clementine-agent 1.18.164 → 1.18.167

package/dist/agent/action-enforcer.js

@@ -2,11 +2,11 @@ import { looksLikeApprovalPrompt } from './local-turn.js';
 function normalize(text) {
     return text.trim().toLowerCase().replace(/\s+/g, ' ');
 }
-const ACTION_REQUEST_RE = /\b(can you|could you|would you|please|pls|i need you to|i want you to|let'?s|go ahead and|do it|handle this|take care of)\b[\s\S]{0,160}\b(send|email|message|post|publish|delete|change|update|run|execute|check|look(?:\s+into)?|diagnose|investigate|figure(?:\s+it)?\s*out|find|search|read|write|create|fix|schedule|reschedule|pull|fetch|review|tag|save|upload|download)\b/i;
-const DIRECT_ACTION_RE = /^(send|email|message|post|publish|delete|change|update|run|execute|check|look(?:\s+into)?|diagnose|investigate|find|search|read|write|create|fix|schedule|reschedule|pull|fetch|review|tag|save|upload|download)\b/i;
+const ACTION_REQUEST_RE = /\b(can you|can we|could you|would you|please|pls|i need you to|i want you to|i would like (?:for you )?to|i'?d like (?:for you )?to|let'?s|go ahead and|do it|handle this|take care of)\b[\s\S]{0,160}\b(send|email|message|post|publish|delete|change|update|run|execute|start|fire(?:\s+off)?|add|append|insert|check|look(?:\s+into)?|diagnose|investigate|figure(?:\s+it)?\s*out|find|search|research|scrape|collect|analyze|read|write|create|build|generate|fix|schedule|reschedule|pull|fetch|review|tag|save|upload|download)\b/i;
+const DIRECT_ACTION_RE = /^(send|email|message|post|publish|delete|change|update|run|execute|start|fire(?:\s+off)?|add|append|insert|check|look(?:\s+into)?|diagnose|investigate|find|search|research|scrape|collect|analyze|read|write|create|build|generate|fix|schedule|reschedule|pull|fetch|review|tag|save|upload|download)\b/i;
 const DIAGNOSTIC_RE = /\b(log|logs|crash|crashing|error|failing|failure|broken|diagnose|debug|investigate|look into|figure it out|what'?s causing|why is|why did)\b/i;
-const DONE_CLAIM_RE = /\b(done|sent|emailed|queued|accepted|completed|finished|fixed|updated|changed|deleted|posted|published|scheduled|rescheduled|created|saved|uploaded|downloaded|tagged|checked|reviewed|found|read|ran|executed)\b/i;
-const PROMISE_RE = /\b(i'?ll|i will|i am going to|i'?m going to|let me|i'?m checking|i'?m sending|i'?m running|i'?m looking|working on it|on it)\b[\s\S]{0,120}\b(send|email|message|post|publish|delete|change|update|run|execute|check|look|diagnose|investigate|find|search|read|write|create|fix|schedule|reschedule|pull|fetch|review|tag|save|upload|download|now)\b/i;
+const DONE_CLAIM_RE = /\b(done|sent|emailed|queued|accepted|completed|finished|fixed|updated|changed|deleted|posted|published|scheduled|rescheduled|created|built|generated|saved|uploaded|downloaded|tagged|checked|reviewed|found|scraped|researched|analyzed|read|ran|executed|fired)\b/i;
+const PROMISE_RE = /\b(i'?ll|i will|i am going to|i'?m going to|let me|i'?m checking|i'?m sending|i'?m running|i'?m looking|working on it|on it)\b[\s\S]{0,120}\b(send|email|message|post|publish|delete|change|update|run|execute|start|fire(?:\s+off)?|add|append|insert|check|look|diagnose|investigate|find|search|research|scrape|collect|analyze|read|write|create|build|generate|fix|schedule|reschedule|pull|fetch|review|tag|save|upload|download|now)\b/i;
 const VACUOUS_ACK_RE = /^(got it|okay|ok|sure|perfect|sounds good|on it|will do|yep|yeah)[.! ]*$/i;
 const BLOCKED_OR_ASKING_RE = /\b(i can'?t|i cannot|unable to|blocked|need you to|need a|need the|please provide|please send|can you send|can you share|which|what should|who should|before i|confirm|approve|good to go|okay to)\b/i;
 const DIAGNOSTIC_DEFLECTION_RE = /\b(what are you seeing|what do you see|send (me )?the logs|share (the )?logs|provide (the )?logs|can you paste|can you send me)\b/i;

