@analyticscli/growth-engineer 0.1.1-preview.3 → 0.1.1-preview.30

package/dist/runtime/openclaw-growth-wizard.mjs

@@ -16,6 +16,7 @@ const ENABLE_ISOLATED_SECRET_RUNNER_WIZARD = false;
 const DEFAULT_GROWTH_INTERVAL_MINUTES = 90;
 const DEFAULT_CONNECTOR_HEALTH_INTERVAL_MINUTES = 360;
 const DEFAULT_SCHEDULER_PROOF_PATH = 'data/openclaw-growth-engineer/runtime/scheduler-proof.jsonl';
+const DELETE_SECRET = '__OPENCLAW_DELETE_SECRET__';
 const GROWTH_ENGINEER_PACKAGE_SPEC = process.env.OPENCLAW_GROWTH_ENGINEER_PACKAGE || '@analyticscli/growth-engineer@preview';
 const RUNTIME_DIR = path.dirname(fileURLToPath(import.meta.url));
 const ACCOUNT_SIGNAL_CONNECTOR_KEYS = [
@@ -84,7 +85,7 @@ const CONNECTOR_DEFINITIONS = [
         key: 'paddle',
         label: 'Paddle Billing metrics',
         summary: 'Read web checkout, revenue, MRR, refunds, chargebacks, and active subscriber metrics.',
-        needs: 'A Paddle API key with metrics.read permission for the live account.',
+        needs: 'A scoped Paddle API key for the live account with metrics.read permission.',
     },
     {
         key: 'seo',
@@ -108,7 +109,7 @@ const CONNECTOR_DEFINITIONS = [
         key: 'asc',
         label: 'ASC / App Store Connect CLI',
         summary: 'Read App Store analytics, reviews/ratings, builds/TestFlight/release context, subscriptions, purchases, and crash totals.',
-        needs: 'ASC_KEY_ID, ASC_ISSUER_ID, and the AuthKey_XXXX.p8 content or path.',
+        needs: 'Two App Store Connect API keys: a Sales and Reports or Finance key for ongoing use, plus a temporary Admin key for one-time analytics bootstrap.',
     },
     {
         key: 'stripe',
@@ -906,7 +907,9 @@ function sourceCommandNeedsActiveConfig(sourceName, command) {
     const value = String(command || '').toLowerCase();
     return (normalized === 'sentry' ||
         normalized === 'glitchtip' ||
+        normalized === 'paddle' ||
         normalized === 'coolify' ||
+        value.includes('export-paddle-summary') ||
         value.includes('export-sentry-summary') ||
         value.includes('export-coolify-summary') ||
         value.includes('exporters coolify-summary'));
@@ -1646,9 +1649,88 @@ async function connectorKeysForHealthCheck(configPath) {
         configured.add(key);
     return orderConnectors([...configured]);
 }
+function connectorKeyFromRunnerHealthKey(key) {
+    const normalized = String(key || '').trim();
+    if (normalized === 'analyticscli')
+        return 'analytics';
+    if (normalized === 'appStoreConnect')
+        return 'asc';
+    const connector = normalizeConnectorProgressKey(normalized);
+    return connector || null;
+}
+function activeIncidentStatusLabel(status) {
+    const normalized = String(status || '').trim();
+    return normalized || 'blocked';
+}
+async function readActiveConnectorIncidents(configPath) {
+    const statePath = deriveStatePathFromConfigPath(configPath);
+    const state = await readJsonIfPresent(statePath).catch(() => null);
+    const healthState = state?.connectorHealth;
+    if (!healthState ||
+        healthState.lastStatusOk !== false ||
+        !healthState.activeIncidentFingerprint) {
+        return {};
+    }
+    const alertJsonPath = healthState.lastAlertJsonPath
+        ? path.resolve(String(healthState.lastAlertJsonPath))
+        : path.resolve(path.dirname(statePath), 'runtime/connector-health/latest.json');
+    const alertJson = await readJsonIfPresent(alertJsonPath).catch(() => null);
+    const unhealthyConnectors = Array.isArray(alertJson?.unhealthyConnectors)
+        ? alertJson.unhealthyConnectors
+        : [];
+    const incidents = {};
+    for (const entry of unhealthyConnectors) {
+        const key = connectorKeyFromRunnerHealthKey(entry?.key);
+        if (!key)
