@exagent/agent 0.3.3 → 0.3.5

package/dist/{chunk-F4TCYYTD.js → chunk-WTECTX2Z.js}

@@ -1,6 +1,6 @@
 // src/config.ts
 import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
-import { existsSync, readFileSync, writeFileSync } from "fs";
+import { chmodSync, existsSync, readFileSync, writeFileSync } from "fs";
 import { homedir } from "os";
 import { resolve } from "path";
 import { z } from "zod";
@@ -276,6 +276,17 @@ ${issues}`);
   }
   return result.data;
 }
+function updateSecureStore(path, password, updates) {
+  const secrets = decryptSecretPayload(path, password);
+  const updated = { ...secrets, ...updates };
+  const encrypted = encryptSecretPayload(updated, password);
+  const secureStorePath = expandHomeDir(path);
+  writeFileSync(secureStorePath, JSON.stringify(encrypted, null, 2), { mode: 384 });
+  try {
+    chmodSync(secureStorePath, 384);
+  } catch {
+  }
+}
 function generateSampleConfig(agentId, apiUrl) {
   const config = {
     agentId,
@@ -6287,6 +6298,7 @@ export {
   writeConfigFile,
   encryptSecretPayload,
   loadConfig,
+  updateSecureStore,
   generateSampleConfig,
   writeSampleConfig,
   CHAIN_CONFIGS,

package/dist/cli.js

@@ -6,9 +6,10 @@ import {
   listTemplates,
   loadConfig,
   readConfigFile,
+  updateSecureStore,
   writeConfigFile,
   writeSampleConfig
-} from "./chunk-F4TCYYTD.js";
+} from "./chunk-WTECTX2Z.js";
 
 // src/cli.ts
 import { Command } from "commander";
@@ -78,6 +79,87 @@ function printError(message) {
   console.log(`  ${pc.red("\u2717")} ${message}`);
 }
 
