@afffun/codexbot 1.0.71 → 1.0.73

package/bin/codexbot.mjs

@@ -1,6 +1,11 @@
 #!/usr/bin/env node
 
-import { runCodexbotCli } from '../src/entrypoint.mjs';
+import { formatCliError, runCodexbotCli } from '../src/entrypoint.mjs';
 
-const exitCode = await runCodexbotCli(process.argv.slice(2));
-process.exit(exitCode);
+try {
+  const exitCode = await runCodexbotCli(process.argv.slice(2));
+  process.exit(exitCode);
+} catch (err) {
+  process.stderr.write(`${formatCliError(err)}\n`);
+  process.exit(1);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@afffun/codexbot",
-  "version": "1.0.71",
+  "version": "1.0.73",
   "description": "Thin npm bootstrap CLI for installing and operating Codexbot nodes",
   "type": "module",
   "author": "john88188 <john88188@outlook.com>",

package/src/activation_service.mjs

@@ -0,0 +1,262 @@
+import fsSyncDefault from 'node:fs';
+import fs from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import { spawn } from 'node:child_process';
+import readline from 'node:readline/promises';
+
+import { buildInstallLicenseClaimUrl, getDefaultDistributionConfig } from './config_service.mjs';
+import { resolveInstalledControlLayout } from './installed_layout_service.mjs';
+
+function trim(value, fallback = '') {
+  const text = String(value ?? '').trim();
+  return text || String(fallback ?? '').trim();
+}
+
+function createPrompter({ stdin, stdout } = {}) {
+  const input = stdin || process.stdin;
+  const output = stdout || process.stdout;
+  if (!input?.isTTY || !output?.isTTY) {
+    return {
+      interactive: false,
+      ask: async () => '',
+      close: async () => {},
+    };
+  }
+  const rl = readline.createInterface({ input, output });
+  return {
+    interactive: true,
+    ask: async (prompt) => trim(await rl.question(prompt)),
+    close: async () => {
+      rl.close();
+    },
+  };
+}
+
+function runChildCapture(spawnFn, command, args, options = {}) {
+  return new Promise((resolve, reject) => {
+    const child = spawnFn(command, args, {
+      stdio: ['ignore', 'pipe', 'pipe'],
+      ...options,
+    });
+    let stdout = '';
+    let stderr = '';
+    child.stdout?.on('data', (chunk) => {
+      stdout += Buffer.from(chunk).toString('utf8');
+    });
+    child.stderr?.on('data', (chunk) => {
+      stderr += Buffer.from(chunk).toString('utf8');
+    });
+    child.on('error', reject);
+    child.on('exit', (code, signal) => {
+      if (signal) {
+        reject(new Error(`${command} exited via signal ${signal}`));
+        return;
+      }
+      resolve({ code: Number(code || 0), stdout, stderr });
+    });
+  });
+}
+
+function runChildInherit(spawnFn, command, args, options = {}) {
+  return new Promise((resolve, reject) => {
+    const child = spawnFn(command, args, {
+      stdio: 'inherit',
+      ...options,
+    });
+    child.on('error', reject);
+    child.on('exit', (code, signal) => {
+      if (signal) {
+        reject(new Error(`${command} exited via signal ${signal}`));
+        return;
+      }
+      resolve(Number(code || 0));
+    });
+  });
+}
+
+function resolveControlLayout({ fsSync, pathModule, processImpl, options }) {
+  return resolveInstalledControlLayout({
+    fsSync,
+    pathModule,
+    env: processImpl.env,
+    profile: options.layoutProfile,
+    appDir: options.appDir,
+    controlEnvFile: options.controlEnvFile,
+    controlUser: options.controlUser,
+    codexHomeDir: options.codexHomeDir,
+  });
+}
+
+async function readJsonResponse(response) {
+  const text = await response.text();
+  try {
+    return text ? JSON.parse(text) : {};
+  } catch {
+    return {};
+  }
+}
+
+function buildClaimFailureMessage(error, claimUrl) {
+  const lines = [trim(error?.message, 'license claim failed')];
+  lines.push('');
+  lines.push('The node remains installed but activation is still pending.');
+  lines.push(`Retry with: codexbot activate --license-key '<your-license-key>' --license-claim-url '${claimUrl}'`);
+  lines.push('Or complete activation manually after obtaining an activation package.');
+  return lines.join('\n');
+}
+
+export function createNpmDistributionActivationService(deps = {}) {
+  const fsPromises = deps.fsPromises || fs;
+  const fsSync = deps.fsSync || fsSyncDefault;
+  const osModule = deps.osModule || os;
+  const pathModule = deps.pathModule || path;
+  const spawnFn = deps.spawnFn || spawn;
+  const processImpl = deps.processImpl || process;
+  const fetchFn = deps.fetchFn || fetch;
+  const logger = deps.logger || console;
+  const promptFactory = deps.promptFactory || createPrompter;
+
+  async function resolveLicenseKey(options = {}) {
+    const explicit = trim(options.licenseKey);
+    if (explicit) return explicit;
+    const prompter = promptFactory({
+      stdin: processImpl.stdin,
+      stdout: processImpl.stdout,
+    });
+    try {
+      if (Boolean(options.nonInteractive) || !prompter.interactive) {
+        throw new Error('license key is required');
+      }
+      const entered = trim(await prompter.ask('License key: '));
+      if (!entered) throw new Error('license key is required');
+      return entered;
+    } finally {
+      await prompter.close().catch(() => {});
+    }
+  }
+
+  async function readInstalledNodeIdentity(layout, options = {}) {
+    const scriptPath = pathModule.join(layout.appDir, 'scripts', 'codexbot_node_identity.sh');
+    const isRoot = typeof processImpl.getuid === 'function' ? processImpl.getuid() === 0 : false;
+    const command = isRoot ? 'bash' : 'sudo';
+    const commandArgs = isRoot
+      ? [scriptPath, '--control-env-file', layout.controlEnvFile]
+      : ['bash', scriptPath, '--control-env-file', layout.controlEnvFile];
+    const result = await runChildCapture(spawnFn, command, commandArgs);
+    if (result.code !== 0) {
+      throw new Error(trim(result.stderr || result.stdout, 'failed to read node identity'));
+    }
+    let payload = {};
+    try {
+      payload = JSON.parse(result.stdout);
+    } catch {
+      throw new Error('node identity output is not valid JSON');
+    }
+    return payload;
+  }
+
+  async function fetchActivationPackage({ claimUrl, licenseKey, identity }) {
+    const response = await fetchFn(claimUrl, {
+      method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+        'user-agent': 'codexbot-npm-cli/1.0',
+      },
+      body: JSON.stringify({
+        licenseKey,
+        fingerprint: trim(identity?.machineFingerprint),
+        node: {
+          id: trim(identity?.nodeId),
+          ...(identity?.payload && typeof identity.payload === 'object' && !Array.isArray(identity.payload) ? identity.payload : {}),
+        },
+      }),
+    });
+    const payload = await readJsonResponse(response);
+    if (!response.ok) {
+      const err = new Error(trim(payload?.error?.message || payload?.message, `license claim http ${response.status}`));
+      err.code = trim(payload?.error?.code || payload?.code, `HTTP_${response.status}`);
+      err.statusCode = response.status;
+      err.payload = payload;
+      throw err;
+    }
+    return payload;
+  }
+
+  async function writeActivationPackage(tempDir, activation = {}) {
+    const licenseFile = pathModule.join(tempDir, 'license.json');
+    const licensePublicKeyFile = pathModule.join(tempDir, 'license-public.pem');
+    const licenseServerPublicKeyFile = pathModule.join(tempDir, 'license-server-public.pem');
+    await fsPromises.writeFile(licenseFile, `${JSON.stringify(activation.license || {}, null, 2)}\n`, 'utf8');
+    await fsPromises.writeFile(licensePublicKeyFile, `${trim(activation.licensePublicKey)}\n`, 'utf8');
+    await fsPromises.writeFile(licenseServerPublicKeyFile, `${trim(activation.licenseServerPublicKey)}\n`, 'utf8');
+    return {
+      licenseFile,
+      licensePublicKeyFile,
+      licenseServerPublicKeyFile,
+    };
+  }
+
+  async function runLocalActivationScript(layout, files) {
+    const scriptPath = pathModule.join(layout.appDir, 'scripts', 'codexbot_activate.sh');
+    const isRoot = typeof processImpl.getuid === 'function' ? processImpl.getuid() === 0 : false;
+    const baseArgs = [
+      scriptPath,
+      '--control-env-file', layout.controlEnvFile,
+      '--license-file', files.licenseFile,
+      '--license-public-key-file', files.licensePublicKeyFile,
+      '--license-server-public-key-file', files.licenseServerPublicKeyFile,
+      '--start',
+    ];
+    const command = isRoot ? 'bash' : 'sudo';
+    const commandArgs = isRoot ? baseArgs : ['bash', ...baseArgs];
+    return runChildInherit(spawnFn, command, commandArgs);
+  }
+
+  async function claimAndActivate(options = {}) {
+    const defaults = getDefaultDistributionConfig(processImpl.env);
+    const licenseKey = await resolveLicenseKey(options);
+    const claimUrl = buildInstallLicenseClaimUrl({
+      installBaseUrl: options.installBaseUrl || defaults.installBaseUrl,
+      claimUrl: options.licenseClaimUrl || defaults.licenseClaimUrl,
+      allowHttp: Boolean(options.allowHttp),
+    });
+    const layout = resolveControlLayout({
+      fsSync,
+      pathModule,
+      processImpl,
+      options,
+    });
+    const tempDir = await fsPromises.mkdtemp(pathModule.join(osModule.tmpdir(), 'codexbot-activation-'));
+    try {
+      logger.log('==> Read node identity');
+      const identity = await readInstalledNodeIdentity(layout, options);
+      logger.log(`==> Claim activation package from ${claimUrl}`);
+      const claim = await fetchActivationPackage({ claimUrl, licenseKey, identity });
+      const activation = claim?.activation || {};
+      if (!activation.license || !trim(activation.licensePublicKey) || !trim(activation.licenseServerPublicKey)) {
+        throw new Error('claim response is missing activation package files');
+      }
+      const files = await writeActivationPackage(tempDir, activation);
+      logger.log('==> Activate installed node');
+      const exitCode = await runLocalActivationScript(layout, files);
+      if (exitCode !== 0) {
+        throw new Error(`activation script exited with code ${exitCode}`);
+      }
+      return {
+        ok: true,
+        claim,
+      };
+    } catch (error) {
+      const wrapped = new Error(buildClaimFailureMessage(error, claimUrl));
+      wrapped.cause = error;
+      throw wrapped;
+    } finally {
+      await fsPromises.rm(tempDir, { recursive: true, force: true }).catch(() => {});
+    }
+  }
+
+  return {
+    claimAndActivate,
+  };
+}

