clementine-agent 1.1.5 → 1.1.7

package/dist/channels/discord-utils.js

@@ -115,7 +115,19 @@ export async function sendChunked(channel, text) {
         return;
     }
     text = sanitizeResponse(text);
-    for (const chunk of chunkText(text, 1900)) {
+    // Last-line outbound credential redaction. Dispatcher-level redaction
+    // (gateway/notifications.ts) covers cron/heartbeat sends, but chat
+    // replies bypass the dispatcher and arrive here directly. Idempotent:
+    // re-redacting an already-redacted string is a no-op since the
+    // [REDACTED:label] markers don't match any pattern or known value.
+    const { redactSecrets } = await import('../security/redact.js');
+    const { text: redacted, stats } = redactSecrets(text);
+    if (stats.redactionCount > 0) {
+        // Log via console — pino isn't imported here and adding an import would
+        // bloat this lightweight utility module.
+        console.warn(`[clementine] sendChunked: redacted ${stats.redactionCount} credential-shaped value(s) [${stats.labelsHit.join(',')}]`);
+    }
+    for (const chunk of chunkText(redacted, 1900)) {
         await channel.send(chunk);
     }
 }

package/dist/channels/slack-utils.js

@@ -13,7 +13,15 @@ export function mdToSlack(text) {
 }
 // ── Chunked sending ───────────────────────────────────────────────────
 export async function sendChunkedSlack(client, channel, text, threadTs) {
-    let remaining = text;
+    // Last-line outbound credential redaction. Same rationale as
+    // discord-utils.sendChunked — chat replies bypass the dispatcher and
+    // arrive here directly, so apply redaction at the channel boundary.
+    const { redactSecrets } = await import('../security/redact.js');
+    const { text: redacted, stats } = redactSecrets(text);
+    if (stats.redactionCount > 0) {
+        console.warn(`[clementine] sendChunkedSlack: redacted ${stats.redactionCount} credential-shaped value(s) [${stats.labelsHit.join(',')}]`);
+    }
+    let remaining = redacted;
     while (remaining) {
         if (remaining.length <= SLACK_MSG_LIMIT) {
             await client.chat.postMessage({ channel, text: remaining, thread_ts: threadTs });

package/dist/channels/telegram.js

@@ -17,7 +17,14 @@ function mdToTelegram(text) {
 }
 // ── Chunked sending ───────────────────────────────────────────────────
 async function sendChunked(bot, chatId, text) {
-    let remaining = text;
+    // Last-line outbound credential redaction. Same rationale as
+    // discord-utils.sendChunked — chat replies bypass the dispatcher.
+    const { redactSecrets } = await import('../security/redact.js');
+    const { text: redacted, stats } = redactSecrets(text);
+    if (stats.redactionCount > 0) {
+        console.warn(`[clementine] telegram sendChunked: redacted ${stats.redactionCount} credential-shaped value(s) [${stats.labelsHit.join(',')}]`);
+    }
+    let remaining = redacted;
     while (remaining) {
         if (remaining.length <= TELEGRAM_MSG_LIMIT) {
             await bot.api.sendMessage(chatId, remaining);

package/dist/cli/dashboard.js

@@ -4322,7 +4322,12 @@ If the tool returns nothing or errors, return an empty array \`[]\`.`,
         try {
             const gateway = await getGateway();
             const response = await gateway.handleMessage('dashboard:web', message);
-            res.json({ ok: true, response });
+            // Outbound credential redaction — same defense applied at the channel
+            // edges. Dashboard is admin-only but a leaked credential in chat output
+            // could still end up in browser history, screenshots, etc.
+            const { redactSecrets } = await import('../security/redact.js');
+            const { text: redacted } = redactSecrets(response ?? '');
+            res.json({ ok: true, response: redacted });
         }
         catch (err) {
             res.status(500).json({ error: String(err) });

package/dist/cli/index.js

@@ -1918,7 +1918,7 @@ configCmd
 });
 configCmd
     .command('migrate-to-keychain')
-    .description('Move plaintext credentials in .env into the macOS keychain (in place)')
+    .description('Move plaintext credentials in .env into the macOS keychain (NOT recommended in v1.1.4+ — keychain entries can produce per-process approval prompts; plain .env at mode 0600 is the supported default)')
     .option('--dry-run', 'Show what would migrate without writing anything')
     .option('-k, --key <name...>', 'Limit to specific key(s); repeat or comma-separate for multiple')
     .action(async (opts) => {

