@afffun/codexbot 1.0.71 → 1.0.72

package/bin/codexbot.mjs

@@ -1,6 +1,11 @@
 #!/usr/bin/env node
 
-import { runCodexbotCli } from '../src/entrypoint.mjs';
+import { formatCliError, runCodexbotCli } from '../src/entrypoint.mjs';
 
-const exitCode = await runCodexbotCli(process.argv.slice(2));
-process.exit(exitCode);
+try {
+  const exitCode = await runCodexbotCli(process.argv.slice(2));
+  process.exit(exitCode);
+} catch (err) {
+  process.stderr.write(`${formatCliError(err)}\n`);
+  process.exit(1);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@afffun/codexbot",
-  "version": "1.0.71",
+  "version": "1.0.72",
   "description": "Thin npm bootstrap CLI for installing and operating Codexbot nodes",
   "type": "module",
   "author": "john88188 <john88188@outlook.com>",

package/src/args_service.mjs

@@ -12,6 +12,7 @@ function readOptionValue(argv, index, name) {
 function parseBootstrapOptions(argv = []) {
   const options = {
     channel: '',
+    installBaseUrl: '',
     updateBaseUrl: '',
     manifestUrl: '',
     publicKeyUrl: '',
@@ -20,6 +21,21 @@ function parseBootstrapOptions(argv = []) {
     token: '',
     allowHttp: false,
     noSignature: false,
+    nonInteractive: false,
+    connector: '',
+    telegramBotToken: '',
+    telegramChatIds: '',
+    wecomBotId: '',
+    wecomSecret: '',
+    wecomTencentDocsApiKey: '',
+    openAiApiKey: '',
+    deferLicenseActivation: false,
+    licenseFile: '',
+    licensePublicKeyFile: '',
+    licenseServerPublicKeyFile: '',
+    seedEnvFile: '',
+    seedConnectorsStateFile: '',
+    seedConnectorsCredentialsFile: '',
     forwardedArgs: [],
   };
 
@@ -31,6 +47,11 @@ function parseBootstrapOptions(argv = []) {
       i += 1;
       continue;
     }
+    if (token === '--install-base-url') {
+      options.installBaseUrl = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
     if (token === '--update-base-url') {
       options.updateBaseUrl = readOptionValue(argv, i, token);
       i += 1;
@@ -66,6 +87,79 @@ function parseBootstrapOptions(argv = []) {
       options.forwardedArgs.push(token);
       continue;
     }
+    if (token === '--non-interactive' || token === '--no-prompt') {
+      options.nonInteractive = true;
+      continue;
+    }
+    if (token === '--connector') {
+      options.connector = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--telegram-bot-token') {
+      options.telegramBotToken = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--telegram-chat-ids') {
+      options.telegramChatIds = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--wecom-bot-id') {
+      options.wecomBotId = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--wecom-secret') {
+      options.wecomSecret = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--wecom-tencent-docs-api-key') {
+      options.wecomTencentDocsApiKey = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--openai-api-key') {
+      options.openAiApiKey = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--defer-license-activation') {
+      options.deferLicenseActivation = true;
+      continue;
+    }
+    if (token === '--license-file') {
+      options.licenseFile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--license-public-key-file') {
+      options.licensePublicKeyFile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--license-server-public-key-file') {
+      options.licenseServerPublicKeyFile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--seed-env-file') {
+      options.seedEnvFile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--seed-connectors-state-file') {
+      options.seedConnectorsStateFile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--seed-connectors-credentials-file') {
+      options.seedConnectorsCredentialsFile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
     if (token === '--no-signature') {
       options.noSignature = true;
       options.forwardedArgs.push(token);

package/src/config_service.mjs

@@ -1,3 +1,4 @@
+const DEFAULT_INSTALL_BASE_URL = 'https://codexbotinstall.afffun.com';
 const DEFAULT_UPDATE_BASE_URL = 'https://codexbotupdate.afffun.com';
 const DEFAULT_CHANNEL = 'stable';
 
@@ -28,12 +29,51 @@ function assertHttps(value, { allowHttp = false, label = 'url' } = {}) {
 
 export function getDefaultDistributionConfig(env = process.env) {
   return {
+    installBaseUrl: normalizeBaseUrl(env.CODEXBOT_INSTALL_BASE_URL, DEFAULT_INSTALL_BASE_URL),
     updateBaseUrl: normalizeBaseUrl(env.CODEXBOT_UPDATE_BASE_URL, DEFAULT_UPDATE_BASE_URL),
     channel: normalizeChannel(env.CODEXBOT_INSTALL_CHANNEL, DEFAULT_CHANNEL),
     authToken: trim(env.CODEXBOT_UPDATE_TOKEN || env.CODEX_REMOTE_UPDATE_AUTH_TOKEN, ''),
   };
 }
 
