clementine-agent 1.18.63 → 1.18.64

package/dist/agent/agent-definitions.js

@@ -54,10 +54,10 @@ const CRON_FIXER_PROMPT = [
     'You are the cron-fix specialist. You diagnose and apply fixes to broken cron jobs.',
     '',
     'Workflow:',
-    '1. Call `list_broken_jobs` to see what is currently broken with their cached diagnoses.',
+    '1. If you already know the job name (parent named it, or notification context names it), call `cron_diagnose` first — it returns the bounded recent-run summary, phase status, and inferred root cause in one shot. If you need a list of currently failing jobs, call `list_broken_jobs` instead.',
     '2. For each job the user/parent asked about, check the proposed fix:',
     '   - confidence=high + risk=low + autoApply=true → call `apply_broken_job_fix`.',
-    '   - Otherwise → describe the diagnosis and ask the parent for explicit approval.',
+    '   - Otherwise → describe the diagnosis and ask the parent for explicit approval before any manual repair.',
     '3. After applying a fix, the verification system auto-rolls-back if the next 3 runs do not improve. You do NOT need to monitor manually.',
     '',
     'Return: a one-paragraph summary of what you applied (or what is blocking apply), per job.',
@@ -154,6 +154,7 @@ export function buildAgentMap(opts = {}) {
         prompt: CRON_FIXER_PROMPT,
         model: 'sonnet',
         tools: [
+            'mcp__clementine-tools__cron_diagnose',
             'mcp__clementine-tools__list_broken_jobs',
             'mcp__clementine-tools__apply_broken_job_fix',
             'mcp__clementine-tools__cron_list',

package/dist/gateway/cron-diagnostic-turn.d.ts

@@ -20,7 +20,4 @@ export declare function detectCronDiagnosticRequest(text: string, opts?: {
 export declare function buildCronDiagnosticResponseForRequest(request: CronDiagnosticRequest, opts?: {
     baseDir: string;
 }): string | null;
-export declare function buildCronDiagnosticResponse(text: string, opts?: {
-    baseDir: string;
-}): string | null;
 //# sourceMappingURL=cron-diagnostic-turn.d.ts.map

package/dist/gateway/cron-diagnostic-turn.js

@@ -274,10 +274,4 @@ export function buildCronDiagnosticResponseForRequest(request, opts = { baseDir:
     }
     return lines.join('\n');
 }
-export function buildCronDiagnosticResponse(text, opts = { baseDir: process.env.CLEMENTINE_HOME || '' }) {
-    const request = detectCronDiagnosticRequest(text, { baseDir: opts.baseDir });
-    if (!request || !opts.baseDir)
-        return null;
-    return buildCronDiagnosticResponseForRequest(request, opts);
-}
 //# sourceMappingURL=cron-diagnostic-turn.js.map

