morpheus-cli 0.6.5 → 0.6.7

package/README.md

@@ -82,8 +82,11 @@ Minimal `env.docker`:
 ```env
 OPENAI_API_KEY=sk-...
 THE_ARCHITECT_PASS=changeme
+MORPHEUS_SECRET=<generate-a-random-secret>
 ```
 
+> **Tip:** Generate a secure `MORPHEUS_SECRET` with: `openssl rand -base64 32` or `node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"`
+
 **2. Run:**
 
 ```bash
@@ -121,6 +124,7 @@ docker run -d \
   -p 3333:3333 \
   -e OPENAI_API_KEY=sk-... \
   -e THE_ARCHITECT_PASS=changeme \
+  -e MORPHEUS_SECRET=<generate-a-random-secret> \
   -v morpheus_data:/root/.morpheus \
   morpheus
 ```
@@ -133,6 +137,7 @@ docker run -d \
   -p 3333:3333 \
   -e OPENAI_API_KEY=sk-... \
   -e THE_ARCHITECT_PASS=changeme \
+  -e MORPHEUS_SECRET=<generate-a-random-secret> \
   -e MORPHEUS_TELEGRAM_ENABLED=true \
   -e MORPHEUS_TELEGRAM_TOKEN=<bot-token> \
   -e MORPHEUS_TELEGRAM_ALLOWED_USERS=123456789 \
@@ -148,6 +153,7 @@ docker run -d \
   -p 3333:3333 \
   -e OPENAI_API_KEY=sk-... \
   -e THE_ARCHITECT_PASS=changeme \
+  -e MORPHEUS_SECRET=<generate-a-random-secret> \
   -e MORPHEUS_DISCORD_ENABLED=true \
   -e MORPHEUS_DISCORD_TOKEN=<bot-token> \
   -e MORPHEUS_DISCORD_ALLOWED_USERS=987654321 \
@@ -365,7 +371,7 @@ Provider-specific keys:
 - `THE_ARCHITECT_PASS`
 
 Security:
-- `MORPHEUS_SECRET` — AES-256-GCM key for encrypting Trinity database passwords (required when using Trinity)
+- `MORPHEUS_SECRET` — AES-256-GCM encryption key for Trinity database passwords and agent API keys. When set, all API keys saved via UI or config file are automatically encrypted at rest.
 
 Generic Morpheus overrides (selected):
 

package/dist/channels/discord.js

@@ -7,6 +7,7 @@ import { SQLiteChatMessageHistory } from '../runtime/memory/sqlite.js';
 import { DisplayManager } from '../runtime/display.js';
 import { ConfigManager } from '../config/manager.js';
 import { createTelephonist } from '../runtime/telephonist.js';
+import { getUsableApiKey } from '../runtime/trinity-crypto.js';
 // ─── Slash Command Definitions ────────────────────────────────────────────────
 const SLASH_COMMANDS = [
     new SlashCommandBuilder()
@@ -219,8 +220,8 @@ export class DiscordAdapter {
             await channel.send('Audio transcription is currently disabled.');
             return;
         }
-        const apiKey = config.audio.apiKey ||
-            (config.llm.provider === config.audio.provider ? config.llm.api_key : undefined);
+        const apiKey = getUsableApiKey(config.audio.apiKey) ||
+            (config.llm.provider === config.audio.provider ? getUsableApiKey(config.llm.api_key) : undefined);
         if (!apiKey) {
             this.display.log(`Audio transcription failed: No API key for provider '${config.audio.provider}'`, { source: 'Telephonist', level: 'error' });
             await channel.send(`Audio transcription requires an API key for provider '${config.audio.provider}'.`);

