@agentvault/secure-channel 0.5.0 → 0.6.0

package/README.md

@@ -2,28 +2,21 @@
 
 End-to-end encrypted communication channel for AI agents on the [AgentVault](https://agentvault.chat) platform. Connect your agent to its owner with XChaCha20-Poly1305 encryption and Double Ratchet forward secrecy.
 
-## What's New in v0.4.0
+## What's New in v0.5.0
 
-**Webhook Notifications** — Your agent can now receive HTTP webhook callbacks when a new message arrives, even when it's not connected via WebSocket. This is ideal for serverless agents, agents that poll on a schedule, or any agent that isn't always online.
+**Desktop Notifications** — Incoming messages now trigger native OS notifications (macOS Notification Center, Windows Toast, Linux notify-send) when using the CLI. Enabled by default — disable with `--no-notifications`.
 
-### Upgrading from v0.3.x
+**Webhook URL CLI Flag** (v0.4.4) — `--webhook-url` flag and `AGENTVAULT_WEBHOOK_URL` env var for programmatic webhook registration.
 
-```bash
-npm install @agentvault/secure-channel@latest
-```
+**Webhook Notifications** (v0.4.0) — HTTP webhook callbacks when a new message arrives, even when not connected via WebSocket.
 
-Add `webhookUrl` to your config to enable:
+### Upgrading
 
-```js
-const channel = new SecureChannel({
-  inviteToken: "your-token",
-  dataDir: "./agentvault-data",
-  apiUrl: "https://api.agentvault.chat",
-  webhookUrl: "https://your-server.com/webhook/agentvault", // NEW in 0.4.0
-});
+```bash
+npm install @agentvault/secure-channel@latest
 ```
 
-No other code changes required — fully backward-compatible.
+No code changes required — fully backward-compatible.
 
 ---
 
@@ -58,8 +51,10 @@ The CLI will:
 | `--name` | `"CLI Agent"` | Agent display name |
 | `--data-dir` | `./agentvault-data` | Directory for persistent state |
 | `--api-url` | `https://api.agentvault.chat` | API endpoint |
+| `--webhook-url` | (none) | URL for HTTP webhook notifications |
+| `--no-notifications` | (notifications on) | Disable OS desktop notifications |
 
-Environment variables (`AGENTVAULT_INVITE_TOKEN`, `AGENTVAULT_AGENT_NAME`, `AGENTVAULT_DATA_DIR`, `AGENTVAULT_API_URL`) work as alternatives to flags.
+Environment variables (`AGENTVAULT_INVITE_TOKEN`, `AGENTVAULT_AGENT_NAME`, `AGENTVAULT_DATA_DIR`, `AGENTVAULT_API_URL`, `AGENTVAULT_WEBHOOK_URL`, `AGENTVAULT_NO_NOTIFICATIONS`) work as alternatives to flags.
 
 ### Option 2: SDK (Programmatic)
 
@@ -216,6 +211,32 @@ AgentVault supports multiple owner devices (e.g., desktop + mobile). The channel
 
 No additional configuration needed — multi-device is handled transparently.
 
+## Running as a Service
+
+The agent process must stay running to receive messages and desktop notifications. Use [pm2](https://pm2.keymetrics.io/) to keep it alive:
+
+```bash
+# Install pm2 globally
+npm install -g pm2
+
+# Start your agent as a background service
+pm2 start npx --name "my-agent" -- @agentvault/secure-channel \
+  --token=YOUR_TOKEN --name="My Agent"
+
+# View logs
+pm2 logs my-agent
+
+# Auto-restart on crash
+pm2 save
+
+# Stop the agent
+pm2 stop my-agent
+```
+
+pm2 keeps the process running if the terminal closes and auto-restarts on crashes. Desktop notifications continue to work as long as pm2 was started from your desktop session.
+
+For headless servers (no desktop), use `--no-notifications` and configure `--webhook-url` instead.
+
 ## Security
 
 - **XChaCha20-Poly1305** symmetric encryption (192-bit nonces)

