moflo 4.9.28 → 4.9.30

package/dist/src/cli/commands/spell.js

@@ -15,6 +15,9 @@ import { formatStatus, handleMCPError } from '../services/cli-formatters.js';
 import { scheduleCommand } from './spell-schedule.js';
 import { spellCredentialsCommand } from './spell-credentials.js';
 import { loadSpellEngine } from '../services/engine-loader.js';
+import { readFile, writeFile } from 'node:fs/promises';
+import { basename } from 'node:path';
+import { updateYamlArgDefaults } from '../spells/core/yaml-defaults-writer.js';
 // Re-export formatStatus as formatStageStatus for table column references
 const formatStageStatus = formatStatus;
 // Shared table column definitions
@@ -141,6 +144,12 @@ export const castCommand = {
             description: 'Single key=value spell argument (repeatable). Numeric/boolean strings are coerced.',
             type: 'array',
         },
+        {
+            name: 'reprompt-creds',
+            description: 'Force re-prompting for env-type prereqs (rotate or correct stored credentials)',
+            type: 'boolean',
+            default: false,
+        },
     ],
     examples: [
         { command: 'moflo spell cast -n development', description: 'Cast spell by name' },
@@ -148,6 +157,7 @@ export const castCommand = {
         { command: 'moflo spell cast -n sa --dry-run', description: 'Validate via abbreviation' },
         { command: "moflo spell cast -n oap --args '{\"maxEmails\":50}'", description: 'Pass spell arguments as JSON' },
         { command: 'moflo spell cast -n oap --arg headless=false --arg maxEmails=50', description: 'Pass arguments as key=value pairs' },
+        { command: 'moflo spell cast -n oap --reprompt-creds', description: 'Re-prompt for credentials (rotate stored secrets)' },
     ],
     action: async (ctx) => {
         const name = ctx.flags.name || ctx.args[0];
@@ -217,6 +227,7 @@ export const castCommand = {
                 file: file || undefined,
                 args,
                 dryRun,
+                forceCredentialReprompt: ctx.flags.repromptCreds,
             });
             if (result.error) {
                 spinner.fail(`Spell failed: ${result.error}`);
@@ -245,6 +256,22 @@ export const castCommand = {
                 output.printTable({ columns: STEP_COLUMNS, data: result.steps });
             }
             printSpellErrors(result.errors);
+            // #1003 — offer to persist --arg values back into the spell YAML.
+            // CLI-interactive only; MCP/headless callers skip by design.
+            if (result.success
+                && !dryRun
+                && ctx.interactive
+                && Object.keys(args).length > 0
+                && result.sourceFile) {
+                if (result.tier === 'shipped') {
+                    const hint = name || basename(result.sourceFile).replace(/\.[^.]+$/, '');
+                    output.writeln();
+                    output.printInfo(`Shipped spell — copy to spells/dev/${hint}.yaml first to persist defaults.`);
+                }
+                else {
+                    await offerArgWriteback(result.sourceFile, args);
+                }
+            }
             return { success: result.success, data: result };
         }
         catch (error) {
@@ -256,6 +283,39 @@ export const castCommand = {
         }
     },
 };
+async function offerArgWriteback(sourceFile, userArgs) {
+    const keys = Object.keys(userArgs);
+    output.writeln();
+    const noun = keys.length === 1 ? 'argument' : 'arguments';
+    const accepted = await confirm({
+        message: `Save ${keys.length} ${noun} (${keys.join(', ')}) as the spell's defaults?`,
+        default: false,
+    });
+    if (!accepted)
+        return;
+    let original;
+    try {
+        original = await readFile(sourceFile, 'utf-8');
+    }
+    catch (err) {
+        output.printError(`Could not read spell YAML: ${err.message}`);
+        return;
+    }
+    const result = updateYamlArgDefaults(original, userArgs);
+    if (result.updated.length > 0) {
+        try {
+            await writeFile(sourceFile, result.content, 'utf-8');
+            output.printSuccess(`Saved ${result.updated.length} default${result.updated.length === 1 ? '' : 's'}: ${result.updated.join(', ')}`);
+        }
+        catch (err) {
+            output.printError(`Could not write spell YAML: ${err.message}`);
+            return;
+        }
+    }
+    if (result.skipped.length > 0) {
+        output.printWarning(`Skipped ${result.skipped.length} (not declared in arguments:): ${result.skipped.join(', ')}`);
+    }
+}
 // Validate subcommand
 const validateCommand = {
     name: 'validate',

