@intent-systems/nexus 2026.1.5-4 → 2026.1.5-5

package/dist/auto-reply/reply/directives.js

@@ -1,9 +1,9 @@
-import { normalizeElevatedLevel, normalizeThinkLevel, normalizeVerboseLevel, } from "../thinking.js";
+import { normalizeElevatedLevel, normalizeReasoningLevel, normalizeThinkLevel, normalizeVerboseLevel, } from "../thinking.js";
 export function extractThinkDirective(body) {
     if (!body)
         return { cleaned: "", hasDirective: false };
     // Match the longest keyword first to avoid partial captures (e.g. "/think:high")
-    const match = body.match(/(?:^|\s)\/(?:thinking|think|t)\s*:?\s*([a-zA-Z-]+)\b/i);
+    const match = body.match(/(?:^|\s)\/(?:thinking|think|t)(?=$|\s|:)\s*:?\s*([a-zA-Z-]+)?\b/i);
     const thinkLevel = normalizeThinkLevel(match?.[1]);
     const cleaned = match
         ? body.replace(match[0], "").replace(/\s+/g, " ").trim()
@@ -45,6 +45,21 @@ export function extractElevatedDirective(body) {
         hasDirective: !!match,
     };
 }
+export function extractReasoningDirective(body) {
+    if (!body)
+        return { cleaned: "", hasDirective: false };
+    const match = body.match(/(?:^|\s)\/(?:reasoning|reason)(?=$|\s|:)\s*:?\s*([a-zA-Z-]+)?\b/i);
+    const reasoningLevel = normalizeReasoningLevel(match?.[1]);
+    const cleaned = match
+        ? body.replace(match[0], "").replace(/\s+/g, " ").trim()
+        : body.trim();
+    return {
+        cleaned,
+        reasoningLevel,
+        rawLevel: match?.[1],
+        hasDirective: !!match,
+    };
+}
 export function extractStatusDirective(body) {
     if (!body)
         return { cleaned: "", hasDirective: false };

package/dist/auto-reply/reply/model-selection.js

@@ -122,7 +122,8 @@ export function resolveModelDirectiveSelection(params) {
             if (params.provider && provider !== normalizeProviderId(params.provider))
                 continue;
             const haystack = `${provider}/${model}`.toLowerCase();
-            if (haystack.includes(fragment) || model.toLowerCase().includes(fragment)) {
+            if (haystack.includes(fragment) ||
+                model.toLowerCase().includes(fragment)) {
                 candidates.push({ provider, model });
             }
         }
@@ -132,7 +133,10 @@ export function resolveModelDirectiveSelection(params) {
             for (const [aliasKey, entry] of aliasIndex.byAlias.entries()) {
                 if (!aliasKey.includes(fragment))
                     continue;
-                aliasMatches.push({ provider: entry.ref.provider, model: entry.ref.model });
+                aliasMatches.push({
+                    provider: entry.ref.provider,
+                    model: entry.ref.model,
+                });
             }
             for (const match of aliasMatches) {
                 const key = modelKey(match.provider, match.model);
@@ -176,7 +180,8 @@ export function resolveModelDirectiveSelection(params) {
     }
     const resolvedKey = modelKey(resolved.ref.provider, resolved.ref.model);
     if (allowedModelKeys.size === 0 || allowedModelKeys.has(resolvedKey)) {
-        const alias = resolved.alias ?? pickAliasForKey(resolved.ref.provider, resolved.ref.model);
+        const alias = resolved.alias ??
+            pickAliasForKey(resolved.ref.provider, resolved.ref.model);
         return {
             selection: {
                 provider: resolved.ref.provider,

package/dist/auto-reply/reply/queue.js

@@ -370,8 +370,8 @@ function defaultQueueModeForProvider(provider) {
 export function resolveQueueSettings(params) {
     const providerKey = params.provider?.trim().toLowerCase();
     const queueCfg = params.cfg.routing?.queue;
-    const providerModeRaw = providerKey && queueCfg?.byProvider
-        ? queueCfg.byProvider[providerKey]
+    const providerModeRaw = providerKey && queueCfg?.byChannel
+        ? queueCfg.byChannel[providerKey]
         : undefined;
     const resolvedMode = params.inlineMode ??
         normalizeQueueMode(params.sessionEntry?.queueMode) ??