+            continue;
+        incidents[key] = {
+            ...entry,
+            status: activeIncidentStatusLabel(entry?.status),
+            detail: String(entry?.detail || 'Runner still has an active connector-health incident').trim(),
+            activeRunnerIncident: true,
+            activeIncidentFingerprint: healthState.activeIncidentFingerprint,
+            lastCheckedAt: healthState.lastCheckedAt || null,
+        };
+    }
+    return incidents;
+}
+function mergeActiveConnectorIncidents(healthByConnector, activeIncidents) {
+    if (!activeIncidents || Object.keys(activeIncidents).length === 0) {
+        return healthByConnector;
+    }
+    return Object.fromEntries(CONNECTOR_KEYS.map((key) => {
+        const liveHealth = getConnectorHealth(key, healthByConnector);
+        const incident = activeIncidents[key];
+        if (!incident)
+            return [key, liveHealth];
+        if (liveHealth.status === 'connected') {
+            return [
+                key,
+                {
+                    ...liveHealth,
+                    status: 'partial',
+                    detail: `Live wizard check passed, but the runner still has an active ${incident.status} incident; run the connector health job once to record recovery.`,
+                    activeRunnerIncident: true,
+                    activeIncidentFingerprint: incident.activeIncidentFingerprint,
+                    lastCheckedAt: incident.lastCheckedAt,
+                },
+            ];
+        }
+        return [
+            key,
+            {
+                ...liveHealth,
+                ...incident,
+                status: incident.status || liveHealth.status || 'blocked',
+                detail: incident.detail || liveHealth.detail,
+            },
+        ];
+    }));
+}
 async function getConnectorPickerHealth(configPath, onProgress = () => { }, onlyConnectors = []) {
+    const activeIncidents = await readActiveConnectorIncidents(configPath);
     if (!(await fileExists(configPath))) {
-        return Object.fromEntries(CONNECTOR_KEYS.map((key) => [
+        const fallbackHealth = Object.fromEntries(CONNECTOR_KEYS.map((key) => [
             key,
             {
                 status: isConnectorLocallyConfigured(key) ? 'unknown' : 'not_connected',
@@ -1657,9 +1739,11 @@ async function getConnectorPickerHealth(configPath, onProgress = () => { }, only
                     : '',
             },
         ]));
+        return mergeActiveConnectorIncidents(fallbackHealth, activeIncidents);
     }
     if (onlyConnectors.length === 0) {
-        return Object.fromEntries(CONNECTOR_KEYS.map((key) => [key, getConnectorHealth(key, {})]));
+        const fallbackHealth = Object.fromEntries(CONNECTOR_KEYS.map((key) => [key, getConnectorHealth(key, {})]));
+        return mergeActiveConnectorIncidents(fallbackHealth, activeIncidents);
     }
     const onlyArg = ` --only-connectors ${quote(orderConnectors(onlyConnectors).join(','))}`;
     const result = await runCommandCaptureWithProgress(`${nodeRuntimeScriptCommand('openclaw-growth-status.mjs')} --config ${quote(configPath)} --json --progress-json${onlyArg}`, onProgress);
@@ -1675,7 +1759,8 @@ async function getConnectorPickerHealth(configPath, onProgress = () => { }, only
         coolify: connectors.coolify,
         asc: connectors.appStoreConnect,
     };
-    return Object.fromEntries(CONNECTOR_KEYS.map((key) => [key, getConnectorHealth(key, healthByConnector)]));
+    const liveHealth = Object.fromEntries(CONNECTOR_KEYS.map((key) => [key, getConnectorHealth(key, healthByConnector)]));
+    return mergeActiveConnectorIncidents(liveHealth, activeIncidents);
 }
 function renderConnectorPicker(cursorIndex, selected, required, healthByConnector = {}, warning = '', copy = {}) {