package/dist/src/cli/mcp-tools/spell-tools.js

@@ -11,6 +11,7 @@ import { loadSpellEngine, getCachedEngine, } from '../services/engine-loader.js'
 import { findProjectRoot } from '../services/project-root.js';
 import { buildGrimoire } from '../services/grimoire-builder.js';
 import { errorDetail } from '../shared/utils/error-detail.js';
+import { inferSpellTier } from '../spells/core/spell-tier.js';
 // ============================================================================
 // Constants
 // ============================================================================
@@ -53,14 +54,18 @@ function trackResult(tracked, result) {
     tracked.completedAt = new Date().toISOString();
 }
 /** Execute a definition via the engine with tracking and error handling. */
-async function executeAndTrack(engine, definition, args) {
+async function executeAndTrack(engine, definition, args, options = {}) {
     const spellId = `sp-${Date.now()}`;
     const tracked = trackStart(spellId, definition.name, definition.description);
     try {
         const sandboxConfig = await engine.loadSandboxConfigFromProject(findProjectRoot());
-        const result = await engine.bridgeExecuteSpell(definition, args, { spellId, sandboxConfig });
+        const result = await engine.bridgeExecuteSpell(definition, args, {
+            spellId,
+            sandboxConfig,
+            forceCredentialReprompt: options.forceCredentialReprompt,
+        });
         trackResult(tracked, result);
-        return serializeResult(result);
+        return withSpellSource(serializeResult(result), options.sourceFile, options.tier);
     }
     catch (err) {
         tracked.status = SPELL_STATUS.FAILED;
@@ -68,6 +73,14 @@ async function executeAndTrack(engine, definition, args) {
         return { spellId, error: errorDetail(err) };
     }
 }
+/** Attach sourceFile + tier metadata to a serialized cast response. (#1003) */
+function withSpellSource(base, sourceFile, tier) {
+    if (sourceFile)
+        base.sourceFile = sourceFile;
+    if (tier)
+        base.tier = tier;
+    return base;
+}
 // ============================================================================
 // Registry singleton (created once per session, refreshable on demand)
 // ============================================================================
@@ -149,11 +162,16 @@ export const spellTools = [
                 content: { type: 'string', description: 'Inline YAML/JSON spell incantation' },
                 args: { type: 'object', description: 'Reagents (arguments) to pass to the spell' },
                 dryRun: { type: 'boolean', description: 'Preview the spell without casting' },
+                forceCredentialReprompt: {
+                    type: 'boolean',
+                    description: 'Force re-prompting for env-type prereqs even when the credential store has a stored value (used to rotate or correct stored secrets)',
+                },
             },
         },
         handler: async (input) => {
             const args = input.args ?? {};
             const dryRun = input.dryRun;
+            const forceCredentialReprompt = input.forceCredentialReprompt;
             if (input.name) {
                 // Resolve via registry and execute the parsed definition directly
                 const registry = await getRegistry();
@@ -162,7 +180,11 @@ export const spellTools = [
                     return { error: `Spell not found in grimoire: ${input.name}` };
                 }
                 const engine = await loadSpellEngine();
-                return executeAndTrack(engine, loaded.definition, args);
+                return executeAndTrack(engine, loaded.definition, args, {
+                    forceCredentialReprompt,
+                    sourceFile: loaded.sourceFile,
+                    tier: loaded.tier,
+                });
             }
             // Determine raw content source
             let content;
@@ -189,10 +211,12 @@ export const spellTools = [
             // Run from raw content via bridge
             const engine = await loadSpellEngine();
             const sandboxConfig = await engine.loadSandboxConfigFromProject(findProjectRoot());
-            const result = await engine.bridgeRunSpell(content, sourceFile, args, { dryRun, sandboxConfig });
+            const result = await engine.bridgeRunSpell(content, sourceFile, args, {
+                dryRun, sandboxConfig, forceCredentialReprompt,
+            });
             const tracked = trackStart(result.spellId, spellName);
             trackResult(tracked, result);
-            return serializeResult(result);
+            return withSpellSource(serializeResult(result), sourceFile, sourceFile ? inferSpellTier(sourceFile) : undefined);
         },
     },
     // --------------------------------------------------------------------------

