fix: daemon unlocks passphrase-protected profiles on switch/refresh

A user's diagnostics showed the dashboard "Session active and ready" while the
daemon stayed "anonymous" after switching to a passphrase-protected profile,
and "Refresh state" never recovered. Root cause: the long-lived daemon reads
PERPLEXITY_VAULT_PASSPHRASE from SecretStorage only ONCE at spawn; a profile
switch just touched .reinit, so init() re-ran with the stale/absent passphrase
("Vault locked: no keychain, no env var, no TTY"), and the vault unseal cache
pinned the first profile's material ("wrong passphrase"). The extension could
read the vault (user typed the passphrase) — hence the two badges disagreed.

Fix (authed reinit endpoint + global passphrase, per maintainer decision):
- daemon/server.ts: new loopback-only, bearer-authed POST /daemon/reinit
  {passphrase} → sets the daemon's env, __resetKeyCache(), hot-reloads the
  client (no restart, no dropped MCP connections). Blocked from tunnel by the
  H11 admin allowlist (404) + an in-handler loopback check; audit logs only
  method+path, never the body.
- client.ts: reinit({passphrase}) sets env (when supplied) and ALWAYS resets
  the vault cache before re-init, so a profile switch isn't blocked by the
  previous profile's pinned material. DaemonAuthStatus gains a machine-readable
  reason (ok / vault-locked / not-logged-in), surfaced via config.ts
  wasLastVaultLocked().
- DashboardProvider.ts + extension.ts: Refresh state, webview profile:switch,
  and command-palette switchAccount/addAccount POST the SecretStorage
  passphrase to /daemon/reinit (non-spawning — only targets an already-running
  daemon; falls back to .reinit on HTTP failure / non-2xx).
- views.tsx: daemon badge is reason-aware (vault-locked vs not-logged-in).

Tests: reinit-http (bearer/passphrase/empty), /daemon/reinit in the tunnel
admin-allowlist suite (tunnel 404 / loopback handler), wasLastVaultLocked
coverage. Adversarial review (4 dims) — all confirmed findings fixed. Full
typecheck + build clean; 1154 unit tests pass. Version 0.8.46 -> 0.8.47.
Deferred: reconnecting loader. Needs live Windows daemon smoke to confirm.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: A.R.

CHANGELOG.md

@@ -6,6 +6,28 @@ All notable changes to this project are documented here. Format follows
 
 ## [Unreleased]
 
+## [0.8.49] — 2026-06-04 — Daemon unlocks passphrase-protected profiles on switch/refresh
+
+> Reported via a diagnostics bundle: after switching to a **passphrase-protected** profile, the dashboard showed "Session active and ready" while the daemon showed "Daemon sees anonymous session — use Refresh state to reconnect", and Refresh did not help. Root cause: the long-lived daemon is spawned with `PERPLEXITY_VAULT_PASSPHRASE` read from SecretStorage **once at spawn**; a profile switch only touched `.reinit`, which re-ran `init()` with the *stale/absent* passphrase, so the daemon could not unseal the new profile's vault (`Vault locked: no keychain, no env var, no TTY`). The vault unseal cache also pinned the first profile's material (`Vault decrypt failed: wrong passphrase`). The extension could read the vault (the user had typed the passphrase) — hence the two badges disagreed.
+
+### Fixed
+
+- **The daemon now re-receives the vault passphrase on profile-switch / "Refresh state"** instead of staying anonymous. New **loopback-only, bearer-authed `POST /daemon/reinit {passphrase}`** ([`daemon/server.ts`](packages/mcp-server/src/daemon/server.ts)) sets `PERPLEXITY_VAULT_PASSPHRASE` in the running daemon, clears the vault unseal cache, and hot-reloads the client — no daemon restart, no dropped MCP connections. The endpoint is blocked from tunnel callers by the H11 admin allowlist (404) plus an in-handler loopback check (defense-in-depth); the audit log records only method+path, never the body.
+- **`client.reinit({ passphrase })`** ([`client.ts`](packages/mcp-server/src/client.ts)) sets the env (when supplied) and **always `vault.__resetKeyCache()`** before re-init, so a profile switch is never blocked by the previous profile's pinned `_unsealMaterialCache`/`_keyCache`. The daemon's own active-profile-switch reinit benefits automatically.
+- **The extension re-supplies the passphrase** ([`DashboardProvider.ts`](packages/extension/src/webview/DashboardProvider.ts)): "Refresh state", webview `profile:switch`, and the command-palette `Perplexity.switchAccount` / `Perplexity.addAccount` now POST the SecretStorage passphrase to `/daemon/reinit` (non-spawning — it only targets an already-running daemon; falls back to touching `.reinit` if the HTTP path is unavailable or returns non-2xx).
+
+### Added
+
+- **`DaemonAuthStatus.reason`** (`ok` / `vault-locked` / `not-logged-in`) in [shared](packages/shared/src/models.ts), surfaced from `getSavedCookies()` → `wasLastVaultLocked()` → `init()` → `writeDaemonStatus()`. The dashboard's daemon badge is now **reason-aware** ([`views.tsx`](packages/webview/src/views.tsx)) — it distinguishes "daemon can't unlock this profile's vault" from "not logged in" instead of always saying "use Refresh state".
+
+### Known follow-up
+
+- An animated "reconnecting…" loader while a daemon reinit is in flight is deferred (needs transient webview-store state). One vault passphrase per machine is intentional (global SecretStorage key); per-profile passphrases are out of scope.
+
+### Verification
+
+- New unit tests: `test/daemon/reinit-http.test.js` (bearer required, passphrase forwarded, empty/missing handled), `/daemon/reinit` added to the tunnel-admin-allowlist suite (tunnel→404, loopback→handler), and `wasLastVaultLocked()` coverage in `test/config-getSavedCookies.test.js`. Adversarial review (4 dimensions) — all confirmed findings fixed (command-palette wiring, `res.ok` fallback, no-spawn). Full typecheck + build clean across all four packages. **Live daemon + passphrase-profile-switch flow on Windows still needs the manual smoke** (the SecretStorage→daemon round-trip can't be exercised without a real daemon).
+
 ## [0.8.46] — 2026-06-04 — Fix browser-data singleton-lock deadlock (issue #8)
 
