@exagent/agent 0.3.2 → 0.3.4

package/dist/{chunk-VDK4XPAC.js → chunk-WTECTX2Z.js}

@@ -1,6 +1,6 @@
 // src/config.ts
 import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
-import { existsSync, readFileSync, writeFileSync } from "fs";
+import { chmodSync, existsSync, readFileSync, writeFileSync } from "fs";
 import { homedir } from "os";
 import { resolve } from "path";
 import { z } from "zod";
@@ -141,7 +141,7 @@ var secureStoreSchema = z.object({
   ciphertext: z.string(),
   authTag: z.string()
 });
-var DEFAULT_SCRYPT_COST = 32768;
+var DEFAULT_SCRYPT_COST = 16384;
 var DEFAULT_SCRYPT_BLOCK_SIZE = 8;
 var DEFAULT_SCRYPT_PARALLELIZATION = 1;
 function expandHomeDir(path) {
@@ -276,6 +276,17 @@ ${issues}`);
   }
   return result.data;
 }
+function updateSecureStore(path, password, updates) {
+  const secrets = decryptSecretPayload(path, password);
+  const updated = { ...secrets, ...updates };
+  const encrypted = encryptSecretPayload(updated, password);
+  const secureStorePath = expandHomeDir(path);
+  writeFileSync(secureStorePath, JSON.stringify(encrypted, null, 2), { mode: 384 });
+  try {
+    chmodSync(secureStorePath, 384);
+  } catch {
+  }
+}
 function generateSampleConfig(agentId, apiUrl) {
   const config = {
     agentId,
@@ -4868,6 +4879,20 @@ try {
 } catch {
 }
 var MAX_CONSECUTIVE_FAILURES = 3;
+function getCycleErrorHint(category, msg) {
+  const lower = msg.toLowerCase();
+  if (category === "auth" || lower.includes("401") || lower.includes("unauthorized") || lower.includes("invalid api key") || lower.includes("authentication"))
+    return "Check your LLM API key \u2014 update via npx exagent setup";
+  if (category === "network" || lower.includes("econnrefused") || lower.includes("enotfound") || lower.includes("fetch failed") || lower.includes("timeout"))
+    return "Network connectivity issue \u2014 check your internet connection";
+  if (category === "venue" || lower.includes("hyperliquid") || lower.includes("polymarket") || lower.includes("venue"))
+    return "Venue API error \u2014 the venue may be experiencing issues";
+  if (category === "strategy" || lower.includes("invalid") && lower.includes("signal") || lower.includes("strategy"))
+    return "Strategy returned invalid output \u2014 check your strategy file";
+  if (lower.includes("rate limit") || lower.includes("429"))
+    return "Rate limited \u2014 consider increasing tradingIntervalMs";
+  return null;
+}
 var AgentRuntime = class _AgentRuntime {
   config;
   relay;
@@ -5477,12 +5502,13 @@ var AgentRuntime = class _AgentRuntime {
       const errMsg = err.message;
       timings.totalMs = Date.now() - cycleStart;
       const categorized = this.diagnostics.recordError(err);
-      log.error("cycle", `Cycle error: ${errMsg}`, {
+      const hint = getCycleErrorHint(categorized.category, errMsg);
+      log.error("cycle", `Cycle error: ${errMsg}${hint ? ` \u2014 ${hint}` : ""}`, {
         cycle: this.cycleCount,
         totalMs: timings.totalMs,
         category: categorized.category
       });
-      this.signal.reportError("Cycle Error", errMsg);
+      this.signal.reportError("Cycle Error", `${errMsg}${hint ? ` \u2014 ${hint}` : ""}`);
       this.diagnostics.recordCycle({
         cycleNumber: this.cycleCount,
         startedAt: cycleStart,
@@ -6272,6 +6298,7 @@ export {
   writeConfigFile,
   encryptSecretPayload,
   loadConfig,
+  updateSecureStore,
   generateSampleConfig,
   writeSampleConfig,
   CHAIN_CONFIGS,

package/dist/cli.js

@@ -6,9 +6,10 @@ import {
   listTemplates,
   loadConfig,
   readConfigFile,
+  updateSecureStore,
   writeConfigFile,
   writeSampleConfig
-} from "./chunk-VDK4XPAC.js";
+} from "./chunk-WTECTX2Z.js";
 
