@agentlayer.tech/wallet 0.1.13 → 0.1.14

package/.openclaw/AGENTS.md

@@ -4,17 +4,25 @@
 These instructions apply to the entire `.openclaw/` tree.
 
 ## Purpose
-This tree contains local OpenClaw host-side workspace assets. In the current repo, its primary responsibility is the `agent-wallet` extension that bridges OpenClaw to the authoritative Python `agent-wallet` backend.
+This tree contains local OpenClaw host-side workspace assets. In the current repo, its main responsibilities are:
+
+- the `agent-wallet` extension that bridges OpenClaw to the authoritative Python `agent-wallet` backend
+- the `pay-bridge` extension that bridges OpenClaw to the local `pay` CLI for paid API discovery and execution
 
 ## Current structure
 - `.openclaw/extensions/agent-wallet/index.ts` — TypeScript extension entrypoint registered by OpenClaw.
 - `.openclaw/extensions/agent-wallet/openclaw.plugin.json` — plugin manifest and config schema.
 - `.openclaw/extensions/agent-wallet/package.json` — extension package metadata.
 - `.openclaw/extensions/agent-wallet/skills/wallet-operator/SKILL.md` — user-facing operational wallet safety guidance.
+- `.openclaw/extensions/pay-bridge/index.ts` — TypeScript entrypoint for the local `pay` CLI bridge.
+- `.openclaw/extensions/pay-bridge/openclaw.plugin.json` — plugin manifest and config schema for pay tools.
+- `.openclaw/extensions/pay-bridge/core.mjs` — local `pay` command execution and output shaping.
+- `.openclaw/extensions/pay-bridge/skills/pay-operator/SKILL.md` — user-facing operational guidance for paid API usage.
 
 ## Design intent
 - Keep the TypeScript extension thin and host-oriented.
 - Let Python own wallet logic, policy, approvals, signing rules, and Solana implementation details.
+- Let `pay` remain the source of truth for paid API wallet/account behavior.
 - Let the extension focus on:
   - resolving config
   - locating the Python package
@@ -27,6 +35,7 @@ This tree contains local OpenClaw host-side workspace assets. In the current rep
 
 ### Keep bridge logic thin
 - Do not duplicate business logic from Python unless OpenClaw requires it at registration time.
+- Do not duplicate payment protocol logic from `pay`; prefer invoking the local CLI and shaping its output.
 - Do not reimplement approval validation, transaction policy, wallet derivation, or Solana-specific rules in TypeScript.
 - Prefer forwarding config into the CLI bridge and letting Python decide runtime behavior.
 - Treat this layer as a transport and schema bridge, not an execution authority.

package/.openclaw/extensions/pay-bridge/README.md

@@ -0,0 +1,32 @@
+# pay-bridge
+
+Thin OpenClaw bridge to the locally installed `pay` CLI.
+
+This plugin is intentionally separate from `agent-wallet`:
+
+- `agent-wallet` remains the execution wallet stack for Solana/EVM/BTC
+- `pay-bridge` only discovers and calls paid APIs through `pay`
+- the `pay` wallet stays separate from the AgentLayer wallet runtime
+
+## Exposed tools
+
+- `pay_status`
+- `pay_wallet_info`
+- `pay_search_services`
+- `pay_get_service_endpoints`
+- `pay_api_request`
+
+## Intended workflow
+
+1. `pay_status`
+2. `pay_search_services`
+3. `pay_get_service_endpoints`
+4. `pay_api_request`
+
+`pay_api_request` is deliberately narrow:
+
+- it requires a `service_fqn`, `resource`, and `url`
+- it validates the URL against `pay skills endpoints`
+- it requires `purpose` and `user_confirmed=true`
+
+This keeps the bridge thin and prevents it from becoming a generic arbitrary paid-curl launcher.

