@agent-vm/agent-vm 0.0.20

package/dist/cli/init-command.js

@@ -0,0 +1,645 @@
+import { execFileSync } from 'node:child_process';
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import readline from 'node:readline/promises';
+import { DEFAULT_BASE_INSTRUCTIONS, DEFAULT_PLAN_AGENT_INSTRUCTIONS, DEFAULT_PLAN_REVIEWER_INSTRUCTIONS, DEFAULT_WORK_AGENT_INSTRUCTIONS, DEFAULT_WORK_REVIEWER_INSTRUCTIONS, DEFAULT_WRAPUP_INSTRUCTIONS, } from '@agent-vm/agent-vm-worker';
+import { resolveGondolinMinimumZigVersion, resolveGondolinPackageSpec, } from '@agent-vm/gondolin-adapter';
+import { z } from 'zod';
+import { SYSTEM_CACHE_IDENTIFIER_FILENAME, buildDefaultSystemCacheIdentifier, } from '../config/system-cache-identifier.js';
+import { buildDefaultProjectNamespace } from '../runtime/project-namespace.js';
+import { getKeychainTokenSource, hasServiceAccountToken, storeServiceAccountToken, } from './keychain-credential.js';
+import { openClawPluginVendorDirectory, syncBundledOpenClawPluginBundle, } from './openclaw-plugin-bundle.js';
+import { renderVmHostSystemDockerfile, renderVmHostSystemReadme, renderVmHostSystemStartScript, renderVmHostSystemSystemdUnit, } from './vm-host-system-templates.js';
+export const secretsProviderSchema = z.enum(['1password', 'environment']);
+export const imageArchitectureSchema = z.enum(['aarch64', 'x86_64']);
+const defaultGatewayIngressPort = 18791;
+const defaultOpenClawExtensionsPath = '/home/openclaw/.openclaw/extensions';
+function resolveGatewayConfigFileName(gatewayType) {
+    return gatewayType === 'worker' ? 'worker.json' : 'openclaw.json';
+}
+const localPathProfile = {
+    cacheDir: '../cache',
+    createLocalRuntimeDirectories: true,
+    gatewayConfig: (zoneId, gatewayType) => `./gateways/${zoneId}/${resolveGatewayConfigFileName(gatewayType)}`,
+    gatewayStateDir: (zoneId) => `../state/${zoneId}`,
+    gatewayWorkspaceDir: (zoneId) => `../workspaces/${zoneId}`,
+    gatewayBuildConfig: (gatewayType) => `../vm-images/gateways/${gatewayType}/build-config.json`,
+    gatewayDockerfile: (gatewayType) => `../vm-images/gateways/${gatewayType}/Dockerfile`,
+    toolVmBuildConfig: '../vm-images/tool-vms/default/build-config.json',
+    toolWorkspaceRoot: '../workspaces/tools',
+};
+const podPathProfile = {
+    cacheDir: '/var/agent-vm/cache',
+    createLocalRuntimeDirectories: false,
+    gatewayConfig: (zoneId, gatewayType) => `/etc/agent-vm/gateways/${zoneId}/${resolveGatewayConfigFileName(gatewayType)}`,
+    gatewayStateDir: () => '/var/agent-vm/state',
+    gatewayWorkspaceDir: () => '/var/agent-vm/workspace',
+    gatewayBuildConfig: (gatewayType) => `/etc/agent-vm/vm-images/gateways/${gatewayType}/build-config.json`,
+    gatewayDockerfile: (gatewayType) => `/etc/agent-vm/vm-images/gateways/${gatewayType}/Dockerfile`,
+    toolVmBuildConfig: '/etc/agent-vm/vm-images/tool-vms/default/build-config.json',
+    toolWorkspaceRoot: '/var/agent-vm/workspace/tools',
+};
+function resolveScaffoldPathProfile(paths) {
+    return paths === 'pod' ? podPathProfile : localPathProfile;
+}
+function defaultToolVmImageProfiles(gatewayType, pathProfile) {
+    if (gatewayType !== 'openclaw') {
+        return {};
+    }
+    return {
+        default: {
+            type: 'toolVm',
+            buildConfig: pathProfile.toolVmBuildConfig,
+        },
+    };
+}
+function defaultToolProfiles(gatewayType, pathProfile) {
+    if (gatewayType !== 'openclaw') {
+        return {};
+    }
+    return {