     process.stdout.write('\x1b[2J\x1b[H');
@@ -1995,13 +2080,60 @@ function parseJsonFromStdout(stdout) {
     const starts = [firstBrace, firstBracket].filter((index) => index >= 0);
     if (starts.length === 0)
         return null;
+    const start = Math.min(...starts);
+    const jsonText = extractFirstJsonValue(raw, start);
+    if (!jsonText)
+        return null;
     try {
-        return JSON.parse(raw.slice(Math.min(...starts)));
+        return JSON.parse(jsonText);
     }
     catch {
         return null;
     }
 }
+function extractFirstJsonValue(raw, start) {
+    const open = raw[start];
+    const close = open === '{' ? '}' : open === '[' ? ']' : '';
+    if (!close)
+        return '';
+    let depth = 0;
+    let inString = false;
+    let escaped = false;
+    for (let index = start; index < raw.length; index += 1) {
+        const char = raw[index];
+        if (inString) {
+            if (escaped) {
+                escaped = false;
+            }
+            else if (char === '\\') {
+                escaped = true;
+            }
+            else if (char === '"') {
+                inString = false;
+            }
+            continue;
+        }
+        if (char === '"') {
+            inString = true;
+            continue;
+        }
+        if (char === open)
+            depth += 1;
+        if (char === close) {
+            depth -= 1;
+            if (depth === 0)
+                return raw.slice(start, index + 1);
+        }
+    }
+    return '';
+}
+function stripProgressOutput(value) {
+    return String(value || '')
+        .split(/\r?\n/)
+        .filter((line) => !line.startsWith('OPENCLAW_PROGRESS '))
+        .join('\n')
+        .trim();
+}
 function clearTerminal() {
     if (process.stdout.isTTY) {
         process.stdout.write('\x1b[2J\x1b[H');
@@ -2042,6 +2174,21 @@ function getPassingConnectorKeys(payload, failedConnectors = new Set()) {
 }
 function summarizeFailureReason(detail) {
     const text = String(detail || '').replace(/\s+/g, ' ').trim();
+    if (/ASC Reports key auth failed: .*\.p8 key could not be parsed/i.test(text)) {
+        return 'ASC Reports key auth failed: the .p8 key could not be parsed';
+    }
+    if (/ASC Setup Admin key auth failed: .*\.p8 key could not be parsed/i.test(text)) {
+        return 'ASC Setup Admin key auth failed: the .p8 key could not be parsed';
+    }
+    if (/ASC Reports key auth failed: .*\.p8 file permissions are too open/i.test(text)) {
+        return 'ASC Reports key auth failed: .p8 file permissions are too open';
+    }
+    if (/ASC Setup Admin key auth failed: .*\.p8 file permissions are too open/i.test(text)) {
+        return 'ASC Setup Admin key auth failed: .p8 file permissions are too open';
+    }
+    if (/ASC .*\.p8 private key is invalid|invalid private key|failed to parse|sequence truncated|malformed|asn1/i.test(text)) {
+        return 'ASC auth failed: the .p8 key could not be parsed';
+    }
     if (/token has been revoked/i.test(text))
         return 'token has been revoked';
     if (/unauthorized|UNAUTHORIZED/i.test(text))
@@ -2075,7 +2222,7 @@ function summarizeFailureFix(connector, blockers) {
         return 'Paste a RevenueCat v2 secret API key with read-only project permissions, then rerun setup.';
     }
     if (connector === 'paddle') {
-        return 'Paste a Paddle API key with metrics.read permission for the live account, then rerun setup.';
+        return 'Paste a live Paddle API key from Developer Tools > Authentication v2 with metrics.read permission, then rerun setup.';
     }
     if (connector === 'seo') {
         return 'Configure Search Console read access. Leave GSC_SITE_URL empty to scan all verified properties in the account, or set it only when you intentionally want one property.';
