nextclaw 0.8.33 → 0.8.35

package/dist/cli/index.js

@@ -6,9 +6,9 @@ import { APP_NAME as APP_NAME5, APP_TAGLINE } from "@nextclaw/core";
 
 // src/cli/runtime.ts
 import {
-  loadConfig as loadConfig6,
-  saveConfig as saveConfig5,
-  getConfigPath as getConfigPath3,
+  loadConfig as loadConfig7,
+  saveConfig as saveConfig6,
+  getConfigPath as getConfigPath4,
   getDataDir as getDataDir7,
   ConfigSchema as ConfigSchema2,
   getWorkspacePath as getWorkspacePath6,
@@ -16,6 +16,7 @@ import {
   MessageBus as MessageBus2,
   AgentLoop as AgentLoop2,
   ProviderManager as ProviderManager2,
+  resolveConfigSecrets as resolveConfigSecrets3,
   APP_NAME as APP_NAME4,
   DEFAULT_WORKSPACE_DIR,
   DEFAULT_WORKSPACE_PATH
@@ -25,7 +26,7 @@ import {
   resolvePluginChannelMessageToolHints as resolvePluginChannelMessageToolHints2,
   setPluginRuntimeBridge as setPluginRuntimeBridge2
 } from "@nextclaw/openclaw-compat";
-import { existsSync as existsSync9, mkdirSync as mkdirSync5, readFileSync as readFileSync6, writeFileSync as writeFileSync4 } from "fs";
+import { existsSync as existsSync9, mkdirSync as mkdirSync5, readFileSync as readFileSync7, writeFileSync as writeFileSync4 } from "fs";
 import { join as join6, resolve as resolve9 } from "path";
 import { createInterface as createInterface2 } from "readline";
 import { fileURLToPath as fileURLToPath4 } from "url";
@@ -1312,9 +1313,332 @@ var ConfigCommands = class {
   }
 };
 
+// src/cli/commands/secrets.ts
+import { readFileSync as readFileSync3 } from "fs";
+import {
+  buildReloadPlan as buildReloadPlan2,
+  diffConfigPaths as diffConfigPaths2,
+  getConfigPath,
+  loadConfig as loadConfig3,
+  resolveConfigSecrets,
+  saveConfig as saveConfig3
+} from "@nextclaw/core";
+var SECRET_SOURCES = ["env", "file", "exec"];
+function normalizeSecretSource(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const normalized = value.trim().toLowerCase();
+  return SECRET_SOURCES.includes(normalized) ? normalized : null;
+}
+function normalizeOptionalString(value) {
+  if (typeof value !== "string") {
+    return void 0;
+  }
+  const trimmed = value.trim();
+  return trimmed || void 0;
+}
+function parseTimeoutMs(value) {
+  if (value === void 0 || value === null || value === "") {
+    return void 0;
+  }
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    throw new Error(`invalid timeout: ${String(value)}`);
+  }
+  return Math.trunc(parsed);
+}
+function inferProviderAlias(config2, ref) {
+  const explicit = normalizeOptionalString(ref.provider);
+  if (explicit) {
+    return explicit;
+  }
+  const defaultAlias = normalizeOptionalString(config2.secrets.defaults[ref.source]);
+  if (defaultAlias) {
+    return defaultAlias;
+  }
+  return ref.source;
+}
+function summarizeAudit(items) {
+  const ok = items.filter((item) => item.ok).length;
+  return {
+    total: items.length,
+    ok,
+    failed: items.length - ok
+  };
+}
+function parseRefsPatch(raw) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    throw new Error("refs patch must be an object");
+  }
+  const output = {};
+  for (const [path, value] of Object.entries(raw)) {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+      throw new Error(`invalid ref for ${path}`);
+    }
+    const source = normalizeSecretSource(value.source);
+    const id = normalizeOptionalString(value.id);
+    const provider = normalizeOptionalString(value.provider);
+    if (!source || !id) {
+      throw new Error(`invalid ref for ${path}: source/id is required`);
+    }
+    output[path] = { source, ...provider ? { provider } : {}, id };
+  }
+  return output;
+}
+function parseApplyFile(raw) {
+  const data = JSON.parse(raw);
+  if (!data || typeof data !== "object" || Array.isArray(data)) {
+    throw new Error("apply file must be an object");
+  }
+  const record = data;
+  if (record.refs || record.providers || record.defaults || Object.prototype.hasOwnProperty.call(record, "enabled")) {
+    const patch = {};
+    if (Object.prototype.hasOwnProperty.call(record, "enabled")) {
+      patch.enabled = Boolean(record.enabled);
+    }
+    if (record.defaults && typeof record.defaults === "object" && !Array.isArray(record.defaults)) {
+      patch.defaults = record.defaults;
+    }
+    if (record.providers && typeof record.providers === "object" && !Array.isArray(record.providers)) {
+      patch.providers = record.providers;
+    }
+    if (record.refs) {
+      patch.refs = parseRefsPatch(record.refs);
+    }
