cloverleaf-larry/CHANGELOG.md

Changelog

All notable changes to cloverleaf-larry / larry-anywhere are recorded here. Versioning is loose-semver; bumps trigger the in-process self-update on every running client via LARRY_BASE_URL + MANIFEST.

v0.8.13 — 2026-05-28

Proactive both-mode Cloverleaf-env detection + the $HCIROOT login-shell fix + a first-class site lister + the dominant residual-slowness fix (Clover). Closes the live-session friction where "how many sites are on qa?" stalled on repeated export $HCIROOT nags despite a working qa SSH alias.

1. $HCIROOT login-shell fix (root cause). ssh-helper.sh exec ran the remote command in a NON-login, non-interactive shell, so the Cloverleaf login profile (which exports $HCIROOT, $HCISITE, and the hci* PATH) never sourced and $HCIROOT arrived empty — and Larry gave up and asked for a path. exec now wraps the command in bash -lc (login shell), so the remote env populates exactly as for an interactive operator login. Version-agnostic, zero-config. Escape hatch: NOLOGIN prefix or LARRY_SSH_NO_LOGIN=1. The pull-smat find/sample paths use the same wrapper so $HCISITEDIR/sqlite3 resolve there too.
2. Both-mode detection (proactive). Startup now determines and surfaces a MODE= line: LOCAL ($HCIROOT set by the local profile, or a Cloverleaf install auto-discovered at a common path — work the local tree, no SSH), REMOTE (no local install but a Cloverleaf SSH alias configured — discover over a login shell), or UNKNOWN (ask which mode applies). Larry leads with what it found instead of asking Bryan to spoon-feed paths.
3. First-class list_sites tool + /sites [alias]. "How many sites are on X / what sites exist" now Just Works in both modes: REMOTE (list_sites(alias=qa)) resolves the remote $HCIROOT in a login shell and enumerates sites (Cloverleaf hcisitelist fast-path, NetConfig-walk fallback); LOCAL (list_sites()) does the same against the detected local $HCIROOT. Reports the resolved HCIROOT, a count, and the names. New ssh-helper.sh discover <alias> backs the remote path.
4. System-prompt de-nagging. agents/larry.md and the /nc-diff-env / /nc-regression-env templated prompts no longer instruct Larry to ask Bryan to export $HCIROOT for a reachable host. The cardinal rule is explicit: never request a path you can resolve; the only remote precondition surfaced is an open ControlMaster (/ssh-setup <alias>).
5. Streaming slowness — dominant residual fix. v0.8.12 collapsed per-delta routing to one jq call, but each text_delta/input_json_delta STILL forked a second jq purely to un-escape the @json-encoded payload — ~N forks/turn (N≈output tokens), and on Cygwin/MobaXterm a fork is ~50-100ms. New _json_str_decode un-escapes in pure bash for the common escape-free chunk (zero forks), deferring to jq only when a real backslash escape is present. Halves per-turn fork count on top of v0.8.12. Round-trip verified for tab, escaped quote/backslash, embedded newline, \uXXXX Unicode, and empty.
6. pull-smat path capture hardened (Vera Minor #1). The remote .smatdb path lookup previously took tail -1 of the merged stdout+stderr stream. Under the new login shell (item 1) a profile MOTD/banner can land on stdout, which a blind tail -1 could mistake for the path. The remote find now emits the resolved path behind a SMATDB_PATH: sentinel; the client selects by pattern, not position, and only falls back to the prior tail -1 when no sentinel is present (so no host that worked before can regress). Selection logic unit-verified for banner-before, banner-after, ERROR, empty, multi- sentinel, and no-sentinel-fallback.

Compatible with bash 3.2 / Cygwin; no regression to the v0.8.12 fixes.

---

v0.8.12 — 2026-05-27

Crash fix + slowness + cost pass on the new API-key rail (Clover). Full diagnosis: Deliverables/2026-05-27-cloverleaf-larry-v0812-crash-slowness-cost.md.

1. Fix the post-response arithmetic crash (bash: <n>: syntax error: invalid arithmetic operator (error token is "")). The token/cost accounting fed jq-extracted usage counts straight into $(( )); on Cygwin/MobaXterm a CRLF-translated response body makes jq -r emit 1234\r, and // 0 only guards JSON null, not the CR. coerce_int now defends all three accounting sites (non-streaming cost block, streaming cost block, _record_ctx_used). This is the v0.7.5 OAuth crash's Anomaly-#4 recurrence on the response path.
2. Prompt caching wired into the request (cost). The ~12.7K-token static prefix (system ~6K + 35 tools ~6.7K) was re-sent uncached every turn. v0.8.12 sends system as a block array and marks the last tool with cache_control: ephemeral (apikey rail; LARRY_PROMPT_CACHE=0 to disable), so the prefix is billed at the 0.1x cache-read rate after turn 1 — a ~90% cut on the static prefix and a large TTFB reduction.
3. Streaming parser per-delta jq forks collapsed (slowness, dominant fix). The SSE content_block_delta hot path spawned 3 jq processes per event (.index, .delta.type, then the text/json payload). A normal response ships dozens-to-hundreds of these, and on Cygwin/MobaXterm a process fork is ~50-100ms (Windows fork emulation) — so the per-turn render lagged multiple seconds ("veeery slow"). The routing fields are now pulled in ONE jq call (payload @json-encoded so embedded newlines/tabs survive the line read), cutting the text path to 2 forks/event and ignored deltas to 1. Verified round-trip on text with embedded NL/TAB/quote and on input_json_delta.
4. Per-turn PHI sidecar /health probe cached for the session (slowness). phi_client_available ran curl -m1 every turn; on MobaXterm the sidecar can never run, so it was a guaranteed curl fork + up-to-1s wait per turn. Now probed once per session (file-flag, survives the $(...) subshell); LARRY_PHI_REPROBE=1 forces a fresh probe.

