clementine-agent 1.6.3 → 1.8.0

package/dist/agent/assistant.js

@@ -411,10 +411,24 @@ Routing rule: if the fact is something the agent should *always know* (not just
 ## Rules:
 - Only save genuinely NEW facts not already present in the Current Memory above.
 - If updating an existing topic, use memory_write(action="update_memory") to REPLACE the section, not append duplicates.
+- If a stored fact is now wrong (user corrected it, situation changed), use memory_write(action="supersede", supersedes_chunk_id=N, reason="…") instead of appending — the old chunk becomes invisible to retrieval, provenance is preserved.
 - If there's nothing new to save, respond "No new facts." and exit — do NOT call any tools.
 - Use the MCP tools (user_model, memory_write, note_create, task_add, note_take).
 - NEVER respond to ${OWNER}. You are invisible. Just save facts and exit.
 
+## Salience hint, confidence, reason (memory_write):
+Every memory_write call may include \`salience_hint\` (0.5–2.0), \`confidence\` (0–1), and \`reason\` (one short sentence). Use them — retrieval prioritizes high-salience, deprioritizes low-confidence, and reasons make the memory system explainable.
+
+salience_hint:
+- 0.5 — tentative, single-mention, may not be durable
+- 1.0 — normal (default; equivalent to omitting)
+- 1.5 — durable preference, decision, or strong stated opinion
+- 2.0 — identity-level fact (rare): role, name, foundational stance
+
+confidence: 1.0 = certain (default), 0.7 = probable, 0.5 = uncertain or heard secondhand, 0.3 = tentative. Lowers retrieval ranking without hiding.
+
+reason: one sentence answering "why is this worth keeping?" — e.g. "user just stated firm preference for plain .env over keychain after being burned by it." Skip routine cases.
+
 ## Behavioral Correction Detection:
 If ${OWNER} corrects HOW the assistant behaved (not a factual correction), output a JSON block:
 \`\`\`json-behavioral

package/dist/agent/hooks.d.ts

@@ -48,6 +48,8 @@ export interface AuditEvent {
  */
 export declare function logAuditJsonl(event: AuditEvent): void;
 export declare function setHeartbeatMode(active: boolean, tier2Allowed?: boolean): void;
+export declare function resetBrowserHarnessApproval(): void;
+export declare function isBrowserHarnessApproved(): boolean;
 export declare function setApprovalCallback(cb: ((desc: string) => Promise<boolean>) | null): void;
 export declare function setProfileTier(tier: number | null): void;
 export declare function setProfileAllowedTools(tools: string[] | null): void;

package/dist/agent/hooks.js

@@ -120,6 +120,16 @@ export function setHeartbeatMode(active, tier2Allowed = false) {
     heartbeatActive = active;
     heartbeatTier2Allowed = tier2Allowed;
 }
+// Session-scoped approval for browser harness T3 actions. Once the user
+// approves a session, subsequent T3 calls within that session auto-allow.
+// Resets on daemon restart (in-memory) and on explicit revoke.
+let browserHarnessSessionApproved = false;
+export function resetBrowserHarnessApproval() {
+    browserHarnessSessionApproved = false;
+}
+export function isBrowserHarnessApproved() {
+    return browserHarnessSessionApproved;
+}
 export function setApprovalCallback(cb) {
     approvalCallback = cb;
 }
@@ -197,11 +207,23 @@ export function logToolUse(toolName, toolInput) {
 // These apply to actual heartbeats and tier-1 cron jobs (read-only).
 // Tier 2+ cron jobs and unleashed tasks bypass these restrictions.
 const HEARTBEAT_DISALLOWED_TIER2 = ['Write', 'Edit', 'Bash'];
+// Browser harness write-class tools — drive the user's real Chrome with their
+// live cookies/sessions. NEVER run these without interactive approval. The
+// MCP server name is "browser-harness" so the SDK exposes them as
+// mcp__browser-harness__<tool>.
+const BROWSER_HARNESS_T3_TOOLS = [
+    'mcp__browser-harness__browser_click_xy',
+    'mcp__browser-harness__browser_type_text',
+    'mcp__browser-harness__browser_press_key',
+    'mcp__browser-harness__browser_scroll',
+    'mcp__browser-harness__browser_run_python',
+];
 const HEARTBEAT_DISALLOWED_ALWAYS = [
     'Bash', // No raw shell in low-tier autonomous mode
     'Task', // No sub-agents in heartbeats (too short to benefit)
     'Skill', // Skill packs load heavy context and waste turns
     'TodoWrite', // Internal bookkeeping wastes autonomous turns
+    ...BROWSER_HARNESS_T3_TOOLS, // Browser writes never run unsupervised
 ];
 export function getHeartbeatDisallowedTools() {
     const disallowed = [...HEARTBEAT_DISALLOWED_ALWAYS];
@@ -315,6 +337,42 @@ export async function enforceToolPermissions(toolName, toolInput, sourceOverride
             };
         }
     }
+    // ── Browser harness T3 — never autonomous, approve once per session ─
+    // These tools click/type/scroll/run-python in the user's REAL Chrome
+    // with their live cookies. They must never run without explicit consent.
+    const effectiveSourceForBrowser = sourceOverride ?? interactionSource;
+    if (BROWSER_HARNESS_T3_TOOLS.includes(toolName)) {
+        // Hard block during any autonomous context (cron tier-2, unleashed,
+        // heartbeat, member-channel sources). Heartbeat block is also handled
+        // above via getHeartbeatDisallowedTools, but this catches tier-2 cron
+        // and unleashed where heartbeatActive=false.
+        if (heartbeatActive || effectiveSourceForBrowser === 'autonomous') {
+            appendAuditFile(`[BROWSER-HARNESS] DENIED autonomous: ${toolName}`);
+            return {
+                behavior: 'deny',
+                message: `${toolName} controls your live browser — blocked during autonomous execution. Run interactively instead.`,
+            };
+        }
+        // Interactive: ask once per session. Subsequent T3 calls auto-allow
+        // until daemon restart (or explicit revoke via resetBrowserHarnessApproval).
+        if (!browserHarnessSessionApproved) {
+            if (approvalCallback) {
+                const approved = await approvalCallback('Allow Clementine to control your browser this session? Clicks, types, and key presses will run in your real Chrome with your live cookies and logins.');
+                if (!approved) {
+                    return { behavior: 'deny', message: 'Browser control denied by user.' };
+                }
+                browserHarnessSessionApproved = true;
+                appendAuditFile('[BROWSER-HARNESS] Session approval granted');
+            }
+            else {
+                // No approval callback wired — be safe, deny.
+                return {
+                    behavior: 'deny',
+                    message: 'Browser control requires interactive approval, but no approval callback is set in this context.',
+                };
+            }
+        }
+    }
     // ── Profile tier restrictions (restrict, never elevate) ────────
     if (activeProfileTier !== null) {
         if (activeProfileTier < 2 && ['Bash', 'Write', 'Edit'].includes(toolName)) {