+    return patch;
+  }
+  return { refs: parseRefsPatch(record) };
+}
+var SecretsCommands = class {
+  constructor(deps) {
+    this.deps = deps;
+  }
+  secretsAudit(opts = {}) {
+    const config2 = loadConfig3();
+    const configPath = getConfigPath();
+    const refs = config2.secrets.refs;
+    const items = [];
+    for (const [path, ref] of Object.entries(refs)) {
+      const provider = inferProviderAlias(config2, ref);
+      const scopedConfig = structuredClone(config2);
+      scopedConfig.secrets.refs = { [path]: ref };
+      try {
+        const resolved = resolveConfigSecrets(scopedConfig, { configPath });
+        const parsedPath = parseRequiredConfigPath(path);
+        const target = getAtConfigPath(resolved, parsedPath);
+        if (!target.found) {
+          items.push({
+            path,
+            source: ref.source,
+            provider,
+            id: ref.id,
+            ok: false,
+            detail: "resolved but path not found"
+          });
+          continue;
+        }
+        const resolvedValue = target.value;
+        const detail = typeof resolvedValue === "string" ? `resolved (length=${resolvedValue.length})` : `resolved (${typeof resolvedValue})`;
+        items.push({
+          path,
+          source: ref.source,
+          provider,
+          id: ref.id,
+          ok: true,
+          detail
+        });
+      } catch (error) {
+        items.push({
+          path,
+          source: ref.source,
+          provider,
+          id: ref.id,
+          ok: false,
+          detail: String(error)
+        });
+      }
+    }
+    const summary = summarizeAudit(items);
+    if (opts.json) {
+      console.log(JSON.stringify({ summary, items }, null, 2));
+    } else if (!items.length) {
+      console.log("No secret refs configured.");
+    } else {
+      for (const item of items) {
+        const status = item.ok ? "OK" : "ERROR";
+        console.log(
+          `[${status}] ${item.path} <- ${item.source}:${item.provider}:${item.id} (${item.detail})`
+        );
+      }
+      console.log(`Summary: total=${summary.total}, ok=${summary.ok}, failed=${summary.failed}`);
+    }
+    const strict = Boolean(opts.strict);
+    if (strict && summary.failed > 0) {
+      process.exitCode = 1;
+    }
+  }
+  async secretsConfigure(opts) {
+    const alias = normalizeOptionalString(opts.provider);
+    if (!alias) {
+      throw new Error("provider alias is required");
+    }
+    const prevConfig = loadConfig3();
+    const nextConfig = structuredClone(prevConfig);
+    const remove = Boolean(opts.remove);
+    if (remove) {
+      delete nextConfig.secrets.providers[alias];
+      for (const source of SECRET_SOURCES) {
+        if (nextConfig.secrets.defaults[source] === alias) {
+          delete nextConfig.secrets.defaults[source];
+        }
+      }
+    } else {
+      const source = normalizeSecretSource(opts.source);
+      if (!source) {
+        throw new Error("source is required and must be one of env/file/exec");
+      }
+      if (source === "env") {
+        nextConfig.secrets.providers[alias] = {
+          source,
+          ...normalizeOptionalString(opts.prefix) ? { prefix: normalizeOptionalString(opts.prefix) } : {}
+        };
+      } else if (source === "file") {
+        const path = normalizeOptionalString(opts.path);
+        if (!path) {
+          throw new Error("file source requires --path");
+        }
+        nextConfig.secrets.providers[alias] = {
+          source,
+          path,
+          format: "json"
+        };
+      } else {
+        const command = normalizeOptionalString(opts.command);
+        if (!command) {
+          throw new Error("exec source requires --command");
+        }
+        nextConfig.secrets.providers[alias] = {
+          source,
+          command,
+          args: Array.isArray(opts.arg) ? opts.arg : [],
+          ...normalizeOptionalString(opts.cwd) ? { cwd: normalizeOptionalString(opts.cwd) } : {},
+          timeoutMs: parseTimeoutMs(opts.timeoutMs) ?? 5e3
+        };
+      }
+      if (opts.setDefault) {
+        nextConfig.secrets.defaults[source] = alias;
+      }
+    }
+    resolveConfigSecrets(nextConfig, { configPath: getConfigPath() });
+    saveConfig3(nextConfig);
+    await this.requestRestartForConfigDiff({
+      prevConfig,
+      nextConfig,
+      reason: `secrets.configure ${alias}`,
+      manualMessage: "Secrets provider updated. Restart the gateway if required."