package/dist/auto-reply/reply.js

@@ -35,7 +35,7 @@ export { extractElevatedDirective, extractThinkDirective, extractVerboseDirectiv
 export { extractQueueDirective } from "./reply/queue.js";
 export { extractReplyToTag } from "./reply/reply-tags.js";
 const BARE_SESSION_RESET_PROMPT = "A new session was started via /new or /reset. Say hi briefly (1-2 sentences) and ask what the user wants to do next. Do not mention internal steps, files, tools, or reasoning.";
-const CONTROL_COMMAND_PREFIX_RE = /^\/(?:status|help|thinking|think|t|verbose|v|elevated|elev|model|queue|activation|send|restart|reset|new|compact)\b/i;
+const CONTROL_COMMAND_PREFIX_RE = /^\/(?:status|help|thinking|think|t|reasoning|reason|verbose|v|elevated|elev|model|queue|activation|send|restart|reset|new|compact)\b/i;
 function normalizeAllowToken(value) {
     if (!value)
         return "";

package/dist/auto-reply/thinking.js

@@ -21,6 +21,8 @@ export function normalizeThinkLevel(raw) {
         "max",
     ].includes(key))
         return "high";
+    if (["xhigh", "x-high", "extra-high"].includes(key))
+        return "xhigh";
     if (["think"].includes(key))
         return "minimal";
     return undefined;
@@ -47,3 +49,16 @@ export function normalizeElevatedLevel(raw) {
         return "on";
     return undefined;
 }
+// Normalize reasoning visibility flags used to control <think> output.
+export function normalizeReasoningLevel(raw) {
+    if (!raw)
+        return undefined;
+    const key = raw.toLowerCase();
+    if (["off", "false", "no", "0"].includes(key))
+        return "off";
+    if (["on", "true", "yes", "1"].includes(key))
+        return "on";
+    if (["stream", "live"].includes(key))
+        return "stream";
+    return undefined;
+}

package/dist/browser/chrome.js

@@ -7,7 +7,7 @@ import { ensurePortAvailable } from "../infra/ports.js";
 import { createSubsystemLogger } from "../logging.js";
 import { CONFIG_DIR } from "../utils.js";
 import { normalizeCdpWsUrl } from "./cdp.js";
-import { DEFAULT_NEXUS_BROWSER_COLOR, DEFAULT_NEXUS_BROWSER_PROFILE_NAME } from "./constants.js";
+import { DEFAULT_NEXUS_BROWSER_COLOR, DEFAULT_NEXUS_BROWSER_PROFILE_NAME, } from "./constants.js";
 const log = createSubsystemLogger("browser").child("chrome");
 function exists(filePath) {
     try {

package/dist/browser/client.js

@@ -96,6 +96,8 @@ export async function browserSnapshot(baseUrl, opts) {
         q.set("targetId", opts.targetId);
     if (typeof opts.limit === "number")
         q.set("limit", String(opts.limit));
+    if (typeof opts.maxChars === "number")
+        q.set("maxChars", String(opts.maxChars));
     if (opts.profile)
         q.set("profile", opts.profile);
     return await fetchBrowserJson(`${baseUrl}/snapshot?${q.toString()}`, {

