morpheus-cli 0.6.4 → 0.6.6

package/README.md

@@ -82,8 +82,11 @@ Minimal `env.docker`:
 ```env
 OPENAI_API_KEY=sk-...
 THE_ARCHITECT_PASS=changeme
+MORPHEUS_SECRET=<generate-a-random-secret>
 ```
 
+> **Tip:** Generate a secure `MORPHEUS_SECRET` with: `openssl rand -base64 32` or `node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"`
+
 **2. Run:**
 
 ```bash
@@ -121,6 +124,7 @@ docker run -d \
   -p 3333:3333 \
   -e OPENAI_API_KEY=sk-... \
   -e THE_ARCHITECT_PASS=changeme \
+  -e MORPHEUS_SECRET=<generate-a-random-secret> \
   -v morpheus_data:/root/.morpheus \
   morpheus
 ```
@@ -133,6 +137,7 @@ docker run -d \
   -p 3333:3333 \
   -e OPENAI_API_KEY=sk-... \
   -e THE_ARCHITECT_PASS=changeme \
+  -e MORPHEUS_SECRET=<generate-a-random-secret> \
   -e MORPHEUS_TELEGRAM_ENABLED=true \
   -e MORPHEUS_TELEGRAM_TOKEN=<bot-token> \
   -e MORPHEUS_TELEGRAM_ALLOWED_USERS=123456789 \
@@ -148,6 +153,7 @@ docker run -d \
   -p 3333:3333 \
   -e OPENAI_API_KEY=sk-... \
   -e THE_ARCHITECT_PASS=changeme \
+  -e MORPHEUS_SECRET=<generate-a-random-secret> \
   -e MORPHEUS_DISCORD_ENABLED=true \
   -e MORPHEUS_DISCORD_TOKEN=<bot-token> \
   -e MORPHEUS_DISCORD_ALLOWED_USERS=987654321 \
@@ -365,7 +371,7 @@ Provider-specific keys:
 - `THE_ARCHITECT_PASS`
 
 Security:
-- `MORPHEUS_SECRET` — AES-256-GCM key for encrypting Trinity database passwords (required when using Trinity)
+- `MORPHEUS_SECRET` — AES-256-GCM encryption key for Trinity database passwords and agent API keys. When set, all API keys saved via UI or config file are automatically encrypted at rest.
 
 Generic Morpheus overrides (selected):
 

package/dist/channels/discord.js

@@ -7,6 +7,7 @@ import { SQLiteChatMessageHistory } from '../runtime/memory/sqlite.js';
 import { DisplayManager } from '../runtime/display.js';
 import { ConfigManager } from '../config/manager.js';
 import { createTelephonist } from '../runtime/telephonist.js';
+import { getUsableApiKey } from '../runtime/trinity-crypto.js';
 // ─── Slash Command Definitions ────────────────────────────────────────────────
 const SLASH_COMMANDS = [
     new SlashCommandBuilder()
@@ -219,8 +220,8 @@ export class DiscordAdapter {
             await channel.send('Audio transcription is currently disabled.');
             return;
         }
-        const apiKey = config.audio.apiKey ||
-            (config.llm.provider === config.audio.provider ? config.llm.api_key : undefined);
+        const apiKey = getUsableApiKey(config.audio.apiKey) ||
+            (config.llm.provider === config.audio.provider ? getUsableApiKey(config.llm.api_key) : undefined);
         if (!apiKey) {
             this.display.log(`Audio transcription failed: No API key for provider '${config.audio.provider}'`, { source: 'Telephonist', level: 'error' });
             await channel.send(`Audio transcription requires an API key for provider '${config.audio.provider}'.`);

