call. Returns a signal if the pattern is concerning.
      */
@@ -95,31 +98,34 @@ export class MetacognitiveMonitor {
             return signal;
         }
         // Signal: excessive tool calls with near-zero output.
-        // Warn at 20, intervene (hard stop) at 60 — beyond 60 the agent is
-        // almost certainly in a runaway loop that will burn through the
-        // budget cap with nothing to show for it.
-        if (this.toolCalls.length >= 60 && this.outputCharCount < 200) {
-            this.confidence = 'low';
-            if (!this.signals.includes('high_effort_low_output')) {
-                this.signals.push('high_effort_low_output');
-            }
-            this.interventionCount++;
-            return {
-                type: 'intervene',
-                reason: 'high_effort_low_output',
-                guidance: `You've made ${this.toolCalls.length} tool calls across ${this.uniqueTools.size} tools with only ${this.outputCharCount} chars of output. This is a runaway loop. Stopping now to prevent budget waste.`,
-            };
-        }
-        if (this.toolCalls.length > 20 && this.outputCharCount < 200) {
-            this.confidence = 'low';
-            if (!this.signals.includes('high_effort_low_output')) {
-                this.signals.push('high_effort_low_output');
+        // Chat scenarios deliver via output text, so this is meaningful there.
+        // Cron and unleashed scenarios deliver via side effects (emails sent,
+        // records updated, files written) — chat-text length is irrelevant.
+        // Skip entirely outside chat mode.
+        if (this.mode === 'chat') {
+            if (this.toolCalls.length >= 60 && this.outputCharCount < 200) {
+                this.confidence = 'low';
+                if (!this.signals.includes('high_effort_low_output')) {
+                    this.signals.push('high_effort_low_output');
+                }
+                this.interventionCount++;
                 return {
-                    type: 'warn',
+                    type: 'intervene',
                     reason: 'high_effort_low_output',
-                    guidance: 'You\'ve made 20+ tool calls with minimal output. Step back and simplify your approach.',
+                    guidance: `You've made ${this.toolCalls.length} tool calls across ${this.uniqueTools.size} tools with only ${this.outputCharCount} chars of output. This is a runaway loop. Stopping now to prevent budget waste.`,
                 };
             }
+            if (this.toolCalls.length > 20 && this.outputCharCount < 200) {
+                this.confidence = 'low';
+                if (!this.signals.includes('high_effort_low_output')) {
+                    this.signals.push('high_effort_low_output');
+                    return {
+                        type: 'warn',
+                        reason: 'high_effort_low_output',
+                        guidance: 'You\'ve made 20+ tool calls with minimal output. Step back and simplify your approach.',
+                    };
+                }
+            }
         }
         return { type: 'ok' };
     }

package/dist/agent/stall-guard.d.ts

@@ -11,7 +11,8 @@
  *   3. recordToolCall() called for each tool_use block in the stream
  *   4. After query: detectPromiseWithoutAction() + getSummary() for cross-query nudges
  */
-import { type MetacognitiveSignal, type MetacognitiveSummary } from './metacognition.js';
+import { type MetacognitiveMode, type MetacognitiveSignal, type MetacognitiveSummary } from './metacognition.js';
+export type StallGuardMode = MetacognitiveMode;
 export interface StallSummary {
     metacognition: MetacognitiveSummary;
     breakerActivated: boolean;
@@ -20,10 +21,17 @@ export interface StallSummary {
 }
 export declare class StallGuard {
     private loopDetector;
-    private metacog;
+    private readonly metacog;
     private breakerActive;
     private breakerReason;
     private toolCallLog;
+    /**
+     * @param mode 'chat' (default) keeps full output-text-driven heuristics.
+     *             'cron' / 'unleashed' disable the high_effort_low_output check
+     *             since side effects, not chat text, are the deliverable for
+     *             those execution contexts.
+     */
+    constructor(mode?: StallGuardMode);
     /**
      * Check if a tool should be blocked. Called from canUseTool.
      * When the breaker is active, denies read-only tools to force the agent

