npm - @exagent/agent - Versions diffs - 0.3.0 → 0.3.2 - Mend

@exagent/agent 0.3.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/src/scrub-secrets.ts ADDED Viewed

@@ -0,0 +1,39 @@
+/**
+ * Secret scrubbing utility — defense-in-depth protection against LLM responses
+ * or log messages accidentally containing API keys, private keys, or tokens.
+ *
+ * Applied to:
+ * - LLM response content before parsing (strategy/loader.ts)
+ * - Strategy log output (runtime.ts context.log)
+ */
+const SECRET_PATTERNS: Array<{ pattern: RegExp; label: string }> = [
+  // OpenAI API keys
+  { pattern: /sk-[a-zA-Z0-9]{20,}/g, label: '[REDACTED:openai-key]' },
+  // Anthropic API keys
+  { pattern: /sk-ant-[a-zA-Z0-9_-]{20,}/g, label: '[REDACTED:anthropic-key]' },
+  // Google API keys
+  { pattern: /AIza[a-zA-Z0-9_-]{35}/g, label: '[REDACTED:google-key]' },
+  // Private keys (64 hex chars after 0x)
+  { pattern: /0x[a-fA-F0-9]{64}/g, label: '[REDACTED:private-key]' },
+  // Agent tokens
+  { pattern: /exg_[a-fA-F0-9]{64}/g, label: '[REDACTED:agent-token]' },
+  // Bootstrap tokens
+  { pattern: /exb_[a-fA-F0-9]{64}/g, label: '[REDACTED:bootstrap-token]' },
+  // Generic long bearer tokens (base64-ish, 40+ chars)
+  { pattern: /Bearer\s+[A-Za-z0-9_-]{40,}/g, label: '[REDACTED:bearer-token]' },
+];
+/**
+ * Scrub known secret patterns from text. Returns the scrubbed string.
+ * Safe to call on any text — if no patterns match, returns the original unchanged.
+ */
+export function scrubSecrets(text: string): string {
+  let result = text;
+  for (const { pattern, label } of SECRET_PATTERNS) {
+    // Reset lastIndex for global regexes
+    pattern.lastIndex = 0;
+    result = result.replace(pattern, label);
+  }
+  return result;
+}

package/src/setup.ts CHANGED Viewed

@@ -1,9 +1,8 @@
 import { chmodSync, existsSync, mkdirSync, writeFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { dirname, resolve } from 'node:path';
-import { createInterface } from 'node:readline/promises';
-import { stdin as input, stdout as output } from 'node:process';
 import { generatePrivateKey, privateKeyToAccount } from 'viem/accounts';
+import * as clack from '@clack/prompts';
 import {
   encryptSecretPayload,
   getDefaultSecureStorePath,
@@ -12,6 +11,7 @@ import {
   type RuntimeConfigFile,
   writeConfigFile,
 } from './config.js';
+import { printBanner, printStep, printDone, printInfo, printError, printSuccess, pc } from './ui.js';
 interface BootstrapPayload {
   apiToken: string;
@@ -28,106 +28,23 @@ function expandHomeDir(path: string): string {
   return resolve(homedir(), path.slice(2));
 }
-async function prompt(question: string): Promise<string> {
-  const rl = createInterface({ input, output });
-  try {
-    return (await rl.question(question)).trim();
-  } finally {
-    rl.close();
-  }
-}
-async function promptSecret(question: string): Promise<string> {
-  const rl = createInterface({ input, output, terminal: true }) as ReturnType<typeof createInterface> & {
-    stdoutMuted?: boolean;
-    _writeToOutput?: (text: string) => void;
-  };
-  rl.stdoutMuted = true;
-  const originalWrite = rl._writeToOutput?.bind(rl);
-  rl._writeToOutput = (text: string) => {
-    if (!rl.stdoutMuted) {
-      originalWrite?.(text);
-    }
-  };
-  try {
-    const answer = (await rl.question(question)).trim();
-    output.write('\n');