package/.openclaw/extensions/pay-bridge/core.mjs

@@ -0,0 +1,287 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+
+const execFileAsync = promisify(execFile);
+const ANSI_RE = /\u001b\[[0-9;]*m/g;
+
+function stripAnsi(text) {
+  return String(text || "").replace(ANSI_RE, "");
+}
+
+function nonEmptyLines(text) {
+  return stripAnsi(text)
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter(Boolean);
+}
+
+function extractLastJsonValue(text) {
+  const lines = nonEmptyLines(text);
+  for (let i = lines.length - 1; i >= 0; i -= 1) {
+    const candidate = lines[i];
+    if (!candidate.startsWith("{") && !candidate.startsWith("[")) continue;
+    try {
+      return JSON.parse(candidate);
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
+
+function collectStringLeaves(value, acc = new Set()) {
+  if (typeof value === "string") {
+    acc.add(value);
+    return acc;
+  }
+  if (Array.isArray(value)) {
+    for (const item of value) collectStringLeaves(item, acc);
+    return acc;
+  }
+  if (value && typeof value === "object") {
+    for (const item of Object.values(value)) collectStringLeaves(item, acc);
+  }
+  return acc;
+}
+
+function withAccountArgs(args, account) {
+  if (!account) return args;
+  return [...args, "--account", account];
+}
+
+export function resolvePayBinary(config = {}) {
+  return (
+    config.payBinary ||
+    process.env.OPENCLAW_PAY_BINARY ||
+    "pay"
+  );
+}
+
+export async function runPayCommand(payBinary, args, options = {}) {
+  const { cwd, input = null } = options;
+  let stdout = "";
+  let stderr = "";
+  try {
+    const result = await execFileAsync(payBinary, args, {
+      cwd,
+      env: { ...process.env },
+      input,
+      maxBuffer: 1024 * 1024 * 8,
+    });
+    stdout = result.stdout ?? "";
+    stderr = result.stderr ?? "";
+  } catch (error) {
+    stdout = typeof error?.stdout === "string" ? error.stdout : "";
+    stderr = typeof error?.stderr === "string" ? error.stderr : "";
+    const payload = extractLastJsonValue(stdout) || extractLastJsonValue(stderr);
+    const message =
+      payload?.error?.message ||
+      payload?.message ||
+      stripAnsi(stderr || stdout || error?.message || "pay command failed").trim() ||
+      "pay command failed";
+    const wrapped = new Error(message);
+    wrapped.stdout = stdout;
+    wrapped.stderr = stderr;
+    wrapped.details = payload && typeof payload === "object" ? payload : null;
+    throw wrapped;
+  }
+  return { stdout, stderr };
+}
+
+export function parseWhoamiOutput(stdout) {
+  const lines = nonEmptyLines(stdout);
+  const systemUser = lines[0] || null;
+  const noAccount = lines.some((line) => /no mainnet account/i.test(line));
+  return {
+    system_user: systemUser,
+    has_mainnet_account: !noAccount,
+    raw_lines: lines,
+  };
+}
+
+export function parseAccountListOutput(stdout) {
+  const lines = nonEmptyLines(stdout);
+  const noAccounts = lines.some((line) => /no accounts found/i.test(line));
+  return {
+    has_accounts: !noAccounts,
+    raw_lines: lines,
+  };
+}
+
+export async function getPayStatus(config = {}, options = {}) {
+  const payBinary = resolvePayBinary(config);
+  const versionResult = await runPayCommand(payBinary, ["--version"], options);
+  const whoamiResult = await runPayCommand(
+    payBinary,
+    withAccountArgs(["whoami"], config.defaultAccount),
+    options
+  );
+  const accountListResult = await runPayCommand(payBinary, ["account", "list"], options);
+  return {
+    installed: true,
+    pay_binary: payBinary,
+    version: stripAnsi(versionResult.stdout).trim() || null,
+    account_configured: parseWhoamiOutput(whoamiResult.stdout).has_mainnet_account,
+    has_any_accounts: parseAccountListOutput(accountListResult.stdout).has_accounts,
+    whoami: parseWhoamiOutput(whoamiResult.stdout),
+    accounts: parseAccountListOutput(accountListResult.stdout),
+  };
+}
+
+export async function getPayWalletInfo(config = {}, options = {}) {
+  const payBinary = resolvePayBinary(config);
+  const whoamiResult = await runPayCommand(
+    payBinary,
+    withAccountArgs(["whoami"], config.defaultAccount),
+    options
+  );
+  const accountListResult = await runPayCommand(payBinary, ["account", "list"], options);
+  return {
+    pay_binary: payBinary,
+    default_account: config.defaultAccount || null,
+    whoami: parseWhoamiOutput(whoamiResult.stdout),
+    accounts: parseAccountListOutput(accountListResult.stdout),
+    notes: [
+      "This wallet is managed by pay.sh and is separate from the AgentLayer execution wallet.",
+    ],
+  };
+}
+
+export async function searchPayServices(config = {}, params = {}, options = {}) {
