clementine-agent 1.1.4 → 1.1.6

package/dist/agent/assistant.js

@@ -3789,7 +3789,10 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
         const cronProfile = agentSlug && agentSlug !== 'clementine'
             ? this.profileManager.get(agentSlug)
             : null;
-        const cronGuard = new StallGuard();
+        // Cron jobs deliver via side effects (sent emails, updated records, etc),
+        // not chat text — pass mode='cron' so high_effort_low_output guard is
+        // disabled. Loop detection and circular-reasoning checks stay active.
+        const cronGuard = new StallGuard('cron');
         const sdkOptions = this.buildOptions({
             isHeartbeat: true,
             cronTier: tier,
@@ -4271,7 +4274,8 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
             logger.info(`Unleashed task ${jobName}: starting phase ${phase}`);
             // Re-assert autonomous source — a chat message may have changed it between phases
             setInteractionSource('autonomous');
-            const phaseGuard = new StallGuard();
+            // Unleashed phases run side-effect-heavy work; same logic as cron mode.
+            const phaseGuard = new StallGuard('unleashed');
             const sdkOptions = this.buildOptions({
                 isHeartbeat: true,
                 cronTier: tier,

package/dist/agent/metacognition.d.ts

@@ -28,7 +28,21 @@ export interface MetacognitiveSummary {
     confidenceFinal: 'high' | 'medium' | 'low';
     signals: string[];
 }
+/**
+ * Execution mode the monitor is observing. Chat sessions deliver via output
+ * text, so "many tool calls + zero output" is genuinely suspicious. Cron
+ * jobs (especially unleashed) deliver via side effects (sent emails, updated
+ * records, written files) — chat-text length is NOT the success signal, so
+ * the high_effort_low_output heuristic must be disabled or it produces
+ * 100+ false-positive interventions per run (observed 2026-04-26 on
+ * market-leader-followup which sent 17 real emails while this guard fired
+ * 169 times). Other heuristics (circular_reasoning via repeated identical
+ * tool calls, research_without_action via consecutive reads) stay active —
+ * those are real bug shapes regardless of mode.
+ */
+export type MetacognitiveMode = 'chat' | 'cron' | 'unleashed';
 export declare class MetacognitiveMonitor {
+    private readonly mode;
     private toolCalls;
     private uniqueTools;
     private consecutiveReads;
@@ -37,6 +51,7 @@ export declare class MetacognitiveMonitor {
     private interventionCount;
     private signals;
     private confidence;
+    constructor(mode?: MetacognitiveMode);
     /**
      * Record a tool call. Returns a signal if the pattern is concerning.
      */