-    return answer;
-  } finally {
-    rl.close();
-  }
-}
-export async function promptSecretPassword(question: string = 'Device password: '): Promise<string> {
-  return promptSecret(question);
+function cancelled(): never {
+  clack.cancel('Setup cancelled.');
+  process.exit(0);
 }
-async function promptPasswordWithConfirmation(): Promise<string> {
-  output.write('\n');
-  output.write('Important: this password encrypts the local wallet key, relay token, and agent LLM key for this device.\n');
-  output.write('If you lose this password and the agent wallet holds funds, those funds cannot be recovered.\n\n');
-  const ack = await prompt('Type "I UNDERSTAND" to continue: ');
-  if (ack !== 'I UNDERSTAND') {
-    throw new Error('Secure setup aborted');
-  }
-  while (true) {
-    const password = await promptSecret('Create a device password (min 12 chars): ');
-    if (password.length < 12) {
-      output.write('Password must be at least 12 characters.\n');
-      continue;
-    }
-    const confirm = await promptSecret('Confirm device password: ');
-    if (password !== confirm) {
-      output.write('Passwords did not match. Try again.\n');
-      continue;
-    }
-    return password;
-  }
-}
-async function promptWalletPrivateKey(): Promise<string> {
-  while (true) {
-    const choice = (await prompt('Wallet setup — [1] generate new wallet locally, [2] use existing private key: ')).trim();
-    if (choice === '1') {
-      const privateKey = generatePrivateKey();
-      const address = privateKeyToAccount(privateKey).address;
-      output.write(`Generated wallet address: ${address}\n`);
-      return privateKey;
-    }
-    if (choice === '2') {
-      const privateKey = await promptSecret('Wallet private key (0x...): ');
-      if (/^0x[a-fA-F0-9]{64}$/.test(privateKey)) {
-        return privateKey;
-      }
-      output.write('Invalid private key. Expected a 32-byte hex string prefixed with 0x.\n');
-      continue;
-    }
-    output.write('Enter 1 or 2.\n');
-  }
-}
-async function promptLlmProvider(): Promise<string> {
-  while (true) {
-    const provider = (await prompt('Agent LLM provider (openai/anthropic/google/deepseek/mistral/groq/together/ollama): ')).toLowerCase();
-    if (['openai', 'anthropic', 'google', 'deepseek', 'mistral', 'groq', 'together', 'ollama'].includes(provider)) {
-      return provider;
-    }
-    output.write('Unsupported provider.\n');
-  }
-}
+// ---------------------------------------------------------------------------
+// Step 1: Bootstrap
+// ---------------------------------------------------------------------------
 async function consumeBootstrapPackage(config: RuntimeConfigFile): Promise<BootstrapPayload> {
   if (!config.secrets?.bootstrapToken) {
     return { apiToken: '' };
   }
+  const apiHost = new URL(config.apiUrl).host;
+  printInfo(`Connecting to ${pc.cyan(apiHost)}...`);
   const res = await fetch(`${config.apiUrl}/v1/agents/bootstrap/consume`, {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
@@ -139,52 +56,157 @@ async function consumeBootstrapPackage(config: RuntimeConfigFile): Promise<Boots
   if (!res.ok) {
     const body = await res.text();
-    throw new Error(`Failed to consume secure setup package: ${body}`);
+    throw new Error(`Failed to consume bootstrap package: ${body}`);
   }
   const data = await res.json() as { payload: BootstrapPayload };
