@blinkdotnew/cli 0.1.6 → 0.1.8

package/dist/cli.js

@@ -1,6 +1,8 @@
 #!/usr/bin/env node
 var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
@@ -8,6 +10,15 @@ var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
 };
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/lib/project.ts
 var project_exports = {};
@@ -53,6 +64,34 @@ var init_project = __esm({
   }
 });
 
+// src/lib/agent.ts
+var agent_exports = {};
+__export(agent_exports, {
+  requireAgentId: () => requireAgentId,
+  resolveAgentId: () => resolveAgentId
+});
+function resolveAgentId(explicitId) {
+  if (explicitId) return explicitId;
+  if (process.env.BLINK_AGENT_ID) return process.env.BLINK_AGENT_ID;
+  if (process.env.BLINK_ACTIVE_AGENT) return process.env.BLINK_ACTIVE_AGENT;
+  return void 0;
+}
+function requireAgentId(explicitId) {
+  const id = resolveAgentId(explicitId);
+  if (!id) {
+    process.stderr.write(
+      "\nError: No agent set.\n  On Claw machines this is automatic (BLINK_AGENT_ID is injected).\n  Otherwise:\n    blink agent list                      # find your agent ID\n    eval $(blink agent use clw_xxx --export)   # set it for this session\n    blink secrets set --agent clw_xxx KEY val  # or pass --agent directly\n"
+    );
+    process.exit(1);
+  }
+  return id;
+}
+var init_agent = __esm({
+  "src/lib/agent.ts"() {
+    "use strict";
+  }
+});
+
 // src/cli.ts
 import { Command } from "commander";
 import { createRequire } from "module";
@@ -135,8 +174,12 @@ function requireToken() {
 
 // src/lib/api-resources.ts
 var BASE_URL = process.env.BLINK_APIS_URL ?? "https://core.blink.new";
+function resolveResourceToken() {
+  if (process.env.BLINK_PROJECT_KEY) return process.env.BLINK_PROJECT_KEY;
+  return resolveToken();
+}
 async function resourcesRequest(path, opts = {}) {
-  const token = resolveToken();
+  const token = resolveResourceToken();
   const headers = {
     ...token ? { Authorization: `Bearer ${token}` } : {},
     ...process.env.BLINK_AGENT_ID ? { "x-blink-agent-id": process.env.BLINK_AGENT_ID } : {},
@@ -1204,16 +1247,30 @@ After linking, most commands work without specifying a project_id:
     clearProjectConfig();
     console.log("Unlinked.");
   });
-  program2.command("status").description("Show linked project and auth status").action(() => {
+  program2.command("status").description("Show current agent, project, and auth context").action(() => {
     const config = readProjectConfig();
-    const token = process.env.BLINK_API_KEY ? "BLINK_API_KEY env" : "~/.config/blink/config.toml";
+    const { resolveAgentId: resolveAgentId3 } = (init_agent(), __toCommonJS(agent_exports));
+    const agentId = resolveAgentId3();
+    const agentSource = process.env.BLINK_AGENT_ID ? "BLINK_AGENT_ID env" : process.env.BLINK_ACTIVE_AGENT ? "BLINK_ACTIVE_AGENT env" : null;
+    if (agentId) {
+      console.log(chalk7.bold("Agent    ") + agentId + chalk7.dim("  (" + agentSource + ")"));
+    } else {
+      console.log(chalk7.dim("Agent    not set  (use: eval $(blink agent use clw_xxx --export))"));
+    }
     if (config) {
-      console.log(chalk7.bold("Project  ") + config.projectId);
-      if (config.workspaceId) console.log(chalk7.bold("Workspace") + " " + config.workspaceId);
+      const projectSource = process.env.BLINK_ACTIVE_PROJECT ? "BLINK_ACTIVE_PROJECT env" : ".blink/project.json";
+      console.log(chalk7.bold("Project  ") + config.projectId + chalk7.dim("  (" + projectSource + ")"));
+    } else if (process.env.BLINK_ACTIVE_PROJECT) {
+      console.log(chalk7.bold("Project  ") + process.env.BLINK_ACTIVE_PROJECT + chalk7.dim("  (BLINK_ACTIVE_PROJECT env)"));
     } else {
-      console.log(chalk7.dim("No project linked (run `blink link`)"));
+      console.log(chalk7.dim("Project  not linked  (use: blink link  or  eval $(blink use proj_xxx --export))"));
+    }
+    const authSource = process.env.BLINK_API_KEY ? "BLINK_API_KEY env" : "~/.config/blink/config.toml";
+    const hasProjectKey = !!process.env.BLINK_PROJECT_KEY;
+    console.log(chalk7.bold("Auth     ") + authSource);
+    if (hasProjectKey) {
+      console.log(chalk7.bold("ProjKey  ") + "BLINK_PROJECT_KEY env" + chalk7.dim("  (used for db/storage/rag)"));
     }
-    console.log(chalk7.bold("Auth     ") + token);
   });
 }
 
