@exagent/agent 0.3.5 → 0.3.7

package/src/scrub-secrets.ts

@@ -1,39 +0,0 @@
-/**
- * Secret scrubbing utility — defense-in-depth protection against LLM responses
- * or log messages accidentally containing API keys, private keys, or tokens.
- *
- * Applied to:
- * - LLM response content before parsing (strategy/loader.ts)
- * - Strategy log output (runtime.ts context.log)
- */
-
-const SECRET_PATTERNS: Array<{ pattern: RegExp; label: string }> = [
-  // OpenAI API keys
-  { pattern: /sk-[a-zA-Z0-9]{20,}/g, label: '[REDACTED:openai-key]' },
-  // Anthropic API keys
-  { pattern: /sk-ant-[a-zA-Z0-9_-]{20,}/g, label: '[REDACTED:anthropic-key]' },
-  // Google API keys
-  { pattern: /AIza[a-zA-Z0-9_-]{35}/g, label: '[REDACTED:google-key]' },
-  // Private keys (64 hex chars after 0x)
-  { pattern: /0x[a-fA-F0-9]{64}/g, label: '[REDACTED:private-key]' },
-  // Agent tokens
-  { pattern: /exg_[a-fA-F0-9]{64}/g, label: '[REDACTED:agent-token]' },
-  // Bootstrap tokens
-  { pattern: /exb_[a-fA-F0-9]{64}/g, label: '[REDACTED:bootstrap-token]' },
-  // Generic long bearer tokens (base64-ish, 40+ chars)
-  { pattern: /Bearer\s+[A-Za-z0-9_-]{40,}/g, label: '[REDACTED:bearer-token]' },
-];
-
-/**
- * Scrub known secret patterns from text. Returns the scrubbed string.
- * Safe to call on any text — if no patterns match, returns the original unchanged.
- */
-export function scrubSecrets(text: string): string {
-  let result = text;
-  for (const { pattern, label } of SECRET_PATTERNS) {
-    // Reset lastIndex for global regexes
-    pattern.lastIndex = 0;
-    result = result.replace(pattern, label);
-  }
-  return result;
-}

package/src/setup.ts

@@ -1,384 +0,0 @@
-import { chmodSync, existsSync, mkdirSync, writeFileSync } from 'node:fs';
-import { homedir } from 'node:os';
-import { dirname, resolve } from 'node:path';
-import { generatePrivateKey, privateKeyToAccount } from 'viem/accounts';
-import * as clack from '@clack/prompts';
-import {
-  encryptSecretPayload,
-  getDefaultSecureStorePath,
-  readConfigFile,
-  type LocalSecretPayload,
-  type RuntimeConfigFile,
-  writeConfigFile,
-} from './config.js';
-import { printBanner, printStep, printDone, printInfo, printError, printSuccess, pc } from './ui.js';
-
-interface BootstrapPayload {
-  apiToken: string;
-  walletPrivateKey?: string;
-  llm?: {
-    provider?: string;
-    model?: string;
-    apiKey?: string;
-  };
-}
-
-function expandHomeDir(path: string): string {
-  if (!path.startsWith('~/')) return path;
-  return resolve(homedir(), path.slice(2));
-}
-
-function cancelled(): never {
-  clack.cancel('Setup cancelled.');
-  process.exit(0);
-}
-
-function isNonInteractive(): boolean {
-  return process.env.EXAGENT_NONINTERACTIVE === '1' || process.env.EXAGENT_NONINTERACTIVE === 'true';
-}
-
-const LLM_KEY_PREFIXES: Record<string, string> = {
-  openai: 'sk-',
-  anthropic: 'sk-ant-',
-};
-
-function validateLlmKeyFormat(provider: string, key: string): string | undefined {
-  if (!key.trim()) return 'API key is required.';
-  const expectedPrefix = LLM_KEY_PREFIXES[provider];
-  if (expectedPrefix && !key.startsWith(expectedPrefix)) {
-    return `${provider} API keys typically start with "${expectedPrefix}". Double-check your key.`;
-  }
-  if (key.length < 10) return 'API key seems too short.';
-}
-
-// ---------------------------------------------------------------------------
-// Step 1: Bootstrap
-// ---------------------------------------------------------------------------
-