package/dist/gateway/recent-context.js

@@ -8,7 +8,7 @@
 import path from 'node:path';
 import { listBackgroundTasks } from '../agent/background-tasks.js';
 import { buildNotificationContextPrompt, findRecentNotificationContext, looksLikeNotificationFollowup, } from './notification-context.js';
-import { buildCronDiagnosticResponseForRequest, detectCronDiagnosticRequest, isInternalSyntheticPrompt, } from './cron-diagnostic-turn.js';
+import { detectCronDiagnosticRequest, isInternalSyntheticPrompt, } from './cron-diagnostic-turn.js';
 export { isInternalSyntheticPrompt } from './cron-diagnostic-turn.js';
 const RECENT_TASK_TTL_MS = 24 * 60 * 60 * 1000;
 function normalizeForMatch(text) {
@@ -22,48 +22,6 @@ function normalizeForMatch(text) {
 function compactWhitespace(text) {
     return text.replace(/\s+/g, ' ').trim();
 }
-function wantsFix(text) {
-    return /\b(fix|repair|solve|handle|diagnose|debug|what broke|what happened|why did|why is|issue|problem|failure|failed|failing)\b/i.test(text);
-}
-function jobMentionedInText(jobName, text) {
-    const normalizedText = normalizeForMatch(text);
-    const normalizedJob = normalizeForMatch(jobName);
-    return !!normalizedJob && normalizedText.includes(normalizedJob);
-}
-function resolveNotificationJob(event, userText, baseDir) {
-    const explicit = detectCronDiagnosticRequest(userText, { baseDir });
-    if (explicit?.jobName)
-        return explicit.jobName;
-    const jobs = event.jobNames ?? [];
-    if (jobs.length === 1)
-        return jobs[0] ?? null;
-    const mentioned = jobs.find((job) => jobMentionedInText(job, userText));
-    return mentioned ?? null;
-}
-function summarizeCronNotification(event, userText, opts) {
-    const jobs = event.jobNames ?? [];
-    if (jobs.length === 0)
-        return null;
-    const targetJob = resolveNotificationJob(event, userText, opts.baseDir);
-    if (targetJob) {
-        return buildCronDiagnosticResponseForRequest({ jobName: targetJob, wantsFix: wantsFix(userText) }, { baseDir: opts.baseDir });
-    }
-    const lines = [
-        `I am resolving this to the recent cron failure alert: ${jobs.join(', ')}.`,
-        'More than one job was in that alert, so I am not going to guess or start background work.',
-        '',
-    ];
-    for (const job of jobs.slice(0, 5)) {
-        const diagnostic = buildCronDiagnosticResponseForRequest({ jobName: job, wantsFix: false }, { baseDir: opts.baseDir });
-        const preview = diagnostic
-            ? diagnostic.split('\n').slice(1, 4).join(' ')
-            : 'No local diagnostic summary available.';
-        lines.push(`- ${job}: ${compactWhitespace(preview).slice(0, 260)}`);
-    }
-    lines.push('');
-    lines.push(`Reply \`fix ${jobs[0]}\` or name the job you want me to repair first.`);
-    return lines.join('\n');
-}
 function taskMatchesSession(task, sessionKey) {
     return task.sessionKey === sessionKey;
 }
@@ -151,22 +109,11 @@ export function resolveRecentOperationalContext(sessionKey, text, opts) {
         now: opts.now,
     });
     if (notification) {
-        if (notification.type === 'cron_failure') {
-            const responseText = summarizeCronNotification(notification, text, opts);
-            if (responseText) {
-                return {
-                    source: 'notification',
-                    reason: 'vague-followup-to-cron-failure-notification',
-                    responseText,
-                    suppressDeepMode: true,
-                    eventId: notification.id,
-                    jobNames: notification.jobNames,
-                };
-            }
-        }
         return {
             source: 'notification',
-            reason: 'vague-followup-to-proactive-notification',
+            reason: notification.type === 'cron_failure'
+                ? 'vague-followup-to-cron-failure-notification'
+                : 'vague-followup-to-proactive-notification',
             promptText: buildNotificationContextPrompt(notification, text),
             suppressDeepMode: true,
             eventId: notification.id,

package/dist/gateway/router.js

@@ -20,7 +20,6 @@ import { listBackgroundTasks, loadBackgroundTask, markFailed } from '../agent/ba
 import { applyAssistantExperienceUpdate, detectApprovalReply, detectLocalTurn } from '../agent/local-turn.js';
 import { buildApprovalFollowupPrompt, detectActionExpectation } from '../agent/action-enforcer.js';
 import { updateClementineJson } from '../config/clementine-json.js';
-import { buildCronDiagnosticResponse } from './cron-diagnostic-turn.js';
 import { classifyIntent } from '../agent/intent-classifier.js';
 import { decideTurn } from '../agent/turn-policy.js';
 import { recordProactiveNotificationEvent, } from './notification-context.js';
@@ -1441,34 +1440,6 @@ export class Gateway {
                 text = recentContext.promptText;
             }
         }
-        // Cron "what broke / fix this job" asks should not spin up a broad SDK
-        // session. They are bounded local diagnostics over run summaries and scalar
-        // config only, and they intentionally do not execute the cron job.
-        if (this.isTrustedPersonalSession(sessionKey) && !isInternalSyntheticPrompt(text)) {
-            const cronDiagnostic = buildCronDiagnosticResponse(text, { baseDir: BASE_DIR });
-            if (cronDiagnostic) {
-                const current = this.sessions.get(sessionKey);
-                if (current?.abortController && !current.abortController.signal.aborted) {
-                    current.abortController.abort('replaced-by-cron-diagnostic');
-                    logger.info({ sessionKey }, 'Interrupted active chat for local cron diagnostic');
-                }
-                this.assistant.injectContext(sessionKey, originalText, cronDiagnostic);
-                if (onText) {
-                    try {
-                        await onText(cronDiagnostic);
-                    }
-                    catch { /* channel streaming is best-effort */ }
-                }
-                logger.info({
-                    sessionKey,
-                    totalMs: Date.now() - tInnerStart,
-                    chatMs: Date.now() - localTurnStarted,
-                    localCronDiagnostic: true,
-                    responseLen: cronDiagnostic.length,
-                }, 'chat:latency');
-                return cronDiagnostic;
-            }
-        }
         // Show "queued" status if either lane or session lock is contended,
         // so the user doesn't stare at "thinking..." for up to 60s while a
         // previous message is still processing.

