npm - @aion0/bastion - Versions diffs - 0.1.7 - Mend

@aion0/bastion 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (377) hide show

package/LICENSE +21 -0
package/README.md +183 -0
package/README.zh.md +468 -0
package/config/default.yaml +73 -0
package/dist/cli/commands/config.d.ts +3 -0
package/dist/cli/commands/config.d.ts.map +1 -0
package/dist/cli/commands/config.js +31 -0
package/dist/cli/commands/config.js.map +1 -0
package/dist/cli/commands/env.d.ts +3 -0
package/dist/cli/commands/env.d.ts.map +1 -0
package/dist/cli/commands/env.js +83 -0
package/dist/cli/commands/env.js.map +1 -0
package/dist/cli/commands/health.d.ts +3 -0
package/dist/cli/commands/health.d.ts.map +1 -0
package/dist/cli/commands/health.js +45 -0
package/dist/cli/commands/health.js.map +1 -0
package/dist/cli/commands/openclaw.d.ts +3 -0
package/dist/cli/commands/openclaw.d.ts.map +1 -0
package/dist/cli/commands/openclaw.js +1062 -0
package/dist/cli/commands/openclaw.js.map +1 -0
package/dist/cli/commands/proxy.d.ts +8 -0
package/dist/cli/commands/proxy.d.ts.map +1 -0
package/dist/cli/commands/proxy.js +433 -0
package/dist/cli/commands/proxy.js.map +1 -0
package/dist/cli/commands/start.d.ts +3 -0
package/dist/cli/commands/start.d.ts.map +1 -0
package/dist/cli/commands/start.js +62 -0
package/dist/cli/commands/start.js.map +1 -0
package/dist/cli/commands/stats.d.ts +3 -0
package/dist/cli/commands/stats.d.ts.map +1 -0
package/dist/cli/commands/stats.js +32 -0
package/dist/cli/commands/stats.js.map +1 -0
package/dist/cli/commands/stop.d.ts +3 -0
package/dist/cli/commands/stop.d.ts.map +1 -0
package/dist/cli/commands/stop.js +28 -0
package/dist/cli/commands/stop.js.map +1 -0
package/dist/cli/commands/token.d.ts +3 -0
package/dist/cli/commands/token.d.ts.map +1 -0
package/dist/cli/commands/token.js +32 -0
package/dist/cli/commands/token.js.map +1 -0
package/dist/cli/commands/trust-ca.d.ts +3 -0
package/dist/cli/commands/trust-ca.d.ts.map +1 -0
package/dist/cli/commands/trust-ca.js +44 -0
package/dist/cli/commands/trust-ca.js.map +1 -0
package/dist/cli/commands/wrap.d.ts +3 -0
package/dist/cli/commands/wrap.d.ts.map +1 -0
package/dist/cli/commands/wrap.js +70 -0
package/dist/cli/commands/wrap.js.map +1 -0
package/dist/cli/daemon.d.ts +11 -0
package/dist/cli/daemon.d.ts.map +1 -0
package/dist/cli/daemon.js +82 -0
package/dist/cli/daemon.js.map +1 -0
package/dist/cli/index.d.ts +3 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +35 -0
package/dist/cli/index.js.map +1 -0
package/dist/config/index.d.ts +3 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +60 -0
package/dist/config/index.js.map +1 -0
package/dist/config/manager.d.ts +12 -0
package/dist/config/manager.d.ts.map +1 -0
package/dist/config/manager.js +73 -0
package/dist/config/manager.js.map +1 -0
package/dist/config/paths.d.ts +10 -0
package/dist/config/paths.d.ts.map +1 -0
package/dist/config/paths.js +16 -0
package/dist/config/paths.js.map +1 -0
package/dist/config/schema.d.ts +85 -0
package/dist/config/schema.d.ts.map +1 -0
package/dist/config/schema.js +3 -0
package/dist/config/schema.js.map +1 -0
package/dist/dashboard/api-routes.d.ts +6 -0
package/dist/dashboard/api-routes.d.ts.map +1 -0
package/dist/dashboard/api-routes.js +671 -0
package/dist/dashboard/api-routes.js.map +1 -0
package/dist/dashboard/api.d.ts +4 -0
package/dist/dashboard/api.d.ts.map +1 -0
package/dist/dashboard/api.js +25 -0
package/dist/dashboard/api.js.map +1 -0
package/dist/dashboard/page.d.ts +3 -0
package/dist/dashboard/page.d.ts.map +1 -0
package/dist/dashboard/page.js +1622 -0
package/dist/dashboard/page.js.map +1 -0
package/dist/dlp/actions.d.ts +13 -0
package/dist/dlp/actions.d.ts.map +1 -0
package/dist/dlp/actions.js +3 -0
package/dist/dlp/actions.js.map +1 -0
package/dist/dlp/ai-validator.d.ts +28 -0
package/dist/dlp/ai-validator.d.ts.map +1 -0
package/dist/dlp/ai-validator.js +214 -0
package/dist/dlp/ai-validator.js.map +1 -0
package/dist/dlp/engine.d.ts +34 -0
package/dist/dlp/engine.d.ts.map +1 -0
package/dist/dlp/engine.js +342 -0
package/dist/dlp/engine.js.map +1 -0
package/dist/dlp/entropy.d.ts +22 -0
package/dist/dlp/entropy.d.ts.map +1 -0
package/dist/dlp/entropy.js +43 -0
package/dist/dlp/entropy.js.map +1 -0
package/dist/dlp/message-cache.d.ts +45 -0
package/dist/dlp/message-cache.d.ts.map +1 -0
package/dist/dlp/message-cache.js +251 -0
package/dist/dlp/message-cache.js.map +1 -0
package/dist/dlp/patterns/context-aware.d.ts +4 -0
package/dist/dlp/patterns/context-aware.d.ts.map +1 -0
package/dist/dlp/patterns/context-aware.js +45 -0
package/dist/dlp/patterns/context-aware.js.map +1 -0
package/dist/dlp/patterns/high-confidence.d.ts +4 -0
package/dist/dlp/patterns/high-confidence.d.ts.map +1 -0
package/dist/dlp/patterns/high-confidence.js +140 -0
package/dist/dlp/patterns/high-confidence.js.map +1 -0
package/dist/dlp/patterns/prompt-injection.d.ts +4 -0
package/dist/dlp/patterns/prompt-injection.d.ts.map +1 -0
package/dist/dlp/patterns/prompt-injection.js +244 -0
package/dist/dlp/patterns/prompt-injection.js.map +1 -0
package/dist/dlp/patterns/validated.d.ts +4 -0
package/dist/dlp/patterns/validated.d.ts.map +1 -0
package/dist/dlp/patterns/validated.js +21 -0
package/dist/dlp/patterns/validated.js.map +1 -0
package/dist/dlp/remote-sync.d.ts +47 -0
package/dist/dlp/remote-sync.d.ts.map +1 -0
package/dist/dlp/remote-sync.js +252 -0
package/dist/dlp/remote-sync.js.map +1 -0
package/dist/dlp/semantics.d.ts +27 -0
package/dist/dlp/semantics.d.ts.map +1 -0
package/dist/dlp/semantics.js +93 -0
package/dist/dlp/semantics.js.map +1 -0
package/dist/dlp/structure.d.ts +25 -0
package/dist/dlp/structure.d.ts.map +1 -0
package/dist/dlp/structure.js +86 -0
package/dist/dlp/structure.js.map +1 -0
package/dist/dlp/validators.d.ts +6 -0
package/dist/dlp/validators.d.ts.map +1 -0
package/dist/dlp/validators.js +46 -0
package/dist/dlp/validators.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +200 -0
package/dist/index.js.map +1 -0
package/dist/license/verify.d.ts +18 -0
package/dist/license/verify.d.ts.map +1 -0
package/dist/license/verify.js +71 -0
package/dist/license/verify.js.map +1 -0
package/dist/metrics/collector.d.ts +11 -0
package/dist/metrics/collector.d.ts.map +1 -0
package/dist/metrics/collector.js +17 -0
package/dist/metrics/collector.js.map +1 -0
package/dist/metrics/dashboard.d.ts +6 -0
package/dist/metrics/dashboard.d.ts.map +1 -0
package/dist/metrics/dashboard.js +66 -0
package/dist/metrics/dashboard.js.map +1 -0
package/dist/metrics/pricing.d.ts +10 -0
package/dist/metrics/pricing.d.ts.map +1 -0
package/dist/metrics/pricing.js +62 -0
package/dist/metrics/pricing.js.map +1 -0
package/dist/optimizer/cache.d.ts +14 -0
package/dist/optimizer/cache.d.ts.map +1 -0
package/dist/optimizer/cache.js +58 -0
package/dist/optimizer/cache.js.map +1 -0
package/dist/optimizer/estimator.d.ts +6 -0
package/dist/optimizer/estimator.d.ts.map +1 -0
package/dist/optimizer/estimator.js +12 -0
package/dist/optimizer/estimator.js.map +1 -0
package/dist/optimizer/reorder.d.ts +9 -0
package/dist/optimizer/reorder.d.ts.map +1 -0
package/dist/optimizer/reorder.js +27 -0
package/dist/optimizer/reorder.js.map +1 -0
package/dist/optimizer/trimmer.d.ts +9 -0
package/dist/optimizer/trimmer.d.ts.map +1 -0
package/dist/optimizer/trimmer.js +47 -0
package/dist/optimizer/trimmer.js.map +1 -0
package/dist/plugin-api/index.d.ts +3 -0