@@ -1267,6 +1324,174 @@ For CI/GitHub Actions: set BLINK_API_KEY as a secret, skip login entirely.
   });
 }
 
+// src/commands/agent.ts
+init_agent();
+import chalk9 from "chalk";
+function registerAgentCommands(program2) {
+  const agent = program2.command("agent").description("Manage Blink Claw agents in your workspace").addHelpText("after", `
+Examples:
+  $ blink agent list                           List all agents in workspace
+  $ blink agent use clw_xxx                   Show how to set active agent
+  $ eval $(blink agent use clw_xxx --export)  Set active agent for this session
+  $ blink agent status                         Show current agent details
+
+Agent ID resolution for all agent/secrets commands (priority: high \u2192 low):
+  1. --agent <id> flag
+  2. BLINK_AGENT_ID env var    \u2190 always set on Claw Fly machines (zero config)
+  3. BLINK_ACTIVE_AGENT env    \u2190 set via eval $(blink agent use clw_xxx --export)
+`);
+  agent.command("list").description("List all Claw agents in the workspace").action(async () => {
+    requireToken();
+    const result = await withSpinner("Loading agents...", () => appRequest("/api/claw/agents"));
+    if (isJsonMode()) return printJson(result);
+    const agents = Array.isArray(result) ? result : result?.agents ?? [];
+    if (!agents.length) {
+      console.log(chalk9.dim("No agents found. Deploy one at blink.new/claw"));
+      return;
+    }
+    const table = createTable(["ID", "Name", "Status", "Size", "Model"]);
+    for (const a of agents) {
+      table.push([a.id, a.name, a.status, a.machine_size ?? "-", a.model ?? "-"]);
+    }
+    console.log(table.toString());
+  });
+  agent.command("use <agent_id>").description("Set active agent for this shell session").option("--export", "Output shell export statement for eval").addHelpText("after", `
+Examples:
+  $ blink agent use clw_xxx               Prints the export command to run
+  $ eval $(blink agent use clw_xxx --export)  Actually sets it in your shell
+  $ export BLINK_ACTIVE_AGENT=clw_xxx    Same thing, manual
+
+After setting, secrets commands use this agent automatically:
+  $ blink secrets list
+  $ blink secrets set GITHUB_TOKEN ghp_xxx
+`).action(async (agentId, opts) => {
+    if (opts.export) {
+      process.stdout.write(`export BLINK_ACTIVE_AGENT=${agentId}
+`);
+    } else {
+      console.log(chalk9.bold("Active agent: ") + agentId);
+      console.log(chalk9.dim(`Run: export BLINK_ACTIVE_AGENT=${agentId}`));
+      console.log(chalk9.dim(`Or:  eval $(blink agent use ${agentId} --export)`));
+    }
+  });
+  agent.command("status [agent_id]").description("Show details for an agent").option("--agent <id>", "Agent ID (defaults to BLINK_AGENT_ID or BLINK_ACTIVE_AGENT)").addHelpText("after", `
+Examples:
+  $ blink agent status                 Show current agent (from BLINK_AGENT_ID)
+  $ blink agent status clw_xxx        Show specific agent
+`).action(async (agentIdArg, opts) => {
+    requireToken();
+    const agentId = requireAgentId(opts.agent ?? agentIdArg);
+    const result = await withSpinner(
+      "Loading agent...",
+      () => appRequest(`/api/claw/agents/${agentId}`)
+    );
+    if (isJsonMode()) return printJson(result);
+    const a = result?.agent ?? result;
+    console.log(chalk9.bold("ID       ") + a.id);
+    console.log(chalk9.bold("Name     ") + a.name);
+    console.log(chalk9.bold("Status   ") + a.status);
+    console.log(chalk9.bold("Model    ") + (a.model ?? "-"));
+    console.log(chalk9.bold("Machine  ") + (a.machine_size ?? "-"));
+    if (a.fly_app_name) console.log(chalk9.bold("Fly App  ") + a.fly_app_name);
+  });
+}
+
+// src/commands/secrets.ts
+init_agent();
+import chalk10 from "chalk";
+function registerSecretsCommands(program2) {
+  const secrets = program2.command("secrets").description("Manage encrypted secrets vault for a Claw agent").addHelpText("after", `
+Secrets are encrypted key-value pairs stored in the agent's vault.
+They are available as $KEY_NAME in all shell commands run by the agent.
+Values are NEVER shown after being set \u2014 only key names are listed.
+
+Agent ID resolution (priority: high \u2192 low):
+  1. --agent <id> flag
