hyperclaw 4.0.2 → 5.0.1

package/dist/manager-B2Gls5RG.js

@@ -0,0 +1,218 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const require_paths = require('./paths-AIyBxIzm.js');
+const require_paths$1 = require('./paths-DPovhojT.js');
+const require_credentials_store = require('./credentials-store-CA8UtK0T.js');
+const chalk = require_chunk.__toESM(require("chalk"));
+const ora = require_chunk.__toESM(require("ora"));
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+const os = require_chunk.__toESM(require("os"));
+
+//#region src/secrets/manager.ts
+require_paths$1.init_paths();
+const KNOWN_SECRETS = [
+	{
+		key: "TAVILY_API_KEY",
+		description: "Tavily web search API key",
+		requiredBy: ["web-search"]
+	},
+	{
+		key: "DEEPL_API_KEY",
+		description: "DeepL translation API key",
+		requiredBy: ["translator"]
+	},
+	{
+		key: "GITHUB_TOKEN",
+		description: "GitHub personal access token",
+		requiredBy: ["github"]
+	},
+	{
+		key: "OPENWEATHER_API_KEY",
+		description: "OpenWeatherMap API key",
+		requiredBy: ["weather"]
+	},
+	{
+		key: "GOOGLE_CALENDAR_CREDS",
+		description: "Google Calendar OAuth credentials",
+		requiredBy: ["calendar"]
+	},
+	{
+		key: "DATABASE_URL",
+		description: "Database connection URL",
+		requiredBy: ["db-reader"]
+	},
+	{
+		key: "HA_URL",
+		description: "Home Assistant URL",
+		requiredBy: ["home-assistant"]
+	},
+	{
+		key: "HA_TOKEN",
+		description: "Home Assistant long-lived token",
+		requiredBy: ["home-assistant"]
+	},
+	{
+		key: "ANTHROPIC_API_KEY",
+		description: "Anthropic API key",
+		requiredBy: ["provider:anthropic"]
+	},
+	{
+		key: "OPENAI_API_KEY",
+		description: "OpenAI API key",
+		requiredBy: ["provider:openai"]
+	},
+	{
+		key: "OPENROUTER_API_KEY",
+		description: "OpenRouter API key",
+		requiredBy: ["provider:openrouter"]
+	},
+	{
+		key: "XAI_API_KEY",
+		description: "xAI (Grok) API key",
+		requiredBy: ["provider:xai"]
+	},
+	{
+		key: "GOOGLE_AI_API_KEY",
+		description: "Google AI Studio API key",
+		requiredBy: ["provider:google"]
+	},
+	{
+		key: "HYPERCLAW_GATEWAY_TOKEN",
+		description: "Gateway shared auth token",
+		requiredBy: ["gateway"]
+	}
+];
+function mask(val) {
+	if (val.length <= 8) return "***";
+	return val.slice(0, 4) + "***" + val.slice(-3);
+}
+var SecretsManager = class {
+	envFile;
+	shellRcFiles;
+	creds;
+	constructor() {
+		const hcDir = require_paths.getHyperClawDir();
+		this.envFile = require_paths.getEnvFilePath();
+		const home = os.default.homedir();
+		this.shellRcFiles = [
+			path.default.join(home, ".bashrc"),
+			path.default.join(home, ".zshrc"),
+			path.default.join(home, ".profile")
+		];
+		this.creds = new require_credentials_store.CredentialsStore(hcDir);
+	}
+	resolveSecret(key) {
+		if (process.env[key]) return {
+			source: "env",
+			masked: mask(process.env[key]),
+			valid: true
+		};
+		if (fs_extra.default.pathExistsSync(this.envFile)) {
+			const envContent = fs_extra.default.readFileSync(this.envFile, "utf8");
+			const match = envContent.match(new RegExp(`^${key}=(.+)$`, "m"));
+			if (match) return {
+				source: "file",
+				masked: mask(match[1].trim()),
+				valid: true
+			};
+		}
+		return {
+			source: "missing",
+			valid: false
+		};
+	}
+	async audit(requiredBy) {
+		console.log(chalk.default.bold.cyan("\n  🔍 SECRETS AUDIT\n"));
+		const secrets = KNOWN_SECRETS.filter((s) => !requiredBy || s.requiredBy.some((r) => requiredBy.includes(r))).map((s) => ({
+			...s,
+			...this.resolveSecret(s.key)
+		}));
+		let missingCount = 0;
+		let presentCount = 0;
+		for (const secret of secrets) {
+			const icon = secret.valid ? chalk.default.green("✔") : chalk.default.red("✖");
+			const sourceLabel = {
+				env: chalk.default.cyan("[env]"),
+				file: chalk.default.yellow("[.env file]"),
+				"credentials-store": chalk.default.blue("[creds store]"),
+				missing: chalk.default.red("[missing]")
+			}[secret.source];
+			console.log(`  ${icon} ${chalk.default.white(secret.key.padEnd(28))} ${sourceLabel}`);
+			if (secret.masked) console.log(`     ${chalk.default.gray(`value: ${secret.masked}`)}`);