package/dist/channels/telegram.js

@@ -8,6 +8,7 @@ import { spawn } from 'child_process';
 import { ConfigManager } from '../config/manager.js';
 import { DisplayManager } from '../runtime/display.js';
 import { createTelephonist } from '../runtime/telephonist.js';
+import { getUsableApiKey } from '../runtime/trinity-crypto.js';
 import { readPid, isProcessRunning, checkStalePid } from '../runtime/lifecycle.js';
 import { SQLiteChatMessageHistory } from '../runtime/memory/sqlite.js';
 import { SatiRepository } from '../runtime/memory/sati/repository.js';
@@ -281,8 +282,8 @@ export class TelegramAdapter {
                     await ctx.reply("Audio transcription is currently disabled.");
                     return;
                 }
-                const apiKey = config.audio.apiKey ||
-                    (config.llm.provider === config.audio.provider ? config.llm.api_key : undefined);
+                const apiKey = getUsableApiKey(config.audio.apiKey) ||
+                    (config.llm.provider === config.audio.provider ? getUsableApiKey(config.llm.api_key) : undefined);
                 if (!apiKey) {
                     this.display.log(`Audio transcription failed: No API key available for provider '${config.audio.provider}'`, { source: 'Telephonist', level: 'error' });
                     await ctx.reply(`Audio transcription requires an API key for provider '${config.audio.provider}'. Please configure \`audio.apiKey\` or use the same provider as your LLM.`);
@@ -811,8 +812,9 @@ export class TelegramAdapter {
             return;
         }
         try {
+            const globalTz = this.config.getChronosConfig().timezone;
             const { parse: chronoParse } = await import('chrono-node');
-            const results = chronoParse(fullText);
+            const results = chronoParse(fullText, { timezone: globalTz });
             if (!results.length) {
                 await ctx.reply('Could not detect a time expression. Try: `/chronos Check disk space tomorrow at 9am`', { parse_mode: 'Markdown' });
                 return;
@@ -821,7 +823,6 @@ export class TelegramAdapter {
             const match = results[0];
             const matchedText = fullText.slice(match.index, match.index + match.text.length);
             const prompt = (fullText.slice(0, match.index) + fullText.slice(match.index + match.text.length)).replace(/\s+/g, ' ').trim() || fullText;
-            const globalTz = this.config.getChronosConfig().timezone;
             const { parseScheduleExpression } = await import('../runtime/chronos/parser.js');
             const schedule = parseScheduleExpression(matchedText, 'once', { timezone: globalTz });
             const formatted = new Date(schedule.next_run_at).toLocaleString('en-US', {

package/dist/cli/commands/start.js

@@ -1,6 +1,7 @@
 import { Command } from 'commander';
 import chalk from 'chalk';
 import fs from 'fs-extra';
+import path from 'path';
 import { confirm } from '@inquirer/prompts';
 import { scaffold } from '../../runtime/scaffold.js';
 import { DisplayManager } from '../../runtime/display.js';
@@ -21,6 +22,35 @@ import { TaskWorker } from '../../runtime/tasks/worker.js';
 import { TaskNotifier } from '../../runtime/tasks/notifier.js';
 import { ChronosWorker } from '../../runtime/chronos/worker.js';
 import { ChronosRepository } from '../../runtime/chronos/repository.js';
+// Load .env file explicitly in start command
+const envPath = path.join(process.cwd(), '.env');
+if (fs.existsSync(envPath)) {
+    try {
+        const envConfig = fs.readFileSync(envPath, 'utf-8');
+        envConfig.split('\n').forEach(line => {
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith('#'))
+                return;
+            const match = trimmed.match(/^([^=]+)=(.*)$/);
+            if (match) {
+                const key = match[1].trim();
+                let value = match[2].trim();
+                // Remove quotes if present
+                if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
+                    value = value.slice(1, -1);
+                }
+                // Don't overwrite existing env vars
+                if (!process.env[key]) {
+                    process.env[key] = value;
+                }
+            }
+        });
+        console.log('[DEBUG] Loaded .env file from:', envPath);
+    }
+    catch (err) {
+        console.error('[WARN] Failed to load .env:', err);
+    }
+}
 export const startCommand = new Command('start')
     .description('Start the Morpheus agent')
     .option('--ui', 'Enable web UI', true)