   return data.payload;
 }
-async function buildLocalSecrets(config: RuntimeConfigFile, bootstrapPayload: BootstrapPayload): Promise<{ config: RuntimeConfigFile; secrets: LocalSecretPayload }> {
-  const nextConfig = structuredClone(config);
-  const llm = { ...(nextConfig.llm || {}) };
+// ---------------------------------------------------------------------------
+// Step 2: Wallet
+// ---------------------------------------------------------------------------
-  if (bootstrapPayload.llm?.provider && !llm.provider) {
-    llm.provider = bootstrapPayload.llm.provider as RuntimeConfigFile['llm']['provider'];
+async function setupWallet(config: RuntimeConfigFile): Promise<string> {
+  if (config.wallet?.privateKey) {
+    const account = privateKeyToAccount(config.wallet.privateKey as `0x${string}`);
+    printDone(`Using existing wallet: ${pc.dim(account.address)}`);
+    return config.wallet.privateKey;
   }
-  if (bootstrapPayload.llm?.model && !llm.model) {
-    llm.model = bootstrapPayload.llm.model;
+  const method = await clack.select({
+    message: 'How would you like to set up your wallet?',
+    options: [
+      { value: 'generate', label: 'Generate new wallet locally', hint: 'recommended' },
+      { value: 'import', label: 'Import existing private key' },
+    ],
+  });
+  if (clack.isCancel(method)) cancelled();
+  if (method === 'generate') {
+    const privateKey = generatePrivateKey();
+    const address = privateKeyToAccount(privateKey).address;
+    printDone(`Wallet created: ${pc.dim(address)}`);
+    return privateKey;
+  }
+  // Import flow
+  const privateKey = await clack.password({
+    message: 'Wallet private key (0x...):',
+    validate: (val) => {
+      if (!/^0x[a-fA-F0-9]{64}$/.test(val)) {
+        return 'Invalid private key. Expected a 32-byte hex string prefixed with 0x.';
+      }
+    },
+  });
+  if (clack.isCancel(privateKey)) cancelled();
+  const address = privateKeyToAccount(privateKey as `0x${string}`).address;
+  printDone(`Wallet imported: ${pc.dim(address)}`);
+  return privateKey;
+}
+// ---------------------------------------------------------------------------
+// Step 3: LLM
+// ---------------------------------------------------------------------------
+const LLM_PROVIDERS = ['openai', 'anthropic', 'google', 'deepseek', 'mistral', 'groq', 'together', 'ollama'] as const;
+async function setupLlm(
+  config: RuntimeConfigFile,
+  bootstrapPayload: BootstrapPayload,
+): Promise<{ provider: string; model: string; apiKey: string }> {
+  // Provider
+  let provider = config.llm?.provider || bootstrapPayload.llm?.provider;
+  if (provider) {
+    printInfo(`Provider: ${pc.cyan(provider)} ${pc.dim('(from dashboard)')}`);
+  } else {
+    const selected = await clack.select({
+      message: 'LLM provider:',
+      options: LLM_PROVIDERS.map(p => ({ value: p, label: p })),
+    });
+    if (clack.isCancel(selected)) cancelled();
+    provider = selected;
   }
-  if (!llm.provider) {
-    llm.provider = await promptLlmProvider() as RuntimeConfigFile['llm']['provider'];
+  // Model
+  let model = config.llm?.model || bootstrapPayload.llm?.model;
+  if (model) {
+    printInfo(`Model: ${pc.cyan(model)} ${pc.dim('(from dashboard)')}`);
+  } else {
+    const entered = await clack.text({
+      message: 'LLM model:',
+      placeholder: 'gpt-4o',