 // src/cli.ts
 import { Command } from "commander";
@@ -87,6 +88,21 @@ function cancelled() {
   clack.cancel("Setup cancelled.");
   process.exit(0);
 }
+function isNonInteractive() {
+  return process.env.EXAGENT_NONINTERACTIVE === "1" || process.env.EXAGENT_NONINTERACTIVE === "true";
+}
+var LLM_KEY_PREFIXES = {
+  openai: "sk-",
+  anthropic: "sk-ant-"
+};
+function validateLlmKeyFormat(provider, key) {
+  if (!key.trim()) return "API key is required.";
+  const expectedPrefix = LLM_KEY_PREFIXES[provider];
+  if (expectedPrefix && !key.startsWith(expectedPrefix)) {
+    return `${provider} API keys typically start with "${expectedPrefix}". Double-check your key.`;
+  }
+  if (key.length < 10) return "API key seems too short.";
+}
 async function consumeBootstrapPackage(config) {
   if (!config.secrets?.bootstrapToken) {
     return { apiToken: "" };
@@ -114,6 +130,22 @@ async function setupWallet(config) {
     printDone(`Using existing wallet: ${pc.dim(account.address)}`);
     return config.wallet.privateKey;
   }
+  if (isNonInteractive()) {
+    const mode = process.env.EXAGENT_WALLET_MODE || "generate";
+    if (mode === "import") {
+      const key = process.env.EXAGENT_WALLET_KEY;
+      if (!key || !/^0x[a-fA-F0-9]{64}$/.test(key)) {
+        throw new Error("EXAGENT_WALLET_KEY must be a valid 0x-prefixed 64-char hex private key in non-interactive mode");
+      }
+      const address3 = privateKeyToAccount(key).address;
+      printDone(`Wallet imported: ${pc.dim(address3)}`);
+      return key;
+    }
+    const privateKey2 = generatePrivateKey();
+    const address2 = privateKeyToAccount(privateKey2).address;
+    printDone(`Wallet created: ${pc.dim(address2)}`);
+    return privateKey2;
+  }
   const method = await clack.select({
     message: "How would you like to set up your wallet?",
     options: [
@@ -142,82 +174,75 @@ async function setupWallet(config) {
   return privateKey;
 }
 var LLM_PROVIDERS = ["openai", "anthropic", "google", "deepseek", "mistral", "groq", "together", "ollama"];
-async function setupLlm(config, bootstrapPayload) {
-  let provider = config.llm?.provider || bootstrapPayload.llm?.provider;
-  if (provider) {
-    printInfo(`Provider: ${pc.cyan(provider)} ${pc.dim("(from dashboard)")}`);
-  } else {
-    const selected = await clack.select({
-      message: "LLM provider:",
-      options: LLM_PROVIDERS.map((p) => ({ value: p, label: p }))
-    });
-    if (clack.isCancel(selected)) cancelled();
-    provider = selected;
-  }
-  let model = config.llm?.model || bootstrapPayload.llm?.model;
-  if (model) {
-    printInfo(`Model: ${pc.cyan(model)} ${pc.dim("(from dashboard)")}`);
-  } else {
-    const entered = await clack.text({
-      message: "LLM model:",
-      placeholder: "gpt-4o",
-      validate: (val) => {
-        if (!val.trim()) return "Model name is required.";
-      }
-    });
-    if (clack.isCancel(entered)) cancelled();
-    model = entered;
+async function setupLlm(config) {
+  if (isNonInteractive()) {
+    const provider2 = process.env.EXAGENT_LLM_PROVIDER || config.llm?.provider;
+    const model2 = process.env.EXAGENT_LLM_MODEL || config.llm?.model;
+    const apiKey2 = process.env.EXAGENT_LLM_KEY;
+    if (!provider2) throw new Error("EXAGENT_LLM_PROVIDER required in non-interactive mode");
+    if (!model2) throw new Error("EXAGENT_LLM_MODEL required in non-interactive mode");
+    if (!apiKey2) throw new Error("EXAGENT_LLM_KEY required in non-interactive mode");
+    printDone("LLM configured");
+    return { provider: provider2, model: model2, apiKey: apiKey2 };
   }
-  let apiKey;
-  if (bootstrapPayload.llm?.apiKey) {
-    const useBootstrap = await clack.confirm({