+  const payBinary = resolvePayBinary(config);
+  const args = ["skills", "search"];
+  if (params.query) args.push(String(params.query));
+  if (params.category) args.push("--category", String(params.category));
+  args.push("--json");
+  const { stdout, stderr } = await runPayCommand(
+    payBinary,
+    withAccountArgs(args, params.account || config.defaultAccount),
+    options
+  );
+  const parsed = JSON.parse(stdout.trim() || "{}");
+  return {
+    query: params.query || "",
+    category: params.category || null,
+    results: parsed,
+    warnings: nonEmptyLines(stderr),
+  };
+}
+
+export async function getPayServiceEndpoints(config = {}, params = {}, options = {}) {
+  const payBinary = resolvePayBinary(config);
+  const args = [
+    "skills",
+    "endpoints",
+    String(params.service_fqn),
+    String(params.resource),
+    "--json",
+  ];
+  const { stdout, stderr } = await runPayCommand(
+    payBinary,
+    withAccountArgs(args, params.account || config.defaultAccount),
+    options
+  );
+  const parsed = JSON.parse(stdout.trim() || "{}");
+  return {
+    service_fqn: String(params.service_fqn),
+    resource: String(params.resource),
+    endpoints: parsed,
+    warnings: nonEmptyLines(stderr),
+  };
+}
+
+function ensureHttps(url, requireHttps = true) {
+  if (!requireHttps) return;
+  const parsed = new URL(url);
+  if (parsed.protocol !== "https:") {
+    throw new Error("pay_api_request only allows https URLs.");
+  }
+}
+
+function appendQuery(url, query) {
+  const parsed = new URL(url);
+  if (query && typeof query === "object") {
+    for (const [key, value] of Object.entries(query)) {
+      if (value === undefined || value === null) continue;
+      parsed.searchParams.set(key, String(value));
+    }
+  }
+  return parsed.toString();
+}
+
+export function endpointPayloadContainsUrl(endpointPayload, url) {
+  const strings = collectStringLeaves(endpointPayload);
+  return strings.has(url);
+}
+
+export async function executePayApiRequest(config = {}, params = {}, options = {}) {
+  if (params.user_confirmed !== true) {
+    throw new Error("pay_api_request requires user_confirmed=true.");
+  }
+  if (!params.purpose || !String(params.purpose).trim()) {
+    throw new Error("pay_api_request requires a non-empty purpose.");
+  }
+  if (!params.service_fqn || !params.resource || !params.url) {
+    throw new Error("pay_api_request requires service_fqn, resource, and url.");
+  }
+  if (params.json_body !== undefined && params.text_body !== undefined) {
+    throw new Error("Provide either json_body or text_body, not both.");
+  }
+
+  const endpointData = await getPayServiceEndpoints(config, {
+    account: params.account,
+    resource: params.resource,
+    service_fqn: params.service_fqn,
+  }, options);
+
+  const finalUrl = appendQuery(String(params.url), params.query);
+  ensureHttps(finalUrl, config.requireHttps !== false);
+  if (!endpointPayloadContainsUrl(endpointData.endpoints, String(params.url))) {
+    throw new Error("The requested URL is not present in pay_get_service_endpoints for this service/resource.");
+  }
+
+  const payBinary = resolvePayBinary(config);
+  const method = String(params.method || "GET").toUpperCase();
+  const args = ["curl"];
+  if (params.account || config.defaultAccount) {
+    args.push("--account", String(params.account || config.defaultAccount));
+  }
+  args.push("--request", method);
+
+  const headers = params.headers && typeof params.headers === "object" ? params.headers : {};
+  for (const [key, value] of Object.entries(headers)) {
+    args.push("--header", `${key}: ${String(value)}`);
+  }
+
+  if (params.json_body !== undefined) {
+    const hasContentType = Object.keys(headers).some((key) => key.toLowerCase() === "content-type");
+    if (!hasContentType) {
+      args.push("--header", "content-type: application/json");
+    }
+    args.push("--data", JSON.stringify(params.json_body));
+  } else if (params.text_body !== undefined) {
+    args.push("--data", String(params.text_body));
+  }
+
+  args.push(finalUrl);
+  const { stdout, stderr } = await runPayCommand(payBinary, args, options);
+  const trimmed = stdout.trim();
+  let responseBody = trimmed;
+  if (params.parse_json_response !== false) {
+    try {
+      responseBody = JSON.parse(trimmed);
+    } catch {
+      responseBody = trimmed;
+    }
+  }
+  return {
+    method,
+    purpose: String(params.purpose),
+    request_url: finalUrl,
+    service_fqn: String(params.service_fqn),
+    resource: String(params.resource),
+    response: responseBody,
+    raw_response_text: trimmed,
+    warnings: nonEmptyLines(stderr),
+  };
+}