-async function consumeBootstrapPackage(config: RuntimeConfigFile): Promise<BootstrapPayload> {
-  if (!config.secrets?.bootstrapToken) {
-    return { apiToken: '' };
-  }
-
-  const apiHost = new URL(config.apiUrl).host;
-  printInfo(`Connecting to ${pc.cyan(apiHost)}...`);
-
-  const res = await fetch(`${config.apiUrl}/v1/agents/bootstrap/consume`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({
-      agentId: config.agentId,
-      token: config.secrets.bootstrapToken,
-    }),
-  });
-
-  if (!res.ok) {
-    const body = await res.text();
-    throw new Error(`Failed to consume bootstrap package: ${body}`);
-  }
-
-  const data = await res.json() as { payload: BootstrapPayload };
-  return data.payload;
-}
-
-// ---------------------------------------------------------------------------
-// Step 2: Wallet
-// ---------------------------------------------------------------------------
-
-async function setupWallet(config: RuntimeConfigFile): Promise<string> {
-  if (config.wallet?.privateKey) {
-    const account = privateKeyToAccount(config.wallet.privateKey as `0x${string}`);
-    printDone(`Using existing wallet: ${pc.dim(account.address)}`);
-    return config.wallet.privateKey;
-  }
-
-  // Non-interactive: env var wallet
-  if (isNonInteractive()) {
-    const mode = process.env.EXAGENT_WALLET_MODE || 'generate';
-    if (mode === 'import') {
-      const key = process.env.EXAGENT_WALLET_KEY;
-      if (!key || !/^0x[a-fA-F0-9]{64}$/.test(key)) {
-        throw new Error('EXAGENT_WALLET_KEY must be a valid 0x-prefixed 64-char hex private key in non-interactive mode');
-      }
-      const address = privateKeyToAccount(key as `0x${string}`).address;
-      printDone(`Wallet imported: ${pc.dim(address)}`);
-      return key;
-    }
-    const privateKey = generatePrivateKey();
-    const address = privateKeyToAccount(privateKey).address;
-    printDone(`Wallet created: ${pc.dim(address)}`);
-    return privateKey;
-  }
-
-  const method = await clack.select({
-    message: 'How would you like to set up your wallet?',
-    options: [
-      { value: 'generate', label: 'Generate new wallet locally', hint: 'recommended' },
-      { value: 'import', label: 'Import existing private key' },
-    ],
-  });
-  if (clack.isCancel(method)) cancelled();
-
-  if (method === 'generate') {
-    const privateKey = generatePrivateKey();
-    const address = privateKeyToAccount(privateKey).address;
-    printDone(`Wallet created: ${pc.dim(address)}`);
-    return privateKey;
-  }
-
-  // Import flow
-  const privateKey = await clack.password({
-    message: 'Wallet private key (0x...):',
-    validate: (val) => {
-      if (!/^0x[a-fA-F0-9]{64}$/.test(val)) {
-        return 'Invalid private key. Expected a 32-byte hex string prefixed with 0x.';
-      }
-    },
-  });
-  if (clack.isCancel(privateKey)) cancelled();
-
-  const address = privateKeyToAccount(privateKey as `0x${string}`).address;
-  printDone(`Wallet imported: ${pc.dim(address)}`);
-  return privateKey;
-}
-
-// ---------------------------------------------------------------------------
-// Step 3: LLM
-// ---------------------------------------------------------------------------
-
-import { LLM_PROVIDERS, getProvider } from './llm-providers.js';
-
-async function setupLlm(
-  config: RuntimeConfigFile,
-): Promise<{ provider: string; model: string; apiKey: string }> {
-  // LLM config is always entered locally — never pulled from bootstrap.
-  // Config file may have provider/model as defaults from the deploy wizard.