+// src/llm-providers.ts
+var LLM_PROVIDERS = [
+  {
+    id: "openai",
+    label: "OpenAI",
+    models: [
+      { id: "gpt-5.2", label: "GPT-5.2" },
+      { id: "gpt-5.2-pro", label: "GPT-5.2 Pro" },
+      { id: "gpt-5-mini", label: "GPT-5 Mini" },
+      { id: "gpt-5-nano", label: "GPT-5 Nano" },
+      { id: "gpt-4o", label: "GPT-4o" },
+      { id: "gpt-4o-mini", label: "GPT-4o Mini" }
+    ]
+  },
+  {
+    id: "anthropic",
+    label: "Anthropic",
+    models: [
+      { id: "claude-opus-4-6", label: "Claude Opus 4.6" },
+      { id: "claude-sonnet-4-6", label: "Claude Sonnet 4.6" },
+      { id: "claude-haiku-4-5", label: "Claude Haiku 4.5" }
+    ]
+  },
+  {
+    id: "google",
+    label: "Google",
+    models: [
+      { id: "gemini-3-pro", label: "Gemini 3 Pro" },
+      { id: "gemini-3-flash", label: "Gemini 3 Flash" },
+      { id: "gemini-2.5-pro", label: "Gemini 2.5 Pro" },
+      { id: "gemini-2.5-flash", label: "Gemini 2.5 Flash" },
+      { id: "gemini-2.5-flash-lite", label: "Gemini 2.5 Flash Lite" }
+    ]
+  },
+  {
+    id: "deepseek",
+    label: "DeepSeek",
+    models: [
+      { id: "deepseek-chat", label: "DeepSeek Chat" },
+      { id: "deepseek-reasoner", label: "DeepSeek Reasoner" }
+    ]
+  },
+  {
+    id: "mistral",
+    label: "Mistral",
+    models: [
+      { id: "mistral-large-latest", label: "Mistral Large" },
+      { id: "mistral-small-latest", label: "Mistral Small" }
+    ]
+  },
+  {
+    id: "groq",
+    label: "Groq",
+    models: [
+      { id: "llama-3.3-70b-versatile", label: "Llama 3.3 70B" },
+      { id: "llama-3.1-8b-instant", label: "Llama 3.1 8B" },
+      { id: "mixtral-8x7b-32768", label: "Mixtral 8x7B" }
+    ]
+  },
+  {
+    id: "together",
+    label: "Together",
+    models: [
+      { id: "meta-llama/Meta-Llama-3.1-70B-Instruct-Turbo", label: "Llama 3.1 70B" },
+      { id: "meta-llama/Meta-Llama-3.1-8B-Instruct-Turbo", label: "Llama 3.1 8B" }
+    ]
+  },
+  {
+    id: "ollama",
+    label: "Ollama (local)",
+    models: [
+      { id: "llama3.1", label: "Llama 3.1" },
+      { id: "mistral", label: "Mistral" },
+      { id: "custom", label: "Custom (type model name)" }
+    ]
+  }
+];
+function getProvider(id) {
+  return LLM_PROVIDERS.find((p) => p.id === id);
+}
+
 // src/setup.ts
 function expandHomeDir(path) {
   if (!path.startsWith("~/")) return path;
@@ -172,99 +254,74 @@ async function setupWallet(config) {
   printDone(`Wallet imported: ${pc.dim(address)}`);
   return privateKey;
 }
-var LLM_PROVIDERS = ["openai", "anthropic", "google", "deepseek", "mistral", "groq", "together", "ollama"];
-async function setupLlm(config, bootstrapPayload) {
-  const hasRealLlmConfig = !!(bootstrapPayload.llm?.apiKey || config.llm?.apiKey);
+async function setupLlm(config) {
   if (isNonInteractive()) {
-    const provider2 = process.env.EXAGENT_LLM_PROVIDER || bootstrapPayload.llm?.provider || (hasRealLlmConfig ? config.llm?.provider : void 0);
-    const model2 = process.env.EXAGENT_LLM_MODEL || bootstrapPayload.llm?.model || (hasRealLlmConfig ? config.llm?.model : void 0);
-    const apiKey2 = process.env.EXAGENT_LLM_KEY || bootstrapPayload.llm?.apiKey || config.llm?.apiKey;
+    const provider2 = process.env.EXAGENT_LLM_PROVIDER || config.llm?.provider;
+    const model2 = process.env.EXAGENT_LLM_MODEL || config.llm?.model;
+    const apiKey2 = process.env.EXAGENT_LLM_KEY;
     if (!provider2) throw new Error("EXAGENT_LLM_PROVIDER required in non-interactive mode");
     if (!model2) throw new Error("EXAGENT_LLM_MODEL required in non-interactive mode");
     if (!apiKey2) throw new Error("EXAGENT_LLM_KEY required in non-interactive mode");
     printDone("LLM configured");
     return { provider: provider2, model: model2, apiKey: apiKey2 };
   }
-  let provider = bootstrapPayload.llm?.provider || (hasRealLlmConfig ? config.llm?.provider : void 0);
-  if (provider) {
-    printInfo(`Provider: ${pc.cyan(provider)} ${pc.dim("(from dashboard)")}`);
-  } else {
-    const selected = await clack.select({
-      message: "LLM provider:",
-      options: LLM_PROVIDERS.map((p) => ({ value: p, label: p }))
-    });
-    if (clack.isCancel(selected)) cancelled();
-    provider = selected;
-  }
-  let model = bootstrapPayload.llm?.model || (hasRealLlmConfig ? config.llm?.model : void 0);
-  if (model) {
-    printInfo(`Model: ${pc.cyan(model)} ${pc.dim("(from dashboard)")}`);
-  } else {
-    const entered = await clack.text({
-      message: "LLM model:",
-      placeholder: "gpt-4o",
-      validate: (val) => {
-        if (!val.trim()) return "Model name is required.";
-      }
-    });
-    if (clack.isCancel(entered)) cancelled();
-    model = entered;
-  }
-  let apiKey;
-  if (bootstrapPayload.llm?.apiKey) {
-    const useBootstrap = await clack.confirm({
-      message: "LLM API key received from dashboard. Use it?",
-      initialValue: true
-    });
-    if (clack.isCancel(useBootstrap)) cancelled();
-    if (useBootstrap) {
-      apiKey = bootstrapPayload.llm.apiKey;
-    }
-  }
-  if (!apiKey) {
-    apiKey = config.llm?.apiKey;
-  }
-  if (!apiKey) {
-    const entered = await clack.password({
-      message: "LLM API key:",
-      validate: (val) => validateLlmKeyFormat(provider, val)
-    });
-    if (clack.isCancel(entered)) cancelled();
-    apiKey = entered;
-  }
+  const defaultProvider = config.llm?.provider;
+  const providerOptions = LLM_PROVIDERS.map((p) => ({ value: p.id, label: p.label }));
+  const selected = await clack.select({
+    message: "LLM provider:",
+    options: providerOptions,
+    initialValue: defaultProvider || void 0
+  });
+  if (clack.isCancel(selected)) cancelled();
+  const provider = selected;
+  const defaultModel = config.llm?.model;
+  const providerInfo = getProvider(provider);