package/dist/src/cli/spells/core/credential-validation.js

@@ -0,0 +1,89 @@
+/**
+ * Credential Validation
+ *
+ * Lightweight, no-config shape checks applied to values pulled from the
+ * encrypted credential store before they are promoted to `process.env`.
+ *
+ * Two heuristics, both conservative — only invalidate when there is
+ * positive evidence the stored value is bad. Anything we can't classify
+ * passes through unchanged.
+ *
+ *   - JWT-shaped values (3 base64url segments) get their `exp` claim
+ *     parsed and compared to "now". An expired JWT is reported as such.
+ *   - Env keys ending in `_URL` must parse via the WHATWG `URL`
+ *     constructor and have a non-empty host.
+ *
+ * Story #1007: avoid silently reusing stale stored credentials (e.g.
+ * Microsoft Graph access tokens, which expire in ~1h) so the resolver
+ * can fall through to the prompt path and the user understands why.
+ */
+const VALID_JWT_SEGMENT = /^[A-Za-z0-9_-]+$/;
+export function validateStoredCredential(envKey, value) {
+    if (envKey.endsWith('_URL')) {
+        return validateUrlValue(value);
+    }
+    if (looksLikeJwt(value)) {
+        return validateJwtExpiry(value);
+    }
+    return { valid: true };
+}
+function validateUrlValue(value) {
+    try {
+        const parsed = new URL(value);
+        if (!parsed.host) {
+            return { valid: false, reason: 'stored value is not a valid URL (missing host)' };
+        }
+        return { valid: true };
+    }
+    catch {
+        return { valid: false, reason: 'stored value is not a valid URL' };
+    }
+}
+function looksLikeJwt(value) {
+    const parts = value.split('.');
+    if (parts.length !== 3)
+        return false;
+    return parts.every(p => p.length > 0 && VALID_JWT_SEGMENT.test(p));
+}
+function validateJwtExpiry(value) {
+    const exp = readJwtExp(value);
+    if (exp == null)
+        return { valid: true };
+    const expiryMs = exp * 1000;
+    const now = Date.now();
+    if (expiryMs >= now)
+        return { valid: true };
+    return { valid: false, reason: `JWT expired ${formatDuration(now - expiryMs)} ago` };
+}
+function readJwtExp(value) {
+    try {
+        const payload = value.split('.')[1];
+        const padLen = (4 - (payload.length % 4)) % 4;
+        const b64 = payload.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat(padLen);
+        const decoded = Buffer.from(b64, 'base64').toString('utf-8');
+        const parsed = JSON.parse(decoded);
+        if (typeof parsed === 'object' && parsed !== null) {
+            const exp = parsed.exp;
+            if (typeof exp === 'number' && Number.isFinite(exp))
+                return exp;
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+function formatDuration(ms) {
+    const s = Math.floor(ms / 1000);
+    if (s < 60)
+        return `${s}s`;
+    const m = Math.floor(s / 60);
+    if (m < 60)
+        return `${m}m`;
+    const h = Math.floor(m / 60);
+    if (h < 24)
+        return `${h}h ${m % 60}m`;
+    const d = Math.floor(h / 24);
+    return `${d}d ${h % 24}h`;
+}
+//# sourceMappingURL=credential-validation.js.map