@@ -2084,6 +2231,21 @@ function summarizeFailureFix(connector, blockers) {
         return 'Paste a Coolify base URL and read-only API token from Keys & Tokens / API tokens, then rerun setup.';
     }
     if (connector === 'asc') {
+        if (/invalid value: ['"]?state|parameter has an invalid value: ['"]?state|--state/i.test(combined)) {
+            return 'Update Growth Engineer and rerun ASC setup. Setup no longer uses the flaky ASC analytics request state filter.';
+        }
+        if (/file permissions are too open|too permissive|chmod 600/i.test(combined)) {
+            return 'Rerun ASC setup. The wizard saves a secure local copy of AuthKey_<KEY_ID>.p8 with chmod 600 before testing.';
+        }
+        if (/Reports key auth failed|Reports key/i.test(combined) && /private key|could not be parsed|failed to parse|asn1/i.test(combined)) {
+            return 'Use the original downloaded AuthKey_<KEY_ID>.p8 file for the Reports key. The wizard bypasses old asc keychain/config credentials during setup.';
+        }
+        if (/Setup Admin key auth failed|Admin key/i.test(combined) && /private key|could not be parsed|failed to parse|asn1/i.test(combined)) {
+            return 'Use the original downloaded AuthKey_<KEY_ID>.p8 file for the Setup Admin key. This key is temporary and should have the Admin role.';
+        }
+        if (/invalid|truncated|malformed|private key|could not be parsed|failed to parse|asn1/i.test(combined)) {
+            return 'Use the original downloaded AuthKey_<KEY_ID>.p8 for the Reports key. Old pasted ASC_PRIVATE_KEY values are removed when you choose a file path.';
+        }
         return 'Rerun ASC setup and verify ASC credentials, key role access, and `asc apps list --output json`.';
     }
     if (isAccountSignalConnector(connector)) {
@@ -2132,21 +2294,15 @@ function printConciseSetupBlockers(payload, command, options = {}) {
         process.stdout.write(`Live checks passed: ${passingConnectors.map(connectorTitle).join(', ')}.\n`);
     }
     if (groups.size > 0) {
-        process.stdout.write('\nNeeds fix:\n');
+        process.stdout.write('\nNeeds attention:\n');
         for (const [connector, connectorBlockers] of groups.entries()) {
             const primary = connectorBlockers[0] || {};
-            const reasons = [
-                ...new Set(connectorBlockers
-                    .map((blocker) => summarizeFailureReason(blocker.detail || blocker.check))
-                    .filter(Boolean)),
-            ];
             process.stdout.write(`- ${connectorTitle(connector)}: ${summarizeFailureReason(primary.detail || primary.check)}\n`);
-            process.stdout.write(`  Why: ${reasons.join('; ')}.\n`);
             process.stdout.write(`  Fix: ${summarizeFailureFix(connector, connectorBlockers)}\n`);
         }
     }
     printDeferredSetupNotes(blockers, focusConnectors);
-    if (groups.size > 0 || !options.hideRerunWhenClean) {
+    if (!options.hideRerun && (groups.size > 0 || !options.hideRerunWhenClean)) {
         process.stdout.write(`\nRerun: ${command}\n`);
     }
 }
@@ -2202,11 +2358,10 @@ function printSetupFailure({ result, payload, command }) {
     }
     const reason = result.code === null ? 'setup command did not report an exit code' : `setup command exited with code ${result.code}`;
     process.stdout.write(`Reason: ${reason}.\n`);
-    const output = truncate(result.stderr || result.stdout);
+    const output = truncate(stripProgressOutput(result.stderr) || stripProgressOutput(result.stdout));
     if (output) {
         process.stdout.write(`Details: ${output}\n`);
     }
-    process.stdout.write(`Run manually for full output: ${command}\n`);
 }
 function printSetupSuccess(payload) {