package/dist/agent/stall-guard.js

@@ -12,7 +12,7 @@
  *   4. After query: detectPromiseWithoutAction() + getSummary() for cross-query nudges
  */
 import { ToolLoopDetector } from './tool-loop-detector.js';
-import { MetacognitiveMonitor } from './metacognition.js';
+import { MetacognitiveMonitor, } from './metacognition.js';
 import pino from 'pino';
 const logger = pino({ name: 'clementine.stall-guard' });
 // Only block SDK read tools — MCP tools (memory_read, etc.) are intentionally
@@ -21,10 +21,19 @@ const READ_ONLY_TOOLS = new Set(['Read', 'Glob', 'Grep', 'WebSearch', 'WebFetch'
 // ── StallGuard ──────────────────────────────────────────────────────
 export class StallGuard {
     loopDetector = new ToolLoopDetector();
-    metacog = new MetacognitiveMonitor();
+    metacog;
     breakerActive = false;
     breakerReason = '';
     toolCallLog = [];
+    /**
+     * @param mode 'chat' (default) keeps full output-text-driven heuristics.
+     *             'cron' / 'unleashed' disable the high_effort_low_output check
+     *             since side effects, not chat text, are the deliverable for
+     *             those execution contexts.
+     */
+    constructor(mode = 'chat') {
+        this.metacog = new MetacognitiveMonitor(mode);
+    }
     /**
      * Check if a tool should be blocked. Called from canUseTool.
      * When the breaker is active, denies read-only tools to force the agent

package/dist/cli/index.js

@@ -1227,19 +1227,13 @@ async function cmdConfigKeychainFixAcl(opts) {
     const RED = '\x1b[0;31m';
     const RESET = '\x1b[0m';
     const entries = listClementineKeychainEntries();
-    const ours = entries.filter(e => e.isClementine);
-    const foreign = entries.filter(e => !e.isClementine);
     console.log();
-    console.log(`  ${BOLD}Found ${entries.length} entr${entries.length === 1 ? 'y' : 'ies'} under clementine* services.${RESET}`);
-    console.log(`  ${DIM}Will fix ${ours.length}; will skip ${foreign.length} (look like other apps).${RESET}`);
+    console.log(`  ${BOLD}Found ${entries.length} clementine-agent keychain entr${entries.length === 1 ? 'y' : 'ies'}.${RESET}`);
+    for (const e of entries)
+        console.log(`    ${DIM}${e.account}${RESET}`);
     console.log();
-    for (const e of entries) {
-        const tag = e.isClementine ? `${GREEN}fix${RESET}` : `${DIM}skip${RESET}`;
-        console.log(`    [${tag}] ${e.service}/${e.account}`);
-    }
-    console.log();
-    if (ours.length === 0) {
-        console.log(`  ${GREEN}Nothing Clementine-shaped to fix.${RESET}`);
+    if (entries.length === 0) {
+        console.log(`  ${GREEN}Nothing to fix.${RESET}`);
         console.log();
         return;
     }
@@ -1250,34 +1244,29 @@ async function cmdConfigKeychainFixAcl(opts) {
     }
     console.log(`  ${BOLD}Fixing ACLs...${RESET}`);
     console.log(`  ${DIM}macOS may ask for your login keychain password (the system prompt — it DOES appear).${RESET}`);
-    console.log(`  ${DIM}One prompt per entry; type Mac password + Enter for each.${RESET}`);
+    console.log(`  ${DIM}You may also be asked to "Always Allow" — pick that.${RESET}`);
     console.log();
     const results = fixAllClementineEntries();
     let okCount = 0;
     let failCount = 0;
-    let skipCount = 0;
     for (const r of results) {
         if (r.status === 'fixed') {
-            console.log(`    ${GREEN}✓${RESET} ${r.service}/${r.account}`);
+            console.log(`    ${GREEN}✓${RESET} ${r.account}`);
             okCount++;
         }
-        else if (r.status === 'skipped-foreign') {
-            skipCount++;
-        }
         else {
-            console.log(`    ${RED}✗${RESET} ${r.service}/${r.account} ${DIM}— ${r.error}${RESET}`);
+            console.log(`    ${RED}✗${RESET} ${r.account} ${DIM}— ${r.error}${RESET}`);
             failCount++;
         }
     }
     console.log();
     if (failCount === 0) {
-        console.log(`  ${GREEN}All ${okCount} Clementine entries fixed.${RESET} ${DIM}Future reads via the security CLI succeed silently.${RESET}`);
-        if (skipCount > 0)
-            console.log(`  ${DIM}(${skipCount} foreign entr${skipCount === 1 ? 'y' : 'ies'} left untouched.)${RESET}`);
+        console.log(`  ${GREEN}All ${okCount} entries fixed.${RESET} ${DIM}Future reads via the security CLI succeed silently.${RESET}`);
     }
     else {
-        console.log(`  ${YELLOW}${okCount} fixed, ${failCount} failed${skipCount > 0 ? `, ${skipCount} foreign-skipped` : ''}.${RESET}`);
-        console.log(`  ${DIM}Failed entries can be fixed manually in Keychain Access.app.${RESET}`);
+        console.log(`  ${YELLOW}${okCount} fixed, ${failCount} failed.${RESET}`);
+        console.log(`  ${DIM}Failed entries can be fixed manually in Keychain Access.app:${RESET}`);
+        console.log(`  ${DIM}  search "clementine-agent" → double-click → Access Control → Allow all applications.${RESET}`);
     }
     console.log();
 }