package/src/args_service.mjs

@@ -12,6 +12,7 @@ function readOptionValue(argv, index, name) {
 function parseBootstrapOptions(argv = []) {
   const options = {
     channel: '',
+    installBaseUrl: '',
     updateBaseUrl: '',
     manifestUrl: '',
     publicKeyUrl: '',
@@ -20,6 +21,23 @@ function parseBootstrapOptions(argv = []) {
     token: '',
     allowHttp: false,
     noSignature: false,
+    nonInteractive: false,
+    connector: '',
+    telegramBotToken: '',
+    telegramChatIds: '',
+    wecomBotId: '',
+    wecomSecret: '',
+    wecomTencentDocsApiKey: '',
+    openAiApiKey: '',
+    deferLicenseActivation: false,
+    licenseKey: '',
+    licenseClaimUrl: '',
+    licenseFile: '',
+    licensePublicKeyFile: '',
+    licenseServerPublicKeyFile: '',
+    seedEnvFile: '',
+    seedConnectorsStateFile: '',
+    seedConnectorsCredentialsFile: '',
     forwardedArgs: [],
   };
 
@@ -31,6 +49,11 @@ function parseBootstrapOptions(argv = []) {
       i += 1;
       continue;
     }
+    if (token === '--install-base-url') {
+      options.installBaseUrl = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
     if (token === '--update-base-url') {
       options.updateBaseUrl = readOptionValue(argv, i, token);
       i += 1;
@@ -66,6 +89,89 @@ function parseBootstrapOptions(argv = []) {
       options.forwardedArgs.push(token);
       continue;
     }
+    if (token === '--non-interactive' || token === '--no-prompt') {
+      options.nonInteractive = true;
+      continue;
+    }
+    if (token === '--connector') {
+      options.connector = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--telegram-bot-token') {
+      options.telegramBotToken = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--telegram-chat-ids') {
+      options.telegramChatIds = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--wecom-bot-id') {
+      options.wecomBotId = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--wecom-secret') {
+      options.wecomSecret = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--wecom-tencent-docs-api-key') {
+      options.wecomTencentDocsApiKey = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--openai-api-key') {
+      options.openAiApiKey = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--defer-license-activation') {
+      options.deferLicenseActivation = true;
+      continue;
+    }
+    if (token === '--license-key') {
+      options.licenseKey = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--license-claim-url') {
+      options.licenseClaimUrl = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--license-file') {
+      options.licenseFile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--license-public-key-file') {
+      options.licensePublicKeyFile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--license-server-public-key-file') {
+      options.licenseServerPublicKeyFile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--seed-env-file') {
+      options.seedEnvFile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--seed-connectors-state-file') {
+      options.seedConnectorsStateFile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--seed-connectors-credentials-file') {
+      options.seedConnectorsCredentialsFile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
     if (token === '--no-signature') {
       options.noSignature = true;
       options.forwardedArgs.push(token);
@@ -77,7 +183,7 @@ function parseBootstrapOptions(argv = []) {
   return options;
 }
 