package/dist/agent/advisor-rules/loader.js

@@ -83,6 +83,7 @@ const ruleSchema = z.object({
 // ── Loader ──────────────────────────────────────────────────────────
 let cachedRules = [];
 let watcherInstalled = false;
+let watcher = null;
 let watchDebounce = null;
 function readYamlFile(filePath) {
     try {
@@ -171,7 +172,7 @@ export function watchUserRulesDir(opts) {
         mkdirSync(userDir, { recursive: true });
     }
     try {
-        fsWatch(userDir, () => {
+        watcher = fsWatch(userDir, () => {
             if (watchDebounce)
                 clearTimeout(watchDebounce);
             watchDebounce = setTimeout(() => {
@@ -183,6 +184,16 @@ export function watchUserRulesDir(opts) {
                 }
             }, 250);
         });
+        watcher.on('error', (err) => {
+            logger.warn({ err, userDir }, 'Rule watcher failed — hot reload disabled');
+            try {
+                watcher?.close();
+            }
+            catch { /* ignore */ }
+            watcher = null;
+            watcherInstalled = false;
+        });
+        watcher.unref();
         watcherInstalled = true;
         logger.debug({ dir: userDir }, 'Watching user rules dir for hot reload');
     }
@@ -194,6 +205,13 @@ export function watchUserRulesDir(opts) {
 export function _resetLoaderState() {
     cachedRules = [];
     watcherInstalled = false;
+    if (watcher) {
+        try {
+            watcher.close();
+        }
+        catch { /* ignore */ }
+        watcher = null;
+    }
     if (watchDebounce) {
         clearTimeout(watchDebounce);
         watchDebounce = null;

package/dist/agent/assistant.js

@@ -13,7 +13,7 @@ import fs from 'node:fs';
 import path from 'node:path';
 import { query as rawQuery, listSubagents, getSubagentMessages, SYSTEM_PROMPT_DYNAMIC_BOUNDARY, } from '@anthropic-ai/claude-agent-sdk';
 import pino from 'pino';
-import { BASE_DIR, PKG_DIR, VAULT_DIR, DAILY_NOTES_DIR, SOUL_FILE, AGENTS_FILE, MEMORY_FILE, AGENTS_DIR, ASSISTANT_NAME, OWNER_NAME, MODEL, MODELS, HEARTBEAT_MAX_TURNS, SESSION_EXCHANGE_HISTORY_SIZE, SESSION_EXCHANGE_MAX_CHARS, INJECTED_CONTEXT_MAX_CHARS, PROJECTS_META_FILE, CRON_PROGRESS_DIR, CRON_REFLECTIONS_DIR, BUDGET, TASK_BUDGET_TOKENS, CLAUDE_CODE_OAUTH_TOKEN, ANTHROPIC_API_KEY as CONFIG_ANTHROPIC_API_KEY, claudeCodeDisableOneMillionForModel, currentOneMillionContextMode, normalizeClaudeModelForOneMillionContext, normalizeClaudeSdkOptionsForOneMillionContext, looksLikeClaudeOneMillionContextError, envSnapshot, } from '../config.js';
+import { BASE_DIR, PKG_DIR, VAULT_DIR, DAILY_NOTES_DIR, SOUL_FILE, AGENTS_FILE, MEMORY_FILE, AGENTS_DIR, ASSISTANT_NAME, OWNER_NAME, MODEL, MODELS, HEARTBEAT_MAX_TURNS, SESSION_EXCHANGE_HISTORY_SIZE, SESSION_EXCHANGE_MAX_CHARS, INJECTED_CONTEXT_MAX_CHARS, PROJECTS_META_FILE, CRON_PROGRESS_DIR, CRON_REFLECTIONS_DIR, BUDGET, TASK_BUDGET_TOKENS, TIMEZONE, CLAUDE_CODE_OAUTH_TOKEN, ANTHROPIC_API_KEY as CONFIG_ANTHROPIC_API_KEY, claudeCodeDisableOneMillionForModel, currentOneMillionContextMode, normalizeClaudeModelForOneMillionContext, normalizeClaudeSdkOptionsForOneMillionContext, looksLikeClaudeOneMillionContextError, envSnapshot, } from '../config.js';
 import { summarizeIntegrationStatus } from '../config/integrations-registry.js';
 import { loadToolPreferences, computeAvailability, buildPromptInstruction, buildComposioStatusBlock, KNOWN_SERVICES, } from '../integrations/tool-preferences.js';
 import { loadClaudeIntegrations } from './mcp-bridge.js';
@@ -33,6 +33,7 @@ import { applyServiceDedup, routeToolSurface, TOOL_SURFACE_HARD_LIMIT, TOOL_SURF
 import { isRestrictedToolset, toolsetAllowsLocalWrites, toolsetDisablesAllTools } from './toolsets.js';
 import { looksLikeApprovalPrompt } from './local-turn.js';
 import { loadClementineJson } from '../config/clementine-json.js';
+import { dateKeyInTimeZone, formatDateInTimeZone, formatTimeInTimeZone, hourInTimeZone } from '../lib/time.js';
 // ── Channel capabilities ────────────────────────────────────────────
 /** Map channel label to its capabilities so the agent adapts its responses. */
 function getChannelCapabilities(channel) {
@@ -562,22 +563,17 @@ function extractText(blocks) {
 }
 // ── Date Helpers ────────────────────────────────────────────────────
 function formatDate(d) {
-    return d.toLocaleDateString('en-US', {
-        weekday: 'long', year: 'numeric', month: 'long', day: 'numeric',
-    });
+    return formatDateInTimeZone(d, TIMEZONE);
 }
 function formatTime(d) {
-    return d.toLocaleTimeString('en-US', { hour: 'numeric', minute: '2-digit', hour12: true });
+    return formatTimeInTimeZone(d, TIMEZONE);
 }
 /** Local-time YYYY-MM-DD (avoids UTC date mismatch late at night). */
 function todayISO() {
-    const d = new Date();
-    return `${d.getFullYear()}-${String(d.getMonth() + 1).padStart(2, '0')}-${String(d.getDate()).padStart(2, '0')}`;
+    return dateKeyInTimeZone(new Date(), TIMEZONE);
 }
 function yesterdayISO() {
-    const d = new Date();
-    d.setDate(d.getDate() - 1);
-    return `${d.getFullYear()}-${String(d.getMonth() + 1).padStart(2, '0')}-${String(d.getDate()).padStart(2, '0')}`;
+    return dateKeyInTimeZone(new Date(Date.now() - 24 * 60 * 60 * 1000), TIMEZONE);
 }
 // ── Cron Output Extraction ──────────────────────────────────────────
 /** Autonomous jobs use this sentinel to mean "completed, but do not notify the owner." */
@@ -1143,7 +1139,7 @@ Large tool outputs blow the context window and rotate your session mid-task —
         // Skip yesterday's notes and recent conversation summaries for autonomous runs
         if (!isAutonomous && !skipAmbientContext) {
             if (!retrievalContext) {
-                const hour = new Date().getHours();
+                const hour = hourInTimeZone(new Date(), TIMEZONE);
                 const mentionsYesterday = this._lastUserMessage?.toLowerCase().includes('yesterday');
                 if (hour < 12 || mentionsYesterday) {
                     const yPath = path.join(DAILY_NOTES_DIR, `${yesterdayISO()}.md`);
@@ -1638,7 +1634,7 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
 