+        standard: {
+            memory: '1G',
+            cpus: 1,
+            workspaceRoot: pathProfile.toolWorkspaceRoot,
+            imageProfile: 'default',
+        },
+    };
+}
+const defaultSystemConfig = (zoneId, gatewayType, projectNamespace, secretsProvider, pathProfile) => ({
+    host: {
+        controllerPort: 18800,
+        projectNamespace,
+        githubToken: defaultHostGithubToken(secretsProvider),
+        ...(secretsProvider === '1password'
+            ? {
+                secretsProvider: {
+                    type: '1password',
+                    tokenSource: getKeychainTokenSource(),
+                },
+            }
+            : {}),
+    },
+    cacheDir: pathProfile.cacheDir,
+    imageProfiles: {
+        gateways: {
+            [gatewayType]: {
+                type: gatewayType,
+                buildConfig: pathProfile.gatewayBuildConfig(gatewayType),
+                dockerfile: pathProfile.gatewayDockerfile(gatewayType),
+            },
+        },
+        toolVms: defaultToolVmImageProfiles(gatewayType, pathProfile),
+    },
+    zones: [
+        {
+            id: zoneId,
+            gateway: {
+                type: gatewayType,
+                memory: '2G',
+                cpus: 2,
+                port: defaultGatewayIngressPort,
+                config: pathProfile.gatewayConfig(zoneId, gatewayType),
+                imageProfile: gatewayType,
+                stateDir: pathProfile.gatewayStateDir(zoneId),
+                workspaceDir: pathProfile.gatewayWorkspaceDir(zoneId),
+            },
+            secrets: defaultSecretsForGatewayType(zoneId, gatewayType, secretsProvider),
+            allowedHosts: defaultAllowedHostsForGatewayType(gatewayType),
+            websocketBypass: defaultWebsocketBypassForGatewayType(gatewayType),
+            ...(gatewayType === 'openclaw' ? { toolProfile: 'standard' } : {}),
+        },
+    ],
+    toolProfiles: defaultToolProfiles(gatewayType, pathProfile),
+    tcpPool: {
+        basePort: 19000,
+        size: 5,
+    },
+});
+function assertNeverSecretsProvider(value) {
+    throw new Error(`Unhandled secrets provider: ${String(value)}`);
+}
+function defaultHostGithubToken(secretsProvider) {
+    switch (secretsProvider) {
+        case '1password':
+            return { source: '1password', ref: 'op://agent-vm/github-token/credential' };
+        case 'environment':
+            return { source: 'environment', envVar: 'GITHUB_TOKEN' };
+        default:
+            return assertNeverSecretsProvider(secretsProvider);
+    }
+}
+function secretFromShape(shape, secretsProvider) {
+    const hostsField = shape.hosts ? { hosts: shape.hosts } : {};
+    switch (secretsProvider) {
+        case '1password':
+            return {
+                source: '1password',
+                ref: shape.opRef,
+                injection: shape.injection,
+                ...hostsField,
+            };
+        case 'environment':
+            return {
+                source: 'environment',
+                envVar: shape.envVar,
+                injection: shape.injection,
+                ...hostsField,
+            };
+        default:
+            return assertNeverSecretsProvider(secretsProvider);
+    }
+}
+function defaultSecretsForGatewayType(zoneId, gatewayType, secretsProvider) {
+    if (gatewayType === 'worker') {
+        return {
+            GITHUB_TOKEN: secretFromShape({
+                envVar: 'GITHUB_TOKEN',