package/dist/agent/metacognition.js

@@ -25,8 +25,8 @@ const ACTION_TOOLS = new Set([
     'team_message', 'discord_channel_send', 'outlook_draft', 'outlook_send',
     'set_timer', 'self_restart', 'feedback_log', 'teach_skill', 'create_tool',
 ]);
-// ── MetacognitiveMonitor ────────────────────────────────────────────
 export class MetacognitiveMonitor {
+    mode;
     toolCalls = [];
     uniqueTools = new Set();
     consecutiveReads = 0;
@@ -35,6 +35,9 @@ export class MetacognitiveMonitor {
     interventionCount = 0;
     signals = [];
     confidence = 'high';
+    constructor(mode = 'chat') {
+        this.mode = mode;
+    }
     /**
      * Record a tool call. Returns a signal if the pattern is concerning.
      */
@@ -95,31 +98,34 @@ export class MetacognitiveMonitor {
             return signal;
         }
         // Signal: excessive tool calls with near-zero output.
-        // Warn at 20, intervene (hard stop) at 60 — beyond 60 the agent is
-        // almost certainly in a runaway loop that will burn through the
-        // budget cap with nothing to show for it.
-        if (this.toolCalls.length >= 60 && this.outputCharCount < 200) {
-            this.confidence = 'low';
-            if (!this.signals.includes('high_effort_low_output')) {
-                this.signals.push('high_effort_low_output');
-            }
-            this.interventionCount++;
-            return {
-                type: 'intervene',
-                reason: 'high_effort_low_output',
-                guidance: `You've made ${this.toolCalls.length} tool calls across ${this.uniqueTools.size} tools with only ${this.outputCharCount} chars of output. This is a runaway loop. Stopping now to prevent budget waste.`,
-            };
-        }
-        if (this.toolCalls.length > 20 && this.outputCharCount < 200) {
-            this.confidence = 'low';
-            if (!this.signals.includes('high_effort_low_output')) {
-                this.signals.push('high_effort_low_output');
+        // Chat scenarios deliver via output text, so this is meaningful there.
+        // Cron and unleashed scenarios deliver via side effects (emails sent,
+        // records updated, files written) — chat-text length is irrelevant.
+        // Skip entirely outside chat mode.
+        if (this.mode === 'chat') {
+            if (this.toolCalls.length >= 60 && this.outputCharCount < 200) {
+                this.confidence = 'low';
+                if (!this.signals.includes('high_effort_low_output')) {
+                    this.signals.push('high_effort_low_output');
+                }
+                this.interventionCount++;
                 return {
-                    type: 'warn',
+                    type: 'intervene',
                     reason: 'high_effort_low_output',
-                    guidance: 'You\'ve made 20+ tool calls with minimal output. Step back and simplify your approach.',
+                    guidance: `You've made ${this.toolCalls.length} tool calls across ${this.uniqueTools.size} tools with only ${this.outputCharCount} chars of output. This is a runaway loop. Stopping now to prevent budget waste.`,
                 };
             }
+            if (this.toolCalls.length > 20 && this.outputCharCount < 200) {
+                this.confidence = 'low';
+                if (!this.signals.includes('high_effort_low_output')) {
+                    this.signals.push('high_effort_low_output');
+                    return {
+                        type: 'warn',
+                        reason: 'high_effort_low_output',
+                        guidance: 'You\'ve made 20+ tool calls with minimal output. Step back and simplify your approach.',
+                    };
+                }
+            }
         }
         return { type: 'ok' };
     }

package/dist/agent/stall-guard.d.ts

@@ -11,7 +11,8 @@
  *   3. recordToolCall() called for each tool_use block in the stream
  *   4. After query: detectPromiseWithoutAction() + getSummary() for cross-query nudges
  */
-import { type MetacognitiveSignal, type MetacognitiveSummary } from './metacognition.js';
+import { type MetacognitiveMode, type MetacognitiveSignal, type MetacognitiveSummary } from './metacognition.js';
+export type StallGuardMode = MetacognitiveMode;
 export interface StallSummary {
     metacognition: MetacognitiveSummary;
     breakerActivated: boolean;
@@ -20,10 +21,17 @@ export interface StallSummary {
 }
 export declare class StallGuard {
     private loopDetector;
-    private metacog;
+    private readonly metacog;
     private breakerActive;
     private breakerReason;
     private toolCallLog;
+    /**
+     * @param mode 'chat' (default) keeps full output-text-driven heuristics.
+     *             'cron' / 'unleashed' disable the high_effort_low_output check
+     *             since side effects, not chat text, are the deliverable for
+     *             those execution contexts.
+     */
+    constructor(mode?: StallGuardMode);
     /**
      * Check if a tool should be blocked. Called from canUseTool.
      * When the breaker is active, denies read-only tools to force the agent