 - **Date:** ${formatDate(now)}
 - **Time:** ${formatTime(now)}
-- **Timezone:** ${Intl.DateTimeFormat().resolvedOptions().timeZone}
+- **Timezone:** ${TIMEZONE}
 - **Channel:** ${channel}${caps ? ` (${formatCapabilities(caps)})` : ''}
 - **Model:** ${modelLabel} (${resolvedModel})
 - **Vault:** ${vault}
@@ -2237,9 +2233,9 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
                 }
             }
         }
-        // Permission mode: always 'bypassPermissions' — this is a daemon/harness with no interactive
-        // terminal, so 'auto' mode (which requires plan support + human approval) doesn't apply.
-        const effectivePermissionMode = 'bypassPermissions';
+        // Headless daemon runs cannot prompt for approval. `dontAsk` auto-allows
+        // only the explicit allowedTools surface and denies everything else.
+        const effectivePermissionMode = 'dontAsk';
         // SessionStore adapter: mirror SDK transcripts into our SQLite store.
         // Resume then works from the durable store, not just local JSONL.
         const sessionStore = this.getSessionStore();
@@ -2313,7 +2309,6 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
             ...(fallback ? { fallbackModel: fallback } : {}),
             ...(oneMillionDisableValue === '1' ? { betas: [] } : {}),
             permissionMode: effectivePermissionMode,
-            allowDangerouslySkipPermissions: true,
             ...(sessionStore ? { sessionStore } : {}),
             ...(computedTaskBudget && supportsTaskBudget ? { taskBudget: { total: computedTaskBudget } } : {}),
             // SDK field semantics (per node_modules/@anthropic-ai/claude-agent-sdk/sdk.d.ts):
@@ -2323,8 +2318,8 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
             //                      CLEMENTINE_TOOL_ALLOWLIST so unneeded internal tools
             //                      are never registered for lightweight turns.
             //   - `allowedTools` → auto-allow list covering both built-ins AND MCP tool
-            //                      names; MCP names stay here so bypassPermissions has
-            //                      explicit grants for every exposed external server.
+            //                      names. With permissionMode=dontAsk, anything not
+            //                      present here is denied instead of prompting.
             //   - `disallowedTools` → blocklist, takes precedence.
             tools: toolsDisabledForCall ? [] : allowedTools.filter(t => !t.startsWith('mcp__')),
             allowedTools: toolsDisabledForCall ? [] : allowedTools,
@@ -2831,8 +2826,7 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
                 options: {
                     systemPrompt: 'You are a silent memory extraction agent. Save facts to the vault and exit.',
                     model: AUTO_MEMORY_MODEL,
-                    permissionMode: 'bypassPermissions',
-                    allowDangerouslySkipPermissions: true,
+                    permissionMode: 'dontAsk',
                     // MCP tool names live in allowedTools, not tools. See note at
                     // buildOptions — `tools` is for built-ins only.
                     tools: [],
@@ -2862,6 +2856,7 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
                                 CLEMENTINE_TEAM_AGENT: profile?.slug ?? 'clementine',
                                 // Auto-memory extractor runs autonomously.
                                 CLEMENTINE_INTERACTION_SOURCE: 'autonomous',
+                                CLEMENTINE_TOOL_ALLOWLIST: 'memory_write,memory_search,note_create,task_add,note_take,memory_read,user_model',
                             },
                         },
                     },
@@ -3082,8 +3077,9 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
                 options: {
                     systemPrompt: 'You are a task output verifier. Assess the output quality.',
                     model: MODELS.haiku,
-                    permissionMode: 'bypassPermissions',
-                    allowDangerouslySkipPermissions: true,
+                    permissionMode: 'dontAsk',
+                    tools: [],
+                    allowedTools: [],
                     maxTurns: 1,
                     cwd: BASE_DIR,
                     env: SAFE_ENV,