-function parseAuthOptions(argv = []) {
+function parseLayoutOptions(argv = []) {
   const options = {
     layoutProfile: '',
     appDir: '',
@@ -118,6 +224,71 @@ function parseAuthOptions(argv = []) {
   return options;
 }
 
+function parseActivationOptions(argv = []) {
+  const options = {
+    ...parseLayoutOptions([]),
+    installBaseUrl: '',
+    licenseClaimUrl: '',
+    allowHttp: false,
+    nonInteractive: false,
+    licenseKey: '',
+  };
+  for (let i = 0; i < argv.length; i += 1) {
+    const token = trim(argv[i]);
+    if (!token) continue;
+    if (token === '--license-key') {
+      options.licenseKey = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--install-base-url') {
+      options.installBaseUrl = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--license-claim-url') {
+      options.licenseClaimUrl = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--allow-http') {
+      options.allowHttp = true;
+      continue;
+    }
+    if (token === '--non-interactive' || token === '--no-prompt') {
+      options.nonInteractive = true;
+      continue;
+    }
+    if (token === '--layout-profile') {
+      options.layoutProfile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--app-dir') {
+      options.appDir = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--control-env-file') {
+      options.controlEnvFile = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--control-user') {
+      options.controlUser = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    if (token === '--codex-home-dir') {
+      options.codexHomeDir = readOptionValue(argv, i, token);
+      i += 1;
+      continue;
+    }
+    throw new Error(`unknown activate arg: ${token}`);
+  }
+  return options;
+}
+
 export function parseCliArgs(argv = []) {
   const args = Array.isArray(argv) ? argv.map((item) => String(item || '')) : [];
   const command = trim(args[0]).toLowerCase();
@@ -128,7 +299,7 @@ export function parseCliArgs(argv = []) {
     return { action: 'version' };
   }
   if (command === 'doctor') {
-    return { action: 'doctor', options: parseAuthOptions(args.slice(1)) };
+    return { action: 'doctor', options: parseLayoutOptions(args.slice(1)) };
   }
   if (command === 'install') {
     return { action: 'install', options: parseBootstrapOptions(args.slice(1)) };
@@ -136,12 +307,15 @@ export function parseCliArgs(argv = []) {
   if (command === 'upgrade') {
     return { action: 'upgrade', options: parseBootstrapOptions(args.slice(1)) };
   }
+  if (command === 'activate') {
+    return { action: 'activate', options: parseActivationOptions(args.slice(1)) };
+  }
   if (command === 'auth') {
     const sub = trim(args[1]).toLowerCase() || 'status';
     if (!['status', 'login', 'login-link', 'logout'].includes(sub)) {
       throw new Error(`unknown auth subcommand: ${sub}`);
     }
-    return { action: 'auth', mode: sub, options: parseAuthOptions(args.slice(2)) };
+    return { action: 'auth', mode: sub, options: parseLayoutOptions(args.slice(2)) };
   }
   throw new Error(`unknown command: ${command}`);
 }

package/src/config_service.mjs

@@ -1,3 +1,4 @@
+const DEFAULT_INSTALL_BASE_URL = 'https://codexbotinstall.afffun.com';
 const DEFAULT_UPDATE_BASE_URL = 'https://codexbotupdate.afffun.com';
 const DEFAULT_CHANNEL = 'stable';
 
@@ -28,9 +29,59 @@ function assertHttps(value, { allowHttp = false, label = 'url' } = {}) {
 
 export function getDefaultDistributionConfig(env = process.env) {
   return {
+    installBaseUrl: normalizeBaseUrl(env.CODEXBOT_INSTALL_BASE_URL, DEFAULT_INSTALL_BASE_URL),
     updateBaseUrl: normalizeBaseUrl(env.CODEXBOT_UPDATE_BASE_URL, DEFAULT_UPDATE_BASE_URL),
     channel: normalizeChannel(env.CODEXBOT_INSTALL_CHANNEL, DEFAULT_CHANNEL),
     authToken: trim(env.CODEXBOT_UPDATE_TOKEN || env.CODEX_REMOTE_UPDATE_AUTH_TOKEN, ''),
+    licenseClaimUrl: trim(env.CODEXBOT_LICENSE_CLAIM_URL, ''),
+  };
+}
+
+export function buildInstallLicenseClaimUrl({
+  installBaseUrl = DEFAULT_INSTALL_BASE_URL,
+  claimUrl = '',
+  allowHttp = false,
+} = {}) {
+  const resolvedInstallBaseUrl = normalizeBaseUrl(installBaseUrl, DEFAULT_INSTALL_BASE_URL);
+  const resolvedClaimUrl = trim(claimUrl) || `${resolvedInstallBaseUrl}/v1/install/license/claim`;
+  return assertHttps(resolvedClaimUrl, { allowHttp, label: 'license claim url' });
+}
+
+export function buildPublicInstallUrls({
+  installBaseUrl = DEFAULT_INSTALL_BASE_URL,
+  updateBaseUrl = DEFAULT_UPDATE_BASE_URL,
+  channel = DEFAULT_CHANNEL,
+  manifestUrl = '',
+  publicKeyUrl = '',
+  installRemoteUrl = '',
+  runtimeManifestUrl = '',
+  packageDownloadBaseUrl = '',
+  allowHttp = false,
+} = {}) {
+  const resolvedInstallBaseUrl = normalizeBaseUrl(installBaseUrl, DEFAULT_INSTALL_BASE_URL);
+  const resolvedUpdateBaseUrl = normalizeBaseUrl(updateBaseUrl, DEFAULT_UPDATE_BASE_URL);
+  const resolvedChannel = normalizeChannel(channel, DEFAULT_CHANNEL);
+  const publicRoot = `${resolvedInstallBaseUrl}/v1/install/${resolvedChannel}`;
+  const updateRoot = `${resolvedUpdateBaseUrl}/v1/channels/${resolvedChannel}`;
+  const urls = {
+    installBaseUrl: resolvedInstallBaseUrl,
+    updateBaseUrl: resolvedUpdateBaseUrl,
+    channel: resolvedChannel,
+    manifestUrl: trim(manifestUrl) || `${publicRoot}/manifest.json`,
+    publicKeyUrl: trim(publicKeyUrl) || `${publicRoot}/packages/latest/update-public.pem`,
+    installRemoteUrl: trim(installRemoteUrl) || `${publicRoot}/packages/latest/install-remote.sh`,
+    runtimeManifestUrl: trim(runtimeManifestUrl) || `${updateRoot}/manifest.json`,
+    packageDownloadBaseUrl: trim(packageDownloadBaseUrl) || `${publicRoot}/packages`,
+  };
+  return {
+    installBaseUrl: assertHttps(urls.installBaseUrl, { allowHttp, label: 'install base url' }),
+    updateBaseUrl: assertHttps(urls.updateBaseUrl, { allowHttp, label: 'update base url' }),
+    channel: urls.channel,
+    manifestUrl: assertHttps(urls.manifestUrl, { allowHttp, label: 'manifest url' }),
+    publicKeyUrl: assertHttps(urls.publicKeyUrl, { allowHttp, label: 'public key url' }),
+    installRemoteUrl: assertHttps(urls.installRemoteUrl, { allowHttp, label: 'install-remote url' }),
+    runtimeManifestUrl: assertHttps(urls.runtimeManifestUrl, { allowHttp, label: 'runtime manifest url' }),
+    packageDownloadBaseUrl: assertHttps(urls.packageDownloadBaseUrl, { allowHttp, label: 'package download base url' }),
   };
 }
 