     process.stdout.write('\nSUCCESS: Connector setup finished.\n');
@@ -2291,9 +2446,9 @@ function isDeferredGitHubFailure(failure) {
     return (name === 'project:github-repo' ||
         (name === 'connection:github' && /project\.githubRepo|repo is missing|repo is not configured/i.test(detail)));
 }
-function healthStatusLabel(status) {
+function healthStatusLabel(status, spinner = '') {
     if (status === 'running')
-        return 'running';
+        return spinner ? `running ${spinner}` : 'running';
     if (status === 'pass')
         return 'done';
     if (status === 'warn')
@@ -2302,18 +2457,27 @@ function healthStatusLabel(status) {
         return 'needs attention';
     if (status === 'deferred')
         return 'deferred';
-    return 'pending';
+    return spinner ? `pending ${spinner}` : 'pending';
 }
-function renderHealthProgress(items, message = 'Live checks running...', title = 'Health check') {
+function renderHealthProgress(items, message = 'Live checks running...', title = 'Health check', options = {}) {
     if (process.stdout.isTTY)
         clearTerminal();
-    const finished = items.filter((item) => !['pending', 'running'].includes(String(item.status || ''))).length;
+    const final = Boolean(options.final);
+    const visibleItems = final
+        ? items.filter((item) => !['pending', 'running'].includes(String(item.status || '')) && item.key !== 'finalize')
+        : items;
+    const finished = visibleItems.filter((item) => !['pending', 'running'].includes(String(item.status || ''))).length;
     process.stdout.write(`${title}\n`);
     process.stdout.write('------------\n');
     process.stdout.write(`${message}\n\n`);
-    process.stdout.write(`${finished}/${items.length} checks finished.\n\n`);
-    for (const item of items) {
-        process.stdout.write(`[${healthStatusLabel(item.status)}] ${item.label}: ${item.detail}\n`);
+    if (final) {
+        process.stdout.write('');
+    }
+    else {
+        process.stdout.write(`${finished}/${visibleItems.length} checks finished.\n\n`);
+    }
+    for (const item of visibleItems) {
+        process.stdout.write(`[${healthStatusLabel(item.status, options.spinner || '')}] ${item.label}: ${item.detail}\n`);
     }
 }
 function updateHealthProgress(items, event) {
@@ -2424,22 +2588,41 @@ function updateProgressItem(items, key, status, detail) {
 }
 async function runSetupCommandWithProgress(command, env, selected, message) {
     const plan = buildSetupTestProgressPlan(selected);
-    renderHealthProgress(plan, `${message}\nDo not close this terminal yet.`, 'Connector setup test');
+    const spinnerFrames = ['-', '\\', '|', '/'];
+    let spinnerIndex = 0;
+    let currentMessage = message;
+    const render = (nextMessage = currentMessage, options = {}) => {
+        currentMessage = nextMessage;
+        renderHealthProgress(plan, currentMessage, 'Connector setup test', {
+            ...options,
+            spinner: spinnerFrames[spinnerIndex++ % spinnerFrames.length],
+        });
+    };
+    render(message);
+    const spinnerInterval = process.stdout.isTTY
+        ? setInterval(() => render(currentMessage), 800)
+        : null;
     const progressCommand = command.includes('--progress-json') ? command : `${command} --progress-json`;
     const result = await runCommandCaptureWithProgress(progressCommand, (event) => {
-        if (updateHealthProgress(plan, event)) {
-            const primaryFinished = primaryProgressItemsFinished(plan);
-            if (primaryFinished) {
-                updateProgressItem(plan, 'finalize', 'running', 'command still running; parsing final output and follow-up work');
-            }
-            const message = primaryFinished
-                ? 'Checks finished. Finalizing result; do not close this terminal yet.'