---

v0.8.11 — 2026-05-27

Two headline features land together (Clover):

1. API key is now the default auth rail — sanctioned, not edge-throttled; OAuth-impersonation disabled by default to protect the user's Max account; secure per-client key via /set-api-key, stored 0600, CR-safe, masked in diagnostics.
2. Manifest-hashing auto-update — relaunch skips unchanged files by comparing each MANIFEST sha256 to a local hash, so only changed/missing files download. Relaunch drops from minutes to seconds.

---

1. API key as the default auth rail

Bryan's decision (2026-05-27): the durable fix for the multi-hour OAuth rate_limit_error is to STOP impersonating the official Claude Code client and move to the sanctioned API-key rail. Anthropic actively fingerprints and blocks Claude-Code OAuth impersonation (server-side enforcement since ~2026-01-09, ToS change 2026-02-19/20); every impersonated OAuth request flags the user's Max account. The API key (sk-ant-api03-) is the intended programmatic rail — a plain x-api-key request, billed pay-as-you-go, not edge-throttled. (Research: Deliverables/2026-05-27-claude-code-oauth-request-requirements-research.md.)

• API key is the default. LARRY_AUTH_MODE defaults to apikey. The request shape is the clean sanctioned form: x-api-key + anthropic-version: 2023-06-01 + content-type: application/json — no Authorization: Bearer, no anthropic-beta: claude-code-*, no claude-cli (external, cli) UA, no x-app: cli, no ?beta=true, no "You are Claude Code" system block. All of the prior impersonation scaffolding was removed.
• OAuth is OFF by default (opt-in only). larry fires OAuth ONLY when LARRY_AUTH_MODE=oauth is set explicitly, and prints a one-time account-risk warning when it does. There is no silent OAuth fallback — larry never auto-pokes the impersonation tripwire. The opt-in OAuth request is minimal and honest (Bearer + anthropic-beta: oauth-2025-04-20 only).
• Secure per-client API-key provisioning + storage (Bryan's core ask):
  • /set-api-key (and larry-auth.sh --api-key) prompts with read -s (silent, never echoed, never in argv / process table / shell history), optionally validates with one cheap /v1/messages ping (max_tokens:1), then stores the key at $LARRY_HOME/.api-key (mode 0600, owner-only), CR-stripped (MobaXterm/Cygwin CRLF-safe). --clear removes it; --status shows it masked. Each client holds its OWN key (mint one per machine at console.anthropic.com — independently revocable, leak-contained).
  • The key is fed to curl via --config - on stdin, so it never appears in curl's argv / the process table (ps-clean), in all request and validation paths.
• Secret hygiene: the key is never logged, never committed (added to .gitignore and to larry's PHI/secret read_file path-block), and is masked as sk-ant-api03-XXXX…last4 in /auth, /auth-debug (alias /api-debug), and /set-api-key --status. The audit-trail secret-guard's sk-ant-[A-Za-z0-9_-]{20,} pattern catches sk-ant-api03- specifically.
• 429-discrimination (reused from the prior thread's good work): a real rate-limit 429 ALWAYS carries anthropic-ratelimit-* headers → legitimate backoff; a 429 with NO such headers on the API-key rail → clear "edge/ transient bounce, not your quota" message (no futile backoff). On the opt-in OAuth rail, that same edge-reject signature triggers an automatic flip to the sanctioned API-key rail if a key is configured (LARRY_NO_EDGE_FALLBACK=1 to opt out).
• Migration UX: first launch with the apikey default and no key → friendly prompt to run /set-api-key (not a bounce into the risky OAuth path).

2. Manifest-hashing auto-update speedup

sync_from_manifest used to re-download all 48 manifest entries every relaunch over authenticated HTTPS (Gitea via proxy + Cloudflare) and cmp locally to find the 0–3 that changed — ~3 min on the work-box for a 3-file update, because the MANIFEST was paths-only and the client could not tell what changed without fetching everything.

• MANIFEST now ships each file's expected sha256 (path<TAB>sha256, generated at release by scripts/make-manifest.sh). The client fetches MANIFEST once, hashes its LOCAL copy of each path, and downloads ONLY entries whose hash differs or are missing. 48 round-trips → 1 (MANIFEST) + a local hash pass + N real downloads (N = actually-changed files, usually 0–3). Relaunch drops from minutes to seconds.
• Fail-SAFE: a doubt NEVER skips an update. A download is skipped only when ALL hold — a working sha256 tool, a valid 64-hex manifest hash, the local file exists, and its hash matches exactly. No tool / empty / malformed / non-hex hash, missing local file, hash-tool error, or any mismatch (including a stale or wrong published hash) all fall through to download. Worst case is a needless re-download, never a missed update.
• sha256 tool fallback chain: sha256sum → shasum -a 256 → openssl dgst -sha256 → (none → full-download fallback, updater never breaks). Detected once, cached. Tool output normalized to bare lowercase 64-hex.
• CR-safe: the MANIFEST is fetched from Gitea (CRLF risk); the whole line is CR-stripped before splitting and the hash-tool output is tr -d '\r''d, so a CRLF-tainted hash never forces a needless re-download.
• Download path unchanged from v0.8.9 — still routes through fetch_validate (HTML-sign-in-trap detection), keeps the post-download cmp guard (idempotent), chmod +x for *.sh, and per-file --max-time. The v0.8.9 live progress indicator now renders over the new "verifying (local)" phase and the (fewer) "downloading" frames. New summary line: manifest sync: N updated, M unchanged (local hash), F failed, T total.
• Release tooling (committed, not synced to clients): scripts/make-manifest.sh regenerates/checks the MANIFEST hashes; scripts/hooks/pre-commit blocks a commit whose MANIFEST hashes drifted. These are release-side only — the work-box consumes manifests, never generates them — so they are deliberately NOT listed in MANIFEST.