package/dist/config/manager.js

@@ -6,6 +6,8 @@ import { setByPath } from './utils.js';
 import { ConfigSchema } from './schemas.js';
 import { migrateConfigFile } from '../runtime/migration.js';
 import { resolveApiKey, resolveModel, resolveNumeric, resolveString, resolveBoolean, resolveProvider, resolveStringArray } from './precedence.js';
+import { encrypt, safeDecrypt, looksLikeEncrypted, canEncrypt } from '../runtime/trinity-crypto.js';
+import { DisplayManager } from '../runtime/display.js';
 export class ConfigManager {
     static instance;
     config = DEFAULT_CONFIG;
@@ -16,6 +18,89 @@ export class ConfigManager {
         }
         return ConfigManager.instance;
     }
+    /**
+     * Decrypts API keys in config if they appear to be encrypted.
+     * Fail-open: returns original value if decryption fails.
+     */
+    decryptAgentApiKeys(config) {
+        const decrypted = { ...config };
+        // Helper to decrypt a single key
+        const tryDecrypt = (apiKey) => {
+            if (!apiKey)
+                return undefined;
+            if (!looksLikeEncrypted(apiKey))
+                return apiKey;
+            const decrypted = safeDecrypt(apiKey);
+            return decrypted ?? apiKey; // Return original if decryption fails
+        };
+        // Decrypt Oracle/LLM
+        if (decrypted.llm.api_key) {
+            decrypted.llm = { ...decrypted.llm, api_key: tryDecrypt(decrypted.llm.api_key) };
+        }
+        // Decrypt Sati
+        if (decrypted.sati?.api_key) {
+            decrypted.sati = { ...decrypted.sati, api_key: tryDecrypt(decrypted.sati.api_key) };
+        }
+        // Decrypt Apoc
+        if (decrypted.apoc?.api_key) {
+            decrypted.apoc = { ...decrypted.apoc, api_key: tryDecrypt(decrypted.apoc.api_key) };
+        }
+        // Decrypt Neo
+        if (decrypted.neo?.api_key) {
+            decrypted.neo = { ...decrypted.neo, api_key: tryDecrypt(decrypted.neo.api_key) };
+        }
+        // Decrypt Trinity
+        if (decrypted.trinity?.api_key) {
+            decrypted.trinity = { ...decrypted.trinity, api_key: tryDecrypt(decrypted.trinity.api_key) };
+        }
+        // Decrypt Audio (Telephonist)
+        if (decrypted.audio?.apiKey) {
+            decrypted.audio = { ...decrypted.audio, apiKey: tryDecrypt(decrypted.audio.apiKey) };
+        }
+        return decrypted;
+    }
+    /**
+     * Encrypts API keys in config if MORPHEUS_SECRET is set.
+     */
+    encryptAgentApiKeys(config) {
+        if (!canEncrypt())
+            return config;
+        const encrypted = { ...config };
+        // Helper to encrypt a single key
+        const tryEncrypt = (apiKey) => {
+            if (!apiKey)
+                return undefined;
+            // Don't double-encrypt
+            if (looksLikeEncrypted(apiKey))
+                return apiKey;
+            return encrypt(apiKey);
+        };
+        // Encrypt Oracle/LLM
+        if (encrypted.llm.api_key) {
+            encrypted.llm = { ...encrypted.llm, api_key: tryEncrypt(encrypted.llm.api_key) };