package/dist/channel.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAa3C,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EAKb,MAAM,YAAY,CAAC;AAiDpB,qBAAa,aAAc,SAAQ,YAAY;IAiBjC,OAAO,CAAC,MAAM;IAhB1B,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,sBAAsB,CAAc;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,SAAS,CAGH;IACd,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;gBAE7B,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,iEAAiE;IACjE,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAED,2CAA2C;IAC3C,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,6CAA6C;IAC7C,IAAI,YAAY,IAAI,MAAM,CAEzB;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsC5B;;OAEG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAyCtE,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAoB3B;;;OAGG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC;IAsC1F;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;YAiCtE,OAAO;IAgDrB,OAAO,CAAC,KAAK;YAgCC,SAAS;IAyIvB,OAAO,CAAC,QAAQ;IAsEhB;;;;OAIG;YACW,sBAAsB;IAwFpC;;;OAGG;YACW,oBAAoB;IAqClC;;;OAGG;YACW,uBAAuB;IAkCrC;;;;OAIG;YACW,mBAAmB;IAkEjC;;;OAGG;YACW,mBAAmB;IA4FjC,OAAO,CAAC,kBAAkB;IAiB1B,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,YAAY;IAKpB;;;OAGG;YACW,aAAa;CAc5B"}
+{"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAa3C,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EAKb,MAAM,YAAY,CAAC;AAiDpB,qBAAa,aAAc,SAAQ,YAAY;IAiBjC,OAAO,CAAC,MAAM;IAhB1B,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,sBAAsB,CAAc;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,SAAS,CAGH;IACd,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;gBAE7B,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,iEAAiE;IACjE,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAED,2CAA2C;IAC3C,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,6CAA6C;IAC7C,IAAI,YAAY,IAAI,MAAM,CAEzB;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsC5B;;OAEG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAyCtE,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAoB3B;;;OAGG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC;IAsC1F;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;YAiCtE,OAAO;IAgDrB,OAAO,CAAC,KAAK;YAsCC,SAAS;IAyIvB,OAAO,CAAC,QAAQ;IAsEhB;;;;OAIG;YACW,sBAAsB;IAwFpC;;;OAGG;YACW,oBAAoB;IAqClC;;;OAGG;YACW,uBAAuB;IAkCrC;;;;OAIG;YACW,mBAAmB;IAkEjC;;;OAGG;YACW,mBAAmB;IA4FjC,OAAO,CAAC,kBAAkB;IAiB1B,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,YAAY;IAKpB;;;OAGG;YACW,aAAa;CAc5B"}

package/dist/cli.js

@@ -89,7 +89,7 @@ var randomValuesStandard;
 var crypto;
 var randomValueNodeJS;
 var _Module = Module;
-Module.ready = new Promise(function(resolve2, reject) {
+Module.ready = new Promise(function(resolve3, reject) {
   var Module2 = _Module;
   Module2.onAbort = reject;
   Module2.print = function(what) {
@@ -101,13 +101,13 @@ Module.ready = new Promise(function(resolve2, reject) {
   Module2.onRuntimeInitialized = function() {
     try {
       Module2._crypto_secretbox_keybytes();
-      resolve2();
+      resolve3();
     } catch (err2) {
       reject(err2);
     }
   };
   Module2.useBackupModule = function() {
-    return new Promise(function(resolve3, reject2) {
+    return new Promise(function(resolve4, reject2) {
       var Module3 = {};
       Module3.onAbort = reject2;
       Module3.getRandomValue = _Module.getRandomValue;
@@ -120,7 +120,7 @@ Module.ready = new Promise(function(resolve2, reject) {
         Object.keys(Module3).forEach(function(k2) {
           _Module[k2] = Module3[k2];
         });
-        resolve3();
+        resolve4();
       };
       var Module3 = typeof Module3 != "undefined" ? Module3 : {};
       var ENVIRONMENT_IS_WEB2 = !!globalThis.window;
@@ -180,13 +180,13 @@ Module.ready = new Promise(function(resolve2, reject) {
           }
           readAsync2 = async (url) => {
             if (isFileURI2(url)) {