+export function buildPublicInstallUrls({
+  installBaseUrl = DEFAULT_INSTALL_BASE_URL,
+  updateBaseUrl = DEFAULT_UPDATE_BASE_URL,
+  channel = DEFAULT_CHANNEL,
+  manifestUrl = '',
+  publicKeyUrl = '',
+  installRemoteUrl = '',
+  runtimeManifestUrl = '',
+  packageDownloadBaseUrl = '',
+  allowHttp = false,
+} = {}) {
+  const resolvedInstallBaseUrl = normalizeBaseUrl(installBaseUrl, DEFAULT_INSTALL_BASE_URL);
+  const resolvedUpdateBaseUrl = normalizeBaseUrl(updateBaseUrl, DEFAULT_UPDATE_BASE_URL);
+  const resolvedChannel = normalizeChannel(channel, DEFAULT_CHANNEL);
+  const publicRoot = `${resolvedInstallBaseUrl}/v1/install/${resolvedChannel}`;
+  const updateRoot = `${resolvedUpdateBaseUrl}/v1/channels/${resolvedChannel}`;
+  const urls = {
+    installBaseUrl: resolvedInstallBaseUrl,
+    updateBaseUrl: resolvedUpdateBaseUrl,
+    channel: resolvedChannel,
+    manifestUrl: trim(manifestUrl) || `${publicRoot}/manifest.json`,
+    publicKeyUrl: trim(publicKeyUrl) || `${publicRoot}/packages/latest/update-public.pem`,
+    installRemoteUrl: trim(installRemoteUrl) || `${publicRoot}/packages/latest/install-remote.sh`,
+    runtimeManifestUrl: trim(runtimeManifestUrl) || `${updateRoot}/manifest.json`,
+    packageDownloadBaseUrl: trim(packageDownloadBaseUrl) || `${publicRoot}/packages`,
+  };
+  return {
+    installBaseUrl: assertHttps(urls.installBaseUrl, { allowHttp, label: 'install base url' }),
+    updateBaseUrl: assertHttps(urls.updateBaseUrl, { allowHttp, label: 'update base url' }),
+    channel: urls.channel,
+    manifestUrl: assertHttps(urls.manifestUrl, { allowHttp, label: 'manifest url' }),
+    publicKeyUrl: assertHttps(urls.publicKeyUrl, { allowHttp, label: 'public key url' }),
+    installRemoteUrl: assertHttps(urls.installRemoteUrl, { allowHttp, label: 'install-remote url' }),
+    runtimeManifestUrl: assertHttps(urls.runtimeManifestUrl, { allowHttp, label: 'runtime manifest url' }),
+    packageDownloadBaseUrl: assertHttps(urls.packageDownloadBaseUrl, { allowHttp, label: 'package download base url' }),
+  };
+}
+
 export function buildRemoteInstallUrls({
   updateBaseUrl = DEFAULT_UPDATE_BASE_URL,
   channel = DEFAULT_CHANNEL,

package/src/entrypoint.mjs

@@ -22,12 +22,27 @@ function renderUsage() {
     '',
     'Bootstrap options:',
     '  --channel <stable|canary|...>',
+    '  --install-base-url <https://codexbotinstall.example.com>',
     '  --update-base-url <https://codexbotupdate.example.com>',
+    '  install defaults to an interactive seed wizard unless --non-interactive is used.',
+    '  --connector <telegram|wecom|skip>',
+    '  --telegram-bot-token <token>',
+    '  --telegram-chat-ids <id1,id2,...>',
+    '  --wecom-bot-id <botId>',
+    '  --wecom-secret <secret>',
+    '  --wecom-tencent-docs-api-key <apiKey>',
+    '  --openai-api-key <key>',
+    '  --license-file </path/to/license.json>',
+    '  --license-public-key-file </path/to/license-public.pem>',
+    '  --license-server-public-key-file </path/to/license-server-public.pem>',
+    '  --defer-license-activation',
+    '  --non-interactive',
+    '  advanced seed flags such as --seed-env-file remain supported for automation',
     '  --manifest-url <url>',
     '  --public-key-url <url>',
     '  --install-remote-url <url>',
     '  --public-key-file </path/to/update-public.pem>',
-    '  --token <update server token>',
+    '  --token <protected update server token>',
     '  --allow-http',
     '',
     'Layout overrides:',
@@ -76,3 +91,9 @@ export async function runCodexbotCli(argv = [], deps = {}) {
   }
   throw new Error(`unsupported action: ${cli.action}`);
 }
+
+export function formatCliError(err) {
+  const message = String(err?.message || err || '').trim();
+  if (!message) return 'codexbot failed';
+  return message;
+}