+    });
+    if (opts.json) {
+      console.log(JSON.stringify({ ok: true, providers: nextConfig.secrets.providers, defaults: nextConfig.secrets.defaults }, null, 2));
+      return;
+    }
+    console.log(`Secrets provider ${remove ? "removed" : "configured"}: ${alias}`);
+  }
+  async secretsApply(opts) {
+    const prevConfig = loadConfig3();
+    const nextConfig = structuredClone(prevConfig);
+    if (opts.enable && opts.disable) {
+      throw new Error("cannot set --enable and --disable at the same time");
+    }
+    if (opts.enable) {
+      nextConfig.secrets.enabled = true;
+    }
+    if (opts.disable) {
+      nextConfig.secrets.enabled = false;
+    }
+    if (opts.file) {
+      const raw = readFileSync3(opts.file, "utf-8");
+      const patch = parseApplyFile(raw);
+      if (patch.defaults) {
+        nextConfig.secrets.defaults = patch.defaults;
+      }
+      if (patch.providers) {
+        nextConfig.secrets.providers = patch.providers;
+      }
+      if (patch.refs) {
+        nextConfig.secrets.refs = {
+          ...nextConfig.secrets.refs,
+          ...patch.refs
+        };
+      }
+    }
+    if (opts.path) {
+      const path = opts.path.trim();
+      if (!path) {
+        throw new Error("path is empty");
+      }
+      if (opts.remove) {
+        delete nextConfig.secrets.refs[path];
+      } else {
+        const source = normalizeSecretSource(opts.source);
+        const id = normalizeOptionalString(opts.id);
+        if (!source || !id) {
+          throw new Error("apply single ref requires --source and --id");
+        }
+        const provider = normalizeOptionalString(opts.provider);
+        nextConfig.secrets.refs[path] = {
+          source,
+          id,
+          ...provider ? { provider } : {}
+        };
+      }
+    } else if (opts.remove && !opts.file) {
+      throw new Error("--remove requires --path");
+    }
+    resolveConfigSecrets(nextConfig, { configPath: getConfigPath() });
+    saveConfig3(nextConfig);
+    await this.requestRestartForConfigDiff({
+      prevConfig,
+      nextConfig,
+      reason: "secrets.apply",
+      manualMessage: "Secrets updated. Restart the gateway if required."
+    });
+    if (opts.json) {
+      console.log(JSON.stringify({ ok: true, secrets: nextConfig.secrets }, null, 2));
+      return;
+    }
+    console.log("Secrets applied.");
+  }
+  async secretsReload(opts = {}) {
+    const config2 = loadConfig3();
+    const configPath = getConfigPath();
+    resolveConfigSecrets(config2, { configPath });
+    saveConfig3(config2);
+    if (opts.json) {
+      console.log(JSON.stringify({ ok: true, message: "secrets reload signal emitted" }, null, 2));
+      return;
+    }
+    console.log("Secrets reload signal emitted.");
+  }
+  async requestRestartForConfigDiff(params) {
+    const changedPaths = diffConfigPaths2(params.prevConfig, params.nextConfig);
+    if (!changedPaths.length) {
+      return;
+    }
+    const plan = buildReloadPlan2(changedPaths);
+    if (plan.restartRequired.length === 0) {
+      return;
+    }
+    await this.deps.requestRestart({
+      reason: `${params.reason} (${plan.restartRequired.join(", ")})`,
+      manualMessage: params.manualMessage
+    });
+  }
+};
+
 // src/cli/commands/channels.ts
 import { spawnSync as spawnSync3 } from "child_process";
-import { BUILTIN_CHANNEL_PLUGIN_IDS, getWorkspacePath as getWorkspacePath2, loadConfig as loadConfig3, saveConfig as saveConfig3, PROVIDERS as PROVIDERS2 } from "@nextclaw/core";
+import { BUILTIN_CHANNEL_PLUGIN_IDS, getWorkspacePath as getWorkspacePath2, loadConfig as loadConfig4, saveConfig as saveConfig4, PROVIDERS as PROVIDERS2 } from "@nextclaw/core";
 import { buildPluginStatusReport as buildPluginStatusReport2, enablePluginInConfig as enablePluginInConfig2, getPluginChannelBindings } from "@nextclaw/openclaw-compat";
 var CHANNEL_LABELS = {
   telegram: "Telegram",
@@ -1333,7 +1657,7 @@ var ChannelCommands = class {
     this.deps = deps;
   }
   channelsStatus() {
-    const config2 = loadConfig3();
+    const config2 = loadConfig4();
     console.log("Channel Status");
     const channelConfig = config2.channels;
     for (const channelId of BUILTIN_CHANNEL_PLUGIN_IDS) {
@@ -1372,7 +1696,7 @@ var ChannelCommands = class {
