hyperclaw 5.4.0 → 5.4.2

package/dist/logger-DkHzhh56.js

@@ -0,0 +1,86 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const require_paths = require('./paths-AIyBxIzm.js');
+const require_paths$1 = require('./paths-DPovhojT.js');
+const chalk = require_chunk.__toESM(require("chalk"));
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+
+//#region src/logging/logger.ts
+require_paths$1.init_paths();
+const LEVEL_COLOR = {
+	debug: chalk.default.gray,
+	info: chalk.default.cyan,
+	warn: chalk.default.yellow,
+	error: chalk.default.red,
+	silent: chalk.default.gray
+};
+const getLogDir = () => path.default.join(require_paths.getHyperClawDir(), "logs");
+const getLogFile = () => path.default.join(getLogDir(), "hyperclaw.log");
+const MAX_LOG_BYTES = 5 * 1024 * 1024;
+function formatConsole(entry) {
+	const ts = chalk.default.gray(entry.ts.slice(11, 23));
+	const level = LEVEL_COLOR[entry.level](entry.level.toUpperCase().padEnd(5));
+	const mod = chalk.default.blue(`[${entry.module}]`);
+	const data = entry.data ? chalk.default.gray(" " + JSON.stringify(entry.data)) : "";
+	return `  ${ts} ${level} ${mod} ${entry.message}${data}`;
+}
+async function tailLog(lines = 50) {
+	if (!await fs_extra.default.pathExists(getLogFile())) {
+		console.log(chalk.default.gray("\n  No log file yet. Start the daemon first.\n"));
+		return;
+	}
+	const content = await fs_extra.default.readFile(getLogFile(), "utf8");
+	const all = content.trim().split("\n").filter(Boolean);
+	const tail = all.slice(-lines);
+	console.log(chalk.default.bold.cyan(`\n  📋 LAST ${tail.length} LOG ENTRIES\n`));
+	for (const line of tail) try {
+		const entry = JSON.parse(line);
+		console.log(formatConsole(entry));
+	} catch {
+		console.log(chalk.default.gray("  " + line));
+	}
+	console.log();
+}
+async function streamLog() {
+	console.log(chalk.default.bold.cyan("\n  📡 STREAMING LOGS (Ctrl+C to stop)\n"));
+	await fs_extra.default.ensureDir(getLogDir());
+	await fs_extra.default.ensureFile(getLogFile());
+	const { createReadStream } = await import("fs");
+	const { Tail } = await import("tail").catch(() => ({ Tail: null }));
+	if (Tail) {
+		const tail = new Tail(getLogFile());
+		tail.on("line", (line) => {
+			try {
+				const entry = JSON.parse(line);
+				console.log(formatConsole(entry));
+			} catch {
+				console.log(chalk.default.gray("  " + line));
+			}
+		});
+		await new Promise(() => {});
+	} else {
+		const { spawn } = await import("child_process");
+		const proc = spawn("tail", ["-f", getLogFile()], { stdio: [
+			"ignore",
+			"pipe",
+			"ignore"
+		] });
+		proc.stdout?.on("data", (chunk) => {
+			const lines = chunk.toString().split("\n");
+			for (const line of lines) {
+				if (!line.trim()) continue;
+				try {
+					const entry = JSON.parse(line);
+					console.log(formatConsole(entry));
+				} catch {
+					console.log(chalk.default.gray("  " + line));
+				}
+			}
+		});
+		await new Promise(() => {});
+	}
+}
+
+//#endregion
+exports.streamLog = streamLog;
+exports.tailLog = tailLog;

package/dist/logger-Oty9sC13.js

@@ -0,0 +1,86 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const require_paths = require('./paths-AIyBxIzm.js');
+const require_paths$1 = require('./paths-DPovhojT.js');
+const chalk = require_chunk.__toESM(require("chalk"));