-
-  // Non-interactive mode
-  if (isNonInteractive()) {
-    const provider = process.env.EXAGENT_LLM_PROVIDER || config.llm?.provider;
-    const model = process.env.EXAGENT_LLM_MODEL || config.llm?.model;
-    const apiKey = process.env.EXAGENT_LLM_KEY;
-    if (!provider) throw new Error('EXAGENT_LLM_PROVIDER required in non-interactive mode');
-    if (!model) throw new Error('EXAGENT_LLM_MODEL required in non-interactive mode');
-    if (!apiKey) throw new Error('EXAGENT_LLM_KEY required in non-interactive mode');
-    printDone('LLM configured');
-    return { provider, model, apiKey };
-  }
-
-  // Provider — use config as default selection if available
-  const defaultProvider = config.llm?.provider;
-  const providerOptions = LLM_PROVIDERS.map(p => ({ value: p.id, label: p.label }));
-  const selected = await clack.select({
-    message: 'LLM provider:',
-    options: providerOptions,
-    initialValue: defaultProvider || undefined,
-  });
-  if (clack.isCancel(selected)) cancelled();
-  const provider = selected;
-
-  // Model — show available models for the selected provider
-  const defaultModel = config.llm?.model;
-  const providerInfo = getProvider(provider);
-  const modelOptions = providerInfo
-    ? providerInfo.models.map(m => ({ value: m.id, label: m.label }))
-    : [{ value: defaultModel || 'gpt-4o', label: defaultModel || 'gpt-4o' }];
-  const selectedModel = await clack.select({
-    message: 'LLM model:',
-    options: modelOptions,
-    initialValue: defaultModel || undefined,
-  });
-  if (clack.isCancel(selectedModel)) cancelled();
-  const model = selectedModel;
-
-  // API Key — always prompt, never from bootstrap
-  const apiKey = await clack.password({
-    message: 'LLM API key:',
-    validate: (val) => validateLlmKeyFormat(provider, val),
-  });
-  if (clack.isCancel(apiKey)) cancelled();
-
-  printDone('LLM configured');
-  return { provider, model, apiKey };
-}
-
-// ---------------------------------------------------------------------------
-// Step 4: Encryption
-// ---------------------------------------------------------------------------
-
-async function setupEncryption(): Promise<string> {
-  // Non-interactive mode
-  if (isNonInteractive()) {
-    const password = process.env.EXAGENT_PASSWORD;
-    if (!password || password.length < 12) {
-      throw new Error('EXAGENT_PASSWORD must be at least 12 characters in non-interactive mode');
-    }
-    return password;
-  }
-
-  printInfo(`Secrets encrypted with ${pc.cyan('AES-256-GCM')} (${pc.cyan('scrypt')} KDF)`);
-  printInfo('The password never leaves this machine.');
-  console.log();
-
-  const password = await clack.password({
-    message: 'Choose a device password (12+ characters):',
-    validate: (val) => {
-      if (val.length < 12) return 'Password must be at least 12 characters.';
-    },
-  });
-  if (clack.isCancel(password)) cancelled();
-
-  const confirm = await clack.password({
-    message: 'Confirm password:',
-    validate: (val) => {
-      if (val !== password) return 'Passwords do not match.';
-    },
-  });
-  if (clack.isCancel(confirm)) cancelled();
-
-  return password;
-}
-
-// ---------------------------------------------------------------------------
-// Secure store
-// ---------------------------------------------------------------------------
-
-function writeSecureStore(path: string, secrets: LocalSecretPayload, password: string): string {
-  const secureStorePath = expandHomeDir(path);
-  const encrypted = encryptSecretPayload(secrets, password);
-  const dir = dirname(secureStorePath);
-  if (!existsSync(dir)) {
-    mkdirSync(dir, { recursive: true, mode: 0o700 });
-  }
-  writeFileSync(secureStorePath, JSON.stringify(encrypted, null, 2), { mode: 0o600 });
-  try {
-    chmodSync(secureStorePath, 0o600);
-  } catch {
-    // Best effort — some platforms ignore chmod semantics.