package/dist/src/cli/spells/core/prerequisite-checker.js

@@ -18,6 +18,7 @@ import { access } from 'node:fs/promises';
 import { promisify } from 'node:util';
 import { acquireTTYLock } from './tty-lock.js';
 import { readLineFromStdin } from './stdin-reader.js';
+import { validateStoredCredential } from './credential-validation.js';
 const execFileAsync = promisify(execFile);
 /**
  * Check whether a CLI command is available on the system PATH.
@@ -165,7 +166,9 @@ function appendPrereqLine(lines, name, hint, url) {
  * Evaluate all prereqs. Resolution chain for env-type prereqs:
  *   1. process.env[key] already set → satisfied.
  *   2. credentials.get(key) returns a value → write to process.env, satisfied.
- *   3. TTY interactive → prompt → write to process.env AND credentials.store.
+ *   3. TTY interactive → prompt → write to process.env. After ALL prompts,
+ *      one Y/n offer asks whether to persist the collected answers to the
+ *      credential store as a batch (default Y). Story #1002.
  *   4. Non-TTY or no credentials → fail fast with `errorCode: 'MISSING_CREDENTIAL'`.
  *
  * Non-env prereqs (`command`, `file`) bypass the credential chain and surface
@@ -186,19 +189,30 @@ export async function resolveUnmetPrerequisites(prerequisites, options = {}) {
     }
     // Pull env-type prereqs from the store in parallel — each resolved index
     // lets us skip a re-check of the cheap env detector.
+    // `forceCredentialReprompt` bypasses this step so users can rotate or
+    // correct stored credentials by re-running through the prompt path.
+    // Stored values are shape-validated (#1007): expired JWTs and malformed
+    // _URL values are rejected and surface in the preflight banner, so the
+    // resolver re-prompts instead of silently feeding garbage to the spell.
     const resolvedFromStoreNames = [];
     const storeResolved = new Set();
-    if (credentials) {
+    const rejectedFromStore = [];
+    if (credentials && !options.forceCredentialReprompt) {
         await Promise.all(unmetIndices.map(async (i) => {
             const prereq = prerequisites[i];
             if (!prereq.envKey)
                 return;
             const stored = await credentials.get(prereq.envKey);
-            if (typeof stored === 'string' && stored.length > 0) {
-                process.env[prereq.envKey] = stored;
-                storeResolved.add(i);
-                resolvedFromStoreNames.push(prereq.name);
+            if (typeof stored !== 'string' || stored.length === 0)
+                return;
+            const validation = validateStoredCredential(prereq.envKey, stored);
+            if (!validation.valid) {
+                rejectedFromStore.push({ envKey: prereq.envKey, reason: validation.reason });
+                return;
             }
+            process.env[prereq.envKey] = stored;
+            storeResolved.add(i);
+            resolvedFromStoreNames.push(prereq.name);
         }));
     }
     const stillUnmetIdx = unmetIndices.filter(i => !storeResolved.has(i));
@@ -214,7 +228,7 @@ export async function resolveUnmetPrerequisites(prerequisites, options = {}) {
         if (promptableEnvKeys.length > 0) {
             return {
                 ok: false,
-                message: formatMissingCredentialMessage(promptableEnvKeys, stillUnmet),
+                message: formatMissingCredentialMessage(promptableEnvKeys, stillUnmet, rejectedFromStore),
                 resolvedNames: resolvedFromStoreNames,
                 errorCode: 'MISSING_CREDENTIAL',
                 missingCredentials: promptableEnvKeys,
@@ -227,10 +241,18 @@ export async function resolveUnmetPrerequisites(prerequisites, options = {}) {
         };
     }
     printPreflightBanner(log, stillUnmet.length);
+    if (rejectedFromStore.length > 0) {
+        for (const r of rejectedFromStore) {
+            log(`  Stored ${r.envKey} rejected — ${r.reason}. Re-enter below.`);
+        }
+        log('');
+    }
     const promptLine = options.promptLine ?? readLineFromStdin;
     const promptedNames = [];
