feat: rename pass_mgr → secret-mgr, add ego-mgr binary and skill

M1: Rename pass_mgr to secret-mgr
- Rename directory, binary, and Go module
- Update install.mjs to build/install secret-mgr
- Update pcexec.ts to support secret-mgr patterns (with legacy pass_mgr compat)
- Update plugin config schema (passMgrPath → secretMgrPath)
- Create new skills/secret-mgr/SKILL.md
- install.mjs now initializes ego.json on install

M2: Implement ego-mgr binary (Go)
- Agent Scope and Public Scope column management
- Commands: add column/public-column, delete, set, get, show, list columns
- pcexec environment validation (AGENT_VERIFY, AGENT_ID, AGENT_WORKSPACE)
- File locking for concurrent write safety
- Proper exit codes per spec (0-6)
- Agent auto-registration on read/write
- Global column name uniqueness enforcement

M3: ego-mgr Skill
- Create skills/ego-mgr/SKILL.md with usage guide and examples

Ref: REQUIREMENTS_EGO_MGR.md

README.md

@@ -6,7 +6,7 @@
 
 # PaddedCell
 
-OpenClaw plugin for secure password management, safe command execution, and coordinated agent restart.
+OpenClaw plugin for secure secret management, agent identity management, safe command execution, and coordinated agent restart.
 
 ## ⚠️ Security Model
 
@@ -16,7 +16,7 @@ OpenClaw plugin for secure password management, safe command execution, and coor
 
 ## Features
 
-### 1. pass\_mgr — Password Manager (Go)
+### 1. secret-mgr — Secret Manager (Go)
 
 AES-256-GCM encryption with a **build-time secret** injected at compile time.
 Secrets are stored per-agent under `pc-pass-store/<agent-id>/<key>.gpg`.
@@ -24,23 +24,41 @@ Secrets are stored per-agent under `pc-pass-store/<agent-id>/<key>.gpg`.
 **Agent commands** (require pcguard — must run through pcexec):
 
 ```bash
-pass_mgr list                                     # List keys for current agent
-pass_mgr get-secret --key <key>                    # Output secret
-pass_mgr get-username --key <key>                  # Output username
-pass_mgr set --key <key> --secret <s> [--username <u>]  # Set entry
-pass_mgr generate --key <key> [--username <u>]     # Generate random secret
-pass_mgr unset --key <key>                         # Delete entry
-pass_mgr get <key>                                 # Legacy (maps to get-secret)
+secret-mgr list                                     # List keys for current agent
+secret-mgr get-secret --key <key>                    # Output secret
+secret-mgr get-username --key <key>                  # Output username
+secret-mgr set --key <key> --secret <s> [--username <u>]  # Set entry
+secret-mgr generate --key <key> [--username <u>]     # Generate random secret
+secret-mgr unset --key <key>                         # Delete entry
+secret-mgr get <key>                                 # Legacy (maps to get-secret)
 ```
 
 **Admin commands** (human-only — rejected if any `AGENT_*` env var is set):
 
 ```bash
-pass_mgr admin handoff [file]       # Export build secret to file (default: pc-pass-store.secret)
-pass_mgr admin init-from [file]     # Re-encrypt all data from old build secret to current
+secret-mgr admin handoff [file]       # Export build secret to file (default: pc-pass-store.secret)
+secret-mgr admin init-from [file]     # Re-encrypt all data from old build secret to current
 ```
 
-### 2. pcguard — Exec Guard (Go)
+### 2. ego-mgr — Agent Identity Manager (Go)
+
+Manages agent personal information (name, email, timezone, etc.) stored in `~/.openclaw/ego.json`.
+
+Supports **Agent Scope** (per-agent values) and **Public Scope** (shared by all agents).
+
+**Commands** (require pcguard — must run through pcexec):
+
+```bash
+ego-mgr add column <name> [--default <val>]          # Add agent-scope field
+ego-mgr add public-column <name> [--default <val>]   # Add public-scope field
+ego-mgr delete <name>                                 # Delete field and all values
+ego-mgr set <name> <value>                            # Set field value
+ego-mgr get <name>                                    # Get field value
+ego-mgr show                                          # Show all fields and values
+ego-mgr list columns                                  # List all field names
+```
+
+### 3. pcguard — Exec Guard (Go)
 
 Validates that a process is running inside a pcexec context by checking environment sentinels (`AGENT_VERIFY`, `AGENT_ID`, `AGENT_WORKSPACE`). Returns exit code 1 if any check fails.
 