package/dist/browser/config.js

@@ -56,7 +56,8 @@ function ensureDefaultProfile(profiles, defaultColor, legacyCdpPort, derivedDefa
 }
 export function resolveBrowserConfig(cfg) {
     const enabled = cfg?.enabled ?? DEFAULT_NEXUS_BROWSER_ENABLED;
-    const envControlUrl = (process.env.NEXUS_BROWSER_CONTROL_URL ?? process.env.NEXUS_BROWSER_CONTROL_URL)?.trim();
+    const envControlUrl = (process.env.NEXUS_BROWSER_CONTROL_URL ??
+        process.env.NEXUS_BROWSER_CONTROL_URL)?.trim();
     const derivedControlPort = (() => {
         const raw = (process.env.NEXUS_GATEWAY_PORT ?? process.env.NEXUS_GATEWAY_PORT)?.trim();
         if (!raw)
@@ -69,7 +70,10 @@ export function resolveBrowserConfig(cfg) {
     const derivedControlUrl = derivedControlPort
         ? `http://127.0.0.1:${derivedControlPort}`
         : null;
-    const controlInfo = parseHttpUrl(cfg?.controlUrl ?? envControlUrl ?? derivedControlUrl ?? DEFAULT_NEXUS_BROWSER_CONTROL_URL, "browser.controlUrl");
+    const controlInfo = parseHttpUrl(cfg?.controlUrl ??
+        envControlUrl ??
+        derivedControlUrl ??
+        DEFAULT_NEXUS_BROWSER_CONTROL_URL, "browser.controlUrl");
     const controlPort = controlInfo.port;
     const defaultColor = normalizeHexColor(cfg?.color);
     const derivedCdpRange = deriveDefaultBrowserCdpPortRange(controlPort);

package/dist/browser/pw-tools-core.js

@@ -20,6 +20,9 @@ export async function snapshotAiViaPlaywright(opts) {
     const result = await maybe._snapshotForAI({
         timeout: Math.max(500, Math.min(60_000, Math.floor(opts.timeoutMs ?? 5000))),
         track: "response",
+        ...(typeof opts.maxChars === "number" && Number.isFinite(opts.maxChars)
+            ? { maxChars: Math.max(1, Math.floor(opts.maxChars)) }
+            : {}),
     });
     return { snapshot: String(result?.full ?? "") };
 }

package/dist/browser/routes/agent.js

@@ -1,6 +1,7 @@
 import path from "node:path";
 import { ensureMediaDir, saveMediaBuffer } from "../../media/store.js";
 import { captureScreenshot, snapshotAria } from "../cdp.js";
+import { DEFAULT_AI_SNAPSHOT_MAX_CHARS } from "../constants.js";
 import { DEFAULT_BROWSER_SCREENSHOT_MAX_BYTES, DEFAULT_BROWSER_SCREENSHOT_MAX_SIDE, normalizeBrowserScreenshot, } from "../screenshot.js";
 import { getProfileContext, jsonError, toBoolean, toNumber, toStringArray, toStringOrEmpty, } from "./utils.js";
 const SELECTOR_UNSUPPORTED_MESSAGE = [
@@ -498,6 +499,18 @@ export function registerBrowserAgentRoutes(app, ctx) {
                     ? "ai"
                     : "aria";
         const limit = typeof req.query.limit === "string" ? Number(req.query.limit) : undefined;
+        const maxCharsRaw = typeof req.query.maxChars === "string" ||
+            typeof req.query.maxChars === "number"
+            ? Number(req.query.maxChars)
+            : undefined;
+        const maxChars = format === "ai" &&
+            typeof maxCharsRaw === "number" &&
+            Number.isFinite(maxCharsRaw) &&
+            maxCharsRaw > 0
+            ? Math.floor(maxCharsRaw)
+            : format === "ai"
+                ? DEFAULT_AI_SNAPSHOT_MAX_CHARS
+                : undefined;
         try {
             const tab = await profileCtx.ensureTabAvailable(targetId || undefined);
             if (format === "ai") {
@@ -507,6 +520,7 @@ export function registerBrowserAgentRoutes(app, ctx) {
                 const snap = await pw.snapshotAiViaPlaywright({
                     cdpUrl: profileCtx.profile.cdpUrl,
                     targetId: tab.targetId,
+                    maxChars,
                 });
                 return res.json({
                     ok: true,

