clementine-agent 1.18.151 → 1.18.153

package/dist/cli/dashboard.js

@@ -2047,9 +2047,36 @@ export async function cmdDashboard(opts) {
         jsonParser(req, res, next);
     });
     // ── Dashboard authentication ────────────────────────────────────────
-    const dashboardToken = randomBytes(24).toString('hex');
+    // 1.18.152 — persist the token across restarts. Before this, every
+    // dashboard startup (manual restart, auto-respawn, crash recovery)
+    // generated a fresh random token, which invalidated every browser
+    // bookmark, open tab, and printed URL. Auto-respawn (1.18.146) +
+    // auto-open browser (1.18.147) made this acutely visible — users
+    // would re-open the dashboard and find the URL they had bookmarked
+    // 401'd, then a new browser window would open with a different token,
+    // and any hook commands installed in projects would silently 401 too.
+    //
+    // Fix: read the existing token if `~/.clementine/.dashboard-token`
+    // already exists; only generate-and-persist on first-ever startup.
+    // To rotate tokens deliberately, the user deletes the file and
+    // restarts. Local-machine threat model assumes the home dir is
+    // trusted (see feedback_security_model.md) — a persistent token here
+    // is the same security posture as `~/.ssh/id_rsa`.
     const tokenPath = path.join(BASE_DIR, '.dashboard-token');
-    writeFileSync(tokenPath, dashboardToken, { mode: 0o600 });
+    let dashboardToken;
+    try {
+        const existing = readFileSync(tokenPath, 'utf-8').trim();
+        // Strict format check — anything that doesn't look like a 48-hex-char
+        // token (the format randomBytes(24).toString('hex') produces) gets
+        // regenerated. Defends against truncated / corrupt files.
+        if (!/^[a-f0-9]{48}$/.test(existing))
+            throw new Error('invalid token format on disk');
+        dashboardToken = existing;
+    }
+    catch {
+        dashboardToken = randomBytes(24).toString('hex');
+        writeFileSync(tokenPath, dashboardToken, { mode: 0o600 });
+    }
     // ── Remote access + session management ─────────────────────────────
     const remoteConfig = loadRemoteConfig();
     const sessions = new Map();
@@ -39458,9 +39485,15 @@ async function runWorkflow(name) {
 // the list so the migrated workflow disappears (its .md is renamed to
 // .md.migrated server-side and parseAllWorkflows stops picking it up).
 async function migrateWorkflowToSkill(name) {
-  if (!confirm('Migrate "' + name + '" into a skill folder?\n\n' +
-    '• A new skill will be created at vault/00-System/skills/<slug>/SKILL.md\n' +
-    '• The original workflow .md will be renamed to .md.migrated (kept for rollback)\n' +
+  // 1.18.153 — escape \\n through the outer template literal. Without the
+  // double-backslash the served HTML gets literal newlines INSIDE a single-
+  // quoted JS string, which the browser parser rejects as
+  // "Uncaught SyntaxError: Invalid or unexpected token". That kills the
+  // entire inline script block, so no API calls fire, no data renders,
+  // dashboard appears completely broken even though the server is healthy.
+  if (!confirm('Migrate "' + name + '" into a skill folder?\\n\\n' +
+    '• A new skill will be created at vault/00-System/skills/<slug>/SKILL.md\\n' +
+    '• The original workflow .md will be renamed to .md.migrated (kept for rollback)\\n' +
     '• The workflow stops firing; the skill is ready to schedule from the Skills tab')) return;
   try {
     var r = await apiFetch('/api/workflows/' + encodeURIComponent(name) + '/migrate-to-skill', {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clementine-agent",
-  "version": "1.18.151",
+  "version": "1.18.153",
   "description": "Clementine — Personal AI Assistant (TypeScript)",
   "type": "module",
   "main": "dist/index.js",