package/dist/agent/stall-guard.js

@@ -12,7 +12,7 @@
  *   4. After query: detectPromiseWithoutAction() + getSummary() for cross-query nudges
  */
 import { ToolLoopDetector } from './tool-loop-detector.js';
-import { MetacognitiveMonitor } from './metacognition.js';
+import { MetacognitiveMonitor, } from './metacognition.js';
 import pino from 'pino';
 const logger = pino({ name: 'clementine.stall-guard' });
 // Only block SDK read tools — MCP tools (memory_read, etc.) are intentionally
@@ -21,10 +21,19 @@ const READ_ONLY_TOOLS = new Set(['Read', 'Glob', 'Grep', 'WebSearch', 'WebFetch'
 // ── StallGuard ──────────────────────────────────────────────────────
 export class StallGuard {
     loopDetector = new ToolLoopDetector();
-    metacog = new MetacognitiveMonitor();
+    metacog;
     breakerActive = false;
     breakerReason = '';
     toolCallLog = [];
+    /**
+     * @param mode 'chat' (default) keeps full output-text-driven heuristics.
+     *             'cron' / 'unleashed' disable the high_effort_low_output check
+     *             since side effects, not chat text, are the deliverable for
+     *             those execution contexts.
+     */
+    constructor(mode = 'chat') {
+        this.metacog = new MetacognitiveMonitor(mode);
+    }
     /**
      * Check if a tool should be blocked. Called from canUseTool.
      * When the breaker is active, denies read-only tools to force the agent

package/dist/channels/discord-utils.js

@@ -115,7 +115,19 @@ export async function sendChunked(channel, text) {
         return;
     }
     text = sanitizeResponse(text);
-    for (const chunk of chunkText(text, 1900)) {
+    // Last-line outbound credential redaction. Dispatcher-level redaction
+    // (gateway/notifications.ts) covers cron/heartbeat sends, but chat
+    // replies bypass the dispatcher and arrive here directly. Idempotent:
+    // re-redacting an already-redacted string is a no-op since the
+    // [REDACTED:label] markers don't match any pattern or known value.
+    const { redactSecrets } = await import('../security/redact.js');
+    const { text: redacted, stats } = redactSecrets(text);
+    if (stats.redactionCount > 0) {
+        // Log via console — pino isn't imported here and adding an import would
+        // bloat this lightweight utility module.
+        console.warn(`[clementine] sendChunked: redacted ${stats.redactionCount} credential-shaped value(s) [${stats.labelsHit.join(',')}]`);
+    }
+    for (const chunk of chunkText(redacted, 1900)) {
         await channel.send(chunk);
     }
 }

package/dist/channels/slack-utils.js

@@ -13,7 +13,15 @@ export function mdToSlack(text) {
 }
 // ── Chunked sending ───────────────────────────────────────────────────
 export async function sendChunkedSlack(client, channel, text, threadTs) {
-    let remaining = text;
+    // Last-line outbound credential redaction. Same rationale as
+    // discord-utils.sendChunked — chat replies bypass the dispatcher and
+    // arrive here directly, so apply redaction at the channel boundary.
+    const { redactSecrets } = await import('../security/redact.js');
+    const { text: redacted, stats } = redactSecrets(text);
+    if (stats.redactionCount > 0) {
+        console.warn(`[clementine] sendChunkedSlack: redacted ${stats.redactionCount} credential-shaped value(s) [${stats.labelsHit.join(',')}]`);
+    }
+    let remaining = redacted;
     while (remaining) {
         if (remaining.length <= SLACK_MSG_LIMIT) {
             await client.chat.postMessage({ channel, text: remaining, thread_ts: threadTs });

package/dist/channels/telegram.js

@@ -17,7 +17,14 @@ function mdToTelegram(text) {
 }
 // ── Chunked sending ───────────────────────────────────────────────────
 async function sendChunked(bot, chatId, text) {
-    let remaining = text;
+    // Last-line outbound credential redaction. Same rationale as
+    // discord-utils.sendChunked — chat replies bypass the dispatcher.
+    const { redactSecrets } = await import('../security/redact.js');
+    const { text: redacted, stats } = redactSecrets(text);
+    if (stats.redactionCount > 0) {
+        console.warn(`[clementine] telegram sendChunked: redacted ${stats.redactionCount} credential-shaped value(s) [${stats.labelsHit.join(',')}]`);
+    }
+    let remaining = redacted;
     while (remaining) {
         if (remaining.length <= TELEGRAM_MSG_LIMIT) {
             await bot.api.sendMessage(chatId, remaining);