     const promptableSet = new Set(promptable);
+    const pendingSaves = [];
     const lock = acquireTTYLock();
+    let shouldSave = false;
     try {
         for (const prereq of promptable) {
             if (options.abortSignal?.aborted) {
@@ -265,21 +287,32 @@ export async function resolveUnmetPrerequisites(prerequisites, options = {}) {
             }
             if (prereq.envKey) {
                 process.env[prereq.envKey] = answer;
-                if (credentials) {
-                    try {
-                        await credentials.store(prereq.envKey, answer);
-                    }
-                    catch (err) {
-                        log(`  (could not persist credential "${prereq.envKey}": ${err.message})`);
-                    }
-                }
+                if (credentials)
+                    pendingSaves.push({ envKey: prereq.envKey, value: answer });
             }
             promptedNames.push(prereq.name);
         }
+        // One batched save offer covers every collected answer — issuing N
+        // confirmations would be repetitive when most users want all-or-nothing.
+        if (credentials && pendingSaves.length > 0) {
+            shouldSave = await promptSaveCredentialsConfirmation(promptLine, pendingSaves.length, options.abortSignal);
+        }
     }
     finally {
         lock.release();
     }
+    // Persist outside the TTY lock so slow disk/keychain writes don't block
+    // concurrent stdin readers waiting on the same lock.
+    if (credentials && shouldSave) {
+        for (const { envKey, value } of pendingSaves) {
+            try {
+                await credentials.store(envKey, value);
+            }
+            catch (err) {
+                log(`  (could not persist credential "${envKey}": ${err.message})`);
+            }
+        }
+    }
     // Anything in stillUnmet that wasn't promptable (typically command/file
     // prereqs) is still broken — carry forward the initial detector result.
     const unfixableIdx = stillUnmetIdx.filter(i => !promptableSet.has(prerequisites[i]));
@@ -292,18 +325,44 @@ export async function resolveUnmetPrerequisites(prerequisites, options = {}) {
     }
     return { ok: true, resolvedNames: [...resolvedFromStoreNames, ...promptedNames] };
 }
-function formatMissingCredentialMessage(envKeys, prereqs) {
+function formatMissingCredentialMessage(envKeys, prereqs, rejectedFromStore) {
     const lines = ['Missing credentials (cannot prompt — non-interactive run):'];
     for (const key of envKeys) {
         const prereq = prereqs.find(p => p.envKey === key);
         const label = `${prereq?.name ?? key} (${key})`;
         appendPrereqLine(lines, label, prereq?.installHint, prereq?.url);
     }
+    if (rejectedFromStore.length > 0) {
+        lines.push('');
+        lines.push('Stored value(s) rejected as stale or invalid:');
+        for (const r of rejectedFromStore) {
+            lines.push(`  - ${r.envKey}: ${r.reason}`);
+        }
+    }
     lines.push('');
     lines.push('Prime these by casting the spell once interactively, or run:');
     lines.push('  flo spell credentials set <name>');
     return lines.join('\n');
 }
+/**
+ * Ask once whether to persist every collected prereq answer to the
+ * credential store. Empty input or `y/yes` → true (default Y); `n/no` →
+ * false. A failed prompt (e.g. abort) silently declines so the cast
+ * still proceeds with the in-memory env values.
+ */
+async function promptSaveCredentialsConfirmation(promptLine, count, abortSignal) {
+    const noun = count === 1 ? 'credential' : 'credentials';
+    const prompt = `  Save ${count} ${noun} to the encrypted credential store for future runs? [Y/n] `;
+    let answer;
+    try {
+        answer = await promptLine(prompt, abortSignal);
+    }
+    catch {
+        return false;
+    }
+    const trimmed = answer.trim().toLowerCase();
+    return trimmed === '' || trimmed === 'y' || trimmed === 'yes';
+}
 function printPreflightBanner(log, unmetCount) {
     log('');
     log('\x1b[1;36m━━━ Preflight: missing prerequisites ━━━\x1b[0m');