package/dist/canvas-host/server.js

@@ -126,7 +126,7 @@ async function resolveFilePath(rootReal, urlPath) {
     }
 }
 function isDisabledByEnv() {
-    if (process.env.NEXUS_SKIP_CANVAS_HOST === "1" || process.env.NEXUS_SKIP_CANVAS_HOST === "1")
+    if (process.env.NEXUS_SKIP_CANVAS_HOST === "1")
         return true;
     if (process.env.NODE_ENV === "test")
         return true;

package/dist/capabilities/detector.js

@@ -1,10 +1,9 @@
 import fs from "node:fs";
 import path from "node:path";
+import { getSkillMetadata, isConfigPathTruthy, loadWorkspaceSkillEntries, resolveRuntimePlatform, resolveSkillConfig, } from "../agents/skills.js";
 import { loadConfig } from "../config/config.js";
-import { resolveStateDir } from "../config/paths.js";
-import { getSkillMetadata, isConfigPathTruthy, loadWorkspaceSkillEntries, resolveSkillConfig, resolveRuntimePlatform, } from "../agents/skills.js";
 import { ensureCredentialIndexSync } from "../credentials/store.js";
-import { NEXUS_ROOT } from "../utils.js";
+import { MANAGED_SKILLS_DIR, NEXUS_ROOT } from "../utils.js";
 import { loadCapabilityRegistry } from "./registry.js";
 const STATUS_PRIORITY = [
     "active",
@@ -58,7 +57,7 @@ function setupLooksCredentialed(raw) {
         lowered.includes("key"));
 }
 function detectSkillUsageActive(skillName) {
-    const usageLog = path.join(resolveStateDir(), "nexus", "skills", skillName, "usage.log");
+    const usageLog = path.join(MANAGED_SKILLS_DIR, skillName, "usage.log");
     try {
         const stat = fs.statSync(usageLog);
         return stat.isFile() && stat.size > 0;
@@ -67,7 +66,7 @@ function detectSkillUsageActive(skillName) {
         return false;
     }
 }
-function resolveSkillType(skillName, metadata) {
+function resolveSkillType(_skillName, metadata) {
     if (metadata?.type)
         return metadata.type;
     const requires = metadata?.requires;
@@ -78,11 +77,16 @@ function resolveSkillType(skillName, metadata) {
     return "guide";
 }
 function resolveSkillProviderStatus(params) {
-    const { skillName, providerId, config, credentialServices, metadata, setupHint } = params;
+    const { skillName, providerId, config, credentialServices, metadata, setupHint, } = params;
     const platform = resolveRuntimePlatform();
     const skillType = resolveSkillType(skillName, metadata);
     if (metadata?.os?.length && !metadata.os.includes(platform)) {
-        return { id: providerId, kind: "skill", status: "unavailable", reason: "os" };
+        return {
+            id: providerId,
+            kind: "skill",
+            status: "unavailable",
+            reason: "os",
+        };
     }
     const skillKey = metadata?.skillKey ?? skillName;
     const skillConfig = resolveSkillConfig(config, skillKey);
@@ -108,15 +112,27 @@ function resolveSkillProviderStatus(params) {
         return true;
     });
     if (missingEnv.length > 0) {
-        return { id: providerId, kind: "skill", status: "needs_setup", reason: "missing_env" };
+        return {
+            id: providerId,
+            kind: "skill",
+            status: "needs_setup",
+            reason: "missing_env",
+        };
     }
     const missingConfig = (requires?.config ?? []).filter((configPath) => !isConfigPathTruthy(config, configPath));
     if (missingConfig.length > 0) {
-        return { id: providerId, kind: "skill", status: "needs_setup", reason: "missing_config" };
+        return {
+            id: providerId,
+            kind: "skill",
+            status: "needs_setup",
+            reason: "missing_config",