+  2. BLINK_AGENT_ID env var    \u2190 always set on Claw Fly machines (zero config)
+  3. BLINK_ACTIVE_AGENT env    \u2190 set via eval $(blink agent use clw_xxx --export)
+
+Examples:
+  $ blink secrets list                          List key names for current agent
+  $ blink secrets set GITHUB_TOKEN ghp_xxx      Add/update a secret
+  $ blink secrets delete OLD_KEY                Remove a secret
+
+Cross-agent management (an agent manager setting secrets on another agent):
+  $ blink secrets set --agent clw_other OPENAI_KEY sk-xxx
+  $ blink secrets list --agent clw_other
+`);
+  secrets.command("list").description("List secret key names (values are never displayed)").option("--agent <id>", "Agent ID (defaults to BLINK_AGENT_ID or BLINK_ACTIVE_AGENT)").addHelpText("after", `
+Examples:
+  $ blink secrets list                      List current agent's secrets
+  $ blink secrets list --agent clw_xxx     List another agent's secrets
+  $ blink secrets list --json              Machine-readable output
+`).action(async (opts) => {
+    requireToken();
+    const agentId = requireAgentId(opts.agent);
+    const result = await withSpinner(
+      "Loading secrets...",
+      () => appRequest(`/api/claw/agents/${agentId}/secrets`)
+    );
+    if (isJsonMode()) return printJson(result);
+    const keys = result?.secrets?.map((s) => s.key) ?? result?.keys ?? [];
+    if (!keys.length) {
+      console.log(chalk10.dim("(no secrets set \u2014 use `blink secrets set KEY value`)"));
+      return;
+    }
+    for (const k of keys) console.log(chalk10.bold(k));
+    console.log(chalk10.dim(`
+${keys.length} secret${keys.length === 1 ? "" : "s"} (values hidden)`));
+  });
+  secrets.command("set <key> <value>").description("Add or update a secret (stored encrypted, value never shown again)").option("--agent <id>", "Agent ID (defaults to BLINK_AGENT_ID or BLINK_ACTIVE_AGENT)").addHelpText("after", `
+Examples:
+  $ blink secrets set GITHUB_TOKEN ghp_xxx
+  $ blink secrets set OPENAI_KEY sk-xxx
+  $ blink secrets set --agent clw_other DATABASE_URL postgres://...
+
+Key naming convention: UPPER_SNAKE_CASE (e.g. GITHUB_TOKEN, OPENAI_KEY)
+After setting, the secret is available as $KEY_NAME in agent shell commands.
+`).action(async (key, value, opts) => {
+    requireToken();
+    const agentId = requireAgentId(opts.agent);
+    await withSpinner(
+      `Setting ${key}...`,
+      () => appRequest(`/api/claw/agents/${agentId}/secrets`, {
+        method: "POST",
+        body: { key, value }
+      })
+    );
+    const normalised = key.toUpperCase();
+    if (!isJsonMode()) {
+      console.log(chalk10.green("\u2713") + ` ${normalised} saved`);
+      console.log(chalk10.dim("  Value hidden. Use $" + normalised + " in shell commands."));
+    } else {
+      printJson({ status: "ok", key: normalised, agent_id: agentId });
+    }
+  });
+  secrets.command("delete <key>").description("Delete a secret from the agent vault").option("--agent <id>", "Agent ID (defaults to BLINK_AGENT_ID or BLINK_ACTIVE_AGENT)").option("--yes", "Skip confirmation").addHelpText("after", `
+Examples:
+  $ blink secrets delete OLD_KEY
+  $ blink secrets delete OLD_KEY --yes
+  $ blink secrets delete --agent clw_xxx OLD_KEY
+`).action(async (key, opts) => {
+    requireToken();
+    const agentId = requireAgentId(opts.agent);
+    if (!opts.yes && !isJsonMode()) {
+      const { confirm } = await import("@clack/prompts");
+      const ok = await confirm({ message: `Delete secret "${key}" from agent ${agentId}?` });
+      if (!ok) {
+        console.log("Cancelled.");
+        return;
+      }
+    }
+    await withSpinner(
+      `Deleting ${key}...`,
+      () => appRequest(`/api/claw/agents/${agentId}/secrets?key=${encodeURIComponent(key)}`, { method: "DELETE" })
+    );
+    if (!isJsonMode()) console.log("Deleted: " + key);
+    else printJson({ status: "ok", key, agent_id: agentId });
+  });
+}
+
 // src/cli.ts
 var require2 = createRequire(import.meta.url);
 var pkg = require2("../package.json");
@@ -1322,6 +1547,20 @@ Connectors (Notion, Slack, Google, HubSpot, etc.):
   $ blink connector exec notion search_pages '{"query":"meeting notes"}'
   $ blink connector exec slack post_message '{"channel":"C123","text":"hi"}' --method POST
 