-  }
-  return secureStorePath;
-}
-
-// ---------------------------------------------------------------------------
-// Public: password prompt (used by run/status commands)
-// ---------------------------------------------------------------------------
-
-export async function promptSecretPassword(question: string = 'Device password:'): Promise<string> {
-  if (isNonInteractive()) {
-    const password = process.env.EXAGENT_PASSWORD || process.env.EXAGENT_SECRET_PASSWORD;
-    if (!password) throw new Error('EXAGENT_PASSWORD required in non-interactive mode');
-    return password;
-  }
-  const password = await clack.password({ message: question });
-  if (clack.isCancel(password)) cancelled();
-  return password;
-}
-
-// ---------------------------------------------------------------------------
-// Main setup orchestrator
-// ---------------------------------------------------------------------------
-
-export async function ensureLocalSetup(configPath: string): Promise<void> {
-  const config = readConfigFile(configPath);
-  const existingSecureStorePath = config.secrets?.secureStorePath ? expandHomeDir(config.secrets.secureStorePath) : null;
-  if (
-    existingSecureStorePath &&
-    !config.secrets?.bootstrapToken &&
-    existsSync(existingSecureStorePath) &&
-    !config.apiToken &&
-    !config.wallet?.privateKey &&
-    !config.llm.apiKey
-  ) {
-    printBanner();
-    printSuccess('Already set up', [
-      `${pc.cyan('npx exagent run')}       Start the agent`,
-      `${pc.cyan('npx exagent config')}    Change LLM API key or model`,
-      `${pc.cyan('npx exagent status')}    Check agent connection`,
-      '',
-      `${pc.dim('Dashboard:')}  ${pc.cyan('https://exagent.io')}`,
-    ]);
-    return;
-  }
-
-  printBanner();
-
-  clack.intro(pc.bold('Agent Setup'));
-
-  // Step 1: Bootstrap
-  printStep(1, 4, 'Bootstrap package');
-  const bootstrapPayload = await consumeBootstrapPackage(config);
-  if (config.secrets?.bootstrapToken) {
-    printDone('Bootstrap package consumed');
-  } else {
-    printInfo('No bootstrap token — manual configuration');
-  }
-
-  // Step 2: Wallet
-  printStep(2, 4, 'Wallet setup');
-  const walletPrivateKey = await setupWallet(config);
-
-  // Step 3: LLM
-  printStep(3, 4, 'LLM configuration');
-  const llm = await setupLlm(config);
-
-  // Step 4: Encryption
-  printStep(4, 4, 'Device encryption');
-  const password = await setupEncryption();
-
-  // Build secrets and write
-  const secrets: LocalSecretPayload = {
-    apiToken: bootstrapPayload.apiToken || config.apiToken || '',
-    walletPrivateKey,
-    llmApiKey: llm.apiKey,
-  };
-
-  if (!secrets.apiToken) {
-    if (isNonInteractive()) {
-      const token = process.env.EXAGENT_API_TOKEN;
-      if (!token) throw new Error('EXAGENT_API_TOKEN required in non-interactive mode (no relay token from bootstrap)');
-      secrets.apiToken = token;
-    } else {
-      const token = await clack.password({
-        message: 'Agent relay token:',
-        validate: (val) => {
-          if (!val.trim()) return 'Relay token is required.';
-        },
-      });
-      if (clack.isCancel(token)) cancelled();
-      secrets.apiToken = token;
-    }
-  }
-
-  const nextConfig = structuredClone(config);
-  nextConfig.llm = {
-    ...nextConfig.llm,
-    provider: llm.provider as RuntimeConfigFile['llm']['provider'],
-    model: llm.model,
-  };
-
-  // Strip plaintext secrets from config file
-  delete nextConfig.apiToken;
-  delete nextConfig.wallet;
-  delete nextConfig.llm.apiKey;
-
-  const secureStorePath = writeSecureStore(
-    nextConfig.secrets?.secureStorePath || getDefaultSecureStorePath(nextConfig.agentId),
-    secrets,
-    password,
-  );
-
-  nextConfig.secrets = { secureStorePath };