+        };
     }
     const credentialHints = requires?.credentials ?? [];
     const requiresCredential = setupLooksCredentialed(setupHint ?? "");
-    if (skillType === "connector" || credentialHints.length > 0 || requiresCredential) {
+    if (skillType === "connector" ||
+        credentialHints.length > 0 ||
+        requiresCredential) {
         const aliases = new Set();
         for (const entry of [providerId, ...credentialHints]) {
             for (const alias of resolveCredentialAliases(entry))
@@ -124,7 +140,12 @@ function resolveSkillProviderStatus(params) {
         }
         const hasCred = Array.from(aliases).some((alias) => credentialServices.has(alias));
         if (!hasCred) {
-            return { id: providerId, kind: "skill", status: "needs_setup", reason: "missing_credentials" };
+            return {
+                id: providerId,
+                kind: "skill",
+                status: "needs_setup",
+                reason: "missing_credentials",
+            };
         }
     }
     if (detectSkillUsageActive(skillName)) {
@@ -162,7 +183,9 @@ export function detectCapabilities(params) {
         const metadata = getSkillMetadata(entry);
         const key = normalizeProviderId(metadata?.skillKey ?? entry.skill.name);
         skillMap.set(key, { name: entry.skill.name, metadata });
-        const provides = (metadata?.provides ?? []).map((cap) => cap.trim()).filter(Boolean);
+        const provides = (metadata?.provides ?? [])
+            .map((cap) => cap.trim())
+            .filter(Boolean);
         for (const capId of provides) {
             const normalizedCap = capId.trim();
             if (!normalizedCap)
@@ -176,7 +199,10 @@ export function detectCapabilities(params) {
     const capabilities = [];
     for (const capability of registry.all) {
         const extraProviders = providesMap.get(capability.id) ?? [];
-        const providerList = Array.from(new Set([...capability.providers.map(normalizeProviderId), ...extraProviders]));
+        const providerList = Array.from(new Set([
+            ...capability.providers.map(normalizeProviderId),
+            ...extraProviders,
+        ]));
         const providerStatuses = [];
         for (const provider of providerList) {
             const normalized = normalizeProviderId(provider);
@@ -195,7 +221,11 @@ export function detectCapabilities(params) {
                 providerStatuses.push(resolveCredentialProviderStatus(normalized, credentialServices));
             }
             else {
-                providerStatuses.push({ id: normalized, kind: "unknown", status: "unavailable" });
+                providerStatuses.push({
+                    id: normalized,
+                    kind: "unknown",
+                    status: "unavailable",
+                });
             }
         }
         const status = pickBestStatus(providerStatuses.map((p) => p.status));
@@ -206,7 +236,8 @@ export function detectCapabilities(params) {
         active: capabilities.filter((c) => c.status === "active").length,
         ready: capabilities.filter((c) => c.status === "ready").length,
         needs_setup: capabilities.filter((c) => c.status === "needs_setup").length,
-        needs_install: capabilities.filter((c) => c.status === "needs_install").length,
+        needs_install: capabilities.filter((c) => c.status === "needs_install")
+            .length,
         unavailable: capabilities.filter((c) => c.status === "unavailable").length,
         broken: capabilities.filter((c) => c.status === "broken").length,
     };