+                opRef: 'op://agent-vm/github-token/credential',
+                injection: 'http-mediation',
+                hosts: ['api.github.com'],
+            }, secretsProvider),
+            OPENAI_API_KEY: secretFromShape({
+                envVar: 'OPENAI_API_KEY',
+                opRef: 'op://agent-vm/workers-openai/credential',
+                injection: 'http-mediation',
+                hosts: ['api.openai.com'],
+            }, secretsProvider),
+        };
+    }
+    return {
+        DISCORD_BOT_TOKEN: secretFromShape({
+            envVar: 'DISCORD_BOT_TOKEN',
+            opRef: `op://agent-vm/${zoneId}-discord/bot-token`,
+            injection: 'env',
+        }, secretsProvider),
+        PERPLEXITY_API_KEY: secretFromShape({
+            envVar: 'PERPLEXITY_API_KEY',
+            opRef: `op://agent-vm/${zoneId}-perplexity/credential`,
+            injection: 'http-mediation',
+            hosts: ['api.perplexity.ai'],
+        }, secretsProvider),
+        OPENCLAW_GATEWAY_TOKEN: secretFromShape({
+            envVar: 'OPENCLAW_GATEWAY_TOKEN',
+            opRef: `op://agent-vm/${zoneId}-gateway-auth/password`,
+            injection: 'env',
+        }, secretsProvider),
+    };
+}
+function defaultAllowedHostsForGatewayType(gatewayType) {
+    if (gatewayType === 'worker') {
+        return [
+            'api.anthropic.com',
+            'api.openai.com',
+            'auth.openai.com',
+            'api.github.com',
+            'github.com',
+            'registry.npmjs.org',
+        ];
+    }
+    return [
+        'api.openai.com',
+        'auth.openai.com',
+        'api.perplexity.ai',
+        'discord.com',
+        'cdn.discordapp.com',
+        'api.github.com',
+        'registry.npmjs.org',
+    ];
+}
+function defaultWebsocketBypassForGatewayType(gatewayType) {
+    if (gatewayType === 'worker') {
+        return [];
+    }
+    return [
+        'gateway.discord.gg:443',
+        'web.whatsapp.com:443',
+        'g.whatsapp.net:443',
+        'mmg.whatsapp.net:443',
+    ];
+}
+function envVarsForGatewayType(gatewayType) {
+    switch (gatewayType) {
+        case 'worker':
+            return ['GITHUB_TOKEN', 'OPENAI_API_KEY'];
+        case 'openclaw':
+            return ['GITHUB_TOKEN', 'DISCORD_BOT_TOKEN', 'PERPLEXITY_API_KEY', 'OPENCLAW_GATEWAY_TOKEN'];
+        default: {
+            const exhaustive = gatewayType;
+            throw new Error(`Unhandled gateway type: ${String(exhaustive)}`);
+        }
+    }
+}
+function defaultEnvTemplate(gatewayType, secretsProvider) {
+    switch (secretsProvider) {
+        case '1password':
+            return `# agent-vm environment configuration
+# 1Password token is stored in macOS Keychain by agent-vm init.
+# Only set this for CI or non-macOS environments:
+# OP_SERVICE_ACCOUNT_TOKEN=
+`;
+        case 'environment': {
+            const lines = [
+                '# agent-vm environment configuration (environment-backed secrets)',
+                '# Populate these variables in your runtime (container env, CI, shell, etc.).',
+                '',
+                ...envVarsForGatewayType(gatewayType).map((name) => `# ${name}=`),
+            ];
+            return `${lines.join('\n')}\n`;
+        }
+        default:
+            return assertNeverSecretsProvider(secretsProvider);
+    }
+}
+const gatewayDockerfileAuthBoundaryNote = `# NOTE: Do not bake auth tokens or credential material into this gateway image.