package/.openclaw/extensions/pay-bridge/index.ts

@@ -0,0 +1,196 @@
+import {
+  executePayApiRequest,
+  getPayServiceEndpoints,
+  getPayStatus,
+  getPayWalletInfo,
+  searchPayServices,
+} from "./core.mjs";
+
+const PLUGIN_ID = "pay-bridge";
+
+function asContent(data) {
+  return {
+    content: [
+      {
+        type: "text",
+        text: JSON.stringify(data, null, 2),
+      },
+    ],
+  };
+}
+
+function resolvePluginConfig(api) {
+  const globalConfig = api?.config ?? {};
+  const pluginEntry = globalConfig?.plugins?.entries?.[PLUGIN_ID];
+  return pluginEntry?.config ?? globalConfig?.config ?? {};
+}
+
+function registerTool(api, definition) {
+  api.registerTool({
+    name: definition.name,
+    description: definition.description,
+    parameters: definition.parameters,
+    returns: {
+      type: "object",
+      additionalProperties: true,
+    },
+    async execute(_id, params = {}) {
+      const config = resolvePluginConfig(api);
+      let result;
+      if (definition.name === "pay_status") {
+        result = await getPayStatus(config, { cwd: process.cwd() });
+      } else if (definition.name === "pay_wallet_info") {
+        result = await getPayWalletInfo(config, { cwd: process.cwd() });
+      } else if (definition.name === "pay_search_services") {
+        result = await searchPayServices(config, params, { cwd: process.cwd() });
+      } else if (definition.name === "pay_get_service_endpoints") {
+        result = await getPayServiceEndpoints(config, params, { cwd: process.cwd() });
+      } else if (definition.name === "pay_api_request") {
+        result = await executePayApiRequest(config, params, { cwd: process.cwd() });
+      } else {
+        throw new Error(`Unsupported pay-bridge tool: ${definition.name}`);
+      }
+      return asContent(result);
+    },
+  });
+}
+
+const toolDefinitions = [
+  {
+    name: "pay_status",
+    description:
+      "Check whether the local pay.sh CLI is installed and whether a pay wallet/account is configured. Use this before any paid API workflow.",
+    parameters: {
+      type: "object",
+      properties: {},
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "pay_wallet_info",
+    description:
+      "Show pay wallet/account status. This wallet is separate from the AgentLayer execution wallet and is only for pay.sh API payments.",
+    parameters: {
+      type: "object",
+      properties: {},
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "pay_search_services",
+    description:
+      "Search the pay.sh skills catalog for paid APIs. Prefer this instead of guessing URLs manually.",
+    parameters: {
+      type: "object",
+      properties: {
+        query: {
+          type: "string",
+          description: "Search text for service names, descriptions, or endpoint paths.",
+        },
+        category: {
+          type: "string",
+          description: "Optional category filter such as ai_ml, maps, data, compute, search, crypto_finance.",
+        },
+        account: {
+          type: "string",
+          description: "Optional pay account override.",
+        },
+      },
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "pay_get_service_endpoints",
+    description:
+      "List the discoverable endpoints for a pay.sh service/resource pair and return their gateway URLs. Use the returned URL with pay_api_request.",
+    parameters: {
+      type: "object",
+      properties: {
+        service_fqn: {
+          type: "string",
+          description: "Fully qualified pay service name, for example solana-foundation/google/language.",
+        },
+        resource: {
+          type: "string",
+          description: "Resource name inside the service, for example entities or jobs.",
+        },
+        account: {
+          type: "string",
+          description: "Optional pay account override.",
+        },
+      },
+      required: ["service_fqn", "resource"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "pay_api_request",
+    description:
+      "Call a paid API through the local pay.sh CLI using a URL returned by pay_get_service_endpoints. Requires explicit user_confirmed=true and keeps the pay wallet separate from AgentLayer execution wallets.",
+    optional: true,
+    parameters: {
+      type: "object",
+      properties: {
+        service_fqn: {
+          type: "string",
+          description: "Fully qualified pay service name used to validate the request URL.",
+        },
+        resource: {
+          type: "string",
+          description: "Resource name used to validate the request URL.",
+        },
+        url: {
+          type: "string",
+          description: "Exact HTTPS gateway URL returned by pay_get_service_endpoints.",
+        },
+        method: {
+          type: "string",
+          description: "HTTP method such as GET or POST.",
+        },
+        headers: {
+          type: "object",
+          additionalProperties: { type: "string" },
+          description: "Optional HTTP headers.",
+        },
+        query: {
+          type: "object",
+          additionalProperties: true,
+          description: "Optional query parameters to append to the URL.",
+        },
+        json_body: {
+          description: "Optional JSON request body.",
+        },
+        text_body: {
+          type: "string",
+          description: "Optional raw text request body. Do not provide with json_body.",
+        },
+        account: {
+          type: "string",
+          description: "Optional pay account override.",
+        },
+        parse_json_response: {
+          type: "boolean",
+          description: "If true, attempt to parse the response body as JSON.",
+        },
+        purpose: {
+          type: "string",
+          description: "Short user-facing reason for this paid API call.",
+        },
+        user_confirmed: {
+          type: "boolean",
+          description: "Must be true for paid API requests.",
+        },
+      },
+      required: ["service_fqn", "resource", "url", "method", "purpose", "user_confirmed"],
+      additionalProperties: false,
+    },
+  },
+];
+
+export default function registerPayBridgePlugin(api) {
+  api?.logger?.info?.("[pay-bridge] registering pay.sh OpenClaw plugin");
+  for (const definition of toolDefinitions) {
+    registerTool(api, definition);
+  }
+  api?.logger?.info?.(`[pay-bridge] registered ${toolDefinitions.length} pay tools`);
+}