 > Ref [#8](https://github.com/Automations-Project/VSCode-Perplexity-MCP/issues/8). Regression from the 0.8.43 issue-#5 fix (commit `c841124`): Phase 2 (headless search) switched from an *ephemeral* `chromium.launch()` to a long-lived `launchPersistentContext(browser-data)` so it could reuse the on-disk `cf_clearance` written by Phase 1. The side effect — the daemon now holds the `browser-data` Chromium process-singleton lock for its entire lifetime, and Chromium forbids a second `launchPersistentContext` on the same `--user-data-dir`. Three independent callers still targeted that dir: the Doctor probe (a separate process that ran its own `init()` against `browser-data`), the daemon's own Phase 1→Phase 2 transition, and the reinit cycle. On Windows each collision surfaced as `exitCode 21` / "Target page, context or browser has been closed", leaving the daemon stuck in anonymous mode in a self-reinforcing deadlock that only a full restart cleared. The fix makes the daemon the **single owner** of `browser-data` and hardens the lock handling — without reverting the `cf_clearance` reuse.

packages/extension/package.json

@@ -1,7 +1,7 @@
 {
   "name": "perplexity-vscode",
   "displayName": "Perplexity MCP",
-  "version": "0.8.48",
+  "version": "0.8.49",
   "publisher": "Nskha",
   "private": true,
   "description": "Perplexity AI search, reasoning, research, and compute — MCP server, dashboard, and multi-IDE auto-config for VS Code.",

packages/extension/src/extension.ts

@@ -878,6 +878,10 @@ async function activateInner(context: vscode.ExtensionContext): Promise<void> {
       if (pick) {
         setActive(pick);
         serverDefinitionsChanged.fire();
+        // Re-supply the new profile's vault passphrase to the running daemon
+        // (same fix as the webview profile:switch — otherwise a passphrase-
+        // protected account stays anonymous in the daemon).
+        dashboard.reinitDaemonAfterProfileChange();
         await dashboard.refresh();
       }
     })
@@ -892,6 +896,7 @@ async function activateInner(context: vscode.ExtensionContext): Promise<void> {
         createProfile(config.name, { loginMode: config.mode });
         setActive(config.name);
         serverDefinitionsChanged.fire();
+        dashboard.reinitDaemonAfterProfileChange();
         await dashboard.refresh();
         await dashboard.postNotice("info", `Created profile '${config.name}'. Starting login…`);
       } catch (err) {