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+
+//#region src/logging/logger.ts
+require_paths$1.init_paths();
+const LEVEL_COLOR = {
+	debug: chalk.default.gray,
+	info: chalk.default.cyan,
+	warn: chalk.default.yellow,
+	error: chalk.default.red,
+	silent: chalk.default.gray
+};
+const getLogDir = () => path.default.join(require_paths.getHyperClawDir(), "logs");
+const getLogFile = () => path.default.join(getLogDir(), "hyperclaw.log");
+const MAX_LOG_BYTES = 5 * 1024 * 1024;
+function formatConsole(entry) {
+	const ts = chalk.default.gray(entry.ts.slice(11, 23));
+	const level = LEVEL_COLOR[entry.level](entry.level.toUpperCase().padEnd(5));
+	const mod = chalk.default.blue(`[${entry.module}]`);
+	const data = entry.data ? chalk.default.gray(" " + JSON.stringify(entry.data)) : "";
+	return `  ${ts} ${level} ${mod} ${entry.message}${data}`;
+}
+async function tailLog(lines = 50) {
+	if (!await fs_extra.default.pathExists(getLogFile())) {
+		console.log(chalk.default.gray("\n  No log file yet. Start the daemon first.\n"));
+		return;
+	}
+	const content = await fs_extra.default.readFile(getLogFile(), "utf8");
+	const all = content.trim().split("\n").filter(Boolean);
+	const tail = all.slice(-lines);
+	console.log(chalk.default.bold.cyan(`\n  📋 LAST ${tail.length} LOG ENTRIES\n`));
+	for (const line of tail) try {
+		const entry = JSON.parse(line);
+		console.log(formatConsole(entry));
+	} catch {
+		console.log(chalk.default.gray("  " + line));
+	}
+	console.log();
+}
+async function streamLog() {
+	console.log(chalk.default.bold.cyan("\n  📡 STREAMING LOGS (Ctrl+C to stop)\n"));
+	await fs_extra.default.ensureDir(getLogDir());
+	await fs_extra.default.ensureFile(getLogFile());
+	const { createReadStream } = await import("fs");
+	const { Tail } = await import("tail").catch(() => ({ Tail: null }));
+	if (Tail) {
+		const tail = new Tail(getLogFile());
+		tail.on("line", (line) => {
+			try {
+				const entry = JSON.parse(line);
+				console.log(formatConsole(entry));
+			} catch {
+				console.log(chalk.default.gray("  " + line));
+			}
+		});
+		await new Promise(() => {});
+	} else {
+		const { spawn } = await import("child_process");
+		const proc = spawn("tail", ["-f", getLogFile()], { stdio: [
+			"ignore",
+			"pipe",
+			"ignore"
+		] });
+		proc.stdout?.on("data", (chunk) => {
+			const lines = chunk.toString().split("\n");
+			for (const line of lines) {
+				if (!line.trim()) continue;
+				try {
+					const entry = JSON.parse(line);
+					console.log(formatConsole(entry));
+				} catch {
+					console.log(chalk.default.gray("  " + line));
+				}
+			}
+		});
+		await new Promise(() => {});
+	}
+}
+
+//#endregion
+exports.streamLog = streamLog;
+exports.tailLog = tailLog;

package/dist/manager-3-q8zuAW.js

@@ -0,0 +1,250 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const require_paths = require('./paths-AIyBxIzm.js');
+const require_paths$1 = require('./paths-DPovhojT.js');
+const require_credentials_store = require('./credentials-store-CXq4kZub.js');
+const chalk = require_chunk.__toESM(require("chalk"));
+const ora = require_chunk.__toESM(require("ora"));
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+const os = require_chunk.__toESM(require("os"));
+
+//#region src/secrets/manager.ts