       console.error("--channel is required");
       process.exit(1);
     }
-    const config2 = loadConfig3();
+    const config2 = loadConfig4();
     const workspaceDir = getWorkspacePath2(config2.agents.defaults.workspace);
     const pluginRegistry = loadPluginRegistry(config2, workspaceDir);
     const bindings = getPluginChannelBindings(pluginRegistry);
@@ -1415,7 +1739,7 @@ var ChannelCommands = class {
     }
     let next = mergePluginConfigView(config2, nextView, bindings);
     next = enablePluginInConfig2(next, binding.pluginId);
-    saveConfig3(next);
+    saveConfig4(next);
     console.log(`Configured channel "${binding.channelId}" via plugin "${binding.pluginId}".`);
     await this.deps.requestRestart({
       reason: `channel configured via plugin: ${binding.pluginId}`,
@@ -1502,14 +1826,15 @@ var CronCommands = class {
 
 // src/cli/commands/diagnostics.ts
 import { createServer as createNetServer } from "net";
-import { existsSync as existsSync5, readFileSync as readFileSync3 } from "fs";
+import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
 import { resolve as resolve6 } from "path";
 import {
   APP_NAME,
-  getConfigPath,
+  getConfigPath as getConfigPath2,
   getDataDir as getDataDir4,
   getWorkspacePath as getWorkspacePath3,
-  loadConfig as loadConfig4,
+  hasSecretRef,
+  loadConfig as loadConfig5,
   PROVIDERS as PROVIDERS3
 } from "@nextclaw/core";
 var DiagnosticsCommands = class {
@@ -1670,8 +1995,8 @@ var DiagnosticsCommands = class {
     process.exitCode = exitCode;
   }
   async collectRuntimeStatus(params) {
-    const configPath = getConfigPath();
-    const config2 = loadConfig4();
+    const configPath = getConfigPath2();
+    const config2 = loadConfig5();
     const workspacePath = getWorkspacePath3(config2.agents.defaults.workspace);
     const serviceStatePath = resolve6(getDataDir4(), "run", "service.json");
     const fixActions = [];
@@ -1694,6 +2019,7 @@ var DiagnosticsCommands = class {
     const orphanSuspected = !running && configuredHealth.state === "ok";
     const providers = PROVIDERS3.map((spec) => {
       const provider = config2.providers[spec.name];
+      const apiKeyRefSet = hasSecretRef(config2, `providers.${spec.name}.apiKey`);
       if (!provider) {
         return { name: spec.displayName ?? spec.name, configured: false, detail: "missing config" };
       }
@@ -1706,8 +2032,8 @@ var DiagnosticsCommands = class {
       }
       return {
         name: spec.displayName ?? spec.name,
-        configured: Boolean(provider.apiKey),
-        detail: provider.apiKey ? "apiKey set" : "apiKey not set"
+        configured: Boolean(provider.apiKey) || apiKeyRefSet,
+        detail: provider.apiKey ? "apiKey set" : apiKeyRefSet ? "apiKey ref set" : "apiKey not set"
       };
     });
     const issues = [];
@@ -1804,7 +2130,7 @@ var DiagnosticsCommands = class {
       return [];
     }
     try {
-      const lines = readFileSync3(path, "utf-8").split(/\r?\n/).filter(Boolean);
+      const lines = readFileSync4(path, "utf-8").split(/\r?\n/).filter(Boolean);
       if (lines.length <= maxLines) {
         return lines;
       }
@@ -1852,19 +2178,20 @@ import chokidar from "chokidar";
 
 // src/cli/gateway/controller.ts
 import { createHash } from "crypto";
-import { existsSync as existsSync6, readFileSync as readFileSync4 } from "fs";
+import { existsSync as existsSync6, readFileSync as readFileSync5 } from "fs";
 import {
   buildConfigSchema,
   ConfigSchema,
+  normalizeInlineSecretRefs,
   redactConfigObject
 } from "@nextclaw/core";
 var hashRaw = (raw) => createHash("sha256").update(raw).digest("hex");
-var readConfigSnapshot = (getConfigPath4) => {
-  const path = getConfigPath4();
+var readConfigSnapshot = (getConfigPath5) => {
+  const path = getConfigPath5();
   let raw = "";
   let parsed = {};
   if (existsSync6(path)) {
-    raw = readFileSync4(path, "utf-8");
+    raw = readFileSync5(path, "utf-8");
     try {
       parsed = JSON.parse(raw);
     } catch {
@@ -1874,7 +2201,7 @@ var readConfigSnapshot = (getConfigPath4) => {
   let config2;
   let valid = true;
   try {
-    config2 = ConfigSchema.parse(parsed);
+    config2 = ConfigSchema.parse(normalizeInlineSecretRefs(parsed));
   } catch {
     config2 = ConfigSchema.parse({});