package/dist/config/config-doctor.js

@@ -16,7 +16,6 @@
 import { existsSync, readFileSync } from 'node:fs';
 import path from 'node:path';
 import { computeEffectiveConfig } from './effective-config.js';
-import { isSensitiveEnvKey } from '../secrets/sensitivity.js';
 // ── Type expectations ───────────────────────────────────────────────
 //
 // Keys that must parse as a finite number when set. The inspector already
@@ -165,41 +164,32 @@ function checkChannelRequirements(cfg, findings) {
     }
 }
 function checkPlaintextSecretsInEnv(_cfg, baseDir, findings) {
-    // Scan .env directly for sensitive-looking keys that hold long plaintext
-    // values. Stops bot tokens from quietly sitting in .env when they should
-    // be in the keychain.
+    // Sanity check on .env file permissions.
+    //
+    // History: this function previously WARNED whenever credential-shaped keys
+    // (DISCORD_TOKEN, *_API_KEY, etc.) sat as plaintext in .env, recommending
+    // migration to the macOS Keychain. After the 2026-04-26 rabbit hole
+    // (commits 88cfd99 .. c5a2eb5) we reversed that recommendation: plaintext
+    // .env at mode 0600 is the supported default, and keychain is opt-in only.
+    // The old warning is now misleading guidance, so it's removed.
+    //
+    // What we DO check: file mode. If .env is world-readable or group-readable
+    // we flag that as a real risk regardless of what's inside.
     const envPath = path.join(baseDir, '.env');
     if (!existsSync(envPath))
         return;
-    let raw;
     try {
-        raw = readFileSync(envPath, 'utf-8');
-    }
-    catch {
-        return;
-    }
-    for (const line of raw.split('\n')) {
-        const trimmed = line.trim();
-        if (!trimmed || trimmed.startsWith('#'))
-            continue;
-        const eq = trimmed.indexOf('=');
-        if (eq === -1)
-            continue;
-        const key = trimmed.slice(0, eq);
-        const value = trimmed.slice(eq + 1);
-        if (!isSensitiveEnvKey(key))
-            continue;
-        if (value.startsWith('keychain:'))
-            continue; // already a ref — fine
-        if (value.length < 16)
-            continue; // probably a config-shaped value (port number, etc.)
-        findings.push({
-            severity: 'warning',
-            key,
-            message: `${key} is stored as plaintext in .env. Credential-shaped keys should live in the keychain on macOS.`,
-            fix: `# In a chat with Clementine: env_set ${key} <value> storage=auto  (auto routes credentials to keychain)`,
-        });
+        const st = require('node:fs').statSync(envPath);
+        const worldOrGroupReadable = (st.mode & 0o077) !== 0;
+        if (worldOrGroupReadable) {
+            findings.push({
+                severity: 'error',
+                message: `.env file is readable by other users (mode ${(st.mode & 0o777).toString(8)}). Restrict to owner-only.`,
+                fix: `chmod 600 ${envPath}`,
+            });
+        }
     }
+    catch { /* stat failed — non-fatal, doctor continues */ }
 }
 function checkRangeSanity(cfg, findings) {
     const byKey = new Map(cfg.entries.map(e => [e.key, e]));