-      message: "LLM API key received from dashboard. Use it?",
-      initialValue: true
-    });
-    if (clack.isCancel(useBootstrap)) cancelled();
-    if (useBootstrap) {
-      apiKey = bootstrapPayload.llm.apiKey;
+  const defaultProvider = config.llm?.provider;
+  const providerOptions = LLM_PROVIDERS.map((p) => ({ value: p, label: p }));
+  const selected = await clack.select({
+    message: "LLM provider:",
+    options: providerOptions,
+    initialValue: defaultProvider || void 0
+  });
+  if (clack.isCancel(selected)) cancelled();
+  const provider = selected;
+  const defaultModel = config.llm?.model;
+  const entered = await clack.text({
+    message: "LLM model:",
+    placeholder: defaultModel || "gpt-4o",
+    defaultValue: defaultModel || void 0,
+    validate: (val) => {
+      if (!val.trim()) return "Model name is required.";
     }
-  }
-  if (!apiKey) {
-    apiKey = config.llm?.apiKey;
-  }
-  if (!apiKey) {
-    const entered = await clack.password({
-      message: "LLM API key:",
-      validate: (val) => {
-        if (!val.trim()) return "API key is required.";
-      }
-    });
-    if (clack.isCancel(entered)) cancelled();
-    apiKey = entered;
-  }
+  });
+  if (clack.isCancel(entered)) cancelled();
+  const model = entered;
+  const apiKey = await clack.password({
+    message: "LLM API key:",
+    validate: (val) => validateLlmKeyFormat(provider, val)
+  });
+  if (clack.isCancel(apiKey)) cancelled();
   printDone("LLM configured");
   return { provider, model, apiKey };
 }
 async function setupEncryption() {
+  if (isNonInteractive()) {
+    const password4 = process.env.EXAGENT_PASSWORD;
+    if (!password4 || password4.length < 12) {
+      throw new Error("EXAGENT_PASSWORD must be at least 12 characters in non-interactive mode");
+    }
+    return password4;
+  }
   printInfo(`Secrets encrypted with ${pc.cyan("AES-256-GCM")} (${pc.cyan("scrypt")} KDF)`);
   printInfo("The password never leaves this machine.");
   console.log();
-  const password2 = await clack.password({
+  const password3 = await clack.password({
     message: "Choose a device password (12+ characters):",
     validate: (val) => {
       if (val.length < 12) return "Password must be at least 12 characters.";
     }
   });
-  if (clack.isCancel(password2)) cancelled();
-  const confirm2 = await clack.password({
+  if (clack.isCancel(password3)) cancelled();
+  const confirm = await clack.password({
     message: "Confirm password:",
     validate: (val) => {
-      if (val !== password2) return "Passwords do not match.";
+      if (val !== password3) return "Passwords do not match.";
     }
   });
-  if (clack.isCancel(confirm2)) cancelled();
-  return password2;
+  if (clack.isCancel(confirm)) cancelled();
+  return password3;
 }
-function writeSecureStore(path, secrets, password2) {
+function writeSecureStore(path, secrets, password3) {
   const secureStorePath = expandHomeDir(path);
-  const encrypted = encryptSecretPayload(secrets, password2);
+  const encrypted = encryptSecretPayload(secrets, password3);
   const dir = dirname(secureStorePath);
   if (!existsSync(dir)) {
     mkdirSync(dir, { recursive: true, mode: 448 });
@@ -230,14 +255,27 @@ function writeSecureStore(path, secrets, password2) {
   return secureStorePath;
 }
 async function promptSecretPassword(question = "Device password:") {
-  const password2 = await clack.password({ message: question });
-  if (clack.isCancel(password2)) cancelled();
-  return password2;
+  if (isNonInteractive()) {
+    const password4 = process.env.EXAGENT_PASSWORD || process.env.EXAGENT_SECRET_PASSWORD;
+    if (!password4) throw new Error("EXAGENT_PASSWORD required in non-interactive mode");
+    return password4;
+  }