package/dist/cli/dashboard.js

@@ -4322,7 +4322,12 @@ If the tool returns nothing or errors, return an empty array \`[]\`.`,
         try {
             const gateway = await getGateway();
             const response = await gateway.handleMessage('dashboard:web', message);
-            res.json({ ok: true, response });
+            // Outbound credential redaction — same defense applied at the channel
+            // edges. Dashboard is admin-only but a leaked credential in chat output
+            // could still end up in browser history, screenshots, etc.
+            const { redactSecrets } = await import('../security/redact.js');
+            const { text: redacted } = redactSecrets(response ?? '');
+            res.json({ ok: true, response: redacted });
         }
         catch (err) {
             res.status(500).json({ error: String(err) });

package/dist/cli/index.js

@@ -1227,19 +1227,13 @@ async function cmdConfigKeychainFixAcl(opts) {
     const RED = '\x1b[0;31m';
     const RESET = '\x1b[0m';
     const entries = listClementineKeychainEntries();
-    const ours = entries.filter(e => e.isClementine);
-    const foreign = entries.filter(e => !e.isClementine);
     console.log();
-    console.log(`  ${BOLD}Found ${entries.length} entr${entries.length === 1 ? 'y' : 'ies'} under clementine* services.${RESET}`);
-    console.log(`  ${DIM}Will fix ${ours.length}; will skip ${foreign.length} (look like other apps).${RESET}`);
+    console.log(`  ${BOLD}Found ${entries.length} clementine-agent keychain entr${entries.length === 1 ? 'y' : 'ies'}.${RESET}`);
+    for (const e of entries)
+        console.log(`    ${DIM}${e.account}${RESET}`);
     console.log();
-    for (const e of entries) {
-        const tag = e.isClementine ? `${GREEN}fix${RESET}` : `${DIM}skip${RESET}`;
-        console.log(`    [${tag}] ${e.service}/${e.account}`);
-    }
-    console.log();
-    if (ours.length === 0) {
-        console.log(`  ${GREEN}Nothing Clementine-shaped to fix.${RESET}`);
+    if (entries.length === 0) {
+        console.log(`  ${GREEN}Nothing to fix.${RESET}`);
         console.log();
         return;
     }
@@ -1250,34 +1244,29 @@ async function cmdConfigKeychainFixAcl(opts) {
     }
     console.log(`  ${BOLD}Fixing ACLs...${RESET}`);
     console.log(`  ${DIM}macOS may ask for your login keychain password (the system prompt — it DOES appear).${RESET}`);
-    console.log(`  ${DIM}One prompt per entry; type Mac password + Enter for each.${RESET}`);
+    console.log(`  ${DIM}You may also be asked to "Always Allow" — pick that.${RESET}`);
     console.log();
     const results = fixAllClementineEntries();
     let okCount = 0;
     let failCount = 0;
-    let skipCount = 0;
     for (const r of results) {
         if (r.status === 'fixed') {
-            console.log(`    ${GREEN}✓${RESET} ${r.service}/${r.account}`);
+            console.log(`    ${GREEN}✓${RESET} ${r.account}`);
             okCount++;
         }
-        else if (r.status === 'skipped-foreign') {
-            skipCount++;
-        }
         else {
-            console.log(`    ${RED}✗${RESET} ${r.service}/${r.account} ${DIM}— ${r.error}${RESET}`);
+            console.log(`    ${RED}✗${RESET} ${r.account} ${DIM}— ${r.error}${RESET}`);
             failCount++;
         }
     }
     console.log();
     if (failCount === 0) {
-        console.log(`  ${GREEN}All ${okCount} Clementine entries fixed.${RESET} ${DIM}Future reads via the security CLI succeed silently.${RESET}`);
-        if (skipCount > 0)
-            console.log(`  ${DIM}(${skipCount} foreign entr${skipCount === 1 ? 'y' : 'ies'} left untouched.)${RESET}`);
+        console.log(`  ${GREEN}All ${okCount} entries fixed.${RESET} ${DIM}Future reads via the security CLI succeed silently.${RESET}`);
     }
     else {
-        console.log(`  ${YELLOW}${okCount} fixed, ${failCount} failed${skipCount > 0 ? `, ${skipCount} foreign-skipped` : ''}.${RESET}`);
-        console.log(`  ${DIM}Failed entries can be fixed manually in Keychain Access.app.${RESET}`);
+        console.log(`  ${YELLOW}${okCount} fixed, ${failCount} failed.${RESET}`);
+        console.log(`  ${DIM}Failed entries can be fixed manually in Keychain Access.app:${RESET}`);
+        console.log(`  ${DIM}  search "clementine-agent" → double-click → Access Control → Allow all applications.${RESET}`);
     }
     console.log();
 }
@@ -1929,7 +1918,7 @@ configCmd
 });
 configCmd
     .command('migrate-to-keychain')
-    .description('Move plaintext credentials in .env into the macOS keychain (in place)')
+    .description('Move plaintext credentials in .env into the macOS keychain (NOT recommended in v1.1.4+ — keychain entries can produce per-process approval prompts; plain .env at mode 0600 is the supported default)')
     .option('--dry-run', 'Show what would migrate without writing anything')
     .option('-k, --key <name...>', 'Limit to specific key(s); repeat or comma-separate for multiple')
     .action(async (opts) => {