+require_credentials_store.init_credentials_store();
+require_paths$1.init_paths();
+const KNOWN_SECRETS = [
+	{
+		key: "TAVILY_API_KEY",
+		description: "Tavily web search API key",
+		requiredBy: ["web-search"]
+	},
+	{
+		key: "DEEPL_API_KEY",
+		description: "DeepL translation API key",
+		requiredBy: ["translator"]
+	},
+	{
+		key: "GITHUB_TOKEN",
+		description: "GitHub personal access token",
+		requiredBy: ["github"]
+	},
+	{
+		key: "OPENWEATHER_API_KEY",
+		description: "OpenWeatherMap API key",
+		requiredBy: ["weather"]
+	},
+	{
+		key: "GOOGLE_CALENDAR_CREDS",
+		description: "Google Calendar OAuth credentials",
+		requiredBy: ["calendar"]
+	},
+	{
+		key: "DATABASE_URL",
+		description: "Database connection URL",
+		requiredBy: ["db-reader"]
+	},
+	{
+		key: "HA_URL",
+		description: "Home Assistant URL",
+		requiredBy: ["home-assistant"]
+	},
+	{
+		key: "HA_TOKEN",
+		description: "Home Assistant long-lived token",
+		requiredBy: ["home-assistant"]
+	},
+	{
+		key: "ANTHROPIC_API_KEY",
+		description: "Anthropic API key",
+		requiredBy: ["provider:anthropic"]
+	},
+	{
+		key: "OPENAI_API_KEY",
+		description: "OpenAI API key",
+		requiredBy: ["provider:openai"]
+	},
+	{
+		key: "OPENROUTER_API_KEY",
+		description: "OpenRouter API key",
+		requiredBy: ["provider:openrouter"]
+	},
+	{
+		key: "XAI_API_KEY",
+		description: "xAI (Grok) API key",
+		requiredBy: ["provider:xai"]
+	},
+	{
+		key: "GOOGLE_AI_API_KEY",
+		description: "Google AI Studio API key",
+		requiredBy: ["provider:google"]
+	},
+	{
+		key: "HYPERCLAW_GATEWAY_TOKEN",
+		description: "Gateway shared auth token",
+		requiredBy: ["gateway"]
+	}
+];
+function mask(val) {
+	if (val.length <= 8) return "***";
+	return val.slice(0, 4) + "***" + val.slice(-3);
+}
+function escapeRegex(s) {
+	return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+var SecretsManager = class {
+	envFile;
+	shellRcFiles;
+	creds;
+	constructor() {
+		const hcDir = require_paths.getHyperClawDir();
+		this.envFile = require_paths.getEnvFilePath();
+		const home = os.default.homedir();
+		const isWin = process.platform === "win32";
+		this.shellRcFiles = isWin ? [path.default.join(home, "Documents", "WindowsPowerShell", "Microsoft.PowerShell_profile.ps1"), path.default.join(home, ".powershell_profile.ps1")] : [
+			path.default.join(home, ".bashrc"),
+			path.default.join(home, ".zshrc"),
+			path.default.join(home, ".profile")
+		];
+		this.creds = new require_credentials_store.CredentialsStore(hcDir);
+	}
+	resolveSecret(key) {
+		if (process.env[key]) return {
+			source: "env",
+			masked: mask(process.env[key]),
+			valid: true
+		};
+		if (fs_extra.default.pathExistsSync(this.envFile)) {
+			const envContent = fs_extra.default.readFileSync(this.envFile, "utf8");
+			const match = envContent.match(new RegExp(`^${key}=(.+)$`, "m"));
+			if (match) return {
+				source: "file",
+				masked: mask(match[1].trim()),
+				valid: true
+			};
+		}
+		return {
+			source: "missing",
+			valid: false
+		};
+	}
+	async audit(requiredBy) {
+		console.log(chalk.default.bold.cyan("\n  🔍 SECRETS AUDIT\n"));
+		const secrets = KNOWN_SECRETS.filter((s) => !requiredBy || s.requiredBy.some((r) => requiredBy.includes(r))).map((s) => ({
+			...s,
+			...this.resolveSecret(s.key)
+		}));
+		let missingCount = 0;