+Agents (Claw \u2014 zero config on Fly machines, BLINK_AGENT_ID is already set):
+  $ blink agent list                           List all agents in workspace
+  $ blink agent status                         Show current agent details
+  $ eval $(blink agent use clw_xxx --export)   Set active agent for session
+
+Secrets (encrypted agent vault \u2014 values never shown):
+  $ blink secrets list                         List secret key names
+  $ blink secrets set GITHUB_TOKEN ghp_xxx     Add/update a secret
+  $ blink secrets delete OLD_KEY               Remove a secret
+  $ blink secrets set --agent clw_other KEY v  Set secret on another agent (agent manager pattern)
+
+Tip \u2014 check full context (agent + project + auth):
+  $ blink status
+
 Scripting tip \u2014 add --json to any command for machine-readable output:
   $ blink deploy ./dist --prod --json | jq '.url'
   $ blink db query "SELECT email FROM users" --json | jq '.[].email'
@@ -1334,6 +1573,8 @@ Docs: https://blink.new/docs/cli
   if (opts.profile) setProfile(opts.profile);
 });
 registerAuthCommands(program);
+registerAgentCommands(program);
+registerSecretsCommands(program);
 registerProjectCommands(program);
 registerDeployCommands(program);
 registerAiCommands(program);
@@ -1359,10 +1600,10 @@ After setting:
     process.stdout.write(`export BLINK_ACTIVE_PROJECT=${projectId}
 `);
   } else {
-    const { default: chalk9 } = await import("chalk");
-    console.log(chalk9.bold("Active project: ") + projectId);
-    console.log(chalk9.dim(`Run: export BLINK_ACTIVE_PROJECT=${projectId}`));
-    console.log(chalk9.dim(`Or:  eval $(blink use ${projectId} --export)`));
+    const { default: chalk11 } = await import("chalk");
+    console.log(chalk11.bold("Active project: ") + projectId);
+    console.log(chalk11.dim(`Run: export BLINK_ACTIVE_PROJECT=${projectId}`));
+    console.log(chalk11.dim(`Or:  eval $(blink use ${projectId} --export)`));
   }
 });
 program.action(async () => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blinkdotnew/cli",
-  "version": "0.1.6",
+  "version": "0.1.8",
   "description": "Blink platform CLI — deploy apps, manage databases, generate AI content",
   "bin": {
     "blink": "dist/cli.js"

package/src/cli.ts

@@ -12,6 +12,8 @@ import { registerConnectorCommands } from './commands/connector.js'
 import { registerDeployCommands } from './commands/deploy.js'
 import { registerProjectCommands } from './commands/project.js'
 import { registerAuthCommands } from './commands/auth.js'
+import { registerAgentCommands } from './commands/agent.js'
+import { registerSecretsCommands } from './commands/secrets.js'
 
 const require = createRequire(import.meta.url)
 const pkg = require('../package.json') as { version: string }
@@ -78,6 +80,20 @@ Connectors (Notion, Slack, Google, HubSpot, etc.):
   $ blink connector exec notion search_pages '{"query":"meeting notes"}'
   $ blink connector exec slack post_message '{"channel":"C123","text":"hi"}' --method POST
 