package/dist/tools/admin-tools.js

@@ -1779,5 +1779,16 @@ export function registerAdminTools(server) {
                 `The fix-verification tracker will roll it back automatically if the next runs don't improve. ` +
                 `Root cause: ${d.rootCause?.slice(0, 200) ?? ""}.`);
     });
+    server.tool('cron_diagnose', 'Return a bounded deterministic diagnosis for one cron job — recent run summary, unleashed phase status, last clean success, current scalar config, and the inferred root cause. Reads only from local run history and cron config; does NOT execute the job. Use this when the user asks what is broken with a specific job, before deciding whether to call apply_broken_job_fix or to propose a manual repair.', {
+        jobName: z.string().describe('The job name as shown in CRON.md or list_broken_jobs output (e.g. "audit-inbox-check" or "ross-the-sdr:reply-detection").'),
+    }, async ({ jobName }) => {
+        const { buildCronDiagnosticResponseForRequest } = await import('../gateway/cron-diagnostic-turn.js');
+        const response = buildCronDiagnosticResponseForRequest({ jobName, wantsFix: true }, { baseDir: BASE_DIR });
+        if (!response) {
+            return textResult(`No diagnostic data for \`${jobName}\` — either the job is not configured in CRON.md or there is no run history yet. ` +
+                `Check the job name with cron_list or list_broken_jobs.`);
+        }
+        return textResult(response);
+    });
 }
 //# sourceMappingURL=admin-tools.js.map

package/electron-builder.yml

@@ -27,6 +27,8 @@ mac:
   target:
     - dmg
     - zip
+dmg:
+  sign: true
 artifactName: Clementine-${version}-mac-${arch}.${ext}
 publish:
   provider: github

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clementine-agent",
-  "version": "1.18.63",
+  "version": "1.18.64",
   "description": "Clementine — Personal AI Assistant (TypeScript)",
   "type": "module",
   "main": "dist/index.js",
@@ -18,7 +18,8 @@
     "desktop:debug": "npm run build && CLEMENTINE_DESKTOP_DEBUG=1 electron dist/desktop/main.js",
     "desktop:prepare": "npm run build && npm rebuild better-sqlite3",
     "desktop:pack": "npm run desktop:prepare && electron-builder --mac --dir",
-    "desktop:dist": "npm run desktop:prepare && electron-builder --mac",
+    "desktop:dist": "scripts/build-desktop-mac.sh",
+    "desktop:dist:unnotarized": "CLEMENTINE_ALLOW_UNNOTARIZED=1 scripts/build-desktop-mac.sh",
     "mcp": "tsx src/tools/mcp-server.ts",
     "cli": "tsx src/cli/index.ts",
     "typecheck": "tsc --noEmit",