+# Runtime auth must flow through controller HTTP mediation. Keep token env
+# names, registry auth files, and build args out of this Dockerfile so a
+# future edit cannot accidentally turn a runtime secret into image state.`;
+const defaultGatewayDockerfile = `FROM node:24-slim
+
+${gatewayDockerfileAuthBoundaryNote}
+
+ENV PNPM_HOME=/pnpm
+ENV PATH=\${PNPM_HOME}:\${PATH}
+
+RUN apt-get update && \\
+    apt-get install -y --no-install-recommends \\
+      openssh-server \\
+      ca-certificates \\
+      git \\
+      curl \\
+      python3 && \\
+    rm -rf /var/lib/apt/lists/* && \\
+    update-ca-certificates && \\
+    corepack enable && \\
+    pnpm add -g openclaw@2026.4.2 && \\
+    OPENCLAW_PACKAGE_ROOT="$(pnpm root -g)/openclaw" && \\
+    (cd "$OPENCLAW_PACKAGE_ROOT" && node scripts/postinstall-bundled-plugins.mjs) && \\
+    mkdir -p /opt/openclaw-sdk && \\
+    ln -sf "$OPENCLAW_PACKAGE_ROOT/dist/plugin-sdk/sandbox.js" /opt/openclaw-sdk/sandbox.js && \\
+    printf '#!/bin/sh\\nexec /pnpm/openclaw "$@"\\n' > /usr/local/bin/openclaw && \\
+    chmod 755 /usr/local/bin/openclaw && \\
+    useradd -m -s /bin/bash openclaw && \\
+    mkdir -p ${defaultOpenClawExtensionsPath} /home/openclaw/workspace /run/sshd /root && \\
+    chown -R openclaw:openclaw /home/openclaw && \\
+    ln -sf /proc/self/fd /dev/fd 2>/dev/null || true
+
+COPY vendor/gondolin ${defaultOpenClawExtensionsPath}/gondolin
+`;
+const defaultLocalWorkerGatewayDockerfile = `FROM node:24-slim
+
+${gatewayDockerfileAuthBoundaryNote}
+
+RUN apt-get update && \\
+    apt-get install -y --no-install-recommends \\
+      openssh-server \\
+      ca-certificates \\
+      git \\
+      curl \\
+      python3 && \\
+    rm -rf /var/lib/apt/lists/* && \\
+    update-ca-certificates && \\
+    npm install -g @openai/codex @agent-vm/agent-vm-worker && \\
+    mkdir -p /opt/agent-vm-worker && \\
+    ln -s /usr/local/lib/node_modules/@agent-vm/agent-vm-worker /opt/agent-vm-worker && \\
+    useradd -m -s /bin/bash coder && \\
+    mkdir -p /workspace /run/sshd /state && \\
+    chown -R coder:coder /workspace /state && \\
+    ln -sf /proc/self/fd /dev/fd 2>/dev/null || true
+`;
+const defaultPodWorkerGatewayDockerfile = `FROM node:24-slim
+
+${gatewayDockerfileAuthBoundaryNote}
+
+RUN apt-get update && \\
+    apt-get install -y --no-install-recommends \\
+      openssh-server \\
+      ca-certificates \\
+      git \\
+      curl \\
+      python3 && \\
+    rm -rf /var/lib/apt/lists/* && \\
+    update-ca-certificates && \\
+    npm install -g @openai/codex && \\
+    useradd -m -s /bin/bash coder && \\
+    mkdir -p /workspace /run/sshd /state && \\
+    chown -R coder:coder /workspace /state && \\
+    ln -sf /proc/self/fd /dev/fd 2>/dev/null || true
+
+# Install GitHub CLI. The agent uses gh for PR creation; GitHub
+# auth is mediated by the controller proxy rather than exposed in
+# the VM environment.
+RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \\
+      -o /usr/share/keyrings/githubcli-archive-keyring.gpg && \\
+    chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg && \\
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \\
+      > /etc/apt/sources.list.d/github-cli.list && \\
+    apt-get update && \\
+    apt-get install -y --no-install-recommends gh && \\
+    rm -rf /var/lib/apt/lists/*
+
+# Install agent-vm-worker from deploy output copied into this directory
+# by the container-host runtime stage at build time.
+# pnpm deploy does not create a .bin entry for the deployed package itself,
+# so point directly at the package bin entrypoint.
+COPY agent-vm-worker/ /opt/agent-vm-worker/
+RUN chmod +x /opt/agent-vm-worker/dist/main.js && \\
+    ln -s /opt/agent-vm-worker/dist/main.js /usr/local/bin/agent-vm-worker
+`;
+function defaultWorkerGatewayDockerfile(paths) {
+    return paths === 'pod' ? defaultPodWorkerGatewayDockerfile : defaultLocalWorkerGatewayDockerfile;
+}
+const defaultGatewayBuildConfig = (architecture) => ({
+    arch: architecture,
+    distro: 'alpine',
+    alpine: {
+        version: '3.23.0',
+        kernelPackage: 'linux-virt',
+        kernelImage: 'vmlinuz-virt',
+        rootfsPackages: [],
+        initramfsPackages: [],
+    },
+    oci: {
+        image: 'agent-vm-gateway:latest',
+        pullPolicy: 'never',
+    },
+    rootfs: {
+        label: 'gondolin-root',
+        sizeMb: 4096,
+    },
+});
+const defaultToolBuildConfig = (architecture) => ({
+    arch: architecture,
+    distro: 'alpine',
+    alpine: {
+        version: '3.23.0',
+        kernelPackage: 'linux-virt',
+        kernelImage: 'vmlinuz-virt',
+        rootfsPackages: [],
+        initramfsPackages: [],
+    },
+    oci: {
+        image: 'agent-vm-tool:latest',
+        pullPolicy: 'never',
+    },
+    rootfs: {
+        label: 'tool-root',
+        sizeMb: 2048,
+    },
+});
+const defaultOpenClawConfig = (zoneId, gatewayIngressPort) => ({
+    gateway: {
+        auth: { mode: 'token' },
+        bind: 'loopback',
+        controlUi: {
+            allowedOrigins: [
+                `http://127.0.0.1:${gatewayIngressPort}`,
+                `http://localhost:${gatewayIngressPort}`,
+            ],
+        },
+        mode: 'local',
+        port: 18789,
+    },
+    agents: {
+        defaults: {
+            model: { primary: 'openai-codex/gpt-5.4' },
+            sandbox: { backend: 'gondolin', mode: 'all', scope: 'session' },
+            workspace: '/home/openclaw/workspace',
+        },
+    },
+    tools: { elevated: { enabled: false } },
+    plugins: {
+        load: {
+            paths: [defaultOpenClawExtensionsPath],
+        },
+        entries: {
+            gondolin: {
+                enabled: true,
+                config: {
+                    controllerUrl: 'http://controller.vm.host:18800',
+                    zoneId,
+                },
+            },
+        },
+    },
+    channels: {},
+});
+const defaultWorkerPromptFiles = [
+    { fileName: 'base.md', content: DEFAULT_BASE_INSTRUCTIONS },
+    { fileName: 'plan-agent.md', content: DEFAULT_PLAN_AGENT_INSTRUCTIONS },
+    { fileName: 'plan-reviewer.md', content: DEFAULT_PLAN_REVIEWER_INSTRUCTIONS },
+    { fileName: 'work-agent.md', content: DEFAULT_WORK_AGENT_INSTRUCTIONS },
+    { fileName: 'work-reviewer.md', content: DEFAULT_WORK_REVIEWER_INSTRUCTIONS },
+    { fileName: 'wrapup.md', content: DEFAULT_WRAPUP_INSTRUCTIONS },
+];
+function defaultWorkerPromptReference(fileName) {
+    return { path: `./prompts/${fileName}` };
+}
+const defaultWorkerGatewayConfig = () => ({
+    defaults: {
+        provider: 'codex',
+        model: 'latest-medium',
+    },
+    phases: {
+        plan: {
+            cycle: { kind: 'review', cycleCount: 2 },
+            agentInstructions: defaultWorkerPromptReference('plan-agent.md'),
+            reviewerInstructions: defaultWorkerPromptReference('plan-reviewer.md'),