package/dist/agent/execution-policy.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Shared Claude Agent SDK execution policy.
+ *
+ * The SDK permission model has two separate layers:
+ *   - `tools` controls which built-in tools are visible.
+ *   - `allowedTools` pre-approves built-ins and MCP tools.
+ *
+ * Critically, `allowedTools` does not constrain `bypassPermissions`.
+ * Headless Clementine runs should therefore default to `dontAsk` and
+ * explicitly allow the built-ins/MCP servers they need.
+ */
+export type ExecutionPermissionMode = 'default' | 'acceptEdits' | 'bypassPermissions' | 'plan' | 'dontAsk' | 'auto';
+export declare const SDK_BUILTIN_TOOLS: Set<string>;
+export interface BuildExecutionPolicyOptions {
+    /** Caller-provided allowedTools. Undefined means use defaults; [] means deny all. */
+    requestedTools?: string[];
+    /** Built-ins used when requestedTools is undefined. */
+    defaultBuiltins: readonly string[];
+    /** Names of MCP servers mounted for this query. */
+    mcpServerNames: string[];
+    /** Clementine's own MCP server name, e.g. "clementine-tools". */
+    clementineServerName: string;
+    /** Optional override. Defaults to dontAsk for headless auto-execution. */
+    permissionMode?: ExecutionPermissionMode;
+}
+export interface ExecutionToolPolicy {
+    permissionMode: ExecutionPermissionMode;
+    allowDangerouslySkipPermissions?: true;
+    /** SDK `tools` option: visible built-ins only. */
+    builtinTools: string[];
+    /** SDK `allowedTools` option: built-ins + MCP permissions. */
+    allowedTools: string[];
+    /** Value for CLEMENTINE_TOOL_ALLOWLIST inside the Clementine MCP subprocess. */
+    clementineToolAllowlist: string;
+    /** Env vars for the SDK subprocess. */
+    env: Record<string, string>;
+}
+/** Best-effort registry of first-party Clementine MCP tool names. */
+export declare function listClementineMcpToolNames(): Set<string>;
+export declare function buildExecutionToolPolicy(opts: BuildExecutionPolicyOptions): ExecutionToolPolicy;
+//# sourceMappingURL=execution-policy.d.ts.map

