moflo 4.9.32 → 4.9.33

package/dist/src/cli/commands/spell-schedule.js

@@ -15,6 +15,7 @@ import { callMCPTool } from '../mcp-client.js';
 import { TOOL_MEMORY_STORE, TOOL_MEMORY_LIST, TOOL_MEMORY_RETRIEVE } from '../mcp-tools/tool-names.js';
 import { handleMCPError } from '../services/cli-formatters.js';
 import { ensureDaemonForScheduling } from '../services/daemon-readiness.js';
+import { checkScheduleAcceptance } from '../services/schedule-acceptance-check.js';
 import { reconcileDaemonAutostart } from '../services/daemon-autostart-lifecycle.js';
 import { isDaemonInstalled } from '../services/daemon-service.js';
 import { validateSchedule, computeNextRun } from '../spells/scheduler/cron-parser.js';
@@ -123,6 +124,16 @@ const createCommand = {
         for (const warning of readiness.warnings) {
             output.printWarning(warning);
         }
+        // Permission-acceptance check (#1037): scheduled fires run in the daemon's
+        // non-interactive context and have no way to prompt for permissions. If
+        // this spell hasn't been manually cast yet, the user needs to know NOW so
+        // they can run `flo spell cast -n <name>` once before relying on the
+        // schedule. This is a warning, never a block — the user may have a legit
+        // reason (about to cast, scripted setup, etc.).
+        const acceptance = await checkScheduleAcceptance(projectRoot, name);
+        if (acceptance.message) {
+            output.printWarning(acceptance.message);
+        }
         // Always create the schedule, regardless of daemon state
         const id = `sched-adhoc-${now}-${Math.random().toString(36).slice(2, 8)}`;
         const record = {

package/dist/src/cli/services/daemon-spell-executor.js

@@ -24,9 +24,17 @@ export class DaemonSpellExecutor {
         this.explicitSandbox = opts.sandboxConfig;
     }
     exists(spellName) {
+        // Invalidate before resolve so newly-added yamls are visible to the
+        // poll loop. Without this, stale-false from exists() causes the
+        // scheduler to auto-disable schedules whose spell was added on disk
+        // after daemon boot (#1034).
+        this.registry.invalidate();
         return this.registry.resolve(spellName) !== undefined;
     }
     async execute(spellName, args, signal, mofloLevel) {
+        // Invalidate before resolve so yaml edits on disk reach the next fire
+        // without needing a daemon restart (#1034).
+        this.registry.invalidate();
         const loaded = this.registry.resolve(spellName);
         if (!loaded) {
             return failedResult(`scheduled-${spellName}-${Date.now()}`, 'STEP_EXECUTION_FAILED', `Spell not found in grimoire: ${spellName}`);