+  const modelOptions = providerInfo ? providerInfo.models.map((m) => ({ value: m.id, label: m.label })) : [{ value: defaultModel || "gpt-4o", label: defaultModel || "gpt-4o" }];
+  const selectedModel = await clack.select({
+    message: "LLM model:",
+    options: modelOptions,
+    initialValue: defaultModel || void 0
+  });
+  if (clack.isCancel(selectedModel)) cancelled();
+  const model = selectedModel;
+  const apiKey = await clack.password({
+    message: "LLM API key:",
+    validate: (val) => validateLlmKeyFormat(provider, val)
+  });
+  if (clack.isCancel(apiKey)) cancelled();
   printDone("LLM configured");
   return { provider, model, apiKey };
 }
 async function setupEncryption() {
   if (isNonInteractive()) {
-    const password3 = process.env.EXAGENT_PASSWORD;
-    if (!password3 || password3.length < 12) {
+    const password4 = process.env.EXAGENT_PASSWORD;
+    if (!password4 || password4.length < 12) {
       throw new Error("EXAGENT_PASSWORD must be at least 12 characters in non-interactive mode");
     }
-    return password3;
+    return password4;
   }
   printInfo(`Secrets encrypted with ${pc.cyan("AES-256-GCM")} (${pc.cyan("scrypt")} KDF)`);
   printInfo("The password never leaves this machine.");
   console.log();
-  const password2 = await clack.password({
+  const password3 = await clack.password({
     message: "Choose a device password (12+ characters):",
     validate: (val) => {
       if (val.length < 12) return "Password must be at least 12 characters.";
     }
   });
-  if (clack.isCancel(password2)) cancelled();
-  const confirm2 = await clack.password({
+  if (clack.isCancel(password3)) cancelled();
+  const confirm = await clack.password({
     message: "Confirm password:",
     validate: (val) => {
-      if (val !== password2) return "Passwords do not match.";
+      if (val !== password3) return "Passwords do not match.";
     }
   });
-  if (clack.isCancel(confirm2)) cancelled();
-  return password2;
+  if (clack.isCancel(confirm)) cancelled();
+  return password3;
 }
-function writeSecureStore(path, secrets, password2) {
+function writeSecureStore(path, secrets, password3) {
   const secureStorePath = expandHomeDir(path);
-  const encrypted = encryptSecretPayload(secrets, password2);
+  const encrypted = encryptSecretPayload(secrets, password3);
   const dir = dirname(secureStorePath);
   if (!existsSync(dir)) {
     mkdirSync(dir, { recursive: true, mode: 448 });
@@ -278,18 +335,26 @@ function writeSecureStore(path, secrets, password2) {
 }
 async function promptSecretPassword(question = "Device password:") {
   if (isNonInteractive()) {
-    const password3 = process.env.EXAGENT_PASSWORD || process.env.EXAGENT_SECRET_PASSWORD;
-    if (!password3) throw new Error("EXAGENT_PASSWORD required in non-interactive mode");
-    return password3;
+    const password4 = process.env.EXAGENT_PASSWORD || process.env.EXAGENT_SECRET_PASSWORD;
+    if (!password4) throw new Error("EXAGENT_PASSWORD required in non-interactive mode");
+    return password4;
   }
-  const password2 = await clack.password({ message: question });
-  if (clack.isCancel(password2)) cancelled();
-  return password2;
+  const password3 = await clack.password({ message: question });
+  if (clack.isCancel(password3)) cancelled();
+  return password3;
 }
 async function ensureLocalSetup(configPath) {
   const config = readConfigFile(configPath);
   const existingSecureStorePath = config.secrets?.secureStorePath ? expandHomeDir(config.secrets.secureStorePath) : null;
   if (existingSecureStorePath && !config.secrets?.bootstrapToken && existsSync(existingSecureStorePath) && !config.apiToken && !config.wallet?.privateKey && !config.llm.apiKey) {
+    printBanner();
+    printSuccess("Already set up", [
+      `${pc.cyan("npx exagent run")}       Start the agent`,
+      `${pc.cyan("npx exagent config")}    Change LLM API key or model`,
+      `${pc.cyan("npx exagent status")}    Check agent connection`,
+      "",
+      `${pc.dim("Dashboard:")}  ${pc.cyan("https://exagent.io")}`
+    ]);
     return;
   }
   printBanner();
@@ -298,18 +363,15 @@ async function ensureLocalSetup(configPath) {
   const bootstrapPayload = await consumeBootstrapPackage(config);
   if (config.secrets?.bootstrapToken) {
     printDone("Bootstrap package consumed");
-    if (bootstrapPayload.llm?.provider) {
-      printInfo(`LLM config received: ${pc.cyan(bootstrapPayload.llm.provider)}${bootstrapPayload.llm.model ? ` / ${pc.cyan(bootstrapPayload.llm.model)}` : ""}`);
-    }
   } else {
     printInfo("No bootstrap token \u2014 manual configuration");
   }
   printStep(2, 4, "Wallet setup");
   const walletPrivateKey = await setupWallet(config);
   printStep(3, 4, "LLM configuration");
-  const llm = await setupLlm(config, bootstrapPayload);
+  const llm = await setupLlm(config);
   printStep(4, 4, "Device encryption");
-  const password2 = await setupEncryption();
+  const password3 = await setupEncryption();
   const secrets = {
     apiToken: bootstrapPayload.apiToken || config.apiToken || "",
     walletPrivateKey,
@@ -343,23 +405,25 @@ async function ensureLocalSetup(configPath) {
   const secureStorePath = writeSecureStore(
     nextConfig.secrets?.secureStorePath || getDefaultSecureStorePath(nextConfig.agentId),
     secrets,
-    password2
+    password3
   );
   nextConfig.secrets = { secureStorePath };
   writeConfigFile(configPath, nextConfig);
   printDone(`Encrypted store: ${pc.dim(secureStorePath)}`);
   clack.outro(pc.green("Setup complete"));
   printSuccess("Ready", [
-    `${pc.cyan("npx exagent run")}      Start trading`,
-    `${pc.cyan("npx exagent status")}   Check connection`,
+    `${pc.cyan("npx exagent run")}       Start the agent`,
+    `${pc.cyan("npx exagent config")}    Change LLM API key or model`,
+    `${pc.cyan("npx exagent status")}    Check agent connection`,
     "",
     `${pc.dim("Dashboard:")}  ${pc.cyan("https://exagent.io")}`
   ]);
 }
 