package/dist/plugin-api/index.d.ts.map +1 -0
package/dist/plugin-api/index.js +6 -0
package/dist/plugin-api/index.js.map +1 -0
package/dist/plugin-api/types.d.ts +77 -0
package/dist/plugin-api/types.d.ts.map +1 -0
package/dist/plugin-api/types.js +6 -0
package/dist/plugin-api/types.js.map +1 -0
package/dist/plugins/adapter.d.ts +12 -0
package/dist/plugins/adapter.d.ts.map +1 -0
package/dist/plugins/adapter.js +116 -0
package/dist/plugins/adapter.js.map +1 -0
package/dist/plugins/builtin/audit-logger.d.ts +9 -0
package/dist/plugins/builtin/audit-logger.d.ts.map +1 -0
package/dist/plugins/builtin/audit-logger.js +53 -0
package/dist/plugins/builtin/audit-logger.js.map +1 -0
package/dist/plugins/builtin/dlp-scanner.d.ts +19 -0
package/dist/plugins/builtin/dlp-scanner.d.ts.map +1 -0
package/dist/plugins/builtin/dlp-scanner.js +284 -0
package/dist/plugins/builtin/dlp-scanner.js.map +1 -0
package/dist/plugins/builtin/metrics-collector.d.ts +4 -0
package/dist/plugins/builtin/metrics-collector.d.ts.map +1 -0
package/dist/plugins/builtin/metrics-collector.js +111 -0
package/dist/plugins/builtin/metrics-collector.js.map +1 -0
package/dist/plugins/builtin/token-optimizer.d.ts +10 -0
package/dist/plugins/builtin/token-optimizer.d.ts.map +1 -0
package/dist/plugins/builtin/token-optimizer.js +120 -0
package/dist/plugins/builtin/token-optimizer.js.map +1 -0
package/dist/plugins/builtin/tool-guard.d.ts +20 -0
package/dist/plugins/builtin/tool-guard.d.ts.map +1 -0
package/dist/plugins/builtin/tool-guard.js +259 -0
package/dist/plugins/builtin/tool-guard.js.map +1 -0
package/dist/plugins/context.d.ts +8 -0
package/dist/plugins/context.d.ts.map +1 -0
package/dist/plugins/context.js +33 -0
package/dist/plugins/context.js.map +1 -0
package/dist/plugins/event-bus.d.ts +9 -0
package/dist/plugins/event-bus.d.ts.map +1 -0
package/dist/plugins/event-bus.js +25 -0
package/dist/plugins/event-bus.js.map +1 -0
package/dist/plugins/index.d.ts +18 -0
package/dist/plugins/index.d.ts.map +1 -0
package/dist/plugins/index.js +148 -0
package/dist/plugins/index.js.map +1 -0
package/dist/plugins/loader.d.ts +14 -0
package/dist/plugins/loader.d.ts.map +1 -0
package/dist/plugins/loader.js +98 -0
package/dist/plugins/loader.js.map +1 -0
package/dist/plugins/types.d.ts +91 -0
package/dist/plugins/types.d.ts.map +1 -0
package/dist/plugins/types.js +3 -0
package/dist/plugins/types.js.map +1 -0
package/dist/proxy/certs.d.ts +10 -0
package/dist/proxy/certs.d.ts.map +1 -0
package/dist/proxy/certs.js +110 -0
package/dist/proxy/certs.js.map +1 -0
package/dist/proxy/connect.d.ts +11 -0
package/dist/proxy/connect.d.ts.map +1 -0
package/dist/proxy/connect.js +298 -0
package/dist/proxy/connect.js.map +1 -0
package/dist/proxy/forwarder.d.ts +14 -0
package/dist/proxy/forwarder.d.ts.map +1 -0
package/dist/proxy/forwarder.js +342 -0
package/dist/proxy/forwarder.js.map +1 -0
package/dist/proxy/passthrough.d.ts +4 -0
package/dist/proxy/passthrough.d.ts.map +1 -0
package/dist/proxy/passthrough.js +68 -0
package/dist/proxy/passthrough.js.map +1 -0
package/dist/proxy/providers/anthropic.d.ts +4 -0
package/dist/proxy/providers/anthropic.d.ts.map +1 -0
package/dist/proxy/providers/anthropic.js +46 -0
package/dist/proxy/providers/anthropic.js.map +1 -0
package/dist/proxy/providers/classify.d.ts +14 -0
package/dist/proxy/providers/classify.d.ts.map +1 -0
package/dist/proxy/providers/classify.js +37 -0
package/dist/proxy/providers/classify.js.map +1 -0
package/dist/proxy/providers/claude-web.d.ts +8 -0
package/dist/proxy/providers/claude-web.d.ts.map +1 -0
package/dist/proxy/providers/claude-web.js +50 -0
package/dist/proxy/providers/claude-web.js.map +1 -0
package/dist/proxy/providers/gemini.d.ts +4 -0
package/dist/proxy/providers/gemini.d.ts.map +1 -0
package/dist/proxy/providers/gemini.js +38 -0
package/dist/proxy/providers/gemini.js.map +1 -0
package/dist/proxy/providers/index.d.ts +27 -0
package/dist/proxy/providers/index.d.ts.map +1 -0
package/dist/proxy/providers/index.js +32 -0
package/dist/proxy/providers/index.js.map +1 -0
package/dist/proxy/providers/messaging.d.ts +2 -0
package/dist/proxy/providers/messaging.d.ts.map +1 -0
package/dist/proxy/providers/messaging.js +53 -0
package/dist/proxy/providers/messaging.js.map +1 -0
package/dist/proxy/providers/openai.d.ts +4 -0
package/dist/proxy/providers/openai.d.ts.map +1 -0
package/dist/proxy/providers/openai.js +38 -0
package/dist/proxy/providers/openai.js.map +1 -0
package/dist/proxy/providers/telegram.d.ts +8 -0
package/dist/proxy/providers/telegram.d.ts.map +1 -0
package/dist/proxy/providers/telegram.js +35 -0
package/dist/proxy/providers/telegram.js.map +1 -0
package/dist/proxy/router.d.ts +12 -0
package/dist/proxy/router.d.ts.map +1 -0
package/dist/proxy/router.js +26 -0
package/dist/proxy/router.js.map +1 -0
package/dist/proxy/safety.d.ts +13 -0
package/dist/proxy/safety.d.ts.map +1 -0
package/dist/proxy/safety.js +58 -0
package/dist/proxy/safety.js.map +1 -0
package/dist/proxy/server.d.ts +8 -0
package/dist/proxy/server.d.ts.map +1 -0
package/dist/proxy/server.js +126 -0
package/dist/proxy/server.js.map +1 -0
package/dist/proxy/streaming.d.ts +21 -0
package/dist/proxy/streaming.d.ts.map +1 -0
package/dist/proxy/streaming.js +70 -0
package/dist/proxy/streaming.js.map +1 -0
package/dist/storage/database.d.ts +6 -0
package/dist/storage/database.d.ts.map +1 -0
package/dist/storage/database.js +44 -0
package/dist/storage/database.js.map +1 -0
package/dist/storage/encryption.d.ts +11 -0
package/dist/storage/encryption.d.ts.map +1 -0
package/dist/storage/encryption.js +47 -0
package/dist/storage/encryption.js.map +1 -0
package/dist/storage/migrations.d.ts +3 -0
package/dist/storage/migrations.d.ts.map +1 -0
package/dist/storage/migrations.js +265 -0
package/dist/storage/migrations.js.map +1 -0
package/dist/storage/repositories/audit-log.d.ts +115 -0
package/dist/storage/repositories/audit-log.d.ts.map +1 -0
package/dist/storage/repositories/audit-log.js +586 -0
package/dist/storage/repositories/audit-log.js.map +1 -0
package/dist/storage/repositories/cache.d.ts +26 -0
package/dist/storage/repositories/cache.d.ts.map +1 -0
package/dist/storage/repositories/cache.js +44 -0
package/dist/storage/repositories/cache.js.map +1 -0
package/dist/storage/repositories/dlp-config-history.d.ts +17 -0
package/dist/storage/repositories/dlp-config-history.d.ts.map +1 -0
package/dist/storage/repositories/dlp-config-history.js +30 -0
package/dist/storage/repositories/dlp-config-history.js.map +1 -0
package/dist/storage/repositories/dlp-events.d.ts +35 -0
package/dist/storage/repositories/dlp-events.d.ts.map +1 -0
package/dist/storage/repositories/dlp-events.js +57 -0
package/dist/storage/repositories/dlp-events.js.map +1 -0
package/dist/storage/repositories/dlp-patterns.d.ts +70 -0
package/dist/storage/repositories/dlp-patterns.d.ts.map +1 -0
package/dist/storage/repositories/dlp-patterns.js +187 -0
package/dist/storage/repositories/dlp-patterns.js.map +1 -0
package/dist/storage/repositories/optimizer-events.d.ts +28 -0
package/dist/storage/repositories/optimizer-events.d.ts.map +1 -0
package/dist/storage/repositories/optimizer-events.js +49 -0
package/dist/storage/repositories/optimizer-events.js.map +1 -0
package/dist/storage/repositories/plugin-events.d.ts +34 -0
package/dist/storage/repositories/plugin-events.d.ts.map +1 -0