package/dist/src/cli/services/schedule-acceptance-check.js

@@ -0,0 +1,68 @@
+/**
+ * Schedule Acceptance Check
+ *
+ * Resolves a spell, computes its current permission hash, and checks whether
+ * `.moflo/accepted-permissions/<name>.json` records a valid prior acceptance.
+ *
+ * The schedule-create command consumes the result to warn — never block — when
+ * the spell is missing acceptance. Without it, scheduled fires running in the
+ * non-interactive daemon context fail with `Missing credentials` and the user
+ * has no signal at create time that a one-time manual cast was the missing
+ * step (#1037).
+ */
+import { buildGrimoire } from './grimoire-builder.js';
+import { checkAcceptance } from '../spells/core/permission-acceptance.js';
+/**
+ * Resolve `spellName` via the Grimoire, hash its permissions, compare against
+ * any stored acceptance under `<projectRoot>/.moflo/accepted-permissions/`.
+ *
+ * Always returns — never throws. A check failure (e.g. Grimoire unavailable)
+ * resolves to `check-failed` with an empty message so callers don't surface
+ * noise; the schedule create proceeds either way.
+ */
+export async function checkScheduleAcceptance(projectRoot, spellName) {
+    try {
+        const { registry } = await buildGrimoire(projectRoot);
+        const loaded = registry.resolve(spellName);
+        if (!loaded) {
+            return {
+                state: 'spell-not-found',
+                message: `Spell "${spellName}" was not found in the grimoire. The schedule will be created, but the daemon will auto-disable it on the first fire. Check the spell name (try \`flo spell list\`).`,
+            };
+        }
+        const [{ analyzeSpellPermissions }, { StepCommandRegistry }, { builtinCommands },] = await Promise.all([
+            import('../spells/core/permission-disclosure.js'),
+            import('../spells/core/step-command-registry.js'),
+            import('../spells/commands/index.js'),
+        ]);
+        const stepRegistry = new StepCommandRegistry();
+        for (const cmd of builtinCommands) {
+            stepRegistry.register(cmd, 'built-in');
+        }
+        const report = analyzeSpellPermissions(loaded.definition, stepRegistry);
+        const result = await checkAcceptance(projectRoot, loaded.definition.name, report.permissionHash);
+        if (result.accepted) {
+            return { state: 'accepted', message: '' };
+        }
+        if (result.reason === 'no-acceptance') {
+            return {
+                state: 'never-accepted',
+                message: `Spell "${loaded.definition.name}" has not been accepted yet. Scheduled fires run non-interactively, so the first run will fail with "missing credentials". Run \`flo spell cast -n ${loaded.definition.name}\` once manually to accept permissions, then this schedule will work on the next fire.`,
+            };
+        }
+        return {
+            state: 'hash-mismatch',
+            message: `Spell "${loaded.definition.name}" permissions have changed since you last accepted them. Re-run \`flo spell cast -n ${loaded.definition.name}\` once to review and re-accept the new permissions; otherwise scheduled fires will fail.`,
+        };
+    }
+    catch (err) {
+        // Soft-fail: a Grimoire load error or permission analysis failure must
+        // never block schedule creation. Return a quiet check-failed state and
+        // let the create proceed. Surface the cause via console.debug so a
+        // developer chasing a regression can see why the check degraded
+        // without polluting normal CLI output.
+        console.debug(`[schedule-acceptance-check] check failed for ${spellName}: ${err.message}`);
+        return { state: 'check-failed', message: '' };
+    }
+}
+//# sourceMappingURL=schedule-acceptance-check.js.map