 // src/cli.ts
+import * as clack2 from "@clack/prompts";
 var program = new Command();
-program.name("exagent").description("Exagent \u2014 LLM trading agent runtime").version("0.3.3");
+program.name("exagent").description("Exagent \u2014 LLM trading agent runtime").version("0.3.5");
 program.command("init").description("Create a sample agent configuration file").option("--agent-id <id>", "Agent ID (from dashboard)", "my-agent").option("--api-url <url>", "API server URL", "http://localhost:3002").option("--config <path>", "Config file path", "agent-config.json").action((opts) => {
   printBanner();
   writeSampleConfig(opts.agentId, opts.apiUrl, opts.config);
@@ -435,4 +499,95 @@ program.command("status").description("Check agent status").option("--config <pa
     process.exit(1);
   }
 });
+program.command("config").description("Change LLM provider, model, or API key").option("--config <path>", "Config file path", "agent-config.json").action(async (opts) => {
+  try {
+    printBanner();
+    const config = readConfigFile(opts.config);
+    const secureStorePath = config.secrets?.secureStorePath;
+    if (!secureStorePath) {
+      printError("No secure store found. Run setup first: npx exagent setup");
+      process.exit(1);
+    }
+    clack2.intro(pc.bold("Agent Configuration"));
+    const password3 = await promptSecretPassword();
+    const currentConfig = await loadConfig(opts.config, {
+      getSecretPassword: async () => password3
+    });
+    const currentProvider = currentConfig.llm.provider;
+    const currentModel = currentConfig.llm.model || "not set";
+    const currentKey = currentConfig.llm.apiKey;
+    const maskedKey = currentKey ? `${currentKey.slice(0, 7)}...${currentKey.slice(-4)}` : "not set";
+    printInfo(`Provider:  ${pc.cyan(currentProvider)}`);
+    printInfo(`Model:     ${pc.cyan(currentModel)}`);
+    printInfo(`API key:   ${pc.dim(maskedKey)}`);
+    console.log();
+    const action = await clack2.select({
+      message: "What would you like to change?",
+      options: [
+        { value: "key", label: "LLM API key" },
+        { value: "all", label: "Provider, model, and API key" }
+      ]
+    });
+    if (clack2.isCancel(action)) {
+      clack2.cancel("Cancelled.");
+      process.exit(0);
+    }
+    let newProvider = currentProvider;
+    let newModel = currentModel;
+    if (action === "all") {
+      const selectedProvider = await clack2.select({
+        message: "LLM provider:",
+        options: LLM_PROVIDERS.map((p) => ({ value: p.id, label: p.label })),
+        initialValue: currentProvider || void 0
+      });
+      if (clack2.isCancel(selectedProvider)) {
+        clack2.cancel("Cancelled.");
+        process.exit(0);
+      }
+      newProvider = selectedProvider;
+      const provider = getProvider(newProvider);
+      const modelOptions = provider ? provider.models.map((m) => ({ value: m.id, label: m.label })) : [{ value: currentModel, label: currentModel }];
+      const selectedModel = await clack2.select({
+        message: "LLM model:",
+        options: modelOptions,
+        initialValue: currentModel || void 0
+      });
+      if (clack2.isCancel(selectedModel)) {
+        clack2.cancel("Cancelled.");
+        process.exit(0);
+      }
+      newModel = selectedModel;
+    }
+    const newKey = await clack2.password({
+      message: "New LLM API key:",
+      validate: (val) => {
+        if (!val?.trim()) return "API key is required.";
+        if (val.length < 10) return "API key seems too short.";
+      }
+    });
+    if (clack2.isCancel(newKey)) {
+      clack2.cancel("Cancelled.");
+      process.exit(0);
+    }
+    updateSecureStore(secureStorePath, password3, { llmApiKey: newKey });
+    const updatedConfig = readConfigFile(opts.config);
+    updatedConfig.llm = {
+      ...updatedConfig.llm,
+      provider: newProvider,
+      model: newModel
+    };
+    writeConfigFile(opts.config, updatedConfig);
+    clack2.outro(pc.green("Configuration updated"));
+    printSuccess("Updated", [
+      `${pc.dim("Provider:")}  ${pc.cyan(newProvider)}`,
+      `${pc.dim("Model:")}     ${pc.cyan(newModel)}`,
+      `${pc.dim("API key:")}   ${pc.dim(`${newKey.slice(0, 7)}...${newKey.slice(-4)}`)}`,
+      "",
+      `Run ${pc.cyan("npx exagent run")} to start with the new configuration.`
+    ]);
+  } catch (err) {
+    printError(err.message);
+    process.exit(1);
+  }
+});
 program.parse();

