clementine-agent 1.18.209 → 1.18.211

package/dist/agent/agent-definitions.js

@@ -141,15 +141,15 @@ function buildHiredAgentDescription(p) {
         'Spawn this subagent when the user names them, asks a question in their domain, or asks Clementine to "have <name> do X".',
     ].filter(Boolean).join(' ');
 }
-/** Map a hired-agent profile to an AgentDefinition.
- *  Used when Clementine wants to delegate to Ross/Sasha/Nora etc. */
+/** Map a hired-agent profile to an AgentDefinition. */
 function profileToAgentDefinition(p) {
-    // Always include `Agent` so the subagent can further fan out, plus
-    // core read tools as a baseline. profile.team.allowedTools narrows
-    // beyond this when set.
-    const baseline = ['Agent', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch', 'TodoWrite'];
+    // Hired-agent definitions are leaf subagents by default. The Claude
+    // Agent SDK does not support recursive subagent spawning via `Agent`
+    // inside subagent tool lists; if Clementine grows nested orchestration,
+    // it should be explicit and depth-limited rather than accidental.
+    const baseline = ['Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch', 'TodoWrite'];
     const tools = p.team?.allowedTools?.length
-        ? Array.from(new Set(['Agent', ...p.team.allowedTools]))
+        ? Array.from(new Set(p.team.allowedTools.filter(tool => tool !== 'Agent')))
         : baseline;
     return {
         description: buildHiredAgentDescription(p),
@@ -198,10 +198,10 @@ export function buildAgentMap(opts = {}) {
     // 1.18.198 — NO `tools` allowlist. Researcher inherits every tool the
     // parent has access to (Bash, Read, MCP wildcards, etc.). The earlier
     // hardcoded ['Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch'] blocked
-    // researcher from using the parent's MCP servers — when Ross dispatched
-    // "Parallel SEO enrichment for 13 domains" the subagent couldn't call
+    // researcher from using the parent's MCP servers. A delegated
+    // "Parallel SEO enrichment for 13 domains" subagent couldn't call
     // `mcp__dataforseo__*` because it wasn't in the allowlist. Result: the
-    // subagent said "I can't do that" and Ross fell back to running 25
+    // subagent said "I can't do that" and the parent fell back to running 25
     // sequential MCP calls in his own turn, defeating the fan-out.
     //
     // Read-only behavior is enforced in RESEARCHER_PROMPT (behavior class:

package/dist/agent/approval-signals.d.ts

@@ -13,7 +13,7 @@
  *   ## Owner approval signals (recent)
  *   APPROVED (do more like this):
  *   - cron/insight-check: "Apply lean mode to reduce prompt size"
- *   - agent/sasha-the-cmo: "Add explicit citation requirement to system prompt"
+ *   - agent/marketing-agent: "Add explicit citation requirement to system prompt"
  *
  *   DENIED (avoid these patterns):
  *   - workflow/email-gen: "Replace template with LLM generation"  ← user note: "too generic; loses voice"
@@ -31,7 +31,7 @@ export interface ApprovalSignal {
     experimentId: string;
     /** The area the proposal targeted (cron, agent, skill, soul, etc.). */
     area: string;
-    /** The specific target (e.g., "insight-check", "sasha-the-cmo"). */
+    /** The specific target (e.g., "insight-check", "marketing-agent"). */
     target: string;
     /** The proposal's one-sentence hypothesis (truncated to 200 chars). */
     hypothesis: string;

package/dist/agent/approval-signals.js

@@ -13,7 +13,7 @@
  *   ## Owner approval signals (recent)
  *   APPROVED (do more like this):
  *   - cron/insight-check: "Apply lean mode to reduce prompt size"
- *   - agent/sasha-the-cmo: "Add explicit citation requirement to system prompt"
+ *   - agent/marketing-agent: "Add explicit citation requirement to system prompt"
  *
  *   DENIED (avoid these patterns):
  *   - workflow/email-gen: "Replace template with LLM generation"  ← user note: "too generic; loses voice"