package/dist/src/cli/spells/core/runner.js

@@ -107,6 +107,7 @@ export class SpellCaster {
                 const resolution = await resolveUnmetPrerequisites(prerequisites, {
                     abortSignal: options.signal,
                     credentials: this.credentials,
+                    forceCredentialReprompt: options.forceCredentialReprompt,
                 });
                 if (!resolution.ok) {
                     return this.failureResult(spellId, startTime, [{

package/dist/src/cli/spells/core/spell-tier.js

@@ -0,0 +1,23 @@
+/**
+ * Classify a spell's source path as 'shipped' (ships with moflo, read-only
+ * from the consumer's perspective) or 'user' (project-local, writable).
+ *
+ * Story #1003 — used by the post-cast arg-writeback offer to skip the save
+ * prompt for shipped YAMLs (mutating them inside `node_modules/moflo/...`
+ * would be wiped on the next `npm install` and confuses provenance).
+ */
+const SHIPPED_MARKERS = [
+    // Installed package — both bare 'moflo' and the legacy '@moflo/*' workspace.
+    /\/node_modules\/moflo\//,
+    /\/node_modules\/@moflo\//,
+    // Source-tree shipped definitions (relevant when moflo dogfoods itself).
+    /\/src\/cli\/spells\/definitions\//,
+    /\/dist\/[^/]*\/?cli\/spells\/definitions\//,
+];
+export function inferSpellTier(sourceFile) {
+    if (!sourceFile)
+        return 'user';
+    const norm = sourceFile.replace(/\\/g, '/');
+    return SHIPPED_MARKERS.some((re) => re.test(norm)) ? 'shipped' : 'user';
+}
+//# sourceMappingURL=spell-tier.js.map