     valid = false;
@@ -2031,7 +2358,7 @@ var GatewayControllerImpl = class {
     }
     let validated;
     try {
-      validated = ConfigSchema.parse(parsedRaw);
+      validated = ConfigSchema.parse(normalizeInlineSecretRefs(parsedRaw));
     } catch (err) {
       return { ok: false, error: `invalid config: ${String(err)}` };
     }
@@ -2074,7 +2401,7 @@ var GatewayControllerImpl = class {
     const merged = mergeDeep(snapshot.config, patch);
     let validated;
     try {
-      validated = ConfigSchema.parse(merged);
+      validated = ConfigSchema.parse(normalizeInlineSecretRefs(merged));
     } catch (err) {
       return { ok: false, error: `invalid config: ${String(err)}` };
     }
@@ -2141,8 +2468,8 @@ var GatewayControllerImpl = class {
 
 // src/cli/config-reloader.ts
 import {
-  buildReloadPlan as buildReloadPlan2,
-  diffConfigPaths as diffConfigPaths2,
+  buildReloadPlan as buildReloadPlan3,
+  diffConfigPaths as diffConfigPaths3,
   ChannelManager
 } from "@nextclaw/core";
 var ConfigReloader = class {
@@ -2168,13 +2495,13 @@ var ConfigReloader = class {
     this.options.reloadPlugins = callback;
   }
   async applyReloadPlan(nextConfig) {
-    const changedPaths = diffConfigPaths2(this.currentConfig, nextConfig);
+    const changedPaths = diffConfigPaths3(this.currentConfig, nextConfig);
     if (!changedPaths.length) {
       return;
     }
     this.currentConfig = nextConfig;
     this.options.providerManager?.setConfig(nextConfig);
-    const plan = buildReloadPlan2(changedPaths);
+    const plan = buildReloadPlan3(changedPaths);
     if (plan.reloadPlugins) {
       await this.reloadPlugins(nextConfig);
       console.log("Config reload: plugins reloaded.");
@@ -2482,17 +2809,18 @@ var {
   ChannelManager: ChannelManager2,
   CronService: CronService2,
   getApiBase,
-  getConfigPath: getConfigPath2,
+  getConfigPath: getConfigPath3,
   getDataDir: getDataDir5,
   getProvider,
   getProviderName,
   getWorkspacePath: getWorkspacePath5,
   HeartbeatService,
   LiteLLMProvider,
-  loadConfig: loadConfig5,
+  loadConfig: loadConfig6,
   MessageBus,
   ProviderManager,
-  saveConfig: saveConfig4,
+  resolveConfigSecrets: resolveConfigSecrets2,
+  saveConfig: saveConfig5,
   SessionManager,
   parseAgentScopedSessionKey: parseAgentScopedSessionKey2
 } = NextclawCore;
@@ -2508,7 +2836,8 @@ var ServiceCommands = class {
     this.deps = deps;
   }
   async startGateway(options = {}) {
-    const config2 = loadConfig5();
+    const runtimeConfigPath = getConfigPath3();
+    const config2 = resolveConfigSecrets2(loadConfig6(), { configPath: runtimeConfigPath });
     const workspace = getWorkspacePath5(config2.agents.defaults.workspace);
     let pluginRegistry = loadPluginRegistry(config2, workspace);
     let extensionRegistry = toExtensionRegistry(pluginRegistry);
@@ -2553,7 +2882,7 @@ var ServiceCommands = class {
       sessionManager,
       providerManager,
       makeProvider: (nextConfig) => this.makeProvider(nextConfig, { allowMissing: true }) ?? this.makeMissingProvider(nextConfig),
-      loadConfig: loadConfig5,
+      loadConfig: () => resolveConfigSecrets2(loadConfig6(), { configPath: runtimeConfigPath }),
       getExtensionChannels: () => extensionRegistry.channels,
       onRestartRequired: (paths) => {
         void this.deps.requestRestart({
@@ -2567,8 +2896,8 @@ var ServiceCommands = class {
       reloader,
       cron: cron2,
       sessionManager,
-      getConfigPath: getConfigPath2,
-      saveConfig: saveConfig4,
+      getConfigPath: getConfigPath3,
+      saveConfig: saveConfig5,
       requestRestart: async (options2) => {
         await this.deps.requestRestart({
           reason: options2?.reason ?? "gateway tool restart",
@@ -2594,7 +2923,7 @@ var ServiceCommands = class {
       resolveMessageToolHints: ({ channel, accountId }) => resolvePluginChannelMessageToolHints({
         registry: pluginRegistry,
         channel,
-        cfg: loadConfig5(),
+        cfg: resolveConfigSecrets2(loadConfig6(), { configPath: runtimeConfigPath }),
         accountId
       })
     });
@@ -2620,14 +2949,14 @@ var ServiceCommands = class {
     });
     let pluginChannelBindings = getPluginChannelBindings2(pluginRegistry);
     setPluginRuntimeBridge({
