clementine-agent 1.1.5 → 1.1.6

package/dist/channels/discord-utils.js

@@ -115,7 +115,19 @@ export async function sendChunked(channel, text) {
         return;
     }
     text = sanitizeResponse(text);
-    for (const chunk of chunkText(text, 1900)) {
+    // Last-line outbound credential redaction. Dispatcher-level redaction
+    // (gateway/notifications.ts) covers cron/heartbeat sends, but chat
+    // replies bypass the dispatcher and arrive here directly. Idempotent:
+    // re-redacting an already-redacted string is a no-op since the
+    // [REDACTED:label] markers don't match any pattern or known value.
+    const { redactSecrets } = await import('../security/redact.js');
+    const { text: redacted, stats } = redactSecrets(text);
+    if (stats.redactionCount > 0) {
+        // Log via console — pino isn't imported here and adding an import would
+        // bloat this lightweight utility module.
+        console.warn(`[clementine] sendChunked: redacted ${stats.redactionCount} credential-shaped value(s) [${stats.labelsHit.join(',')}]`);
+    }
+    for (const chunk of chunkText(redacted, 1900)) {
         await channel.send(chunk);
     }
 }

package/dist/channels/slack-utils.js

@@ -13,7 +13,15 @@ export function mdToSlack(text) {
 }
 // ── Chunked sending ───────────────────────────────────────────────────
 export async function sendChunkedSlack(client, channel, text, threadTs) {
-    let remaining = text;
+    // Last-line outbound credential redaction. Same rationale as
+    // discord-utils.sendChunked — chat replies bypass the dispatcher and
+    // arrive here directly, so apply redaction at the channel boundary.
+    const { redactSecrets } = await import('../security/redact.js');
+    const { text: redacted, stats } = redactSecrets(text);
+    if (stats.redactionCount > 0) {
+        console.warn(`[clementine] sendChunkedSlack: redacted ${stats.redactionCount} credential-shaped value(s) [${stats.labelsHit.join(',')}]`);
+    }
+    let remaining = redacted;
     while (remaining) {
         if (remaining.length <= SLACK_MSG_LIMIT) {
             await client.chat.postMessage({ channel, text: remaining, thread_ts: threadTs });

package/dist/channels/telegram.js

@@ -17,7 +17,14 @@ function mdToTelegram(text) {
 }
 // ── Chunked sending ───────────────────────────────────────────────────
 async function sendChunked(bot, chatId, text) {
-    let remaining = text;
+    // Last-line outbound credential redaction. Same rationale as
+    // discord-utils.sendChunked — chat replies bypass the dispatcher.
+    const { redactSecrets } = await import('../security/redact.js');
+    const { text: redacted, stats } = redactSecrets(text);
+    if (stats.redactionCount > 0) {
+        console.warn(`[clementine] telegram sendChunked: redacted ${stats.redactionCount} credential-shaped value(s) [${stats.labelsHit.join(',')}]`);
+    }
+    let remaining = redacted;
     while (remaining) {
         if (remaining.length <= TELEGRAM_MSG_LIMIT) {
             await bot.api.sendMessage(chatId, remaining);

package/dist/cli/dashboard.js

@@ -4322,7 +4322,12 @@ If the tool returns nothing or errors, return an empty array \`[]\`.`,
         try {
             const gateway = await getGateway();
             const response = await gateway.handleMessage('dashboard:web', message);
-            res.json({ ok: true, response });
+            // Outbound credential redaction — same defense applied at the channel
+            // edges. Dashboard is admin-only but a leaked credential in chat output
+            // could still end up in browser history, screenshots, etc.
+            const { redactSecrets } = await import('../security/redact.js');
+            const { text: redacted } = redactSecrets(response ?? '');
+            res.json({ ok: true, response: redacted });
         }
         catch (err) {
             res.status(500).json({ error: String(err) });

package/dist/cli/index.js

@@ -1918,7 +1918,7 @@ configCmd
 });
 configCmd
     .command('migrate-to-keychain')
-    .description('Move plaintext credentials in .env into the macOS keychain (in place)')
+    .description('Move plaintext credentials in .env into the macOS keychain (NOT recommended in v1.1.4+ — keychain entries can produce per-process approval prompts; plain .env at mode 0600 is the supported default)')
     .option('--dry-run', 'Show what would migrate without writing anything')
     .option('-k, --key <name...>', 'Limit to specific key(s); repeat or comma-separate for multiple')
     .action(async (opts) => {