package/src/install_seed_service.mjs

@@ -0,0 +1,411 @@
+import fs from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import readline from 'node:readline/promises';
+
+function trim(value, fallback = '') {
+  const text = String(value ?? '').trim();
+  return text || String(fallback ?? '').trim();
+}
+
+function normalizeConnectorChoice(value) {
+  const raw = trim(value).toLowerCase();
+  if (raw === 'telegram') return 'telegram';
+  if (raw === 'wecom') return 'wecom';
+  if (raw === 'skip' || raw === 'none') return 'skip';
+  return '';
+}
+
+function normalizeList(input) {
+  return Array.from(new Set(
+    String(input || '')
+      .split(/[,\n]/)
+      .map((item) => trim(item))
+      .filter(Boolean),
+  ));
+}
+
+function normalizeYesNo(input, fallback = false) {
+  const raw = trim(input).toLowerCase();
+  if (!raw) return Boolean(fallback);
+  if (['y', 'yes', '1', 'true'].includes(raw)) return true;
+  if (['n', 'no', '0', 'false'].includes(raw)) return false;
+  return Boolean(fallback);
+}
+
+function buildConnectorCapabilities(type) {
+  if (type === 'telegram') {
+    return {
+      supportsEdit: true,
+      supportsButtons: true,
+      supportsAudioIn: true,
+      supportsAudioOut: true,
+      supportsFileUpload: true,
+      supportsStreaming: true,
+      supportsWebSocket: false,
+      supportsWebhook: true,
+      supportsPolling: true,
+      supportsOAuth: false,
+    };
+  }
+  if (type === 'wecom') {
+    return {
+      supportsEdit: false,
+      supportsButtons: false,
+      supportsAudioIn: true,
+      supportsAudioOut: false,
+      supportsFileUpload: true,
+      supportsStreaming: true,
+      supportsWebSocket: true,
+      supportsWebhook: false,
+      supportsPolling: false,
+      supportsOAuth: false,
+    };
+  }
+  return {};
+}
+
+function buildTelegramSeed(nowIso, {
+  botToken,
+  allowedChatIds,
+  baseUrl = 'https://api.telegram.org',
+  fileBaseUrl = 'https://api.telegram.org/file',
+} = {}) {
+  const connectorId = 'telegram-primary';
+  const configured = Boolean(trim(botToken) && allowedChatIds.length > 0);
+  const updatedAt = nowIso();
+  return {
+    connectorId,
+    descriptor: {
+      connectorId,
+      type: 'telegram',
+      name: connectorId,
+      displayName: 'Telegram',
+      source: 'managed',
+      managed: true,
+      status: configured ? 'authorized' : 'draft',
+      mode: 'polling',
+      capabilities: buildConnectorCapabilities('telegram'),
+      config: {
+        baseUrl,
+        fileBaseUrl,
+      },
+      binding: {
+        allowedChats: allowedChatIds,
+      },
+      runtime: {
+        desiredEnabled: true,
+        configured,
+        authModes: ['bot_token'],
+      },
+      health: {
+        state: configured ? 'idle' : 'misconfigured',
+        lastError: configured ? '' : 'missing telegram bot token or allowed chats',
+      },
+      auth: {
+        supportedModes: ['bot_token'],
+        mode: configured ? 'bot_token' : '',
+        state: configured ? 'configured' : 'unconfigured',
+        configured,
+        credentialRef: `cred_${connectorId}`,
+        storedKeys: configured ? ['botToken'] : [],
+        redirectUri: '',
+        authorizeUrl: '',
+        scopes: [],
+        tokenExchangeConfigured: false,
+        hasAccessToken: false,
+        hasRefreshToken: false,
+        lastAuthorizedAt: configured ? updatedAt : '',
+        lastError: configured ? '' : 'missing telegram bot token or allowed chats',
+        lastErrorAt: configured ? '' : updatedAt,
+      },
+      createdAt: updatedAt,
+      updatedAt,
+    },
+    credentials: {
+      connectorId,
+      credentialRef: `cred_${connectorId}`,
+      authMode: 'bot_token',
+      values: configured ? { botToken: trim(botToken) } : {},
+      oauth: {},
+      updatedAt,
+    },
+  };
+}
+
+function buildWecomSeed(nowIso, {
+  botId,
+  secret,
+  tencentDocsApiKey = '',
+  websocketUrl = 'wss://openws.work.weixin.qq.com',
+} = {}) {
+  const connectorId = 'wecom-primary';
+  const configured = Boolean(trim(botId) && trim(secret));
+  const updatedAt = nowIso();
+  const storedKeys = [];
+  if (trim(botId)) storedKeys.push('botId');
+  if (trim(secret)) storedKeys.push('secret');
+  if (trim(tencentDocsApiKey)) storedKeys.push('tencentDocsApiKey');
+  return {
+    connectorId,
+    descriptor: {
+      connectorId,
+      type: 'wecom',
+      name: connectorId,
+      displayName: 'WeCom',
+      source: 'managed',
+      managed: true,
+      status: configured ? 'authorized' : 'draft',
+      mode: 'websocket',
+      capabilities: buildConnectorCapabilities('wecom'),
+      config: {
+        botId: trim(botId),
+        websocketUrl,
+        dmPolicy: 'open',
+        groupPolicy: 'open',
+        sendThinkingMessage: false,
+        tencentDocsEnabled: Boolean(trim(tencentDocsApiKey)),
+      },
+      binding: {},
+      runtime: {
+        desiredEnabled: true,
+        configured,
+        authModes: ['bot_secret'],
+      },
+      health: {
+        state: configured ? 'idle' : 'misconfigured',
+        lastError: configured ? '' : 'missing fields: botId, secret',
+      },