+		let presentCount = 0;
+		for (const secret of secrets) {
+			const icon = secret.valid ? chalk.default.green("✔") : chalk.default.red("✖");
+			const sourceLabel = {
+				env: chalk.default.cyan("[env]"),
+				file: chalk.default.yellow("[.env file]"),
+				"credentials-store": chalk.default.blue("[creds store]"),
+				missing: chalk.default.red("[missing]")
+			}[secret.source];
+			console.log(`  ${icon} ${chalk.default.white(secret.key.padEnd(28))} ${sourceLabel}`);
+			if (secret.masked) console.log(`     ${chalk.default.gray(`value: ${secret.masked}`)}`);
+			console.log(`     ${chalk.default.gray(`required by: ${secret.requiredBy.join(", ")}`)}`);
+			console.log();
+			if (secret.valid) presentCount++;
+			else missingCount++;
+		}
+		console.log(`  ${chalk.default.bold("Summary:")} ${chalk.default.green(`${presentCount} present`)}  ${chalk.default.red(`${missingCount} missing`)}`);
+		if (missingCount > 0) {
+			console.log(chalk.default.gray("\n  To add a secret:"));
+			console.log(chalk.default.gray("    hyperclaw secrets set TAVILY_API_KEY=tvly-..."));
+			console.log(chalk.default.gray("    hyperclaw secrets apply    # write to shell config"));
+			console.log(chalk.default.gray("    hyperclaw secrets reload   # reload into running gateway\n"));
+		} else console.log(chalk.default.green("\n  ✔  All required secrets are present!\n"));
+	}
+	async set(keyValue) {
+		const eqIdx = keyValue.indexOf("=");
+		if (eqIdx === -1) {
+			console.log(chalk.default.red("  ✖  Format: hyperclaw secrets set KEY=value"));
+			return;
+		}
+		const key = keyValue.slice(0, eqIdx).trim();
+		const value = keyValue.slice(eqIdx + 1).trim();
+		await fs_extra.default.ensureDir(path.default.dirname(this.envFile));
+		let content = await fs_extra.default.pathExists(this.envFile) ? await fs_extra.default.readFile(this.envFile, "utf8") : "";
+		const lineRe = new RegExp(`^${escapeRegex(key)}=.*$`, "m");
+		if (lineRe.test(content)) content = content.replace(lineRe, `${key}=${value}`);
+		else content = content.endsWith("\n") || content === "" ? content + `${key}=${value}\n` : content + `\n${key}=${value}\n`;
+		await fs_extra.default.writeFile(this.envFile, content, "utf8");
+		await fs_extra.default.chmod(this.envFile, 384);
+		console.log(chalk.default.green(`\n  ✔  Secret set: ${key}=${mask(value)}`));
+		console.log(chalk.default.gray(`     Stored in: ${this.envFile}`));
+		console.log(chalk.default.gray("     Run: hyperclaw secrets apply   to write to shell config"));
+		console.log(chalk.default.gray("     Restart gateway to use:        hyperclaw daemon restart\n"));
+	}
+	async apply() {
+		const spinner = (0, ora.default)("Applying secrets to shell configuration...").start();
+		if (!await fs_extra.default.pathExists(this.envFile)) {
+			spinner.fail("No .env file found. Run: hyperclaw secrets set KEY=value first");
+			return;
+		}
+		const envContent = await fs_extra.default.readFile(this.envFile, "utf8");
+		const lines = envContent.split("\n").filter((l) => l.includes("=") && !l.startsWith("#"));
+		for (const rcFile of this.shellRcFiles) {
+			await fs_extra.default.ensureDir(path.default.dirname(rcFile));
+			const exists = await fs_extra.default.pathExists(rcFile);
+			if (exists || rcFile.endsWith(".ps1")) {
+				if (exists) {
