npm - @tokagent/tokagentos - Versions diffs - 2.0.32 → 2.0.34 - Mend

@tokagent/tokagentos 2.0.32 → 2.0.34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/templates/fullstack-app/scripts/clear-db-llm-secrets.mjs +84 -0
package/templates/fullstack-app/scripts/verify-llm-plugins.mjs +122 -0
package/templates-manifest.json +1 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@tokagent/tokagentos",
-  "version": "2.0.32",
+  "version": "2.0.34",
   "description": "tokagentOS CLI - Create and upgrade tokagentOS project templates",
   "type": "module",
   "bin": {

package/templates/fullstack-app/scripts/clear-db-llm-secrets.mjs ADDED Viewed

@@ -0,0 +1,84 @@
+#!/usr/bin/env node
+/**
+ * Remove LLM provider API keys (OPENROUTER, ANTHROPIC, OPENAI, GOOGLE, GROQ)
+ * from the agents DB table. mergeDbSettings() in @elizaos/core loads
+ * agents.secrets and agents.settings.secrets into character.settings.secrets
+ * on every boot, and runtime.getSetting() checks character.settings.secrets
+ * BEFORE process.env — so a stale DB-stored key shadows the .env value
+ * forever. After running this, .env becomes the source of truth.
+ *
+ * Run with the agent STOPPED (`Ctrl-C` your `bun run dev`):
+ *   bun run scripts/clear-db-llm-secrets.mjs
+ */
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { existsSync } from "node:fs";
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const PROJECT_ROOT = path.resolve(__dirname, "..");
+const DB_DIR = path.join(PROJECT_ROOT, ".eliza", ".elizadb");
+if (!existsSync(DB_DIR)) {
+  console.error(`PGLite directory not found at ${DB_DIR}`);
+  process.exit(1);
+}
+const LLM_KEYS = [
+  "OPENROUTER_API_KEY",
+  "ANTHROPIC_API_KEY",
+  "OPENAI_API_KEY",
+  "GOOGLE_GENERATIVE_AI_API_KEY",
+  "GOOGLE_API_KEY",
+  "GROQ_API_KEY",
+];
+const { PGlite } = await import("@electric-sql/pglite");
+const db = new PGlite(DB_DIR);
+await db.waitReady;
+const before = await db.query(
+  "SELECT id, name, secrets, settings FROM agents",
+);
+console.log(`Agents in DB: ${before.rows.length}`);
+for (const row of before.rows) {
+  const id = row.id;
+  const name = row.name;
+  const topSecrets = row.secrets && typeof row.secrets === "object" ? row.secrets : {};
+  const settingsSecrets =
+    row.settings &&
+    typeof row.settings === "object" &&
+    row.settings.secrets &&
+    typeof row.settings.secrets === "object"
+      ? row.settings.secrets
+      : {};
+  const allKeys = new Set([
+    ...Object.keys(topSecrets),
+    ...Object.keys(settingsSecrets),
+  ]);
+  const llmKeysPresent = [...allKeys].filter((k) => LLM_KEYS.includes(k));
+  if (llmKeysPresent.length === 0) {
+    console.log(`  ${name} (${id}): no LLM keys stored ✓`);
+    continue;
+  }
+  console.log(`  ${name} (${id}): clearing ${llmKeysPresent.join(", ")}`);
+  const newTopSecrets = { ...topSecrets };
+  const newSettings =
+    row.settings && typeof row.settings === "object" ? { ...row.settings } : {};
+  const newSettingsSecrets = { ...settingsSecrets };
+  for (const k of llmKeysPresent) {
+    delete newTopSecrets[k];
+    delete newSettingsSecrets[k];
+  }
+  newSettings.secrets = newSettingsSecrets;
+  await db.query(
+    "UPDATE agents SET secrets = $1, settings = $2 WHERE id = $3",
+    [
+      JSON.stringify(newTopSecrets),
+      JSON.stringify(newSettings),
+      id,
+    ],
+  );
+}
+console.log("\nDone. Restart `bun run dev` — .env is now the source of truth.");
+await db.close();