-              return new Promise((resolve4, reject3) => {
+              return new Promise((resolve5, reject3) => {
                 var xhr = new XMLHttpRequest();
                 xhr.open("GET", url, true);
                 xhr.responseType = "arraybuffer";
                 xhr.onload = () => {
                   if (xhr.status == 200 || xhr.status == 0 && xhr.response) {
-                    resolve4(xhr.response);
+                    resolve5(xhr.response);
                     return;
                   }
                   reject3(xhr.status);
@@ -40099,9 +40099,9 @@ Module.ready = new Promise(function(resolve2, reject) {
         }
         var info = getWasmImports2();
         if (Module3["instantiateWasm"]) {
-          return new Promise((resolve4, reject3) => {
+          return new Promise((resolve5, reject3) => {
             Module3["instantiateWasm"](info, (inst, mod) => {
-              resolve4(receiveInstance(inst, mod));
+              resolve5(receiveInstance(inst, mod));
             });
           });
         }
@@ -41004,13 +41004,13 @@ Module.ready = new Promise(function(resolve2, reject) {
       }
       readAsync = async (url) => {
         if (isFileURI(url)) {
-          return new Promise((resolve3, reject2) => {
+          return new Promise((resolve4, reject2) => {
             var xhr = new XMLHttpRequest();
             xhr.open("GET", url, true);
             xhr.responseType = "arraybuffer";
             xhr.onload = () => {
               if (xhr.status == 200 || xhr.status == 0 && xhr.response) {
-                resolve3(xhr.response);
+                resolve4(xhr.response);
                 return;
               }
               reject2(xhr.status);
@@ -41124,9 +41124,9 @@ Module.ready = new Promise(function(resolve2, reject) {
     }
     var info = getWasmImports();
     if (Module2["instantiateWasm"]) {
-      return new Promise((resolve3, reject2) => {
+      return new Promise((resolve4, reject2) => {
         Module2["instantiateWasm"](info, (inst, mod) => {
-          resolve3(receiveInstance(inst, mod));
+          resolve4(receiveInstance(inst, mod));
         });
       });
     }
@@ -45013,6 +45013,9 @@ async function enrollDevice(apiUrl2, inviteToken, identityPkHex, ephemeralPkHex,
 }
 async function pollDeviceStatus(apiUrl2, deviceId) {
   const res = await fetch(`${apiUrl2}/api/v1/devices/${deviceId}/status`);
+  if (res.status === 429) {
+    return { device_id: deviceId, status: "PENDING", fingerprint: "", rateLimited: true };
+  }
   if (!res.ok) {
     const detail = await res.text();
     throw new Error(`Status poll failed (${res.status}): ${detail}`);
@@ -45033,7 +45036,7 @@ async function activateDevice(apiUrl2, deviceId) {
 }
 
 // src/channel.ts
-var POLL_INTERVAL_MS = 3e3;
+var POLL_INTERVAL_MS = 6e3;
 var RECONNECT_BASE_MS = 1e3;
 var RECONNECT_MAX_MS = 3e4;
 function migratePersistedState(raw) {
@@ -45318,6 +45321,10 @@ var SecureChannel = class extends EventEmitter {
           this.config.apiUrl,
           this._deviceId
         );
+        if (status.rateLimited) {
+          this._pollTimer = setTimeout(doPoll, POLL_INTERVAL_MS * 2);
+          return;
+        }
         if (status.status === "APPROVED") {
           await this._activate();
           return;
@@ -45768,10 +45775,137 @@ var SecureChannel = class extends EventEmitter {
 };
 
 // src/cli.ts
-import { resolve } from "node:path";
+import { resolve as resolve2 } from "node:path";
 import { createInterface } from "node:readline";
-import notifier from "node-notifier";
+
+// src/setup.ts
+import { execSync } from "node:child_process";
+import { resolve } from "node:path";
+async function runSetupCommand(options) {