+        }
+        // Encrypt Sati
+        if (encrypted.sati?.api_key) {
+            encrypted.sati = { ...encrypted.sati, api_key: tryEncrypt(encrypted.sati.api_key) };
+        }
+        // Encrypt Apoc
+        if (encrypted.apoc?.api_key) {
+            encrypted.apoc = { ...encrypted.apoc, api_key: tryEncrypt(encrypted.apoc.api_key) };
+        }
+        // Encrypt Neo
+        if (encrypted.neo?.api_key) {
+            encrypted.neo = { ...encrypted.neo, api_key: tryEncrypt(encrypted.neo.api_key) };
+        }
+        // Encrypt Trinity
+        if (encrypted.trinity?.api_key) {
+            encrypted.trinity = { ...encrypted.trinity, api_key: tryEncrypt(encrypted.trinity.api_key) };
+        }
+        // Encrypt Audio (Telephonist)
+        if (encrypted.audio?.apiKey) {
+            encrypted.audio = { ...encrypted.audio, apiKey: tryEncrypt(encrypted.audio.apiKey) };
+        }
+        return encrypted;
+    }
     async load() {
         try {
             await migrateConfigFile();
@@ -222,9 +307,16 @@ export class ConfigManager {
     }
     async save(newConfig) {
         // Deep merge or overwrite? simpler to overwrite for now or merge top level
-        const updated = { ...this.config, ...newConfig };
+        let updated = { ...this.config, ...newConfig };
+        // Encrypt API keys before saving if MORPHEUS_SECRET is set
+        updated = this.encryptAgentApiKeys(updated);
         // Validate before saving
         const valid = ConfigSchema.parse(updated);
+        // Warn if saving without encryption
+        if (!canEncrypt()) {
+            const display = DisplayManager.getInstance();
+            display.log('API keys saved in PLAINTEXT. Set MORPHEUS_SECRET environment variable to enable AES-256-GCM encryption.', { source: 'ConfigManager', level: 'warning' });
+        }
         await fs.ensureDir(PATHS.root);
         await fs.writeFile(PATHS.config, yaml.dump(valid), 'utf8');
         this.config = valid;
@@ -285,4 +377,28 @@ export class ConfigManager {
         }
         return defaults;
     }
+    /**
+     * Returns encryption status for all agent API keys.
+     */
+    getEncryptionStatus() {
+        const checkKey = (apiKey) => {
+            if (!apiKey)
+                return true; // No key = not plaintext
+            return looksLikeEncrypted(apiKey);
+        };
+        const apiKeysEncrypted = {
+            oracle: checkKey(this.config.llm.api_key),
+            sati: checkKey(this.config.sati?.api_key),
+            neo: checkKey(this.config.neo?.api_key),
+            apoc: checkKey(this.config.apoc?.api_key),
+            trinity: checkKey(this.config.trinity?.api_key),
+            audio: checkKey(this.config.audio?.apiKey),
+        };
+        const hasPlaintextKeys = Object.values(apiKeysEncrypted).some(encrypted => !encrypted);
+        return {
+            morpheusSecretSet: canEncrypt(),
+            apiKeysEncrypted,
+            hasPlaintextKeys,
+        };
+    }
 }