package/dist/src/cli/spells/core/yaml-defaults-writer.js

@@ -0,0 +1,169 @@
+// YAML line-editor: rewrite `arguments.<key>.default` without a full
+// round-trip through js-yaml (which would drop comments). Anchors and
+// block-scalar defaults are listed in `skipped` so callers can surface them.
+import * as yaml from 'js-yaml';
+const ARGUMENTS_HEADER_RE = /^arguments\s*:\s*(?:#.*)?$/;
+const KEY_LINE_RE = /^(\s*)([A-Za-z_][A-Za-z0-9_-]*)\s*:\s*(.*)$/;
+const DEFAULT_LINE_RE = /^(\s*default\s*:\s*)(?:[^#\n]*?)(\s*#.*)?$/;
+const BLOCK_SCALAR_DEFAULT_RE = /^\s*default\s*:\s*[|>][+-]?\d*\s*(?:#.*)?$/;
+export function updateYamlArgDefaults(yamlContent, updates) {
+    const updateKeys = Object.keys(updates);
+    if (updateKeys.length === 0) {
+        return { content: yamlContent, updated: [], skipped: [] };
+    }
+    const usesCRLF = /\r\n/.test(yamlContent);
+    const normalized = usesCRLF ? yamlContent.replace(/\r\n/g, '\n') : yamlContent;
+    const lines = normalized.split('\n');
+    const argumentsLineIdx = findArgumentsHeader(lines);
+    if (argumentsLineIdx === -1) {
+        return { content: yamlContent, updated: [], skipped: updateKeys };
+    }
+    const argKeyIndent = findArgKeyIndent(lines, argumentsLineIdx);
+    if (argKeyIndent === -1) {
+        return { content: yamlContent, updated: [], skipped: updateKeys };
+    }
+    const remaining = new Set(updateKeys);
+    const updated = [];
+    const skippedExtra = [];
+    let i = argumentsLineIdx + 1;
+    while (i < lines.length) {
+        const line = lines[i];
+        const stripped = line.trim();
+        if (!stripped || stripped.startsWith('#')) {
+            i++;
+            continue;
+        }
+        const indent = leadingSpaces(line);
+        if (indent === 0)
+            break;
+        if (indent !== argKeyIndent) {
+            i++;
+            continue;
+        }
+        const m = KEY_LINE_RE.exec(line);
+        if (!m) {
+            i++;
+            continue;
+        }
+        const argName = m[2];
+        if (!remaining.has(argName)) {
+            i = skipBlock(lines, i + 1, argKeyIndent);
+            continue;
+        }
+        const blockStart = i + 1;
+        const blockEnd = skipBlock(lines, blockStart, argKeyIndent);
+        const propIndent = findPropIndent(lines, blockStart, blockEnd, argKeyIndent);
+        const defaultLineIdx = findDefaultLine(lines, blockStart, blockEnd, propIndent);
+        const newValueStr = formatYamlValue(updates[argName]);
+        // Refuse to touch block-scalar defaults — replacing the header line with
+        // an inline scalar would orphan the continuation lines as sibling keys.
+        if (defaultLineIdx !== -1 && BLOCK_SCALAR_DEFAULT_RE.test(lines[defaultLineIdx])) {
+            skippedExtra.push(argName);
+            remaining.delete(argName);
+            i = skipBlock(lines, i + 1, argKeyIndent);
+            continue;
+        }
+        // Refuse multi-line dumped values for the same orphan-line reason.
+        if (newValueStr.includes('\n')) {
+            skippedExtra.push(argName);
+            remaining.delete(argName);
+            i = skipBlock(lines, i + 1, argKeyIndent);
+            continue;
+        }
+        if (defaultLineIdx !== -1) {
+            lines[defaultLineIdx] = replaceDefaultValue(lines[defaultLineIdx], newValueStr);
+        }
+        else {
+            const insertIndent = ' '.repeat(propIndent);
+            lines.splice(blockStart, 0, `${insertIndent}default: ${newValueStr}`);
+        }
+        updated.push(argName);
+        remaining.delete(argName);
+        i = skipBlock(lines, i + 1, argKeyIndent);
+    }
+    const joined = lines.join('\n');
+    const content = usesCRLF ? joined.replace(/\n/g, '\r\n') : joined;
+    return {
+        content,
+        updated,
+        skipped: [...remaining, ...skippedExtra],
+    };
+}
+function findArgumentsHeader(lines) {
+    for (let i = 0; i < lines.length; i++) {
+        if (leadingSpaces(lines[i]) === 0 && ARGUMENTS_HEADER_RE.test(lines[i].trim())) {
+            return i;
+        }
+    }
+    return -1;
+}
+function findArgKeyIndent(lines, headerIdx) {
+    for (let i = headerIdx + 1; i < lines.length; i++) {
+        const stripped = lines[i].trim();
+        if (!stripped || stripped.startsWith('#'))
+            continue;
+        const indent = leadingSpaces(lines[i]);
+        if (indent === 0)
+            return -1;
+        return indent;
+    }
+    return -1;
+}
+function findPropIndent(lines, blockStart, blockEnd, argKeyIndent) {
+    for (let j = blockStart; j < blockEnd; j++) {
+        const stripped = lines[j].trim();
+        if (!stripped || stripped.startsWith('#'))
+            continue;
+        return leadingSpaces(lines[j]);
+    }
+    return argKeyIndent + 2;
+}
+function findDefaultLine(lines, blockStart, blockEnd, propIndent) {
+    for (let j = blockStart; j < blockEnd; j++) {
+        const stripped = lines[j].trim();
+        if (!stripped || stripped.startsWith('#'))
+            continue;
+        if (leadingSpaces(lines[j]) !== propIndent)
+            continue;
+        if (/^default\s*:/.test(stripped))
+            return j;
+    }
+    return -1;
+}
+function skipBlock(lines, start, parentIndent) {
+    for (let i = start; i < lines.length; i++) {
+        const stripped = lines[i].trim();
+        if (!stripped || stripped.startsWith('#'))
+            continue;
+        if (leadingSpaces(lines[i]) <= parentIndent)
+            return i;
+    }
+    return lines.length;
+}
+function leadingSpaces(line) {
+    let n = 0;
+    while (n < line.length && line[n] === ' ')
+        n++;
+    return n;
+}
+function replaceDefaultValue(line, newValue) {
+    const m = DEFAULT_LINE_RE.exec(line);
+    if (!m)
+        return line;
+    const prefix = m[1];
+    const trailingComment = m[2] ?? '';
+    return `${prefix}${newValue}${trailingComment}`;
+}
+export function formatYamlValue(value) {
+    if (value === null || value === undefined)
+        return 'null';
+    if (typeof value === 'boolean' || typeof value === 'number')
+        return String(value);
+    const dumped = yaml.dump(value, {
+        flowLevel: 0,
+        lineWidth: -1,
+        noRefs: true,
+    }).replace(/\r?\n$/, '');
+    return dumped;
+}
+//# sourceMappingURL=yaml-defaults-writer.js.map