package/dist/storage/repositories/plugin-events.js +64 -0
package/dist/storage/repositories/plugin-events.js.map +1 -0
package/dist/storage/repositories/requests.d.ts +68 -0
package/dist/storage/repositories/requests.d.ts.map +1 -0
package/dist/storage/repositories/requests.js +113 -0
package/dist/storage/repositories/requests.js.map +1 -0
package/dist/storage/repositories/sessions.d.ts +23 -0
package/dist/storage/repositories/sessions.d.ts.map +1 -0
package/dist/storage/repositories/sessions.js +42 -0
package/dist/storage/repositories/sessions.js.map +1 -0
package/dist/storage/repositories/tool-calls.d.ts +49 -0
package/dist/storage/repositories/tool-calls.d.ts.map +1 -0
package/dist/storage/repositories/tool-calls.js +61 -0
package/dist/storage/repositories/tool-calls.js.map +1 -0
package/dist/storage/repositories/tool-guard-rules.d.ts +50 -0
package/dist/storage/repositories/tool-guard-rules.d.ts.map +1 -0
package/dist/storage/repositories/tool-guard-rules.js +120 -0
package/dist/storage/repositories/tool-guard-rules.js.map +1 -0
package/dist/tool-guard/alert.d.ts +30 -0
package/dist/tool-guard/alert.d.ts.map +1 -0
package/dist/tool-guard/alert.js +113 -0
package/dist/tool-guard/alert.js.map +1 -0
package/dist/tool-guard/extractor.d.ts +10 -0
package/dist/tool-guard/extractor.d.ts.map +1 -0
package/dist/tool-guard/extractor.js +309 -0
package/dist/tool-guard/extractor.js.map +1 -0
package/dist/tool-guard/rules.d.ts +18 -0
package/dist/tool-guard/rules.d.ts.map +1 -0
package/dist/tool-guard/rules.js +255 -0
package/dist/tool-guard/rules.js.map +1 -0
package/dist/tool-guard/streaming-guard.d.ts +57 -0
package/dist/tool-guard/streaming-guard.d.ts.map +1 -0
package/dist/tool-guard/streaming-guard.js +389 -0
package/dist/tool-guard/streaming-guard.js.map +1 -0
package/dist/utils/hash.d.ts +2 -0
package/dist/utils/hash.d.ts.map +1 -0
package/dist/utils/hash.js +8 -0
package/dist/utils/hash.js.map +1 -0
package/dist/utils/logger.d.ts +11 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +54 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/timeout.d.ts +5 -0
package/dist/utils/timeout.d.ts.map +1 -0
package/dist/utils/timeout.js +26 -0
package/dist/utils/timeout.js.map +1 -0
package/dist/version.d.ts +5 -0
package/dist/version.d.ts.map +1 -0
package/dist/version.js +23 -0
package/dist/version.js.map +1 -0
package/package.json +67 -0

package/dist/cli/commands/openclaw.js ADDED Viewed

@@ -0,0 +1,1062 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerOpenclawCommand = registerOpenclawCommand;
+const node_child_process_1 = require("node:child_process");
+const node_crypto_1 = require("node:crypto");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
+const IS_WIN = (0, node_os_1.platform)() === 'win32';
+const index_js_1 = require("../../config/index.js");
+const certs_js_1 = require("../../proxy/certs.js");
+const daemon_js_1 = require("../daemon.js");
+const paths_js_1 = require("../../config/paths.js");
+const OPENCLAW_DIR = (0, node_path_1.join)(paths_js_1.paths.bastionDir, 'openclaw');
+const DEFAULT_PORT = 18789;
+const DEFAULT_IMAGE = 'openclaw:local';
+/** Brew shim for Docker — maps `brew install` to `apt-get install` so OpenClaw skills install correctly */
+const BREW_SHIM_CONTENT = `#!/bin/sh
+# brew shim for Debian/Ubuntu Docker containers
+# Maps common brew commands to apt-get equivalents
+# Package name mapping (brew name -> apt name)
+map_pkg() {
+  case "$1" in
+    ripgrep) echo "ripgrep" ;;
+    fd) echo "fd-find" ;;
+    bat) echo "bat" ;;
+    fzf) echo "fzf" ;;
+    jq) echo "jq" ;;
+    yq) echo "yq" ;;
+    tree) echo "tree" ;;
+    wget) echo "wget" ;;
+    curl) echo "curl" ;;
+    git) echo "git" ;;
+    gh) echo "gh" ;;
+    sqlite) echo "sqlite3" ;;
+    python3|python) echo "python3" ;;
+    *) echo "$1" ;;
+  esac
+}
+case "$1" in
+  install)
+    shift
+    PKGS=""
+    for pkg in "$@"; do
+      case "$pkg" in -*)  continue ;; esac
+      PKGS="$PKGS $(map_pkg "$pkg")"
+    done
+    if [ -n "$PKGS" ]; then
+      apt-get update -qq 2>/dev/null
+      apt-get install -y -qq $PKGS
+    fi
+    ;;
+  uninstall|remove)
+    shift
+    PKGS=""
+    for pkg in "$@"; do
+      case "$pkg" in -*) continue ;; esac
+      PKGS="$PKGS $(map_pkg "$pkg")"
+    done
+    if [ -n "$PKGS" ]; then
+      apt-get remove -y -qq $PKGS
+    fi
+    ;;
+  list)
+    dpkg -l 2>/dev/null | tail -n +6 | awk '{print $2}'
+    ;;
+  --version|-v)
+    echo "brew-shim 1.0 (apt-get wrapper for Docker)"
+    ;;
+  *)
+    echo "brew-shim: unsupported command '$1' (only install/uninstall/list supported)" >&2
+    exit 1
+    ;;
+esac
+`;
+/** Proxy bootstrap script content — mounted into containers / local via NODE_OPTIONS="--import ..." */
+const PROXY_BOOTSTRAP_CONTENT = `// proxy-bootstrap.mjs — forces all Node.js HTTP/HTTPS through the proxy
+// Uses createRequire for writable CJS refs (ESM namespaces are read-only). No undici dependency.
+// Set BASTION_PROXY_DEBUG=1 for diagnostic output.
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+const http = require('node:http');
+const https = require('node:https');
+const tls = require('node:tls');
+const proxyUrl = process.env.HTTPS_PROXY || process.env.HTTP_PROXY || process.env.https_proxy || process.env.http_proxy;
+const D = !!process.env.BASTION_PROXY_DEBUG, L = (...a) => D && console.error('[proxy-bootstrap]', ...a);
+if (proxyUrl) {
+  L('proxy:', proxyUrl);
+  const noProxyList = (process.env.NO_PROXY || process.env.no_proxy || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
+  L('no_proxy:', noProxyList.join(', '));
+  const shouldBypass = (h) => { h = (h || '').toLowerCase(); return noProxyList.some(np => h === np || h.endsWith('.' + np)); };
+  const proxy = new URL(proxyUrl), pH = proxy.hostname, pP = parseInt(proxy.port, 10) || 80;
+  try {
+    const _cc = https.Agent.prototype.createConnection;
+    class T extends https.Agent {
+      createConnection(o, cb) {
+        const h = o.hostname || o.host || o.servername, p = o.port || 443;
+        if (!h || shouldBypass(h)) return _cc.call(this, o, cb);
+        L('tunnel:', h + ':' + p);
+        const r = http.request({ hostname: pH, port: pP, method: 'CONNECT', path: h+':'+p, headers: { Host: h+':'+p } });
+        r.on('connect', (res, sock) => { if (res.statusCode !== 200) { sock.destroy(); cb?.(new Error('CONNECT '+h+':'+p+' failed: '+res.statusCode)); return; } cb?.(null, tls.connect({ socket: sock, servername: h })); });
+        r.on('error', e => cb?.(e)); r.end();
+      }
+    }
+    https.globalAgent = new T({ keepAlive: true });
+    L('https.globalAgent patched');
+  } catch (e) { L('WARN: https.globalAgent patch failed:', e.message); }
+  const _origFetch = globalThis.fetch;
+  if (typeof _origFetch === 'function') {
+    globalThis.fetch = async function(input, init) {
+      let url;
+      try { if (typeof input === 'string') url = new URL(input); else if (input instanceof URL) url = new URL(input.href); else if (input instanceof Request) url = new URL(input.url); } catch {}
+      if (!url || url.protocol !== 'https:' || shouldBypass(url.hostname)) return _origFetch.call(globalThis, input, init);
+      L('fetch proxy:', url.hostname + url.pathname);
+      // Use Request to normalize headers and body (handles string, URLSearchParams, Blob, FormData, ArrayBuffer, ReadableStream, etc.)