package/dist/gateway/fix-applier.js

@@ -358,6 +358,18 @@ function applyAdvisorRuleFix(jobName, autoApply, opts) {
     }
     appendAudit({ kind: 'advisor-rule', jobName, file: targetPath, ruleId: autoApply.ruleId, diff });
     logger.info({ jobName, ruleId: autoApply.ruleId, file: targetPath }, 'Applied advisor-rule fix');
+    // Phase 8.1 — record this autoApply for verification. The next
+    // AUTOAPPLY_VERDICT_WINDOW non-skipped runs decide whether the rule
+    // helped; if not, fix-verification auto-reverts (deletes the file).
+    // Lazy import to avoid circular dependency (fix-verification imports
+    // failure-monitor which transitively touches the cron path).
+    import('./fix-verification.js').then(({ recordAutoApplyForVerification }) => {
+        recordAutoApplyForVerification(jobName, {
+            kind: 'advisor-rule',
+            file: targetPath,
+            ruleId: autoApply.ruleId,
+        });
+    }).catch(err => logger.warn({ err, jobName }, 'Failed to record autoApply for verification'));
     return {
         ok: true,
         message: `Wrote advisor rule ${autoApply.ruleId} (hot-reloads on next eval)`,
@@ -408,6 +420,15 @@ function applyPromptOverrideFix(jobName, autoApply, opts) {
         diff,
     });
     logger.info({ jobName, scope: autoApply.scope, scopeKey: autoApply.scopeKey, file: targetPath }, 'Applied prompt-override fix');
+    // Phase 8.1 — same multi-run verification flow as advisor-rule.
+    import('./fix-verification.js').then(({ recordAutoApplyForVerification }) => {
+        recordAutoApplyForVerification(jobName, {
+            kind: 'prompt-override',
+            file: targetPath,
+            scope: autoApply.scope,
+            scopeKey: autoApply.scopeKey,
+        });
+    }).catch(err => logger.warn({ err, jobName }, 'Failed to record autoApply for verification'));
     return {
         ok: true,
         message: `Wrote prompt override ${autoApply.scope}${autoApply.scopeKey ? `:${autoApply.scopeKey}` : ''}`,

package/dist/gateway/fix-verification.d.ts

@@ -13,6 +13,29 @@ interface PendingVerification {
     recordedAt: string;
     preFailureCount: number;
     preLastError: string | null;
+    /** Used by Phase 8.1 — when set, the verifier is also responsible for
+     * deleting this artifact if the fix doesn't help. Existing CRON.md edits
+     * leave this unset (they're hand-edits, not auto-applies, so we never
+     * revert them automatically). */
+    autoApply?: AutoApplyTracker;
+    /** Run-by-run history accumulated since the fix was applied. Single-run
+     * verdicts (the original CRON.md flow) only need the first entry; multi-
+     * run autoApply verifications need the accumulated sample. */
+    postRunOutcomes?: Array<'ok' | 'error' | 'retried'>;
+}
+/**
+ * Tracks an autoApply that's currently being verified. When the verdict
+ * window closes negatively, revertFix() uses these fields to undo.
+ */
+export interface AutoApplyTracker {
+    kind: 'advisor-rule' | 'prompt-override';
+    /** Absolute path of the file the apply wrote. */
+    file: string;
+    /** advisor-rule only: the rule's id, used by the loader's hot-reload. */
+    ruleId?: string;
+    /** prompt-override only: scope label for the verdict message. */
+    scope?: 'global' | 'agent' | 'job';
+    scopeKey?: string;
 }
 /**
  * Compare an old and new jobs list and record verifications for any job that:
@@ -25,15 +48,32 @@ interface PendingVerification {
  * pending verification" rather than waiting for a run that will never come.
  */
 export declare function recordEditsForFailingJobs(oldJobs: CronJobDefinition[], newJobs: CronJobDefinition[]): void;
+/**
+ * Phase 8.1 — record a pending verification for an autoApply (advisor-rule
+ * or prompt-override) so the verifier can roll the fix back if the next
+ * AUTOAPPLY_VERDICT_WINDOW runs don't show improvement.
+ *
+ * Called from fix-applier.applyFix on success. Idempotent: if a previous
+ * verification for the same job is still pending, the new tracker overwrites
+ * it (the most-recent fix is the one we're verifying).
+ */
+export declare function recordAutoApplyForVerification(jobName: string, tracker: AutoApplyTracker): void;
 /**
  * After a cron run completes, check whether we were waiting on a fix
- * verification for this job. If so, send the owner a verdict and clear it.
+ * verification for this job. Two flows:
+ *
+ *   1. Hand-edit (CRON.md) — verdict on the FIRST non-skipped run. Original
+ *      Phase 7 behavior, preserved.
+ *   2. AutoApply (advisor-rule / prompt-override) — accumulate up to
+ *      AUTOAPPLY_VERDICT_WINDOW outcomes, then decide. If 0 successes,
+ *      revert the file. Either way, DM the verdict.
  *
- * Skipped runs (circuit breaker, pre-check exit, etc.) don't carry signal
- * and shouldn't count as a verdict either way.
+ * Skipped runs don't carry signal and don't advance the window in either flow.
  */
 export declare function checkAndDeliverVerification(entry: CronRunEntry, send: (text: string) => Promise<unknown>): Promise<void>;
 /** Read-only accessor for dashboards or debugging. */
 export declare function listPendingVerifications(): PendingVerification[];
+/** Test helper — clear all state. */
+export declare function _resetVerificationState(): void;
 export {};
 //# sourceMappingURL=fix-verification.d.ts.map