package/dist/channels/telegram.js

@@ -8,6 +8,7 @@ import { spawn } from 'child_process';
 import { ConfigManager } from '../config/manager.js';
 import { DisplayManager } from '../runtime/display.js';
 import { createTelephonist } from '../runtime/telephonist.js';
+import { getUsableApiKey } from '../runtime/trinity-crypto.js';
 import { readPid, isProcessRunning, checkStalePid } from '../runtime/lifecycle.js';
 import { SQLiteChatMessageHistory } from '../runtime/memory/sqlite.js';
 import { SatiRepository } from '../runtime/memory/sati/repository.js';
@@ -281,8 +282,8 @@ export class TelegramAdapter {
                     await ctx.reply("Audio transcription is currently disabled.");
                     return;
                 }
-                const apiKey = config.audio.apiKey ||
-                    (config.llm.provider === config.audio.provider ? config.llm.api_key : undefined);
+                const apiKey = getUsableApiKey(config.audio.apiKey) ||
+                    (config.llm.provider === config.audio.provider ? getUsableApiKey(config.llm.api_key) : undefined);
                 if (!apiKey) {
                     this.display.log(`Audio transcription failed: No API key available for provider '${config.audio.provider}'`, { source: 'Telephonist', level: 'error' });
                     await ctx.reply(`Audio transcription requires an API key for provider '${config.audio.provider}'. Please configure \`audio.apiKey\` or use the same provider as your LLM.`);

package/dist/cli/commands/start.js

@@ -1,6 +1,7 @@
 import { Command } from 'commander';
 import chalk from 'chalk';
 import fs from 'fs-extra';
+import path from 'path';
 import { confirm } from '@inquirer/prompts';
 import { scaffold } from '../../runtime/scaffold.js';
 import { DisplayManager } from '../../runtime/display.js';
@@ -21,6 +22,35 @@ import { TaskWorker } from '../../runtime/tasks/worker.js';
 import { TaskNotifier } from '../../runtime/tasks/notifier.js';
 import { ChronosWorker } from '../../runtime/chronos/worker.js';
 import { ChronosRepository } from '../../runtime/chronos/repository.js';
+// Load .env file explicitly in start command
+const envPath = path.join(process.cwd(), '.env');
+if (fs.existsSync(envPath)) {
+    try {
+        const envConfig = fs.readFileSync(envPath, 'utf-8');
+        envConfig.split('\n').forEach(line => {
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith('#'))
+                return;
+            const match = trimmed.match(/^([^=]+)=(.*)$/);
+            if (match) {
+                const key = match[1].trim();
+                let value = match[2].trim();
+                // Remove quotes if present
+                if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
+                    value = value.slice(1, -1);
+                }
+                // Don't overwrite existing env vars
+                if (!process.env[key]) {
+                    process.env[key] = value;
+                }
+            }
+        });
+        console.log('[DEBUG] Loaded .env file from:', envPath);
+    }
+    catch (err) {
+        console.error('[WARN] Failed to load .env:', err);
+    }
+}
 export const startCommand = new Command('start')
     .description('Start the Morpheus agent')
     .option('--ui', 'Enable web UI', true)