package/src/entrypoint.mjs

@@ -1,6 +1,7 @@
 import fs from 'node:fs';
 import path from 'node:path';
 import { parseCliArgs } from './args_service.mjs';
+import { createNpmDistributionActivationService } from './activation_service.mjs';
 import { createNpmDistributionInstallService } from './install_service.mjs';
 import { createNpmDistributionAuthService } from './auth_service.mjs';
 
@@ -16,18 +17,43 @@ function renderUsage() {
     'Usage:',
     '  codexbot install [bootstrap options] [install-remote flags...]',
     '  codexbot upgrade [bootstrap options] [install-remote flags...]',
+    '  codexbot activate [activation options]',
     '  codexbot auth status|login|login-link|logout [layout overrides]',
     '  codexbot doctor [layout overrides]',
     '  codexbot version',
     '',
     'Bootstrap options:',
     '  --channel <stable|canary|...>',
+    '  --install-base-url <https://codexbotinstall.example.com>',
     '  --update-base-url <https://codexbotupdate.example.com>',
+    '  install defaults to an interactive seed wizard unless --non-interactive is used.',
+    '  --connector <telegram|wecom|skip>',
+    '  --telegram-bot-token <token>',
+    '  --telegram-chat-ids <id1,id2,...>',
+    '  --wecom-bot-id <botId>',
+    '  --wecom-secret <secret>',
+    '  --wecom-tencent-docs-api-key <apiKey>',
+    '  --openai-api-key <key>',
+    '  --license-key <key>',
+    '  install will auto-claim and activate when a license key is provided.',
+    '  --license-file </path/to/license.json>',
+    '  --license-public-key-file </path/to/license-public.pem>',
+    '  --license-server-public-key-file </path/to/license-server-public.pem>',
+    '  --defer-license-activation',
+    '  --non-interactive',
+    '  advanced seed flags such as --seed-env-file remain supported for automation',
     '  --manifest-url <url>',
     '  --public-key-url <url>',
     '  --install-remote-url <url>',
     '  --public-key-file </path/to/update-public.pem>',
-    '  --token <update server token>',
+    '  --token <protected update server token>',
+    '  --allow-http',
+    '',
+    'Activation options:',
+    '  --license-key <key>',
+    '  --install-base-url <https://codexbotinstall.example.com>',
+    '  --license-claim-url <https://codexbotinstall.example.com/v1/install/license/claim>',
+    '  --non-interactive',
     '  --allow-http',
     '',
     'Layout overrides:',
@@ -42,6 +68,7 @@ function renderUsage() {
 export async function runCodexbotCli(argv = [], deps = {}) {
   const logger = deps.logger || console;
   const installService = deps.installService || createNpmDistributionInstallService({ logger });
+  const activationService = deps.activationService || createNpmDistributionActivationService({ logger });
   const authService = deps.authService || createNpmDistributionAuthService({ logger });
   const cli = parseCliArgs(argv);
   if (cli.action === 'help') {
@@ -71,8 +98,18 @@ export async function runCodexbotCli(argv = [], deps = {}) {
   if (cli.action === 'upgrade') {
     return installService.runUpgradeCommand(cli.options || {});
   }
+  if (cli.action === 'activate') {
+    await activationService.claimAndActivate(cli.options || {});
+    return 0;
+  }
   if (cli.action === 'auth') {
     return authService.runAuthCommand(cli.mode, cli.options || {});
   }
   throw new Error(`unsupported action: ${cli.action}`);
 }
+
+export function formatCliError(err) {
+  const message = String(err?.message || err || '').trim();
+  if (!message) return 'codexbot failed';
+  return message;
+}