package/dist/agent/assistant.js

@@ -262,6 +262,9 @@ const TOOLS_SERVER = `${ASSISTANT_NAME.toLowerCase()}-tools`;
 function mcpTool(name) {
     return `mcp__${TOOLS_SERVER}__${name}`;
 }
+function mcpServerWildcard(serverName) {
+    return `mcp__${serverName}__*`;
+}
 const CLEMENTINE_CORE_TOOL_NAMES = [
     'working_memory',
     'user_model',
@@ -1748,6 +1751,31 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
                 fullSurface: false,
             };
         }
+        const profileComposioAllowList = profile?.allowedComposioToolkits;
+        if (!toolsDisabledForCall
+            && !isPlanStep
+            && !toolRoute.fullSurface
+            && Array.isArray(toolRoute.composioToolkits)
+            && !Array.isArray(profileComposioAllowList)) {
+            try {
+                const { listConnectedToolkits, matchConnectedToolkitsInText } = await import('../integrations/composio/client.js');
+                const composioRoutingText = [
+                    directScopeText,
+                    allowContextToolRoute ? contextRoutingText : '',
+                ].filter(Boolean).join('\n');
+                const mentioned = matchConnectedToolkitsInText(composioRoutingText, await listConnectedToolkits());
+                if (mentioned.length > 0) {
+                    toolRoute = {
+                        ...toolRoute,
+                        composioToolkits: [...new Set([...toolRoute.composioToolkits, ...mentioned])],
+                        reason: 'matched',
+                    };
+                }
+            }
+            catch (err) {
+                logger.debug({ err }, 'Connected Composio toolkit text match failed (non-fatal)');
+            }
+        }
         let allowedTools = [];
         const addAllowed = (...tools) => {
             for (const tool of tools) {
@@ -1944,9 +1972,8 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
         if (!toolsDisabledForCall && !isPlanStep) {
             try {
                 const { buildComposioMcpServers } = await import('../integrations/composio/mcp-bridge.js');
-                const profileAllowList = profile?.allowedComposioToolkits;
-                const allowList = Array.isArray(profileAllowList)
-                    ? profileAllowList
+                const allowList = Array.isArray(profileComposioAllowList)
+                    ? profileComposioAllowList
                     : toolRoute.composioToolkits;
                 composioMcpServers = await buildComposioMcpServers(allowList);
             }
@@ -1956,6 +1983,10 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
             }
         }
         const composioConnectedSlugs = Object.keys(composioMcpServers);
+        if (!toolsDisabledForCall) {
+            for (const slug of composioConnectedSlugs)
+                addAllowed(mcpServerWildcard(slug));
+        }
         const { stable, volatile: volatilePromptPart } = this.buildSystemPrompt({
             isHeartbeat, cronTier: isPlanStep ? null : cronTier, retrievalContext, profile, sessionKey, model: resolvedModel, verboseLevel, intentClassification,
             contextTier: turnPolicy?.retrievalTier ?? (retrievalContext ? 'full' : 'core'),

package/dist/agent/bg-planner.d.ts

@@ -4,7 +4,7 @@
  *
  * Why this exists (1.18.190)
  * ──────────────────────────
- * Before this, a complex multi-step user ask ("find the coaches project,
+ * Before this, a complex multi-step user ask ("find the catalog project,
  * build me an HTML report, deploy it to Netlify, verify the URL") got
  * handed to a single monolithic bg-task worker. The worker had its own
  * 200K context but still autocompact-thrashed because:
@@ -36,15 +36,14 @@
  * a multi-domain ask into proper steps is not mechanical.
  *
  * If you're tempted to "save tokens" by flipping this to Haiku, read
- * the 2026-05-12 root-cause plan first
- * (~/.claude/plans/look-at-the-last-vivid-rossum.md). The whole point
+ * a recent root-cause plan first. The whole point
  * of this ship is to NOT cut corners on the decomposition layer.
  */
 import type { ProjectMeta } from './assistant.js';
 export interface PlanStep {
     /** 0-indexed position. */
     index: number;
-    /** Short imperative title (e.g., "Find the coaches project"). */
+    /** Short imperative title (e.g., "Find the catalog project"). */
     title: string;
     /** What this step does, in 1-2 sentences. The chained worker sees this. */
     scope: string;