+      auth: {
+        supportedModes: ['bot_secret'],
+        mode: configured ? 'bot_secret' : '',
+        state: configured ? 'configured' : 'unconfigured',
+        configured,
+        credentialRef: `cred_${connectorId}`,
+        storedKeys,
+        redirectUri: '',
+        authorizeUrl: '',
+        scopes: [],
+        tokenExchangeConfigured: false,
+        hasAccessToken: false,
+        hasRefreshToken: false,
+        lastAuthorizedAt: configured ? updatedAt : '',
+        lastError: configured ? '' : 'missing fields: botId, secret',
+        lastErrorAt: configured ? '' : updatedAt,
+      },
+      createdAt: updatedAt,
+      updatedAt,
+    },
+    credentials: {
+      connectorId,
+      credentialRef: `cred_${connectorId}`,
+      authMode: 'bot_secret',
+      values: {
+        ...(trim(botId) ? { botId: trim(botId) } : {}),
+        ...(trim(secret) ? { secret: trim(secret) } : {}),
+        ...(trim(tencentDocsApiKey) ? { tencentDocsApiKey: trim(tencentDocsApiKey) } : {}),
+      },
+      oauth: {},
+      updatedAt,
+    },
+  };
+}
+
+function createPrompter({ stdin, stdout } = {}) {
+  const input = stdin || process.stdin;
+  const output = stdout || process.stdout;
+  if (!input?.isTTY || !output?.isTTY) {
+    return {
+      interactive: false,
+      ask: async () => '',
+      close: async () => {},
+    };
+  }
+  const rl = readline.createInterface({ input, output });
+  return {
+    interactive: true,
+    ask: async (prompt) => trim(await rl.question(prompt)),
+    close: async () => {
+      rl.close();
+    },
+  };
+}
+
+async function ensureReadableFile(fsPromises, filePath, label) {
+  const target = trim(filePath);
+  if (!target) return '';
+  try {
+    await fsPromises.access(target);
+  } catch {
+    throw new Error(`${label} not found: ${target}`);
+  }
+  return target;
+}
+
+function renderEnvFile(values = {}) {
+  const lines = Object.entries(values)
+    .filter(([, value]) => trim(value))
+    .map(([key, value]) => `${key}=${String(value)}`);
+  return lines.length ? `${lines.join('\n')}\n` : '';
+}
+
+export function createNpmDistributionInstallSeedService(deps = {}) {
+  const fsPromises = deps.fsPromises || fs;
+  const osModule = deps.osModule || os;
+  const pathModule = deps.pathModule || path;
+  const processImpl = deps.processImpl || process;
+  const logger = deps.logger || console;
+  const nowIso = deps.nowIso || (() => new Date().toISOString());
+  const promptFactory = deps.promptFactory || createPrompter;
+
+  async function prepareInstallSeed(options = {}) {
+    const explicitSeedFiles = Boolean(
+      trim(options.seedEnvFile)
+      || trim(options.seedConnectorsStateFile)
+      || trim(options.seedConnectorsCredentialsFile),
+    );
+    const prompter = promptFactory({
+      stdin: processImpl.stdin,
+      stdout: processImpl.stdout,
+    });
+    const nonInteractive = Boolean(options.nonInteractive) || !prompter.interactive;
+    const tempDir = await fsPromises.mkdtemp(pathModule.join(osModule.tmpdir(), 'codexbot-install-seed-'));
+    const cleanup = async () => {
+      await prompter.close().catch(() => {});
+      await fsPromises.rm(tempDir, { recursive: true, force: true }).catch(() => {});
+    };
+
+    try {
+      const result = {
+        seedEnvFile: trim(options.seedEnvFile),
+        seedConnectorsStateFile: trim(options.seedConnectorsStateFile),
+        seedConnectorsCredentialsFile: trim(options.seedConnectorsCredentialsFile),
+        seedLicenseFile: '',
+        seedLicensePublicKeyFile: '',
+        seedLicenseServerPublicKeyFile: '',
+        deferLicenseActivation: Boolean(options.deferLicenseActivation),
+        summary: {
+          connector: 'skip',
+          connectorSeeded: false,
+          openAiSeeded: false,
+          licenseDeferred: false,
+        },
+        cleanup,
+      };
+
+      if (explicitSeedFiles) {
+        result.seedLicenseFile = trim(options.licenseFile);
+        result.seedLicensePublicKeyFile = trim(options.licensePublicKeyFile);
+        result.seedLicenseServerPublicKeyFile = trim(options.licenseServerPublicKeyFile);
+        if (!result.deferLicenseActivation
+          && !result.seedLicenseFile
+          && !result.seedLicensePublicKeyFile
+          && !result.seedLicenseServerPublicKeyFile) {
+          result.deferLicenseActivation = true;
+        }
+        result.summary.licenseDeferred = result.deferLicenseActivation;
+        return result;
+      }
+
+      let connector = normalizeConnectorChoice(options.connector);
+      const hasExplicitConnectorArgs = Boolean(
+        connector
+        || trim(options.telegramBotToken)
+        || trim(options.telegramChatIds)
+        || trim(options.wecomBotId)
+        || trim(options.wecomSecret)
+        || trim(options.wecomTencentDocsApiKey),
+      );
+      if (!connector && hasExplicitConnectorArgs) {
+        connector = trim(options.wecomBotId || options.wecomSecret || options.wecomTencentDocsApiKey) ? 'wecom' : 'telegram';
+      }
+      if (!connector && !nonInteractive) {
+        logger.log('==> Remote control channel setup');