package/dist/config/manager.js

@@ -6,6 +6,8 @@ import { setByPath } from './utils.js';
 import { ConfigSchema } from './schemas.js';
 import { migrateConfigFile } from '../runtime/migration.js';
 import { resolveApiKey, resolveModel, resolveNumeric, resolveString, resolveBoolean, resolveProvider, resolveStringArray } from './precedence.js';
+import { encrypt, safeDecrypt, looksLikeEncrypted, canEncrypt } from '../runtime/trinity-crypto.js';
+import { DisplayManager } from '../runtime/display.js';
 export class ConfigManager {
     static instance;
     config = DEFAULT_CONFIG;
@@ -16,6 +18,89 @@ export class ConfigManager {
         }
         return ConfigManager.instance;
     }
+    /**
+     * Decrypts API keys in config if they appear to be encrypted.
+     * Fail-open: returns original value if decryption fails.
+     */
+    decryptAgentApiKeys(config) {
+        const decrypted = { ...config };
+        // Helper to decrypt a single key
+        const tryDecrypt = (apiKey) => {
+            if (!apiKey)
+                return undefined;
+            if (!looksLikeEncrypted(apiKey))
+                return apiKey;
+            const decrypted = safeDecrypt(apiKey);
+            return decrypted ?? apiKey; // Return original if decryption fails
+        };
+        // Decrypt Oracle/LLM
+        if (decrypted.llm.api_key) {
+            decrypted.llm = { ...decrypted.llm, api_key: tryDecrypt(decrypted.llm.api_key) };
+        }
+        // Decrypt Sati
+        if (decrypted.sati?.api_key) {
+            decrypted.sati = { ...decrypted.sati, api_key: tryDecrypt(decrypted.sati.api_key) };
+        }
+        // Decrypt Apoc
+        if (decrypted.apoc?.api_key) {
+            decrypted.apoc = { ...decrypted.apoc, api_key: tryDecrypt(decrypted.apoc.api_key) };
+        }
+        // Decrypt Neo
+        if (decrypted.neo?.api_key) {
+            decrypted.neo = { ...decrypted.neo, api_key: tryDecrypt(decrypted.neo.api_key) };
+        }
+        // Decrypt Trinity
+        if (decrypted.trinity?.api_key) {
+            decrypted.trinity = { ...decrypted.trinity, api_key: tryDecrypt(decrypted.trinity.api_key) };
+        }
+        // Decrypt Audio (Telephonist)
+        if (decrypted.audio?.apiKey) {
+            decrypted.audio = { ...decrypted.audio, apiKey: tryDecrypt(decrypted.audio.apiKey) };
+        }
+        return decrypted;
+    }
+    /**
+     * Encrypts API keys in config if MORPHEUS_SECRET is set.
+     */
+    encryptAgentApiKeys(config) {
+        if (!canEncrypt())
+            return config;
+        const encrypted = { ...config };
+        // Helper to encrypt a single key
+        const tryEncrypt = (apiKey) => {
+            if (!apiKey)
+                return undefined;
+            // Don't double-encrypt
+            if (looksLikeEncrypted(apiKey))
+                return apiKey;
+            return encrypt(apiKey);
+        };
+        // Encrypt Oracle/LLM
+        if (encrypted.llm.api_key) {
+            encrypted.llm = { ...encrypted.llm, api_key: tryEncrypt(encrypted.llm.api_key) };
+        }
+        // Encrypt Sati
+        if (encrypted.sati?.api_key) {
+            encrypted.sati = { ...encrypted.sati, api_key: tryEncrypt(encrypted.sati.api_key) };
+        }
+        // Encrypt Apoc
+        if (encrypted.apoc?.api_key) {
+            encrypted.apoc = { ...encrypted.apoc, api_key: tryEncrypt(encrypted.apoc.api_key) };
+        }
+        // Encrypt Neo
+        if (encrypted.neo?.api_key) {
+            encrypted.neo = { ...encrypted.neo, api_key: tryEncrypt(encrypted.neo.api_key) };
+        }
+        // Encrypt Trinity
+        if (encrypted.trinity?.api_key) {
+            encrypted.trinity = { ...encrypted.trinity, api_key: tryEncrypt(encrypted.trinity.api_key) };
+        }
+        // Encrypt Audio (Telephonist)
+        if (encrypted.audio?.apiKey) {
+            encrypted.audio = { ...encrypted.audio, apiKey: tryEncrypt(encrypted.audio.apiKey) };
+        }
+        return encrypted;
+    }
     async load() {
         try {
             await migrateConfigFile();
@@ -222,9 +307,16 @@ export class ConfigManager {
     }
     async save(newConfig) {
         // Deep merge or overwrite? simpler to overwrite for now or merge top level
-        const updated = { ...this.config, ...newConfig };
+        let updated = { ...this.config, ...newConfig };
+        // Encrypt API keys before saving if MORPHEUS_SECRET is set
+        updated = this.encryptAgentApiKeys(updated);
         // Validate before saving
         const valid = ConfigSchema.parse(updated);
+        // Warn if saving without encryption
+        if (!canEncrypt()) {
+            const display = DisplayManager.getInstance();
+            display.log('API keys saved in PLAINTEXT. Set MORPHEUS_SECRET environment variable to enable AES-256-GCM encryption.', { source: 'ConfigManager', level: 'warning' });
+        }
         await fs.ensureDir(PATHS.root);
         await fs.writeFile(PATHS.config, yaml.dump(valid), 'utf8');
         this.config = valid;
@@ -285,4 +377,28 @@ export class ConfigManager {
         }
         return defaults;
     }
+    /**
+     * Returns encryption status for all agent API keys.
+     */
+    getEncryptionStatus() {
+        const checkKey = (apiKey) => {
+            if (!apiKey)
+                return true; // No key = not plaintext
+            return looksLikeEncrypted(apiKey);
+        };
+        const apiKeysEncrypted = {
+            oracle: checkKey(this.config.llm.api_key),
+            sati: checkKey(this.config.sati?.api_key),
+            neo: checkKey(this.config.neo?.api_key),
+            apoc: checkKey(this.config.apoc?.api_key),
+            trinity: checkKey(this.config.trinity?.api_key),
+            audio: checkKey(this.config.audio?.apiKey),
+        };
+        const hasPlaintextKeys = Object.values(apiKeysEncrypted).some(encrypted => !encrypted);
+        return {
+            morpheusSecretSet: canEncrypt(),
+            apiKeysEncrypted,
+            hasPlaintextKeys,
+        };
+    }
 }