package/dist/config/config-doctor.js

@@ -16,7 +16,6 @@
 import { existsSync, readFileSync } from 'node:fs';
 import path from 'node:path';
 import { computeEffectiveConfig } from './effective-config.js';
-import { isSensitiveEnvKey } from '../secrets/sensitivity.js';
 // ── Type expectations ───────────────────────────────────────────────
 //
 // Keys that must parse as a finite number when set. The inspector already
@@ -165,41 +164,32 @@ function checkChannelRequirements(cfg, findings) {
     }
 }
 function checkPlaintextSecretsInEnv(_cfg, baseDir, findings) {
-    // Scan .env directly for sensitive-looking keys that hold long plaintext
-    // values. Stops bot tokens from quietly sitting in .env when they should
-    // be in the keychain.
+    // Sanity check on .env file permissions.
+    //
+    // History: this function previously WARNED whenever credential-shaped keys
+    // (DISCORD_TOKEN, *_API_KEY, etc.) sat as plaintext in .env, recommending
+    // migration to the macOS Keychain. After the 2026-04-26 rabbit hole
+    // (commits 88cfd99 .. c5a2eb5) we reversed that recommendation: plaintext
+    // .env at mode 0600 is the supported default, and keychain is opt-in only.
+    // The old warning is now misleading guidance, so it's removed.
+    //
+    // What we DO check: file mode. If .env is world-readable or group-readable
+    // we flag that as a real risk regardless of what's inside.
     const envPath = path.join(baseDir, '.env');
     if (!existsSync(envPath))
         return;
-    let raw;
     try {
-        raw = readFileSync(envPath, 'utf-8');
-    }
-    catch {
-        return;
-    }
-    for (const line of raw.split('\n')) {
-        const trimmed = line.trim();
-        if (!trimmed || trimmed.startsWith('#'))
-            continue;
-        const eq = trimmed.indexOf('=');
-        if (eq === -1)
-            continue;
-        const key = trimmed.slice(0, eq);
-        const value = trimmed.slice(eq + 1);
-        if (!isSensitiveEnvKey(key))
-            continue;
-        if (value.startsWith('keychain:'))
-            continue; // already a ref — fine
-        if (value.length < 16)
-            continue; // probably a config-shaped value (port number, etc.)
-        findings.push({
-            severity: 'warning',
-            key,
-            message: `${key} is stored as plaintext in .env. Credential-shaped keys should live in the keychain on macOS.`,
-            fix: `# In a chat with Clementine: env_set ${key} <value> storage=auto  (auto routes credentials to keychain)`,
-        });
+        const st = require('node:fs').statSync(envPath);
+        const worldOrGroupReadable = (st.mode & 0o077) !== 0;
+        if (worldOrGroupReadable) {
+            findings.push({
+                severity: 'error',
+                message: `.env file is readable by other users (mode ${(st.mode & 0o777).toString(8)}). Restrict to owner-only.`,
+                fix: `chmod 600 ${envPath}`,
+            });
+        }
     }
+    catch { /* stat failed — non-fatal, doctor continues */ }
 }
 function checkRangeSanity(cfg, findings) {
     const byKey = new Map(cfg.entries.map(e => [e.key, e]));