package/.openclaw/extensions/pay-bridge/openclaw.plugin.json

@@ -0,0 +1,34 @@
+{
+  "id": "pay-bridge",
+  "name": "pay.sh Bridge",
+  "description": "Thin OpenClaw bridge to the local pay.sh CLI for paid API discovery and execution.",
+  "version": "0.1.0",
+  "contracts": {
+    "tools": [
+      "pay_status",
+      "pay_wallet_info",
+      "pay_search_services",
+      "pay_get_service_endpoints",
+      "pay_api_request"
+    ]
+  },
+  "skills": ["skills/pay-operator"],
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "payBinary": {
+        "type": "string",
+        "description": "Absolute path or executable name for the local pay.sh binary."
+      },
+      "defaultAccount": {
+        "type": "string",
+        "description": "Optional pay account name to use when a tool call does not specify one."
+      },
+      "requireHttps": {
+        "type": "boolean",
+        "description": "If true, pay_api_request refuses non-HTTPS URLs."
+      }
+    }
+  }
+}

package/.openclaw/extensions/pay-bridge/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "pay-bridge",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "openclaw": {
+    "extensions": [
+      "./index.ts"
+    ]
+  }
+}

package/.openclaw/extensions/pay-bridge/skills/pay-operator/SKILL.md

@@ -0,0 +1,20 @@
+# pay-operator
+
+Use this skill when the user wants to discover or call paid APIs through `pay`.
+
+## Rules
+
+- Treat the `pay` wallet as separate from the AgentLayer execution wallet.
+- Do not use `agent-wallet` tools for `pay` account management.
+- Do not fall back to shell commands when the `pay-bridge` tools exist.
+- Prefer this order:
+  1. `pay_status`
+  2. `pay_search_services`
+  3. `pay_get_service_endpoints`
+  4. `pay_api_request`
+
+## Notes
+
+- `pay_api_request` requires `purpose` and `user_confirmed=true`.
+- Use the exact gateway URL returned by `pay_get_service_endpoints`.
+- If `pay_status` shows no configured account, stop and ask the user to finish `pay setup`.