+Agents (Claw — zero config on Fly machines, BLINK_AGENT_ID is already set):
+  $ blink agent list                           List all agents in workspace
+  $ blink agent status                         Show current agent details
+  $ eval $(blink agent use clw_xxx --export)   Set active agent for session
+
+Secrets (encrypted agent vault — values never shown):
+  $ blink secrets list                         List secret key names
+  $ blink secrets set GITHUB_TOKEN ghp_xxx     Add/update a secret
+  $ blink secrets delete OLD_KEY               Remove a secret
+  $ blink secrets set --agent clw_other KEY v  Set secret on another agent (agent manager pattern)
+
+Tip — check full context (agent + project + auth):
+  $ blink status
+
 Scripting tip — add --json to any command for machine-readable output:
   $ blink deploy ./dist --prod --json | jq '.url'
   $ blink db query "SELECT email FROM users" --json | jq '.[].email'
@@ -92,6 +108,8 @@ Docs: https://blink.new/docs/cli
   })
 
 registerAuthCommands(program)
+registerAgentCommands(program)
+registerSecretsCommands(program)
 registerProjectCommands(program)
 registerDeployCommands(program)
 registerAiCommands(program)

package/src/commands/agent.ts

@@ -0,0 +1,89 @@
+import { Command } from 'commander'
+import { appRequest } from '../lib/api-app.js'
+import { requireToken } from '../lib/auth.js'
+import { requireAgentId, resolveAgentId } from '../lib/agent.js'
+import { printJson, isJsonMode, withSpinner, createTable } from '../lib/output.js'
+import chalk from 'chalk'
+
+export function registerAgentCommands(program: Command) {
+  const agent = program.command('agent')
+    .description('Manage Blink Claw agents in your workspace')
+    .addHelpText('after', `
+Examples:
+  $ blink agent list                           List all agents in workspace
+  $ blink agent use clw_xxx                   Show how to set active agent
+  $ eval $(blink agent use clw_xxx --export)  Set active agent for this session
+  $ blink agent status                         Show current agent details
+
+Agent ID resolution for all agent/secrets commands (priority: high → low):
+  1. --agent <id> flag
+  2. BLINK_AGENT_ID env var    ← always set on Claw Fly machines (zero config)
+  3. BLINK_ACTIVE_AGENT env    ← set via eval \$(blink agent use clw_xxx --export)
+`)
+
+  agent.command('list')
+    .description('List all Claw agents in the workspace')
+    .action(async () => {
+      requireToken()
+      const result = await withSpinner('Loading agents...', () => appRequest('/api/claw/agents'))
+      if (isJsonMode()) return printJson(result)
+      const agents: Array<{ id: string; name: string; status: string; model?: string; machine_size?: string }> =
+        Array.isArray(result) ? result : result?.agents ?? []
+      if (!agents.length) {
+        console.log(chalk.dim('No agents found. Deploy one at blink.new/claw'))
+        return
+      }
+      const table = createTable(['ID', 'Name', 'Status', 'Size', 'Model'])
+      for (const a of agents) {
+        table.push([a.id, a.name, a.status, a.machine_size ?? '-', a.model ?? '-'])
+      }
+      console.log(table.toString())
+    })
+
+  agent.command('use <agent_id>')
+    .description('Set active agent for this shell session')
+    .option('--export', 'Output shell export statement for eval')
+    .addHelpText('after', `
+Examples:
+  $ blink agent use clw_xxx               Prints the export command to run
+  $ eval $(blink agent use clw_xxx --export)  Actually sets it in your shell
+  $ export BLINK_ACTIVE_AGENT=clw_xxx    Same thing, manual
+
+After setting, secrets commands use this agent automatically:
+  $ blink secrets list
+  $ blink secrets set GITHUB_TOKEN ghp_xxx
+`)
+    .action(async (agentId: string, opts) => {
+      if (opts.export) {
+        process.stdout.write(`export BLINK_ACTIVE_AGENT=${agentId}\n`)
+      } else {
+        console.log(chalk.bold('Active agent: ') + agentId)
+        console.log(chalk.dim(`Run: export BLINK_ACTIVE_AGENT=${agentId}`))
+        console.log(chalk.dim(`Or:  eval $(blink agent use ${agentId} --export)`))
+      }
+    })
+
+  agent.command('status [agent_id]')
+    .description('Show details for an agent')
+    .option('--agent <id>', 'Agent ID (defaults to BLINK_AGENT_ID or BLINK_ACTIVE_AGENT)')
+    .addHelpText('after', `
+Examples:
+  $ blink agent status                 Show current agent (from BLINK_AGENT_ID)
+  $ blink agent status clw_xxx        Show specific agent
+`)
+    .action(async (agentIdArg: string | undefined, opts) => {
+      requireToken()
+      const agentId = requireAgentId(opts.agent ?? agentIdArg)
+      const result = await withSpinner('Loading agent...', () =>
+        appRequest(`/api/claw/agents/${agentId}`)
+      )
+      if (isJsonMode()) return printJson(result)
+      const a = result?.agent ?? result
+      console.log(chalk.bold('ID       ') + a.id)
+      console.log(chalk.bold('Name     ') + a.name)
+      console.log(chalk.bold('Status   ') + a.status)
+      console.log(chalk.bold('Model    ') + (a.model ?? '-'))
+      console.log(chalk.bold('Machine  ') + (a.machine_size ?? '-'))
+      if (a.fly_app_name) console.log(chalk.bold('Fly App  ') + a.fly_app_name)
+    })
+}