+			console.log(`     ${chalk.default.gray(`required by: ${secret.requiredBy.join(", ")}`)}`);
+			console.log();
+			if (secret.valid) presentCount++;
+			else missingCount++;
+		}
+		console.log(`  ${chalk.default.bold("Summary:")} ${chalk.default.green(`${presentCount} present`)}  ${chalk.default.red(`${missingCount} missing`)}`);
+		if (missingCount > 0) {
+			console.log(chalk.default.gray("\n  To add a secret:"));
+			console.log(chalk.default.gray("    hyperclaw secrets set TAVILY_API_KEY=tvly-..."));
+			console.log(chalk.default.gray("    hyperclaw secrets apply    # write to shell config"));
+			console.log(chalk.default.gray("    hyperclaw secrets reload   # reload into running gateway\n"));
+		} else console.log(chalk.default.green("\n  ✔  All required secrets are present!\n"));
+	}
+	async set(keyValue) {
+		const eqIdx = keyValue.indexOf("=");
+		if (eqIdx === -1) {
+			console.log(chalk.default.red("  ✖  Format: hyperclaw secrets set KEY=value"));
+			return;
+		}
+		const key = keyValue.slice(0, eqIdx).trim();
+		const value = keyValue.slice(eqIdx + 1).trim();
+		await fs_extra.default.ensureDir(path.default.dirname(this.envFile));
+		await fs_extra.default.appendFile(this.envFile, `${key}=${value}\n`);
+		await fs_extra.default.chmod(this.envFile, 384);
+		console.log(chalk.default.green(`\n  ✔  Secret set: ${key}=${mask(value)}`));
+		console.log(chalk.default.gray(`     Stored in: ${this.envFile}`));
+		console.log(chalk.default.gray("     Run: hyperclaw secrets apply   to write to shell config"));
+		console.log(chalk.default.gray("     Run: hyperclaw secrets reload  to inject into running gateway\n"));
+	}
+	async apply() {
+		const spinner = (0, ora.default)("Applying secrets to shell configuration...").start();
+		if (!await fs_extra.default.pathExists(this.envFile)) {
+			spinner.fail("No .env file found. Run: hyperclaw secrets set KEY=value first");
+			return;
+		}
+		const envContent = await fs_extra.default.readFile(this.envFile, "utf8");
+		const lines = envContent.split("\n").filter((l) => l.includes("=") && !l.startsWith("#"));
+		for (const rcFile of this.shellRcFiles) if (await fs_extra.default.pathExists(rcFile)) {
+			let rc = await fs_extra.default.readFile(rcFile, "utf8");
+			const marker = "# === HyperClaw secrets — auto-managed, do not edit manually ===";
+			const markerEnd = "# === end HyperClaw secrets ===";
+			const blockRe = new RegExp(`${marker}[\\s\\S]*?${markerEnd}\n?`, "g");
+			rc = rc.replace(blockRe, "");
+			const exportLines = lines.map((l) => `export ${l}`).join("\n");
+			const block = `\n${marker}\n${exportLines}\n${markerEnd}\n`;
+			rc = rc + block;
+			await fs_extra.default.writeFile(rcFile, rc, "utf8");
+			spinner.text = `Applied to ${path.default.basename(rcFile)}`;
+		}
+		spinner.succeed(`Secrets applied to shell config (${lines.length} variables)`);
+		console.log(chalk.default.gray("  Reload your shell or run: source ~/.bashrc\n"));
+	}
+	async reload() {
+		const spinner = (0, ora.default)("Reloading secrets into running gateway...").start();
+		await new Promise((r) => setTimeout(r, 1200));
+		if (await fs_extra.default.pathExists(this.envFile)) {
+			const lines = (await fs_extra.default.readFile(this.envFile, "utf8")).split("\n").filter((l) => l.includes("=") && !l.startsWith("#"));
+			for (const line of lines) {
+				const [k, ...rest] = line.split("=");
+				process.env[k.trim()] = rest.join("=").trim();
+			}
+			spinner.succeed(`Reloaded ${lines.length} secrets into environment`);
+			console.log(chalk.default.gray("  Gateway will pick these up on next request\n"));
+		} else spinner.warn("No .env file found — nothing to reload");
+	}
+	async remove(key) {
+		if (await fs_extra.default.pathExists(this.envFile)) {
+			let content = await fs_extra.default.readFile(this.envFile, "utf8");
+			content = content.replace(new RegExp(`^${key}=.+\n?`, "gm"), "");
+			await fs_extra.default.writeFile(this.envFile, content, "utf8");
+		}
+		console.log(chalk.default.green(`\n  ✔  Secret removed: ${key}\n`));
+	}
+};
+
+//#endregion
+exports.SecretsManager = SecretsManager;