package/dist/config/precedence.js

@@ -136,3 +136,110 @@ export function resolveProvider(genericEnvVar, configFileValue, defaultValue) {
     }
     return defaultValue;
 }
+/**
+ * Check if a configuration value is being overridden by an environment variable.
+ * Returns true if the value comes from an environment variable (either provider-specific or generic).
+ */
+export function isOverriddenByEnv(provider, genericEnvVar, configFileValue) {
+    const providerSpecificVars = {
+        'openai': 'OPENAI_API_KEY',
+        'anthropic': 'ANTHROPIC_API_KEY',
+        'openrouter': 'OPENROUTER_API_KEY',
+        'ollama': '',
+        'gemini': 'GOOGLE_API_KEY'
+    };
+    const providerSpecificVar = providerSpecificVars[provider];
+    // Check if provider-specific variable is set
+    if (providerSpecificVar && process.env[providerSpecificVar]) {
+        return true;
+    }
+    // Check if generic variable is set
+    if (process.env[genericEnvVar]) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Check if a generic configuration value is being overridden by an environment variable.
+ */
+export function isEnvVarSet(envVarName) {
+    return process.env[envVarName] !== undefined && process.env[envVarName] !== '';
+}
+/**
+ * Get list of all active environment variable overrides for agent configurations.
+ */
+export function getActiveEnvOverrides() {
+    const overrides = {};
+    // LLM/Oracle
+    if (isEnvVarSet('MORPHEUS_LLM_PROVIDER'))
+        overrides['llm.provider'] = true;
+    if (isEnvVarSet('MORPHEUS_LLM_MODEL'))
+        overrides['llm.model'] = true;
+    if (isEnvVarSet('MORPHEUS_LLM_TEMPERATURE'))
+        overrides['llm.temperature'] = true;
+    if (isEnvVarSet('MORPHEUS_LLM_MAX_TOKENS'))
+        overrides['llm.max_tokens'] = true;
+    if (isEnvVarSet('MORPHEUS_LLM_API_KEY'))
+        overrides['llm.api_key'] = true;
+    if (isEnvVarSet('MORPHEUS_LLM_CONTEXT_WINDOW'))
+        overrides['llm.context_window'] = true;
+    // Provider-specific API keys
+    if (isEnvVarSet('OPENAI_API_KEY'))
+        overrides['llm.api_key_openai'] = true;
+    if (isEnvVarSet('ANTHROPIC_API_KEY'))
+        overrides['llm.api_key_anthropic'] = true;
+    if (isEnvVarSet('GOOGLE_API_KEY'))
+        overrides['llm.api_key_gemini'] = true;
+    if (isEnvVarSet('OPENROUTER_API_KEY'))
+        overrides['llm.api_key_openrouter'] = true;
+    // Sati
+    if (isEnvVarSet('MORPHEUS_SATI_PROVIDER'))
+        overrides['sati.provider'] = true;
+    if (isEnvVarSet('MORPHEUS_SATI_MODEL'))
+        overrides['sati.model'] = true;
+    if (isEnvVarSet('MORPHEUS_SATI_TEMPERATURE'))
+        overrides['sati.temperature'] = true;
+    if (isEnvVarSet('MORPHEUS_SATI_API_KEY'))
+        overrides['sati.api_key'] = true;
+    // Neo
+    if (isEnvVarSet('MORPHEUS_NEO_PROVIDER'))
+        overrides['neo.provider'] = true;
+    if (isEnvVarSet('MORPHEUS_NEO_MODEL'))
+        overrides['neo.model'] = true;
+    if (isEnvVarSet('MORPHEUS_NEO_TEMPERATURE'))
+        overrides['neo.temperature'] = true;
+    if (isEnvVarSet('MORPHEUS_NEO_API_KEY'))
+        overrides['neo.api_key'] = true;
+    // Apoc
+    if (isEnvVarSet('MORPHEUS_APOC_PROVIDER'))
+        overrides['apoc.provider'] = true;
+    if (isEnvVarSet('MORPHEUS_APOC_MODEL'))
+        overrides['apoc.model'] = true;
+    if (isEnvVarSet('MORPHEUS_APOC_TEMPERATURE'))
+        overrides['apoc.temperature'] = true;
+    if (isEnvVarSet('MORPHEUS_APOC_API_KEY'))
+        overrides['apoc.api_key'] = true;
+    if (isEnvVarSet('MORPHEUS_APOC_WORKING_DIR'))
+        overrides['apoc.working_dir'] = true;
+    if (isEnvVarSet('MORPHEUS_APOC_TIMEOUT_MS'))
+        overrides['apoc.timeout_ms'] = true;
+    // Trinity
+    if (isEnvVarSet('MORPHEUS_TRINITY_PROVIDER'))
+        overrides['trinity.provider'] = true;
+    if (isEnvVarSet('MORPHEUS_TRINITY_MODEL'))
+        overrides['trinity.model'] = true;
+    if (isEnvVarSet('MORPHEUS_TRINITY_TEMPERATURE'))
+        overrides['trinity.temperature'] = true;
+    if (isEnvVarSet('MORPHEUS_TRINITY_API_KEY'))
+        overrides['trinity.api_key'] = true;
+    // Audio
+    if (isEnvVarSet('MORPHEUS_AUDIO_PROVIDER'))
+        overrides['audio.provider'] = true;
+    if (isEnvVarSet('MORPHEUS_AUDIO_MODEL'))
+        overrides['audio.model'] = true;
+    if (isEnvVarSet('MORPHEUS_AUDIO_API_KEY'))
+        overrides['audio.apiKey'] = true;
+    if (isEnvVarSet('MORPHEUS_AUDIO_MAX_DURATION'))
+        overrides['audio.maxDurationSeconds'] = true;
+    return overrides;
+}