+      const normalized = new Request(input, init);
+      const method = normalized.method;
+      const hdrs = {}; for (const [k, v] of normalized.headers) hdrs[k] = v;
+      const bodyBuf = normalized.body ? Buffer.from(await normalized.arrayBuffer()) : null;
+      return new Promise((resolve, reject) => {
+        const req = https.request({ hostname: url.hostname, port: url.port || 443, path: url.pathname + url.search, method, headers: hdrs }, (res) => {
+          const stream = new ReadableStream({ start(ctrl) { res.on('data', c => ctrl.enqueue(new Uint8Array(c))); res.on('end', () => ctrl.close()); res.on('error', e => ctrl.error(e)); } });
+          const rh = new Headers(); for (const [k, v] of Object.entries(res.headers)) { if (v == null) continue; if (Array.isArray(v)) v.forEach(x => rh.append(k, x)); else rh.set(k, v); }
+          resolve(new Response(stream, { status: res.statusCode, statusText: res.statusMessage, headers: rh }));
+        });
+        if (init?.signal) { if (init.signal.aborted) { req.destroy(); reject(new DOMException('The operation was aborted.', 'AbortError')); return; } init.signal.addEventListener('abort', () => { req.destroy(); reject(new DOMException('The operation was aborted.', 'AbortError')); }); }
+        req.on('error', reject);
+        if (bodyBuf) { req.end(bodyBuf); } else { req.end(); }
+      });
+    };
+    L('fetch wrapped');
+  }
+} else { L('no proxy URL found, skipping'); }
+`;
+// ── shared helpers ───────────────────────────────────────────────────────────
+function generateToken() {
+    return (0, node_crypto_1.randomBytes)(32).toString('hex');
+}
+function checkBastion() {
+    const status = (0, daemon_js_1.getDaemonStatus)();
+    if (!status.running) {
+        console.error('Bastion is not running. Start it first: bastion start');
+        process.exit(1);
+    }
+}
+function checkDocker() {
+    try {
+        (0, node_child_process_1.execSync)('docker info', { stdio: 'pipe' });
+    }
+    catch {
+        console.error('Docker is not available. Please install and start Docker.');
+        process.exit(1);
+    }
+}
+function checkCACert() {
+    const caPath = (0, certs_js_1.getCACertPath)();
+    if (!(0, node_fs_1.existsSync)(caPath)) {
+        console.error('Bastion CA cert not found. Run bastion start first to generate it.');
+        process.exit(1);
+    }
+    return caPath;
+}
+function getBastionPort() {
+    const config = (0, index_js_1.loadConfig)();
+    return config.server.port;
+}
+function getBastionHost() {
+    const config = (0, index_js_1.loadConfig)();
+    return config.server.host;
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+// ── docker helpers ───────────────────────────────────────────────────────────
+function instanceDir(name) {
+    return (0, node_path_1.join)(OPENCLAW_DIR, 'docker', name);
+}
+function envVal(name, key) {
+    const envFile = (0, node_path_1.join)(instanceDir(name), '.env');
+    if (!(0, node_fs_1.existsSync)(envFile))
+        return '';
+    const content = (0, node_fs_1.readFileSync)(envFile, 'utf-8');
+    const match = content.match(new RegExp(`^${key}=(.*)$`, 'm'));
+    return match?.[1] ?? '';
+}
+function writeEnvFile(dir, vars) {
+    const content = Object.entries(vars)
+        .map(([k, v]) => `${k}=${v}`)
+        .join('\n') + '\n';
+    (0, node_fs_1.writeFileSync)((0, node_path_1.join)(dir, '.env'), content, 'utf-8');
+}
+function generateComposeFile(image) {
+    return `services:
+  openclaw-gateway:
+    image: \${OPENCLAW_IMAGE:-${image}}
+    environment:
+      HOME: /home/node
+      TERM: xterm-256color
+      OPENCLAW_GATEWAY_TOKEN: \${OPENCLAW_GATEWAY_TOKEN}
+      CLAUDE_AI_SESSION_KEY: \${CLAUDE_AI_SESSION_KEY}
+      CLAUDE_WEB_SESSION_KEY: \${CLAUDE_WEB_SESSION_KEY}
+      CLAUDE_WEB_COOKIE: \${CLAUDE_WEB_COOKIE}
+    volumes:
+      - \${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
+      - \${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
+    ports:
+      - "\${OPENCLAW_GATEWAY_PORT:-18789}:18789"
+      - "\${OPENCLAW_BRIDGE_PORT:-18790}:18790"
+    init: true
+    restart: unless-stopped
+    command:
+      [
+        "node",
+        "dist/index.js",
+        "gateway",
+        "--bind",
+        "\${OPENCLAW_GATEWAY_BIND:-lan}",
+        "--port",
+        "18789",
+      ]
+  openclaw-cli:
+    image: \${OPENCLAW_IMAGE:-${image}}
+    environment:
+      HOME: /home/node
+      TERM: xterm-256color
+      OPENCLAW_GATEWAY_TOKEN: \${OPENCLAW_GATEWAY_TOKEN}
+      BROWSER: echo
+      CLAUDE_AI_SESSION_KEY: \${CLAUDE_AI_SESSION_KEY}
+      CLAUDE_WEB_SESSION_KEY: \${CLAUDE_WEB_SESSION_KEY}
+      CLAUDE_WEB_COOKIE: \${CLAUDE_WEB_COOKIE}
+    volumes:
+      - \${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
+      - \${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
+    stdin_open: true
+    tty: true
+    init: true
+    entrypoint: ["node", "dist/index.js"]
+`;
+}
+/** Bastion proxy overlay — merged via docker compose -f ... -f ... */
+function generateBastionOverride(caPath) {
+    return `services:
+  openclaw-gateway:
+    user: root
+    environment:
+      HOME: /home/node
+      HTTPS_PROXY: "http://openclaw-gw@host.docker.internal:\${BASTION_PORT:-8420}"
+      NODE_EXTRA_CA_CERTS: "/etc/ssl/certs/bastion-ca.crt"
+      NO_PROXY: "localhost,127.0.0.1,host.docker.internal,auth.openai.com"
+      NODE_OPTIONS: "--import /opt/bastion/proxy-bootstrap.mjs"
+    volumes:
+      - ${caPath}:/etc/ssl/certs/bastion-ca.crt:ro
+      - ./proxy-bootstrap.mjs:/opt/bastion/proxy-bootstrap.mjs:ro
+      - ./brew:/usr/local/bin/brew:ro
+  openclaw-cli:
+    user: root
+    environment:
+      HOME: /home/node
+      HTTPS_PROXY: "http://openclaw-cli@host.docker.internal:\${BASTION_PORT:-8420}"
+      NODE_EXTRA_CA_CERTS: "/etc/ssl/certs/bastion-ca.crt"
+      NO_PROXY: "localhost,127.0.0.1,host.docker.internal,auth.openai.com"
+      NODE_OPTIONS: "--import /opt/bastion/proxy-bootstrap.mjs"
+    volumes:
+      - ${caPath}:/etc/ssl/certs/bastion-ca.crt:ro
+      - ./proxy-bootstrap.mjs:/opt/bastion/proxy-bootstrap.mjs:ro
+      - ./brew:/usr/local/bin/brew:ro
+`;
+}
+/** Build the list of compose file args for an instance. */
+function composeFileArgs(name) {
+    const dir = instanceDir(name);
+    const args = ['-f', (0, node_path_1.join)(dir, 'docker-compose.yml')];
+    const overrideFile = (0, node_path_1.join)(dir, 'docker-compose.bastion.yml');
+    if ((0, node_fs_1.existsSync)(overrideFile)) {
+        args.push('-f', overrideFile);
+    }
+    return args;
+}
+/** Run docker compose scoped to an instance, inheriting stdio. Returns exit code. */
+function dc(name, args) {
+    const dir = instanceDir(name);