-      loadConfig: () => toPluginConfigView(loadConfig5(), pluginChannelBindings),
+      loadConfig: () => toPluginConfigView(resolveConfigSecrets2(loadConfig6(), { configPath: runtimeConfigPath }), pluginChannelBindings),
       writeConfigFile: async (nextConfigView) => {
         if (!nextConfigView || typeof nextConfigView !== "object" || Array.isArray(nextConfigView)) {
           throw new Error("plugin runtime writeConfigFile expects an object config");
         }
-        const current = loadConfig5();
+        const current = loadConfig6();
         const next = mergePluginConfigView(current, nextConfigView, pluginChannelBindings);
-        saveConfig4(next);
+        saveConfig5(next);
       },
       dispatchReplyWithBufferedBlockDispatcher: async ({ ctx, dispatcherOptions }) => {
         const bodyForAgent = typeof ctx.BodyForAgent === "string" ? ctx.BodyForAgent : "";
@@ -2698,7 +3027,7 @@ var ServiceCommands = class {
       console.log(`\u2713 Cron: ${cronStatus.jobs} scheduled jobs`);
     }
     console.log("\u2713 Heartbeat: every 30m");
-    const configPath = resolve7(getConfigPath2());
+    const configPath = resolve7(getConfigPath3());
     const watcher = chokidar.watch(configPath, {
       ignoreInitial: true,
       awaitWriteFinish: { stabilityThreshold: 200, pollInterval: 50 }
@@ -2842,7 +3171,7 @@ var ServiceCommands = class {
     });
   }
   async runForeground(options) {
-    const config2 = loadConfig5();
+    const config2 = loadConfig6();
     const uiConfig = resolveUiConfig(config2, options.uiOverrides);
     const uiUrl = resolveUiApiBase(uiConfig.host, uiConfig.port);
     if (options.open) {
@@ -2855,7 +3184,7 @@ var ServiceCommands = class {
     });
   }
   async startService(options) {
-    const config2 = loadConfig5();
+    const config2 = loadConfig6();
     const uiConfig = resolveUiConfig(config2, options.uiOverrides);
     const uiUrl = resolveUiApiBase(uiConfig.host, uiConfig.port);
     const apiUrl = `${uiUrl}/api`;
@@ -3038,7 +3367,7 @@ var ServiceCommands = class {
         return null;
       }
       console.error("Error: No API key configured.");
-      console.error(`Set one in ${getConfigPath2()} under providers section`);
+      console.error(`Set one in ${getConfigPath3()} under providers section`);
       process.exit(1);
     }
     return new LiteLLMProvider({
@@ -3071,7 +3400,7 @@ var ServiceCommands = class {
     const uiServer = startUiServer({
       host: uiConfig.host,
       port: uiConfig.port,
-      configPath: getConfigPath2(),
+      configPath: getConfigPath3(),
       staticDir: uiStaticDir ?? void 0,
       cronService,
       marketplace: {
@@ -3164,7 +3493,7 @@ var ServiceCommands = class {
     if (!source) {
       throw new Error("Git skill source is required");
     }
-    const workspace = getWorkspacePath5(loadConfig5().agents.defaults.workspace);
+    const workspace = getWorkspacePath5(loadConfig6().agents.defaults.workspace);
     const skillName = this.resolveGitSkillName(params.skill, source);
     const destination = this.resolveSkillInstallPath(workspace, params.installPath, skillName);
     const destinationSkillFile = join4(destination, "SKILL.md");
@@ -3246,7 +3575,7 @@ var ServiceCommands = class {
     return { message: summary, output };
   }
   async uninstallMarketplaceSkill(slug) {
-    const workspace = getWorkspacePath5(loadConfig5().agents.defaults.workspace);
+    const workspace = getWorkspacePath5(loadConfig6().agents.defaults.workspace);
     const targetDir = join4(workspace, "skills", slug);
     const skildDir = join4(workspace, ".agents", "skills", slug);
     const existingTargets = [targetDir, skildDir].filter((path) => existsSync7(path));
@@ -3262,7 +3591,7 @@ var ServiceCommands = class {
     };
   }
   installBuiltinMarketplaceSkill(slug, force) {
-    const workspace = getWorkspacePath5(loadConfig5().agents.defaults.workspace);
+    const workspace = getWorkspacePath5(loadConfig6().agents.defaults.workspace);
     const destination = join4(workspace, "skills", slug);
     const destinationSkillFile = join4(destination, "SKILL.md");
     if (existsSync7(destinationSkillFile) && !force) {
@@ -3424,7 +3753,7 @@ ${stderr}`.trim();
 };
 
 // src/cli/workspace.ts