Deliverables: Deliverables/2026-05-27-cloverleaf-larry-api-key-default-rail.md, Deliverables/2026-05-27-cloverleaf-larry-manifest-hashing-speedup.md.

v0.8.9 — 2026-05-27

Manifest-sync live progress indicator (Clover). Symptom: Bryan's auto-update relaunch is very slow and looks frozen — a multi-minute silent gap between update found: X -> Y … relaunching and manifest sync: N updated, 0 failed, M total, with NO output in between. Observed: [21:32:29] → [21:35:37] = ~3 min of silence to update just 3 of 48 files; earlier [20:19:42] → [20:20:32] = ~50s for 22 files. Bryan cannot tell working-but-slow from hung.

Root cause (confirmed by reading sync_from_manifest). Phase-A sync does NOT do cheap HEAD/hash-checks — it fully downloads EVERY manifest entry over an authenticated HTTPS round-trip (Gitea via the corporate proxy + Cloudflare), then uses cmp -s locally to decide whether the bytes actually changed (discarding unchanged ones). With 48 entries that is 48 sequential full downloads, every relaunch, regardless of how few files changed. The loop emits nothing until the trailing summary log line → the entire window is silent → looks hung. The "3 files changed" in the summary is just how many survived the cmp; all 48 were still fetched.

• Live in-place progress over the WHOLE sync. New _sync_progress / _sync_progress_done helpers render checking N/48 lib/foo.sh per entry, rewriting the line via \r\033[K (carriage-return + clear-line). When a fetch actually lands a changed file, the frame switches to downloading N/48 lib/foo.sh so real writes are distinguishable from the common unchanged case. The current filename is always shown, so a genuine stall is VISIBLE — you see exactly which file it is stuck on instead of a blank freeze.
• MobaXterm-safe escapes only. Uses solely \r + ESC[K (the same primitive already at the readline prompt, audited safe in the v0.8.7 escape inventory). Deliberately NO DECSTBM scroll-region, cursor save/restore, or absolute-row addressing — the exact escapes MobaXterm mis-honors. Verified under a pty: only ESC[0m, ESC[2m, ESC[K ever emitted; zero forbidden escapes. Independent of LARRY_NO_STREAM / mouse mode (gates only on a TTY).
• Non-TTY safe. Gates on [ -t 2 ]. When stderr is a pipe/log it emits a plain newline-terminated heartbeat every 10 files (no \r), so captured logs stay clean — verified zero \r bytes in piped output.
• Heartbeat for hangs. The per-file fetch already carries curl --max-time (5s for VERSION, 15s otherwise); a stuck file now shows its name, times out, counts as a fail, and the loop advances — never an infinite silent stall.
• Speedup deferred (by design). The clean fix — fetch the manifest once, compare per-file hashes locally, and SKIP unchanged files with NO per-file network round-trip — requires the MANIFEST to carry hashes. It currently carries paths only (no hashes/sizes), so the optimization would require a manifest-format + release-tooling change (higher risk, separate change). Filed as a follow-up: MANIFEST should emit path<TAB>sha256 so v0.9.x can turn 48 network round-trips into 1 fetch + local compare. This release ships the indicator (Bryan's explicit ask); correctness of the sync is unchanged.

Note: the v0.8.9 relaunch itself is still the slow path (the indicator helps from the NEXT update onward), but you now see live forward progress during it.

v0.8.8 — 2026-05-27

Force unconditional 429 header capture (Clover). Symptom: Bryan's MobaXterm work-box hits rate_limit_error repeatedly, but $LARRY_HOME/log/headers.log NEVER generates — so we cannot diagnose which rate-limit rail / auth path is failing. The single goal: guarantee the log generates on the NEXT 429 so Bryan can tail it and paste it (manual paste is the plan; auto-sync is dropped).

Call-flow trace (first, to disprove the deeper hypothesis). Bryan's box runs LARRY_NO_STREAM=1 (auto-set on MobaXterm since v0.8.5), so agent_turn takes resp=$(call_api …). call_api (larry.sh) ALWAYS dumps response headers via curl -D and ALWAYS calls _parse_response_headers on that dump after curl returns — regardless of HTTP status (it explicitly comments "headers carry rate-limit info even on 429s"). So the non-stream 429 path WAS reaching the parser. The parser was NOT the missing call — the bug was entirely the over-clever write-gate INSIDE the parser.

Root cause = the write-gate was too clever for its own purpose. The v0.8.5 gate wrote headers.log only if (OAuth-mode AND a unified-* header was present) OR (retry-after was non-empty). Bryan's 429s carry NEITHER: the backoff used the exponential 2/4/8s fallback (proving no server retry-after), and a per-minute burst 429 routinely omits the unified-* family. Neither branch fired → no write → no log → no diagnosis. The capture defeated its own purpose.

• Unconditional write on ANY 429, detected from the status line. _parse_response_headers now greps the -D dump for ^HTTP/<ver> 429 (CRLF-tolerant) and, on a match, ALWAYS writes the full raw header block to $LARRY_HOME/log/headers.log — regardless of retry-after, unified-*, or auth mode. A bare 429 with no diagnostic headers STILL logs; that absence is itself the finding (signals a low/bare-tier limit).
• 429s exempt from the OAuth 50-call cap. New STATUS_429_headers_logged counter with its own budget (STATUS_429_HEADER_LOG_LIMIT=200), independent of the 200-path OAuth sampling cap. A session that burned all 50 OAuth captures on successful calls STILL logs its next (51st-call) 429.
• Full diagnostic dump. The 429 block writes: a banner with auth-mode (OAuth-Max vs API-key rail), the detected limit-rail, retry-after, org-id, and request-id; then the HTTP status line, ALL anthropic-* headers (not just -ratelimit-*), retry-after, request-id, and every x-* header — so the auth-rail + which-limit question is answerable from one paste.
• Live stderr pointer. On every 429 capture, prints phi/rl> 429 headers logged to ~/.larry/log/headers.log (rail=<x>, retry-after=<y>) — paste for diagnosis so Bryan knows the log now exists.
• Same-pattern sweep. Streaming path (call_api_stream → _drain_pending_stream_headers → _parse_response_headers) shares the same function, so Mac/Linux streaming users get identical 429 capture. The v0.8.0 tool_read_file PHI path-block (which blocks $LARRY_HOME/log/) is tool-dispatch-only — Bryan reading his own headers.log via interactive shell tail is unaffected (verified: no shell-level block; bash_exec runs bash -c directly without the path-block). The 200-path OAuth sampling cap is unchanged.