package/dist/gateway/notifications.js

@@ -7,6 +7,7 @@
  */
 import pino from 'pino';
 import { DeliveryQueue } from './delivery-queue.js';
+import { redactSecrets } from '../security/redact.js';
 const logger = pino({ name: 'clementine.notifications' });
 /** Safety cap — prevent runaway messages, but each channel handles its own chunking/limits. */
 const MAX_MESSAGE_LENGTH = 8000;
@@ -62,10 +63,18 @@ export class NotificationDispatcher {
             logger.warn('No notification senders registered — message dropped');
             return { delivered: false, channelErrors: { _: 'no channels registered' } };
         }
+        // Outbound credential redaction — last-line defense against the agent
+        // accidentally (or via prompt injection) shipping a credential to a
+        // public channel. Pattern-based + known-value scan; cheap enough to
+        // run on every send. See src/security/redact.ts for the policy.
+        const { text: redacted, stats: redactionStats } = redactSecrets(text);
+        if (redactionStats.redactionCount > 0) {
+            logger.warn({ count: redactionStats.redactionCount, labels: redactionStats.labelsHit, sessionKey: context?.sessionKey }, `Redacted ${redactionStats.redactionCount} credential-shaped value(s) before delivery`);
+        }
         // Sanity cap only — each channel sender handles its own chunking/truncation
-        const capped = text.length > MAX_MESSAGE_LENGTH
-            ? text.slice(0, MAX_MESSAGE_LENGTH - 20) + '\n\n_(truncated)_'
-            : text;
+        const capped = redacted.length > MAX_MESSAGE_LENGTH
+            ? redacted.slice(0, MAX_MESSAGE_LENGTH - 20) + '\n\n_(truncated)_'
+            : redacted;
         // If sessionKey is set, route only to the channel that owns it.
         // Fan out to all channels only when no originating channel is known.
         const targetChannel = context?.sessionKey ? channelForSessionKey(context.sessionKey) : null;