package/dist/config/precedence.js

@@ -136,3 +136,110 @@ export function resolveProvider(genericEnvVar, configFileValue, defaultValue) {
     }
     return defaultValue;
 }
+/**
+ * Check if a configuration value is being overridden by an environment variable.
+ * Returns true if the value comes from an environment variable (either provider-specific or generic).
+ */
+export function isOverriddenByEnv(provider, genericEnvVar, configFileValue) {
+    const providerSpecificVars = {
+        'openai': 'OPENAI_API_KEY',
+        'anthropic': 'ANTHROPIC_API_KEY',
+        'openrouter': 'OPENROUTER_API_KEY',
+        'ollama': '',
+        'gemini': 'GOOGLE_API_KEY'
+    };
+    const providerSpecificVar = providerSpecificVars[provider];
+    // Check if provider-specific variable is set
+    if (providerSpecificVar && process.env[providerSpecificVar]) {
+        return true;
+    }
+    // Check if generic variable is set
+    if (process.env[genericEnvVar]) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Check if a generic configuration value is being overridden by an environment variable.
+ */
+export function isEnvVarSet(envVarName) {
+    return process.env[envVarName] !== undefined && process.env[envVarName] !== '';
+}
+/**
+ * Get list of all active environment variable overrides for agent configurations.
+ */
+export function getActiveEnvOverrides() {
+    const overrides = {};
+    // LLM/Oracle
+    if (isEnvVarSet('MORPHEUS_LLM_PROVIDER'))
+        overrides['llm.provider'] = true;
+    if (isEnvVarSet('MORPHEUS_LLM_MODEL'))
+        overrides['llm.model'] = true;
+    if (isEnvVarSet('MORPHEUS_LLM_TEMPERATURE'))
+        overrides['llm.temperature'] = true;
+    if (isEnvVarSet('MORPHEUS_LLM_MAX_TOKENS'))
+        overrides['llm.max_tokens'] = true;
+    if (isEnvVarSet('MORPHEUS_LLM_API_KEY'))
+        overrides['llm.api_key'] = true;
+    if (isEnvVarSet('MORPHEUS_LLM_CONTEXT_WINDOW'))
+        overrides['llm.context_window'] = true;
+    // Provider-specific API keys
+    if (isEnvVarSet('OPENAI_API_KEY'))
+        overrides['llm.api_key_openai'] = true;
+    if (isEnvVarSet('ANTHROPIC_API_KEY'))
+        overrides['llm.api_key_anthropic'] = true;
+    if (isEnvVarSet('GOOGLE_API_KEY'))
+        overrides['llm.api_key_gemini'] = true;
+    if (isEnvVarSet('OPENROUTER_API_KEY'))
+        overrides['llm.api_key_openrouter'] = true;
+    // Sati
+    if (isEnvVarSet('MORPHEUS_SATI_PROVIDER'))
+        overrides['sati.provider'] = true;
+    if (isEnvVarSet('MORPHEUS_SATI_MODEL'))
+        overrides['sati.model'] = true;
+    if (isEnvVarSet('MORPHEUS_SATI_TEMPERATURE'))
+        overrides['sati.temperature'] = true;
+    if (isEnvVarSet('MORPHEUS_SATI_API_KEY'))
+        overrides['sati.api_key'] = true;
+    // Neo
+    if (isEnvVarSet('MORPHEUS_NEO_PROVIDER'))
+        overrides['neo.provider'] = true;
+    if (isEnvVarSet('MORPHEUS_NEO_MODEL'))
+        overrides['neo.model'] = true;
+    if (isEnvVarSet('MORPHEUS_NEO_TEMPERATURE'))
+        overrides['neo.temperature'] = true;
+    if (isEnvVarSet('MORPHEUS_NEO_API_KEY'))
+        overrides['neo.api_key'] = true;
+    // Apoc
+    if (isEnvVarSet('MORPHEUS_APOC_PROVIDER'))
+        overrides['apoc.provider'] = true;
+    if (isEnvVarSet('MORPHEUS_APOC_MODEL'))
+        overrides['apoc.model'] = true;