+            agentTurnTimeoutMs: 900_000,
+            reviewerTurnTimeoutMs: 900_000,
+            skills: [],
+        },
+        work: {
+            cycle: { kind: 'review', cycleCount: 4 },
+            agentInstructions: defaultWorkerPromptReference('work-agent.md'),
+            reviewerInstructions: defaultWorkerPromptReference('work-reviewer.md'),
+            agentTurnTimeoutMs: 2_700_000,
+            reviewerTurnTimeoutMs: 900_000,
+            skills: [],
+        },
+        wrapup: {
+            instructions: defaultWorkerPromptReference('wrapup.md'),
+            turnTimeoutMs: 900_000,
+            skills: [],
+        },
+    },
+    instructions: defaultWorkerPromptReference('base.md'),
+    mcpServers: [],
+    verification: [],
+    verificationTimeoutMs: 300_000,
+    branchPrefix: 'agent/',
+    stateDir: '/state',
+});
+async function writeFileIfMissing(filePath, content, overwrite = false) {
+    await fs.mkdir(path.dirname(filePath), { recursive: true });
+    if (overwrite) {
+        await fs.writeFile(filePath, content, { encoding: 'utf8' });
+        return 'created';
+    }
+    try {
+        await fs.writeFile(filePath, content, {
+            encoding: 'utf8',
+            flag: 'wx',
+        });
+        return 'created';
+    }
+    catch (error) {
+        if (typeof error === 'object' && error !== null && 'code' in error && error.code === 'EEXIST') {
+            return 'skipped';
+        }
+        throw error;
+    }
+}
+export function scaffoldAgentVmProject(options, dependencies = {}) {
+    return scaffoldAgentVmProjectInternal(options, dependencies);
+}
+async function scaffoldAgentVmProjectInternal(options, dependencies = {}) {
+    if (options.hostSystemType === 'container') {
+        if (options.gatewayType !== 'worker') {
+            throw new Error('Container-host scaffolds currently support only worker gateways.');
+        }
+        if (options.architecture !== 'x86_64') {
+            throw new Error('Container-host scaffolds currently support only x86_64. Use macos-local for aarch64 or add container-host arm64 support first.');
+        }
+    }
+    const created = [];
+    const skipped = [];
+    const gatewayType = options.gatewayType;
+    const architecture = options.architecture;
+    const overwrite = options.overwrite ?? false;
+    const pathProfile = resolveScaffoldPathProfile(options.paths);
+    const projectNamespace = options.projectNamespace ?? (await buildDefaultProjectNamespace(options.targetDir));
+    const systemConfigPath = path.join(options.targetDir, 'config', 'system.json');
+    const systemConfigStatus = await writeFileIfMissing(systemConfigPath, `${JSON.stringify(defaultSystemConfig(options.zoneId, gatewayType, projectNamespace, options.secretsProvider, pathProfile), null, '\t')}\n`, overwrite);
+    (systemConfigStatus === 'created' ? created : skipped).push('config/system.json');
+    const systemCacheIdentifierPath = path.join(options.targetDir, 'config', SYSTEM_CACHE_IDENTIFIER_FILENAME);
+    const systemCacheIdentifier = buildDefaultSystemCacheIdentifier(options.hostSystemType ? { hostSystemType: options.hostSystemType } : {});
+    const systemCacheIdentifierStatus = await writeFileIfMissing(systemCacheIdentifierPath, `${JSON.stringify(systemCacheIdentifier, null, '\t')}\n`, overwrite);
+    (systemCacheIdentifierStatus === 'created' ? created : skipped).push(`config/${SYSTEM_CACHE_IDENTIFIER_FILENAME}`);
+    if (options.writeLocalEnvironmentFile) {
+        const envFilePath = path.join(options.targetDir, '.env.local');
+        const envFileStatus = await writeFileIfMissing(envFilePath, defaultEnvTemplate(gatewayType, options.secretsProvider), overwrite);
+        (envFileStatus === 'created' ? created : skipped).push('.env.local');
+        if (envFileStatus === 'created' && options.secretsProvider === '1password') {
+            const generateAgeIdentityKey = dependencies.generateAgeIdentityKey ??