package/dist/agent/bg-planner.js

@@ -4,7 +4,7 @@
  *
  * Why this exists (1.18.190)
  * ──────────────────────────
- * Before this, a complex multi-step user ask ("find the coaches project,
+ * Before this, a complex multi-step user ask ("find the catalog project,
  * build me an HTML report, deploy it to Netlify, verify the URL") got
  * handed to a single monolithic bg-task worker. The worker had its own
  * 200K context but still autocompact-thrashed because:
@@ -36,8 +36,7 @@
  * a multi-domain ask into proper steps is not mechanical.
  *
  * If you're tempted to "save tokens" by flipping this to Haiku, read
- * the 2026-05-12 root-cause plan first
- * (~/.claude/plans/look-at-the-last-vivid-rossum.md). The whole point
+ * a recent root-cause plan first. The whole point
  * of this ship is to NOT cut corners on the decomposition layer.
  */
 import fs from 'node:fs';
@@ -202,7 +201,7 @@ function buildPlannerSystemPrompt() {
         '{',
         '  "steps": [',
         '    {',
-        '      "title": "<short imperative title, e.g. \'Find the coaches project\'>",',
+        '      "title": "<short imperative title, e.g. \'Find the catalog project\'>",',
         '      "scope": "<1-2 sentences describing exactly what this step does>",',
         '      "expectedTools": ["tool_name_1", "tool_name_2"],',
         '      "deliverable": "<file path | URL | description of the artifact>"',
@@ -273,7 +272,7 @@ async function runPlannerLlm(userPrompt, systemPrompt, model) {
     // Raw `systemPrompt: string` tells the SDK to use API-key auth, which
     // 99% of installs don't have configured — they're logged into Claude
     // Code, not the Anthropic API. This was the "Not logged in · Please
-    // run /login" failure Ross's owner hit on 2026-05-12.
+    // run /login" provider-auth failure.
     //
     // The preset injects Claude Code's default system prompt; our planning
     // instructions go in `append` and dominate behavior for the single

package/dist/agent/claim-verification.d.ts

@@ -5,7 +5,7 @@
  * Why this exists (1.18.187)
  * ──────────────────────────
  * On 2026-05-11 a bg task was diagnosed where Clementine said "The
- * site is live again at https://X.netlify.app — all 100 coaches with
+ * site is live again at https://X.netlify.app — all 100 product records with
  * search/filter/sort intact" — but the live URL returned HTTP 404,
  * and the run had zero tool calls matching a deploy. She had
  * confabulated success from a recall summary of a PRIOR task.

package/dist/agent/claim-verification.js

@@ -5,7 +5,7 @@
  * Why this exists (1.18.187)
  * ──────────────────────────
  * On 2026-05-11 a bg task was diagnosed where Clementine said "The
- * site is live again at https://X.netlify.app — all 100 coaches with
+ * site is live again at https://X.netlify.app — all 100 product records with
  * search/filter/sort intact" — but the live URL returned HTTP 404,
  * and the run had zero tool calls matching a deploy. She had
  * confabulated success from a recall summary of a PRIOR task.