+					const backup = rcFile + ".hyperclaw.bak";
+					await fs_extra.default.copy(rcFile, backup, { overwrite: true });
+				}
+				let rc = exists ? await fs_extra.default.readFile(rcFile, "utf8") : "";
+				const marker = "# === HyperClaw secrets — auto-managed, do not edit manually ===";
+				const markerEnd = "# === end HyperClaw secrets ===";
+				const blockRe = new RegExp(`${escapeRegex(marker)}[\\s\\S]*?${escapeRegex(markerEnd)}\n?`, "g");
+				rc = rc.replace(blockRe, "");
+				const isWin = process.platform === "win32" && rcFile.endsWith(".ps1");
+				const exportLines = isWin ? lines.map((l) => {
+					const eq = l.indexOf("=");
+					if (eq <= 0) return "";
+					const k = l.slice(0, eq).trim();
+					let v = l.slice(eq + 1).trim();
+					if (v.includes("\n") || v.includes("\r")) console.log(chalk.default.yellow(`  ⚠  Secret ${k} contains newlines — may need manual edit in ${path.default.basename(rcFile)}`));
+					v = v.replace(/\\/g, "\\\\").replace(/"/g, "`\"").replace(/\$/g, "`$");
+					return `$env:${k} = "${v}"`;
+				}).join("\n") : lines.map((l) => `export ${l}`).join("\n");
+				const block = `\n${marker}\n${exportLines}\n${markerEnd}\n`;
+				rc = rc + block;
+				await fs_extra.default.writeFile(rcFile, rc, "utf8");
+				spinner.text = `Applied to ${path.default.basename(rcFile)}`;
+			}
+		}
+		spinner.succeed(`Secrets applied to shell config (${lines.length} variables)`);
+		const reloadHint = process.platform === "win32" ? chalk.default.gray("  Open a new PowerShell window to load the profile.\n") : chalk.default.gray("  Reload your shell or run: source ~/.bashrc\n");
+		console.log(reloadHint);
+	}
+	async reload() {
+		const spinner = (0, ora.default)("Reloading secrets into running gateway...").start();
+		await new Promise((r) => setTimeout(r, 1200));
+		if (await fs_extra.default.pathExists(this.envFile)) {
+			const lines = (await fs_extra.default.readFile(this.envFile, "utf8")).split("\n").filter((l) => l.includes("=") && !l.startsWith("#"));
+			let injected = 0;
+			for (const line of lines) {
+				const [k, ...rest] = line.split("=");
+				const key = k.trim();
+				if (key && !(key in process.env)) {
+					process.env[key] = rest.join("=").trim();
+					injected++;
+				}
+			}
+			spinner.succeed(`Reloaded ${injected} secrets into this CLI process (${lines.length - injected} skipped — already set)`);
+			console.log(chalk.default.gray("  Restart the gateway to pick up changes: hyperclaw daemon restart\n"));
+		} else spinner.warn("No .env file found — nothing to reload");
+	}
+	async remove(key) {
+		if (await fs_extra.default.pathExists(this.envFile)) {
+			let content = await fs_extra.default.readFile(this.envFile, "utf8");
+			content = content.replace(new RegExp(`^${escapeRegex(key)}=.*\n?`, "gm"), "");
+			await fs_extra.default.writeFile(this.envFile, content, "utf8");
+		}
+		console.log(chalk.default.green(`\n  ✔  Secret removed: ${key}\n`));
+	}
+};
+
+//#endregion
+exports.SecretsManager = SecretsManager;

package/dist/manager-BIc6zzZV.js

@@ -0,0 +1,250 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const require_paths = require('./paths-AIyBxIzm.js');
+const require_paths$1 = require('./paths-DPovhojT.js');
+const require_credentials_store = require('./credentials-store-onL1tYct.js');