v0.8.7 — 2026-05-27

Status-line render fix for MobaXterm/Cygwin (Clover). Symptom: the dim between-turn status line (session context + rate-limit reset date) never appeared on Bryan's MobaXterm work-box — the v0.7.1 status-line feature that MEMORY.md flagged as a never-verified passive item.

Root cause = suppress-when-empty gate, NOT terminal positioning. render_status_line (larry.sh) gated the OAuth arm on ctx_used_tokens, oauth_5h_utilization, AND oauth_7d_utilization ALL being empty — returning silently (rendering nothing) when so. Two facts made all three stay empty turn after turn on Bryan's box: (1) STATUS_ctx_used_tokens is populated by _record_ctx_used, which runs only AFTER a successful agent_turn; on a rate_limit_error the turn returns early (larry.sh ~L3929), so ctx was never recorded; (2) pre-v0.8.5 the anthropic-ratelimit-unified-* utilization headers weren't captured on error responses. With every turn erroring, all three gate fields were empty every turn, so the line was suppressed for the whole session and never rendered. This was NOT a positioning bug: the status line is a single plain printf'd dim line printed between turns — there is no DECSTBM scroll-region reservation, no cursor save/restore, no absolute-row positioning anywhere in the codebase, so MobaXterm's terminal emulation had nothing to mis-honor. It was also NOT coupled to streaming or mouse mode.

• Gate on turn count, not data presence. render_status_line now suppresses ONLY before the first turn has run (_LARRY_TURNS == 0, coerce_int-guarded); thereafter it ALWAYS renders. Both auth-mode helpers already self-render a — placeholder for any unpopulated field, so the line always shows session context (model context window, turns, session cost) and the rate-limit reset time fills in once a successful call — or, since v0.8.5, a captured error response — populates the headers.
• /status always renders on demand, even before the first turn — an explicit request bypasses the turn-0 gate. Lets Bryan verify the line renders on MobaXterm without first completing a (possibly rate-limited) turn.
• CR-taint hardening (same-pattern sweep). The OAuth segment's reset-epoch comparisons ([ <epoch> -le <now> ]) read STATUS_oauth_{5h,7d}_reset_epoch, which come from _header_value (strips only the TRAILING CR). A CRLF response on MobaXterm or a non-numeric token would have crashed the arithmetic test and aborted the entire line. Both comparisons now coerce_int the epoch first; the STATUS_oauth_status color-override case is now strip_cr-guarded so a rate_limited\r value still matches its literal-glob arm.
• Same-pattern sweep results: audited every escape sequence in larry.sh + lib/ — only color SGR, clear-screen (\033[2J\033[H), erase-line (\r\033[K), and the opt-in mouse/bracketed-paste modes (off by default since v0.7.5) are used; ZERO scroll-region / cursor-save-restore / absolute-cursor sequences, so no other UI element is at risk of MobaXterm mis-rendering. Confirmed no user-visible element is gated behind streaming (used_stream only guards re-printing already-streamed text) or mouse mode.
• Verification: bash -n clean; 7/7 unit tests pass against the shipped render functions — turn-0 suppressed; turn≥1 with empty data renders with placeholders; reset date shown when populated; renders with LARRY_NO_STREAM=1
  • mouse off (Bryan's exact config); survives a CR-tainted reset epoch without crashing; LARRY_NO_STATUS=1 still fully disables.

v0.8.6 — 2026-05-27

Work-box → Mac headers.log sync (tsk-2026-05-27-023, Clover headers-sync). Closes the last gap in the rate-limit-diagnosis pipeline: the anthropic-ratelimit-* headers captured on Bryan's MobaXterm work-box (where the testing happens) never reached the Mac's memory daemon, so they could not be analyzed. v0.8.6 pushes the work-box headers.log to a daemon-watched path on the Mac automatically; the Mac daemon ingests it to memory Tier 4 (Hindsight) + Tier 7 (mem0).

• New lib/headers-sync.sh — incremental, offset-tracked, idempotent push of $LARRY_HOME/log/headers.log to a per-host file on the Mac (~/.cloverleaf/headers-<workbox-hostname>.jsonl, a daemon-watched dir). Transport rides the EXISTING authenticated SSH ControlMaster (/ssh-setup <alias>) — no new key, no second auth, the password is never in argv/env. Only the new bytes since the last sync are sent (dd skip=offset → remote cat >>); a no-op when nothing is new; a re-seed (truncate + resend) when the local file rotates/shrinks. Fully graceful: missing target, closed master, or transport failure logs a warn to $LARRY_HOME/log/sync.log and returns non-fatally — it can NEVER crash or wedge the larry session.
• /headers-sync on|off|status|target <alias>|now slash command. target binds the Mac SSH alias; on/off toggle auto-sync (persisted to $LARRY_HOME/.env as LARRY_HEADERS_SYNC / LARRY_HEADERS_SYNC_TARGET); status shows enabled?, target, dest, last-sync time, bytes pushed, and master state; now runs one incremental sync on demand. Registered in the TAB-completion arrays and /help.
• Auto-sync cadence: on larry exit. The REPL EXIT/INT/TERM handler flushes headers.log if auto-sync is enabled (cheap + incremental). On-demand /headers-sync now is always available. (After-EVERY-turn cadence was intentionally deferred to keep this change out of the turn/streaming loop that v0.8.5 just reworked.)
• Mac-daemon receive side (scripts/headers_log_ingest.py, not part of the larry bundle): now resolves headers-*.jsonl glob sources under the watched dirs IN ADDITION to the fixed canonical headers.log, and processes ALL sources with PER-SOURCE offsets — so the Mac's own stream and one or more work-box streams are surfaced independently. Each fact carries a source= label (the work-box hostname) so the memory layer can tell them apart.
• Security (Vera PHI audit V7): headers.log holds only anthropic-* response headers (rate-limit metadata + org id) and HTTP status lines — NO message body, NO PHI — so syncing is safe. The existing key/password-auth ControlMaster transport is reused unchanged (not weakened).