package/scripts/build-desktop-mac.sh

@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT_DIR"
+
+load_env_file() {
+  local file="$1"
+  if [[ -f "$file" ]]; then
+    set -a
+    # shellcheck disable=SC1090
+    source "$file"
+    set +a
+  fi
+}
+
+load_env_file "$ROOT_DIR/.env.signing"
+load_env_file "$ROOT_DIR/.env.release"
+load_env_file "$HOME/.clementine/signing.env"
+
+if [[ -n "${APPLE_ID_PASSWORD:-}" && -z "${APPLE_APP_SPECIFIC_PASSWORD:-}" ]]; then
+  export APPLE_APP_SPECIFIC_PASSWORD="$APPLE_ID_PASSWORD"
+fi
+
+if [[ -n "${CLEMENTINE_NOTARY_PROFILE:-}" && -z "${APPLE_KEYCHAIN_PROFILE:-}" ]]; then
+  export APPLE_KEYCHAIN_PROFILE="$CLEMENTINE_NOTARY_PROFILE"
+fi
+
+has_password_creds=false
+if [[ -n "${APPLE_ID:-}" && -n "${APPLE_APP_SPECIFIC_PASSWORD:-}" && -n "${APPLE_TEAM_ID:-}" ]]; then
+  has_password_creds=true
+fi
+
+has_api_key_creds=false
+if [[ -n "${APPLE_API_KEY:-}" && -n "${APPLE_API_KEY_ID:-}" && -n "${APPLE_API_ISSUER:-}" ]]; then
+  has_api_key_creds=true
+fi
+
+has_keychain_profile=false
+if [[ -n "${APPLE_KEYCHAIN_PROFILE:-}" ]]; then
+  has_keychain_profile=true
+fi
+
+notarytool_args=()
+if [[ "$has_password_creds" == true ]]; then
+  notarytool_args=(--apple-id "$APPLE_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID")
+elif [[ "$has_api_key_creds" == true ]]; then
+  notarytool_args=(--key "$APPLE_API_KEY" --key-id "$APPLE_API_KEY_ID" --issuer "$APPLE_API_ISSUER")
+elif [[ "$has_keychain_profile" == true ]]; then
+  notarytool_args=(--keychain-profile "$APPLE_KEYCHAIN_PROFILE")
+  if [[ -n "${APPLE_KEYCHAIN:-}" ]]; then
+    notarytool_args=(--keychain "$APPLE_KEYCHAIN" "${notarytool_args[@]}")
+  fi
+fi
+
+if [[ "$has_password_creds" != true && "$has_api_key_creds" != true && "$has_keychain_profile" != true ]]; then
+  cat >&2 <<'EOF'
+No Apple notarization credentials were detected, so the release DMG would be signed but not notarized.
+
+Set one of these before running npm run desktop:dist:
+  - APPLE_ID, APPLE_APP_SPECIFIC_PASSWORD, APPLE_TEAM_ID
+  - APPLE_API_KEY, APPLE_API_KEY_ID, APPLE_API_ISSUER
+  - APPLE_KEYCHAIN_PROFILE
+
+This script also accepts:
+  - APPLE_ID_PASSWORD as an alias for APPLE_APP_SPECIFIC_PASSWORD
+  - CLEMENTINE_NOTARY_PROFILE as an alias for APPLE_KEYCHAIN_PROFILE
+
+One-time local keychain setup:
+  xcrun notarytool store-credentials clementine --apple-id <apple-id> --team-id 4AR3Y8XD72 --sync
+  CLEMENTINE_NOTARY_PROFILE=clementine npm run desktop:dist
+
+For a local signed-but-unnotarized test build:
+  npm run desktop:dist:unnotarized
+EOF
+  if [[ "${CLEMENTINE_ALLOW_UNNOTARIZED:-}" != "1" ]]; then
+    exit 1
+  fi
+fi
+
+npm run desktop:prepare
+"$ROOT_DIR/node_modules/.bin/electron-builder" --mac
+
+if [[ ${#notarytool_args[@]} -gt 0 ]]; then
+  package_version="$(node -p "require('./package.json').version")"
+  shopt -s nullglob
+  dmg_files=("$ROOT_DIR"/release/Clementine-"$package_version"-mac-*.dmg)
+  shopt -u nullglob
+
+  for dmg_file in "${dmg_files[@]}"; do
+    echo "Notarizing DMG wrapper: $(basename "$dmg_file")"
+    xcrun notarytool submit "$dmg_file" --wait "${notarytool_args[@]}"
+    xcrun stapler staple "$dmg_file"
+    xcrun stapler validate "$dmg_file"
+
+    case "$(uname -m)" in
+      arm64) app_builder="$ROOT_DIR/node_modules/app-builder-bin/mac/app-builder_arm64" ;;
+      x86_64) app_builder="$ROOT_DIR/node_modules/app-builder-bin/mac/app-builder_amd64" ;;
+      *) app_builder="" ;;
+    esac
+    if [[ -n "$app_builder" && -x "$app_builder" ]]; then
+      "$app_builder" blockmap --input "$dmg_file" --output "$dmg_file.blockmap"
+    fi
+
+    if [[ -f "$ROOT_DIR/release/latest-mac.yml" ]]; then
+      node --input-type=module - "$dmg_file" "$ROOT_DIR/release/latest-mac.yml" <<'NODE'
+import { createHash } from 'node:crypto';
+import { readFileSync, statSync, writeFileSync } from 'node:fs';
+import { basename } from 'node:path';
+
+const [dmgPath, latestPath] = process.argv.slice(2);
+const url = basename(dmgPath);
+const sha512 = createHash('sha512').update(readFileSync(dmgPath)).digest('base64');
+const size = statSync(dmgPath).size;
+const lines = readFileSync(latestPath, 'utf8').split(/\r?\n/);
+
+for (let index = 0; index < lines.length; index++) {
+  if (lines[index].trim() === `- url: ${url}`) {
+    for (let cursor = index + 1; cursor < lines.length; cursor++) {
+      if (/^\S/.test(lines[cursor]) || /^\s*-\s+url:/.test(lines[cursor])) break;
+      if (lines[cursor].trim().startsWith('sha512:')) lines[cursor] = `    sha512: ${sha512}`;
+      if (lines[cursor].trim().startsWith('size:')) lines[cursor] = `    size: ${size}`;
+    }
+    break;
+  }
+}
+
+writeFileSync(latestPath, `${lines.join('\n').replace(/\n*$/, '')}\n`);
+NODE
+    fi
+  done
+fi