package/.openclaw/extensions/pay-bridge/smoke_pay_bridge.mjs

@@ -0,0 +1,38 @@
+import assert from "node:assert/strict";
+
+import {
+  endpointPayloadContainsUrl,
+  parseAccountListOutput,
+  parseWhoamiOutput,
+} from "./core.mjs";
+
+const whoami = parseWhoamiOutput(`
+yuriytsygankov
+\u001b[2m(no mainnet account — run \`pay setup\`)\u001b[0m
+`);
+assert.equal(whoami.system_user, "yuriytsygankov");
+assert.equal(whoami.has_mainnet_account, false);
+
+const accounts = parseAccountListOutput(`
+\u001b[2mNo accounts found. Run \`pay account new\` to create one.\u001b[0m
+`);
+assert.equal(accounts.has_accounts, false);
+
+const endpointPayload = {
+  endpoints: [
+    {
+      method: "POST",
+      url: "https://api.example.com/v1/invoke",
+    },
+  ],
+};
+assert.equal(
+  endpointPayloadContainsUrl(endpointPayload, "https://api.example.com/v1/invoke"),
+  true
+);
+assert.equal(
+  endpointPayloadContainsUrl(endpointPayload, "https://api.example.com/v1/other"),
+  false
+);
+
+console.log("smoke_pay_bridge: ok");

package/CHANGELOG.md

@@ -2,6 +2,16 @@
 
 ## Unreleased
 
+## v0.1.14 - 2026-05-13
+
+- Added a separate `.openclaw/extensions/pay-bridge/` plugin that keeps
+  `pay.sh` API payments outside the main AgentLayer execution wallet stack.
+- Added OpenClaw tools for local `pay` discovery and execution:
+  `pay_status`, `pay_wallet_info`, `pay_search_services`,
+  `pay_get_service_endpoints`, and `pay_api_request`.
+- Updated the local OpenClaw installer/runtime config flow to package and
+  enable the `pay-bridge` plugin alongside `agent-wallet`, including its
+  tool allowlist and absolute `pay` binary path when available.
 - Added an optional Hermes Agent bridge plugin under `hermes/plugins/agent_wallet`
   that forwards into the existing Python wallet CLI instead of duplicating
   OpenClaw wallet tools or policy.

package/README.md

@@ -18,7 +18,7 @@ AgentLayer is a beta local-first wallet and finance stack for agents.
 The repository includes:
 
 - `agent-wallet/` - the main wallet backend for AgentLayer
-- `.openclaw/` - the local AgentLayer bridge layer
+- `.openclaw/` - the local AgentLayer bridge layer, including the OpenClaw wallet bridge and the `pay.sh` API-payments bridge
 - `hermes/` - optional Hermes Agent plugin bridge for the same wallet backend
 - `wdk-btc-wallet/` - the local Bitcoin wallet service
 - `wdk-evm-wallet/` - the local EVM wallet service

package/agent-wallet/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "openclaw-agent-wallet"
-version = "0.1.13"
+version = "0.1.14"
 description = "Plugin-friendly wallet backend for OpenClaw agents"
 requires-python = ">=3.10"
 dependencies = [

package/agent-wallet/scripts/install_openclaw_local_config.py

@@ -1,10 +1,11 @@
-"""Patch an OpenClaw config file for the agent-wallet plugin."""
+"""Patch an OpenClaw config file for the AgentLayer OpenClaw plugins."""
 
 from __future__ import annotations
 
 import argparse
 import json
 import os
+import shutil
 import sys
 from datetime import datetime, timezone
 from pathlib import Path
@@ -44,6 +45,15 @@ OPTIONAL_TOOLS = [
     "request_devnet_airdrop",
 ]
 
+PAY_BRIDGE_PLUGIN_ID = "pay-bridge"
+PAY_BRIDGE_TOOLS = [
+    "pay_status",
+    "pay_wallet_info",
+    "pay_search_services",
+    "pay_get_service_endpoints",
+    "pay_api_request",
+]
+
 
 def _default_config_path() -> Path:
     return Path(os.path.expanduser("~/.openclaw/openclaw.json"))
@@ -83,6 +93,13 @@ def _default_extension_path() -> Path:
     return _repo_root() / ".openclaw" / "extensions" / "agent-wallet"
 
 
+def _default_pay_bridge_extension_path() -> Path:
+    runtime_root = _trusted_runtime_root()
+    if runtime_root is not None:
+        return runtime_root / ".openclaw" / "extensions" / PAY_BRIDGE_PLUGIN_ID
+    return _repo_root() / ".openclaw" / "extensions" / PAY_BRIDGE_PLUGIN_ID
+
+
 def _default_package_root() -> Path:
     runtime_root = _trusted_runtime_root()
     if runtime_root is not None:
@@ -105,6 +122,14 @@ def _default_python_bin() -> str:
     return sys.executable
 