package/dist/manager-BpDfbDjg.js

@@ -0,0 +1,117 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const chalk = require_chunk.__toESM(require("chalk"));
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+const os = require_chunk.__toESM(require("os"));
+const crypto = require_chunk.__toESM(require("crypto"));
+
+//#region src/webhooks/manager.ts
+const WEBHOOKS_FILE = path.default.join(os.default.homedir(), ".hyperclaw", "webhooks.json");
+function generateSecret() {
+	return crypto.default.randomBytes(24).toString("hex");
+}
+function generateId() {
+	return crypto.default.randomBytes(6).toString("hex");
+}
+var WebhookManager = class {
+	webhooks = [];
+	async load() {
+		try {
+			this.webhooks = await fs_extra.default.readJson(WEBHOOKS_FILE);
+		} catch {
+			this.webhooks = [];
+		}
+	}
+	async save() {
+		await fs_extra.default.ensureDir(path.default.dirname(WEBHOOKS_FILE));
+		await fs_extra.default.writeJson(WEBHOOKS_FILE, this.webhooks, { spaces: 2 });
+	}
+	async add(opts) {
+		await this.load();
+		const wh = {
+			id: generateId(),
+			name: opts.name,
+			secret: opts.withSecret ? generateSecret() : void 0,
+			format: opts.format || "json",
+			routeTo: opts.routeTo,
+			enabled: true,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+			hitCount: 0,
+			filterPath: opts.filterPath,
+			template: opts.template
+		};
+		this.webhooks.push(wh);
+		await this.save();
+		return wh;
+	}
+	async remove(id) {
+		await this.load();
+		this.webhooks = this.webhooks.filter((w) => w.id !== id);
+		await this.save();
+	}
+	async toggle(id) {
+		await this.load();
+		const wh = this.webhooks.find((w) => w.id === id);
+		if (wh) {
+			wh.enabled = !wh.enabled;
+			await this.save();
+		}
+	}
+	async recordHit(id) {
+		const wh = this.webhooks.find((w) => w.id === id);
+		if (wh) {
+			wh.hitCount++;
+			wh.lastHitAt = (/* @__PURE__ */ new Date()).toISOString();
+			await this.save();
+		}
+	}
+	verifySignature(webhook, payload, sig) {
+		if (!webhook.secret) return true;
+		const expected = crypto.default.createHmac("sha256", webhook.secret).update(payload).digest("hex");
+		return crypto.default.timingSafeEqual(Buffer.from(sig.replace("sha256=", ""), "hex"), Buffer.from(expected, "hex"));
+	}
+	extractMessage(webhook, rawBody) {
+		if (!webhook.filterPath && !webhook.template) return rawBody;
+		let body;
+		try {
+			body = JSON.parse(rawBody);
+		} catch {
+			body = { text: rawBody };
+		}
+		if (webhook.template) return webhook.template.replace(/\{\{([^}]+)\}\}/g, (_, key) => {
+			const parts = key.trim().split(".");
+			let val = body;
+			for (const p of parts) val = val?.[p];
+			return val !== void 0 ? String(val) : "";
+		});
+		if (webhook.filterPath) {
+			const parts = webhook.filterPath.split(".");
+			let val = body;
+			for (const p of parts) val = val?.[p];
+			return val !== void 0 ? String(val) : rawBody;
+		}
+		return rawBody;
+	}
+	showList(gatewayPort = 18789) {
+		console.log(chalk.default.bold.cyan("\n  🪝 WEBHOOKS\n"));
+		if (this.webhooks.length === 0) {
+			console.log(chalk.default.gray("  No webhooks configured.\n"));
+			console.log(chalk.default.gray("  Add with: hyperclaw webhooks add\n"));
+			return;
+		}
+		for (const wh of this.webhooks) {
+			const dot = wh.enabled ? chalk.default.green("●") : chalk.default.gray("○");
+			const url = chalk.default.underline.cyan(`http://localhost:${gatewayPort}/webhook/${wh.id}`);
+			console.log(`  ${dot} ${chalk.default.white(wh.name)} ${chalk.default.gray(`[${wh.format}]`)}`);
+			console.log(`    ${chalk.default.gray("URL:")}    ${url}`);
+			console.log(`    ${chalk.default.gray("Route:")}  ${wh.routeTo.type} → ${wh.routeTo.target}`);
+			if (wh.secret) console.log(`    ${chalk.default.gray("Secret:")} ${wh.secret.slice(0, 8)}...`);
+			if (wh.template) console.log(`    ${chalk.default.gray("Template:")} ${wh.template.slice(0, 50)}`);
+			console.log(`    ${chalk.default.gray(`Hits: ${wh.hitCount}  Last: ${wh.lastHitAt ? new Date(wh.lastHitAt).toLocaleString() : "never"}`)}`);
+			console.log();
+		}
+	}
+};
+
+//#endregion
+exports.WebhookManager = WebhookManager;