+        connector = normalizeConnectorChoice(await prompter.ask('Choose connector [telegram/wecom/skip] (default: skip): ')) || 'skip';
+      }
+      if (!connector) connector = 'skip';
+
+      const openAiApiKey = trim(options.openAiApiKey || (!nonInteractive ? await prompter.ask('OPENAI_API_KEY (optional, blank to skip): ') : ''));
+      if (openAiApiKey) {
+        const envFile = pathModule.join(tempDir, 'seed.env');
+        await fsPromises.writeFile(envFile, renderEnvFile({ OPENAI_API_KEY: openAiApiKey }), 'utf8');
+        result.seedEnvFile = envFile;
+        result.summary.openAiSeeded = true;
+      }
+
+      if (connector === 'telegram') {
+        const telegramBotToken = trim(options.telegramBotToken || (!nonInteractive ? await prompter.ask('Telegram bot token: ') : ''));
+        const telegramChatIds = normalizeList(options.telegramChatIds || (!nonInteractive ? await prompter.ask('Telegram allowed chat IDs (comma-separated): ') : ''));
+        if (!telegramBotToken || telegramChatIds.length === 0) {
+          throw new Error('Telegram connector requires bot token and at least one allowed chat ID');
+        }
+        const seed = buildTelegramSeed(nowIso, {
+          botToken: telegramBotToken,
+          allowedChatIds: telegramChatIds,
+        });
+        const stateFile = pathModule.join(tempDir, 'connectors.json');
+        const credentialsFile = pathModule.join(tempDir, 'connectors.credentials.json');
+        await fsPromises.writeFile(stateFile, `${JSON.stringify({ connectors: { [seed.connectorId]: seed.descriptor } }, null, 2)}\n`, 'utf8');
+        await fsPromises.writeFile(credentialsFile, `${JSON.stringify({ connectors: { [seed.connectorId]: seed.credentials } }, null, 2)}\n`, 'utf8');
+        result.seedConnectorsStateFile = stateFile;
+        result.seedConnectorsCredentialsFile = credentialsFile;
+        result.summary.connector = 'telegram';
+        result.summary.connectorSeeded = true;
+      } else if (connector === 'wecom') {
+        const wecomBotId = trim(options.wecomBotId || (!nonInteractive ? await prompter.ask('WeCom bot ID: ') : ''));
+        const wecomSecret = trim(options.wecomSecret || (!nonInteractive ? await prompter.ask('WeCom bot secret: ') : ''));
+        const wecomTencentDocsApiKey = trim(options.wecomTencentDocsApiKey || (!nonInteractive ? await prompter.ask('Tencent Docs API key (optional, blank to skip): ') : ''));
+        if (!wecomBotId || !wecomSecret) {
+          throw new Error('WeCom connector requires bot ID and secret');
+        }
+        const seed = buildWecomSeed(nowIso, {
+          botId: wecomBotId,
+          secret: wecomSecret,
+          tencentDocsApiKey: wecomTencentDocsApiKey,
+        });
+        const stateFile = pathModule.join(tempDir, 'connectors.json');
+        const credentialsFile = pathModule.join(tempDir, 'connectors.credentials.json');
+        await fsPromises.writeFile(stateFile, `${JSON.stringify({ connectors: { [seed.connectorId]: seed.descriptor } }, null, 2)}\n`, 'utf8');
+        await fsPromises.writeFile(credentialsFile, `${JSON.stringify({ connectors: { [seed.connectorId]: seed.credentials } }, null, 2)}\n`, 'utf8');
+        result.seedConnectorsStateFile = stateFile;
+        result.seedConnectorsCredentialsFile = credentialsFile;
+        result.summary.connector = 'wecom';
+        result.summary.connectorSeeded = true;
+      }
+
+      let licenseFile = trim(options.licenseFile);
+      let licensePublicKeyFile = trim(options.licensePublicKeyFile);
+      let licenseServerPublicKeyFile = trim(options.licenseServerPublicKeyFile);
+      if (!result.deferLicenseActivation && !licenseFile && !licensePublicKeyFile && !licenseServerPublicKeyFile && !nonInteractive) {
+        const provideLicense = normalizeYesNo(await prompter.ask('Provide license materials now? [y/N]: '), false);
+        if (provideLicense) {
+          licenseFile = await prompter.ask('Path to license.json: ');
+          licensePublicKeyFile = await prompter.ask('Path to license-public.pem: ');
+          licenseServerPublicKeyFile = await prompter.ask('Path to license-server-public.pem: ');
+        } else {
+          result.deferLicenseActivation = true;
+        }
+      } else if (!licenseFile && !licensePublicKeyFile && !licenseServerPublicKeyFile) {
+        result.deferLicenseActivation = true;
+      }
+
+      const licenseProvided = Boolean(licenseFile || licensePublicKeyFile || licenseServerPublicKeyFile);
+      if (licenseProvided) {
+        result.seedLicenseFile = await ensureReadableFile(fsPromises, licenseFile, 'license file');
+        result.seedLicensePublicKeyFile = await ensureReadableFile(fsPromises, licensePublicKeyFile, 'license public key file');
+        result.seedLicenseServerPublicKeyFile = await ensureReadableFile(fsPromises, licenseServerPublicKeyFile, 'license server public key file');
+        result.deferLicenseActivation = false;
+      }
+
+      result.summary.licenseDeferred = result.deferLicenseActivation;
+      return result;
+    } catch (error) {
+      await cleanup();
+      throw error;
+    }
+  }
+
+  return {
+    prepareInstallSeed,
+  };
+}