v0.8.5 — 2026-05-27

Diagnose-don't-assume rate-limit cluster fix (Clover #8). Symptom: a hello turn threw rate_limit_error on a work-box with 90% of the Claude Max 5h quota free — so NOT 5h-window exhaustion. Root cause = a short-window BURST rail tripped by a stream→non-stream double-send per turn, with no backoff.

• Rate-limit backoff + actionable message (ROOT). A 429 no longer fails the turn or fires an immediate re-send. agent_turn now retries with backoff that HONORS the retry-after header (else exponential 2/4/8s capped at 30s; LARRY_RL_MAX_RETRIES/LARRY_RL_BACKOFF_MAX tunable). The error message is now ACTIONABLE: _parse_response_headers captures retry-after + which rail tripped (anthropic-ratelimit-{requests,input-tokens,output-tokens}-remaining:0 or unified-{5h,7d} for OAuth) and _humanize_rate_limit renders e.g. rate limit: requests-per-minute exhausted (short-window burst, NOT your 5h quota) — resets in 38s; retrying with backoff. headers.log now captures the full header block on ANY 429 (was: OAuth-mode + unified-* header only), tagged *** 429 retry-after=Ns rail=… ***, so the next rate-limit is always diagnosable.
• Streaming parse failure no longer double-sends (burst trigger). A streaming 429/overload returns a plain JSON error body (not SSE); parse_stream_to_response previously dropped those non-data: lines, produced zero blocks, returned 1, and agent_turn blindly re-SENT the whole prompt non-streaming — a SECOND full API call within the same second (the per-minute burst). The parser now buffers the non-SSE body and, if it parses as a JSON error, returns a distinct code so the caller surfaces it WITH backoff instead of re-sending (single-send invariant: one logical attempt per turn). Also auto-defaults LARRY_NO_STREAM=1 on MobaXterm/Cygwin/MSYS (_is_cygwin_like) where SSE parsing is fragile; an explicit LARRY_NO_STREAM=0 still forces it on.
• ErrorPI mangled error string fixed (CR-taint). — ErrorPI error: rate_limit_error was a carriage-return overprint: on MobaXterm the response field jq -r '.error.type' carried a trailing \r, which (a) broke the case "$err_type" in rate_limit_error) match → fell to the %s — %s default (the stray —), and (b) CR-returned the cursor so the terminal overprinted "API error" → "ErrorPI". Fix: strip_cr on err_type/err_msg in _humanize_api_error, and err()/warn()/log() now strip embedded CRs defensively. (The v0.7.5 CR sweep missed the error-DISPLAY construction path.)
• phi tier-5 notice fires once per session (was per-turn nag). The tier-5 (presidio NER) disabled — sidecar not running notice printed every turn because auto_detect_phi runs inside $(...) command substitution and the old export _LARRY_PHI_TIER5_WARNED=1 flag died in the subshell. Now keyed to a $LARRY_HOME/.phi-notice-shown file holding SESSION_ID — fires once per session, survives the subshell, resets for a genuinely new session. Same-pattern sweep caught the identical subshell-flag bug in _auto_phi_b64_roundtrip's python3-missing notice (_LARRY_B64_PY3_WARNED) — fixed the same way.

v0.8.4 — 2026-05-27

• Installer/updater now detects HTML-sign-in-page responses and fails loud instead of silently corrupting. Root cause (Clover #5's diagnosis, Deliverables/2026-05-27-cloverleaf-larry-stuck-update-and-tab-bug.md): a private/sign-in-gated Gitea answers an unauthenticated raw-file read with the HTML Sign-In page at HTTP 200 (303 → /user/login, followed by curl -L to a 200 HTML page). curl -fsSL treats that as success, so the old installer/auto-updater parsed the HTML as VERSION/MANIFEST/larry.sh content — silently aborting, or overwriting real on-disk files with HTML soup. This is exactly what stranded a work-box at v0.7.3 until the Gitea REQUIRE_SIGNIN_VIEW=false flip.
• New lib/fetch-safe.sh — a content-validating fetch wrapper (fetch_validate URL DEST KIND [MAX_TIME]). After every curl, BEFORE trusting the bytes, it (a) detects the HTML-login trap (<!DOCTYPE html / <html / Sign In - Gitea / <title>Sign In markers, or a text/html Content-Type when a raw file was expected) and (b) validates the content shape per file type: VERSION must match ^[0-9]+\.[0-9]+\.[0-9]+, MANIFEST must be a path-list with no HTML, larry.sh must start with #!/usr/bin/env bash, other .sh must be non-HTML. On any failure it prints an actionable error and returns non-zero without overwriting the target. The bootstrap install-larry.sh (curl|bash, runs before any lib exists) and larry.sh's self_update() (runs before lib is sourced) each carry a byte-identical inline copy; the canonical file is in MANIFEST and auto-syncs.
• Every remote-content fetch hardened. install-larry.sh fetch(); larry.sh agent fetch, sync_from_manifest MANIFEST + per-file fetches, and _fetch_with_fallback (Phase-B VERSION + larry.sh) all route through the validator. No trusted-content fetch still uses raw curl -fsSL.
• Optional LARRY_GITEA_TOKEN (alias GITEA_TOKEN) for authenticated fetch. When set, fetches add Authorization: token <PAT> so the installer/updater works against a PRIVATE repo without the public-flip. The token is never hardcoded and never logged. Documented in --help + MANUAL.md.