package/src/install_seed_service.mjs

@@ -0,0 +1,417 @@
+import fs from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import readline from 'node:readline/promises';
+
+function trim(value, fallback = '') {
+  const text = String(value ?? '').trim();
+  return text || String(fallback ?? '').trim();
+}
+
+function normalizeConnectorChoice(value) {
+  const raw = trim(value).toLowerCase();
+  if (raw === 'telegram') return 'telegram';
+  if (raw === 'wecom') return 'wecom';
+  if (raw === 'skip' || raw === 'none') return 'skip';
+  return '';
+}
+
+function normalizeList(input) {
+  return Array.from(new Set(
+    String(input || '')
+      .split(/[,\n]/)
+      .map((item) => trim(item))
+      .filter(Boolean),
+  ));
+}
+
+function normalizeYesNo(input, fallback = false) {
+  const raw = trim(input).toLowerCase();
+  if (!raw) return Boolean(fallback);
+  if (['y', 'yes', '1', 'true'].includes(raw)) return true;
+  if (['n', 'no', '0', 'false'].includes(raw)) return false;
+  return Boolean(fallback);
+}
+
+function buildConnectorCapabilities(type) {
+  if (type === 'telegram') {
+    return {
+      supportsEdit: true,
+      supportsButtons: true,
+      supportsAudioIn: true,
+      supportsAudioOut: true,
+      supportsFileUpload: true,
+      supportsStreaming: true,
+      supportsWebSocket: false,
+      supportsWebhook: true,
+      supportsPolling: true,
+      supportsOAuth: false,
+    };
+  }
+  if (type === 'wecom') {
+    return {
+      supportsEdit: false,
+      supportsButtons: false,
+      supportsAudioIn: true,
+      supportsAudioOut: false,
+      supportsFileUpload: true,
+      supportsStreaming: true,
+      supportsWebSocket: true,
+      supportsWebhook: false,
+      supportsPolling: false,
+      supportsOAuth: false,
+    };
+  }
+  return {};
+}
+
+function buildTelegramSeed(nowIso, {
+  botToken,
+  allowedChatIds,
+  baseUrl = 'https://api.telegram.org',
+  fileBaseUrl = 'https://api.telegram.org/file',
+} = {}) {
+  const connectorId = 'telegram-primary';
+  const configured = Boolean(trim(botToken) && allowedChatIds.length > 0);
+  const updatedAt = nowIso();
+  return {
+    connectorId,
+    descriptor: {
+      connectorId,
+      type: 'telegram',
+      name: connectorId,
+      displayName: 'Telegram',
+      source: 'managed',
+      managed: true,
+      status: configured ? 'authorized' : 'draft',
+      mode: 'polling',
+      capabilities: buildConnectorCapabilities('telegram'),
+      config: {
+        baseUrl,
+        fileBaseUrl,
+      },
+      binding: {
+        allowedChats: allowedChatIds,
+      },
+      runtime: {
+        desiredEnabled: true,
+        configured,
+        authModes: ['bot_token'],
+      },
+      health: {
+        state: configured ? 'idle' : 'misconfigured',
+        lastError: configured ? '' : 'missing telegram bot token or allowed chats',
+      },
+      auth: {
+        supportedModes: ['bot_token'],
+        mode: configured ? 'bot_token' : '',
+        state: configured ? 'configured' : 'unconfigured',
+        configured,
+        credentialRef: `cred_${connectorId}`,
+        storedKeys: configured ? ['botToken'] : [],
+        redirectUri: '',
+        authorizeUrl: '',
+        scopes: [],
+        tokenExchangeConfigured: false,
+        hasAccessToken: false,
+        hasRefreshToken: false,
+        lastAuthorizedAt: configured ? updatedAt : '',
+        lastError: configured ? '' : 'missing telegram bot token or allowed chats',
+        lastErrorAt: configured ? '' : updatedAt,
+      },
+      createdAt: updatedAt,
+      updatedAt,
+    },
+    credentials: {
+      connectorId,
+      credentialRef: `cred_${connectorId}`,
+      authMode: 'bot_token',
+      values: configured ? { botToken: trim(botToken) } : {},
+      oauth: {},
+      updatedAt,
+    },
+  };
+}
+
+function buildWecomSeed(nowIso, {
+  botId,
+  secret,
+  tencentDocsApiKey = '',
+  websocketUrl = 'wss://openws.work.weixin.qq.com',
+} = {}) {
+  const connectorId = 'wecom-primary';
+  const configured = Boolean(trim(botId) && trim(secret));
+  const updatedAt = nowIso();
+  const storedKeys = [];
+  if (trim(botId)) storedKeys.push('botId');
+  if (trim(secret)) storedKeys.push('secret');
+  if (trim(tencentDocsApiKey)) storedKeys.push('tencentDocsApiKey');
+  return {
+    connectorId,
+    descriptor: {
+      connectorId,
+      type: 'wecom',
+      name: connectorId,
+      displayName: 'WeCom',
+      source: 'managed',
+      managed: true,
+      status: configured ? 'authorized' : 'draft',
+      mode: 'websocket',
+      capabilities: buildConnectorCapabilities('wecom'),
+      config: {
+        botId: trim(botId),
+        websocketUrl,
+        dmPolicy: 'open',
+        groupPolicy: 'open',
+        sendThinkingMessage: false,
+        tencentDocsEnabled: Boolean(trim(tencentDocsApiKey)),
+      },
+      binding: {},
+      runtime: {
+        desiredEnabled: true,
+        configured,
+        authModes: ['bot_secret'],
+      },
+      health: {
+        state: configured ? 'idle' : 'misconfigured',
+        lastError: configured ? '' : 'missing fields: botId, secret',
+      },
+      auth: {
+        supportedModes: ['bot_secret'],
+        mode: configured ? 'bot_secret' : '',
+        state: configured ? 'configured' : 'unconfigured',
+        configured,
+        credentialRef: `cred_${connectorId}`,
+        storedKeys,
+        redirectUri: '',
+        authorizeUrl: '',
+        scopes: [],
+        tokenExchangeConfigured: false,
+        hasAccessToken: false,
+        hasRefreshToken: false,
+        lastAuthorizedAt: configured ? updatedAt : '',
+        lastError: configured ? '' : 'missing fields: botId, secret',
+        lastErrorAt: configured ? '' : updatedAt,
+      },
+      createdAt: updatedAt,
+      updatedAt,
+    },
+    credentials: {
+      connectorId,
+      credentialRef: `cred_${connectorId}`,
+      authMode: 'bot_secret',
+      values: {
+        ...(trim(botId) ? { botId: trim(botId) } : {}),
+        ...(trim(secret) ? { secret: trim(secret) } : {}),
+        ...(trim(tencentDocsApiKey) ? { tencentDocsApiKey: trim(tencentDocsApiKey) } : {}),
+      },
+      oauth: {},
+      updatedAt,
+    },
+  };
+}
+
+function createPrompter({ stdin, stdout } = {}) {
+  const input = stdin || process.stdin;
+  const output = stdout || process.stdout;
+  if (!input?.isTTY || !output?.isTTY) {
+    return {
+      interactive: false,
+      ask: async () => '',
+      close: async () => {},
+    };
+  }
+  const rl = readline.createInterface({ input, output });
+  return {
+    interactive: true,
+    ask: async (prompt) => trim(await rl.question(prompt)),
+    close: async () => {
+      rl.close();
+    },
+  };
+}
+
+async function ensureReadableFile(fsPromises, filePath, label) {
+  const target = trim(filePath);
+  if (!target) return '';
+  try {
+    await fsPromises.access(target);
+  } catch {
+    throw new Error(`${label} not found: ${target}`);
+  }
+  return target;
+}
+
+function renderEnvFile(values = {}) {
+  const lines = Object.entries(values)
+    .filter(([, value]) => trim(value))
+    .map(([key, value]) => `${key}=${String(value)}`);
+  return lines.length ? `${lines.join('\n')}\n` : '';
+}
+
+export function createNpmDistributionInstallSeedService(deps = {}) {
+  const fsPromises = deps.fsPromises || fs;
+  const osModule = deps.osModule || os;
+  const pathModule = deps.pathModule || path;
+  const processImpl = deps.processImpl || process;
+  const logger = deps.logger || console;
+  const nowIso = deps.nowIso || (() => new Date().toISOString());
+  const promptFactory = deps.promptFactory || createPrompter;
+
+  async function prepareInstallSeed(options = {}) {
+    const explicitSeedFiles = Boolean(
+      trim(options.seedEnvFile)