package/dist/gateway/fix-verification.js

@@ -15,6 +15,13 @@ import { BASE_DIR } from '../config.js';
 import { computeBrokenJobs } from './failure-monitor.js';
 const logger = pino({ name: 'clementine.fix-verification' });
 const STATE_FILE = path.join(BASE_DIR, 'cron', 'fix-verifications.json');
+/**
+ * Number of post-fix runs we accumulate before deciding an autoApply
+ * verdict. Single sample is too noisy; ten is too patient. Three is
+ * a tight window: 0/3 successes after a "fix" is overwhelming evidence
+ * the fix didn't help.
+ */
+const AUTOAPPLY_VERDICT_WINDOW = 3;
 function loadState() {
     try {
         if (!existsSync(STATE_FILE))
@@ -109,12 +116,62 @@ export function recordEditsForFailingJobs(oldJobs, newJobs) {
     if (mutated)
         saveState(state);
 }
+/**
+ * Phase 8.1 — record a pending verification for an autoApply (advisor-rule
+ * or prompt-override) so the verifier can roll the fix back if the next
+ * AUTOAPPLY_VERDICT_WINDOW runs don't show improvement.
+ *
+ * Called from fix-applier.applyFix on success. Idempotent: if a previous
+ * verification for the same job is still pending, the new tracker overwrites
+ * it (the most-recent fix is the one we're verifying).
+ */
+export function recordAutoApplyForVerification(jobName, tracker) {
+    const state = loadState();
+    const broken = computeBrokenJobs();
+    const b = broken.find(x => x.jobName === jobName);
+    state.pending[jobName] = {
+        jobName,
+        recordedAt: new Date().toISOString(),
+        preFailureCount: b?.errorCount48h ?? 0,
+        preLastError: b?.lastErrors[0] ?? null,
+        autoApply: tracker,
+        postRunOutcomes: [],
+    };
+    saveState(state);
+    logger.info({ job: jobName, kind: tracker.kind, file: tracker.file }, 'Recorded autoApply for verification — will track next runs');
+}
+/**
+ * Undo an autoApply by deleting the file the apply wrote. Best-effort:
+ * a missing file is not an error (might have been hand-deleted). Returns
+ * true if a file was actually removed.
+ */
+function revertAutoApply(tracker) {
+    try {
+        if (existsSync(tracker.file)) {
+            // Use unlinkSync from fs — kept dynamic to avoid a top-of-file import
+            // we don't otherwise need.
+            const { unlinkSync } = require('node:fs');
+            unlinkSync(tracker.file);
+            logger.warn({ file: tracker.file, kind: tracker.kind }, 'Reverted autoApply — fix did not help');
+            return true;
+        }
+    }
+    catch (err) {
+        logger.warn({ err, file: tracker.file }, 'Failed to delete autoApply file during revert');
+    }
+    return false;
+}
 /**
  * After a cron run completes, check whether we were waiting on a fix
- * verification for this job. If so, send the owner a verdict and clear it.
+ * verification for this job. Two flows:
+ *
+ *   1. Hand-edit (CRON.md) — verdict on the FIRST non-skipped run. Original
+ *      Phase 7 behavior, preserved.
+ *   2. AutoApply (advisor-rule / prompt-override) — accumulate up to
+ *      AUTOAPPLY_VERDICT_WINDOW outcomes, then decide. If 0 successes,
+ *      revert the file. Either way, DM the verdict.
  *
- * Skipped runs (circuit breaker, pre-check exit, etc.) don't carry signal
- * and shouldn't count as a verdict either way.
+ * Skipped runs don't carry signal and don't advance the window in either flow.
  */
 export async function checkAndDeliverVerification(entry, send) {
     if (entry.status === 'skipped')
@@ -123,15 +180,60 @@ export async function checkAndDeliverVerification(entry, send) {