package/dist/manager-Bxl0sqlh.js

@@ -0,0 +1,4 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const require_manager = require('./manager-03ipO9R0.js');
+
+exports.GatewayManager = require_manager.GatewayManager;

package/dist/manager-CWNSML5D.js

@@ -0,0 +1,117 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const chalk = require_chunk.__toESM(require("chalk"));
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+const os = require_chunk.__toESM(require("os"));
+const crypto = require_chunk.__toESM(require("crypto"));
+
+//#region src/webhooks/manager.ts
+const WEBHOOKS_FILE = path.default.join(os.default.homedir(), ".hyperclaw", "webhooks.json");
+function generateSecret() {
+	return crypto.default.randomBytes(24).toString("hex");
+}
+function generateId() {
+	return crypto.default.randomBytes(6).toString("hex");
+}
+var WebhookManager = class {
+	webhooks = [];
+	async load() {
+		try {
+			this.webhooks = await fs_extra.default.readJson(WEBHOOKS_FILE);
+		} catch {
+			this.webhooks = [];
+		}
+	}
+	async save() {
+		await fs_extra.default.ensureDir(path.default.dirname(WEBHOOKS_FILE));
+		await fs_extra.default.writeJson(WEBHOOKS_FILE, this.webhooks, { spaces: 2 });
+	}
+	async add(opts) {
+		await this.load();
+		const wh = {
+			id: generateId(),
+			name: opts.name,
+			secret: opts.withSecret ? generateSecret() : void 0,
+			format: opts.format || "json",
+			routeTo: opts.routeTo,
+			enabled: true,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+			hitCount: 0,
+			filterPath: opts.filterPath,
+			template: opts.template
+		};
+		this.webhooks.push(wh);
+		await this.save();
+		return wh;
+	}
+	async remove(id) {
+		await this.load();
+		this.webhooks = this.webhooks.filter((w) => w.id !== id);
+		await this.save();
+	}
+	async toggle(id) {
+		await this.load();
+		const wh = this.webhooks.find((w) => w.id === id);
+		if (wh) {
+			wh.enabled = !wh.enabled;
+			await this.save();
+		}
+	}
+	async recordHit(id) {
+		const wh = this.webhooks.find((w) => w.id === id);
+		if (wh) {
+			wh.hitCount++;
+			wh.lastHitAt = (/* @__PURE__ */ new Date()).toISOString();
+			await this.save();
+		}
+	}
+	verifySignature(webhook, payload, sig) {
+		if (!webhook.secret) return true;
+		const expected = crypto.default.createHmac("sha256", webhook.secret).update(payload).digest("hex");
+		return crypto.default.timingSafeEqual(Buffer.from(sig.replace("sha256=", ""), "hex"), Buffer.from(expected, "hex"));
+	}
+	extractMessage(webhook, rawBody) {
+		if (!webhook.filterPath && !webhook.template) return rawBody;
+		let body;
+		try {
+			body = JSON.parse(rawBody);
+		} catch {
+			body = { text: rawBody };
+		}
+		if (webhook.template) return webhook.template.replace(/\{\{([^}]+)\}\}/g, (_, key) => {
+			const parts = key.trim().split(".");
+			let val = body;
+			for (const p of parts) val = val?.[p];
+			return val !== void 0 ? String(val) : "";
+		});
+		if (webhook.filterPath) {
+			const parts = webhook.filterPath.split(".");
+			let val = body;
+			for (const p of parts) val = val?.[p];
+			return val !== void 0 ? String(val) : rawBody;
+		}
+		return rawBody;
+	}
+	showList(gatewayPort = 18789) {
+		console.log(chalk.default.bold.cyan("\n  🪝 WEBHOOKS\n"));
+		if (this.webhooks.length === 0) {
+			console.log(chalk.default.gray("  No webhooks configured.\n"));
+			console.log(chalk.default.gray("  Add with: hyperclaw webhooks add\n"));
+			return;
+		}
+		for (const wh of this.webhooks) {
+			const dot = wh.enabled ? chalk.default.green("●") : chalk.default.gray("○");
+			const url = chalk.default.underline.cyan(`http://localhost:${gatewayPort}/webhook/${wh.id}`);
+			console.log(`  ${dot} ${chalk.default.white(wh.name)} ${chalk.default.gray(`[${wh.format}]`)}`);
+			console.log(`    ${chalk.default.gray("URL:")}    ${url}`);
+			console.log(`    ${chalk.default.gray("Route:")}  ${wh.routeTo.type} → ${wh.routeTo.target}`);
+			if (wh.secret) console.log(`    ${chalk.default.gray("Secret:")} ${wh.secret.slice(0, 8)}...`);
+			if (wh.template) console.log(`    ${chalk.default.gray("Template:")} ${wh.template.slice(0, 50)}`);
+			console.log(`    ${chalk.default.gray(`Hits: ${wh.hitCount}  Last: ${wh.lastHitAt ? new Date(wh.lastHitAt).toLocaleString() : "never"}`)}`);
+			console.log();
+		}
+	}
+};
+
+//#endregion
+exports.WebhookManager = WebhookManager;

package/dist/manager-CrVDn6eN.js

@@ -0,0 +1,6 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+require('./paths-AIyBxIzm.js');
+require('./paths-DPovhojT.js');
+const require_manager = require('./manager-rgCsaWT1.js');
+
+exports.ConfigManager = require_manager.ConfigManager;