-                : 'Connector setup test is still running. Do not close this terminal yet.';
-            renderHealthProgress(plan, message, 'Connector setup test');
+        if (!updateHealthProgress(plan, event))
+            return;
+        const primaryFinished = primaryProgressItemsFinished(plan);
+        if (primaryFinished) {
+            updateProgressItem(plan, 'finalize', 'running', 'finishing');
         }
-    }, { env, timeoutMs: 180_000 });
+        render(primaryFinished ? 'Finishing setup test...' : 'Testing connector setup...');
+    }, { env, timeoutMs: 180_000 }).finally(() => {
+        if (spinnerInterval)
+            clearInterval(spinnerInterval);
+    });
+    const payload = parseJsonFromStdout(result.stdout);
+    if (Array.isArray(payload?.blockers) && payload.blockers.length > 0) {
+        if (process.stdout.isTTY)
+            clearTerminal();
+        return result;
+    }
     updateProgressItem(plan, 'finalize', 'pass', 'result received');
-    renderHealthProgress(plan, 'Connector setup test finished.', 'Connector setup test');
+    renderHealthProgress(plan, 'Connector setup test finished.', 'Connector setup test', { final: true });
     return result;
 }
 async function saveSecretsImmediately(secrets) {
@@ -2447,19 +2630,19 @@ async function saveSecretsImmediately(secrets) {
         return false;
     const secretsFile = resolveSecretsFile();
     await writeSecretsFile(secretsFile, secrets);
-    Object.assign(process.env, secrets);
+    applySecretsToProcessEnv(secrets);
     process.stdout.write(`Saved local secrets to ${secretsFile} with chmod 600.\n`);
     return true;
 }
-async function runImmediateConnectorHealthCheck({ rl, configPath, connector, secrets, sentryAccounts = [], }) {
+async function runImmediateConnectorHealthCheck({ rl, configPath, connector, secrets, runtimeEnv = {}, sentryAccounts = [], paddleAccounts = [], }) {
     if (connector === 'sentry' && sentryAccounts.length > 0) {
         await upsertSentryAccountsConfig(configPath, sentryAccounts);
     }
+    if (connector === 'paddle' && paddleAccounts.length > 0) {
+        await upsertPaddleAccountsConfig(configPath, paddleAccounts);
+    }
     await saveSecretsImmediately(secrets);
-    const env = {
-        ...process.env,
-        ...secrets,
-    };
+    const env = mergeRuntimeEnv(secrets, connector === 'asc' ? { ASC_BYPASS_KEYCHAIN: '1' } : {}, runtimeEnv);
     const command = `${nodeRuntimeScriptCommand('openclaw-growth-start.mjs')} --config ${quote(configPath)} --setup-only --connectors ${quote(connector)} --only-connectors ${quote(connector)}`;
     let result = await runSetupCommandWithProgress(command, env, [connector], `Checking ${connectorLabel(connector)} immediately after setup...`);
     let payload = parseJsonFromStdout(result.stdout);
@@ -2468,6 +2651,7 @@ async function runImmediateConnectorHealthCheck({ rl, configPath, connector, sec
         printConciseSetupBlockers(payload, command, {
             focusConnectors: [connector],
             hideRerunWhenClean: true,
+            hideRerun: true,
         });
         const retry = await askYesNo(rl, `Re-enter ${connectorLabel(connector)} configuration now?`, true);
         return { ok: false, retry, result, payload };
@@ -2599,12 +2783,26 @@ function resolveSecretsFile() {
         return path.join(process.env.HOME, '.config', 'openclaw-growth', 'secrets.env');
     return path.resolve('.openclaw-growth-secrets.env');
 }
-function resolveAscPrivateKeyPath(keyId) {
+function resolveAscPrivateKeyPath(keyId, suffix = '') {
     const safeKeyId = (keyId || 'OPENCLAW').trim().replace(/[^a-zA-Z0-9_-]/g, '_') || 'OPENCLAW';