package/templates/fullstack-app/scripts/verify-llm-plugins.mjs CHANGED Viewed

@@ -149,6 +149,47 @@ function readDotenv() {
 }
 const env = readDotenv();
+/**
+ * Shell-env vs .env conflict check.
+ *
+ * Failure mode observed in the field: user rotates an API key in .env, but
+ * an old value is still exported in their shell from a prior `export` or a
+ * line in ~/.zshrc / ~/.bashrc. dotenv defaults to `override: false`, which
+ * means existing process.env values are NOT overwritten by .env. The agent
+ * sees the stale shell value, OpenRouter returns 401 "User not found", and
+ * the AI SDK surfaces the opaque `AI_NoOutputGeneratedError`. Changing the
+ * .env does nothing because the shell value still wins.
+ *
+ * We don't flip dotenv's `override` flag — that breaks legitimate CI/devops
+ * setups that intentionally pass secrets via env vars. Instead we detect
+ * the mismatch and tell the user which value will actually be used and how
+ * to fix it.
+ */
+const SHADOWED_KEYS = [
+  "OPENROUTER_API_KEY",
+  "ANTHROPIC_API_KEY",
+  "OPENAI_API_KEY",
+  "GOOGLE_GENERATIVE_AI_API_KEY",
+  "GROQ_API_KEY",
+  "TAVILY_API_KEY",
+];
+for (const key of SHADOWED_KEYS) {
+  const dotenvValue = env[key];
+  const shellValue = process.env[key];
+  if (dotenvValue && shellValue && dotenvValue !== shellValue) {
+    fail(
+      `${key} differs between your shell environment and .env.\n` +
+        `  shell  : ${shellValue.slice(0, 12)}…${shellValue.slice(-4)} (this is what the agent reads)\n` +
+        `  .env   : ${dotenvValue.slice(0, 12)}…${dotenvValue.slice(-4)} (this is what you probably edited)\n` +
+        `  dotenv runs with override:false by default, so the shell value wins. To fix:\n` +
+        `    unset ${key}   # remove from the current shell\n` +
+        `    grep -n ${key} ~/.zshrc ~/.zprofile ~/.bashrc ~/.bash_profile 2>/dev/null\n` +
+        `    # delete any matching lines, restart the shell, then re-run \`bun run dev\``,
+    );
+  }
+}
 if (env.OPENROUTER_API_KEY) {
   const MODEL_KEYS = [
     "OPENROUTER_SMALL_MODEL",
@@ -188,6 +229,87 @@ if (env.OPENROUTER_API_KEY) {
   }
 }
+/**
+ * DB-shadow check.
+ *
+ * Failure mode observed in the field: an LLM key set during first-boot
+ * onboarding is persisted into the `agents` table (`secrets` and
+ * `settings.secrets` columns). On every restart, mergeDbSettings() in
+ * @elizaos/core copies it into character.settings.secrets, and
+ * runtime.getSetting() reads that BEFORE process.env. So rotating .env
+ * does nothing — the DB value wins forever, even after .env is changed.
+ *
+ * We open PGLite read-only, scan agents.secrets and agents.settings.secrets,
+ * and warn loudly if any LLM key differs from .env. We don't auto-mutate
+ * the DB — clearing secrets is a destructive operation that should be
+ * explicit (use scripts/clear-db-llm-secrets.mjs).
+ *
+ * Best-effort only: skipped if PGLite isn't installed, the DB dir doesn't
+ * exist (fresh project), or the `agents` table isn't there yet (pre-boot).
+ */
+async function checkDbShadow() {
+  const dbDir = path.join(PROJECT_ROOT, ".eliza", ".elizadb");
+  if (!existsSync(dbDir)) return;
+  let PGlite;
+  try {
+    ({ PGlite } = await import("@electric-sql/pglite"));
+  } catch {
+    return;
+  }
+  let db;
+  try {
+    db = new PGlite(dbDir);
+    await db.waitReady;
+  } catch {
+    return;
+  }
+  try {
+    const result = await db.query(
+      "SELECT id, name, secrets, settings FROM agents",
+    );
+    for (const row of result.rows) {
+      const topSecrets =
+        row.secrets && typeof row.secrets === "object" ? row.secrets : {};
+      const settingsSecrets =
+        row.settings &&
+        typeof row.settings === "object" &&
+        row.settings.secrets &&
+        typeof row.settings.secrets === "object"
+          ? row.settings.secrets
+          : {};
+      for (const key of SHADOWED_KEYS) {
+        const dbValue = topSecrets[key] ?? settingsSecrets[key];
+        const dotenvValue = env[key];
+        if (!dbValue) continue;
+        if (!dotenvValue) {
+          // DB has it, .env doesn't. Probably set via onboarding UI and not
+          // mirrored. Not necessarily a bug — but flag it so the user knows.
+          continue;
+        }
+        if (dbValue !== dotenvValue) {
+          fail(
+            `${key} in PGLite database (agent "${row.name}") differs from .env.\n` +
+              `  db    : ${String(dbValue).slice(0, 12)}…${String(dbValue).slice(-4)} (this is what the agent reads)\n` +
+              `  .env  : ${String(dotenvValue).slice(0, 12)}…${String(dotenvValue).slice(-4)} (this is what you probably edited)\n` +
+              `  mergeDbSettings() in @elizaos/core loads the DB value into character.settings.secrets, and\n` +
+              `  runtime.getSetting() reads that BEFORE process.env. Editing .env doesn't help.\n` +
+              `  Fix: stop \`bun run dev\` and run \`bun run scripts/clear-db-llm-secrets.mjs\`,\n` +
+              `       then start again. .env will then be the source of truth.`,
+          );
+        }
+      }
+    }
+  } catch {
+    // agents table doesn't exist yet (fresh boot) — nothing to check.
+  } finally {
+    try {
+      await db.close();
+    } catch {}
+  }
+}
+await checkDbShadow();
 if (hadFailure) {
   console.error(
     "\n\x1b[31m[verify-llm-plugins]\x1b[0m One or more LLM-provider checks failed. Chat will not work until this is resolved.\n",

package/templates-manifest.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "version": "1.0.0",
-  "generatedAt": "2026-05-27T08:46:59.428Z",
+  "generatedAt": "2026-05-27T09:21:58.814Z",
   "repoUrl": "https://github.com/elizaos/eliza",
   "templates": [
     {