package/dist/gateway/notifications.js

@@ -7,6 +7,7 @@
  */
 import pino from 'pino';
 import { DeliveryQueue } from './delivery-queue.js';
+import { redactSecrets } from '../security/redact.js';
 const logger = pino({ name: 'clementine.notifications' });
 /** Safety cap — prevent runaway messages, but each channel handles its own chunking/limits. */
 const MAX_MESSAGE_LENGTH = 8000;
@@ -49,10 +50,20 @@ export class NotificationDispatcher {
     }
     /** Send a notification; automatically queues for retry on total failure. */
     async send(text, context) {
-        const result = await this.sendDirect(text, context);
-        // If delivery failed and there were actual senders (not "no channels"), queue for retry
+        // Outbound credential redaction happens HERE, at the public entrypoint,
+        // BEFORE any failure could enqueue the message for retry. Otherwise an
+        // un-redacted credential would persist to ~/.clementine/.delivery-queue.json
+        // for the retry window. Pattern-based + known-value scan; cheap enough to
+        // run on every send. See src/security/redact.ts for policy.
+        const { text: redacted, stats: redactionStats } = redactSecrets(text);
+        if (redactionStats.redactionCount > 0) {
+            logger.warn({ count: redactionStats.redactionCount, labels: redactionStats.labelsHit, sessionKey: context?.sessionKey }, `Redacted ${redactionStats.redactionCount} credential-shaped value(s) before delivery`);
+        }
+        const result = await this.sendDirect(redacted, context);
+        // If delivery failed and there were actual senders (not "no channels"), queue for retry.
+        // Stored text is already-redacted so disk persistence never holds a credential.
         if (!result.delivered && this.senders.size > 0) {
-            this._retryQueue.enqueue(text, context);
+            this._retryQueue.enqueue(redacted, context);
         }
         return result;
     }
@@ -62,7 +73,9 @@ export class NotificationDispatcher {
             logger.warn('No notification senders registered — message dropped');
             return { delivered: false, channelErrors: { _: 'no channels registered' } };
         }
-        // Sanity cap only — each channel sender handles its own chunking/truncation
+        // Sanity cap only — each channel sender handles its own chunking/truncation.
+        // Redaction happens at send() (public entrypoint) before any retry-enqueue,
+        // so anything reaching here is already safe.
         const capped = text.length > MAX_MESSAGE_LENGTH
             ? text.slice(0, MAX_MESSAGE_LENGTH - 20) + '\n\n_(truncated)_'
             : text;

package/dist/memory/store.js

@@ -1023,8 +1023,10 @@ export class MemoryStore {
         const tagFilters = (category || topic) ? { category, topic } : undefined;
         // 1. FTS5 relevance (fetch extra to allow re-ranking after boost)
         const ftsResults = this.searchFts(query, agentSlug ? limit * 2 : limit, tagFilters, agentSlug && strict ? agentSlug : undefined);
-        // Apply salience boost to FTS results
+        // Apply boosts. Order doesn't matter (all multiplicative) but readability does.
+        const nowMs = Date.now();
         for (const r of ftsResults) {
+            // Salience: editor-curated importance (admin tag, sticky note, etc.)
             if (r.salience > 0) {
                 r.score *= 1.0 + r.salience;
             }
@@ -1036,6 +1038,17 @@ export class MemoryStore {
             if (outcome !== 0) {
                 r.score *= 1.0 + 0.3 * outcome;
             }
+            // Temporal decay — without this, a 2-year-old chunk with the same BM25
+            // score ranks identically to one from yesterday. Half-life of 30 days
+            // (matches TEMPORAL_DECAY_HALF_LIFE_DAYS in config). Applied to a
+            // bounded fraction (max 60% reduction) so genuinely high-relevance
+            // historical context still surfaces — this is a tiebreaker, not a cliff.
+            if (r.lastUpdated) {
+                const daysOld = Math.max(0, (nowMs - new Date(r.lastUpdated).getTime()) / 86_400_000);
+                const decay = temporalDecay(daysOld, 30);
+                // Clamp to [0.4, 1.0] so very old chunks lose at most 60% of their score.
+                r.score *= Math.max(0.4, decay);
+            }
         }
         // Soft-isolation: apply agent affinity boost when not strict
         if (agentSlug && !strict) {