package/dist/memory/store.js

@@ -1023,8 +1023,10 @@ export class MemoryStore {
         const tagFilters = (category || topic) ? { category, topic } : undefined;
         // 1. FTS5 relevance (fetch extra to allow re-ranking after boost)
         const ftsResults = this.searchFts(query, agentSlug ? limit * 2 : limit, tagFilters, agentSlug && strict ? agentSlug : undefined);
-        // Apply salience boost to FTS results
+        // Apply boosts. Order doesn't matter (all multiplicative) but readability does.
+        const nowMs = Date.now();
         for (const r of ftsResults) {
+            // Salience: editor-curated importance (admin tag, sticky note, etc.)
             if (r.salience > 0) {
                 r.score *= 1.0 + r.salience;
             }
@@ -1036,6 +1038,17 @@ export class MemoryStore {
             if (outcome !== 0) {
                 r.score *= 1.0 + 0.3 * outcome;
             }
+            // Temporal decay — without this, a 2-year-old chunk with the same BM25
+            // score ranks identically to one from yesterday. Half-life of 30 days
+            // (matches TEMPORAL_DECAY_HALF_LIFE_DAYS in config). Applied to a
+            // bounded fraction (max 60% reduction) so genuinely high-relevance
+            // historical context still surfaces — this is a tiebreaker, not a cliff.
+            if (r.lastUpdated) {
+                const daysOld = Math.max(0, (nowMs - new Date(r.lastUpdated).getTime()) / 86_400_000);
+                const decay = temporalDecay(daysOld, 30);
+                // Clamp to [0.4, 1.0] so very old chunks lose at most 60% of their score.
+                r.score *= Math.max(0.4, decay);
+            }
         }
         // Soft-isolation: apply agent affinity boost when not strict
         if (agentSlug && !strict) {

package/dist/security/redact.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Outbound credential redaction.
+ *
+ * Last-line defense against prompt-injection exfil: any outbound text
+ * (Discord, Slack, email, dashboard chat) gets scanned for credential
+ * shapes BEFORE delivery. Matches are replaced with [REDACTED:reason]
+ * so the recipient sees that something was stripped without seeing the
+ * value itself.
+ *
+ * Two layers:
+ *   1. Pattern-based — well-known token formats from common providers
+ *      (Stripe, Anthropic, OpenAI, GitHub, Slack, AWS, Discord). These
+ *      catch credentials whose values we don't know in advance — including
+ *      ones the agent might have just learned about from external sources.
+ *   2. Known-value — exact-match against the live values of credential-
+ *      shaped keys in process.env / .env. Caught even if the format
+ *      doesn't match a known pattern (e.g. internal API keys, custom
+ *      webhook secrets).
+ *
+ * Designed to be cheap (single pass over each pattern + known-value set)
+ * so we can run on every outbound message without measurable latency.
+ *
+ * Designed to err on the side of REDACTING. False positives (a chunk of
+ * text that happens to look like a Stripe key) just produce a [REDACTED]
+ * marker; the recipient knows to ask. False negatives (a real credential
+ * leaked) are the bug we're trying to prevent.
+ */
+export interface RedactionStats {
+    redactionCount: number;
+    /** Labels that fired, deduped. Useful for audit logging. */
+    labelsHit: string[];
+}
+export interface RedactionResult {
+    text: string;
+    stats: RedactionStats;
+}
+/**
+ * Pull credential values from process.env for any key that looks sensitive
+ * (matches isSensitiveEnvKey). Used to build the known-value redaction set
+ * lazily — re-read on each call so a freshly-set credential is covered
+ * within one tick.
+ */
+export declare function buildKnownValueSet(env?: NodeJS.ProcessEnv): Set<string>;
+/**
+ * Run all redaction layers against a string. Returns the redacted text
+ * plus stats about what fired.
+ *
+ * `knownValues` defaults to a fresh process.env scan but tests pass an
+ * explicit set for hermetic coverage.
+ */
+export declare function redactSecrets(text: string, knownValues?: Set<string>): RedactionResult;
+//# sourceMappingURL=redact.d.ts.map