+  const password3 = await clack.password({ message: question });
+  if (clack.isCancel(password3)) cancelled();
+  return password3;
 }
 async function ensureLocalSetup(configPath) {
   const config = readConfigFile(configPath);
   const existingSecureStorePath = config.secrets?.secureStorePath ? expandHomeDir(config.secrets.secureStorePath) : null;
   if (existingSecureStorePath && !config.secrets?.bootstrapToken && existsSync(existingSecureStorePath) && !config.apiToken && !config.wallet?.privateKey && !config.llm.apiKey) {
+    printBanner();
+    printSuccess("Already set up", [
+      `${pc.cyan("npx exagent run")}       Start the agent`,
+      `${pc.cyan("npx exagent config")}    Change LLM API key or model`,
+      `${pc.cyan("npx exagent status")}    Check agent connection`,
+      "",
+      `${pc.dim("Dashboard:")}  ${pc.cyan("https://exagent.io")}`
+    ]);
     return;
   }
   printBanner();
@@ -246,32 +284,35 @@ async function ensureLocalSetup(configPath) {
   const bootstrapPayload = await consumeBootstrapPackage(config);
   if (config.secrets?.bootstrapToken) {
     printDone("Bootstrap package consumed");
-    if (bootstrapPayload.llm?.provider) {
-      printInfo(`LLM config received: ${pc.cyan(bootstrapPayload.llm.provider)}${bootstrapPayload.llm.model ? ` / ${pc.cyan(bootstrapPayload.llm.model)}` : ""}`);
-    }
   } else {
     printInfo("No bootstrap token \u2014 manual configuration");
   }
   printStep(2, 4, "Wallet setup");
   const walletPrivateKey = await setupWallet(config);
   printStep(3, 4, "LLM configuration");
-  const llm = await setupLlm(config, bootstrapPayload);
+  const llm = await setupLlm(config);
   printStep(4, 4, "Device encryption");
-  const password2 = await setupEncryption();
+  const password3 = await setupEncryption();
   const secrets = {
     apiToken: bootstrapPayload.apiToken || config.apiToken || "",
     walletPrivateKey,
     llmApiKey: llm.apiKey
   };
   if (!secrets.apiToken) {
-    const token = await clack.password({
-      message: "Agent relay token:",
-      validate: (val) => {
-        if (!val.trim()) return "Relay token is required.";
-      }
-    });
-    if (clack.isCancel(token)) cancelled();
-    secrets.apiToken = token;
+    if (isNonInteractive()) {
+      const token = process.env.EXAGENT_API_TOKEN;
+      if (!token) throw new Error("EXAGENT_API_TOKEN required in non-interactive mode (no relay token from bootstrap)");
+      secrets.apiToken = token;
+    } else {
+      const token = await clack.password({
+        message: "Agent relay token:",
+        validate: (val) => {
+          if (!val.trim()) return "Relay token is required.";
+        }
+      });
+      if (clack.isCancel(token)) cancelled();
+      secrets.apiToken = token;
+    }
   }
   const nextConfig = structuredClone(config);
   nextConfig.llm = {
@@ -285,23 +326,25 @@ async function ensureLocalSetup(configPath) {
   const secureStorePath = writeSecureStore(
     nextConfig.secrets?.secureStorePath || getDefaultSecureStorePath(nextConfig.agentId),
     secrets,
-    password2
+    password3
   );
   nextConfig.secrets = { secureStorePath };
   writeConfigFile(configPath, nextConfig);
   printDone(`Encrypted store: ${pc.dim(secureStorePath)}`);
   clack.outro(pc.green("Setup complete"));
   printSuccess("Ready", [
-    `${pc.cyan("npx exagent run")}      Start trading`,
-    `${pc.cyan("npx exagent status")}   Check connection`,
+    `${pc.cyan("npx exagent run")}       Start the agent`,
+    `${pc.cyan("npx exagent config")}    Change LLM API key or model`,
+    `${pc.cyan("npx exagent status")}    Check agent connection`,
     "",
     `${pc.dim("Dashboard:")}  ${pc.cyan("https://exagent.io")}`
   ]);
 }
 