package/dist/src/cli/spells/factory/runner-bridge.js

@@ -45,6 +45,7 @@ export async function bridgeRunSpell(content, sourceFile, args, options = {}) {
             signal: controller.signal,
             memory: options.memory,
             credentials,
+            forceCredentialReprompt: options.forceCredentialReprompt,
             ...(options.projectRoot ? { projectRoot: options.projectRoot } : {}),
             ...(sandboxConfig ? { sandboxConfig } : {}),
         });
@@ -68,6 +69,7 @@ export async function bridgeExecuteSpell(definition, args, options = {}) {
         return await runner.run(definition, args, {
             spellId,
             signal: controller.signal,
+            forceCredentialReprompt: options.forceCredentialReprompt,
             ...(options.projectRoot ? { projectRoot: options.projectRoot } : {}),
             ...(sandboxConfig ? { sandboxConfig } : {}),
         });

package/dist/src/cli/swarm/message-bus/write-through-adapter.js

@@ -101,16 +101,17 @@ export class WriteThroughAdapter {
             // Best-effort cleanup
         }
     }
-    /**
-     * Wait for every fire-and-forget write currently in flight to settle.
-     * No-op when no writes are queued. Bounded by `Promise.allSettled` so a
-     * single hung write can't block forever (each individual write has its
-     * own daemon-write-client timeout).
-     */
+    // #1003 — yield to the microtask queue and re-check until pendingWrites
+    // settles. The single-snapshot pattern lost a race on fast hosts (Ubuntu CI)
+    // where a caller's awaited bus.sendUnified resolved before its `.then()`
+    // chain registered the write-through promise.
     async drainPendingWrites() {
-        if (this.pendingWrites.size === 0)
-            return;
-        await Promise.allSettled([...this.pendingWrites]);
+        for (let i = 0; i < 5; i++) {
+            await Promise.resolve();
+            if (this.pendingWrites.size === 0)
+                return;
+            await Promise.allSettled([...this.pendingWrites]);
+        }
     }
     onUnifiedMessage(event) {
         if (!event.namespace || !this.enabledNamespaces.has(event.namespace)) {

package/dist/src/cli/version.js

@@ -2,5 +2,5 @@
  * Auto-generated by build. Do not edit manually.
  * Source of truth: root package.json → scripts/sync-version.mjs
  */
-export const VERSION = '4.9.28';
+export const VERSION = '4.9.30';
 //# sourceMappingURL=version.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "moflo",
-  "version": "4.9.28",
+  "version": "4.9.30",
   "description": "MoFlo — AI agent orchestration for Claude Code. A standalone, opinionated toolkit with semantic memory, learned routing, gates, spells, and the /flo issue-execution skill.",
   "main": "dist/src/cli/index.js",
   "type": "module",
@@ -84,7 +84,7 @@
     "@typescript-eslint/eslint-plugin": "^7.18.0",
     "@typescript-eslint/parser": "^7.18.0",
     "eslint": "^8.0.0",
-    "moflo": "^4.9.27",
+    "moflo": "^4.9.29",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
     "vitest": "^4.0.0"