@@ -50,15 +68,15 @@ pcguard || exit 1
 # ... rest of script
 ```
 
-### 3. pcexec — Safe Execution Tool (TypeScript)
+### 4. pcexec — Safe Execution Tool (TypeScript)
 
 Drop-in replacement for `exec` that:
-- Resolves `$(pass_mgr get-secret --key <key>)` and legacy `$(pass_mgr get <key>)` inline
+- Resolves `$(secret-mgr get-secret --key <key>)` and legacy `$(pass_mgr get-secret --key <key>)` inline
 - Sanitizes all resolved passwords from stdout/stderr
 - Injects `AGENT_VERIFY`, `AGENT_ID`, `AGENT_WORKSPACE` environment variables
-- Appends `$(openclaw path)/bin` to `PATH` (making `pcguard` and `pass_mgr` available)
+- Appends `$(openclaw path)/bin` to `PATH` (making `pcguard`, `secret-mgr`, and `ego-mgr` available)
 
-### 4. safe-restart — Coordinated Restart (TypeScript)
+### 5. safe-restart — Coordinated Restart (TypeScript)
 
 Agent state management and coordinated gateway restart.
 
@@ -75,10 +93,15 @@ PaddedCell/
 │   ├── openclaw.plugin.json
 │   ├── package.json
 │   └── tsconfig.json
-├── pass_mgr/            # Go password manager binary
+├── secret-mgr/          # Go secret manager binary
+│   └── src/main.go
+├── ego-mgr/             # Go agent identity manager binary
 │   └── src/main.go
 ├── pcguard/             # Go exec guard binary
 │   └── src/main.go
+├── skills/              # Agent skills
+│   ├── secret-mgr/SKILL.md
+│   └── ego-mgr/SKILL.md
 ├── dist/padded-cell/    # Build output
 ├── install.mjs          # Installer
 └── README.md
@@ -100,7 +123,7 @@ node install.mjs --build-only
 node install.mjs --uninstall
 ```
 
-The installer automatically generates a random 32-byte build secret (stored in `.build-secret`, gitignored) and injects it into `pass_mgr` at compile time. Subsequent builds reuse the same secret.
+The installer automatically generates a random 32-byte build secret (stored in `.build-secret`, gitignored) and injects it into `secret-mgr` at compile time. Subsequent builds reuse the same secret.
 
 ### Install paths
 
@@ -114,14 +137,14 @@ When you rebuild PaddedCell (which generates a new build secret), existing encry
 
 ```bash
 # 1. Before updating — export current build secret
-~/.openclaw/bin/pass_mgr admin handoff
+~/.openclaw/bin/secret-mgr admin handoff
 
 # 2. Rebuild & reinstall (generates new .build-secret)
 rm .build-secret
 node install.mjs
 
 # 3. After updating — re-encrypt data with new secret
-~/.openclaw/bin/pass_mgr admin init-from
+~/.openclaw/bin/secret-mgr admin init-from
 
 # 4. Restart gateway
 openclaw gateway restart
@@ -131,17 +154,23 @@ openclaw gateway restart
 
 ```bash
 # Agent sets and gets private passwords (via pcexec)
-pass_mgr set --key myservice --secret s3cret --username admin
-pass_mgr get-secret --key myservice
-pass_mgr get-username --key myservice
+secret-mgr set --key myservice --secret s3cret --username admin
+secret-mgr get-secret --key myservice
+secret-mgr get-username --key myservice
 
 # Shared scope (.public)
-pass_mgr set --public --key shared-api --secret s3cret
-pass_mgr list --public
-pass_mgr get-secret --public --key shared-api
+secret-mgr set --public --key shared-api --secret s3cret
+secret-mgr list --public
+secret-mgr get-secret --public --key shared-api
 
 # Use in shell commands (pcexec resolves and sanitizes)
-curl -u "$(pass_mgr get-username --key myservice):$(pass_mgr get-secret --key myservice)" https://api.example.com
+curl -u "$(secret-mgr get-username --key myservice):$(secret-mgr get-secret --key myservice)" https://api.example.com
+
+# Agent identity management (via pcexec)
+ego-mgr add column name
+ego-mgr set name "小智"
+ego-mgr add public-column timezone --default UTC
+ego-mgr show
 ```
 
 ## License