package/src/install_service.mjs

@@ -2,16 +2,79 @@ import fs from 'node:fs/promises';
 import os from 'node:os';
 import path from 'node:path';
 import { spawn } from 'node:child_process';
-import { buildRemoteInstallUrls, getDefaultDistributionConfig } from './config_service.mjs';
+import {
+  buildPublicInstallUrls,
+  buildRemoteInstallUrls,
+  getDefaultDistributionConfig,
+} from './config_service.mjs';
+import { createNpmDistributionInstallSeedService } from './install_seed_service.mjs';
 
 function trim(value, fallback = '') {
   const text = String(value ?? '').trim();
   return text || String(fallback ?? '').trim();
 }
 
-async function ensureOkResponse(response, label) {
+function buildAuthFailureMessage({
+  label,
+  status,
+  statusText,
+  installBaseUrl,
+  channel,
+  updateBaseUrl,
+  authTokenPresent,
+  distributionMode = 'upgrade',
+} = {}) {
+  const lines = [
+    `${label} download failed: ${status} ${statusText}`,
+  ];
+  if (status === 401 || status === 403) {
+    lines.push('');
+    if (distributionMode === 'install') {
+      lines.push('The public Codexbot install facade rejected this request or could not proxy it upstream.');
+      lines.push('Retry with one of the following:');
+      lines.push(`- codexbot install --channel ${channel || 'stable'}`);
+      lines.push(`- codexbot install --install-base-url '${installBaseUrl || 'https://codexbotinstall.afffun.com'}' --update-base-url '${updateBaseUrl || 'https://codexbotupdate.afffun.com'}'`);
+      lines.push('- Verify the install facade is configured with upstream access to the protected update server.');
+      if (authTokenPresent) {
+        lines.push('- A token was provided, but public install should normally not require it; verify the install facade is not pointing at a protected route.');
+      }
+    } else {
+      lines.push('The Codexbot npm package is public, but the protected update channel still requires an update token.');
+      lines.push('Retry with one of the following:');
+      lines.push(`- codexbot upgrade --channel ${channel || 'stable'} --token '<UPDATE_SERVER_AUTH_TOKEN>'`);
+      lines.push(`- export CODEXBOT_UPDATE_TOKEN='<UPDATE_SERVER_AUTH_TOKEN>' && codexbot upgrade --channel ${channel || 'stable'}`);
+      lines.push(`- target update base: ${updateBaseUrl || 'https://codexbotupdate.afffun.com'}`);
+      if (authTokenPresent) {
+        lines.push('- A token was provided, but the server rejected it. Check that the token is valid for this update channel.');
+      } else {
+        lines.push('- No update token was provided for this request.');
+      }
+    }
+  }
+  return lines.join('\n');
+}
+
+async function ensureOkResponse(response, {
+  label,
+  installBaseUrl,
+  channel,
+  updateBaseUrl,
+  authTokenPresent = false,
+  distributionMode = 'upgrade',
+} = {}) {
   if (!response.ok) {
-    throw new Error(`${label} download failed: ${response.status} ${response.statusText}`);
+    const error = new Error(buildAuthFailureMessage({
+      label,
+      status: response.status,
+      statusText: response.statusText,
+      installBaseUrl,
+      channel,
+      updateBaseUrl,
+      authTokenPresent,
+      distributionMode,
+    }));
+    error.code = `HTTP_${response.status}`;
+    throw error;
   }
   return response;
 }
@@ -46,53 +109,113 @@ export function createNpmDistributionInstallService(deps = {}) {
   const spawnFn = deps.spawnFn || spawn;
   const processImpl = deps.processImpl || process;
   const logger = deps.logger || console;
+  const installSeedService = deps.installSeedService || createNpmDistributionInstallSeedService({
+    fsPromises,
+    osModule,
+    pathModule,
+    processImpl,
+    logger,