+const chalk = require_chunk.__toESM(require("chalk"));
+const ora = require_chunk.__toESM(require("ora"));
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+const os = require_chunk.__toESM(require("os"));
+
+//#region src/secrets/manager.ts
+require_credentials_store.init_credentials_store();
+require_paths$1.init_paths();
+const KNOWN_SECRETS = [
+	{
+		key: "TAVILY_API_KEY",
+		description: "Tavily web search API key",
+		requiredBy: ["web-search"]
+	},
+	{
+		key: "DEEPL_API_KEY",
+		description: "DeepL translation API key",
+		requiredBy: ["translator"]
+	},
+	{
+		key: "GITHUB_TOKEN",
+		description: "GitHub personal access token",
+		requiredBy: ["github"]
+	},
+	{
+		key: "OPENWEATHER_API_KEY",
+		description: "OpenWeatherMap API key",
+		requiredBy: ["weather"]
+	},
+	{
+		key: "GOOGLE_CALENDAR_CREDS",
+		description: "Google Calendar OAuth credentials",
+		requiredBy: ["calendar"]
+	},
+	{
+		key: "DATABASE_URL",
+		description: "Database connection URL",
+		requiredBy: ["db-reader"]
+	},
+	{
+		key: "HA_URL",
+		description: "Home Assistant URL",
+		requiredBy: ["home-assistant"]
+	},
+	{
+		key: "HA_TOKEN",
+		description: "Home Assistant long-lived token",
+		requiredBy: ["home-assistant"]
+	},
+	{
+		key: "ANTHROPIC_API_KEY",
+		description: "Anthropic API key",
+		requiredBy: ["provider:anthropic"]
+	},
+	{
+		key: "OPENAI_API_KEY",
+		description: "OpenAI API key",
+		requiredBy: ["provider:openai"]
+	},
+	{
+		key: "OPENROUTER_API_KEY",
+		description: "OpenRouter API key",
+		requiredBy: ["provider:openrouter"]
+	},
+	{
+		key: "XAI_API_KEY",
+		description: "xAI (Grok) API key",
+		requiredBy: ["provider:xai"]
+	},
+	{
+		key: "GOOGLE_AI_API_KEY",
+		description: "Google AI Studio API key",
+		requiredBy: ["provider:google"]
+	},
+	{
+		key: "HYPERCLAW_GATEWAY_TOKEN",
+		description: "Gateway shared auth token",
+		requiredBy: ["gateway"]
+	}
+];
+function mask(val) {
+	if (val.length <= 8) return "***";
+	return val.slice(0, 4) + "***" + val.slice(-3);
+}
+function escapeRegex(s) {
+	return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+var SecretsManager = class {
+	envFile;
+	shellRcFiles;
+	creds;
+	constructor() {
+		const hcDir = require_paths.getHyperClawDir();
+		this.envFile = require_paths.getEnvFilePath();
+		const home = os.default.homedir();
+		const isWin = process.platform === "win32";
+		this.shellRcFiles = isWin ? [path.default.join(home, "Documents", "WindowsPowerShell", "Microsoft.PowerShell_profile.ps1"), path.default.join(home, ".powershell_profile.ps1")] : [
+			path.default.join(home, ".bashrc"),
+			path.default.join(home, ".zshrc"),
+			path.default.join(home, ".profile")
+		];
+		this.creds = new require_credentials_store.CredentialsStore(hcDir);
+	}
+	resolveSecret(key) {
+		if (process.env[key]) return {
+			source: "env",
+			masked: mask(process.env[key]),
+			valid: true
+		};
+		if (fs_extra.default.pathExistsSync(this.envFile)) {
+			const envContent = fs_extra.default.readFileSync(this.envFile, "utf8");
+			const match = envContent.match(new RegExp(`^${key}=(.+)$`, "m"));
+			if (match) return {
+				source: "file",
+				masked: mask(match[1].trim()),
+				valid: true
+			};
+		}
+		return {
+			source: "missing",
+			valid: false
+		};
+	}