v0.8.3 — 2026-05-27

• Tab-completion trailing space no longer breaks command dispatch. The slash-command completer intentionally appends a trailing space after a unique match (so arg-taking commands feel snappy), but the main_loop dispatcher matched exact case globs, so /quit (completed) missed the /quit) arm and fell through to "unknown command". Latent since v0.6.6 when tab completion shipped. Fixed by rtrimming the dispatch key once at the case "$input" boundary (larry.sh), which tolerates the completer's space, a user-typed trailing space, and any CR remnant while preserving interior /load FILE argument spacing. Added a shared rtrim() helper to lib/cygwin-safe.sh (and the inline fallback) next to strip_cr.

v0.8.2 — 2026-05-27

Microsoft Presidio sidecar for free-text NER. Closes V1 from Vera's audit — the dominant real-world failure mode (patient names, addresses, un-keyworded dates in prose chat). Opt-in install; larry runs in v0.8.1 mode on hosts where Presidio isn't installed (MobaXterm/Cygwin per Bryan's accepted tradeoff).

• lib/phi-presidio-sidecar.py — FastAPI service on 127.0.0.1:$LARRY_PHI_PORT (default 41189). Wraps Presidio's AnalyzerEngine + AnonymizerEngine over spaCy en_core_web_sm (12MB model, ~9-second cold start). Two endpoints: POST /redact takes {"text": "..."} and returns {"redacted": "...", "entities": [...], "latency_ms": N}; GET /health for the launcher's readiness probe. Three HL7-specific custom recognizers added (HL7_MRN for 6-12 digit numerics with patient/MRN/account context; HL7_CARET_NAME for SMITH^JOHN outside Tier-3 line context; HL7_PHONE_BARE for plain 10-digit phones). Confidence threshold for tier-5 tokenize is 0.3 (below that is too noisy).

• lib/phi-sidecar.sh — lifecycle launcher. Subcommands: start / stop / status / health / ensure. ensure is idempotent (no-op if already up); called from larry.sh main_loop startup, backgrounded so it never blocks larry's first prompt. Waits up to 30 seconds for the sidecar to become healthy after start; surfaces the log tail if startup fails. PID file at $LARRY_HOME/.phi-sidecar.pid; log at $LARRY_HOME/log/phi-sidecar.log. Honors LARRY_PHI_VENV env to use a dedicated virtualenv (which the installer sets up at $LARRY_HOME/phi-venv when the user opts in).

• lib/phi-client.sh — bash wrapper around /redact. Sourceable functions: phi_client_available, phi_redact_text, phi_redact_entities. Also runs standalone as a CLI (./phi-client.sh check / redact / entities). CR-safe (sources cygwin-safe.sh defensively); 5-second curl timeout bounds any tier-5 stall.

• Tier-5 integration in larry.sh:auto_detect_phi. New stage AFTER the existing tier-1/2/3/4 substitution and BEFORE the status summary. Sources phi-client.sh lazily, probes phi_client_available, and on success runs phi_redact_entities to get Presidio's per-entity output. Each entity is tokenized through the SAME hl7-sanitize.sh tokenize-value pipeline as tiers 1-4 (category prefixed presidio_<TYPE>) so token IDs remain stable across surfaces and the /tokens listing stays unified. Tier-5 honors LARRY_AUTO_PHI=confirm (prompts Y/n once per value) and strict (aborts the turn if tokenize-value fails on a Presidio hit). Critically, v0.8.2 removes the v0.7.3 early-return that exited auto_detect_phi when tiers 1-4 found nothing — pure-prose input now ALWAYS reaches tier-5.

• Graceful degradation. If the sidecar is unreachable (not installed, not started, crashed), tier-5 silently no-ops with a one-time stderr warning per session. Larry's REPL remains fully functional in v0.8.1 mode. LARRY_AUTO_PHI=strict does NOT abort on absent sidecar (the strict mode escape is for HL7-shaped content where rule-pack would have caught the leak; tier-5 is additive coverage).

• /phi-sidecar slash command — start / stop / status / health / ensure exposed to the user. Slash-completion table and _LARRY_SLASH_CMDS_DESC updated.

• install-larry.sh install path. On hosts with Python 3.9+ + pip, the installer prompts before creating $LARRY_HOME/phi-venv and installing presidio_analyzer + presidio_anonymizer + fastapi + uvicorn + spaCy en_core_web_sm (~400MB on disk, ~250MB RAM resident). On MobaXterm/Cygwin without python3, the installer skips the prompt entirely and prints Bryan's accepted tradeoff (MobaXterm stays on v0.8.1 + nudges). Re-runnable; idempotent.

• MANIFEST. Added three new lib files. They auto-sync to every running client on next launch; clients without Python 3 won't run the sidecar but the files are harmless to ship.

Prototype validation (Bryan's Mac, Apple Silicon, Python 3.14). Cold start (model load): ~9 seconds with en_core_web_sm (vs ~82s with the larger en_core_web_lg Presidio auto-downloads by default — we explicitly pin _sm for the latency-sensitive REPL use case). Warm analyzer latency: P50 20.6ms, P95 22.7ms over 20 sequential requests on 100-word input. End-to-end HTTP round-trip (curl + json roundtrip): P50 ~57ms warm; first request post-startup pays a ~150ms tokenizer warmup tax then steady. Well under the 200ms-per-turn REPL budget.