package/dist/src/cli/spells/credentials/credential-store.js

@@ -8,7 +8,7 @@
  * Story #106: Encrypted Credential Storage
  */
 import { createCipheriv, createDecipheriv, randomBytes, pbkdf2Sync, } from 'node:crypto';
-import { readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { readFileSync, writeFileSync, mkdirSync, statSync } from 'node:fs';
 import { dirname } from 'node:path';
 // ============================================================================
 // Constants
@@ -55,6 +55,11 @@ export class CredentialStore {
     filePath;
     derivedKey = null;
     data = null;
+    // Tracks the file mtime that produced `this.data`. `null` means the file
+    // didn't exist when we last read. refreshIfStale() compares against the
+    // current mtime to detect external writes (e.g. CLI subprocesses calling
+    // `flo spell credentials set` while the daemon's instance is alive — #1035).
+    lastReadMtimeMs = null;
     constructor(options) {
         this.filePath = options.filePath;
         if (options.passphrase) {
@@ -70,6 +75,7 @@ export class CredentialStore {
             throw new CredentialStoreError(`Passphrase must be at least ${MIN_PASSPHRASE_LENGTH} characters`, 'WEAK_PASSPHRASE');
         }
         this.data = this.readFile();
+        this.lastReadMtimeMs = this.fileMtimeMs();
         const salt = Buffer.from(this.data.salt, 'hex');
         this.derivedKey = deriveKey(passphrase, salt);
     }
@@ -85,9 +91,17 @@ export class CredentialStore {
     }
     /**
      * Store an encrypted credential.
+     *
+     * The refreshIfStale() call rebases on the latest on-disk state so we don't
+     * write back a snapshot that's missing concurrent additions. It is NOT a
+     * mutual-exclusion primitive: two processes calling store() on the same key
+     * concurrently still race, and the last writer wins. Cross-process locking
+     * is out of scope; the file write is small and the typical layout (one
+     * daemon reader + occasional CLI writers) makes the race window vanishing.
      */
     async store(name, value, description) {
         this.ensureUnlocked();
+        this.refreshIfStale();
         const now = new Date().toISOString();
         const encrypted = encrypt(value, this.derivedKey);
         const existing = this.data.credentials[name];
@@ -105,6 +119,7 @@ export class CredentialStore {
      */
     async get(name) {
         this.ensureUnlocked();
+        this.refreshIfStale();
         const entry = this.data.credentials[name];
         if (!entry)
             return undefined;
@@ -121,6 +136,7 @@ export class CredentialStore {
      */
     async has(name) {
         this.ensureUnlocked();
+        this.refreshIfStale();
         return name in this.data.credentials;
     }
     /**
@@ -128,6 +144,7 @@ export class CredentialStore {
      */
     async delete(name) {
         this.ensureUnlocked();
+        this.refreshIfStale();
         if (!(name in this.data.credentials))
             return false;
         delete this.data.credentials[name];
@@ -141,6 +158,7 @@ export class CredentialStore {
      */
     async clear() {
         this.ensureUnlocked();
+        this.refreshIfStale();
         const count = Object.keys(this.data.credentials).length;
         if (count === 0)
             return 0;
@@ -153,6 +171,7 @@ export class CredentialStore {
      */
     async list() {
         this.ensureUnlocked();
+        this.refreshIfStale();
         return Object.entries(this.data.credentials).map(([name, entry]) => ({
             name,
             description: entry.description,
@@ -166,6 +185,7 @@ export class CredentialStore {
      */
     async allValues() {
         this.ensureUnlocked();
+        this.refreshIfStale();
         const values = [];
         for (const entry of Object.values(this.data.credentials)) {
             try {
@@ -265,6 +285,49 @@ export class CredentialStore {
     writeFile(data) {
         mkdirSync(dirname(this.filePath), { recursive: true });
         writeFileSync(this.filePath, JSON.stringify(data, null, 2), { encoding: 'utf-8', mode: 0o600 });
+        // Adopt the just-written mtime so refreshIfStale() doesn't trigger an
+        // unnecessary re-read on the next operation through this instance.
+        this.lastReadMtimeMs = this.fileMtimeMs();
+    }
+    /**
+     * Return the file's mtime in ms, or null when the file doesn't exist.
+     * Other errors (permissions, etc.) are surfaced — they signal a real problem
+     * worth raising rather than silently treating as "no file".
+     */
+    fileMtimeMs() {
+        try {
+            return statSync(this.filePath).mtimeMs;
+        }
+        catch (err) {
+            if (err.code === 'ENOENT')
+                return null;
+            throw err;
+        }
+    }
+    /**
+     * Reload `this.data` from disk when the file's mtime differs from what we
+     * last read. This is the per-call hook that keeps long-lived instances
+     * (the daemon's singleton CredentialStore — see #1035) consistent with
+     * writes made by CLI subprocesses.
+     *
+     * Limitations:
+     * - If another process rotated the passphrase, the salt in the reloaded
+     *   data will mismatch our derivedKey. Subsequent decrypt() calls throw
+     *   DECRYPTION_FAILED, which the resolver treats as missing — same UX as
+     *   today's stale-daemon failure mode and only resolved by daemon restart.
+     *   Rotation-aware reload would need the new passphrase, which we don't
+     *   have post-construction; out of scope here.
+     * - Designed for local filesystems. Network mounts (NFS/SMB) can return
+     *   coarse or stale mtimes via client caching, which would weaken the
+     *   detection. The credentials file lives at `~/.moflo/credentials.json`
+     *   and is expected to be local; network-mounted homedirs aren't supported.
+     */
+    refreshIfStale() {
+        const current = this.fileMtimeMs();
+        if (current === this.lastReadMtimeMs)
+            return;
+        this.data = this.readFile();
+        this.lastReadMtimeMs = current;
     }
 }
 export class CredentialStoreError extends Error {

package/dist/src/cli/version.js

@@ -2,5 +2,5 @@
  * Auto-generated by build. Do not edit manually.
  * Source of truth: root package.json → scripts/sync-version.mjs
  */
-export const VERSION = '4.9.32';
+export const VERSION = '4.9.33';
 //# sourceMappingURL=version.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "moflo",
-  "version": "4.9.32",
+  "version": "4.9.33",
   "description": "MoFlo — AI agent orchestration for Claude Code. A standalone, opinionated toolkit with semantic memory, learned routing, gates, spells, and the /flo issue-execution skill.",
   "main": "dist/src/cli/index.js",
   "type": "module",
@@ -97,7 +97,7 @@
     "@typescript-eslint/eslint-plugin": "^7.18.0",
     "@typescript-eslint/parser": "^7.18.0",
     "eslint": "^8.0.0",
-    "moflo": "^4.9.31",
+    "moflo": "^4.9.32",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
     "vitest": "^4.0.0"