package/src/commands/project.ts

@@ -99,16 +99,42 @@ After linking, most commands work without specifying a project_id:
     })
 
   program.command('status')
-    .description('Show linked project and auth status')
+    .description('Show current agent, project, and auth context')
     .action(() => {
       const config = readProjectConfig()
-      const token = process.env.BLINK_API_KEY ? 'BLINK_API_KEY env' : '~/.config/blink/config.toml'
+      const { resolveAgentId } = require('../lib/agent.js') as typeof import('../lib/agent.js')
+
+      // Agent context
+      const agentId = resolveAgentId()
+      const agentSource = process.env.BLINK_AGENT_ID
+        ? 'BLINK_AGENT_ID env'
+        : process.env.BLINK_ACTIVE_AGENT
+          ? 'BLINK_ACTIVE_AGENT env'
+          : null
+      if (agentId) {
+        console.log(chalk.bold('Agent    ') + agentId + chalk.dim('  (' + agentSource + ')'))
+      } else {
+        console.log(chalk.dim('Agent    not set  (use: eval $(blink agent use clw_xxx --export))'))
+      }
+
+      // Project context
       if (config) {
-        console.log(chalk.bold('Project  ') + config.projectId)
-        if (config.workspaceId) console.log(chalk.bold('Workspace') + ' ' + config.workspaceId)
+        const projectSource = process.env.BLINK_ACTIVE_PROJECT
+          ? 'BLINK_ACTIVE_PROJECT env'
+          : '.blink/project.json'
+        console.log(chalk.bold('Project  ') + config.projectId + chalk.dim('  (' + projectSource + ')'))
+      } else if (process.env.BLINK_ACTIVE_PROJECT) {
+        console.log(chalk.bold('Project  ') + process.env.BLINK_ACTIVE_PROJECT + chalk.dim('  (BLINK_ACTIVE_PROJECT env)'))
       } else {
-        console.log(chalk.dim('No project linked (run `blink link`)'))
+        console.log(chalk.dim('Project  not linked  (use: blink link  or  eval $(blink use proj_xxx --export))'))
+      }
+
+      // Auth
+      const authSource = process.env.BLINK_API_KEY ? 'BLINK_API_KEY env' : '~/.config/blink/config.toml'
+      const hasProjectKey = !!process.env.BLINK_PROJECT_KEY
+      console.log(chalk.bold('Auth     ') + authSource)
+      if (hasProjectKey) {
+        console.log(chalk.bold('ProjKey  ') + 'BLINK_PROJECT_KEY env' + chalk.dim('  (used for db/storage/rag)'))
       }
-      console.log(chalk.bold('Auth     ') + token)
     })
 }