package/dist/index.js

@@ -43,7 +43,7 @@ import {
   loadConfig,
   loadStrategy,
   writeSampleConfig
-} from "./chunk-F4TCYYTD.js";
+} from "./chunk-WTECTX2Z.js";
 export {
   AcrossAdapter,
   AerodromeAdapter,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@exagent/agent",
-  "version": "0.3.3",
+  "version": "0.3.5",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/cli.ts

@@ -1,17 +1,18 @@
 #!/usr/bin/env node
 import { Command } from 'commander';
-import { loadConfig, writeSampleConfig } from './config.js';
+import { loadConfig, readConfigFile, writeConfigFile, updateSecureStore, writeSampleConfig } from './config.js';
 import { AgentRuntime } from './runtime.js';
 import { listTemplates } from './strategy/index.js';
 import { ensureLocalSetup, promptSecretPassword } from './setup.js';
-import { printBanner, printDone, printError, printSuccess, pc } from './ui.js';
+import { printBanner, printDone, printError, printInfo, printSuccess, pc } from './ui.js';
+import * as clack from '@clack/prompts';
 
 const program = new Command();
 
 program
   .name('exagent')
   .description('Exagent — LLM trading agent runtime')
-  .version('0.3.3');
+  .version('0.3.5');
 
 program
   .command('init')
@@ -119,4 +120,125 @@ program
     }
   });
 