+    if (isEnvVarSet('MORPHEUS_APOC_TEMPERATURE'))
+        overrides['apoc.temperature'] = true;
+    if (isEnvVarSet('MORPHEUS_APOC_API_KEY'))
+        overrides['apoc.api_key'] = true;
+    if (isEnvVarSet('MORPHEUS_APOC_WORKING_DIR'))
+        overrides['apoc.working_dir'] = true;
+    if (isEnvVarSet('MORPHEUS_APOC_TIMEOUT_MS'))
+        overrides['apoc.timeout_ms'] = true;
+    // Trinity
+    if (isEnvVarSet('MORPHEUS_TRINITY_PROVIDER'))
+        overrides['trinity.provider'] = true;
+    if (isEnvVarSet('MORPHEUS_TRINITY_MODEL'))
+        overrides['trinity.model'] = true;
+    if (isEnvVarSet('MORPHEUS_TRINITY_TEMPERATURE'))
+        overrides['trinity.temperature'] = true;
+    if (isEnvVarSet('MORPHEUS_TRINITY_API_KEY'))
+        overrides['trinity.api_key'] = true;
+    // Audio
+    if (isEnvVarSet('MORPHEUS_AUDIO_PROVIDER'))
+        overrides['audio.provider'] = true;
+    if (isEnvVarSet('MORPHEUS_AUDIO_MODEL'))
+        overrides['audio.model'] = true;
+    if (isEnvVarSet('MORPHEUS_AUDIO_API_KEY'))
+        overrides['audio.apiKey'] = true;
+    if (isEnvVarSet('MORPHEUS_AUDIO_MAX_DURATION'))
+        overrides['audio.maxDurationSeconds'] = true;
+    return overrides;
+}

package/dist/http/api.js

@@ -18,6 +18,7 @@ import { Trinity } from '../runtime/trinity.js';
 import { ChronosRepository } from '../runtime/chronos/repository.js';
 import { ChronosWorker } from '../runtime/chronos/worker.js';
 import { createChronosJobRouter, createChronosConfigRouter } from './routers/chronos.js';
+import { getActiveEnvOverrides } from '../config/precedence.js';
 async function readLastLines(filePath, n) {
     try {
         const content = await fs.readFile(filePath, 'utf8');
@@ -813,6 +814,34 @@ export function createApiRouter(oracle, chronosWorker) {
             res.status(500).json({ error: error.message });
         }
     });
+    // ─── Encryption Status ─────────────────────────────────────────────────────
+    router.get('/config/encryption-status', (req, res) => {
+        try {
+            const status = configManager.getEncryptionStatus();
+            res.json(status);
+        }
+        catch (error) {
+            res.status(500).json({ error: error.message });
+        }
+    });
+    // ─── Environment Variable Overrides ────────────────────────────────────────
+    router.get('/config/env-overrides', (req, res) => {
+        try {
+            const overrides = getActiveEnvOverrides();
+            // Debug log to see what's being detected
+            // console.log('[DEBUG] Env overrides:', JSON.stringify(overrides, null, 2));
+            // console.log('[DEBUG] Sample env vars:', {
+            //   MORPHEUS_LLM_PROVIDER: !!process.env.MORPHEUS_LLM_PROVIDER,
+            //   MORPHEUS_LLM_MODEL: !!process.env.MORPHEUS_LLM_MODEL,
+            //   OPENAI_API_KEY: !!process.env.OPENAI_API_KEY,
+            // });
+            res.json(overrides);
+        }
+        catch (error) {
+            console.error('[ERROR] Failed to get env overrides:', error);
+            res.status(500).json({ error: error.message });
+        }
+    });
     // ─── Trinity Databases CRUD ─────────────────────────────────────────────────
     const DatabaseCreateSchema = z.object({
         name: z.string().min(1).max(100),