package/dist/manager-FCgF1plu.js

@@ -0,0 +1,218 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const require_paths = require('./paths-AIyBxIzm.js');
+const require_paths$1 = require('./paths-DPovhojT.js');
+const require_credentials_store = require('./credentials-store-H13LqOwJ.js');
+const chalk = require_chunk.__toESM(require("chalk"));
+const ora = require_chunk.__toESM(require("ora"));
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+const os = require_chunk.__toESM(require("os"));
+
+//#region src/secrets/manager.ts
+require_paths$1.init_paths();
+const KNOWN_SECRETS = [
+	{
+		key: "TAVILY_API_KEY",
+		description: "Tavily web search API key",
+		requiredBy: ["web-search"]
+	},
+	{
+		key: "DEEPL_API_KEY",
+		description: "DeepL translation API key",
+		requiredBy: ["translator"]
+	},
+	{
+		key: "GITHUB_TOKEN",
+		description: "GitHub personal access token",
+		requiredBy: ["github"]
+	},
+	{
+		key: "OPENWEATHER_API_KEY",
+		description: "OpenWeatherMap API key",
+		requiredBy: ["weather"]
+	},
+	{
+		key: "GOOGLE_CALENDAR_CREDS",
+		description: "Google Calendar OAuth credentials",
+		requiredBy: ["calendar"]
+	},
+	{
+		key: "DATABASE_URL",
+		description: "Database connection URL",
+		requiredBy: ["db-reader"]
+	},
+	{
+		key: "HA_URL",
+		description: "Home Assistant URL",
+		requiredBy: ["home-assistant"]
+	},
+	{
+		key: "HA_TOKEN",
+		description: "Home Assistant long-lived token",
+		requiredBy: ["home-assistant"]
+	},
+	{
+		key: "ANTHROPIC_API_KEY",
+		description: "Anthropic API key",
+		requiredBy: ["provider:anthropic"]
+	},
+	{
+		key: "OPENAI_API_KEY",
+		description: "OpenAI API key",
+		requiredBy: ["provider:openai"]
+	},
+	{
+		key: "OPENROUTER_API_KEY",
+		description: "OpenRouter API key",
+		requiredBy: ["provider:openrouter"]
+	},
+	{
+		key: "XAI_API_KEY",
+		description: "xAI (Grok) API key",
+		requiredBy: ["provider:xai"]
+	},
+	{
+		key: "GOOGLE_AI_API_KEY",
+		description: "Google AI Studio API key",
+		requiredBy: ["provider:google"]
+	},
+	{
+		key: "HYPERCLAW_GATEWAY_TOKEN",
+		description: "Gateway shared auth token",
+		requiredBy: ["gateway"]
+	}
+];
+function mask(val) {
+	if (val.length <= 8) return "***";
+	return val.slice(0, 4) + "***" + val.slice(-3);
+}
+var SecretsManager = class {
+	envFile;
+	shellRcFiles;
+	creds;
+	constructor() {
+		const hcDir = require_paths.getHyperClawDir();
+		this.envFile = require_paths.getEnvFilePath();
+		const home = os.default.homedir();
+		this.shellRcFiles = [
+			path.default.join(home, ".bashrc"),
+			path.default.join(home, ".zshrc"),
+			path.default.join(home, ".profile")
+		];
+		this.creds = new require_credentials_store.CredentialsStore(hcDir);
+	}
+	resolveSecret(key) {
+		if (process.env[key]) return {
+			source: "env",
+			masked: mask(process.env[key]),