 // src/cli.ts
+import * as clack2 from "@clack/prompts";
 var program = new Command();
-program.name("exagent").description("Exagent \u2014 LLM trading agent runtime").version("0.3.0");
+program.name("exagent").description("Exagent \u2014 LLM trading agent runtime").version("0.3.4");
 program.command("init").description("Create a sample agent configuration file").option("--agent-id <id>", "Agent ID (from dashboard)", "my-agent").option("--api-url <url>", "API server URL", "http://localhost:3002").option("--config <path>", "Config file path", "agent-config.json").action((opts) => {
   printBanner();
   writeSampleConfig(opts.agentId, opts.apiUrl, opts.config);
@@ -377,4 +420,96 @@ program.command("status").description("Check agent status").option("--config <pa
     process.exit(1);
   }
 });
+var LLM_PROVIDERS2 = ["openai", "anthropic", "google", "deepseek", "mistral", "groq", "together", "ollama"];
+program.command("config").description("Change LLM provider, model, or API key").option("--config <path>", "Config file path", "agent-config.json").action(async (opts) => {
+  try {
+    printBanner();
+    const config = readConfigFile(opts.config);
+    const secureStorePath = config.secrets?.secureStorePath;
+    if (!secureStorePath) {
+      printError("No secure store found. Run setup first: npx exagent setup");
+      process.exit(1);
+    }
+    clack2.intro(pc.bold("Agent Configuration"));
+    const password3 = await promptSecretPassword();
+    const currentConfig = await loadConfig(opts.config, {
+      getSecretPassword: async () => password3
+    });
+    const currentProvider = currentConfig.llm.provider;
+    const currentModel = currentConfig.llm.model || "not set";
+    const currentKey = currentConfig.llm.apiKey;
+    const maskedKey = currentKey ? `${currentKey.slice(0, 7)}...${currentKey.slice(-4)}` : "not set";
+    printInfo(`Provider:  ${pc.cyan(currentProvider)}`);
+    printInfo(`Model:     ${pc.cyan(currentModel)}`);
+    printInfo(`API key:   ${pc.dim(maskedKey)}`);
+    console.log();
+    const action = await clack2.select({
+      message: "What would you like to change?",
+      options: [
+        { value: "key", label: "LLM API key" },
+        { value: "all", label: "Provider, model, and API key" }
+      ]
+    });
+    if (clack2.isCancel(action)) {
+      clack2.cancel("Cancelled.");
+      process.exit(0);
+    }
+    let newProvider = currentProvider;
+    let newModel = currentModel;
+    if (action === "all") {
+      const selectedProvider = await clack2.select({
+        message: "LLM provider:",
+        options: LLM_PROVIDERS2.map((p) => ({ value: p, label: p })),
+        initialValue: currentProvider || void 0
+      });
+      if (clack2.isCancel(selectedProvider)) {
+        clack2.cancel("Cancelled.");
+        process.exit(0);
+      }
+      newProvider = selectedProvider;
+      const enteredModel = await clack2.text({
+        message: "LLM model:",
+        defaultValue: currentModel,
+        validate: (val) => {
+          if (!val?.trim()) return "Model name is required.";
+        }
+      });
+      if (clack2.isCancel(enteredModel)) {
+        clack2.cancel("Cancelled.");
+        process.exit(0);
+      }
+      newModel = enteredModel;
+    }
+    const newKey = await clack2.password({
+      message: "New LLM API key:",
+      validate: (val) => {
+        if (!val?.trim()) return "API key is required.";
+        if (val.length < 10) return "API key seems too short.";
+      }
+    });
+    if (clack2.isCancel(newKey)) {
+      clack2.cancel("Cancelled.");
+      process.exit(0);
+    }
+    updateSecureStore(secureStorePath, password3, { llmApiKey: newKey });
+    const updatedConfig = readConfigFile(opts.config);
+    updatedConfig.llm = {
+      ...updatedConfig.llm,
+      provider: newProvider,
+      model: newModel
+    };
+    writeConfigFile(opts.config, updatedConfig);
+    clack2.outro(pc.green("Configuration updated"));
+    printSuccess("Updated", [
+      `${pc.dim("Provider:")}  ${pc.cyan(newProvider)}`,
+      `${pc.dim("Model:")}     ${pc.cyan(newModel)}`,
+      `${pc.dim("API key:")}   ${pc.dim(`${newKey.slice(0, 7)}...${newKey.slice(-4)}`)}`,
+      "",
+      `Run ${pc.cyan("npx exagent run")} to start with the new configuration.`
+    ]);
+  } catch (err) {
+    printError(err.message);
+    process.exit(1);
+  }
+});
 program.parse();