Detection quality on the canonical "John Doe MRN 623000286" sample: 8 core entities caught (PERSON x2, DATE_TIME x2, PHONE_NUMBER, US_*), plus the three custom HL7 recognizers add MRN + caret-name + bare-phone coverage. Misclassifications (MRN as US_PASSPORT, "ED" as PERSON) are within tolerance for the tokenize-everything-suspicious policy — the auto-PHI lookup table sees them as presidio_* categories and the operator can audit via /tokens.

MobaXterm compatibility verdict. Per Bryan's accepted tradeoff: v0.8.2 ships Mac/Linux-only. MobaXterm/Cygwin stays on v0.8.1 (rule-pack + path-block + content-shape gating + strict mode + base64 round-trip + tool-result review gate). Test path: install-larry.sh detects platform and skips the Presidio install on windows-cygwin with a clear "v0.8.1 mode" note. No code in larry.sh is platform-gated — tier-5 silently no-ops when the sidecar is absent, which IS the MobaXterm path.

Proactive same-pattern sweep. Searched for other call sites where free-text NER would help: tool-result surface already gets HL7-shape sanitize (v0.8.1) and base64 round-trip (v0.8.1-c). Tier-5 is user_input-only by design — tool-result free-text NER deferred to a future patch (would require deciding on per-tool latency budgets; Bryan to call when needed).

v0.8.1 — 2026-05-27

Tool-result PHI gating expansion. Closes V2 / V12 and the V2 base64 sub-gap from Vera's audit. No behavior change for users not on HL7-shaped data; opt-in friction for the 8KB+ tool-result review gate.

• Tool-name allow-list dropped; content-shape gating only. The v0.7.3 tool-result auto-PHI gate ran only on read_file (.hl7|.txt), nc_msgs, hl7_field, hl7_diff. v0.8.1 runs _auto_phi_looks_like_hl7 on EVERY tool result. On hit → route through lib/hl7-sanitize.sh. On miss → pass through unchanged. Closes V2: bash_exec/ssh_exec/ grep_files/read_file of .log/.csv/.dat/no-suffix files are now all covered when their output is HL7-shaped. False-positive cost is cheap (extra regex pass with zero behavioral impact on non-HL7).

• Base64-wrapped HL7 round-trip. New _auto_phi_b64_roundtrip helper. Detects candidate base64 runs (length >= 200 chars, [A-Za-z0-9+/=] only, length divisible by 4 — NOT entropy-based, per Pax §V2-sub: HL7's repetitive prefixes survive base64 with LOW entropy). Speculatively decodes each run; if decoded bytes look like HL7, routes through hl7-sanitize.sh and re-encodes (base64 -w0) back into the result. Catches ssh_pull_smat sampled mode TSV (server-side encoding kept for binary-safe TSV transport; client-side unwrap handles the safety concern). Requires python3 (installed everywhere larry-anywhere runs); skipped with a one-time stderr warning if unavailable.

• Operator review gate for bash_exec/ssh_exec/ssh_pull/ ssh_pull_smat results. When the tool produced HL7-shaped output OR the result exceeds LARRY_TOOL_RESULT_REVIEW_THRESHOLD bytes (default 8192), Larry prompts [Y/n/i] before passing the result back to the model. i opens the result in $PAGER then re-prompts. Default Y — zero friction by default. N substitutes a refusal JSON so the model knows a result was withheld. Skipped when LARRY_AUTO_PHI=off (consistent with the opt-out) OR running non-interactively (no TTY — never blocks headless scripts). Override with LARRY_TOOL_RESULT_REVIEW=always to gate every result. Per Pax §V2/V12: closes the "operator wanted to see this themselves, didn't want the model to see it" gap that's the actual common case.

Proactive same-pattern sweep. Searched the codebase for other call sites where tool output bypasses content-shape gating: found only the one in agent_turn. The v0.8.0-c strict-mode tool-result branch was hardened in lockstep so it now triggers on the broader (content-only) eligibility instead of the old name-allow-list.

Manifest unchanged.

v0.8.0 — 2026-05-27

PHI-safety quick-wins pack — three independent zero-risk patches closing four gap-classes Vera identified in the v0.7.5 static audit (Deliverables/2026-05-27-cloverleaf-larry-phi-leak-audit.md) with Pax's recommended mitigations (Deliverables/2026-05-27-cloverleaf-larry-phi-mitigation-research.md). No new dependencies, no behavior change for users not interacting with PHI.

• read_file/grep_files/glob_files/list_dir path-block list (closes V4 + V6 + V11). Refuse — with a structured JSON error the model must surface, NOT a silent "file not found" — any tool-side attempt to read or enumerate under $LARRY_HOME/log/ (auto-phi.log, headers.log, oauth.log, session logs), $LARRY_HOME/sanitize/ (lookup.tsv — the desanitization key), $LARRY_HOME/sessions/, $LARRY_HOME/.oauth.json, or $LARRY_HOME/.env. Block-list resolves $LARRY_HOME at call time (not script-parse time) and runs against both the literal path and its realpath -m canonical form, so symlink detours don't bypass. The proactive same-pattern sweep (Bryan standing rule, 2026-05-27) extended the block from tool_read_file alone to also cover tool_grep_files, tool_glob_files, and tool_list_dir — those tools would otherwise leak filenames or grep-matched content out of the same protected dirs without any approval gate.

• /load <file> HL7 pre-routing (closes V3). When the loaded file's content matches _auto_phi_looks_like_hl7, route it through lib/hl7-sanitize.sh (the segment-aware tokenizer with the full PHI field rule set: PID, PV1, NK1, GT1, IN1, OBR, OBX, DG1, ORC) BEFORE the existing user_input auto-PHI pass. Closes the gap where smat dumps loaded via /load only got the lighter per-word classifier, which misses bare HL7 PID fields. Status line reports how many fields were tokenized: phi> /load: hl7-sanitize.sh tokenized N HL7 field(s) from <file> before passing to auto-PHI. Strict mode (see below) aborts the /load if sanitize fails; default/confirm modes warn-and-continue.