+    const envFile = (0, node_path_1.join)(dir, '.env');
+    return new Promise((resolve) => {
+        const child = (0, node_child_process_1.spawn)('docker', [
+            'compose',
+            ...composeFileArgs(name),
+            '--env-file', envFile,
+            '-p', `openclaw-${name}`,
+            ...args,
+        ], { stdio: 'inherit' });
+        child.on('close', (code) => resolve(code ?? 1));
+        child.on('error', (err) => {
+            console.error(`docker compose error: ${err.message}`);
+            resolve(1);
+        });
+    });
+}
+/** Run docker compose and capture stdout. */
+function dcOutput(name, args) {
+    const dir = instanceDir(name);
+    const envFile = (0, node_path_1.join)(dir, '.env');
+    try {
+        return (0, node_child_process_1.execSync)([
+            'docker', 'compose',
+            ...composeFileArgs(name),
+            '--env-file', envFile,
+            '-p', `openclaw-${name}`,
+            ...args,
+        ].map(a => `"${a}"`).join(' '), { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+    }
+    catch {
+        return '';
+    }
+}
+/** Sync .env token with the token in openclaw.json (onboard may change it) */
+function syncToken(name) {
+    const configDir = envVal(name, 'OPENCLAW_CONFIG_DIR');
+    const configFile = (0, node_path_1.join)(configDir, 'openclaw.json');
+    if (!(0, node_fs_1.existsSync)(configFile))
+        return;
+    try {
+        const cfg = JSON.parse((0, node_fs_1.readFileSync)(configFile, 'utf-8'));
+        const configToken = cfg?.gateway?.auth?.token;
+        if (!configToken)
+            return;
+        const envToken = envVal(name, 'OPENCLAW_GATEWAY_TOKEN');
+        if (configToken !== envToken) {
+            const envFile = (0, node_path_1.join)(instanceDir(name), '.env');
+            let content = (0, node_fs_1.readFileSync)(envFile, 'utf-8');
+            content = content.replace(/^OPENCLAW_GATEWAY_TOKEN=.*$/m, `OPENCLAW_GATEWAY_TOKEN=${configToken}`);
+            (0, node_fs_1.writeFileSync)(envFile, content, 'utf-8');
+            console.log('    (synced .env token with onboard config)');
+        }
+    }
+    catch {
+        // best-effort
+    }
+}
+/** Ensure gateway config is correct for Docker networking */
+function fixBind(name) {
+    const configDir = envVal(name, 'OPENCLAW_CONFIG_DIR');
+    const configFile = (0, node_path_1.join)(configDir, 'openclaw.json');
+    if (!(0, node_fs_1.existsSync)(configFile))
+        return;
+    try {
+        const cfg = JSON.parse((0, node_fs_1.readFileSync)(configFile, 'utf-8'));
+        let changed = false;
+        if (!cfg.gateway)
+            cfg.gateway = {};
+        // bind=lan required for Docker container networking
+        if (cfg.gateway.bind !== 'lan') {
+            cfg.gateway.bind = 'lan';
+            changed = true;
+        }
+        // non-loopback bind requires controlUi origin config
+        if (!cfg.gateway.controlUi)
+            cfg.gateway.controlUi = {};
+        if (!cfg.gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback) {
+            cfg.gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback = true;
+            changed = true;
+        }
+        if (changed) {
+            (0, node_fs_1.writeFileSync)(configFile, JSON.stringify(cfg, null, 2), 'utf-8');
+            console.log('    (fixed gateway config for Docker networking)');
+        }
+    }
+    catch {
+        // best-effort
+    }
+}
+/** Approve all pending device pairing requests */
+function approveDevices(name) {
+    const configDir = envVal(name, 'OPENCLAW_CONFIG_DIR');
+    const pendingPath = (0, node_path_1.join)(configDir, 'devices', 'pending.json');
+    const pairedPath = (0, node_path_1.join)(configDir, 'devices', 'paired.json');
+    if (!(0, node_fs_1.existsSync)(pendingPath))
+        return;
+    try {
+        const pending = JSON.parse((0, node_fs_1.readFileSync)(pendingPath, 'utf-8'));
+        if (!pending || Object.keys(pending).length === 0)
+            return;
+        let paired = {};
+        if ((0, node_fs_1.existsSync)(pairedPath)) {
+            paired = JSON.parse((0, node_fs_1.readFileSync)(pairedPath, 'utf-8'));
+        }
+        let count = 0;
+        for (const [, dev] of Object.entries(pending)) {
+            const deviceId = dev.deviceId;
+            paired[deviceId] = {
+                deviceId: dev.deviceId,
+                publicKey: dev.publicKey,
+                platform: dev.platform,
+                clientId: dev.clientId,
+                clientMode: dev.clientMode ?? 'webchat',
+                role: dev.role ?? 'operator',
+                roles: dev.roles ?? ['operator'],
+                scopes: dev.scopes ?? [],
+                pairedAt: Date.now(),
+            };
+            count++;
+        }
+        (0, node_fs_1.mkdirSync)((0, node_path_1.join)(configDir, 'devices'), { recursive: true });
+        (0, node_fs_1.writeFileSync)(pairedPath, JSON.stringify(paired, null, 2), 'utf-8');
+        (0, node_fs_1.writeFileSync)(pendingPath, JSON.stringify({}, null, 2), 'utf-8');
+        console.log(`    (auto-approved ${count} pending device(s))`);
+    }
+    catch {
+        // best-effort
+    }
+}
+// ── local helpers ────────────────────────────────────────────────────────────
+const LOCAL_DIR = (0, node_path_1.join)(OPENCLAW_DIR, 'local');
+const LOCAL_PID_FILE = (0, node_path_1.join)(LOCAL_DIR, 'openclaw.pid');
+function localPidFile(name) {
+    return (0, node_path_1.join)(LOCAL_DIR, `${name}.pid`);
+}
+function localMetaFile(name) {
+    return (0, node_path_1.join)(LOCAL_DIR, `${name}.json`);
+}
+function isProcessRunning(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function findOpenclawBin() {
+    try {
+        const cmd = IS_WIN ? 'where openclaw' : 'which openclaw';
+        return (0, node_child_process_1.execSync)(cmd, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim().split('\n')[0];
+    }
+    catch {
+        // not in PATH
+    }
+    // Common install locations
+    const candidates = IS_WIN
+        ? [(0, node_path_1.join)((0, node_os_1.homedir)(), '.openclaw', 'bin', 'openclaw.cmd')]
+        : [
+            (0, node_path_1.join)((0, node_os_1.homedir)(), '.openclaw', 'bin', 'openclaw'),
+            '/usr/local/bin/openclaw',
+        ];
+    return candidates.find((p) => (0, node_fs_1.existsSync)(p)) ?? null;
+}
+// ── register ─────────────────────────────────────────────────────────────────
+function registerOpenclawCommand(program) {
+    const openclaw = program
+        .command('openclaw')
+        .description('Manage OpenClaw instances routed through Bastion');
+    // ════════════════════════════════════════════════════════════════════════════
+    // bastion openclaw docker ...