package/dist/index.js

@@ -43,7 +43,7 @@ import {
   loadConfig,
   loadStrategy,
   writeSampleConfig
-} from "./chunk-VDK4XPAC.js";
+} from "./chunk-WTECTX2Z.js";
 export {
   AcrossAdapter,
   AerodromeAdapter,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@exagent/agent",
-  "version": "0.3.2",
+  "version": "0.3.4",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/cli.ts

@@ -1,17 +1,18 @@
 #!/usr/bin/env node
 import { Command } from 'commander';
-import { loadConfig, writeSampleConfig } from './config.js';
+import { loadConfig, readConfigFile, writeConfigFile, updateSecureStore, writeSampleConfig } from './config.js';
 import { AgentRuntime } from './runtime.js';
 import { listTemplates } from './strategy/index.js';
 import { ensureLocalSetup, promptSecretPassword } from './setup.js';
-import { printBanner, printDone, printError, printSuccess, pc } from './ui.js';
+import { printBanner, printDone, printError, printInfo, printSuccess, pc } from './ui.js';
+import * as clack from '@clack/prompts';
 
 const program = new Command();
 
 program
   .name('exagent')
   .description('Exagent — LLM trading agent runtime')
-  .version('0.3.0');
+  .version('0.3.4');
 
 program
   .command('init')
@@ -119,4 +120,122 @@ program
     }
   });
 