package/dist/http/api.js

@@ -18,6 +18,7 @@ import { Trinity } from '../runtime/trinity.js';
 import { ChronosRepository } from '../runtime/chronos/repository.js';
 import { ChronosWorker } from '../runtime/chronos/worker.js';
 import { createChronosJobRouter, createChronosConfigRouter } from './routers/chronos.js';
+import { getActiveEnvOverrides } from '../config/precedence.js';
 async function readLastLines(filePath, n) {
     try {
         const content = await fs.readFile(filePath, 'utf8');
@@ -813,6 +814,34 @@ export function createApiRouter(oracle, chronosWorker) {
             res.status(500).json({ error: error.message });
         }
     });
+    // ─── Encryption Status ─────────────────────────────────────────────────────
+    router.get('/config/encryption-status', (req, res) => {
+        try {
+            const status = configManager.getEncryptionStatus();
+            res.json(status);
+        }
+        catch (error) {
+            res.status(500).json({ error: error.message });
+        }
+    });
+    // ─── Environment Variable Overrides ────────────────────────────────────────
+    router.get('/config/env-overrides', (req, res) => {
+        try {
+            const overrides = getActiveEnvOverrides();
+            // Debug log to see what's being detected
+            // console.log('[DEBUG] Env overrides:', JSON.stringify(overrides, null, 2));
+            // console.log('[DEBUG] Sample env vars:', {
+            //   MORPHEUS_LLM_PROVIDER: !!process.env.MORPHEUS_LLM_PROVIDER,
+            //   MORPHEUS_LLM_MODEL: !!process.env.MORPHEUS_LLM_MODEL,
+            //   OPENAI_API_KEY: !!process.env.OPENAI_API_KEY,
+            // });
+            res.json(overrides);
+        }
+        catch (error) {
+            console.error('[ERROR] Failed to get env overrides:', error);
+            res.status(500).json({ error: error.message });
+        }
+    });
     // ─── Trinity Databases CRUD ─────────────────────────────────────────────────
     const DatabaseCreateSchema = z.object({
         name: z.string().min(1).max(100),

package/dist/runtime/chronos/parser.js

@@ -77,6 +77,64 @@ function intervalToCron(expression) {
         `Supported formats: "every N minutes/hours/days/weeks", "every minute/hour/day/week", ` +
         `"every monday [at 9am]", "every monday and friday at 18:30", "every weekday", "every weekend", "daily", "weekly".`);
 }
+/**
+ * Parses Portuguese time expressions and converts to ISO 8601 format.
+ * Handles patterns like "às 15h", "hoje às 15:30", "amanhã às 9h".
+ */
+function parsePortugueseTimeExpression(expression, refDate, timezone) {
+    const lower = expression.toLowerCase().trim();
+    // Pattern: "às 15h", "as 15h", "às 15:30", "as 15:30"
+    const timeOnlyMatch = lower.match(/^(?:à|a)s?\s+(\d{1,2})(?::(\d{2}))?h?$/);
+    if (timeOnlyMatch) {
+        let hour = parseInt(timeOnlyMatch[1], 10);
+        const minute = timeOnlyMatch[2] ? parseInt(timeOnlyMatch[2], 10) : 0;
+        // Create date by setting hours in the target timezone
+        // We use Intl.DateTimeFormat to properly handle timezone
+        const targetDate = new Date();
+        const tzDate = new Date(targetDate.toLocaleString('en-US', { timeZone: timezone }));
+        tzDate.setHours(hour, minute, 0, 0);
+        // If time is in the past today, schedule for tomorrow
+        if (tzDate.getTime() <= refDate.getTime()) {
+            tzDate.setDate(tzDate.getDate() + 1);
+        }
+        return tzDate;
+    }
+    // Pattern: "hoje às 15h", "hoje as 15:30"
+    const todayMatch = lower.match(/^hoje\s+(?:à|a)s?\s+(\d{1,2})(?::(\d{2}))?h?$/);
