clementine-agent 1.12.1 → 1.12.3

package/dist/cli/dashboard.js

@@ -4555,6 +4555,21 @@ If the tool returns nothing or errors, return an empty array \`[]\`.`,
             res.status(500).json({ error: String(err) });
         }
     });
+    // Force-refresh the Composio caches. Useful when the user just made a
+    // connection in Composio's web UI and wants the agent to pick it up
+    // immediately instead of waiting up to 60s for the user_id cache to
+    // expire. Agents can also call this after surfacing a "needs OAuth"
+    // error to retry cleanly.
+    app.post('/api/composio/refresh', async (_req, res) => {
+        try {
+            const c = await import('../integrations/composio/client.js');
+            c.resetComposioClient();
+            res.json({ ok: true, message: 'Composio caches cleared — next query will re-detect.' });
+        }
+        catch (err) {
+            res.status(500).json({ error: String(err) });
+        }
+    });
     // ── CRON CRUD routes ──────────────────────────────────────────
     app.get('/api/projects', (_req, res) => {
         try {
@@ -15444,7 +15459,14 @@ function navigateTo(page, opts) {
       if (bt === 'learning' && typeof refreshSelfImprove === 'function') refreshSelfImprove();
       break;
     case 'settings':
-      switchDestTab('settings', opts.tab || 'channels');
+      // Settings tabs use the switchTab() system (id="tab-settings-<tab>"),
+      // not switchDestTab's [data-tab] selector. Default tab name is
+      // 'general' (the "Channels & Env" pane) to match the HTML id.
+      switchTab('settings', opts.tab || 'general');
+      // 'general' has no auto-refresh in switchTab — kick it manually so
+      // the Channels & Env card actually loads from /api/settings instead
+      // of stalling on "Loading settings…".
+      if ((opts.tab || 'general') === 'general' && typeof refreshSettings === 'function') refreshSettings();
       break;
   }
 
@@ -15846,6 +15868,7 @@ function switchTab(group, tab) {
     if (tab === 'learning' && typeof refreshSelfImprove === 'function') refreshSelfImprove();
   }
   if (group === 'settings') {
+    if (tab === 'general' && typeof refreshSettings === 'function') refreshSettings();
     if (tab === 'integrations') { refreshSalesforce(); refreshComposioConnections(); }
     if (tab === 'remote') refreshRemoteAccess();
     if (tab === 'security') refreshAuthSessions();
@@ -25936,9 +25959,13 @@ async function saveComposioApiKey() {
 }
 
 async function connectComposio(slug) {
+  // Open a blank popup SYNCHRONOUSLY inside the click handler. Browsers
+  // only let popups through if they're a direct user gesture — once we
+  // hit the await below, the gesture is "consumed" and any later
+  // window.open() gets silently blocked by Chrome/Safari/Firefox.
+  // We'll redirect this blank window to the OAuth URL once we have it.
+  var popup = window.open('about:blank', '_blank');
   try {
-    // Use apiFetch (not raw fetch) so the Authorization: Bearer header is
-    // attached — the /api/* middleware rejects unauth'd POSTs with 401.
     var res = await apiFetch('/api/composio/toolkits/' + encodeURIComponent(slug) + '/authorize', {
       method: 'POST',
       headers: { 'content-type': 'application/json' },
@@ -25947,27 +25974,61 @@ async function connectComposio(slug) {
     var d = await res.json();
     if (res.status === 409 && d.needsAuthConfig) {
       toast('This toolkit needs a BYO OAuth app — opening Composio dashboard.', 'warn');
-      window.open(d.setupUrl, '_blank');
+      if (popup && !popup.closed) popup.location.href = d.setupUrl;
+      else showOAuthLinkPrompt(slug, d.setupUrl);
       return;
     }
     if (!res.ok) {
+      if (popup && !popup.closed) popup.close();
       var reason = d.error || ('HTTP ' + res.status);
       toast('Connect failed: ' + reason, 'error');
       console.error('[composio] connect failed', { slug: slug, status: res.status, body: d });
       return;
     }
     if (d.redirectUrl) {
-      window.open(d.redirectUrl, '_blank');
-      toast('Opened ' + slug + ' authorization in a new tab. Refresh after approving.', 'info');
-      // Soft poll to catch the new connection without forcing a manual refresh.
+      if (popup && !popup.closed) {
+        popup.location.href = d.redirectUrl;
+        toast('Authorize ' + slug + ' in the new tab, then come back here.', 'info');
+      } else {
+        // Popup got blocked even with the synchronous-open trick (some
+        // browsers / extensions block about:blank too). Fall back to a
+        // visible "click to open" dialog — that click is a direct gesture
+        // and reliably bypasses the blocker.
+        showOAuthLinkPrompt(slug, d.redirectUrl);
+      }
       setTimeout(refreshComposioConnections, 5000);
       setTimeout(refreshComposioConnections, 15000);
       setTimeout(refreshComposioConnections, 30000);
     } else {
+      if (popup && !popup.closed) popup.close();
       toast('Connected ' + slug, 'success');
       refreshComposioConnections();
     }
-  } catch (e) { toast('Connect failed: ' + e, 'error'); }
+  } catch (e) {
+    if (popup && !popup.closed) popup.close();
+    toast('Connect failed: ' + e, 'error');
+  }
+}
+
+function showOAuthLinkPrompt(slug, url) {
+  // Renders a modal with a clickable link. User clicking the link is a
+  // direct gesture, so the new tab will open even when popup blockers are
+  // aggressive. Used as the fallback when window.open returns null.
+  var existing = document.getElementById('composio-oauth-prompt');
+  if (existing) existing.remove();
+  var overlay = document.createElement('div');
+  overlay.id = 'composio-oauth-prompt';
+  overlay.style.cssText = 'position:fixed;inset:0;background:rgba(0,0,0,0.5);z-index:9999;display:flex;align-items:center;justify-content:center';
+  overlay.innerHTML =
+    '<div style="background:var(--bg-primary,#1e1e1e);border:1px solid var(--border);border-radius:8px;padding:20px;max-width:480px;width:90%;box-shadow:0 8px 32px rgba(0,0,0,0.4)">' +
+    '<div style="font-size:14px;font-weight:600;margin-bottom:8px">Authorize ' + esc(slug) + '</div>' +
+    '<div style="font-size:12px;color:var(--text-muted);margin-bottom:14px;line-height:1.5">Your browser blocked the popup. Click below to open the authorization page in a new tab — after approving, come back here and the connection will show up within a few seconds.</div>' +
+    '<div style="display:flex;gap:8px;justify-content:flex-end">' +
+    '<button class="btn-sm" onclick="document.getElementById(\\'composio-oauth-prompt\\').remove()" style="padding:6px 12px;background:transparent;border:1px solid var(--border);color:var(--text-primary);border-radius:4px;cursor:pointer;font-size:12px">Cancel</button>' +
+    '<a href="' + esc(url) + '" target="_blank" rel="noopener" onclick="setTimeout(function(){var e=document.getElementById(\\'composio-oauth-prompt\\');if(e)e.remove();},500)" class="btn btn-sm btn-primary" style="text-decoration:none;padding:6px 14px;display:inline-block;font-size:12px">Open authorization</a>' +
+    '</div>' +
+    '</div>';
+  document.body.appendChild(overlay);
 }
 