     const pending = state.pending[entry.jobName];
     if (!pending)
         return;
+    // Hand-edit flow — single-run verdict, unchanged.
+    if (!pending.autoApply) {
+        delete state.pending[entry.jobName];
+        saveState(state);
+        const ok = entry.status === 'ok';
+        const verdict = ok ? '✅ succeeded' : '⚠️ still failing';
+        const ageMin = Math.max(1, Math.round((Date.now() - Date.parse(pending.recordedAt)) / 60000));
+        const detail = ok ? '' : `\nError: ${(entry.error ?? 'unknown').split('\n')[0].slice(0, 200)}`;
+        const msg = `**[Fix verification]** \`${entry.jobName}\` ${verdict} on its first run after edit (${ageMin}m later).${detail}`;
+        try {
+            await send(msg);
+        }
+        catch (err) {
+            logger.warn({ err, job: entry.jobName }, 'Failed to send fix verification DM');
+        }
+        return;
+    }
+    // AutoApply flow — accumulate the sample first.
+    const outcomes = pending.postRunOutcomes ?? [];
+    outcomes.push(entry.status);
+    pending.postRunOutcomes = outcomes;
+    if (outcomes.length < AUTOAPPLY_VERDICT_WINDOW) {
+        // Not enough sample yet — persist accumulated state, wait for more runs.
+        saveState(state);
+        return;
+    }
+    // Decision time.
     delete state.pending[entry.jobName];
     saveState(state);
-    const ok = entry.status === 'ok';
-    const verdict = ok ? '✅ succeeded' : '⚠️ still failing';
+    const successes = outcomes.filter(o => o === 'ok').length;
     const ageMin = Math.max(1, Math.round((Date.now() - Date.parse(pending.recordedAt)) / 60000));
-    const detail = ok
-        ? ''
-        : `\nError: ${(entry.error ?? 'unknown').split('\n')[0].slice(0, 200)}`;
-    const msg = `**[Fix verification]** \`${entry.jobName}\` ${verdict} on its first run after edit (${ageMin}m later).${detail}`;
+    const tracker = pending.autoApply;
+    const scopeLabel = tracker.scope
+        ? `${tracker.kind}:${tracker.scope}${tracker.scopeKey ? `:${tracker.scopeKey}` : ''}`
+        : `${tracker.kind}${tracker.ruleId ? `:${tracker.ruleId}` : ''}`;
+    if (successes === 0) {
+        // Fix didn't help — revert and notify.
+        const reverted = revertAutoApply(tracker);
+        const msg = `**[Fix verification — REVERTED]** \`${entry.jobName}\`: ` +
+            `auto-applied ${scopeLabel} did not help (0/${outcomes.length} runs succeeded over ${ageMin}m). ` +
+            (reverted ? `Reverted ${path.basename(tracker.file)}.` : `Tried to revert but file was already gone.`);
+        try {
+            await send(msg);
+        }
+        catch (err) {
+            logger.warn({ err, job: entry.jobName }, 'Failed to send fix-revert DM');
+        }
+        logger.warn({ job: entry.jobName, scopeLabel, reverted }, 'Auto-reverted ineffective autoApply');
+        return;
+    }
+    const verdict = successes === outcomes.length
+        ? `✅ verified — ${successes}/${outcomes.length} runs succeeded`
+        : `⚠️ partial — ${successes}/${outcomes.length} runs succeeded`;
+    const msg = `**[Fix verification]** \`${entry.jobName}\`: auto-applied ${scopeLabel} ${verdict} over ${ageMin}m.`;
     try {
         await send(msg);
     }
@@ -143,4 +245,8 @@ export async function checkAndDeliverVerification(entry, send) {
 export function listPendingVerifications() {
     return Object.values(loadState().pending);
 }
+/** Test helper — clear all state. */
+export function _resetVerificationState() {
+    saveState({ pending: {} });
+}
 //# sourceMappingURL=fix-verification.js.map