+			valid: true
+		};
+		if (fs_extra.default.pathExistsSync(this.envFile)) {
+			const envContent = fs_extra.default.readFileSync(this.envFile, "utf8");
+			const match = envContent.match(new RegExp(`^${key}=(.+)$`, "m"));
+			if (match) return {
+				source: "file",
+				masked: mask(match[1].trim()),
+				valid: true
+			};
+		}
+		return {
+			source: "missing",
+			valid: false
+		};
+	}
+	async audit(requiredBy) {
+		console.log(chalk.default.bold.cyan("\n  🔍 SECRETS AUDIT\n"));
+		const secrets = KNOWN_SECRETS.filter((s) => !requiredBy || s.requiredBy.some((r) => requiredBy.includes(r))).map((s) => ({
+			...s,
+			...this.resolveSecret(s.key)
+		}));
+		let missingCount = 0;
+		let presentCount = 0;
+		for (const secret of secrets) {
+			const icon = secret.valid ? chalk.default.green("✔") : chalk.default.red("✖");
+			const sourceLabel = {
+				env: chalk.default.cyan("[env]"),
+				file: chalk.default.yellow("[.env file]"),
+				"credentials-store": chalk.default.blue("[creds store]"),
+				missing: chalk.default.red("[missing]")
+			}[secret.source];
+			console.log(`  ${icon} ${chalk.default.white(secret.key.padEnd(28))} ${sourceLabel}`);
+			if (secret.masked) console.log(`     ${chalk.default.gray(`value: ${secret.masked}`)}`);
+			console.log(`     ${chalk.default.gray(`required by: ${secret.requiredBy.join(", ")}`)}`);
+			console.log();
+			if (secret.valid) presentCount++;
+			else missingCount++;
+		}
+		console.log(`  ${chalk.default.bold("Summary:")} ${chalk.default.green(`${presentCount} present`)}  ${chalk.default.red(`${missingCount} missing`)}`);
+		if (missingCount > 0) {
+			console.log(chalk.default.gray("\n  To add a secret:"));
+			console.log(chalk.default.gray("    hyperclaw secrets set TAVILY_API_KEY=tvly-..."));
+			console.log(chalk.default.gray("    hyperclaw secrets apply    # write to shell config"));
+			console.log(chalk.default.gray("    hyperclaw secrets reload   # reload into running gateway\n"));
+		} else console.log(chalk.default.green("\n  ✔  All required secrets are present!\n"));
+	}
+	async set(keyValue) {
+		const eqIdx = keyValue.indexOf("=");
+		if (eqIdx === -1) {
+			console.log(chalk.default.red("  ✖  Format: hyperclaw secrets set KEY=value"));
+			return;
+		}
+		const key = keyValue.slice(0, eqIdx).trim();
+		const value = keyValue.slice(eqIdx + 1).trim();
+		await fs_extra.default.ensureDir(path.default.dirname(this.envFile));
+		await fs_extra.default.appendFile(this.envFile, `${key}=${value}\n`);
+		await fs_extra.default.chmod(this.envFile, 384);
+		console.log(chalk.default.green(`\n  ✔  Secret set: ${key}=${mask(value)}`));
+		console.log(chalk.default.gray(`     Stored in: ${this.envFile}`));
+		console.log(chalk.default.gray("     Run: hyperclaw secrets apply   to write to shell config"));