+  const { token: token2, name: name2, apiUrl: apiUrl2 } = options;
+  const dataDir2 = resolve(options.dataDir.replace(/^~/, process.env.HOME ?? "~"));
+  console.log(`
+\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+\u2551         AgentVault \u2014 First-Time Setup        \u2551
+\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
+
+  Agent name : ${name2}
+  Data dir   : ${dataDir2}
+  API        : ${apiUrl2}
+`);
+  let enrollDone = false;
+  const channel2 = new SecureChannel({
+    inviteToken: token2,
+    dataDir: dataDir2,
+    apiUrl: apiUrl2,
+    agentName: name2,
+    onMessage: () => {
+    },
+    // Not handling messages during setup
+    onStateChange: (state) => {
+      switch (state) {
+        case "enrolling":
+          console.log("  Enrolling with AgentVault server...");
+          break;
+        case "polling":
+          console.log("  Waiting for approval in your AgentVault dashboard...");
+          if (channel2.fingerprint) {
+            console.log(`
+  Fingerprint: ${channel2.fingerprint}`);
+            console.log("  Verify this fingerprint matches the one shown in your dashboard");
+            console.log("  before clicking Approve.\n");
+          }
+          break;
+        case "activating":
+          console.log("  Approved! Setting up encryption...");
+          break;
+        case "ready":
+          enrollDone = true;
+          console.log("  \u2705 Enrollment complete! Secure channel established.\n");
+          break;
+        case "error":
+          console.error("  \u274C Setup encountered an error.");
+          break;
+      }
+    }
+  });
+  channel2.on("error", (err) => {
+    console.error(`
+  \u274C Setup failed: ${err.message}
+`);
+    process.exit(1);
+  });
+  await new Promise((res, rej) => {
+    const check = setInterval(() => {
+      if (enrollDone) {
+        clearInterval(check);
+        res();
+      }
+    }, 500);
+    channel2.start().catch((err) => {
+      clearInterval(check);
+      rej(err);
+    });
+  });
+  await channel2.stop();
+  console.log("  Registering AgentVault channel in OpenClaw config...\n");
+  const patchCommands = [
+    `openclaw config set channels.agentvault.dataDir "${dataDir2}"`,
+    `openclaw config set channels.agentvault.apiUrl "${apiUrl2}"`,
+    `openclaw config set channels.agentvault.agentName "${name2}"`
+  ];
+  let configPatched = false;
+  for (const cmd of patchCommands) {
+    try {
+      execSync(cmd, { stdio: "pipe" });
+      configPatched = true;
+    } catch {
+      configPatched = false;
+      break;
+    }
+  }
+  if (configPatched) {
+    console.log(`  \u2705 Channel registered in OpenClaw config.
+
+  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  Restart OpenClaw to activate the secure channel:
+
+    openclaw gateway restart
+
+  After restart, your AgentVault UI will route
+  encrypted messages directly into your agent.
+  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+`);
+  } else {
+    console.log(`  \u26A0\uFE0F  Could not auto-configure OpenClaw (is 'openclaw' in your PATH?).
+  Add this to your OpenClaw config (openclaw.yaml or openclaw.json) manually:
+
+  channels:
+    agentvault:
+      dataDir: "${dataDir2}"
+      apiUrl: "${apiUrl2}"
+      agentName: "${name2}"
+
+  Then restart OpenClaw:
+    openclaw gateway restart
+`);
+  }
+}
+
+// src/cli.ts
+var _notifier = null;
+async function tryNotify(title, message) {
+  try {
+    if (!_notifier) {
+      const mod = await import("node-notifier");
+      _notifier = mod.default ?? mod;
+    }
+    _notifier.notify({ title, message, sound: true });
+  } catch {
+  }
+}
 var args = process.argv.slice(2);