+      validate: (val) => {
+        if (!val.trim()) return 'Model name is required.';
+      },
+    });
+    if (clack.isCancel(entered)) cancelled();
+    model = entered;
   }
-  if (!llm.model) {
-    llm.model = await prompt('Agent LLM model: ');
-    if (!llm.model) {
-      throw new Error('Agent LLM model is required');
+  // API Key
+  let apiKey: string | undefined;
+  if (bootstrapPayload.llm?.apiKey) {
+    const useBootstrap = await clack.confirm({
+      message: 'LLM API key received from dashboard. Use it?',
+      initialValue: true,
+    });
+    if (clack.isCancel(useBootstrap)) cancelled();
+    if (useBootstrap) {
+      apiKey = bootstrapPayload.llm.apiKey;
     }
   }
+  if (!apiKey) {
+    apiKey = config.llm?.apiKey;
+  }
+  if (!apiKey) {
+    const entered = await clack.password({
+      message: 'LLM API key:',
+      validate: (val) => {
+        if (!val.trim()) return 'API key is required.';
+      },
+    });
+    if (clack.isCancel(entered)) cancelled();
+    apiKey = entered;
+  }
-  const secrets: LocalSecretPayload = {
-    apiToken: bootstrapPayload.apiToken || nextConfig.apiToken || await promptSecret('Agent relay token: '),
-    walletPrivateKey: bootstrapPayload.walletPrivateKey || nextConfig.wallet?.privateKey || await promptWalletPrivateKey(),
-    llmApiKey: bootstrapPayload.llm?.apiKey || nextConfig.llm.apiKey || await promptSecret('Agent LLM API key: '),
-  };
+  printDone('LLM configured');
+  return { provider, model, apiKey };
+}
-  if (!secrets.apiToken) {
-    throw new Error('Agent relay token is required');
-  }
+// ---------------------------------------------------------------------------
+// Step 4: Encryption
+// ---------------------------------------------------------------------------
-  nextConfig.llm = llm;
-  delete nextConfig.apiToken;
-  delete nextConfig.wallet;
-  delete nextConfig.llm.apiKey;
+async function setupEncryption(): Promise<string> {
+  printInfo(`Secrets encrypted with ${pc.cyan('AES-256-GCM')} (${pc.cyan('scrypt')} KDF)`);
+  printInfo('The password never leaves this machine.');
+  console.log();
-  return { config: nextConfig, secrets };
+  const password = await clack.password({
+    message: 'Choose a device password (12+ characters):',
+    validate: (val) => {
+      if (val.length < 12) return 'Password must be at least 12 characters.';
+    },
+  });
+  if (clack.isCancel(password)) cancelled();
+  const confirm = await clack.password({
+    message: 'Confirm password:',
+    validate: (val) => {
+      if (val !== password) return 'Passwords do not match.';
+    },
+  });
+  if (clack.isCancel(confirm)) cancelled();
+  return password;
 }
+// ---------------------------------------------------------------------------
+// Secure store
+// ---------------------------------------------------------------------------
 function writeSecureStore(path: string, secrets: LocalSecretPayload, password: string): string {
   const secureStorePath = expandHomeDir(path);
   const encrypted = encryptSecretPayload(secrets, password);
@@ -196,11 +218,25 @@ function writeSecureStore(path: string, secrets: LocalSecretPayload, password: s
   try {
     chmodSync(secureStorePath, 0o600);
   } catch {
-    // Best effort only — some platforms ignore chmod semantics.
+    // Best effort — some platforms ignore chmod semantics.