-import { cpSync as cpSync2, existsSync as existsSync8, mkdirSync as mkdirSync4, readFileSync as readFileSync5, readdirSync, rmSync as rmSync4, writeFileSync as writeFileSync3 } from "fs";
+import { cpSync as cpSync2, existsSync as existsSync8, mkdirSync as mkdirSync4, readFileSync as readFileSync6, readdirSync, rmSync as rmSync4, writeFileSync as writeFileSync3 } from "fs";
 import { createRequire } from "module";
 import { dirname as dirname2, join as join5, resolve as resolve8 } from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
@@ -3465,7 +3794,7 @@ var WorkspaceManager = class {
         console.warn(`Warning: Template file missing: ${templatePath}`);
         continue;
       }
-      const raw = readFileSync5(templatePath, "utf-8");
+      const raw = readFileSync6(templatePath, "utf-8");
       const content = raw.replace(/\$\{APP_NAME\}/g, APP_NAME3);
       mkdirSync4(dirname2(filePath), { recursive: true });
       writeFileSync3(filePath, content);
@@ -3609,6 +3938,7 @@ var CliRuntime = class {
   workspaceManager;
   serviceCommands;
   configCommands;
+  secretsCommands;
   pluginCommands;
   channelCommands;
   cronCommands;
@@ -3622,6 +3952,9 @@ var CliRuntime = class {
     this.configCommands = new ConfigCommands({
       requestRestart: (params) => this.requestRestart(params)
     });
+    this.secretsCommands = new SecretsCommands({
+      requestRestart: (params) => this.requestRestart(params)
+    });
     this.pluginCommands = new PluginCommands();
     this.channelCommands = new ChannelCommands({
       logo: this.logo,
@@ -3822,14 +4155,14 @@ var CliRuntime = class {
     const source = options.source ?? "init";
     const prefix = options.auto ? "Auto init" : "Init";
     const force = Boolean(options.force);
-    const configPath = getConfigPath3();
+    const configPath = getConfigPath4();
     let createdConfig = false;
     if (!existsSync9(configPath)) {
       const config3 = ConfigSchema2.parse({});
-      saveConfig5(config3);
+      saveConfig6(config3);
       createdConfig = true;
     }
-    const config2 = loadConfig6();
+    const config2 = loadConfig7();
     const workspaceSetting = config2.agents.defaults.workspace;
     const workspacePath = !workspaceSetting || workspaceSetting === DEFAULT_WORKSPACE_PATH ? join6(getDataDir7(), DEFAULT_WORKSPACE_DIR) : expandHome2(workspaceSetting);
     const workspaceExisted = existsSync9(workspacePath);
@@ -3938,27 +4271,31 @@ ${this.logo} ${APP_NAME4} is ready! (${source})`);
     await this.serviceCommands.stopService();
   }
   async agent(opts) {
-    const config2 = loadConfig6();
+    const configPath = getConfigPath4();
+    const config2 = resolveConfigSecrets3(loadConfig7(), { configPath });
     const workspace = getWorkspacePath6(config2.agents.defaults.workspace);
     const pluginRegistry = loadPluginRegistry(config2, workspace);
     const extensionRegistry = toExtensionRegistry(pluginRegistry);
     logPluginDiagnostics(pluginRegistry);
     const pluginChannelBindings = getPluginChannelBindings3(pluginRegistry);
     setPluginRuntimeBridge2({
-      loadConfig: () => toPluginConfigView(loadConfig6(), pluginChannelBindings),
+      loadConfig: () => toPluginConfigView(
+        resolveConfigSecrets3(loadConfig7(), { configPath }),
+        pluginChannelBindings
+      ),
       writeConfigFile: async (nextConfigView) => {
         if (!nextConfigView || typeof nextConfigView !== "object" || Array.isArray(nextConfigView)) {
           throw new Error(
             "plugin runtime writeConfigFile expects an object config"
           );
         }
-        const current = loadConfig6();
+        const current = loadConfig7();
         const next = mergePluginConfigView(
           current,
           nextConfigView,
           pluginChannelBindings
         );
-        saveConfig5(next);
+        saveConfig6(next);
       }
     });
     try {
@@ -3985,7 +4322,7 @@ ${this.logo} ${APP_NAME4} is ready! (${source})`);
         resolveMessageToolHints: ({ channel, accountId }) => resolvePluginChannelMessageToolHints2({
           registry: pluginRegistry,
           channel,
-          cfg: loadConfig6(),
+          cfg: resolveConfigSecrets3(loadConfig7(), { configPath }),
           accountId
         })
       });