package/dist/security/redact.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Outbound credential redaction.
+ *
+ * Last-line defense against prompt-injection exfil: any outbound text
+ * (Discord, Slack, email, dashboard chat) gets scanned for credential
+ * shapes BEFORE delivery. Matches are replaced with [REDACTED:reason]
+ * so the recipient sees that something was stripped without seeing the
+ * value itself.
+ *
+ * Two layers:
+ *   1. Pattern-based — well-known token formats from common providers
+ *      (Stripe, Anthropic, OpenAI, GitHub, Slack, AWS, Discord). These
+ *      catch credentials whose values we don't know in advance — including
+ *      ones the agent might have just learned about from external sources.
+ *   2. Known-value — exact-match against the live values of credential-
+ *      shaped keys in process.env / .env. Caught even if the format
+ *      doesn't match a known pattern (e.g. internal API keys, custom
+ *      webhook secrets).
+ *
+ * Designed to be cheap (single pass over each pattern + known-value set)
+ * so we can run on every outbound message without measurable latency.
+ *
+ * Designed to err on the side of REDACTING. False positives (a chunk of
+ * text that happens to look like a Stripe key) just produce a [REDACTED]
+ * marker; the recipient knows to ask. False negatives (a real credential
+ * leaked) are the bug we're trying to prevent.
+ */
+export interface RedactionStats {
+    redactionCount: number;
+    /** Labels that fired, deduped. Useful for audit logging. */
+    labelsHit: string[];
+}
+export interface RedactionResult {
+    text: string;
+    stats: RedactionStats;
+}
+/**
+ * Pull credential values from process.env for any key that looks sensitive
+ * (matches isSensitiveEnvKey). Used to build the known-value redaction set
+ * lazily — re-read on each call so a freshly-set credential is covered
+ * within one tick.
+ */
+export declare function buildKnownValueSet(env?: NodeJS.ProcessEnv): Set<string>;
+/**
+ * Run all redaction layers against a string. Returns the redacted text
+ * plus stats about what fired.
+ *
+ * `knownValues` defaults to a fresh process.env scan but tests pass an
+ * explicit set for hermetic coverage.
+ */
+export declare function redactSecrets(text: string, knownValues?: Set<string>): RedactionResult;
+//# sourceMappingURL=redact.d.ts.map