+      || trim(options.seedConnectorsStateFile)
+      || trim(options.seedConnectorsCredentialsFile),
+    );
+    const prompter = promptFactory({
+      stdin: processImpl.stdin,
+      stdout: processImpl.stdout,
+    });
+    const nonInteractive = Boolean(options.nonInteractive) || !prompter.interactive;
+    const tempDir = await fsPromises.mkdtemp(pathModule.join(osModule.tmpdir(), 'codexbot-install-seed-'));
+    const cleanup = async () => {
+      await prompter.close().catch(() => {});
+      await fsPromises.rm(tempDir, { recursive: true, force: true }).catch(() => {});
+    };
+
+    try {
+      const result = {
+        seedEnvFile: trim(options.seedEnvFile),
+        seedConnectorsStateFile: trim(options.seedConnectorsStateFile),
+        seedConnectorsCredentialsFile: trim(options.seedConnectorsCredentialsFile),
+        seedLicenseFile: '',
+        seedLicensePublicKeyFile: '',
+        seedLicenseServerPublicKeyFile: '',
+        licenseKey: trim(options.licenseKey),
+        deferLicenseActivation: Boolean(options.deferLicenseActivation),
+        summary: {
+          connector: 'skip',
+          connectorSeeded: false,
+          openAiSeeded: false,
+          licenseDeferred: false,
+        },
+        cleanup,
+      };
+
+      if (explicitSeedFiles) {
+        if (result.licenseKey) {
+          throw new Error('license key cannot be combined with explicit license seed files');
+        }
+        result.seedLicenseFile = trim(options.licenseFile);
+        result.seedLicensePublicKeyFile = trim(options.licensePublicKeyFile);
+        result.seedLicenseServerPublicKeyFile = trim(options.licenseServerPublicKeyFile);
+        if (!result.deferLicenseActivation
+          && !result.seedLicenseFile
+          && !result.seedLicensePublicKeyFile
+          && !result.seedLicenseServerPublicKeyFile) {
+          result.deferLicenseActivation = true;
+        }
+        result.summary.licenseDeferred = result.deferLicenseActivation;
+        return result;
+      }
+
+      let connector = normalizeConnectorChoice(options.connector);
+      const hasExplicitConnectorArgs = Boolean(
+        connector
+        || trim(options.telegramBotToken)
+        || trim(options.telegramChatIds)
+        || trim(options.wecomBotId)
+        || trim(options.wecomSecret)
+        || trim(options.wecomTencentDocsApiKey),
+      );
+      if (!connector && hasExplicitConnectorArgs) {
+        connector = trim(options.wecomBotId || options.wecomSecret || options.wecomTencentDocsApiKey) ? 'wecom' : 'telegram';
+      }
+      if (!connector && !nonInteractive) {
+        logger.log('==> Remote control channel setup');
+        connector = normalizeConnectorChoice(await prompter.ask('Choose connector [telegram/wecom/skip] (default: skip): ')) || 'skip';
+      }
+      if (!connector) connector = 'skip';
+
+      const openAiApiKey = trim(options.openAiApiKey || (!nonInteractive ? await prompter.ask('OPENAI_API_KEY (optional, blank to skip): ') : ''));
+      if (openAiApiKey) {
+        const envFile = pathModule.join(tempDir, 'seed.env');
+        await fsPromises.writeFile(envFile, renderEnvFile({ OPENAI_API_KEY: openAiApiKey }), 'utf8');
+        result.seedEnvFile = envFile;
+        result.summary.openAiSeeded = true;
+      }
+
+      if (connector === 'telegram') {
+        const telegramBotToken = trim(options.telegramBotToken || (!nonInteractive ? await prompter.ask('Telegram bot token: ') : ''));
+        const telegramChatIds = normalizeList(options.telegramChatIds || (!nonInteractive ? await prompter.ask('Telegram allowed chat IDs (comma-separated): ') : ''));
+        if (!telegramBotToken || telegramChatIds.length === 0) {
+          throw new Error('Telegram connector requires bot token and at least one allowed chat ID');
+        }
+        const seed = buildTelegramSeed(nowIso, {
+          botToken: telegramBotToken,
+          allowedChatIds: telegramChatIds,
+        });
+        const stateFile = pathModule.join(tempDir, 'connectors.json');
+        const credentialsFile = pathModule.join(tempDir, 'connectors.credentials.json');
+        await fsPromises.writeFile(stateFile, `${JSON.stringify({ connectors: { [seed.connectorId]: seed.descriptor } }, null, 2)}\n`, 'utf8');
+        await fsPromises.writeFile(credentialsFile, `${JSON.stringify({ connectors: { [seed.connectorId]: seed.credentials } }, null, 2)}\n`, 'utf8');
+        result.seedConnectorsStateFile = stateFile;
+        result.seedConnectorsCredentialsFile = credentialsFile;
+        result.summary.connector = 'telegram';
+        result.summary.connectorSeeded = true;
+      } else if (connector === 'wecom') {
+        const wecomBotId = trim(options.wecomBotId || (!nonInteractive ? await prompter.ask('WeCom bot ID: ') : ''));
+        const wecomSecret = trim(options.wecomSecret || (!nonInteractive ? await prompter.ask('WeCom bot secret: ') : ''));
+        const wecomTencentDocsApiKey = trim(options.wecomTencentDocsApiKey || (!nonInteractive ? await prompter.ask('Tencent Docs API key (optional, blank to skip): ') : ''));
+        if (!wecomBotId || !wecomSecret) {
+          throw new Error('WeCom connector requires bot ID and secret');
+        }
+        const seed = buildWecomSeed(nowIso, {
+          botId: wecomBotId,
+          secret: wecomSecret,
+          tencentDocsApiKey: wecomTencentDocsApiKey,
+        });
+        const stateFile = pathModule.join(tempDir, 'connectors.json');
+        const credentialsFile = pathModule.join(tempDir, 'connectors.credentials.json');
+        await fsPromises.writeFile(stateFile, `${JSON.stringify({ connectors: { [seed.connectorId]: seed.descriptor } }, null, 2)}\n`, 'utf8');
+        await fsPromises.writeFile(credentialsFile, `${JSON.stringify({ connectors: { [seed.connectorId]: seed.credentials } }, null, 2)}\n`, 'utf8');
+        result.seedConnectorsStateFile = stateFile;
+        result.seedConnectorsCredentialsFile = credentialsFile;
+        result.summary.connector = 'wecom';
+        result.summary.connectorSeeded = true;
+      }
+
+      let licenseKey = result.licenseKey;
+      let licenseFile = trim(options.licenseFile);
+      let licensePublicKeyFile = trim(options.licensePublicKeyFile);
+      let licenseServerPublicKeyFile = trim(options.licenseServerPublicKeyFile);
+      if (licenseKey && (licenseFile || licensePublicKeyFile || licenseServerPublicKeyFile)) {
+        throw new Error('license key cannot be combined with direct license file inputs');
+      }
+      if (!licenseKey && !licenseFile && !licensePublicKeyFile && !licenseServerPublicKeyFile && !nonInteractive) {
+        licenseKey = trim(await prompter.ask('License key (optional, blank to skip and activate later): '));
+      }
+      if (!licenseKey && !licenseFile && !licensePublicKeyFile && !licenseServerPublicKeyFile) {
+        result.deferLicenseActivation = true;
+      }
+
+      if (licenseKey) {
+        result.licenseKey = licenseKey;
+        result.deferLicenseActivation = true;
+      }
+      const licenseProvided = Boolean(licenseFile || licensePublicKeyFile || licenseServerPublicKeyFile);
+      if (licenseProvided) {
+        result.seedLicenseFile = await ensureReadableFile(fsPromises, licenseFile, 'license file');
+        result.seedLicensePublicKeyFile = await ensureReadableFile(fsPromises, licensePublicKeyFile, 'license public key file');
+        result.seedLicenseServerPublicKeyFile = await ensureReadableFile(fsPromises, licenseServerPublicKeyFile, 'license server public key file');
+        result.deferLicenseActivation = false;
+      }
+
+      result.summary.licenseDeferred = result.deferLicenseActivation;
+      return result;
+    } catch (error) {
+      await cleanup();
+      throw error;
+    }
+  }
+
+  return {
+    prepareInstallSeed,
+  };
+}