   }
   return secureStorePath;
 }
+// ---------------------------------------------------------------------------
+// Public: password prompt (used by run/status commands)
+// ---------------------------------------------------------------------------
+export async function promptSecretPassword(question: string = 'Device password:'): Promise<string> {
+  const password = await clack.password({ message: question });
+  if (clack.isCancel(password)) cancelled();
+  return password;
+}
+// ---------------------------------------------------------------------------
+// Main setup orchestrator
+// ---------------------------------------------------------------------------
 export async function ensureLocalSetup(configPath: string): Promise<void> {
   const config = readConfigFile(configPath);
   const existingSecureStorePath = config.secrets?.secureStorePath ? expandHomeDir(config.secrets.secureStorePath) : null;
@@ -215,19 +251,82 @@ export async function ensureLocalSetup(configPath: string): Promise<void> {
     return;
   }
+  printBanner();
+  clack.intro(pc.bold('Agent Setup'));
+  // Step 1: Bootstrap
+  printStep(1, 4, 'Bootstrap package');
   const bootstrapPayload = await consumeBootstrapPackage(config);
-  const { config: nextConfig, secrets } = await buildLocalSecrets(config, bootstrapPayload);
-  const password = await promptPasswordWithConfirmation();
+  if (config.secrets?.bootstrapToken) {
+    printDone('Bootstrap package consumed');
+    if (bootstrapPayload.llm?.provider) {
+      printInfo(`LLM config received: ${pc.cyan(bootstrapPayload.llm.provider)}${bootstrapPayload.llm.model ? ` / ${pc.cyan(bootstrapPayload.llm.model)}` : ''}`);
+    }
+  } else {
+    printInfo('No bootstrap token — manual configuration');
+  }
+  // Step 2: Wallet
+  printStep(2, 4, 'Wallet setup');
+  const walletPrivateKey = await setupWallet(config);
+  // Step 3: LLM
+  printStep(3, 4, 'LLM configuration');
+  const llm = await setupLlm(config, bootstrapPayload);
+  // Step 4: Encryption
+  printStep(4, 4, 'Device encryption');
+  const password = await setupEncryption();
+  // Build secrets and write
+  const secrets: LocalSecretPayload = {
+    apiToken: bootstrapPayload.apiToken || config.apiToken || '',
+    walletPrivateKey,
+    llmApiKey: llm.apiKey,
+  };
+  if (!secrets.apiToken) {
+    // Prompt for relay token if not available from bootstrap or config
+    const token = await clack.password({
+      message: 'Agent relay token:',
+      validate: (val) => {
+        if (!val.trim()) return 'Relay token is required.';
+      },
+    });
+    if (clack.isCancel(token)) cancelled();
+    secrets.apiToken = token;
+  }
+  const nextConfig = structuredClone(config);
+  nextConfig.llm = {
+    ...nextConfig.llm,
+    provider: llm.provider as RuntimeConfigFile['llm']['provider'],
+    model: llm.model,
+  };
+  // Strip plaintext secrets from config file
+  delete nextConfig.apiToken;
+  delete nextConfig.wallet;
+  delete nextConfig.llm.apiKey;
   const secureStorePath = writeSecureStore(
     nextConfig.secrets?.secureStorePath || getDefaultSecureStorePath(nextConfig.agentId),
     secrets,
     password,
   );
-  nextConfig.secrets = {
-    secureStorePath,
-  };
+  nextConfig.secrets = { secureStorePath };
   writeConfigFile(configPath, nextConfig);
-  output.write(`Encrypted local secret store created at ${secureStorePath}\n`);
+  printDone(`Encrypted store: ${pc.dim(secureStorePath)}`);
+  clack.outro(pc.green('Setup complete'));
+  printSuccess('Ready', [
+    `${pc.cyan('npx exagent run')}      Start trading`,
+    `${pc.cyan('npx exagent status')}   Check connection`,
+    '',
+    `${pc.dim('Dashboard:')}  ${pc.cyan('https://exagent.io')}`,
+  ]);
 }

package/src/strategy/loader.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import { resolve } from 'node:path';
 import { z } from 'zod';
 import type { StrategyFunction, StrategyContext, TradeSignal } from '@exagent/sdk';
 import { getTemplate } from './templates.js';
+import { scrubSecrets } from '../scrub-secrets.js';
 const promptSignalSchema = z.object({
   symbol: z.string().min(1),
@@ -24,6 +25,7 @@ const promptSignalArraySchema = z.array(promptSignalSchema);
 export async function loadStrategy(config: {