+import { LLM_PROVIDERS, getProvider } from './llm-providers.js';
+
+program
+  .command('config')
+  .description('Change LLM provider, model, or API key')
+  .option('--config <path>', 'Config file path', 'agent-config.json')
+  .action(async (opts) => {
+    try {
+      printBanner();
+      const config = readConfigFile(opts.config);
+      const secureStorePath = config.secrets?.secureStorePath;
+
+      if (!secureStorePath) {
+        printError('No secure store found. Run setup first: npx exagent setup');
+        process.exit(1);
+      }
+
+      clack.intro(pc.bold('Agent Configuration'));
+
+      // Decrypt current secrets
+      const password = await promptSecretPassword();
+      const currentConfig = await loadConfig(opts.config, {
+        getSecretPassword: async () => password,
+      });
+
+      // Show current LLM settings
+      const currentProvider = currentConfig.llm.provider;
+      const currentModel = currentConfig.llm.model || 'not set';
+      const currentKey = currentConfig.llm.apiKey;
+      const maskedKey = currentKey
+        ? `${currentKey.slice(0, 7)}...${currentKey.slice(-4)}`
+        : 'not set';
+
+      printInfo(`Provider:  ${pc.cyan(currentProvider)}`);
+      printInfo(`Model:     ${pc.cyan(currentModel)}`);
+      printInfo(`API key:   ${pc.dim(maskedKey)}`);
+      console.log();
+
+      const action = await clack.select({
+        message: 'What would you like to change?',
+        options: [
+          { value: 'key', label: 'LLM API key' },
+          { value: 'all', label: 'Provider, model, and API key' },
+        ],
+      });
+      if (clack.isCancel(action)) {
+        clack.cancel('Cancelled.');
+        process.exit(0);
+      }
+
+      let newProvider: string = currentProvider;
+      let newModel: string = currentModel;
+
+      if (action === 'all') {
+        const selectedProvider = await clack.select({
+          message: 'LLM provider:',
+          options: LLM_PROVIDERS.map(p => ({ value: p.id, label: p.label })),
+          initialValue: currentProvider || undefined,
+        });
+        if (clack.isCancel(selectedProvider)) {
+          clack.cancel('Cancelled.');
+          process.exit(0);
+        }
+        newProvider = selectedProvider;
+
+        const provider = getProvider(newProvider);
+        const modelOptions = provider
+          ? provider.models.map(m => ({ value: m.id, label: m.label }))
+          : [{ value: currentModel, label: currentModel }];
+
+        const selectedModel = await clack.select({
+          message: 'LLM model:',
+          options: modelOptions,
+          initialValue: currentModel || undefined,
+        });
+        if (clack.isCancel(selectedModel)) {
+          clack.cancel('Cancelled.');
+          process.exit(0);
+        }
+        newModel = selectedModel;
+      }
+
+      const newKey = await clack.password({
+        message: 'New LLM API key:',
+        validate: (val) => {
+          if (!val?.trim()) return 'API key is required.';
+          if (val.length < 10) return 'API key seems too short.';
+        },
+      });
+      if (clack.isCancel(newKey)) {
+        clack.cancel('Cancelled.');
+        process.exit(0);
+      }
+
+      // Update secure store with new API key
+      updateSecureStore(secureStorePath, password, { llmApiKey: newKey });
+
+      // Update config file with new provider/model
+      const updatedConfig = readConfigFile(opts.config);
+      updatedConfig.llm = {
+        ...updatedConfig.llm,
+        provider: newProvider as typeof updatedConfig.llm.provider,
+        model: newModel,
+      };
+      writeConfigFile(opts.config, updatedConfig);
+
+      clack.outro(pc.green('Configuration updated'));
+
+      printSuccess('Updated', [
+        `${pc.dim('Provider:')}  ${pc.cyan(newProvider)}`,
+        `${pc.dim('Model:')}     ${pc.cyan(newModel)}`,
+        `${pc.dim('API key:')}   ${pc.dim(`${newKey.slice(0, 7)}...${newKey.slice(-4)}`)}`,
+        '',
+        `Run ${pc.cyan('npx exagent run')} to start with the new configuration.`,
+      ]);
+    } catch (err) {
+      printError((err as Error).message);
+      process.exit(1);
+    }
+  });
+
 program.parse();

package/src/config.ts

@@ -1,5 +1,5 @@
 import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto';
-import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { chmodSync, existsSync, readFileSync, writeFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { dirname, resolve } from 'node:path';
 import { z } from 'zod';
@@ -415,6 +415,23 @@ export async function loadConfig(path: string = 'agent-config.json', options: Lo
   return result.data;
 }
 
+export function updateSecureStore(
+  path: string,
+  password: string,
+  updates: Partial<LocalSecretPayload>,
+): void {
+  const secrets = decryptSecretPayload(path, password);
+  const updated = { ...secrets, ...updates };
+  const encrypted = encryptSecretPayload(updated, password);
+  const secureStorePath = expandHomeDir(path);
+  writeFileSync(secureStorePath, JSON.stringify(encrypted, null, 2), { mode: 0o600 });
+  try {
+    chmodSync(secureStorePath, 0o600);
+  } catch {
+    // Best effort
+  }
+}
+
 export function generateSampleConfig(agentId: string, apiUrl: string): string {
   const config: RuntimeConfigFile = {
     agentId,