package/src/install_service.mjs

@@ -2,16 +2,80 @@ import fs from 'node:fs/promises';
 import os from 'node:os';
 import path from 'node:path';
 import { spawn } from 'node:child_process';
-import { buildRemoteInstallUrls, getDefaultDistributionConfig } from './config_service.mjs';
+import {
+  buildPublicInstallUrls,
+  buildRemoteInstallUrls,
+  getDefaultDistributionConfig,
+} from './config_service.mjs';
+import { createNpmDistributionActivationService } from './activation_service.mjs';
+import { createNpmDistributionInstallSeedService } from './install_seed_service.mjs';
 
 function trim(value, fallback = '') {
   const text = String(value ?? '').trim();
   return text || String(fallback ?? '').trim();
 }
 
-async function ensureOkResponse(response, label) {
+function buildAuthFailureMessage({
+  label,
+  status,
+  statusText,
+  installBaseUrl,
+  channel,
+  updateBaseUrl,
+  authTokenPresent,
+  distributionMode = 'upgrade',
+} = {}) {
+  const lines = [
+    `${label} download failed: ${status} ${statusText}`,
+  ];
+  if (status === 401 || status === 403) {
+    lines.push('');
+    if (distributionMode === 'install') {
+      lines.push('The public Codexbot install facade rejected this request or could not proxy it upstream.');
+      lines.push('Retry with one of the following:');
+      lines.push(`- codexbot install --channel ${channel || 'stable'}`);
+      lines.push(`- codexbot install --install-base-url '${installBaseUrl || 'https://codexbotinstall.afffun.com'}' --update-base-url '${updateBaseUrl || 'https://codexbotupdate.afffun.com'}'`);
+      lines.push('- Verify the install facade is configured with upstream access to the protected update server.');
+      if (authTokenPresent) {
+        lines.push('- A token was provided, but public install should normally not require it; verify the install facade is not pointing at a protected route.');
+      }
+    } else {
+      lines.push('The Codexbot npm package is public, but the protected update channel still requires an update token.');
+      lines.push('Retry with one of the following:');
+      lines.push(`- codexbot upgrade --channel ${channel || 'stable'} --token '<UPDATE_SERVER_AUTH_TOKEN>'`);
+      lines.push(`- export CODEXBOT_UPDATE_TOKEN='<UPDATE_SERVER_AUTH_TOKEN>' && codexbot upgrade --channel ${channel || 'stable'}`);
+      lines.push(`- target update base: ${updateBaseUrl || 'https://codexbotupdate.afffun.com'}`);
+      if (authTokenPresent) {
+        lines.push('- A token was provided, but the server rejected it. Check that the token is valid for this update channel.');
+      } else {
+        lines.push('- No update token was provided for this request.');
+      }
+    }
+  }
+  return lines.join('\n');
+}
+
+async function ensureOkResponse(response, {
+  label,
+  installBaseUrl,
+  channel,
+  updateBaseUrl,
+  authTokenPresent = false,
+  distributionMode = 'upgrade',
+} = {}) {
   if (!response.ok) {
-    throw new Error(`${label} download failed: ${response.status} ${response.statusText}`);
+    const error = new Error(buildAuthFailureMessage({
+      label,
+      status: response.status,
+      statusText: response.statusText,
+      installBaseUrl,
+      channel,
+      updateBaseUrl,
+      authTokenPresent,
+      distributionMode,
+    }));
+    error.code = `HTTP_${response.status}`;
+    throw error;
   }
   return response;
 }
@@ -46,53 +110,132 @@ export function createNpmDistributionInstallService(deps = {}) {
   const spawnFn = deps.spawnFn || spawn;
   const processImpl = deps.processImpl || process;
   const logger = deps.logger || console;
+  const installSeedService = deps.installSeedService || createNpmDistributionInstallSeedService({
+    fsPromises,
+    osModule,
+    pathModule,
+    processImpl,
+    logger,
+  });
+  const activationService = deps.activationService || createNpmDistributionActivationService({
+    fsPromises,
+    pathModule,
+    spawnFn,
+    processImpl,
+    fetchFn,
+    logger,
+  });
 