+  });
 
   async function runRemoteInstall({
     mode,
     options = {},
   } = {}) {
     const defaults = getDefaultDistributionConfig(processImpl.env);
-    const urls = buildRemoteInstallUrls({
-      updateBaseUrl: options.updateBaseUrl || defaults.updateBaseUrl,
-      channel: options.channel || defaults.channel,
-      manifestUrl: options.manifestUrl,
-      publicKeyUrl: options.publicKeyUrl,
-      installRemoteUrl: options.installRemoteUrl,
-      allowHttp: Boolean(options.allowHttp),
-    });
-    const authToken = trim(options.token, defaults.authToken);
+    const distributionMode = trim(mode, 'auto') === 'install' ? 'install' : 'upgrade';
+    const urls = distributionMode === 'install'
+      ? buildPublicInstallUrls({
+        installBaseUrl: options.installBaseUrl || defaults.installBaseUrl,
+        updateBaseUrl: options.updateBaseUrl || defaults.updateBaseUrl,
+        channel: options.channel || defaults.channel,
+        manifestUrl: options.manifestUrl,
+        publicKeyUrl: options.publicKeyUrl,
+        installRemoteUrl: options.installRemoteUrl,
+        allowHttp: Boolean(options.allowHttp),
+      })
+      : buildRemoteInstallUrls({
+        updateBaseUrl: options.updateBaseUrl || defaults.updateBaseUrl,
+        channel: options.channel || defaults.channel,
+        manifestUrl: options.manifestUrl,
+        publicKeyUrl: options.publicKeyUrl,
+        installRemoteUrl: options.installRemoteUrl,
+        allowHttp: Boolean(options.allowHttp),
+      });
+    let installSeed = null;
+    const effectiveOptions = { ...options };
+    if (distributionMode === 'install') {
+      installSeed = await installSeedService.prepareInstallSeed(options);
+      effectiveOptions.seedEnvFile = trim(installSeed.seedEnvFile, effectiveOptions.seedEnvFile);
+      effectiveOptions.seedConnectorsStateFile = trim(installSeed.seedConnectorsStateFile, effectiveOptions.seedConnectorsStateFile);
+      effectiveOptions.seedConnectorsCredentialsFile = trim(installSeed.seedConnectorsCredentialsFile, effectiveOptions.seedConnectorsCredentialsFile);
+      effectiveOptions.licenseFile = trim(installSeed.seedLicenseFile, effectiveOptions.licenseFile);
+      effectiveOptions.licensePublicKeyFile = trim(installSeed.seedLicensePublicKeyFile, effectiveOptions.licensePublicKeyFile);
+      effectiveOptions.licenseServerPublicKeyFile = trim(installSeed.seedLicenseServerPublicKeyFile, effectiveOptions.licenseServerPublicKeyFile);
+      effectiveOptions.deferLicenseActivation = Boolean(installSeed.deferLicenseActivation || effectiveOptions.deferLicenseActivation);
+    }
+    const authToken = trim(effectiveOptions.token, defaults.authToken);
     const tempDir = await fsPromises.mkdtemp(pathModule.join(osModule.tmpdir(), 'codexbot-npm-'));
     const tempInstallPath = pathModule.join(tempDir, 'install-remote.sh');
     const tempKeyPath = pathModule.join(tempDir, 'update-public.pem');
     const headers = authToken ? { Authorization: `Bearer ${authToken}` } : {};
     try {
       logger.log(`==> Fetch install entry from ${urls.installRemoteUrl}`);
-      const installResponse = await ensureOkResponse(await fetchFn(urls.installRemoteUrl, { headers }), 'install-remote');
+      const installResponse = await ensureOkResponse(await fetchFn(urls.installRemoteUrl, { headers }), {
+        label: 'install-remote',
+        installBaseUrl: urls.installBaseUrl,
+        channel: urls.channel,
+        updateBaseUrl: urls.updateBaseUrl,
+        authTokenPresent: Boolean(authToken),
+        distributionMode,
+      });
       await writeResponseToFile(installResponse, tempInstallPath, fsPromises);
       await fsPromises.chmod(tempInstallPath, 0o755);
 