+    // ════════════════════════════════════════════════════════════════════════════
+    const docker = openclaw
+        .command('docker')
+        .description('Manage OpenClaw via Docker Compose');
+    // bastion openclaw docker attach <container>
+    docker
+        .command('attach')
+        .description('Inject Bastion proxy into an already-running Docker container')
+        .argument('<container>', 'Docker container name or ID')
+        .option('--restart', 'Stop, commit, and re-run the container with proxy env vars baked in')
+        .action(async (container, options) => {
+        checkBastion();
+        checkDocker();
+        const caPath = checkCACert();
+        const bastionPort = getBastionPort();
+        // Verify container exists and is running
+        try {
+            const fmt = IS_WIN ? '"{{.State.Status}}"' : "'{{.State.Status}}'";
+            const state = (0, node_child_process_1.execSync)(`docker inspect --format ${fmt} "${container}"`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+            if (state !== 'running') {
+                console.error(`Container '${container}' is not running (state: ${state})`);
+                process.exit(1);
+            }
+        }
+        catch {
+            console.error(`Container '${container}' not found`);
+            process.exit(1);
+        }
+        // Copy CA cert into container
+        console.log(`Copying CA cert into ${container}...`);
+        (0, node_child_process_1.execSync)(`docker cp "${caPath}" "${container}:/etc/ssl/certs/bastion-ca.crt"`, { stdio: 'inherit' });
+        const envVars = {
+            HTTPS_PROXY: `http://host.docker.internal:${bastionPort}`,
+            NODE_EXTRA_CA_CERTS: '/etc/ssl/certs/bastion-ca.crt',
+            NO_PROXY: 'localhost,127.0.0.1,host.docker.internal',
+        };
+        if (options.restart) {
+            console.log('Restarting container with proxy env vars...');
+            const imgFmt = IS_WIN ? '"{{.Config.Image}}"' : "'{{.Config.Image}}'";
+            const imageName = (0, node_child_process_1.execSync)(`docker inspect --format ${imgFmt} "${container}"`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+            const tmpImage = `bastion-attach-${container}-${Date.now()}`;
+            (0, node_child_process_1.execSync)(`docker commit "${container}" "${tmpImage}"`, { stdio: 'inherit' });
+            (0, node_child_process_1.execSync)(`docker stop "${container}"`, { stdio: 'inherit' });
+            (0, node_child_process_1.execSync)(`docker rm "${container}"`, { stdio: 'inherit' });
+            const envFlags = Object.entries(envVars)
+                .map(([k, v]) => `-e ${k}="${v}"`)
+                .join(' ');
+            const volumeFlag = `-v "${caPath}:/etc/ssl/certs/bastion-ca.crt:ro"`;
+            (0, node_child_process_1.execSync)(`docker run -d --name "${container}" ${envFlags} ${volumeFlag} "${tmpImage}"`, { stdio: 'inherit' });
+            console.log(`Container '${container}' restarted with Bastion proxy.`);
+            console.log(`(Original image: ${imageName}, committed as: ${tmpImage})`);
+        }
+        else {
+            console.log('');
+            console.log('CA cert copied. Add these env vars to your docker-compose.yml or docker run:');
+            console.log('');
+            for (const [k, v] of Object.entries(envVars)) {
+                console.log(`  ${k}=${v}`);
+            }
+            console.log('');
+            console.log('And mount the CA cert volume:');
+            console.log(`  -v ${caPath}:/etc/ssl/certs/bastion-ca.crt:ro`);
+            console.log('');
+        }
+    });
+    // bastion openclaw docker up <name>
+    docker
+        .command('up')
+        .description('Create (if needed) and start an OpenClaw Docker instance')
+        .argument('<name>', 'Instance name')
+        .option('--port <port>', 'Gateway port', String(DEFAULT_PORT))
+        .option('--image <image>', 'Docker image', DEFAULT_IMAGE)
+        .option('--config-dir <path>', 'OpenClaw config directory (contains devices/, openclaw.json)')
+        .option('--workspace <path>', 'OpenClaw workspace directory')
+        .action(async (name, options) => {
+        checkBastion();
+        checkDocker();
+        const caPath = checkCACert();
+        const bastionPort = getBastionPort();
+        const port = parseInt(options.port, 10);
+        const bridgePort = port + 1;
+        const dir = instanceDir(name);
+        // If instance already exists, update overlay + bootstrap and start
+        if ((0, node_fs_1.existsSync)(dir)) {
+            console.log(`Instance '${name}' exists, starting...`);
+            // Always update proxy bootstrap + brew shim + Bastion override (idempotent)
+            (0, node_fs_1.writeFileSync)((0, node_path_1.join)(dir, 'proxy-bootstrap.mjs'), PROXY_BOOTSTRAP_CONTENT, 'utf-8');
+            (0, node_fs_1.writeFileSync)((0, node_path_1.join)(dir, 'brew'), BREW_SHIM_CONTENT, { mode: 0o755 });
+            (0, node_fs_1.writeFileSync)((0, node_path_1.join)(dir, 'docker-compose.bastion.yml'), generateBastionOverride(caPath), 'utf-8');
+            // Migrate old-style compose that had Bastion proxy baked in
+            const existingCompose = (0, node_fs_1.readFileSync)((0, node_path_1.join)(dir, 'docker-compose.yml'), 'utf-8');
+            if (existingCompose.includes('NODE_EXTRA_CA_CERTS')) {
+                const composeContent = generateComposeFile(options.image);
+                (0, node_fs_1.writeFileSync)((0, node_path_1.join)(dir, 'docker-compose.yml'), composeContent, 'utf-8');
+                console.log('    (migrated docker-compose.yml — Bastion proxy moved to docker-compose.bastion.yml)');
+            }
+            syncToken(name);
+            fixBind(name);
+            const code = await dc(name, ['up', '-d', '--force-recreate', 'openclaw-gateway']);
+            if (code !== 0)
+                process.exit(code);
+            await sleep(3000);
+            approveDevices(name);
+            const finalPort = envVal(name, 'OPENCLAW_GATEWAY_PORT') || String(port);
+            const finalToken = envVal(name, 'OPENCLAW_GATEWAY_TOKEN');
+            console.log('');
+            console.log(`Dashboard: http://127.0.0.1:${finalPort}/?token=${finalToken}`);
+            return;
+        }
+        // Create new instance
+        const configDir = options.configDir ?? (0, node_path_1.join)((0, node_os_1.homedir)(), `.openclaw-${name}`);
+        const workspaceDir = options.workspace ?? (0, node_path_1.join)((0, node_os_1.homedir)(), `openclaw-${name}`, 'workspace');
+        (0, node_fs_1.mkdirSync)(dir, { recursive: true });
+        (0, node_fs_1.mkdirSync)(configDir, { recursive: true });
+        (0, node_fs_1.mkdirSync)(workspaceDir, { recursive: true });
+        (0, node_fs_1.mkdirSync)((0, node_path_1.join)(configDir, 'devices'), { recursive: true });
+        const token = generateToken();
+        writeEnvFile(dir, {
+            OPENCLAW_IMAGE: options.image,
+            OPENCLAW_CONFIG_DIR: configDir,
+            OPENCLAW_WORKSPACE_DIR: workspaceDir,
+            OPENCLAW_GATEWAY_TOKEN: token,
+            OPENCLAW_GATEWAY_PORT: String(port),
+            OPENCLAW_BRIDGE_PORT: String(bridgePort),
+            OPENCLAW_GATEWAY_BIND: 'lan',
+            BASTION_PORT: String(bastionPort),
+            CLAUDE_AI_SESSION_KEY: '',
+            CLAUDE_WEB_SESSION_KEY: '',
+            CLAUDE_WEB_COOKIE: '',
+        });
+        (0, node_fs_1.writeFileSync)((0, node_path_1.join)(dir, 'docker-compose.yml'), generateComposeFile(options.image), 'utf-8');
+        (0, node_fs_1.writeFileSync)((0, node_path_1.join)(dir, 'docker-compose.bastion.yml'), generateBastionOverride(caPath), 'utf-8');
+        (0, node_fs_1.writeFileSync)((0, node_path_1.join)(dir, 'proxy-bootstrap.mjs'), PROXY_BOOTSTRAP_CONTENT, 'utf-8');
+        (0, node_fs_1.writeFileSync)((0, node_path_1.join)(dir, 'brew'), BREW_SHIM_CONTENT, { mode: 0o755 });
+        console.log(`==> Instance '${name}' created (gateway: ${port}, bridge: ${bridgePort})`);
+        console.log('==> Initializing gateway config...');
+        let code = await dc(name, ['run', '--rm', 'openclaw-cli', 'config', 'set', 'gateway.mode', 'local']);
+        if (code !== 0) {
+            console.error('Failed to initialize gateway config');
+            process.exit(code);
+        }
+        // Patch config before first start (controlUi origin, bind=lan)
+        fixBind(name);
+        console.log('==> Starting gateway...');
+        code = await dc(name, ['up', '-d', 'openclaw-gateway']);
+        if (code !== 0)
+            process.exit(code);
+        await sleep(3000);
+        console.log('');
+        console.log('==> Running interactive onboarding...');
+        console.log(`    When prompted for gateway token, use: ${token}`);
+        console.log('');
+        code = await dc(name, ['exec', 'openclaw-gateway', 'node', 'dist/index.js', 'onboard', '--no-install-daemon']);
+        if (code !== 0) {
+            console.error('Onboarding failed');
+            process.exit(code);
+        }
+        console.log('');
+        console.log('==> Applying post-onboard fixes...');
+        syncToken(name);
+        fixBind(name);
+        console.log('==> Restarting gateway...');
+        await dc(name, ['restart', 'openclaw-gateway']);
+        await sleep(3000);
+        approveDevices(name);
+        await dc(name, ['restart', 'openclaw-gateway']);
+        await sleep(2000);
+        const finalToken = envVal(name, 'OPENCLAW_GATEWAY_TOKEN');
+        console.log('');
+        console.log(`==> Instance '${name}' is ready!`);
+        console.log('');
+        console.log(`    Dashboard: http://127.0.0.1:${port}/?token=${finalToken}`);
+        console.log('');
+        console.log('    Open the URL above in your browser.');
+        console.log('    If prompted to pair, refresh the page — devices are auto-approved.');
+        console.log('');
+    });
+    // bastion openclaw docker run
+    docker
+        .command('run')
+        .description('Start OpenClaw via an existing docker-compose.yml with Bastion proxy')
+        .option('--compose <path>', 'Path to docker-compose.yml')
+        .option('--env-file <path>', 'Path to .env file for docker compose')
+        .option('-p, --project <name>', 'Docker compose project name', 'openclaw')
+        .action((options) => {
+        checkBastion();
+        checkDocker();
+        checkCACert();
+        const bastionPort = getBastionPort();
+        let composeFile = options.compose;
+        if (!composeFile) {
+            const candidates = [
+                (0, node_path_1.join)(process.cwd(), 'integration', 'openclaw-docker', 'docker-compose.yml'),
+                (0, node_path_1.join)(process.cwd(), 'docker-compose.yml'),
+            ];
+            composeFile = candidates.find((f) => (0, node_fs_1.existsSync)(f));
+            if (!composeFile) {
+                console.error('No docker-compose.yml found. Use --compose <path> to specify one.');
+                process.exit(1);
+            }
+        }
+        if (!(0, node_fs_1.existsSync)(composeFile)) {
+            console.error(`Compose file not found: ${composeFile}`);
+            process.exit(1);
+        }
+        console.log(`Using compose file: ${composeFile}`);
+        console.log(`Bastion proxy port: ${bastionPort}`);
+        const args = [
+            'compose',
+            '-f', composeFile,
+            ...(options.envFile ? ['--env-file', options.envFile] : []),
+            '-p', options.project,
+            'up', '-d',
+        ];
+        const env = { ...process.env, BASTION_PORT: String(bastionPort) };
+        const child = (0, node_child_process_1.spawn)('docker', args, { stdio: 'inherit', env });
+        child.on('close', (code) => {
+            if (code === 0) {
+                console.log('');
+                console.log('OpenClaw started with Bastion proxy.');
+            }
+            process.exitCode = code ?? 0;
+        });
+        child.on('error', (err) => {
+            console.error(`Failed to start: ${err.message}`);
+            process.exitCode = 1;
+        });
+    });
+    // bastion openclaw docker stop <name>
+    docker
+        .command('stop')
+        .description('Stop a Docker OpenClaw instance')
+        .argument('<name>', 'Instance name')
+        .action(async (name) => {
+        const dir = instanceDir(name);
+        if (!(0, node_fs_1.existsSync)(dir)) {
+            console.error(`Instance '${name}' does not exist.`);
+            process.exit(1);
+        }
+        console.log(`Stopping '${name}'...`);
+        const code = await dc(name, ['down']);
+        if (code !== 0)
+            process.exit(code);
+        console.log('Stopped.');
+    });
+    // bastion openclaw docker exec <name> [-- args...]