+                (() => {
+                    const keygenOutput = execFileSync('age-keygen', [], { encoding: 'utf8' });
+                    return keygenOutput
+                        .split('\n')
+                        .find((line) => line.startsWith('AGE-SECRET-KEY-'))
+                        ?.trim();
+                });
+            let ageIdentityKey;
+            try {
+                ageIdentityKey = generateAgeIdentityKey();
+            }
+            catch (error) {
+                const message = error instanceof Error ? error.message : String(error);
+                (dependencies.reportWarning ?? ((warning) => process.stderr.write(`${warning}\n`)))(`[init] age-keygen not available; skipping AGE_IDENTITY_KEY. Install age if you need sops-backed secrets. (${message})`);
+            }
+            if (ageIdentityKey) {
+                await fs.appendFile(envFilePath, `AGE_IDENTITY_KEY=${ageIdentityKey}\n`, 'utf8');
+            }
+        }
+    }
+    const configFileName = resolveGatewayConfigFileName(gatewayType);
+    const configPath = path.join(options.targetDir, 'config', 'gateways', options.zoneId, configFileName);
+    const configStatus = await writeFileIfMissing(configPath, `${JSON.stringify(gatewayType === 'openclaw'
+        ? defaultOpenClawConfig(options.zoneId, defaultGatewayIngressPort)
+        : defaultWorkerGatewayConfig(), null, '\t')}\n`, overwrite);
+    (configStatus === 'created' ? created : skipped).push(`config/gateways/${options.zoneId}/${configFileName}`);
+    if (gatewayType === 'worker') {
+        const promptFileResults = await Promise.all(defaultWorkerPromptFiles.map(async (promptFile) => {
+            const promptFilePath = path.join(options.targetDir, 'config', 'gateways', options.zoneId, 'prompts', promptFile.fileName);
+            return {
+                fileName: promptFile.fileName,
+                status: await writeFileIfMissing(promptFilePath, `${promptFile.content}\n`, overwrite),
+            };
+        }));
+        for (const promptFileResult of promptFileResults) {
+            const promptFileStatus = promptFileResult.status;
+            (promptFileStatus === 'created' ? created : skipped).push(`config/gateways/${options.zoneId}/prompts/${promptFileResult.fileName}`);
+        }
+    }
+    const gatewayDockerfilePath = path.join(options.targetDir, 'vm-images', 'gateways', gatewayType, 'Dockerfile');
+    const gatewayDockerfileStatus = await writeFileIfMissing(gatewayDockerfilePath, gatewayType === 'openclaw'
+        ? defaultGatewayDockerfile
+        : defaultWorkerGatewayDockerfile(options.paths), overwrite);
+    (gatewayDockerfileStatus === 'created' ? created : skipped).push(`vm-images/gateways/${gatewayType}/Dockerfile`);
+    const gatewayBuildConfigPath = path.join(options.targetDir, 'vm-images', 'gateways', gatewayType, 'build-config.json');
+    const gatewayBuildConfigStatus = await writeFileIfMissing(gatewayBuildConfigPath, `${JSON.stringify(defaultGatewayBuildConfig(architecture), null, '\t')}\n`, overwrite);
+    (gatewayBuildConfigStatus === 'created' ? created : skipped).push(`vm-images/gateways/${gatewayType}/build-config.json`);
+    if (gatewayType === 'openclaw') {
+        const pluginCopyStatus = await (dependencies.copyBundledOpenClawPlugin ?? syncBundledOpenClawPluginBundle)(options.targetDir, gatewayType);
+        (pluginCopyStatus === 'created' ? created : skipped).push(openClawPluginVendorDirectory(gatewayType));
+    }