packages/extension/src/webview/DashboardProvider.ts

@@ -517,6 +517,10 @@ export class DashboardProvider implements vscode.WebviewViewProvider {
           case "profile:switch": {
             setActive(message.payload.name);
             this.onMcpServerDefinitionsChanged?.();
+            // The active profile changed → re-supply its vault passphrase to
+            // the running daemon so it can unlock the new profile (otherwise it
+            // stays anonymous with the previous profile's passphrase).
+            void this.reinitDaemonWithPassphrase();
             await this.postActionResult(message.id, true);
             await this.postProfileList();
             await this.refresh();
@@ -2130,26 +2134,74 @@ export class DashboardProvider implements vscode.WebviewViewProvider {
 
   /**
    * If the daemon's last-known auth state is anonymous while the profile has
-   * stored credentials, touch the .reinit sentinel to ask the daemon to
-   * re-run init() and re-check auth. The daemon-status.json watcher will
-   * pick up the result automatically.
+   * stored credentials, re-supply the vault passphrase to the daemon and ask
+   * it to re-run init(). The daemon-status.json watcher picks up the result.
    */
   private triggerDaemonReinitIfStale(): void {
     try {
       const snapshot = this.buildState().snapshot;
       if (!snapshot.loggedIn) return;
       if (!snapshot.daemonAuth) return;
       if (snapshot.daemonAuth.authenticated) return;
-      // Stored login but daemon is anonymous → touch .reinit
-      const profile = getActiveName() ?? "default";
-      const reinitPath = getProfilePaths(profile).reinit;
-      fs.writeFileSync(reinitPath, String(Date.now()));
-      debug("[daemonStatusSync] Touched .reinit — daemon was anonymous with stored login");
+      // Stored login but daemon is anonymous → re-supply the passphrase + reinit.
+      void this.reinitDaemonWithPassphrase();
     } catch (err) {
       debug(`[daemonStatusSync] triggerDaemonReinitIfStale error: ${(err as Error).message}`);
     }
   }
 
+  /**
+   * Re-supply the current SecretStorage vault passphrase to the RUNNING daemon
+   * and hot-reload it (POST /daemon/reinit, loopback + bearer). This is what
+   * makes the daemon unlock passphrase-protected profiles whose passphrase was
+   * not in the daemon's spawn env (the daemon-anonymous-after-profile-switch
+   * bug). Fire-and-forget: the daemon-status watcher refreshes the UI when the
+   * reinit completes. Falls back to touching .reinit (keychain-unlockable
+   * profiles need no passphrase) if the daemon isn't reachable over HTTP.
+   */
+  /**
+   * Public entry for profile changes made OUTSIDE the webview (the command-
+   * palette Perplexity.switchAccount / Perplexity.addAccount). Fire-and-forget.
+   */
+  public reinitDaemonAfterProfileChange(): void {
+    void this.reinitDaemonWithPassphrase();
+  }
+
+  private async reinitDaemonWithPassphrase(): Promise<void> {
+    try {
+      // Non-spawning: only POST to a daemon that is ALREADY running. Using
+      // ensureBundledDaemon() here would spawn a daemon on stdio-only installs
+      // (review finding). getBundledDaemonStatus() never spawns.
+      const status = await getBundledDaemonStatus().catch(() => null);
+      const record = status?.running ? status.record : null;
+      if (!record?.port || !record?.bearerToken) {
+        throw new Error("no running daemon");
+      }
+      const passphrase = await peekStoredVaultPassphrase(this.context);
+      const res = await fetch(`http://127.0.0.1:${record.port}/daemon/reinit`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${record.bearerToken}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify(passphrase ? { passphrase } : {}),
+      });
+      // A non-2xx (403/500/…) must trigger the fallback, not be silently
+      // ignored — fetch only rejects on network errors (review finding).
+      if (!res.ok) throw new Error(`/daemon/reinit returned HTTP ${res.status}`);
+      debug(`[daemonStatusSync] POST /daemon/reinit -> ${res.status} (passphrase ${passphrase ? "sent" : "none"})`);
+    } catch (err) {
+      // HTTP path unavailable — fall back to the .reinit sentinel so a
+      // keychain-unlockable profile still reinits.
+      try {
+        const profile = getActiveName() ?? "default";
+        fs.writeFileSync(getProfilePaths(profile).reinit, String(Date.now()));
+        debug("[daemonStatusSync] /daemon/reinit path unavailable; touched .reinit instead");
+      } catch { /* ignore */ }
+      debug(`[daemonStatusSync] reinitDaemonWithPassphrase: ${(err as Error).message}`);
+    }
+  }
+
   private async readDaemonEvents(body: ReadableStream<Uint8Array>, controller: AbortController): Promise<void> {
     const reader = body.getReader();
     const decoder = new TextDecoder();