package/src/commands/secrets.ts

@@ -0,0 +1,110 @@
+import { Command } from 'commander'
+import { appRequest } from '../lib/api-app.js'
+import { requireToken } from '../lib/auth.js'
+import { requireAgentId } from '../lib/agent.js'
+import { printJson, isJsonMode, withSpinner } from '../lib/output.js'
+import chalk from 'chalk'
+
+export function registerSecretsCommands(program: Command) {
+  const secrets = program.command('secrets')
+    .description('Manage encrypted secrets vault for a Claw agent')
+    .addHelpText('after', `
+Secrets are encrypted key-value pairs stored in the agent's vault.
+They are available as $KEY_NAME in all shell commands run by the agent.
+Values are NEVER shown after being set — only key names are listed.
+
+Agent ID resolution (priority: high → low):
+  1. --agent <id> flag
+  2. BLINK_AGENT_ID env var    ← always set on Claw Fly machines (zero config)
+  3. BLINK_ACTIVE_AGENT env    ← set via eval \$(blink agent use clw_xxx --export)
+
+Examples:
+  $ blink secrets list                          List key names for current agent
+  $ blink secrets set GITHUB_TOKEN ghp_xxx      Add/update a secret
+  $ blink secrets delete OLD_KEY                Remove a secret
+
+Cross-agent management (an agent manager setting secrets on another agent):
+  $ blink secrets set --agent clw_other OPENAI_KEY sk-xxx
+  $ blink secrets list --agent clw_other
+`)
+
+  secrets.command('list')
+    .description('List secret key names (values are never displayed)')
+    .option('--agent <id>', 'Agent ID (defaults to BLINK_AGENT_ID or BLINK_ACTIVE_AGENT)')
+    .addHelpText('after', `
+Examples:
+  $ blink secrets list                      List current agent's secrets
+  $ blink secrets list --agent clw_xxx     List another agent's secrets
+  $ blink secrets list --json              Machine-readable output
+`)
+    .action(async (opts) => {
+      requireToken()
+      const agentId = requireAgentId(opts.agent)
+      const result = await withSpinner('Loading secrets...', () =>
+        appRequest(`/api/claw/agents/${agentId}/secrets`)
+      )
+      if (isJsonMode()) return printJson(result)
+      const keys: string[] = result?.secrets?.map((s: { key: string }) => s.key) ?? result?.keys ?? []
+      if (!keys.length) {
+        console.log(chalk.dim('(no secrets set — use `blink secrets set KEY value`)'))
+        return
+      }
+      for (const k of keys) console.log(chalk.bold(k))
+      console.log(chalk.dim(`\n${keys.length} secret${keys.length === 1 ? '' : 's'} (values hidden)`))
+    })
+
+  secrets.command('set <key> <value>')
+    .description('Add or update a secret (stored encrypted, value never shown again)')
+    .option('--agent <id>', 'Agent ID (defaults to BLINK_AGENT_ID or BLINK_ACTIVE_AGENT)')
+    .addHelpText('after', `
+Examples:
+  $ blink secrets set GITHUB_TOKEN ghp_xxx
+  $ blink secrets set OPENAI_KEY sk-xxx
+  $ blink secrets set --agent clw_other DATABASE_URL postgres://...
+
+Key naming convention: UPPER_SNAKE_CASE (e.g. GITHUB_TOKEN, OPENAI_KEY)
+After setting, the secret is available as $KEY_NAME in agent shell commands.
+`)
+    .action(async (key: string, value: string, opts) => {
+      requireToken()
+      const agentId = requireAgentId(opts.agent)
+      await withSpinner(`Setting ${key}...`, () =>
+        appRequest(`/api/claw/agents/${agentId}/secrets`, {
+          method: 'POST',
+          body: { key, value },
+        })
+      )
+      const normalised = key.toUpperCase()
+      if (!isJsonMode()) {
+        console.log(chalk.green('✓') + ` ${normalised} saved`)
+        console.log(chalk.dim('  Value hidden. Use $' + normalised + ' in shell commands.'))
+      } else {
+        printJson({ status: 'ok', key: normalised, agent_id: agentId })
+      }
+    })
+
+  secrets.command('delete <key>')
+    .description('Delete a secret from the agent vault')
+    .option('--agent <id>', 'Agent ID (defaults to BLINK_AGENT_ID or BLINK_ACTIVE_AGENT)')
+    .option('--yes', 'Skip confirmation')
+    .addHelpText('after', `
+Examples:
+  $ blink secrets delete OLD_KEY
+  $ blink secrets delete OLD_KEY --yes
+  $ blink secrets delete --agent clw_xxx OLD_KEY
+`)
+    .action(async (key: string, opts) => {
+      requireToken()
+      const agentId = requireAgentId(opts.agent)
+      if (!opts.yes && !isJsonMode()) {
+        const { confirm } = await import('@clack/prompts')
+        const ok = await confirm({ message: `Delete secret "${key}" from agent ${agentId}?` })
+        if (!ok) { console.log('Cancelled.'); return }
+      }
+      await withSpinner(`Deleting ${key}...`, () =>
+        appRequest(`/api/claw/agents/${agentId}/secrets?key=${encodeURIComponent(key)}`, { method: 'DELETE' })
+      )
+      if (!isJsonMode()) console.log('Deleted: ' + key)
+      else printJson({ status: 'ok', key, agent_id: agentId })
+    })
+}