+    if (gatewayType === 'openclaw') {
+        const toolBuildConfigPath = path.join(options.targetDir, 'vm-images', 'tool-vms', 'default', 'build-config.json');
+        const toolBuildConfigStatus = await writeFileIfMissing(toolBuildConfigPath, `${JSON.stringify(defaultToolBuildConfig(architecture), null, '\t')}\n`, overwrite);
+        (toolBuildConfigStatus === 'created' ? created : skipped).push('vm-images/tool-vms/default/build-config.json');
+    }
+    if (options.hostSystemType === 'container') {
+        const resolveZigVersion = dependencies.resolveGondolinMinimumZigVersion ?? resolveGondolinMinimumZigVersion;
+        const zigVersion = await resolveZigVersion();
+        const gondolinPackageSpec = await resolveGondolinPackageSpec();
+        const vmHostSystemFiles = [
+            ['Dockerfile', renderVmHostSystemDockerfile({ zigVersion, gondolinPackageSpec })],
+            ['start.sh', renderVmHostSystemStartScript({ zoneId: options.zoneId })],
+            ['agent-vm-controller.service', renderVmHostSystemSystemdUnit()],
+            ['README.md', renderVmHostSystemReadme({ zoneId: options.zoneId })],
+        ];
+        await Promise.all(vmHostSystemFiles.map(async ([relativeFilePath, content]) => {
+            const status = await writeFileIfMissing(path.join(options.targetDir, 'vm-host-system', relativeFilePath), content, overwrite);
+            (status === 'created' ? created : skipped).push(`vm-host-system/${relativeFilePath}`);
+        }));
+    }
+    if (pathProfile.createLocalRuntimeDirectories) {
+        await Promise.all([
+            path.join(options.targetDir, 'state', options.zoneId),
+            path.join(options.targetDir, 'workspaces', options.zoneId),
+            path.join(options.targetDir, 'workspaces', 'tools'),
+        ].map(async (directoryPath) => {
+            await fs.mkdir(directoryPath, { recursive: true });
+        }));
+    }
+    return { created, keychainStored: false, skipped };
+}
+/**
+ * Interactively prompt for the 1Password service account token and store it
+ * in macOS Keychain. Skips if stdin is not a TTY or if a token already exists.
+ */
+export async function promptAndStoreServiceAccountToken(dependencies = {}) {
+    const hasToken = dependencies.hasKeychainToken ?? hasServiceAccountToken;
+    const storeToken = dependencies.storeKeychainToken ?? storeServiceAccountToken;
+    if (hasToken()) {
+        return false;
+    }
+    if (!process.stdin.isTTY) {
+        return false;
+    }
+    // Use a muted output stream so readline doesn't echo the token
+    const { Writable } = await import('node:stream');
+    const mutedOutput = new Writable({
+        write(_chunk, _encoding, callback) {
+            callback();
+        },
+    });
+    const rl = dependencies.createReadlineInterface?.() ??
+        readline.createInterface({ input: process.stdin, output: mutedOutput, terminal: true });
+    try {
+        process.stderr.write('Paste your 1Password service account token (from https://my.1password.com/developer-tools/service-accounts):\n> ');
+        const token = await rl.question('');
+        process.stderr.write('\n');
+        const trimmedToken = token.trim();
+        if (!trimmedToken) {
+            return false;
+        }
+        storeToken(trimmedToken);
+        process.stderr.write('✓ Stored in macOS Keychain\n');
+        return true;
+    }
+    finally {
+        rl.close();
+    }
+}
+//# sourceMappingURL=init-command.js.map