package/dist/agent/execution-policy.js

@@ -0,0 +1,217 @@
+/**
+ * Shared Claude Agent SDK execution policy.
+ *
+ * The SDK permission model has two separate layers:
+ *   - `tools` controls which built-in tools are visible.
+ *   - `allowedTools` pre-approves built-ins and MCP tools.
+ *
+ * Critically, `allowedTools` does not constrain `bypassPermissions`.
+ * Headless Clementine runs should therefore default to `dontAsk` and
+ * explicitly allow the built-ins/MCP servers they need.
+ */
+import { existsSync, readFileSync, readdirSync } from 'node:fs';
+import path from 'node:path';
+import { BASE_DIR, PKG_DIR } from '../config.js';
+export const SDK_BUILTIN_TOOLS = new Set([
+    'Agent',
+    'AskUserQuestion',
+    'Bash',
+    'Edit',
+    'Glob',
+    'Grep',
+    'Monitor',
+    'Read',
+    'TodoWrite',
+    'WebFetch',
+    'WebSearch',
+    'Write',
+]);
+let _cachedClementineToolNames = null;
+function discoverToolNamesInDir(dir, out) {
+    if (!existsSync(dir))
+        return;
+    let files = [];
+    try {
+        files = readdirSync(dir).filter((f) => /\.(ts|js|mjs)$/.test(f));
+    }
+    catch {
+        return;
+    }
+    const re = /\.tool\(\s*['"`]([A-Za-z0-9_.:-]+)['"`]/g;
+    for (const file of files) {
+        let text = '';
+        try {
+            text = readFileSync(path.join(dir, file), 'utf-8');
+        }
+        catch {
+            continue;
+        }
+        re.lastIndex = 0;
+        let m;
+        while ((m = re.exec(text)) !== null)
+            out.add(m[1]);
+    }
+}
+function discoverUserToolNames(dir, out) {
+    if (!existsSync(dir))
+        return;
+    let files = [];
+    try {
+        files = readdirSync(dir).filter((f) => /\.(sh|py)$/.test(f));
+    }
+    catch {
+        return;
+    }
+    for (const file of files) {
+        const name = file.replace(/\.(sh|py)$/, '').replace(/[^a-z0-9_]/gi, '_');
+        if (name)
+            out.add(name);
+    }
+}
+/** Best-effort registry of first-party Clementine MCP tool names. */
+export function listClementineMcpToolNames() {
+    if (_cachedClementineToolNames)
+        return _cachedClementineToolNames;
+    const out = new Set();
+    discoverToolNamesInDir(path.join(PKG_DIR, 'src', 'tools'), out);
+    discoverToolNamesInDir(path.join(PKG_DIR, 'dist', 'tools'), out);
+    discoverUserToolNames(path.join(BASE_DIR, 'tools'), out);
+    _cachedClementineToolNames = out;
+    return out;
+}
+function mcpWildcard(serverName) {
+    return `mcp__${serverName}__*`;
+}
+function clementineMcpTool(serverName, toolName) {
+    return `mcp__${serverName}__${toolName}`;
+}
+function commandExistsOnPath(command) {
+    if (!/^[A-Za-z0-9._-]+$/.test(command))
+        return false;
+    const pathValue = process.env.PATH ?? '';
+    for (const dir of pathValue.split(path.delimiter)) {
+        if (!dir)
+            continue;
+        if (existsSync(path.join(dir, command)))
+            return true;
+    }
+    return false;
+}
+function normalizeRequestedToolName(raw, clementineServerName, clementineTools) {
+    const tool = String(raw ?? '').trim();
+    if (!tool)
+        return { sdkTool: '' };
+    if (/^Bash\(.+\)$/.test(tool)) {
+        return { sdkTool: tool, builtinTool: 'Bash', scopedBash: tool !== 'Bash(*)' };
+    }
+    if (tool.startsWith('mcp__')) {
+        const prefix = `mcp__${clementineServerName}__`;
+        if (tool === mcpWildcard(clementineServerName)) {
+            return { sdkTool: tool, clementineTool: '*' };
+        }
+        if (tool.startsWith(prefix)) {
+            const name = tool.slice(prefix.length);
+            if (name && name !== '*')
+                return { sdkTool: tool, clementineTool: name };
+        }
+        return { sdkTool: tool };
+    }
+    if (SDK_BUILTIN_TOOLS.has(tool))
+        return { sdkTool: tool, builtinTool: tool };
+    if (clementineTools.has(tool)) {
+        return { sdkTool: clementineMcpTool(clementineServerName, tool), clementineTool: tool };
+    }
+    if (commandExistsOnPath(tool)) {
+        return { sdkTool: `Bash(${tool}:*)`, builtinTool: 'Bash', scopedBash: true };
+    }
+    // Unknown names are preserved for forward compatibility with SDK/plugins.
+    return { sdkTool: tool };