 async function disconnectComposio(slug, connectionId) {

package/dist/integrations/composio/client.js

@@ -108,13 +108,22 @@ export function clementineUserId() {
     return readComposioEnv('COMPOSIO_USER_ID') || DEFAULT_NEW_CONNECTION_USER_ID;
 }
 // Cached after first detection — avoids extra API calls per authorize.
+// Cache the detected user_id but only briefly. New connections made via
+// Composio's web UI (outside Clementine) need to be picked up without a
+// daemon restart — long-lived caching breaks that. 60s is short enough
+// for "hit dashboard → connect in Composio web → use it from agent" to
+// work without explicit invalidation, and long enough that within-burst
+// queries don't hammer the API.
 let detectedPreferredUserId = null;
+let detectedAt = 0;
+const USER_ID_CACHE_TTL_MS = 60_000;
 async function detectPreferredUserId(composio) {
     const explicit = readComposioEnv('COMPOSIO_USER_ID');
     if (explicit)
         return explicit;
-    if (detectedPreferredUserId !== null)
+    if (detectedPreferredUserId !== null && Date.now() - detectedAt < USER_ID_CACHE_TTL_MS) {
         return detectedPreferredUserId;
+    }
     // The high-level wrapper's list() drops the snake_case `user_id` field
     // during its camelCase transformation, so connections look like they have
     // no user_id. Use the raw client (snake_case shape) to actually read the
@@ -141,6 +150,7 @@ async function detectPreferredUserId(composio) {
             const top = [...counts.entries()].sort((a, b) => b[1] - a[1])[0][0];
             logger.info({ userId: top, candidates: counts.size }, 'Detected Composio user_id from existing connections');
             detectedPreferredUserId = top;
+            detectedAt = Date.now();
             return top;
         }
     }
@@ -151,6 +161,7 @@ async function detectPreferredUserId(composio) {
     // requires a non-empty string, and "default" is the conventional
     // single-tenant value that Composio's quickstart uses.
     detectedPreferredUserId = DEFAULT_NEW_CONNECTION_USER_ID;
+    detectedAt = Date.now();
     return DEFAULT_NEW_CONNECTION_USER_ID;
 }
 export function displayNameFor(slug) {
@@ -517,6 +528,10 @@ _opts) {
     try {
         const conn = await composio.toolkits.authorize(userId, slug);
         logger.info({ slug, userId, connectionId: conn.id }, 'Composio authorize OK');
+        // Force re-detect on the next query so the new connection (and any
+        // others created in parallel via Composio's web UI) get picked up
+        // immediately, even within the 60s TTL window.
+        detectedPreferredUserId = null;
         return { redirectUrl: conn.redirectUrl ?? null, connectionId: conn.id };
     }
     catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clementine-agent",
-  "version": "1.12.1",
+  "version": "1.12.3",
   "description": "Clementine — Personal AI Assistant (TypeScript)",
   "type": "module",
   "main": "dist/index.js",