package/dist/capabilities/registry.js

@@ -70,7 +70,8 @@ export function loadCapabilityRegistry() {
     for (const line of lines) {
         const headingMatch = line.match(/^###\s+(.+)$/);
         if (headingMatch) {
-            currentCategory = headingMatch[1]?.replace(/^[-–]\s*/, "").trim() || currentCategory;
+            currentCategory =
+                headingMatch[1]?.replace(/^[-–]\s*/, "").trim() || currentCategory;
             continue;
         }
         const tableMatch = line.match(/^\|\s*`([^`]+)`\s*\|\s*([^|]+)\|\s*([^|]+)\|\s*([^|]+)\|/);

package/dist/cli/cloud-cli.js

@@ -1,10 +1,10 @@
+import { spawn } from "node:child_process";
+import crypto from "node:crypto";
 import fs from "node:fs";
 import path from "node:path";
-import crypto from "node:crypto";
-import { spawn } from "node:child_process";
 import { scanCredentials } from "../commands/credential.js";
 import { openUrl } from "../commands/onboard-helpers.js";
-import { storeKeychainSecret, writeCredentialRecord, } from "../credentials/store.js";
+import { resolveDefaultEnvVar, storeKeychainSecret, writeCredentialRecord, } from "../credentials/store.js";
 import { NEXUS_ROOT, sleep } from "../utils.js";
 const DEFAULT_CLOUD_TIMEOUT_MS = 120_000;
 const DEFAULT_CLOUD_POLL_MS = 2_000;
@@ -77,6 +77,7 @@ async function storeHubToken(params) {
             value: params.token,
         });
     }
+    let envVar;
     if (storedInKeychain) {
         record = {
             owner: "user",
@@ -86,17 +87,18 @@ async function storeHubToken(params) {
         };
     }
     else {
+        envVar = resolveDefaultEnvVar({ service, type: "token" });
+        process.env[envVar] = params.token;
         record = {
             owner: "user",
             type: "token",
             configuredAt: now,
-            storage: { provider: "plaintext" },
-            token: params.token,
+            storage: { provider: "env", var: envVar },
         };
     }
     await writeCredentialRecord(service, account, authId, record);
     await scanCredentials();
-    return { storedInKeychain, account };
+    return { storedInKeychain, account, envVar };
 }
 function parseCloudLoginArgs(args) {
     let baseUrl = getHubBaseUrl();
@@ -296,7 +298,10 @@ async function handleCloudLogin(rawArgs) {
     }
     console.log(stored.storedInKeychain
         ? "   Token stored in keychain"
-        : "   Token stored in plaintext credentials");
+        : `   Token stored in env var ${stored.envVar ?? ""}`.trim());
+    if (!stored.storedInKeychain && stored.envVar) {
+        console.log(`   Persist it in your shell: export ${stored.envVar}=...`);
+    }
     if (cloudUrl) {
         console.log(`   Cloud URL: ${cloudUrl}`);
     }