+}
+function applyNormalizedTool(normalized, builtins, allowed, clementineAllow, opts = {}) {
+    const { sdkTool, clementineTool, builtinTool } = normalized;
+    if (!sdkTool)
+        return;
+    if (builtinTool && SDK_BUILTIN_TOOLS.has(builtinTool))
+        builtins.add(builtinTool);
+    if (!(opts.skipBroadBash && sdkTool === 'Bash'))
+        allowed.add(sdkTool);
+    if (clementineTool === '*') {
+        clementineAllow.clear();
+        clementineAllow.add('*');
+    }
+    else if (clementineTool && !clementineAllow.has('*')) {
+        clementineAllow.add(clementineTool);
+    }
+}
+function applyMemoryCompanionTools(normalizedTools, clementineTools, clementineServerName, builtins, allowed, clementineAllow) {
+    if (clementineAllow.has('*'))
+        return;
+    const requestedClementine = new Set(normalizedTools
+        .map(tool => tool.clementineTool)
+        .filter((tool) => Boolean(tool) && tool !== '*'));
+    if (!requestedClementine.has('memory_write'))
+        return;
+    // Existing agent profiles predate the brain ingestion tools. If a profile
+    // already grants durable memory writes, keep the newer ingestion write path
+    // available without widening to the full Clementine MCP surface.
+    const companionTools = ['brain_save'];
+    const canReadLocalData = normalizedTools.some(tool => tool.builtinTool === 'Read' || tool.builtinTool === 'Bash');
+    if (canReadLocalData)
+        companionTools.push('brain_ingest_folder');
+    for (const toolName of companionTools) {
+        if (!clementineTools.has(toolName) || requestedClementine.has(toolName))
+            continue;
+        const normalized = normalizeRequestedToolName(toolName, clementineServerName, clementineTools);
+        applyNormalizedTool(normalized, builtins, allowed, clementineAllow);
+    }
+}
+export function buildExecutionToolPolicy(opts) {
+    const permissionMode = opts.permissionMode ?? 'dontAsk';
+    const clementineTools = listClementineMcpToolNames();
+    const allowed = new Set();
+    const builtins = new Set();
+    const clementineAllow = new Set();
+    if (opts.requestedTools === undefined) {
+        for (const raw of opts.defaultBuiltins) {
+            const normalized = normalizeRequestedToolName(raw, opts.clementineServerName, clementineTools);
+            applyNormalizedTool(normalized, builtins, allowed, clementineAllow);
+        }
+        for (const server of opts.mcpServerNames) {
+            if (!server)
+                continue;
+            allowed.add(mcpWildcard(server));
+            if (server === opts.clementineServerName)
+                clementineAllow.add('*');
+        }
+    }
+    else {
+        const normalizedTools = opts.requestedTools.map((raw) => normalizeRequestedToolName(raw, opts.clementineServerName, clementineTools));
+        const hasScopedBash = normalizedTools.some((tool) => tool.scopedBash);
+        for (const normalized of normalizedTools) {
+            applyNormalizedTool(normalized, builtins, allowed, clementineAllow, {
+                // In explicit skill/tool scopes, `Bash` plus `some-cli` usually means
+                // "make Bash visible and approve that CLI", not "approve all shell".
+                skipBroadBash: hasScopedBash,
+            });
+        }
+        if (opts.requestedTools.length > 0) {
+            applyMemoryCompanionTools(normalizedTools, clementineTools, opts.clementineServerName, builtins, allowed, clementineAllow);
+        }
+    }
+    const clementineToolAllowlist = clementineAllow.has('*')
+        ? '*'
+        : [...clementineAllow].sort().join(',');
+    return {
+        permissionMode,
+        ...(permissionMode === 'bypassPermissions' ? { allowDangerouslySkipPermissions: true } : {}),
+        builtinTools: [...builtins].sort(),
+        allowedTools: [...allowed].sort(),
+        clementineToolAllowlist,
+        env: {
+            // Tool search is default in current SDKs, but setting this makes the
+            // intent explicit and protects large Composio/MCP catalogs.
+            ENABLE_TOOL_SEARCH: process.env.ENABLE_TOOL_SEARCH || 'auto:5',
+        },
+    };
+}
+//# sourceMappingURL=execution-policy.js.map