packages/mcp-server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "perplexity-user-mcp",
-  "version": "0.8.48",
+  "version": "0.8.49",
   "mcpName": "io.github.Automations-Project/perplexity-user-mcp",
   "type": "module",
   "description": "Perplexity AI MCP server — browser automation for search, reasoning, research, and compute. Not affiliated with Perplexity AI, Inc.",

packages/mcp-server/src/client.ts

@@ -20,6 +20,7 @@ import {
   findChromeExecutable,
   resolveBrowserExecutable,
   getSavedCookies,
+  wasLastVaultLocked,
   type BrowserChannel,
   type ASIFile,
   type SearchResult,
@@ -1248,8 +1249,24 @@ export class PerplexityClient {
    * vault cookies are picked up. Called by the `.reinit` sentinel watcher
    * after a child login-runner completes.
    */
-  async reinit(): Promise<void> {
+  async reinit(opts: { passphrase?: string } = {}): Promise<void> {
     console.error("[perplexity-mcp] Reinit requested — closing current context and reloading cookies.");
+    // When the extension re-supplies the vault passphrase (e.g. after a profile
+    // switch to a passphrase-protected account), update the process env so the
+    // daemon can unseal the new profile's vault. The daemon's passphrase is
+    // otherwise fixed at spawn time and a plain reinit stays anonymous.
+    if (opts.passphrase) {
+      process.env.PERPLEXITY_VAULT_PASSPHRASE = opts.passphrase;
+    }
+    // Always clear the vault unseal cache: a profile switch (or a freshly
+    // supplied passphrase) must not be blocked by the previous profile's
+    // pinned `_unsealMaterialCache`/`_keyCache` (issue: daemon vault-locked).
+    try {
+      const vault = await import("./vault.js");
+      vault.__resetKeyCache();
+    } catch {
+      // best-effort — never let a cache reset crash reinit
+    }
     await this.shutdown().catch(() => {});
     this.browser = null;
     this.context = null;
@@ -2652,6 +2669,15 @@ export class PerplexityClient {
   private writeDaemonStatus(startedAt: number, error: string | null): void {
     try {
       const paths = getActivePaths();
+      // Machine-readable reason so the UI can distinguish "daemon can't unlock
+      // this profile's vault" (a plain reinit won't recover — the passphrase
+      // must be re-supplied) from "not logged in". Derived from the last
+      // getSavedCookies() unseal outcome (issue: daemon vault-locked).
+      const reason: DaemonAuthStatus["reason"] = this.authenticated
+        ? "ok"
+        : wasLastVaultLocked()
+          ? "vault-locked"
+          : "not-logged-in";
       const status: DaemonAuthStatus = {
         authenticated: this.authenticated,
         tier: this.daemonTier(),
@@ -2660,6 +2686,7 @@ export class PerplexityClient {
         lastInit: new Date().toISOString(),
         initDurationMs: Date.now() - startedAt,
         error,
+        reason,
       };
       writeFileSync(paths.daemonStatus, JSON.stringify(status, null, 2) + "\n");
     } catch {

packages/mcp-server/src/config.ts

@@ -372,7 +372,21 @@ export interface PlaywrightCookie {
 
 const _vault = new Vault();
 
+// Tracks whether the most recent getSavedCookies() returned [] because the
+// vault could not be UNSEALED (passphrase missing/wrong in this process), as
+// opposed to the profile simply having no saved session. init() reads this to
+// record a machine-readable reason in daemon-status.json so the UI can tell
+// "daemon can't unlock this profile" apart from "not logged in" (issue:
+// daemon vault-locked after profile switch).
+let _lastVaultLocked = false;
+
+/** True when the last getSavedCookies() returned [] because vault unseal failed. */
+export function wasLastVaultLocked(): boolean {
+  return _lastVaultLocked;
+}
+
 export async function getSavedCookies(): Promise<PlaywrightCookie[]> {
+  _lastVaultLocked = false;
   // 1. Env var override (unchanged behavior)
   if (process.env.PERPLEXITY_SESSION_TOKEN) {
     const cookies: PlaywrightCookie[] = [{
@@ -423,6 +437,7 @@ export async function getSavedCookies(): Promise<PlaywrightCookie[]> {
         console.error(`[vault] getSavedCookies: vault.enc exists for profile '${profile}' but 'cookies' key is absent`);
       }
     }
+    _lastVaultLocked = unsealFailed;
     return [];
   }
   try {