+    if (todayMatch) {
+        let hour = parseInt(todayMatch[1], 10);
+        const minute = todayMatch[2] ? parseInt(todayMatch[2], 10) : 0;
+        const tzDate = new Date(new Date().toLocaleString('en-US', { timeZone: timezone }));
+        tzDate.setHours(hour, minute, 0, 0);
+        // If already passed, return null (can't schedule in the past)
+        if (tzDate.getTime() <= refDate.getTime()) {
+            return null;
+        }
+        return tzDate;
+    }
+    // Pattern: "amanhã às 15h", "amanha as 15:30", "amanhã às 15h da tarde"
+    const tomorrowMatch = lower.match(/^amanhã(?:ã)?\s+(?:à|a)s?\s+(\d{1,2})(?::(\d{2}))?h?(?:\s+(?:da|do)\s+(?:manhã|tarde|noite))?$/);
+    if (tomorrowMatch) {
+        let hour = parseInt(tomorrowMatch[1], 10);
+        const minute = tomorrowMatch[2] ? parseInt(tomorrowMatch[2], 10) : 0;
+        const tzDate = new Date(new Date().toLocaleString('en-US', { timeZone: timezone }));
+        tzDate.setDate(tzDate.getDate() + 1);
+        tzDate.setHours(hour, minute, 0, 0);
+        return tzDate;
+    }
+    // Pattern: "daqui a X minutos/horas/dias"
+    const relativeMatch = lower.match(/^daqui\s+a\s+(\d+)\s+(minutos?|horas?|dias?|semanas?)$/);
+    if (relativeMatch) {
+        const amount = parseInt(relativeMatch[1], 10);
+        const unit = relativeMatch[2];
+        const ms = unit.startsWith('min') ? amount * 60_000
+            : unit.startsWith('hor') ? amount * 3_600_000
+                : unit.startsWith('dia') ? amount * 86_400_000
+                    : amount * 7 * 86_400_000;
+        return new Date(refDate.getTime() + ms);
+    }
+    return null;
+}
 function formatDatetime(date, timezone) {
     try {
         return date.toLocaleString('en-US', {
@@ -110,13 +168,17 @@ export function parseScheduleExpression(expression, type, opts = {}) {
                             : amount * 7 * 86_400_000;
                 parsed = new Date(refDate.getTime() + ms);
             }
-            // 2. ISO 8601
+            // 2. Portuguese time expressions: "às 15h", "hoje às 15:30", "amanhã às 9h", "daqui a 30 minutos"
+            if (!parsed) {
+                parsed = parsePortugueseTimeExpression(expression, refDate, timezone);
+            }
+            // 3. ISO 8601
             if (!parsed) {
                 const isoDate = new Date(expression);
                 if (!isNaN(isoDate.getTime()))
                     parsed = isoDate;
             }
-            // 3. chrono-node NLP fallback ("tomorrow at 9am", "next friday", etc.)
+            // 4. chrono-node NLP fallback ("tomorrow at 9am", "next friday", etc.)
             if (!parsed) {
                 const results = chrono.parse(expression, { instant: refDate, timezone });
                 if (results.length > 0 && results[0].date()) {
@@ -125,7 +187,8 @@ export function parseScheduleExpression(expression, type, opts = {}) {
             }
             if (!parsed) {
                 throw new Error(`Could not parse date/time expression: "${expression}". ` +
-                    `Try: "in 30 minutes", "in 2 hours", "tomorrow at 9am", "next friday at 3pm", or an ISO 8601 datetime.`);
+                    `Try: "in 30 minutes", "in 2 hours", "tomorrow at 9am", "next friday at 3pm", ` +
+                    `"às 15h", "hoje às 15:30", "amanhã às 9h", "daqui a 30 minutos", or an ISO 8601 datetime.`);
             }
             if (parsed.getTime() <= refDate.getTime()) {
                 throw new Error(`Scheduled time must be in the future. Got: "${expression}" which resolves to ${parsed.toISOString()}.`);