+    docker
+        .command('exec')
+        .description('Run a command inside the OpenClaw gateway container')
+        .argument('<name>', 'Instance name')
+        .argument('[args...]', 'Command args (passed to openclaw CLI)')
+        .passThroughOptions()
+        .allowUnknownOption()
+        .action(async (name, args) => {
+        const dir = instanceDir(name);
+        if (!(0, node_fs_1.existsSync)(dir)) {
+            console.error(`Instance '${name}' does not exist.`);
+            process.exit(1);
+        }
+        const code = await dc(name, ['exec', 'openclaw-gateway', 'node', 'dist/index.js', ...args]);
+        if (code !== 0)
+            process.exit(code);
+    });
+    // bastion openclaw docker destroy <name>
+    docker
+        .command('destroy')
+        .description('Stop and remove a Docker OpenClaw instance (data dirs preserved)')
+        .argument('<name>', 'Instance name')
+        .action(async (name) => {
+        const dir = instanceDir(name);
+        if (!(0, node_fs_1.existsSync)(dir)) {
+            console.error(`Instance '${name}' does not exist.`);
+            process.exit(1);
+        }
+        // Read config/workspace paths before deleting
+        const configDir = envVal(name, 'OPENCLAW_CONFIG_DIR');
+        const workspaceDir = envVal(name, 'OPENCLAW_WORKSPACE_DIR');
+        // docker compose down -v
+        console.log(`Destroying instance '${name}'...`);
+        await dc(name, ['down', '-v']);
+        // Remove instance dir
+        const { rmSync } = require('node:fs');
+        rmSync(dir, { recursive: true, force: true });
+        console.log(`Instance '${name}' removed.`);
+        console.log('');
+        console.log('Data directories preserved (delete manually if needed):');
+        if (configDir)
+            console.log(`  ${configDir}`);
+        if (workspaceDir)
+            console.log(`  ${workspaceDir}`);
+        console.log('');
+        console.log(`To fully clean up: rm -rf ${configDir} ${workspaceDir}`);
+    });
+    // bastion openclaw docker status
+    docker
+        .command('status')
+        .description('List all Docker OpenClaw instances')
+        .action(() => {
+        const dockerDir = (0, node_path_1.join)(OPENCLAW_DIR, 'docker');
+        if (!(0, node_fs_1.existsSync)(dockerDir)) {
+            console.log('(no docker instances found)');
+            return;
+        }
+        const entries = (0, node_fs_1.readdirSync)(dockerDir, { withFileTypes: true })
+            .filter((d) => d.isDirectory());
+        if (entries.length === 0) {
+            console.log('(no docker instances found)');
+            return;
+        }
+        const header = { name: 'INSTANCE', status: 'STATUS', port: 'GATEWAY', bridge: 'BRIDGE', dashboard: 'DASHBOARD' };
+        const rows = [header];
+        for (const entry of entries) {
+            const name = entry.name;
+            const port = envVal(name, 'OPENCLAW_GATEWAY_PORT') || '-';
+            const bridge = envVal(name, 'OPENCLAW_BRIDGE_PORT') || '-';
+            const token = envVal(name, 'OPENCLAW_GATEWAY_TOKEN') || '';
+            let state = 'stopped';
+            try {
+                state = dcOutput(name, ['ps', '--format', '{{.State}}', 'openclaw-gateway']) || 'stopped';
+            }
+            catch {
+                // keep stopped
+            }
+            const dashboard = port !== '-' && token
+                ? `http://127.0.0.1:${port}/?token=${token}`
+                : '-';
+            rows.push({ name, status: state, port, bridge, dashboard });
+        }
+        const colWidths = {
+            name: Math.max(...rows.map((r) => r.name.length)) + 2,
+            status: Math.max(...rows.map((r) => r.status.length)) + 2,
+            port: Math.max(...rows.map((r) => r.port.length)) + 2,
+            bridge: Math.max(...rows.map((r) => r.bridge.length)) + 2,
+        };
+        for (const row of rows) {
+            console.log(row.name.padEnd(colWidths.name) +
+                row.status.padEnd(colWidths.status) +
+                row.port.padEnd(colWidths.port) +
+                row.bridge.padEnd(colWidths.bridge) +
+                row.dashboard);
+        }
+    });
+    // bastion openclaw docker logs <name>
+    docker
+        .command('logs')
+        .description('Show logs for a Docker OpenClaw instance')
+        .argument('<name>', 'Instance name')
+        .option('-f, --follow', 'Follow log output')
+        .action(async (name, options) => {
+        const dir = instanceDir(name);
+        if (!(0, node_fs_1.existsSync)(dir)) {
+            console.error(`Instance '${name}' does not exist.`);
+            process.exit(1);
+        }
+        const args = ['logs'];
+        if (options.follow)
+            args.push('-f');
+        args.push('openclaw-gateway');
+        const code = await dc(name, args);
+        if (code !== 0)
+            process.exit(code);
+    });
+    // ════════════════════════════════════════════════════════════════════════════
+    // bastion openclaw local ...