packages/mcp-server/src/daemon/server.ts

@@ -574,6 +574,31 @@ export async function startDaemonServer(options: StartDaemonServerOptions = {}):
     });
   });
 
+  // Re-supply the vault passphrase to the RUNNING daemon and hot-reload the
+  // client. LOOPBACK ONLY (never reachable over the tunnel) because the body
+  // carries the vault passphrase; the audit middleware logs only method+path,
+  // never the body, so the passphrase is not persisted. The extension host
+  // calls this on profile-switch and on "Refresh state" so passphrase-
+  // protected profiles can unseal without a full daemon restart (issue: daemon
+  // stuck anonymous because PERPLEXITY_VAULT_PASSPHRASE was fixed at spawn).
+  app.post("/daemon/reinit", requireBearer, async (req: any, res: any, next: any) => {
+    try {
+      if (req._pplx?.source === "tunnel") {
+        res.status(403).json({ ok: false, error: "loopback_only" });
+        return;
+      }
+      const passphrase =
+        typeof req.body?.passphrase === "string" && req.body.passphrase.length > 0
+          ? req.body.passphrase
+          : undefined;
+      const client = await getClient();
+      await client.reinit(passphrase ? { passphrase } : {});
+      res.json({ ok: true, authenticated: !!client.authenticated });
+    } catch (error) {
+      next(error);
+    }
+  });
+
   app.post("/daemon/enable-tunnel", requireBearer, async (_req: any, res: any, next: any) => {
     try {
       await options.onEnableTunnel?.();

packages/mcp-server/test/config-getSavedCookies.test.js

@@ -26,6 +26,7 @@ describe("getSavedCookies diagnostic logging (issue #5.3)", () => {
     delete process.env.PERPLEXITY_CONFIG_DIR;
     delete process.env.PERPLEXITY_PROFILE;
     delete process.env.PERPLEXITY_VAULT_PASSPHRASE;
+    delete process.env.PERPLEXITY_DISABLE_KEYCHAIN;
     console.error = originalConsoleError;
   });
 
@@ -52,4 +53,34 @@ describe("getSavedCookies diagnostic logging (issue #5.3)", () => {
     expect(cookies).toEqual([]);
     expect(capturedErrors.some((c) => c.includes("'cookies' key is absent"))).toBe(true);
   });
+
+  it("wasLastVaultLocked() is false when there is no vault (not locked — just not logged in)", async () => {
+    const { getSavedCookies, wasLastVaultLocked } = await import("../src/config.js");
+    await getSavedCookies();
+    expect(wasLastVaultLocked()).toBe(false);
+  });
+
+  it("wasLastVaultLocked() is true when vault.enc exists but cannot be unsealed", async () => {
+    const { createProfile } = await import("../src/profiles.js");
+    const { Vault, __resetKeyCache } = await import("../src/vault.js");
+    createProfile("default");
+    // Write a cookies blob encrypted with a passphrase (keychain disabled so
+    // the blob is purely passphrase-protected).
+    process.env.PERPLEXITY_DISABLE_KEYCHAIN = "1";
+    process.env.PERPLEXITY_VAULT_PASSPHRASE = "secret";
+    __resetKeyCache();
+    const v = new Vault();
+    await v.set("default", "cookies", JSON.stringify([{ name: "x", value: "y" }]));
+
+    // Now drop the passphrase (and keychain) — the daemon-style "Vault locked"
+    // path: vault.enc exists but there is no unseal material.
+    delete process.env.PERPLEXITY_VAULT_PASSPHRASE;
+    __resetKeyCache();
+
+    vi.resetModules();
+    const { getSavedCookies, wasLastVaultLocked } = await import("../src/config.js");
+    const cookies = await getSavedCookies();
+    expect(cookies).toEqual([]);
+    expect(wasLastVaultLocked()).toBe(true);
+  });
 });