 
+def _default_pay_binary() -> str:
+    explicit = os.getenv("OPENCLAW_PAY_BINARY", "").strip()
+    if explicit:
+        return explicit
+    resolved = shutil.which("pay")
+    return resolved or "pay"
+
+
 def _default_user_id() -> str:
     return f"{os.getenv('USER', 'openclaw-user')}-local"
 
@@ -142,8 +167,10 @@ def build_parser() -> argparse.ArgumentParser:
         default=True,
     )
     parser.add_argument("--extension-path", default=str(_default_extension_path()))
+    parser.add_argument("--pay-bridge-extension-path", default=str(_default_pay_bridge_extension_path()))
     parser.add_argument("--package-root", default=str(_default_package_root()))
     parser.add_argument("--python-bin", default=_default_python_bin())
+    parser.add_argument("--pay-binary", default=_default_pay_binary())
     parser.add_argument("--write-master-key", action=argparse.BooleanOptionalAction, default=False)
     return parser
 
@@ -214,12 +241,20 @@ def main() -> None:
 
     plugins = data.setdefault("plugins", {})
     plugins["enabled"] = True
+    allow = plugins.setdefault("allow", [])
+    if args.plugin_id not in allow:
+        allow.append(args.plugin_id)
+    if PAY_BRIDGE_PLUGIN_ID not in allow:
+        allow.append(PAY_BRIDGE_PLUGIN_ID)
 
     load = plugins.setdefault("load", {})
     paths = load.setdefault("paths", [])
     extension_path_text = str(Path(args.extension_path).expanduser().resolve())
     if extension_path_text not in paths:
         paths.append(extension_path_text)
+    pay_bridge_extension_path_text = str(Path(args.pay_bridge_extension_path).expanduser().resolve())
+    if pay_bridge_extension_path_text not in paths:
+        paths.append(pay_bridge_extension_path_text)
 
     entries = plugins.setdefault("entries", {})
     effective_network = _normalize_network(args.backend, args.network)
@@ -272,10 +307,25 @@ def main() -> None:
         "enabled": True,
         "config": plugin_config,
     }
+    existing_pay_entry = entries.get(PAY_BRIDGE_PLUGIN_ID) if isinstance(entries.get(PAY_BRIDGE_PLUGIN_ID), dict) else {}
+    existing_pay_config = (
+        dict(existing_pay_entry.get("config"))
+        if isinstance(existing_pay_entry.get("config"), dict)
+        else {}
+    )
+    pay_bridge_config = {
+        **existing_pay_config,
+        "payBinary": args.pay_binary.strip() or _default_pay_binary(),
+        "requireHttps": bool(existing_pay_config.get("requireHttps", True)),
+    }
+    entries[PAY_BRIDGE_PLUGIN_ID] = {
+        "enabled": True,
+        "config": pay_bridge_config,
+    }
 
     tools = data.setdefault("tools", {})
     also_allow = tools.setdefault("alsoAllow", [])
-    for tool_name in OPTIONAL_TOOLS:
+    for tool_name in OPTIONAL_TOOLS + PAY_BRIDGE_TOOLS:
         if tool_name not in also_allow:
             also_allow.append(tool_name)
 
@@ -291,6 +341,7 @@ def main() -> None:
                 "config_path": str(config_path),
                 "backup_path": str(backup_path),
                 "extension_path": extension_path_text,
+                "pay_bridge_extension_path": pay_bridge_extension_path_text,
                 "python_bin": args.python_bin,
                 "package_root": plugin_config["packageRoot"],
                 "plugin_id": args.plugin_id,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentlayer.tech/wallet",
-  "version": "0.1.13",
+  "version": "0.1.14",
   "description": "NPM installer for the OpenClaw Agent Wallet local runtime.",
   "type": "module",
   "repository": {
@@ -38,6 +38,7 @@
     "agent-wallet/pyproject.toml",
     ".openclaw/AGENTS.md",
     ".openclaw/extensions/agent-wallet/",
+    ".openclaw/extensions/pay-bridge/",
     "hermes/plugins/agent_wallet/",
     "wdk-btc-wallet/src/",
     "wdk-btc-wallet/bootstrap.sh",
@@ -69,4 +70,4 @@
     "evm"
   ],
   "license": "SEE LICENSE IN LICENSE"
-}
+}