-  writeConfigFile(configPath, nextConfig);
-
-  printDone(`Encrypted store: ${pc.dim(secureStorePath)}`);
-
-  clack.outro(pc.green('Setup complete'));
-
-  printSuccess('Ready', [
-    `${pc.cyan('npx exagent run')}       Start the agent`,
-    `${pc.cyan('npx exagent config')}    Change LLM API key or model`,
-    `${pc.cyan('npx exagent status')}    Check agent connection`,
-    '',
-    `${pc.dim('Dashboard:')}  ${pc.cyan('https://exagent.io')}`,
-  ]);
-}

package/src/signal.ts

@@ -1,212 +0,0 @@
-import type { TradeSignal } from '@exagent/sdk';
-import type { RelayClient } from './relay.js';
-import type { FileStore } from './store.js';
-import { getLogger } from './logger.js';
-
-const SIGNAL_QUEUE_KEY = 'pending_trade_signals';
-const MAX_QUEUE_SIZE = 1000;
-
-interface QueuedSignal {
-  signal: TradeSignal;
-  reportType: 'trade' | 'perp_fill' | 'prediction_fill' | 'spot_fill' | 'bridge_fill';
-  queuedAt: number;
-}
-
-export class SignalReporter {
-  private relay: RelayClient;
-  private store: FileStore | null;
-  private pendingSignals: QueuedSignal[] = [];
-
-  constructor(relay: RelayClient, store?: FileStore) {
-    this.relay = relay;
-    this.store = store ?? null;
-
-    // Load persisted queue from store (survives process crashes)
-    if (this.store) {
-      const persisted = this.store.get<QueuedSignal[]>(SIGNAL_QUEUE_KEY);
-      if (persisted && Array.isArray(persisted)) {
-        this.pendingSignals = persisted;
-        if (this.pendingSignals.length > 0) {
-          getLogger().info('signal', 'Loaded queued signals from disk', { count: this.pendingSignals.length });
-        }
-      }
-    }
-  }
-
-  /** Flush all queued signals to the relay. Called on reconnect. */
-  flushQueue(): void {
-    if (this.pendingSignals.length === 0) return;
-    if (!this.relay.isConnected) return;
-
-    getLogger().info('signal', 'Flushing queued signals', { count: this.pendingSignals.length });
-    const signals = [...this.pendingSignals];
-    this.pendingSignals = [];
-    this.persistQueue();
-
-    for (const queued of signals) {
-      this.relay.sendTradeSignal(queued.signal);
-
-      // Also send the human-readable message
-      const sig = queued.signal;
-      switch (queued.reportType) {
-        case 'trade':
-          this.relay.sendMessage(
-            'trade_executed', 'success',
-            `${sig.side.toUpperCase()} ${sig.symbol}`,
-            `${sig.side} ${sig.size} ${sig.symbol} @ $${sig.price.toFixed(2)} on ${sig.venue} (queued)`,
-            { signal: sig },
-          );
-          break;
-        case 'perp_fill':
-          this.relay.sendMessage(
-            'perp_fill', 'success',
-            `Perp ${sig.side.toUpperCase()} ${sig.symbol}`,
-            `${sig.side} ${sig.size} ${sig.symbol} @ $${sig.price.toFixed(2)} (${sig.leverage ?? 1}x) (queued)`,
-            { signal: sig },
-          );
-          break;
-        case 'prediction_fill':
-          this.relay.sendMessage(
-            'prediction_fill', 'success',
-            `Prediction ${sig.side.toUpperCase()}`,
-            `${sig.side} $${sig.size.toFixed(2)} on ${sig.symbol} @ ${sig.price.toFixed(4)} (queued)`,
-            { signal: sig },
-          );
-          break;
-        case 'spot_fill':
-          this.relay.sendMessage(
-            'spot_fill', 'success',
-            `Spot ${sig.side.toUpperCase()} ${sig.symbol}`,
-            `${sig.side} ${sig.size} ${sig.symbol} @ $${sig.price.toFixed(4)} on ${sig.venue} (${sig.chain ?? 'unknown'}) (queued)`,
-            { signal: sig },
-          );
-          break;
-        case 'bridge_fill':
-          this.relay.sendMessage(
-            'bridge_fill', 'success',