package/dist/security/redact.js

@@ -0,0 +1,105 @@
+/**
+ * Outbound credential redaction.
+ *
+ * Last-line defense against prompt-injection exfil: any outbound text
+ * (Discord, Slack, email, dashboard chat) gets scanned for credential
+ * shapes BEFORE delivery. Matches are replaced with [REDACTED:reason]
+ * so the recipient sees that something was stripped without seeing the
+ * value itself.
+ *
+ * Two layers:
+ *   1. Pattern-based — well-known token formats from common providers
+ *      (Stripe, Anthropic, OpenAI, GitHub, Slack, AWS, Discord). These
+ *      catch credentials whose values we don't know in advance — including
+ *      ones the agent might have just learned about from external sources.
+ *   2. Known-value — exact-match against the live values of credential-
+ *      shaped keys in process.env / .env. Caught even if the format
+ *      doesn't match a known pattern (e.g. internal API keys, custom
+ *      webhook secrets).
+ *
+ * Designed to be cheap (single pass over each pattern + known-value set)
+ * so we can run on every outbound message without measurable latency.
+ *
+ * Designed to err on the side of REDACTING. False positives (a chunk of
+ * text that happens to look like a Stripe key) just produce a [REDACTED]
+ * marker; the recipient knows to ask. False negatives (a real credential
+ * leaked) are the bug we're trying to prevent.
+ */
+import { isSensitiveEnvKey } from '../secrets/sensitivity.js';
+// pragma: allowlist secret (this module exists to recognize secret patterns)
+const PATTERNS = [
+    { label: 'stripe', re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/g },
+    { label: 'anthropic', re: /\bsk-ant-(?:api|admin)\w*-[A-Za-z0-9_-]{16,}\b/g },
+    { label: 'openai-project', re: /\bsk-proj-[A-Za-z0-9_-]{20,}\b/g },
+    { label: 'openai', re: /\bsk-[A-Za-z0-9]{40,}\b/g },
+    { label: 'github', re: /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{30,}\b/g },
+    { label: 'slack', re: /\bxox[abpors]-[A-Za-z0-9-]{10,}\b/g },
+    { label: 'aws-access', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
+    { label: 'discord', re: /\b[A-Za-z0-9_-]{24,28}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{27,38}\b/g },
+    { label: 'jwt', re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
+    { label: 'private-key', re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]+?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
+];
+/**
+ * Pull credential values from process.env for any key that looks sensitive
+ * (matches isSensitiveEnvKey). Used to build the known-value redaction set
+ * lazily — re-read on each call so a freshly-set credential is covered
+ * within one tick.
+ */
+export function buildKnownValueSet(env = process.env) {
+    const out = new Set();
+    for (const [key, value] of Object.entries(env)) {
+        if (!value)
+            continue;
+        if (value.length < 12)
+            continue; // short values likely false positives
+        if (value.startsWith('keychain:'))
+            continue; // reference, not the secret itself
+        if (!isSensitiveEnvKey(key))
+            continue;
+        out.add(value);
+    }
+    return out;
+}
+/**
+ * Run all redaction layers against a string. Returns the redacted text
+ * plus stats about what fired.
+ *
+ * `knownValues` defaults to a fresh process.env scan but tests pass an
+ * explicit set for hermetic coverage.
+ */
+export function redactSecrets(text, knownValues = buildKnownValueSet()) {
+    if (!text)
+        return { text, stats: { redactionCount: 0, labelsHit: [] } };
+    let working = text;
+    const labelsHit = new Set();
+    let count = 0;
+    // Pattern pass first — catches well-known formats whose values we may
+    // not know in advance.
+    for (const { label, re } of PATTERNS) {
+        working = working.replace(re, () => {
+            labelsHit.add(label);
+            count++;
+            return `[REDACTED:${label}]`;
+        });
+    }
+    // Known-value pass — exact-match every credential currently loaded into
+    // process.env. Sort by length descending so longer values get replaced
+    // first (a longer secret might contain a shorter one as substring).
+    const sortedValues = [...knownValues].sort((a, b) => b.length - a.length);
+    for (const v of sortedValues) {
+        if (!v || v.length < 12)
+            continue;
+        let idx = working.indexOf(v);
+        while (idx !== -1) {
+            working = working.slice(0, idx) + '[REDACTED:env]' + working.slice(idx + v.length);
+            labelsHit.add('env');
+            count++;
+            idx = working.indexOf(v, idx + '[REDACTED:env]'.length);
+        }
+    }
+    return {
+        text: working,
+        stats: { redactionCount: count, labelsHit: [...labelsHit] },
+    };
+}
+//# sourceMappingURL=redact.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clementine-agent",
-  "version": "1.1.4",
+  "version": "1.1.5",
   "description": "Clementine — Personal AI Assistant (TypeScript)",
   "type": "module",
   "main": "dist/index.js",