package/dist/agent/clarification-gate.d.ts

@@ -0,0 +1,116 @@
+import type { RunSummary, SideEffectCall } from './run-summary.js';
+export type PendingAgentDecisionKind = 'blocked_external_action';
+export type BlockedActionCategory = 'deployment_target_missing';
+export interface PendingAgentDecision {
+    id: string;
+    kind: PendingAgentDecisionKind;
+    createdAt: number;
+    expiresAt: number;
+    runIds: string[];
+    originalRequest: string;
+    question: string;
+    context: {
+        category: BlockedActionCategory;
+        classifierId: string;
+        provider: string;
+        providerLabel: string;
+        blockerSummary: string;
+        failedCommand: string;
+        error: string;
+        targetNoun: string;
+        targetPlaceholder: string;
+        createInstructions: string[];
+        existingInstructions: string[];
+        projectPath?: string;
+        agentId?: string;
+        completedSideEffects?: string[];
+    };
+}
+export type AgentDecisionReply = {
+    kind: 'answer';
+    action: 'create_new_target';
+} | {
+    kind: 'answer';
+    action: 'use_existing_target';
+    target: string;
+} | {
+    kind: 'cancel';
+} | {
+    kind: 'unclear';
+    message: string;
+};
+export interface BlockedActionClassifier {
+    id: string;
+    category: BlockedActionCategory;
+    provider: string;
+    providerLabel: string;
+    targetNoun: string;
+    targetPlaceholder: string;
+    defaultCommand: string;
+    defaultError: string;
+    blockerSummary: string;
+    matches(call: SideEffectCall): boolean;
+    createInstructions: string[];
+    existingInstructions: string[];
+}
+/**
+ * Extension point for install-specific tool/provider blockers. Core owns the
+ * state machine; providers own only small classifiers and resume instructions.
+ */
+export declare function registerBlockedActionClassifier(classifier: BlockedActionClassifier): () => void;
+export interface PreconditionEnv {
+    /** Working directory the agent will use for this tool call. */
+    cwd: string;
+    /** Active project path if the router resolved one. */
+    activeProjectPath?: string;
+    /** filesystem.existsSync injection point for testability. */
+    existsSync?: (path: string) => boolean;
+}
+export interface PreconditionMatch {
+    /** The command or tool action that would have run (for owner display). */
+    attemptedCommand: string;
+    /** The reason the precondition failed (for owner display). */
+    reason: string;
+    /** Optional project path inferred from the input (e.g. `cd /path && netlify deploy`). */
+    projectPath?: string;
+}
+export interface PreconditionClassifier {
+    id: string;
+    category: BlockedActionCategory;
+    provider: string;
+    providerLabel: string;
+    targetNoun: string;
+    targetPlaceholder: string;
+    blockerSummary: string;
+    /** Tool names this classifier inspects. e.g. ['Bash'] or
+     *  ['mcp__clementine-tools__project_deploy']. Wildcard `'*'` not supported —
+     *  classifiers should be narrow on purpose. */
+    toolNames: readonly string[];
+    /** Returns a PreconditionMatch when the call should be blocked, or null
+     *  to let it proceed. Errors thrown here are caught and treated as a pass
+     *  (fail-open) — the post-hoc classifier still catches the failure. */
+    matchesPreconditions(input: Record<string, unknown>, env: PreconditionEnv): PreconditionMatch | null;
+    createInstructions: string[];
+    existingInstructions: string[];
+}
+/** Extension point for pre-call classifiers. Mirrors registerBlockedActionClassifier. */
+export declare function registerPreconditionClassifier(classifier: PreconditionClassifier): () => void;
+export declare function buildBlockedActionDecisionFromRunSummary(summary: RunSummary, originalRequest: string, nowMs?: number): PendingAgentDecision | null;
+export declare function parseAgentDecisionReply(decision: PendingAgentDecision, message: string): AgentDecisionReply;
+export declare function buildAgentDecisionContinuationPrompt(decision: PendingAgentDecision, reply: Extract<AgentDecisionReply, {
+    kind: 'answer';
+}>): string;
+export declare const buildRepairDecisionFromRunSummary: typeof buildBlockedActionDecisionFromRunSummary;
+/**
+ * Run all registered precondition classifiers against an attempted tool
+ * call. Returns the first PendingAgentDecision that matches, or null if
+ * the call should proceed. Errors inside individual classifiers are
+ * swallowed (fail-open) — the post-hoc classifier remains as the safety
+ * net for any case the pre-call rule mishandles.
+ */
+export declare function evaluatePreconditionsForToolCall(toolName: string, input: Record<string, unknown>, env: PreconditionEnv, opts?: {
+    originalRequest?: string;
+    runId?: string;
+    nowMs?: number;
+}): PendingAgentDecision | null;
+//# sourceMappingURL=clarification-gate.d.ts.map