package/dist/runtime/providers/factory.js

@@ -5,6 +5,7 @@ import { ChatGoogleGenerativeAI } from "@langchain/google-genai";
 import { ProviderError } from "../errors.js";
 import { createAgent, createMiddleware } from "langchain";
 import { DisplayManager } from "../display.js";
+import { getUsableApiKey } from "../trinity-crypto.js";
 export class ProviderFactory {
     static buildMonitoringMiddleware() {
         const display = DisplayManager.getInstance();
@@ -26,24 +27,25 @@ export class ProviderFactory {
         });
     }
     static buildModel(config) {
+        const usableApiKey = getUsableApiKey(config.api_key);
         switch (config.provider) {
             case 'openai':
                 return new ChatOpenAI({
                     modelName: config.model,
                     temperature: config.temperature,
-                    apiKey: process.env.OPENAI_API_KEY || config.api_key,
+                    apiKey: process.env.OPENAI_API_KEY || usableApiKey,
                 });
             case 'anthropic':
                 return new ChatAnthropic({
                     modelName: config.model,
                     temperature: config.temperature,
-                    apiKey: process.env.ANTHROPIC_API_KEY || config.api_key,
+                    apiKey: process.env.ANTHROPIC_API_KEY || usableApiKey,
                 });
             case 'openrouter':
                 return new ChatOpenAI({
                     modelName: config.model,
                     temperature: config.temperature,
-                    apiKey: process.env.OPENROUTER_API_KEY || config.api_key,
+                    apiKey: process.env.OPENROUTER_API_KEY || usableApiKey,
                     configuration: {
                         baseURL: config.base_url || 'https://openrouter.ai/api/v1'
                     }
@@ -52,13 +54,13 @@ export class ProviderFactory {
                 return new ChatOllama({
                     model: config.model,
                     temperature: config.temperature,
-                    baseUrl: config.base_url || config.api_key,
+                    baseUrl: config.base_url || usableApiKey,
                 });
             case 'gemini':
                 return new ChatGoogleGenerativeAI({
                     model: config.model,
                     temperature: config.temperature,
-                    apiKey: process.env.GOOGLE_API_KEY || config.api_key
+                    apiKey: process.env.GOOGLE_API_KEY || usableApiKey
                 });
             default:
                 throw new Error(`Unsupported provider: ${config.provider}`);