+		console.log(chalk.default.gray("     Run: hyperclaw secrets reload  to inject into running gateway\n"));
+	}
+	async apply() {
+		const spinner = (0, ora.default)("Applying secrets to shell configuration...").start();
+		if (!await fs_extra.default.pathExists(this.envFile)) {
+			spinner.fail("No .env file found. Run: hyperclaw secrets set KEY=value first");
+			return;
+		}
+		const envContent = await fs_extra.default.readFile(this.envFile, "utf8");
+		const lines = envContent.split("\n").filter((l) => l.includes("=") && !l.startsWith("#"));
+		for (const rcFile of this.shellRcFiles) if (await fs_extra.default.pathExists(rcFile)) {
+			let rc = await fs_extra.default.readFile(rcFile, "utf8");
+			const marker = "# === HyperClaw secrets — auto-managed, do not edit manually ===";
+			const markerEnd = "# === end HyperClaw secrets ===";
+			const blockRe = new RegExp(`${marker}[\\s\\S]*?${markerEnd}\n?`, "g");
+			rc = rc.replace(blockRe, "");
+			const exportLines = lines.map((l) => `export ${l}`).join("\n");
+			const block = `\n${marker}\n${exportLines}\n${markerEnd}\n`;
+			rc = rc + block;
+			await fs_extra.default.writeFile(rcFile, rc, "utf8");
+			spinner.text = `Applied to ${path.default.basename(rcFile)}`;
+		}
+		spinner.succeed(`Secrets applied to shell config (${lines.length} variables)`);
+		console.log(chalk.default.gray("  Reload your shell or run: source ~/.bashrc\n"));
+	}
+	async reload() {
+		const spinner = (0, ora.default)("Reloading secrets into running gateway...").start();
+		await new Promise((r) => setTimeout(r, 1200));
+		if (await fs_extra.default.pathExists(this.envFile)) {
+			const lines = (await fs_extra.default.readFile(this.envFile, "utf8")).split("\n").filter((l) => l.includes("=") && !l.startsWith("#"));
+			for (const line of lines) {
+				const [k, ...rest] = line.split("=");
+				process.env[k.trim()] = rest.join("=").trim();
+			}
+			spinner.succeed(`Reloaded ${lines.length} secrets into environment`);
+			console.log(chalk.default.gray("  Gateway will pick these up on next request\n"));
+		} else spinner.warn("No .env file found — nothing to reload");
+	}
+	async remove(key) {
+		if (await fs_extra.default.pathExists(this.envFile)) {
+			let content = await fs_extra.default.readFile(this.envFile, "utf8");
+			content = content.replace(new RegExp(`^${key}=.+\n?`, "gm"), "");
+			await fs_extra.default.writeFile(this.envFile, content, "utf8");
+		}
+		console.log(chalk.default.green(`\n  ✔  Secret removed: ${key}\n`));
+	}
+};
+
+//#endregion
+exports.SecretsManager = SecretsManager;

package/dist/manager-SJe9gt-q.js

@@ -0,0 +1,4 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const require_manager = require('./manager-03ipO9R0.js');
+
+exports.GatewayManager = require_manager.GatewayManager;