package/dist/runtime/chronos/parser.test.js

@@ -24,6 +24,71 @@ describe('parseScheduleExpression — once type', () => {
         expect(result.next_run_at).toBeGreaterThan(REF);
         expect(result.cron_normalized).toBeNull();
     });
+    it('parses Portuguese "às 15h" in America/Sao_Paulo timezone', () => {
+        const result = parseScheduleExpression('às 15h', 'once', {
+            timezone: 'America/Sao_Paulo',
+            referenceDate: REF,
+        });
+        expect(result.type).toBe('once');
+        expect(result.next_run_at).toBeGreaterThan(REF);
+        // Verify the hour is 15 in Sao Paulo timezone
+        const dateInTz = new Date(result.next_run_at).toLocaleString('en-US', {
+            timeZone: 'America/Sao_Paulo',
+            hour: '2-digit',
+            hour12: false,
+        });
+        expect(dateInTz).toContain('15:00');
+    });
+    it('parses Portuguese "hoje às 15:30"', () => {
+        // Use a reference time before 15:30 to ensure it schedules for today
+        const morningRef = new Date().setHours(9, 0, 0, 0);
+        const result = parseScheduleExpression('hoje às 15:30', 'once', {
+            timezone: 'America/Sao_Paulo',
+            referenceDate: morningRef,
+        });
+        expect(result.type).toBe('once');
+        const dateInTz = new Date(result.next_run_at).toLocaleString('en-US', {
+            timeZone: 'America/Sao_Paulo',
+            hour: '2-digit',
+            minute: '2-digit',
+            hour12: false,
+        });
+        expect(dateInTz).toContain('15:30');
+    });
+    it('parses Portuguese "amanhã às 9h"', () => {
+        const result = parseScheduleExpression('amanhã às 9h', 'once', {
+            timezone: 'America/Sao_Paulo',
+            referenceDate: REF,
+        });
+        expect(result.type).toBe('once');
+        const dateInTz = new Date(result.next_run_at).toLocaleString('en-US', {
+            timeZone: 'America/Sao_Paulo',
+            hour: '2-digit',
+            hour12: false,
+        });
+        expect(dateInTz).toContain('09:00');
+    });
+    it('parses Portuguese "daqui a 30 minutos"', () => {
+        const result = parseScheduleExpression('daqui a 30 minutos', 'once', {
+            timezone: 'America/Sao_Paulo',
+            referenceDate: REF,
+        });
+        expect(result.type).toBe('once');
+        // Should be approximately 30 minutes from now
+        const diffMinutes = (result.next_run_at - REF) / 1000 / 60;
+        expect(diffMinutes).toBeGreaterThanOrEqual(29);
+        expect(diffMinutes).toBeLessThanOrEqual(31);
+    });
+    it('parses Portuguese "daqui a 2 horas"', () => {
+        const result = parseScheduleExpression('daqui a 2 horas', 'once', {
+            timezone: 'America/Sao_Paulo',
+            referenceDate: REF,
+        });
+        expect(result.type).toBe('once');
+        const diffHours = (result.next_run_at - REF) / 1000 / 60 / 60;
+        expect(diffHours).toBeGreaterThanOrEqual(1.9);
+        expect(diffHours).toBeLessThanOrEqual(2.1);
+    });
 });
 describe('parseScheduleExpression — cron type', () => {
     it('parses a valid 5-field cron expression', () => {

package/dist/runtime/providers/factory.js

@@ -5,6 +5,7 @@ import { ChatGoogleGenerativeAI } from "@langchain/google-genai";
 import { ProviderError } from "../errors.js";
 import { createAgent, createMiddleware } from "langchain";
 import { DisplayManager } from "../display.js";
+import { getUsableApiKey } from "../trinity-crypto.js";
 export class ProviderFactory {
     static buildMonitoringMiddleware() {
         const display = DisplayManager.getInstance();
@@ -26,24 +27,25 @@ export class ProviderFactory {
         });
     }
     static buildModel(config) {
+        const usableApiKey = getUsableApiKey(config.api_key);
         switch (config.provider) {
             case 'openai':
                 return new ChatOpenAI({
                     modelName: config.model,
                     temperature: config.temperature,
-                    apiKey: process.env.OPENAI_API_KEY || config.api_key,
+                    apiKey: process.env.OPENAI_API_KEY || usableApiKey,
                 });
             case 'anthropic':
                 return new ChatAnthropic({
                     modelName: config.model,
                     temperature: config.temperature,
-                    apiKey: process.env.ANTHROPIC_API_KEY || config.api_key,
+                    apiKey: process.env.ANTHROPIC_API_KEY || usableApiKey,
                 });
             case 'openrouter':
                 return new ChatOpenAI({
                     modelName: config.model,
                     temperature: config.temperature,
-                    apiKey: process.env.OPENROUTER_API_KEY || config.api_key,
+                    apiKey: process.env.OPENROUTER_API_KEY || usableApiKey,
                     configuration: {
                         baseURL: config.base_url || 'https://openrouter.ai/api/v1'
                     }
@@ -52,13 +54,13 @@ export class ProviderFactory {
                 return new ChatOllama({
                     model: config.model,
                     temperature: config.temperature,
-                    baseUrl: config.base_url || config.api_key,
+                    baseUrl: config.base_url || usableApiKey,
                 });
             case 'gemini':
                 return new ChatGoogleGenerativeAI({
                     model: config.model,
                     temperature: config.temperature,
-                    apiKey: process.env.GOOGLE_API_KEY || config.api_key
+                    apiKey: process.env.GOOGLE_API_KEY || usableApiKey
                 });
             default:
                 throw new Error(`Unsupported provider: ${config.provider}`);