+var subcommand = args[0]?.startsWith("--") ? null : args[0] ?? null;
 var flags = {};
 for (const arg of args) {
   const kvMatch = arg.match(/^--(\w[\w-]*)=(.+)$/);
@@ -45787,12 +45921,45 @@ var dataDir = flags["data-dir"] || process.env.AGENTVAULT_DATA_DIR || "./agentva
 var apiUrl = flags["api-url"] || process.env.AGENTVAULT_API_URL || "https://api.agentvault.chat";
 var webhookUrl = flags["webhook-url"] || process.env.AGENTVAULT_WEBHOOK_URL;
 var noNotifications = flags["no-notifications"] === "true" || process.env.AGENTVAULT_NO_NOTIFICATIONS === "1";
+if (subcommand === "setup") {
+  if (!token) {
+    console.error(`
+AgentVault Setup
+
+Usage:
+  npx @agentvault/secure-channel setup --token=YOUR_INVITE_TOKEN
+
+Options:
+  --token=TOKEN      Invite token from the AgentVault dashboard (required)
+  --name=NAME        Agent display name (default: "CLI Agent")
+  --data-dir=PATH    Directory for persistent state (default: ~/.openclaw/agentvault)
+  --api-url=URL      API endpoint (default: https://api.agentvault.chat)
+
+This command:
+  1. Enrolls this machine as your agent with AgentVault
+  2. Waits for your approval in the AgentVault dashboard
+  3. Saves the encrypted session to --data-dir
+  4. Registers the agentvault channel in your OpenClaw config
+
+After setup, restart OpenClaw \u2014 messages will flow automatically.
+`);
+    process.exit(1);
+  }
+  await runSetupCommand({
+    token,
+    name,
+    apiUrl,
+    dataDir: flags["data-dir"] || process.env.AGENTVAULT_DATA_DIR || "~/.openclaw/agentvault"
+  });
+  process.exit(0);
+}
 if (!token) {
   console.error(`
 AgentVault Secure Channel CLI
 
 Usage:
-  npx @agentvault/secure-channel --token=YOUR_INVITE_TOKEN
+  npx @agentvault/secure-channel setup --token=TOKEN    # First-time OpenClaw setup
+  npx @agentvault/secure-channel --token=TOKEN          # Standalone interactive CLI
 
 Options:
   --token=TOKEN          Invite token from the AgentVault dashboard (required on first run)
@@ -45800,7 +45967,7 @@ Options:
   --data-dir=PATH        Directory for persistent state (default: ./agentvault-data)
   --api-url=URL          API endpoint (default: https://api.agentvault.chat)
   --webhook-url=URL      URL for HTTP webhook notifications on new messages
-  --no-notifications     Disable OS desktop notifications (enabled by default)
+  --no-notifications     Disable OS desktop notifications
 
 Environment variables:
   AGENTVAULT_INVITE_TOKEN       Same as --token
@@ -45810,9 +45977,12 @@ Environment variables:
   AGENTVAULT_WEBHOOK_URL        Same as --webhook-url
   AGENTVAULT_NO_NOTIFICATIONS   Set to "1" to disable desktop notifications
 
-Example:
+Examples:
+  # One-time OpenClaw setup (recommended):
+  npx @agentvault/secure-channel setup --token=av_tok_abc123
+
+  # Standalone interactive CLI:
   npx @agentvault/secure-channel --token=av_tok_abc123 --name="My Agent"
-  npx @agentvault/secure-channel --token=av_tok_abc123 --webhook-url=https://myapp.com/webhook
 `);
   process.exit(1);
 }
@@ -45828,7 +45998,7 @@ var stateMessages = {
 };
 var channel = new SecureChannel({
   inviteToken: token,
-  dataDir: resolve(dataDir),
+  dataDir: resolve2(dataDir),
   apiUrl,
   agentName: name,
   webhookUrl,
@@ -45839,11 +46009,7 @@ var channel = new SecureChannel({
     process.stdout.write("\n> ");
     if (!noNotifications) {
       const body = plaintext.length > 100 ? plaintext.slice(0, 100) + "..." : plaintext;
-      notifier.notify({
-        title: "AgentVault \u2014 New Message",
-        message: body,
-        sound: true
-      });
+      void tryNotify("AgentVault \u2014 New Message", body);
     }
   },
   onStateChange: (state) => {