+const LLM_PROVIDERS = ['openai', 'anthropic', 'google', 'deepseek', 'mistral', 'groq', 'together', 'ollama'] as const;
+
+program
+  .command('config')
+  .description('Change LLM provider, model, or API key')
+  .option('--config <path>', 'Config file path', 'agent-config.json')
+  .action(async (opts) => {
+    try {
+      printBanner();
+      const config = readConfigFile(opts.config);
+      const secureStorePath = config.secrets?.secureStorePath;
+
+      if (!secureStorePath) {
+        printError('No secure store found. Run setup first: npx exagent setup');
+        process.exit(1);
+      }
+
+      clack.intro(pc.bold('Agent Configuration'));
+
+      // Decrypt current secrets
+      const password = await promptSecretPassword();
+      const currentConfig = await loadConfig(opts.config, {
+        getSecretPassword: async () => password,
+      });
+
+      // Show current LLM settings
+      const currentProvider = currentConfig.llm.provider;
+      const currentModel = currentConfig.llm.model || 'not set';
+      const currentKey = currentConfig.llm.apiKey;
+      const maskedKey = currentKey
+        ? `${currentKey.slice(0, 7)}...${currentKey.slice(-4)}`
+        : 'not set';
+
+      printInfo(`Provider:  ${pc.cyan(currentProvider)}`);
+      printInfo(`Model:     ${pc.cyan(currentModel)}`);
+      printInfo(`API key:   ${pc.dim(maskedKey)}`);
+      console.log();
+
+      const action = await clack.select({
+        message: 'What would you like to change?',
+        options: [
+          { value: 'key', label: 'LLM API key' },
+          { value: 'all', label: 'Provider, model, and API key' },
+        ],
+      });
+      if (clack.isCancel(action)) {
+        clack.cancel('Cancelled.');
+        process.exit(0);
+      }
+
+      let newProvider = currentProvider;
+      let newModel = currentModel;
+
+      if (action === 'all') {
+        const selectedProvider = await clack.select({
+          message: 'LLM provider:',
+          options: LLM_PROVIDERS.map(p => ({ value: p, label: p })),
+          initialValue: currentProvider || undefined,
+        });
+        if (clack.isCancel(selectedProvider)) {
+          clack.cancel('Cancelled.');
+          process.exit(0);
+        }
+        newProvider = selectedProvider;
+
+        const enteredModel = await clack.text({
+          message: 'LLM model:',
+          defaultValue: currentModel,
+          validate: (val) => {
+            if (!val?.trim()) return 'Model name is required.';
+          },
+        });
+        if (clack.isCancel(enteredModel)) {
+          clack.cancel('Cancelled.');
+          process.exit(0);
+        }
+        newModel = enteredModel;
+      }
+
+      const newKey = await clack.password({
+        message: 'New LLM API key:',
+        validate: (val) => {
+          if (!val?.trim()) return 'API key is required.';
+          if (val.length < 10) return 'API key seems too short.';
+        },
+      });
+      if (clack.isCancel(newKey)) {
+        clack.cancel('Cancelled.');
+        process.exit(0);
+      }
+
+      // Update secure store with new API key
+      updateSecureStore(secureStorePath, password, { llmApiKey: newKey });
+
+      // Update config file with new provider/model
+      const updatedConfig = readConfigFile(opts.config);
+      updatedConfig.llm = {
+        ...updatedConfig.llm,
+        provider: newProvider as typeof updatedConfig.llm.provider,
+        model: newModel,
+      };
+      writeConfigFile(opts.config, updatedConfig);
+
+      clack.outro(pc.green('Configuration updated'));
+
+      printSuccess('Updated', [
+        `${pc.dim('Provider:')}  ${pc.cyan(newProvider)}`,
+        `${pc.dim('Model:')}     ${pc.cyan(newModel)}`,
+        `${pc.dim('API key:')}   ${pc.dim(`${newKey.slice(0, 7)}...${newKey.slice(-4)}`)}`,
+        '',
+        `Run ${pc.cyan('npx exagent run')} to start with the new configuration.`,
+      ]);
+    } catch (err) {
+      printError((err as Error).message);
+      process.exit(1);
+    }
+  });
+
 program.parse();

package/src/config.ts

@@ -1,5 +1,5 @@
 import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto';
-import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { chmodSync, existsSync, readFileSync, writeFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { dirname, resolve } from 'node:path';
 import { z } from 'zod';
@@ -258,7 +258,7 @@ const secureStoreSchema = z.object({
 
 export type RuntimeConfigFile = z.infer<typeof configFileSchema>;
 
-const DEFAULT_SCRYPT_COST = 32768;
+const DEFAULT_SCRYPT_COST = 16384;
 const DEFAULT_SCRYPT_BLOCK_SIZE = 8;
 const DEFAULT_SCRYPT_PARALLELIZATION = 1;
 
@@ -415,6 +415,23 @@ export async function loadConfig(path: string = 'agent-config.json', options: Lo
   return result.data;
 }
 
+export function updateSecureStore(
+  path: string,
+  password: string,
+  updates: Partial<LocalSecretPayload>,
+): void {
+  const secrets = decryptSecretPayload(path, password);
+  const updated = { ...secrets, ...updates };
+  const encrypted = encryptSecretPayload(updated, password);
+  const secureStorePath = expandHomeDir(path);
+  writeFileSync(secureStorePath, JSON.stringify(encrypted, null, 2), { mode: 0o600 });
+  try {
+    chmodSync(secureStorePath, 0o600);
+  } catch {
+    // Best effort
+  }
+}
+
 export function generateSampleConfig(agentId: string, apiUrl: string): string {
   const config: RuntimeConfigFile = {
     agentId,