-            `Bridge ${sig.symbol}`,
-            `Bridged ${sig.size} ${sig.symbol} to ${sig.chain ?? 'unknown'} via ${sig.venue} (queued)`,
-            { signal: sig },
-          );
-          break;
-      }
-    }
-
-    getLogger().info('signal', 'Queue flushed successfully');
-  }
-
-  get queueSize(): number {
-    return this.pendingSignals.length;
-  }
-
-  private enqueue(signal: TradeSignal, reportType: QueuedSignal['reportType']): void {
-    this.pendingSignals.push({ signal, reportType, queuedAt: Date.now() });
-
-    // Evict oldest if over cap
-    while (this.pendingSignals.length > MAX_QUEUE_SIZE) {
-      this.pendingSignals.shift();
-    }
-
-    this.persistQueue();
-  }
-
-  private persistQueue(): void {
-    if (!this.store) return;
-    if (this.pendingSignals.length === 0) {
-      this.store.delete(SIGNAL_QUEUE_KEY);
-    } else {
-      this.store.set(SIGNAL_QUEUE_KEY, this.pendingSignals);
-    }
-  }
-
-  reportTrade(signal: TradeSignal): void {
-    if (!this.relay.isConnected) {
-      getLogger().warn('signal', 'Not connected to relay — trade signal queued locally', { symbol: signal.symbol });
-      this.enqueue(signal, 'trade');
-      return;
-    }
-
-    this.relay.sendTradeSignal(signal);
-    this.relay.sendMessage(
-      'trade_executed',
-      'success',
-      `${signal.side.toUpperCase()} ${signal.symbol}`,
-      `${signal.side} ${signal.size} ${signal.symbol} @ $${signal.price.toFixed(2)} on ${signal.venue}`,
-      { signal },
-    );
-  }
-
-  reportPerpFill(signal: TradeSignal): void {
-    if (!this.relay.isConnected) {
-      this.enqueue(signal, 'perp_fill');
-      return;
-    }
-
-    this.relay.sendTradeSignal(signal);
-    this.relay.sendMessage(
-      'perp_fill',
-      'success',
-      `Perp ${signal.side.toUpperCase()} ${signal.symbol}`,
-      `${signal.side} ${signal.size} ${signal.symbol} @ $${signal.price.toFixed(2)} (${signal.leverage ?? 1}x)`,
-      { signal },
-    );
-  }
-
-  reportPredictionFill(signal: TradeSignal): void {
-    if (!this.relay.isConnected) {
-      this.enqueue(signal, 'prediction_fill');
-      return;
-    }
-
-    this.relay.sendTradeSignal(signal);
-    this.relay.sendMessage(
-      'prediction_fill',
-      'success',
-      `Prediction ${signal.side.toUpperCase()}`,
-      `${signal.side} $${signal.size.toFixed(2)} on ${signal.symbol} @ ${signal.price.toFixed(4)}`,
-      { signal },
-    );
-  }
-
-  reportSpotFill(signal: TradeSignal): void {
-    if (!this.relay.isConnected) {
-      this.enqueue(signal, 'spot_fill');
-      return;
-    }
-
-    this.relay.sendTradeSignal(signal);
-    this.relay.sendMessage(
-      'spot_fill',
-      'success',
-      `Spot ${signal.side.toUpperCase()} ${signal.symbol}`,
-      `${signal.side} ${signal.size} ${signal.symbol} @ $${signal.price.toFixed(4)} on ${signal.venue} (${signal.chain ?? 'unknown'})`,
-      { signal },
-    );
-  }
-
-  reportBridgeFill(signal: TradeSignal): void {
-    if (!this.relay.isConnected) {
-      this.enqueue(signal, 'bridge_fill');
-      return;
-    }
-
-    this.relay.sendTradeSignal(signal);
-    this.relay.sendMessage(
-      'bridge_fill',
-      'success',
-      `Bridge ${signal.symbol}`,
-      `Bridged ${signal.size} ${signal.symbol} to ${signal.chain ?? 'unknown'} via ${signal.venue}`,
-      { signal },
-    );
-  }
-
-  reportError(title: string, body: string, data?: Record<string, unknown>): void {
-    if (!this.relay.isConnected) return;
-    this.relay.sendMessage('error', 'error', title, body, data);
-  }
-
-  reportInfo(title: string, body: string, data?: Record<string, unknown>): void {
-    if (!this.relay.isConnected) return;
-    this.relay.sendMessage('info', 'info', title, body, data);
-  }
-}