package/src/lib/agent.ts

@@ -0,0 +1,29 @@
+// Agent ID resolution — parallel to lib/project.ts for project ID resolution
+//
+// Priority (high → low):
+// 1. Explicit --agent <id> flag passed to the command
+// 2. BLINK_AGENT_ID env var  ← always set on Claw Fly machines (zero config)
+// 3. BLINK_ACTIVE_AGENT env  ← set via `eval $(blink agent use clw_xxx --export)`
+
+export function resolveAgentId(explicitId?: string): string | undefined {
+  if (explicitId) return explicitId
+  if (process.env.BLINK_AGENT_ID) return process.env.BLINK_AGENT_ID
+  if (process.env.BLINK_ACTIVE_AGENT) return process.env.BLINK_ACTIVE_AGENT
+  return undefined
+}
+
+export function requireAgentId(explicitId?: string): string {
+  const id = resolveAgentId(explicitId)
+  if (!id) {
+    process.stderr.write(
+      '\nError: No agent set.\n' +
+      '  On Claw machines this is automatic (BLINK_AGENT_ID is injected).\n' +
+      '  Otherwise:\n' +
+      '    blink agent list                      # find your agent ID\n' +
+      '    eval $(blink agent use clw_xxx --export)   # set it for this session\n' +
+      '    blink secrets set --agent clw_xxx KEY val  # or pass --agent directly\n'
+    )
+    process.exit(1)
+  }
+  return id
+}

package/src/lib/api-resources.ts

@@ -2,6 +2,14 @@ import { resolveToken } from './auth.js'
 
 const BASE_URL = process.env.BLINK_APIS_URL ?? 'https://core.blink.new'
 
+// BLINK_PROJECT_KEY overrides the workspace key for project-scoped endpoints
+// (db, storage, realtime, rag, notifications). Set it per-command:
+//   BLINK_PROJECT_KEY=$BLINK_PROJECT_KEY_1 blink db query "SELECT * FROM users"
+function resolveResourceToken(): string | undefined {
+  if (process.env.BLINK_PROJECT_KEY) return process.env.BLINK_PROJECT_KEY
+  return resolveToken()
+}
+
 interface RequestOptions {
   method?: string
   body?: unknown
@@ -10,7 +18,7 @@ interface RequestOptions {
 }
 
 export async function resourcesRequest(path: string, opts: RequestOptions = {}) {
-  const token = resolveToken()
+  const token = resolveResourceToken()
   const headers: Record<string, string> = {
     ...(token ? { Authorization: `Bearer ${token}` } : {}),
     ...(process.env.BLINK_AGENT_ID ? { 'x-blink-agent-id': process.env.BLINK_AGENT_ID } : {}),