package/dist/config/config-doctor.js

@@ -16,7 +16,6 @@
 import { existsSync, readFileSync } from 'node:fs';
 import path from 'node:path';
 import { computeEffectiveConfig } from './effective-config.js';
-import { isSensitiveEnvKey } from '../secrets/sensitivity.js';
 // ── Type expectations ───────────────────────────────────────────────
 //
 // Keys that must parse as a finite number when set. The inspector already
@@ -165,41 +164,32 @@ function checkChannelRequirements(cfg, findings) {
     }
 }
 function checkPlaintextSecretsInEnv(_cfg, baseDir, findings) {
-    // Scan .env directly for sensitive-looking keys that hold long plaintext
-    // values. Stops bot tokens from quietly sitting in .env when they should
-    // be in the keychain.
+    // Sanity check on .env file permissions.
+    //
+    // History: this function previously WARNED whenever credential-shaped keys
+    // (DISCORD_TOKEN, *_API_KEY, etc.) sat as plaintext in .env, recommending
+    // migration to the macOS Keychain. After the 2026-04-26 rabbit hole
+    // (commits 88cfd99 .. c5a2eb5) we reversed that recommendation: plaintext
+    // .env at mode 0600 is the supported default, and keychain is opt-in only.
+    // The old warning is now misleading guidance, so it's removed.
+    //
+    // What we DO check: file mode. If .env is world-readable or group-readable
+    // we flag that as a real risk regardless of what's inside.
     const envPath = path.join(baseDir, '.env');
     if (!existsSync(envPath))
         return;
-    let raw;
     try {
-        raw = readFileSync(envPath, 'utf-8');
-    }
-    catch {
-        return;
-    }
-    for (const line of raw.split('\n')) {
-        const trimmed = line.trim();
-        if (!trimmed || trimmed.startsWith('#'))
-            continue;
-        const eq = trimmed.indexOf('=');
-        if (eq === -1)
-            continue;
-        const key = trimmed.slice(0, eq);
-        const value = trimmed.slice(eq + 1);
-        if (!isSensitiveEnvKey(key))
-            continue;
-        if (value.startsWith('keychain:'))
-            continue; // already a ref — fine
-        if (value.length < 16)
-            continue; // probably a config-shaped value (port number, etc.)
-        findings.push({
-            severity: 'warning',
-            key,
-            message: `${key} is stored as plaintext in .env. Credential-shaped keys should live in the keychain on macOS.`,
-            fix: `# In a chat with Clementine: env_set ${key} <value> storage=auto  (auto routes credentials to keychain)`,
-        });
+        const st = require('node:fs').statSync(envPath);
+        const worldOrGroupReadable = (st.mode & 0o077) !== 0;
+        if (worldOrGroupReadable) {
+            findings.push({
+                severity: 'error',
+                message: `.env file is readable by other users (mode ${(st.mode & 0o777).toString(8)}). Restrict to owner-only.`,
+                fix: `chmod 600 ${envPath}`,
+            });
+        }
     }
+    catch { /* stat failed — non-fatal, doctor continues */ }
 }
 function checkRangeSanity(cfg, findings) {
     const byKey = new Map(cfg.entries.map(e => [e.key, e]));

package/dist/gateway/notifications.js

@@ -50,10 +50,20 @@ export class NotificationDispatcher {
     }
     /** Send a notification; automatically queues for retry on total failure. */
     async send(text, context) {
-        const result = await this.sendDirect(text, context);
-        // If delivery failed and there were actual senders (not "no channels"), queue for retry
+        // Outbound credential redaction happens HERE, at the public entrypoint,
+        // BEFORE any failure could enqueue the message for retry. Otherwise an
+        // un-redacted credential would persist to ~/.clementine/.delivery-queue.json
+        // for the retry window. Pattern-based + known-value scan; cheap enough to
+        // run on every send. See src/security/redact.ts for policy.
+        const { text: redacted, stats: redactionStats } = redactSecrets(text);
+        if (redactionStats.redactionCount > 0) {
+            logger.warn({ count: redactionStats.redactionCount, labels: redactionStats.labelsHit, sessionKey: context?.sessionKey }, `Redacted ${redactionStats.redactionCount} credential-shaped value(s) before delivery`);
+        }
+        const result = await this.sendDirect(redacted, context);
+        // If delivery failed and there were actual senders (not "no channels"), queue for retry.
+        // Stored text is already-redacted so disk persistence never holds a credential.
         if (!result.delivered && this.senders.size > 0) {
-            this._retryQueue.enqueue(text, context);
+            this._retryQueue.enqueue(redacted, context);
         }
         return result;
     }
@@ -63,18 +73,12 @@ export class NotificationDispatcher {
             logger.warn('No notification senders registered — message dropped');
             return { delivered: false, channelErrors: { _: 'no channels registered' } };
         }
-        // Outbound credential redaction — last-line defense against the agent
-        // accidentally (or via prompt injection) shipping a credential to a
-        // public channel. Pattern-based + known-value scan; cheap enough to
-        // run on every send. See src/security/redact.ts for the policy.
-        const { text: redacted, stats: redactionStats } = redactSecrets(text);
-        if (redactionStats.redactionCount > 0) {
-            logger.warn({ count: redactionStats.redactionCount, labels: redactionStats.labelsHit, sessionKey: context?.sessionKey }, `Redacted ${redactionStats.redactionCount} credential-shaped value(s) before delivery`);
-        }
-        // Sanity cap only — each channel sender handles its own chunking/truncation
-        const capped = redacted.length > MAX_MESSAGE_LENGTH
-            ? redacted.slice(0, MAX_MESSAGE_LENGTH - 20) + '\n\n_(truncated)_'
-            : redacted;
+        // Sanity cap only — each channel sender handles its own chunking/truncation.
+        // Redaction happens at send() (public entrypoint) before any retry-enqueue,
+        // so anything reaching here is already safe.
+        const capped = text.length > MAX_MESSAGE_LENGTH
+            ? text.slice(0, MAX_MESSAGE_LENGTH - 20) + '\n\n_(truncated)_'
+            : text;
         // If sessionKey is set, route only to the channel that owns it.
         // Fan out to all channels only when no originating channel is known.
         const targetChannel = context?.sessionKey ? channelForSessionKey(context.sessionKey) : null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clementine-agent",
-  "version": "1.1.5",
+  "version": "1.1.6",
   "description": "Clementine — Personal AI Assistant (TypeScript)",
   "type": "module",
   "main": "dist/index.js",