+	async audit(requiredBy) {
+		console.log(chalk.default.bold.cyan("\n  🔍 SECRETS AUDIT\n"));
+		const secrets = KNOWN_SECRETS.filter((s) => !requiredBy || s.requiredBy.some((r) => requiredBy.includes(r))).map((s) => ({
+			...s,
+			...this.resolveSecret(s.key)
+		}));
+		let missingCount = 0;
+		let presentCount = 0;
+		for (const secret of secrets) {
+			const icon = secret.valid ? chalk.default.green("✔") : chalk.default.red("✖");
+			const sourceLabel = {
+				env: chalk.default.cyan("[env]"),
+				file: chalk.default.yellow("[.env file]"),
+				"credentials-store": chalk.default.blue("[creds store]"),
+				missing: chalk.default.red("[missing]")
+			}[secret.source];
+			console.log(`  ${icon} ${chalk.default.white(secret.key.padEnd(28))} ${sourceLabel}`);
+			if (secret.masked) console.log(`     ${chalk.default.gray(`value: ${secret.masked}`)}`);
+			console.log(`     ${chalk.default.gray(`required by: ${secret.requiredBy.join(", ")}`)}`);
+			console.log();
+			if (secret.valid) presentCount++;
+			else missingCount++;
+		}
+		console.log(`  ${chalk.default.bold("Summary:")} ${chalk.default.green(`${presentCount} present`)}  ${chalk.default.red(`${missingCount} missing`)}`);
+		if (missingCount > 0) {
+			console.log(chalk.default.gray("\n  To add a secret:"));
+			console.log(chalk.default.gray("    hyperclaw secrets set TAVILY_API_KEY=tvly-..."));
+			console.log(chalk.default.gray("    hyperclaw secrets apply    # write to shell config"));
+			console.log(chalk.default.gray("    hyperclaw secrets reload   # reload into running gateway\n"));
+		} else console.log(chalk.default.green("\n  ✔  All required secrets are present!\n"));
+	}
+	async set(keyValue) {
+		const eqIdx = keyValue.indexOf("=");
+		if (eqIdx === -1) {
+			console.log(chalk.default.red("  ✖  Format: hyperclaw secrets set KEY=value"));
+			return;
+		}
+		const key = keyValue.slice(0, eqIdx).trim();
+		const value = keyValue.slice(eqIdx + 1).trim();
+		await fs_extra.default.ensureDir(path.default.dirname(this.envFile));
+		let content = await fs_extra.default.pathExists(this.envFile) ? await fs_extra.default.readFile(this.envFile, "utf8") : "";
+		const lineRe = new RegExp(`^${escapeRegex(key)}=.*$`, "m");
+		if (lineRe.test(content)) content = content.replace(lineRe, `${key}=${value}`);
+		else content = content.endsWith("\n") || content === "" ? content + `${key}=${value}\n` : content + `\n${key}=${value}\n`;
+		await fs_extra.default.writeFile(this.envFile, content, "utf8");
+		await fs_extra.default.chmod(this.envFile, 384);
+		console.log(chalk.default.green(`\n  ✔  Secret set: ${key}=${mask(value)}`));
+		console.log(chalk.default.gray(`     Stored in: ${this.envFile}`));
+		console.log(chalk.default.gray("     Run: hyperclaw secrets apply   to write to shell config"));
+		console.log(chalk.default.gray("     Restart gateway to use:        hyperclaw daemon restart\n"));
+	}
+	async apply() {
+		const spinner = (0, ora.default)("Applying secrets to shell configuration...").start();
+		if (!await fs_extra.default.pathExists(this.envFile)) {
+			spinner.fail("No .env file found. Run: hyperclaw secrets set KEY=value first");
+			return;
+		}
+		const envContent = await fs_extra.default.readFile(this.envFile, "utf8");
+		const lines = envContent.split("\n").filter((l) => l.includes("=") && !l.startsWith("#"));
