clementine-agent 1.18.157 → 1.18.159

package/dist/cli/dashboard.d.ts

@@ -12,4 +12,5 @@ export declare function killExistingDashboards(): number;
 export declare function cmdDashboard(opts: {
     port?: string;
 }): Promise<void>;
+export declare function getDashboardHTML(token: string): string;
 //# sourceMappingURL=dashboard.d.ts.map

package/dist/cli/dashboard.js

@@ -1762,11 +1762,10 @@ export async function cmdDashboard(opts) {
         if (process.env.NO_BROWSER !== '1') {
             setTimeout(() => {
                 try {
-                    const tokenPath = path.join(BASE_DIR, '.dashboard-token');
-                    const token = existsSync(tokenPath) ? readFileSync(tokenPath, 'utf-8').trim() : '';
-                    if (!token)
-                        return;
-                    const url = `http://localhost:${childPort}/?token=${token}`;
+                    // 1.18.159 — open the bare URL. Token comes from the meta tag
+                    // in the served HTML (persistent since 1.18.152). Bare URL also
+                    // sidesteps Chrome's per-query-string HTML cache entries.
+                    const url = `http://localhost:${childPort}`;
                     const platform = process.platform;
                     const cmd = platform === 'darwin' ? 'open'
                         : platform === 'win32' ? 'start'
@@ -13550,7 +13549,10 @@ self.addEventListener('activate', e => {
     await new Promise(() => { });
 }
 // ── Inline HTML Dashboard ────────────────────────────────────────────
-function getDashboardHTML(token) {
+// Exported for testability — see tests/dashboard-spa-parses.test.ts.
+// 1.18.158 added that test as a guard against the recurring "served
+// HTML inline JS doesn't parse" bug (1.18.142 + 1.18.155).
+export function getDashboardHTML(token) {
     const name = getAssistantName();
     return `<!DOCTYPE html>
 <html lang="en">
@@ -25616,7 +25618,13 @@ function renderScheduledTaskCard(task) {
   // less safe path, worth flagging) or when lean mode is in effect for a
   // meta-job (worth showing because it explains why the prompt is small).
   if (task.lean === true) {
-    badges += '<span class="badge badge-purple" title="Lean envelope — drops every auto-injected context block (memory, progress, goal, criteria, skills) and prunes the MCP catalog. Used for meta-jobs that must stay under Haiku\'s prompt cap.">Lean</span>';
+    // 1.18.158 hotfix — apostrophe in title= breaks JS parser. Outer
+    // template literal converts \' → ', the resulting served HTML has
+    // 'Haiku's' inside a single-quoted JS string, which terminates the
+    // string early and crashes the entire SPA. Use HTML entity to be
+    // safe across both layers (also valid inside JS strings since &#39;
+    // is just text characters, no special meaning).
+    badges += '<span class="badge badge-purple" title="Lean envelope — drops every auto-injected context block (memory, progress, goal, criteria, skills) and prunes the MCP catalog. Used for meta-jobs that must stay under Haiku&#39;s prompt cap.">Lean</span>';
   } else if (task.predictable === false) {
     badges += '<span class="badge badge-yellow" title="Dynamic mode — fire-time injects MEMORY.md, recent team activity, and auto-matched skills. Can drift from chat-time intent.">Reads memory</span>';
   }

package/dist/cli/index.js

@@ -497,25 +497,23 @@ async function relaunchDashboardDetached(opts = {}) {
         // print the URL. If it never binds, the URL still prints (user
         // can retry) but we surface the failure in logs.
         await new Promise(resolve => setTimeout(resolve, 3000));
-        let token = '';
-        try {
-            const tokenPath = path.join(BASE_DIR, '.dashboard-token');
-            if (existsSync(tokenPath))
-                token = readFileSync(tokenPath, 'utf-8').trim();
-        }
-        catch { /* token may not be ready yet */ }
-        if (token) {
-            const url = `http://localhost:3030/?token=${token}`;
-            console.log(`  Dashboard relaunched: ${url}`);
-            // 1.18.147 — auto-open the browser by default. Restart/update
-            // already imply user wants the dashboard back; making them copy a
-            // URL was a UX papercut.
-            if (opts.open !== false)
-                openInBrowser(url);
-        }
-        else {
-            console.log('  Dashboard relaunched (token not ready — check `clementine status`).');
-        }
+        // 1.18.159 — print the bare URL, not the `?token=...` flavor.
+        // Token is delivered via meta tag in the served HTML (since 1.18.152
+        // when token persistence shipped). The token-in-URL flavor was a
+        // pre-1.18.152 habit and turned into a footgun: Chrome caches HTML
+        // by full URL including query string, so a stale `?token=ABC` cache
+        // entry survives across redeploys while bare `localhost:3030` pulls
+        // fresh HTML. Restart printing the bare URL also nudges users to
+        // bookmark THAT (which keeps working forever) instead of the
+        // token-flavored one (which would silently OK after a 1.18.152+
+        // restart but caches indefinitely on 1.18.151- installs).
+        const url = 'http://localhost:3030';
+        console.log(`  Dashboard relaunched: ${url}`);
+        // 1.18.147 — auto-open the browser by default. Restart/update
+        // already imply user wants the dashboard back; making them copy a
+        // URL was a UX papercut.
+        if (opts.open !== false)
+            openInBrowser(url);
     }
     catch {
         console.log('  Could not relaunch dashboard — run: clementine dashboard');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clementine-agent",
-  "version": "1.18.157",
+  "version": "1.18.159",
   "description": "Clementine — Personal AI Assistant (TypeScript)",
   "type": "module",
   "main": "dist/index.js",