package/dist/agent/failure-fix-consumer.d.ts

@@ -114,6 +114,7 @@ export declare class FailureFixConsumer {
     private ticking;
     constructor(dispatcher: SelfImproveDispatcher, opts?: SelfImproveLoopOptions);
     start(): void;
+    private startFallbackTimer;
     stop(): void;
     /** Coalesce a burst of fs.watch events (multiple triggers landing in
      * quick succession) into a single tick. */

package/dist/agent/failure-fix-consumer.js

@@ -43,6 +43,7 @@ const logger = pino({ name: 'clementine.failure-fix-consumer' });
 const FALLBACK_TICK_MS = 60 * 60 * 1000;
 /** Coalesce a burst of fs.watch events into a single tick. */
 const WATCH_DEBOUNCE_MS = 2000;
+const WATCH_FAILURE_FALLBACK_MS = 1000;
 const TRIGGERS_DIR = path.join(BASE_DIR, 'self-improve', 'triggers');
 const PENDING_CHANGES_DIR = path.join(BASE_DIR, 'self-improve', 'pending-changes');
 const CRON_PATH = path.join(SYSTEM_DIR, 'CRON.md');
@@ -274,16 +275,35 @@ export class FailureFixConsumer {
                         return;
                     this.scheduleDebouncedTick();
                 });
+                this.watcher.on('error', (err) => {
+                    logger.warn({ err, dir: this.triggersDir }, 'Triggers dir watcher failed — falling back to polling');
+                    try {
+                        this.watcher?.close();
+                    }
+                    catch { /* ignore */ }
+                    this.watcher = null;
+                    this.startFallbackTimer(Math.min(this.tickMs, WATCH_FAILURE_FALLBACK_MS));
+                    this.scheduleDebouncedTick();
+                });
             }
             catch (err) {
                 logger.warn({ err, dir: this.triggersDir }, 'Failed to watch triggers dir — falling back to polling only');
+                this.startFallbackTimer(Math.min(this.tickMs, WATCH_FAILURE_FALLBACK_MS));
             }
         }
         // Slow fallback safety net — covers fs.watch event drops + boot-with-backlog.
+        if (!this.timer)
+            this.startFallbackTimer(this.tickMs);
+        logger.info({ fallbackTickMs: this.tickMs, watchEnabled: this.watchEnabled && this.watcher !== null }, 'Self-improve loop started');
+    }
+    startFallbackTimer(intervalMs) {
+        if (!this.running || !Number.isFinite(intervalMs) || intervalMs <= 0)
+            return;
+        if (this.timer)
+            clearInterval(this.timer);
         this.timer = setInterval(() => {
             this.tick().catch((err) => logger.error({ err }, 'Self-improve fallback tick failed'));
-        }, this.tickMs);
-        logger.info({ fallbackTickMs: this.tickMs, watchEnabled: this.watchEnabled && this.watcher !== null }, 'Self-improve loop started');
+        }, intervalMs);
     }
     stop() {
         if (!this.running)

package/dist/agent/hooks.js

@@ -13,6 +13,7 @@ import path from 'node:path';
 import { AsyncLocalStorage } from 'node:async_hooks';
 import { randomUUID } from 'node:crypto';
 import { OWNER_NAME, BASE_DIR, TIMEZONE } from '../config.js';
+import { formatTime24InTimeZone } from '../lib/time.js';
 // ── Shared state ───────────────────────────────────────────────────────
 let heartbeatActive = false;
 let heartbeatTier2Allowed = false;
@@ -189,7 +190,7 @@ export function clearActiveQueryContext() {
     // not by us. setInteractionSource resets it in the relevant transitions.
 }
 export function logToolUse(toolName, toolInput) {
-    const timestamp = new Date().toLocaleTimeString('en-US', { hour12: false });
+    const timestamp = formatTime24InTimeZone(new Date(), TIMEZONE);
     const summary = summarizeToolCall(toolName, toolInput);
     const entry = `- \`${timestamp}\` **${toolName}** — ${summary}`;
     auditLog.push(entry);