+		for (const rcFile of this.shellRcFiles) {
+			await fs_extra.default.ensureDir(path.default.dirname(rcFile));
+			const exists = await fs_extra.default.pathExists(rcFile);
+			if (exists || rcFile.endsWith(".ps1")) {
+				if (exists) {
+					const backup = rcFile + ".hyperclaw.bak";
+					await fs_extra.default.copy(rcFile, backup, { overwrite: true });
+				}
+				let rc = exists ? await fs_extra.default.readFile(rcFile, "utf8") : "";
+				const marker = "# === HyperClaw secrets — auto-managed, do not edit manually ===";
+				const markerEnd = "# === end HyperClaw secrets ===";
+				const blockRe = new RegExp(`${escapeRegex(marker)}[\\s\\S]*?${escapeRegex(markerEnd)}\n?`, "g");
+				rc = rc.replace(blockRe, "");
+				const isWin = process.platform === "win32" && rcFile.endsWith(".ps1");
+				const exportLines = isWin ? lines.map((l) => {
+					const eq = l.indexOf("=");
+					if (eq <= 0) return "";
+					const k = l.slice(0, eq).trim();
+					let v = l.slice(eq + 1).trim();
+					if (v.includes("\n") || v.includes("\r")) console.log(chalk.default.yellow(`  ⚠  Secret ${k} contains newlines — may need manual edit in ${path.default.basename(rcFile)}`));
+					v = v.replace(/\\/g, "\\\\").replace(/"/g, "`\"").replace(/\$/g, "`$");
+					return `$env:${k} = "${v}"`;
+				}).join("\n") : lines.map((l) => `export ${l}`).join("\n");
+				const block = `\n${marker}\n${exportLines}\n${markerEnd}\n`;
+				rc = rc + block;
+				await fs_extra.default.writeFile(rcFile, rc, "utf8");
+				spinner.text = `Applied to ${path.default.basename(rcFile)}`;
+			}
+		}
+		spinner.succeed(`Secrets applied to shell config (${lines.length} variables)`);
+		const reloadHint = process.platform === "win32" ? chalk.default.gray("  Open a new PowerShell window to load the profile.\n") : chalk.default.gray("  Reload your shell or run: source ~/.bashrc\n");
+		console.log(reloadHint);
+	}
+	async reload() {
+		const spinner = (0, ora.default)("Reloading secrets into running gateway...").start();
+		await new Promise((r) => setTimeout(r, 1200));
+		if (await fs_extra.default.pathExists(this.envFile)) {
+			const lines = (await fs_extra.default.readFile(this.envFile, "utf8")).split("\n").filter((l) => l.includes("=") && !l.startsWith("#"));
+			let injected = 0;
+			for (const line of lines) {
+				const [k, ...rest] = line.split("=");
+				const key = k.trim();
+				if (key && !(key in process.env)) {
+					process.env[key] = rest.join("=").trim();
+					injected++;
+				}
+			}
+			spinner.succeed(`Reloaded ${injected} secrets into this CLI process (${lines.length - injected} skipped — already set)`);
+			console.log(chalk.default.gray("  Restart the gateway to pick up changes: hyperclaw daemon restart\n"));
+		} else spinner.warn("No .env file found — nothing to reload");
+	}
+	async remove(key) {
+		if (await fs_extra.default.pathExists(this.envFile)) {
+			let content = await fs_extra.default.readFile(this.envFile, "utf8");
+			content = content.replace(new RegExp(`^${escapeRegex(key)}=.*\n?`, "gm"), "");
+			await fs_extra.default.writeFile(this.envFile, content, "utf8");
+		}
+		console.log(chalk.default.green(`\n  ✔  Secret removed: ${key}\n`));
+	}
+};
+
+//#endregion
+exports.SecretsManager = SecretsManager;