   async function runRemoteInstall({
     mode,
     options = {},
   } = {}) {
     const defaults = getDefaultDistributionConfig(processImpl.env);
-    const urls = buildRemoteInstallUrls({
-      updateBaseUrl: options.updateBaseUrl || defaults.updateBaseUrl,
-      channel: options.channel || defaults.channel,
-      manifestUrl: options.manifestUrl,
-      publicKeyUrl: options.publicKeyUrl,
-      installRemoteUrl: options.installRemoteUrl,
-      allowHttp: Boolean(options.allowHttp),
-    });
-    const authToken = trim(options.token, defaults.authToken);
+    const distributionMode = trim(mode, 'auto') === 'install' ? 'install' : 'upgrade';
+    const urls = distributionMode === 'install'
+      ? buildPublicInstallUrls({
+        installBaseUrl: options.installBaseUrl || defaults.installBaseUrl,
+        updateBaseUrl: options.updateBaseUrl || defaults.updateBaseUrl,
+        channel: options.channel || defaults.channel,
+        manifestUrl: options.manifestUrl,
+        publicKeyUrl: options.publicKeyUrl,
+        installRemoteUrl: options.installRemoteUrl,
+        allowHttp: Boolean(options.allowHttp),
+      })
+      : buildRemoteInstallUrls({
+        updateBaseUrl: options.updateBaseUrl || defaults.updateBaseUrl,
+        channel: options.channel || defaults.channel,
+        manifestUrl: options.manifestUrl,
+        publicKeyUrl: options.publicKeyUrl,
+        installRemoteUrl: options.installRemoteUrl,
+        allowHttp: Boolean(options.allowHttp),
+      });
+    let installSeed = null;
+    const effectiveOptions = { ...options };
+    if (distributionMode === 'install') {
+      installSeed = await installSeedService.prepareInstallSeed(options);
+      effectiveOptions.seedEnvFile = trim(installSeed.seedEnvFile, effectiveOptions.seedEnvFile);
+      effectiveOptions.seedConnectorsStateFile = trim(installSeed.seedConnectorsStateFile, effectiveOptions.seedConnectorsStateFile);
+      effectiveOptions.seedConnectorsCredentialsFile = trim(installSeed.seedConnectorsCredentialsFile, effectiveOptions.seedConnectorsCredentialsFile);
+      effectiveOptions.licenseFile = trim(installSeed.seedLicenseFile, effectiveOptions.licenseFile);
+      effectiveOptions.licensePublicKeyFile = trim(installSeed.seedLicensePublicKeyFile, effectiveOptions.licensePublicKeyFile);
+      effectiveOptions.licenseServerPublicKeyFile = trim(installSeed.seedLicenseServerPublicKeyFile, effectiveOptions.licenseServerPublicKeyFile);
+      effectiveOptions.licenseKey = trim(installSeed.licenseKey, effectiveOptions.licenseKey);
+      effectiveOptions.deferLicenseActivation = Boolean(installSeed.deferLicenseActivation || effectiveOptions.deferLicenseActivation);
+    }
+    const authToken = trim(effectiveOptions.token, defaults.authToken);
     const tempDir = await fsPromises.mkdtemp(pathModule.join(osModule.tmpdir(), 'codexbot-npm-'));
     const tempInstallPath = pathModule.join(tempDir, 'install-remote.sh');
     const tempKeyPath = pathModule.join(tempDir, 'update-public.pem');
     const headers = authToken ? { Authorization: `Bearer ${authToken}` } : {};
     try {
       logger.log(`==> Fetch install entry from ${urls.installRemoteUrl}`);
-      const installResponse = await ensureOkResponse(await fetchFn(urls.installRemoteUrl, { headers }), 'install-remote');
+      const installResponse = await ensureOkResponse(await fetchFn(urls.installRemoteUrl, { headers }), {
+        label: 'install-remote',
+        installBaseUrl: urls.installBaseUrl,
+        channel: urls.channel,
+        updateBaseUrl: urls.updateBaseUrl,
+        authTokenPresent: Boolean(authToken),
+        distributionMode,
+      });
       await writeResponseToFile(installResponse, tempInstallPath, fsPromises);
       await fsPromises.chmod(tempInstallPath, 0o755);
 
-      const publicKeyFile = trim(options.publicKeyFile, '');
+      const publicKeyFile = trim(effectiveOptions.publicKeyFile, '');
       const resolvedPublicKeyFile = publicKeyFile || tempKeyPath;
       if (!publicKeyFile) {
         logger.log(`==> Fetch update public key from ${urls.publicKeyUrl}`);
-        const keyResponse = await ensureOkResponse(await fetchFn(urls.publicKeyUrl, { headers }), 'update public key');
+        const keyResponse = await ensureOkResponse(await fetchFn(urls.publicKeyUrl, { headers }), {
+          label: 'update public key',
+          installBaseUrl: urls.installBaseUrl,
+          channel: urls.channel,
+          updateBaseUrl: urls.updateBaseUrl,
+          authTokenPresent: Boolean(authToken),
+          distributionMode,
+        });
         await writeResponseToFile(keyResponse, tempKeyPath, fsPromises);
       }
 
       const args = [
         tempInstallPath,
         '--manifest-url', urls.manifestUrl,
+        ...(distributionMode === 'install'
+          ? ['--runtime-remote-update-manifest-url', urls.runtimeManifestUrl]
+          : []),
+        ...(distributionMode === 'install'
+          ? ['--package-download-base-url', urls.packageDownloadBaseUrl]
+          : []),
         '--public-key-file', resolvedPublicKeyFile,
         '--channel', urls.channel,
         '--mode', trim(mode, 'auto'),
         ...(authToken ? ['--auth-token', authToken] : []),
-        ...(Array.isArray(options.forwardedArgs) ? options.forwardedArgs : []),
+        ...(effectiveOptions.deferLicenseActivation ? ['--defer-license-activation'] : []),
+        ...(trim(effectiveOptions.seedEnvFile) ? ['--seed-env-file', trim(effectiveOptions.seedEnvFile)] : []),
+        ...(trim(effectiveOptions.seedConnectorsStateFile) ? ['--seed-connectors-state-file', trim(effectiveOptions.seedConnectorsStateFile)] : []),
+        ...(trim(effectiveOptions.seedConnectorsCredentialsFile) ? ['--seed-connectors-credentials-file', trim(effectiveOptions.seedConnectorsCredentialsFile)] : []),
+        ...(trim(effectiveOptions.licenseFile) ? ['--seed-license-file', trim(effectiveOptions.licenseFile)] : []),
+        ...(trim(effectiveOptions.licensePublicKeyFile) ? ['--seed-license-public-key-file', trim(effectiveOptions.licensePublicKeyFile)] : []),
+        ...(trim(effectiveOptions.licenseServerPublicKeyFile) ? ['--seed-license-server-public-key-file', trim(effectiveOptions.licenseServerPublicKeyFile)] : []),
+        ...(Array.isArray(effectiveOptions.forwardedArgs) ? effectiveOptions.forwardedArgs : []),
       ];
       const isRoot = typeof processImpl.getuid === 'function' ? processImpl.getuid() === 0 : false;
       const command = isRoot ? 'bash' : 'sudo';
       const commandArgs = isRoot ? args : ['bash', ...args];
-      return await runChild(spawnFn, command, commandArgs);
+      const exitCode = await runChild(spawnFn, command, commandArgs);
+      if (distributionMode === 'install' && exitCode === 0 && trim(effectiveOptions.licenseKey)) {
+        await activationService.claimAndActivate({
+          licenseKey: effectiveOptions.licenseKey,
+          installBaseUrl: urls.installBaseUrl,
+          licenseClaimUrl: effectiveOptions.licenseClaimUrl,
+          allowHttp: Boolean(effectiveOptions.allowHttp),
+          nonInteractive: true,
+        });
+      }
+      return exitCode;
     } finally {
+      if (installSeed?.cleanup) {
+        await installSeed.cleanup().catch(() => {});
+      }
       await fsPromises.rm(tempDir, { recursive: true, force: true }).catch(() => {});
     }
   }