package/dist/security/redact.js

@@ -0,0 +1,105 @@
+/**
+ * Outbound credential redaction.
+ *
+ * Last-line defense against prompt-injection exfil: any outbound text
+ * (Discord, Slack, email, dashboard chat) gets scanned for credential
+ * shapes BEFORE delivery. Matches are replaced with [REDACTED:reason]
+ * so the recipient sees that something was stripped without seeing the
+ * value itself.
+ *
+ * Two layers:
+ *   1. Pattern-based — well-known token formats from common providers
+ *      (Stripe, Anthropic, OpenAI, GitHub, Slack, AWS, Discord). These
+ *      catch credentials whose values we don't know in advance — including
+ *      ones the agent might have just learned about from external sources.
+ *   2. Known-value — exact-match against the live values of credential-
+ *      shaped keys in process.env / .env. Caught even if the format
+ *      doesn't match a known pattern (e.g. internal API keys, custom
+ *      webhook secrets).
+ *
+ * Designed to be cheap (single pass over each pattern + known-value set)
+ * so we can run on every outbound message without measurable latency.
+ *
+ * Designed to err on the side of REDACTING. False positives (a chunk of
+ * text that happens to look like a Stripe key) just produce a [REDACTED]
+ * marker; the recipient knows to ask. False negatives (a real credential
+ * leaked) are the bug we're trying to prevent.
+ */
+import { isSensitiveEnvKey } from '../secrets/sensitivity.js';
+// pragma: allowlist secret (this module exists to recognize secret patterns)
+const PATTERNS = [
+    { label: 'stripe', re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/g },
+    { label: 'anthropic', re: /\bsk-ant-(?:api|admin)\w*-[A-Za-z0-9_-]{16,}\b/g },
+    { label: 'openai-project', re: /\bsk-proj-[A-Za-z0-9_-]{20,}\b/g },
+    { label: 'openai', re: /\bsk-[A-Za-z0-9]{40,}\b/g },
+    { label: 'github', re: /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{30,}\b/g },
+    { label: 'slack', re: /\bxox[abpors]-[A-Za-z0-9-]{10,}\b/g },
+    { label: 'aws-access', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
+    { label: 'discord', re: /\b[A-Za-z0-9_-]{24,28}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{27,38}\b/g },
+    { label: 'jwt', re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
+    { label: 'private-key', re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]+?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
+];
+/**
+ * Pull credential values from process.env for any key that looks sensitive
+ * (matches isSensitiveEnvKey). Used to build the known-value redaction set
+ * lazily — re-read on each call so a freshly-set credential is covered
+ * within one tick.
+ */
+export function buildKnownValueSet(env = process.env) {
+    const out = new Set();
+    for (const [key, value] of Object.entries(env)) {
+        if (!value)
+            continue;
+        if (value.length < 12)
+            continue; // short values likely false positives
+        if (value.startsWith('keychain:'))
+            continue; // reference, not the secret itself
+        if (!isSensitiveEnvKey(key))
+            continue;
+        out.add(value);
+    }
+    return out;
+}
+/**
+ * Run all redaction layers against a string. Returns the redacted text
+ * plus stats about what fired.
+ *
+ * `knownValues` defaults to a fresh process.env scan but tests pass an
+ * explicit set for hermetic coverage.
+ */
+export function redactSecrets(text, knownValues = buildKnownValueSet()) {
+    if (!text)
+        return { text, stats: { redactionCount: 0, labelsHit: [] } };
+    let working = text;
+    const labelsHit = new Set();
+    let count = 0;
+    // Pattern pass first — catches well-known formats whose values we may
+    // not know in advance.
+    for (const { label, re } of PATTERNS) {
+        working = working.replace(re, () => {
+            labelsHit.add(label);
+            count++;
+            return `[REDACTED:${label}]`;
+        });
+    }
+    // Known-value pass — exact-match every credential currently loaded into
+    // process.env. Sort by length descending so longer values get replaced
+    // first (a longer secret might contain a shorter one as substring).
+    const sortedValues = [...knownValues].sort((a, b) => b.length - a.length);
+    for (const v of sortedValues) {
+        if (!v || v.length < 12)
+            continue;
+        let idx = working.indexOf(v);
+        while (idx !== -1) {
+            working = working.slice(0, idx) + '[REDACTED:env]' + working.slice(idx + v.length);
+            labelsHit.add('env');
+            count++;
+            idx = working.indexOf(v, idx + '[REDACTED:env]'.length);
+        }
+    }
+    return {
+        text: working,
+        stats: { redactionCount: count, labelsHit: [...labelsHit] },
+    };
+}
+//# sourceMappingURL=redact.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clementine-agent",
-  "version": "1.1.4",
+  "version": "1.1.6",
   "description": "Clementine — Personal AI Assistant (TypeScript)",
   "type": "module",
   "main": "dist/index.js",