package/dist/runtime/tools/morpheus-tools.js

@@ -7,8 +7,58 @@ import { homedir } from "os";
 import Database from "better-sqlite3";
 import { TaskRepository } from "../tasks/repository.js";
 import { TaskRequestContext } from "../tasks/context.js";
+import { isEnvVarSet } from "../../config/precedence.js";
 // ─── Shared ───────────────────────────────────────────────────────────────────
 const shortMemoryDbPath = path.join(homedir(), ".morpheus", "memory", "short-memory.db");
+/**
+ * Map of config paths to their corresponding environment variable names.
+ * Used to check if a config field is being overridden by an env var.
+ */
+const CONFIG_TO_ENV_MAP = {
+    'llm.provider': ['MORPHEUS_LLM_PROVIDER'],
+    'llm.model': ['MORPHEUS_LLM_MODEL'],
+    'llm.temperature': ['MORPHEUS_LLM_TEMPERATURE'],
+    'llm.max_tokens': ['MORPHEUS_LLM_MAX_TOKENS'],
+    'llm.api_key': ['MORPHEUS_LLM_API_KEY', 'OPENAI_API_KEY', 'ANTHROPIC_API_KEY', 'GOOGLE_API_KEY', 'OPENROUTER_API_KEY'],
+    'llm.context_window': ['MORPHEUS_LLM_CONTEXT_WINDOW'],
+    'sati.provider': ['MORPHEUS_SATI_PROVIDER'],
+    'sati.model': ['MORPHEUS_SATI_MODEL'],
+    'sati.temperature': ['MORPHEUS_SATI_TEMPERATURE'],
+    'sati.api_key': ['MORPHEUS_SATI_API_KEY'],
+    'neo.provider': ['MORPHEUS_NEO_PROVIDER'],
+    'neo.model': ['MORPHEUS_NEO_MODEL'],
+    'neo.temperature': ['MORPHEUS_NEO_TEMPERATURE'],
+    'neo.api_key': ['MORPHEUS_NEO_API_KEY'],
+    'apoc.provider': ['MORPHEUS_APOC_PROVIDER'],
+    'apoc.model': ['MORPHEUS_APOC_MODEL'],
+    'apoc.temperature': ['MORPHEUS_APOC_TEMPERATURE'],
+    'apoc.api_key': ['MORPHEUS_APOC_API_KEY'],
+    'apoc.working_dir': ['MORPHEUS_APOC_WORKING_DIR'],
+    'apoc.timeout_ms': ['MORPHEUS_APOC_TIMEOUT_MS'],
+    'trinity.provider': ['MORPHEUS_TRINITY_PROVIDER'],
+    'trinity.model': ['MORPHEUS_TRINITY_MODEL'],
+    'trinity.temperature': ['MORPHEUS_TRINITY_TEMPERATURE'],
+    'trinity.api_key': ['MORPHEUS_TRINITY_API_KEY'],
+    'audio.provider': ['MORPHEUS_AUDIO_PROVIDER'],
+    'audio.model': ['MORPHEUS_AUDIO_MODEL'],
+    'audio.apiKey': ['MORPHEUS_AUDIO_API_KEY'],
+    'audio.maxDurationSeconds': ['MORPHEUS_AUDIO_MAX_DURATION'],
+};
+/**
+ * Checks if a config field is overridden by an environment variable.
+ */
+function isFieldOverriddenByEnv(fieldPath) {
+    const envVars = CONFIG_TO_ENV_MAP[fieldPath];
+    if (!envVars)
+        return false;
+    return envVars.some(envVar => isEnvVarSet(envVar));
+}
+/**
+ * Gets all fields that are overridden by environment variables.
+ */
+function getOverriddenFields() {
+    return Object.keys(CONFIG_TO_ENV_MAP).filter(isFieldOverriddenByEnv);
+}
 // ─── Config ───────────────────────────────────────────────────────────────────
 function setNestedValue(obj, dotPath, value) {
     const keys = dotPath.split(".");
@@ -43,23 +93,37 @@ export const ConfigQueryTool = tool(async ({ key }) => {
     }),
 });
 export const ConfigUpdateTool = tool(async ({ updates }) => {
-    try {
-        const configManager = ConfigManager.getInstance();
-        await configManager.load();
-        const currentConfig = configManager.get();
-        const newConfig = { ...currentConfig };
-        for (const key in updates) {
-            setNestedValue(newConfig, key, updates[key]);
+    const configManager = ConfigManager.getInstance();
+    await configManager.load();
+    // Check if any fields are overridden by environment variables
+    const overriddenFields = [];
+    for (const key in updates) {
+        if (isFieldOverriddenByEnv(key)) {
+            overriddenFields.push(key);
         }
-        await configManager.save(newConfig);
-        return JSON.stringify({ success: true, message: "Configuration updated successfully" });
     }
-    catch (error) {
-        return JSON.stringify({ error: `Failed to update configuration: ${error.message}` });
+    if (overriddenFields.length > 0) {
+        const envVarNames = overriddenFields
+            .flatMap(field => CONFIG_TO_ENV_MAP[field] || [])
+            .filter((v, i, arr) => arr.indexOf(v) === i) // Remove duplicates
+            .join(', ');