+    // ════════════════════════════════════════════════════════════════════════════
+    const local = openclaw
+        .command('local')
+        .description('Manage OpenClaw running as a local process');
+    // bastion openclaw local start <name>
+    local
+        .command('start')
+        .description('Start OpenClaw locally with Bastion proxy')
+        .argument('<name>', 'Instance name')
+        .option('--port <port>', 'Gateway port', String(DEFAULT_PORT))
+        .option('--bin <path>', 'Path to openclaw binary')
+        .option('--config-dir <path>', 'OpenClaw config directory')
+        .option('--workspace <path>', 'OpenClaw workspace directory')
+        .option('--foreground', 'Run in foreground (default: daemon)')
+        .action((name, options) => {
+        checkBastion();
+        const caPath = checkCACert();
+        const bastionPort = getBastionPort();
+        const bastionHost = getBastionHost();
+        const port = parseInt(options.port, 10);
+        // Find openclaw binary
+        const bin = options.bin ?? findOpenclawBin();
+        if (!bin || !(0, node_fs_1.existsSync)(bin)) {
+            console.error('OpenClaw binary not found. Install openclaw or use --bin <path>.\n' +
+                'Or use "bastion openclaw docker" for Docker mode.');
+            process.exit(1);
+        }
+        // Check if already running
+        const pidFile = localPidFile(name);
+        if ((0, node_fs_1.existsSync)(pidFile)) {
+            const oldPid = parseInt((0, node_fs_1.readFileSync)(pidFile, 'utf-8').trim(), 10);
+            if (!isNaN(oldPid) && isProcessRunning(oldPid)) {
+                console.error(`Instance '${name}' is already running (PID ${oldPid}). Stop it first.`);
+                process.exit(1);
+            }
+            (0, node_fs_1.unlinkSync)(pidFile);
+        }
+        const configDir = options.configDir ?? (0, node_path_1.join)((0, node_os_1.homedir)(), `.openclaw-${name}`);
+        const workspaceDir = options.workspace ?? (0, node_path_1.join)((0, node_os_1.homedir)(), `openclaw-${name}`, 'workspace');
+        (0, node_fs_1.mkdirSync)(LOCAL_DIR, { recursive: true });
+        (0, node_fs_1.mkdirSync)(configDir, { recursive: true });
+        (0, node_fs_1.mkdirSync)(workspaceDir, { recursive: true });
+        // Ensure proxy bootstrap script exists
+        const bootstrapPath = (0, node_path_1.join)(paths_js_1.paths.bastionDir, 'proxy-bootstrap.mjs');
+        (0, node_fs_1.writeFileSync)(bootstrapPath, PROXY_BOOTSTRAP_CONTENT, 'utf-8');
+        // Build env with Bastion proxy
+        const env = {
+            ...process.env,
+            HTTPS_PROXY: `http://openclaw-local-${name}@${bastionHost}:${bastionPort}`,
+            NODE_EXTRA_CA_CERTS: caPath,
+            NO_PROXY: `${bastionHost},localhost,127.0.0.1`,
+            NODE_OPTIONS: `--import ${bootstrapPath}`,
+            HOME: (0, node_os_1.homedir)(),
+        };
+        const args = ['gateway', '--port', String(port), '--bind', 'localhost'];
+        // Save metadata
+        (0, node_fs_1.writeFileSync)(localMetaFile(name), JSON.stringify({
+            port,
+            configDir,
+            workspaceDir,
+            bin,
+            startedAt: new Date().toISOString(),
+        }, null, 2), 'utf-8');
+        if (options.foreground) {
+            console.log(`Starting OpenClaw '${name}' on port ${port} (foreground)...`);
+            console.log(`  Binary:    ${bin}`);
+            console.log(`  Config:    ${configDir}`);
+            console.log(`  Workspace: ${workspaceDir}`);
+            console.log(`  Proxy:     ${bastionHost}:${bastionPort}`);
+            console.log('');
+            const child = (0, node_child_process_1.spawn)(bin, args, {
+                stdio: 'inherit',
+                env,
+                cwd: workspaceDir,
+                ...(IS_WIN ? { shell: true } : {}),
+            });
+            // Write PID
+            if (child.pid) {
+                (0, node_fs_1.writeFileSync)(pidFile, String(child.pid), 'utf-8');
+            }
+            child.on('close', (code) => {
+                if ((0, node_fs_1.existsSync)(pidFile))
+                    (0, node_fs_1.unlinkSync)(pidFile);
+                process.exitCode = code ?? 0;
+            });
+            child.on('error', (err) => {
+                console.error(`Failed to start: ${err.message}`);
+                if ((0, node_fs_1.existsSync)(pidFile))
+                    (0, node_fs_1.unlinkSync)(pidFile);
+                process.exitCode = 1;
+            });
+        }
+        else {
+            console.log(`Starting OpenClaw '${name}' on port ${port} (daemon)...`);
+            const logFile = (0, node_path_1.join)(LOCAL_DIR, `${name}.log`);
+            const { openSync } = require('node:fs');
+            const logFd = openSync(logFile, 'a');
+            const child = (0, node_child_process_1.spawn)(bin, args, {
+                detached: true,
+                stdio: ['ignore', logFd, logFd],
+                env,
+                cwd: workspaceDir,
+                ...(IS_WIN ? { shell: true, windowsHide: true } : {}),
+            });
+            child.unref();
+            if (child.pid) {
+                (0, node_fs_1.writeFileSync)(pidFile, String(child.pid), 'utf-8');
+                console.log(`  PID:       ${child.pid}`);
+            }
+            console.log(`  Binary:    ${bin}`);
+            console.log(`  Port:      ${port}`);
+            console.log(`  Config:    ${configDir}`);
+            console.log(`  Workspace: ${workspaceDir}`);
+            console.log(`  Proxy:     ${bastionHost}:${bastionPort}`);
+            console.log(`  Log:       ${logFile}`);
+            console.log('');
+            console.log(`Dashboard: http://127.0.0.1:${port}/`);
+        }
+    });
+    // bastion openclaw local stop <name>
+    local
+        .command('stop')
+        .description('Stop a locally running OpenClaw instance')
+        .argument('<name>', 'Instance name')
+        .action((name) => {
+        const pidFile = localPidFile(name);
+        if (!(0, node_fs_1.existsSync)(pidFile)) {
+            console.error(`Instance '${name}' is not running (no PID file).`);
+            process.exit(1);
+        }
+        const pid = parseInt((0, node_fs_1.readFileSync)(pidFile, 'utf-8').trim(), 10);
+        if (isNaN(pid)) {
+            console.error('Invalid PID file.');
+            (0, node_fs_1.unlinkSync)(pidFile);
+            process.exit(1);
+        }
+        if (!isProcessRunning(pid)) {
+            console.log(`Instance '${name}' is not running (stale PID ${pid}).`);
+            (0, node_fs_1.unlinkSync)(pidFile);
+            return;
+        }
+        try {
+            process.kill(pid, 'SIGTERM');
+            console.log(`Stopped '${name}' (PID ${pid}).`);
+        }
+        catch (err) {
+            console.error(`Failed to stop PID ${pid}: ${err.message}`);
+        }
+        (0, node_fs_1.unlinkSync)(pidFile);
+    });
+    // bastion openclaw local status
+    local
+        .command('status')
+        .description('List all local OpenClaw instances')
+        .action(() => {
+        if (!(0, node_fs_1.existsSync)(LOCAL_DIR)) {
+            console.log('(no local instances found)');
+            return;
+        }
+        const metaFiles = (0, node_fs_1.readdirSync)(LOCAL_DIR).filter((f) => f.endsWith('.json'));
+        if (metaFiles.length === 0) {
+            console.log('(no local instances found)');
+            return;
+        }
+        const header = { name: 'INSTANCE', status: 'STATUS', port: 'PORT', pid: 'PID', dashboard: 'DASHBOARD' };
+        const rows = [header];
+        for (const file of metaFiles) {
+            const name = file.replace(/\.json$/, '');
+            const pidFile = localPidFile(name);
+            let port = '-';
+            let pidStr = '-';
+            let state = 'stopped';
+            try {
+                const meta = JSON.parse((0, node_fs_1.readFileSync)((0, node_path_1.join)(LOCAL_DIR, file), 'utf-8'));
+                port = String(meta.port ?? '-');
+            }
+            catch {
+                // ignore
+            }
+            if ((0, node_fs_1.existsSync)(pidFile)) {
+                const pid = parseInt((0, node_fs_1.readFileSync)(pidFile, 'utf-8').trim(), 10);
+                if (!isNaN(pid) && isProcessRunning(pid)) {
+                    state = 'running';
+                    pidStr = String(pid);
+                }
+                else {
+                    // Stale PID
+                    if ((0, node_fs_1.existsSync)(pidFile))
+                        (0, node_fs_1.unlinkSync)(pidFile);
+                }
+            }
+            const dashboard = port !== '-'
+                ? `http://127.0.0.1:${port}/`
+                : '-';
+            rows.push({ name, status: state, port, pid: pidStr, dashboard });
+        }
+        const colWidths = {
+            name: Math.max(...rows.map((r) => r.name.length)) + 2,
+            status: Math.max(...rows.map((r) => r.status.length)) + 2,
+            port: Math.max(...rows.map((r) => r.port.length)) + 2,
+            pid: Math.max(...rows.map((r) => r.pid.length)) + 2,
+        };
+        for (const row of rows) {
+            console.log(row.name.padEnd(colWidths.name) +
+                row.status.padEnd(colWidths.status) +
+                row.port.padEnd(colWidths.port) +
+                row.pid.padEnd(colWidths.pid) +
+                row.dashboard);
+        }
+    });
+    // bastion openclaw local logs <name>
+    local
+        .command('logs')
+        .description('Show logs for a local OpenClaw instance')
+        .argument('<name>', 'Instance name')
+        .option('-f, --follow', 'Follow log output')
+        .action((name, options) => {
+        const logFile = (0, node_path_1.join)(LOCAL_DIR, `${name}.log`);
+        if (!(0, node_fs_1.existsSync)(logFile)) {
+            console.error(`No log file found for '${name}'.`);
+            process.exit(1);
+        }
+        let child;
+        if (IS_WIN) {
+            // PowerShell Get-Content as replacement for tail
+            const psArgs = options.follow
+                ? ['-Command', `Get-Content -Path "${logFile}" -Tail 100 -Wait`]
+                : ['-Command', `Get-Content -Path "${logFile}" -Tail 100`];
+            child = (0, node_child_process_1.spawn)('powershell', psArgs, { stdio: 'inherit' });
+        }
+        else {
+            const tailArgs = options.follow
+                ? ['-f', logFile]
+                : ['-100', logFile];
+            child = (0, node_child_process_1.spawn)('tail', tailArgs, { stdio: 'inherit' });
+        }
+        child.on('close', (code) => {
+            process.exitCode = code ?? 0;
+        });
+    });
+}
+//# sourceMappingURL=openclaw.js.map