package/dist/agent/insight-engine.js

@@ -11,10 +11,11 @@
 import { existsSync, readFileSync, readdirSync } from 'node:fs';
 import path from 'node:path';
 import pino from 'pino';
-import { GOALS_DIR, BASE_DIR, MEMORY_DB_PATH, VAULT_DIR } from '../config.js';
+import { GOALS_DIR, BASE_DIR, MEMORY_DB_PATH, VAULT_DIR, TIMEZONE } from '../config.js';
 import { listAllGoals } from '../tools/shared.js';
 import { computeBrokenJobs } from '../gateway/failure-monitor.js';
 import { MemoryStore } from '../memory/store.js';
+import { dateKeyInTimeZone } from '../lib/time.js';
 const logger = pino({ name: 'clementine.insight-engine' });
 const BASE_COOLDOWN_MS = 2 * 60 * 60 * 1000; // 2 hours
 const MAX_DAILY_INSIGHTS = 3;
@@ -23,7 +24,7 @@ const UNACKED_THRESHOLD = 3; // double cooldown after this many ignored
  * Check if it's too soon to send another proactive message.
  */
 export function canSendInsight(state) {
-    const today = new Date().toISOString().slice(0, 10);
+    const today = dateKeyInTimeZone(new Date(), TIMEZONE);
     // Reset daily count on new day
     if (state.currentDate !== today) {
         state.sentToday = [];

package/dist/agent/mcp-bridge.js

@@ -453,8 +453,7 @@ export async function probeAvailableTools(force = false) {
             options: normalizeClaudeSdkOptionsForOneMillionContext({
                 systemPrompt: 'Reply ok.',
                 model: 'claude-haiku-4-5',
-                permissionMode: 'bypassPermissions',
-                allowDangerouslySkipPermissions: true,
+                permissionMode: 'dontAsk',
                 mcpServers: externalMcpServers,
             }),
         });

package/dist/agent/prompt-cache.js

@@ -24,6 +24,13 @@ export class PromptCache {
             return;
         try {
             const w = watch(filePath, () => { this.cache.delete(filePath); });
+            w.on('error', () => {
+                try {
+                    w.close();
+                }
+                catch { /* ignore */ }
+                this.watchers.delete(filePath);
+            });
             w.unref(); // Don't keep daemon alive
             this.watchers.set(filePath, w);
         }

package/dist/agent/prompt-overrides/loader.js

@@ -20,6 +20,7 @@ function rootDir(baseDir) {
 // ── State ────────────────────────────────────────────────────────────
 let cached = [];
 let watcherInstalled = false;
+let watcher = null;
 let watchDebounce = null;
 // ── Parse one file ───────────────────────────────────────────────────
 function parseOverride(filePath, scope, scopeKey) {
@@ -132,7 +133,7 @@ export function watchPromptOverrides(opts) {
             mkdirSync(p, { recursive: true });
     }
     try {
-        fsWatch(root, { recursive: true }, () => {
+        watcher = fsWatch(root, { recursive: true }, () => {
             if (watchDebounce)
                 clearTimeout(watchDebounce);
             watchDebounce = setTimeout(() => {
@@ -144,6 +145,16 @@ export function watchPromptOverrides(opts) {
                 }
             }, 250);
         });
+        watcher.on('error', (err) => {
+            logger.warn({ err, root }, 'Prompt-overrides watcher failed — hot reload disabled');
+            try {
+                watcher?.close();
+            }
+            catch { /* ignore */ }
+            watcher = null;
+            watcherInstalled = false;
+        });
+        watcher.unref();
         watcherInstalled = true;
         logger.debug({ root }, 'Watching prompt-overrides for hot reload');
     }
@@ -155,6 +166,13 @@ export function watchPromptOverrides(opts) {
 export function _resetLoaderState() {
     cached = [];
     watcherInstalled = false;
+    if (watcher) {
+        try {
+            watcher.close();
+        }
+        catch { /* ignore */ }
+        watcher = null;
+    }
     if (watchDebounce) {
         clearTimeout(watchDebounce);
         watchDebounce = null;

package/dist/agent/run-agent-cron.d.ts

@@ -210,8 +210,7 @@ export interface RunAgentCronResult extends RunAgentResult {
     /** Pinned skills that didn't resolve (bad slug / suppressed). Empty array
      *  is fine; only populated when the trick had pins that failed to load. */
     skillsMissing: string[];
-    /** Effective tool allowlist passed to runAgent (post-intersection). Undefined
-     *  means the trick didn't override — runAgent fell through to profile/default. */
+    /** Effective SDK allowedTools after defaults/MCP mapping were applied. */
     allowedToolsApplied?: string[];
     /** MCP servers live for this run after profile + trick intersection. */
     mcpServersApplied: string[];

package/dist/agent/run-agent-cron.js

@@ -809,7 +809,7 @@ export async function runAgentCron(opts) {
         externalConnected,
         skillsApplied: plan.skillsApplied,
         skillsMissing: plan.skillsMissing,
-        allowedToolsApplied: effectiveAllowedTools,
+        allowedToolsApplied: result.allowedToolsApplied ?? effectiveAllowedTools,
         mcpServersApplied,
     };
 }