+        const errorMsg = `BLOCKED_BY_ENV: Cannot update ${overriddenFields.join(', ')} because these fields are controlled by environment variables (${envVarNames}). To change them, edit your .env file and restart Morpheus.`;
+        throw new Error(errorMsg);
+    }
+    const currentConfig = configManager.get();
+    const newConfig = { ...currentConfig };
+    for (const key in updates) {
+        setNestedValue(newConfig, key, updates[key]);
     }
+    await configManager.save(newConfig);
+    return JSON.stringify({
+        success: true,
+        message: "Configuration updated successfully",
+        updatedFields: Object.keys(updates),
+    });
 }, {
     name: "morpheus_config_update",
-    description: "Updates configuration values with validation. Accepts an 'updates' object containing key-value pairs to update. Supports dot notation for nested fields (e.g. 'llm.model').",
+    description: "Updates configuration values with validation. Accepts an 'updates' object containing key-value pairs to update. Supports dot notation for nested fields (e.g. 'llm.model'). Note: Fields overridden by environment variables cannot be updated.",
     schema: z.object({
         updates: z.object({}).passthrough(),
     }),
@@ -77,30 +141,39 @@ export const DiagnosticTool = tool(async () => {
             const config = configManager.get();
             const requiredFields = ["llm", "logging", "ui"];
             const missingFields = requiredFields.filter((field) => !(field in config));
+            // Check MORPHEUS_SECRET
+            const hasSecret = !!process.env.MORPHEUS_SECRET;
             if (missingFields.length === 0) {
                 const sati = config.sati;
                 const apoc = config.apoc;
+                const details = {
+                    oracleProvider: config.llm?.provider,
+                    oracleModel: config.llm?.model,
+                    satiProvider: sati?.provider ?? `${config.llm?.provider} (inherited)`,
+                    satiModel: sati?.model ?? `${config.llm?.model} (inherited)`,
+                    apocProvider: apoc?.provider ?? `${config.llm?.provider} (inherited)`,
+                    apocModel: apoc?.model ?? `${config.llm?.model} (inherited)`,
+                    apocWorkingDir: apoc?.working_dir ?? "not set",
+                    uiEnabled: config.ui?.enabled,
+                    uiPort: config.ui?.port,
+                    morpheusSecret: hasSecret ? "configured ✓" : "NOT SET ⚠️",
+                };
                 components.config = {
-                    status: "healthy",
-                    message: "Configuration is valid and complete",
-                    details: {
-                        oracleProvider: config.llm?.provider,
-                        oracleModel: config.llm?.model,
-                        satiProvider: sati?.provider ?? `${config.llm?.provider} (inherited)`,
-                        satiModel: sati?.model ?? `${config.llm?.model} (inherited)`,
-                        apocProvider: apoc?.provider ?? `${config.llm?.provider} (inherited)`,
-                        apocModel: apoc?.model ?? `${config.llm?.model} (inherited)`,
-                        apocWorkingDir: apoc?.working_dir ?? "not set",
-                        uiEnabled: config.ui?.enabled,
-                        uiPort: config.ui?.port,
-                    },
+                    status: hasSecret ? "healthy" : "warning",
+                    message: hasSecret
+                        ? "Configuration is valid and complete"
+                        : "Configuration is valid but MORPHEUS_SECRET is not set. API keys and database passwords will be stored in plaintext.",
+                    details,
                 };
             }
             else {
                 components.config = {
                     status: "warning",
                     message: `Missing required configuration fields: ${missingFields.join(", ")}`,
-                    details: { missingFields },
+                    details: {
+                        missingFields,
+                        morpheusSecret: hasSecret ? "configured ✓" : "NOT SET ⚠️",
+                    },
                 };
             }
         }