-      const publicKeyFile = trim(options.publicKeyFile, '');
+      const publicKeyFile = trim(effectiveOptions.publicKeyFile, '');
       const resolvedPublicKeyFile = publicKeyFile || tempKeyPath;
       if (!publicKeyFile) {
         logger.log(`==> Fetch update public key from ${urls.publicKeyUrl}`);
-        const keyResponse = await ensureOkResponse(await fetchFn(urls.publicKeyUrl, { headers }), 'update public key');
+        const keyResponse = await ensureOkResponse(await fetchFn(urls.publicKeyUrl, { headers }), {
+          label: 'update public key',
+          installBaseUrl: urls.installBaseUrl,
+          channel: urls.channel,
+          updateBaseUrl: urls.updateBaseUrl,
+          authTokenPresent: Boolean(authToken),
+          distributionMode,
+        });
         await writeResponseToFile(keyResponse, tempKeyPath, fsPromises);
       }
 
       const args = [
         tempInstallPath,
         '--manifest-url', urls.manifestUrl,
+        ...(distributionMode === 'install'
+          ? ['--runtime-remote-update-manifest-url', urls.runtimeManifestUrl]
+          : []),
+        ...(distributionMode === 'install'
+          ? ['--package-download-base-url', urls.packageDownloadBaseUrl]
+          : []),
         '--public-key-file', resolvedPublicKeyFile,
         '--channel', urls.channel,
         '--mode', trim(mode, 'auto'),
         ...(authToken ? ['--auth-token', authToken] : []),
-        ...(Array.isArray(options.forwardedArgs) ? options.forwardedArgs : []),
+        ...(effectiveOptions.deferLicenseActivation ? ['--defer-license-activation'] : []),
+        ...(trim(effectiveOptions.seedEnvFile) ? ['--seed-env-file', trim(effectiveOptions.seedEnvFile)] : []),
+        ...(trim(effectiveOptions.seedConnectorsStateFile) ? ['--seed-connectors-state-file', trim(effectiveOptions.seedConnectorsStateFile)] : []),
+        ...(trim(effectiveOptions.seedConnectorsCredentialsFile) ? ['--seed-connectors-credentials-file', trim(effectiveOptions.seedConnectorsCredentialsFile)] : []),
+        ...(trim(effectiveOptions.licenseFile) ? ['--seed-license-file', trim(effectiveOptions.licenseFile)] : []),
+        ...(trim(effectiveOptions.licensePublicKeyFile) ? ['--seed-license-public-key-file', trim(effectiveOptions.licensePublicKeyFile)] : []),
+        ...(trim(effectiveOptions.licenseServerPublicKeyFile) ? ['--seed-license-server-public-key-file', trim(effectiveOptions.licenseServerPublicKeyFile)] : []),
+        ...(Array.isArray(effectiveOptions.forwardedArgs) ? effectiveOptions.forwardedArgs : []),
       ];
       const isRoot = typeof processImpl.getuid === 'function' ? processImpl.getuid() === 0 : false;
       const command = isRoot ? 'bash' : 'sudo';
       const commandArgs = isRoot ? args : ['bash', ...args];
       return await runChild(spawnFn, command, commandArgs);
     } finally {
+      if (installSeed?.cleanup) {
+        await installSeed.cleanup().catch(() => {});
+      }
       await fsPromises.rm(tempDir, { recursive: true, force: true }).catch(() => {});
     }
   }