• LARRY_AUTO_PHI=strict fail-closed mode (closes V5). New fourth value alongside off / on / confirm. In strict mode, the auto-PHI pipeline aborts the surrounding turn (no payload built, no API call) when: (a) lib/hl7-sanitize.sh is missing/non-executable on HL7-shaped user_input, (b) the sanitizer returns empty on HL7-shaped content, (c) any single value's tokenize-value call fails inside the detection loop. On the tool-result surface (which can't kill the in-flight tool_use), strict mode substitutes the result with a structured JSON refusal sentinel so the raw HL7 NEVER reaches the model. Existing off / on / confirm semantics unchanged (still fail-open per Bryan's "don't break tools" priority). Strict is the opt-in tradeoff for HIPAA work where a silent leak is worse than a broken turn. /phi-auto strict toggle and /help text updated. Wired into both auto-PHI invocation sites: user input scan and the tool-result HL7 sanitizer gate.

Proactive same-pattern sweep (Bryan standing rule, 2026-05-27). Searched the codebase for other tools matching the pattern "reads arbitrary path, returns content to model, no approval gate": found and patched tool_grep_files, tool_glob_files, tool_list_dir alongside tool_read_file. bash_exec/ssh_exec already require Y/N operator approval — the operator is the gatekeeper there (a second gate deferred to v0.8.1). No other matches.

Manifest unchanged (no new files in lib/).

v0.7.5 — 2026-05-27

Three focused changes, one common cause: the Cygwin/MobaXterm CR-taint pattern that crashed OAuth on Bryan's v0.7.3 work-box with the cryptic error bash: ...: arithmetic syntax error: invalid arithmetic operator (error token is "").

• OAuth/arithmetic CR fix. lib/oauth.sh now routes every operand entering a bash arithmetic context (fetched_at, expires_in, now) through a dedicated coerce_int helper that strips non-digits at the source. The failure mode: $(date +%s) against a Cygwin pty where Windows-native date.exe shadows Cygwin date can return a CR-tainted epoch like "1779999999\r", which crashes the very next $((expires_at - now)). Diagnosis in Deliverables/2026-05-27-cloverleaf-larry-oauth-arithmetic-fix.md.

• Mouse mode is opt-in. REPL mouse handling now defaults to OFF and is enabled via LARRY_MOUSE=1 env var or /mouse on slash command. Several terminals (notably MobaXterm and stripped tmux) were swallowing the mouse ANSI sequences and printing literal ^[[?1000h garbage when v0.7.0 turned it on unconditionally. Diagnosis in Deliverables/2026-05-27-cloverleaf-larry-mouse-regression-fix.md.

• CR-safety sweep across lib/*.sh and top-level scripts. Three new primitives in lib/cygwin-safe.sh (sourced by every tool family member):

  • coerce_int VAL [DEFAULT] — for arithmetic and integer-test operands
  • strip_cr VAL — for case patterns, regex tests, paths, HTTP headers
  • read_clean VAR [PROMPT] — read -r wrapper that strips CR pre-assign Hardened call sites:
  • larry.sh — status-line date +%s / tput cols, three y/N approval prompts (write_file, bash_exec, first-run auth), API-key paste, first-run auth menu
  • lib/oauth.sh — cmd_login and cmd_refresh date +%s captures
  • lib/nc-engine.sh — five y/N action prompts (stop/start/bounce, resend, route-test, testxlate, tpstest) + find ... | wc -l arithmetic
  • lib/nc-msgs.sh — parse_time_ms date captures (4 sites), meta-TSV tm field, MSG_COUNT wc -l
  • lib/nc-regression.sh — tr | wc -c count, hl7-diff ?-fallback arithmetic
  • lib/nc-smat-diff.sh — A_COUNT/B_COUNT/DIFFS_TOTAL
  • lib/nc-insert-protocol.sh — every awk-emitted line-number that feeds head -n $((N-1)) / tail -n +$((N+1)) arithmetic
  • lib/journal.sh — _next_seq wc -l arithmetic
  • lib/lessons.sh — _next_id, cmd_list, cmd_count arithmetic + two y/N prompts (clear all, clear since)
  • lib/hl7-sanitize.sh — cmd_count arithmetic + clear-table y/N
  • lib/ssh-helper.sh — local + remote wc -c integer compares (4 sites)
  • lib/nc-find.sh — wc -l count for %d printf
  • lib/nc-table.sh — $(date +%s) in backup-filename construction
  • lib/nc-document.sh — two wc -l | %d printf sites
  • larry-rollback.sh — Proceed? y/N prompt

  Reproduction (now exercised by cygwin-safe.sh's in-line tests):

  now=$(printf '%s\r' 1779999999); echo $((now - 1))   # pre-fix: crashes
  now=$(coerce_int "$(printf '%s\r' 1779999999)" 0); echo $((now - 1))   # fix: 1779999998
  

  Added lib/cygwin-safe.sh to MANIFEST so it auto-syncs to every running client on next launch.

v0.7.4 — 2026-05-27

• Drop GitHub fallback from auto-update. Single-source Gitea (https://git.bjnoela.com/bryan/cloverleaf-larry.git).

v0.7.3 — 2026-05-26

• Automatic PHI detection (tiered detection + blacklist contexts).

v0.7.2 — 2026-05-26

• Gitea becomes primary auto-update origin; GitHub demoted to fallback.

v0.7.1 — 2026-05-26

• Status line moves to between-turn position (post-input, pre-response).
• Status line below prompt; automatic PHI detection; session-artifact upload.

v0.7.0 — 2026-05-26

• HL7-aware tab completion + REPL mouse mode (later made opt-in in v0.7.5).