@@ -4007,7 +4344,7 @@ ${this.logo} ${APP_NAME4} is ready! (${source})`);
       const historyFile = join6(getDataDir7(), "history", "cli_history");
       const historyDir = resolve9(historyFile, "..");
       mkdirSync5(historyDir, { recursive: true });
-      const history = existsSync9(historyFile) ? readFileSync6(historyFile, "utf-8").split("\n").filter(Boolean) : [];
+      const history = existsSync9(historyFile) ? readFileSync7(historyFile, "utf-8").split("\n").filter(Boolean) : [];
       const rl = createInterface2({
         input: process.stdin,
         output: process.stdout
@@ -4119,6 +4456,18 @@ ${this.logo} ${APP_NAME4} is ready! (${source})`);
   async configUnset(pathExpr) {
     await this.configCommands.configUnset(pathExpr);
   }
+  secretsAudit(opts = {}) {
+    this.secretsCommands.secretsAudit(opts);
+  }
+  async secretsConfigure(opts) {
+    await this.secretsCommands.secretsConfigure(opts);
+  }
+  async secretsApply(opts) {
+    await this.secretsCommands.secretsApply(opts);
+  }
+  async secretsReload(opts = {}) {
+    await this.secretsCommands.secretsReload(opts);
+  }
   channelsStatus() {
     this.channelCommands.channelsStatus();
   }
@@ -4205,6 +4554,16 @@ var config = program.command("config").description("Manage config values");
 config.command("get <path>").description("Get a config value by dot path").option("--json", "Output JSON", false).action((path, opts) => runtime.configGet(path, opts));
 config.command("set <path> <value>").description("Set a config value by dot path").option("--json", "Parse value as JSON", false).action((path, value, opts) => runtime.configSet(path, value, opts));
 config.command("unset <path>").description("Remove a config value by dot path").action((path) => runtime.configUnset(path));
+var secrets = program.command("secrets").description("Manage secrets refs/providers");
+secrets.command("audit").description("Audit secret refs resolution status").option("--json", "Output JSON", false).option("--strict", "Exit non-zero when unresolved refs exist", false).action((opts) => runtime.secretsAudit(opts));
+secrets.command("configure").description("Configure a secret provider alias").requiredOption("--provider <alias>", "Provider alias").option("--source <source>", "Provider source (env|file|exec)").option("--prefix <prefix>", "Env key prefix (env source)").option("--path <path>", "Secret JSON file path (file source)").option("--command <command>", "Command for exec source").option(
+  "--arg <value>",
+  "Exec argument (repeatable)",
+  (value, previous = []) => [...previous, value],
+  []
+).option("--cwd <dir>", "Exec working directory").option("--timeout-ms <ms>", "Exec timeout in milliseconds").option("--set-default", "Set as default alias for this source", false).option("--remove", "Remove provider alias", false).option("--json", "Output JSON", false).action((opts) => runtime.secretsConfigure(opts));
+secrets.command("apply").description("Apply secret refs/providers/defaults patch").option("--file <path>", "Apply patch from JSON file").option("--path <config-path>", "Single ref target config path").option("--source <source>", "Single ref source (env|file|exec)").option("--id <secret-id>", "Single ref secret id").option("--provider <alias>", "Single ref provider alias").option("--remove", "Remove single ref (--path required)", false).option("--enable", "Enable secrets resolution", false).option("--disable", "Disable secrets resolution", false).option("--json", "Output JSON", false).action((opts) => runtime.secretsApply(opts));
+secrets.command("reload").description("Trigger runtime secrets reload signal").option("--json", "Output JSON", false).action((opts) => runtime.secretsReload(opts));
 var channels = program.command("channels").description("Manage channels");
 channels.command("add").description("Configure a plugin channel (OpenClaw-compatible setup)").requiredOption("--channel <id>", "Plugin channel id").option("--code <code>", "Pairing code").option("--token <token>", "Connector token").option("--name <name>", "Display name").option("--url <url>", "API base URL").option("--http-url <url>", "Alias for --url").action((opts) => runtime.channelsAdd(opts));
 channels.command("status").description("Show channel status").action(() => runtime.channelsStatus());