   file?: string;
+  code?: string;
   template?: string;
   prompt?: {
     name?: string;
@@ -35,6 +37,10 @@ export async function loadStrategy(config: {
     return loadFromFile(config.file);
   }
+  if (config.code) {
+    return loadFromCode(config.code);
+  }
   if (config.prompt) {
     return loadFromPrompt(config.prompt);
   }
@@ -62,7 +68,31 @@ async function loadFromFile(filePath: string): Promise<StrategyFunction> {
     const fn = mod.default || mod.strategy;
     if (typeof fn !== 'function') {
-      throw new Error(`Strategy file must export a default function or 'strategy' function`);
+      if (typeof mod.code === 'string' && mod.code.trim()) {
+        return loadFromCode(mod.code);
+      }
+      if (typeof mod.systemPrompt === 'string' && mod.systemPrompt.trim()) {
+        const venues = Array.isArray(mod.venues)
+          ? mod.venues.filter((venue: unknown): venue is string => typeof venue === 'string')
+          : undefined;
+        const name = typeof mod.name === 'string' ? mod.name : undefined;
+        return loadFromPrompt({
+          name,
+          systemPrompt: mod.systemPrompt,
+          venues,
+        });
+      }
+      if (typeof mod.template === 'string' && mod.template.trim()) {
+        const template = getTemplate(mod.template);
+        if (!template) {
+          throw new Error(`Unknown strategy template: ${mod.template}. Available: momentum, value, arbitrage, hold`);
+        }
+        return loadFromCode(template.code);
+      }
+      throw new Error(`Strategy file must export a default function, 'strategy' function, 'code' string, 'systemPrompt' string, or 'template' string`);
     }
     return fn as StrategyFunction;
@@ -109,7 +139,10 @@ function loadFromPrompt(config: {
       },
     ]);
-    const match = response.content.match(/\[[\s\S]*\]/);
+    // Defense-in-depth: scrub any secrets the LLM might echo back before parsing
+    const scrubbedContent = scrubSecrets(response.content);
+    const match = scrubbedContent.match(/\[[\s\S]*\]/);
     if (!match) {
       context.log('Prompt strategy returned a non-JSON response; no signals emitted.');
       return [];

package/src/ui.ts ADDED Viewed

@@ -0,0 +1,75 @@
+import figlet from 'figlet';
+import gradient from 'gradient-string';
+import boxen from 'boxen';
+import pc from 'picocolors';
+import { createRequire } from 'node:module';
+// Brand gradient: Blue → Indigo → Violet (from Exagent design system)
+const brandGradient: (text: string) => string = gradient(['#3B82F6', '#6366F1', '#7C3AED']);
+// Secondary gradient: Cyan → Blue
+const accentGradient: (text: string) => string = gradient(['#22D3EE', '#3B82F6']);
+function getVersion(): string {
+  try {
+    const require = createRequire(import.meta.url);
+    const pkg = require('../package.json');
+    return pkg.version || '0.0.0';
+  } catch {
+    return '0.0.0';
+  }
+}
+export function printBanner(): void {
+  const art = figlet.textSync('EXAGENT', {
+    font: 'Small',
+    horizontalLayout: 'default',
+  });
+  console.log();
+  console.log(brandGradient(art));
+  console.log(pc.dim(`  v${getVersion()}`));
+  console.log();
+}
+export function printSuccess(title: string, lines: string[]): void {
+  const body = [
+    '',
+    pc.bold(pc.white(title)),
+    '',
+    ...lines.map(l => `  ${l}`),
+    '',
+  ].join('\n');
+  console.log();
+  console.log(boxen(body, {
+    padding: { top: 0, bottom: 0, left: 2, right: 2 },
+    borderColor: '#3B82F6',
+    borderStyle: 'round',
+    dimBorder: false,
+  }));
+  console.log();
+}
+export function printStep(step: number, total: number, label: string): void {
+  console.log();
+  console.log(accentGradient(`  Step ${step} of ${total}`) + pc.dim(` — ${label}`));
+}
+export function printDone(message: string): void {
+  console.log(`  ${pc.green('✓')} ${message}`);
+}
+export function printInfo(message: string): void {
+  console.log(`  ${pc.dim('│')} ${message}`);
+}
+export function printWarn(message: string): void {
+  console.log(`  ${pc.yellow('!')} ${message}`);
+}
+export function printError(message: string): void {
+  console.log(`  ${pc.red('✗')} ${message}`);
+}
+export { pc, brandGradient, accentGradient };