package/dist/gateway/notifications.js

@@ -50,10 +50,20 @@ export class NotificationDispatcher {
     }
     /** Send a notification; automatically queues for retry on total failure. */
     async send(text, context) {
-        const result = await this.sendDirect(text, context);
-        // If delivery failed and there were actual senders (not "no channels"), queue for retry
+        // Outbound credential redaction happens HERE, at the public entrypoint,
+        // BEFORE any failure could enqueue the message for retry. Otherwise an
+        // un-redacted credential would persist to ~/.clementine/.delivery-queue.json
+        // for the retry window. Pattern-based + known-value scan; cheap enough to
+        // run on every send. See src/security/redact.ts for policy.
+        const { text: redacted, stats: redactionStats } = redactSecrets(text);
+        if (redactionStats.redactionCount > 0) {
+            logger.warn({ count: redactionStats.redactionCount, labels: redactionStats.labelsHit, sessionKey: context?.sessionKey }, `Redacted ${redactionStats.redactionCount} credential-shaped value(s) before delivery`);
+        }
+        const result = await this.sendDirect(redacted, context);
+        // If delivery failed and there were actual senders (not "no channels"), queue for retry.
+        // Stored text is already-redacted so disk persistence never holds a credential.
         if (!result.delivered && this.senders.size > 0) {
-            this._retryQueue.enqueue(text, context);
+            this._retryQueue.enqueue(redacted, context);
         }
         return result;
     }
@@ -63,18 +73,12 @@ export class NotificationDispatcher {
             logger.warn('No notification senders registered — message dropped');
             return { delivered: false, channelErrors: { _: 'no channels registered' } };
         }
-        // Outbound credential redaction — last-line defense against the agent
-        // accidentally (or via prompt injection) shipping a credential to a
-        // public channel. Pattern-based + known-value scan; cheap enough to
-        // run on every send. See src/security/redact.ts for the policy.
-        const { text: redacted, stats: redactionStats } = redactSecrets(text);
-        if (redactionStats.redactionCount > 0) {
-            logger.warn({ count: redactionStats.redactionCount, labels: redactionStats.labelsHit, sessionKey: context?.sessionKey }, `Redacted ${redactionStats.redactionCount} credential-shaped value(s) before delivery`);
-        }
-        // Sanity cap only — each channel sender handles its own chunking/truncation
-        const capped = redacted.length > MAX_MESSAGE_LENGTH
-            ? redacted.slice(0, MAX_MESSAGE_LENGTH - 20) + '\n\n_(truncated)_'
-            : redacted;
+        // Sanity cap only — each channel sender handles its own chunking/truncation.
+        // Redaction happens at send() (public entrypoint) before any retry-enqueue,
+        // so anything reaching here is already safe.
+        const capped = text.length > MAX_MESSAGE_LENGTH
+            ? text.slice(0, MAX_MESSAGE_LENGTH - 20) + '\n\n_(truncated)_'
+            : text;
         // If sessionKey is set, route only to the channel that owns it.
         // Fan out to all channels only when no originating channel is known.
         const targetChannel = context?.sessionKey ? channelForSessionKey(context.sessionKey) : null;

package/dist/memory/store.js

@@ -1094,6 +1094,7 @@ export class MemoryStore {
         }
         const rows = this.conn.prepare(sql).all(...params);
         const scored = [];
+        const nowMs = Date.now();
         for (const row of rows) {
             try {
                 const vec = embeddingsModule.deserializeEmbedding(row.embedding);
@@ -1109,6 +1110,16 @@ export class MemoryStore {
                 // Soft isolation: apply boost (only when not strict)
                 if (!strict && agentSlug && row.agent_slug === agentSlug)
                     score *= 1.4;
+                // Temporal decay — same policy as FTS scoring (Phase 9d). Without
+                // this, vector and FTS rankings disagree on freshness: FTS prefers
+                // recent at equal relevance but vector treats all timestamps
+                // equally, so MMR rerank surfaces stale matches when vector wins.
+                // Same 30-day half-life, same 0.4 floor — see store.ts FTS path
+                // for design rationale.
+                if (row.updated_at) {
+                    const daysOld = Math.max(0, (nowMs - new Date(row.updated_at).getTime()) / 86_400_000);
+                    score *= Math.max(0.4, temporalDecay(daysOld, 30));
+                }
                 scored.push({
                     sourceFile: row.source_file,
                     section: row.section,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clementine-agent",
-  "version": "1.1.5",
+  "version": "1.1.7",
   "description": "Clementine — Personal AI Assistant (TypeScript)",
   "type": "module",
   "main": "dist/index.js",