package/dist/cli/credential-cli.js

@@ -1,5 +1,5 @@
 import { cancel, confirm, isCancel } from "@clack/prompts";
-import { addCredential, flagCredential, getCredential, getCredentialPaths, listCredentials, removeCredential, scanCredentialEnv, } from "../commands/credential.js";
+import { addCredential, flagCredential, getCredential, getCredentialPaths, getCredentialValue, importCliCredential, listCredentials, removeCredential, scanCredentialEnv, verifyCredentials, } from "../commands/credential.js";
 function parseFields(raw, fieldsArgs) {
     const out = {};
     if (raw) {
@@ -25,7 +25,9 @@ function parseFields(raw, fieldsArgs) {
     return out;
 }
 export function registerCredentialCli(program) {
-    const credential = program.command("credential").description("Manage credentials");
+    const credential = program
+        .command("credential")
+        .description("Manage credentials");
     credential
         .command("list")
         .description("List credentials from the index")
@@ -54,29 +56,72 @@ export function registerCredentialCli(program) {
         const paths = getCredentialPaths();
         console.log(`\nIndex: ${paths.indexPath}`);
     });
+    credential
+        .command("verify <service>")
+        .description("Verify credential status for a service")
+        .option("--json", "Output as JSON")
+        .action(async (service, opts) => {
+        const result = await verifyCredentials({ service });
+        if (!result) {
+            console.error("Credential service not found.");
+            process.exit(1);
+        }
+        if (opts.json) {
+            console.log(JSON.stringify(result, null, 2));
+            return;
+        }
+        const iconFor = (status) => status === "ok" ? "✅" : status === "skipped" ? "⚠️" : "❌";
+        console.log(`${result.ok ? "✅" : "❌"} ${result.service}: ${result.accounts} account(s) checked`);
+        for (const entry of result.checked) {
+            const err = entry.error ? ` - ${entry.error}` : "";
+            console.log(`  ${iconFor(entry.status)} ${entry.account} (${entry.authId})${err}`);
+        }
+        if (!result.ok) {
+            process.exit(1);
+        }
+    });
     credential
         .command("get")
-        .description("Get a credential record")
+        .description("Get a credential value")
         .requiredOption("--service <id>", "Service id")
         .requiredOption("--account <id>", "Account id")
         .requiredOption("--auth <id>", "Auth id")
         .option("--json", "Output as JSON")
+        .option("--record", "Show credential record instead of value")
         .action(async (opts) => {
-        const result = await getCredential({
+        const params = {
             service: opts.service,
             account: opts.account,
             authId: opts.auth,
-        });
-        if (!result) {
-            console.error("Credential not found.");
+        };
+        if (opts.record) {
+            const result = await getCredential(params);
+            if (!result) {
+                console.error("Credential not found.");
+                process.exit(1);
+            }
+            if (opts.json) {
+                console.log(JSON.stringify(result, null, 2));
+                return;
+            }
+            console.log(`\n${result.filePath}`);
+            console.log(JSON.stringify(result.record, null, 2));
+            return;
+        }
+        const valueResult = await getCredentialValue(params);
+        if (!valueResult) {
+            console.error("Credential value not found.");
             process.exit(1);
         }
         if (opts.json) {
-            console.log(JSON.stringify(result, null, 2));
+            console.log(JSON.stringify({
+                filePath: valueResult.filePath,
+                field: valueResult.field,
+                value: valueResult.value,
+            }, null, 2));
             return;
         }
-        console.log(`\n${result.filePath}`);
-        console.log(JSON.stringify(result.record, null, 2));
+        console.log(valueResult.value);
     });
     credential
         .command("add")
@@ -86,23 +131,55 @@ export function registerCredentialCli(program) {
         .requiredOption("--type <type>", "api_key | token | oauth | config")
         .option("--auth <id>", "Auth id (defaults to type)")
         .option("--owner <owner>", "shared | user | agent:<id>", "user")
-        .option("--storage <provider>", "plaintext | keychain | 1password | external", "plaintext")
-        .option("--value <value>", "Secret value for plaintext/keychain")
+        .option("--storage <provider>", "keychain | 1password | env | external")
+        .option("--value <value>", "Secret value for keychain")
         .option("--refresh-token <token>", "OAuth refresh token")
         .option("--expires-at <ts>", "Expiration (unix ms or ISO string)")
         .option("--vault <name>", "1Password vault")
         .option("--item <name>", "1Password item")
         .option("--fields <json>", "1Password field map as JSON")
         .option("--field <pair...>", "1Password field map: key=value")
-        .option("--sync-command <cmd>", "External sync command")
+        .option("--env-var <name>", "Env var name for env storage")
+        .option("--command <cmd>", "External command to fetch secret")
+        .option("--sync-command <cmd>", "External sync command (deprecated)")
+        .option("--format <format>", "External command output format: raw|json")
+        .option("--json-path <path>", "JSON path for external output")
         .action(async (opts) => {
         const type = String(opts.type).trim();
         if (!["api_key", "token", "oauth", "config"].includes(type)) {
             console.error("Invalid --type");
             process.exit(1);
         }
-        const storage = String(opts.storage).trim();
+        const storageRaw = opts.storage ? String(opts.storage).trim() : "";
+        const storage = storageRaw || (process.platform === "darwin" ? "keychain" : "");
+        if (!storage) {
+            console.error("Missing --storage. Use keychain (macOS), 1password, env, or external.");
+            process.exit(1);
+        }
+        if (storage === "keychain" && !opts.value) {
+            console.error("Missing --value for keychain storage.");
+            process.exit(1);
+        }
+        if (storage === "env" && !opts.envVar) {
+            console.error("Missing --env-var for env storage.");
+            process.exit(1);
+        }
+        if (storage === "external" && !opts.command && !opts.syncCommand) {
+            console.error("Missing --command for external storage.");
+            process.exit(1);
+        }
+        if (opts.format && !["raw", "json"].includes(String(opts.format))) {
+            console.error("Invalid --format. Use raw or json.");
+            process.exit(1);
+        }
+        if (!["keychain", "1password", "env", "external"].includes(storage)) {
+            console.error("Invalid --storage. Use keychain, 1password, env, external.");
+            process.exit(1);
+        }
         const fields = parseFields(opts.fields, opts.field);
+        const format = opts.format === "raw" || opts.format === "json"
+            ? opts.format
+            : undefined;
         const expiresAt = opts.expiresAt && /^\d+$/.test(String(opts.expiresAt).trim())
             ? Number.parseInt(String(opts.expiresAt).trim(), 10)
             : opts.expiresAt;
@@ -121,14 +198,59 @@ export function registerCredentialCli(program) {
                         item: String(opts.item ?? ""),
                         fields,
                     }
-                    : storage === "external"
-                        ? { provider: "external", syncCommand: String(opts.syncCommand ?? "") }
-                        : { provider: "plaintext", value: opts.value },
+                    : storage === "env"
+                        ? { provider: "env", var: String(opts.envVar ?? "") }
+                        : storage === "external"
+                            ? {
+                                provider: "external",
+                                command: opts.command ? String(opts.command) : undefined,
+                                syncCommand: opts.syncCommand
+                                    ? String(opts.syncCommand)
+                                    : undefined,
+                                ...(format ? { format } : {}),
+                                jsonPath: opts.jsonPath
+                                    ? String(opts.jsonPath)
+                                    : undefined,
+                            }
+                            : { provider: "env", var: String(opts.envVar ?? "") },
             refreshToken: opts.refreshToken,
             expiresAt,
         });
         console.log(`Added credential at ${record.filePath}`);
     });
+    credential
+        .command("import <source>")
+        .description("Import external CLI credentials")
+        .option("--account <id>", "Account id override")
+        .option("--owner <owner>", "shared | user | agent:<id>", "user")
+        .option("--force", "Overwrite existing record")
+        .option("--json", "Output as JSON")
+        .option("--no-keychain-prompt", "Skip keychain prompts")
+        .action(async (source, opts) => {
+        const normalized = String(source ?? "").trim();
+        if (!["claude-cli", "codex-cli"].includes(normalized)) {
+            console.error("Invalid source. Use claude-cli or codex-cli.");
+            process.exit(1);
+        }
+        try {
+            const result = await importCliCredential({
+                source: normalized,
+                account: opts.account,
+                owner: opts.owner,
+                force: Boolean(opts.force),
+                allowKeychainPrompt: opts.keychainPrompt !== false,
+            });
+            if (opts.json) {
+                console.log(JSON.stringify(result, null, 2));
+                return;
+            }
+            console.log(`Imported ${result.source} credentials into ${result.profileId} (${result.filePath})`);
+        }
+        catch (err) {
+            console.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
     credential
         .command("remove")
         .description("Remove a credential record")

package/dist/cli/gateway-cli.js

@@ -1,5 +1,5 @@
 import fs from "node:fs";
-import { CONFIG_PATH_NEXUS, loadConfig, resolveGatewayPort } from "../config/config.js";
+import { CONFIG_PATH_NEXUS, loadConfig, resolveGatewayPort, } from "../config/config.js";
 import { GATEWAY_LAUNCH_AGENT_LABEL, GATEWAY_SYSTEMD_SERVICE_NAME, GATEWAY_WINDOWS_TASK_NAME, } from "../daemon/constants.js";
 import { resolveGatewayService } from "../daemon/service.js";
 import { callGateway, randomIdempotencyKey } from "../gateway/call.js";