     const baseDir = process.env.HOME
         ? path.join(process.env.HOME, '.config', 'openclaw-growth')
         : path.resolve('.openclaw-growth');
-    return path.join(baseDir, `AuthKey_${safeKeyId}.p8`);
+    return path.join(baseDir, `AuthKey_${safeKeyId}${suffix}.p8`);
+}
+function inferAscKeyIdFromPrivateKeyPath(filePath) {
+    const fileName = path.basename(String(filePath || '').trim());
+    const match = fileName.match(/^AuthKey_([A-Za-z0-9]+)\.p8$/);
+    return match?.[1] || '';
+}
+async function copyAscPrivateKeyToSecurePath(sourcePath, keyId, suffix = '') {
+    const destinationPath = resolveAscPrivateKeyPath(keyId, suffix);
+    await fs.mkdir(path.dirname(destinationPath), { recursive: true, mode: 0o700 });
+    if (path.resolve(sourcePath) !== path.resolve(destinationPath)) {
+        await fs.copyFile(sourcePath, destinationPath);
+    }
+    await fs.chmod(destinationPath, 0o600);
+    return destinationPath;
 }
 function renderEnvValue(value) {
     return `"${String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/\$/g, '\\$')}"`;
@@ -2629,6 +2827,10 @@ async function readSecretsFile(filePath) {
 async function writeSecretsFile(filePath, nextValues) {
     const current = await readSecretsFile(filePath);
     for (const [key, value] of Object.entries(nextValues)) {
+        if (value === DELETE_SECRET) {
+            current.delete(key);
+            continue;
+        }
         if (value.trim())
             current.set(key, value.trim());
     }
@@ -2642,6 +2844,30 @@ async function writeSecretsFile(filePath, nextValues) {
     await fs.writeFile(filePath, lines.join('\n'), { encoding: 'utf8', mode: 0o600 });
     await fs.chmod(filePath, 0o600);
 }
+function applySecretsToProcessEnv(nextValues) {
+    for (const [key, value] of Object.entries(nextValues)) {
+        if (value === DELETE_SECRET) {
+            delete process.env[key];
+            continue;
+        }
+        if (value.trim())
+            process.env[key] = value.trim();
+    }
+}
+function mergeRuntimeEnv(...sources) {
+    const env = { ...process.env };
+    for (const source of sources) {
+        for (const [key, value] of Object.entries(source || {})) {
+            if (value === DELETE_SECRET) {
+                delete env[key];
+                continue;
+            }
+            if (String(value || '').trim())
+                env[key] = String(value).trim();
+        }
+    }
+    return env;
+}
 function renderBashSingleQuoted(value) {
     return `'${String(value).replace(/'/g, `'\\''`)}'`;
 }
@@ -3133,6 +3359,71 @@ async function verifySentryAccountsConfig(configPath, expectedAccounts) {
     }
     return { ok: true, detail: `${realAccounts.length} active Sentry-compatible account(s) configured` };
 }
+async function upsertPaddleAccountsConfig(configPath, accounts) {
+    if (!accounts.length || !(await fileExists(configPath)))
+        return false;
+    const config = await readJsonFile(configPath);
+    const existingAccounts = Array.isArray(config?.sources?.paddle?.accounts)
+        ? config.sources.paddle.accounts
+        : [];
+    const merged = new Map();
+    for (const account of existingAccounts) {
+        const id = String(account?.id || account?.key || account?.label || '').trim();
+        if (id)
+            merged.set(id, account);
+    }
+    for (const account of accounts) {
+        merged.set(account.id, {
+            ...(merged.get(account.id) || {}),
+            ...account,
+        });
+    }
+    const tokenEnv = accounts[0]?.tokenEnv || config?.sources?.paddle?.tokenEnv || config?.secrets?.paddleTokenEnv || 'PADDLE_API_KEY';
+    config.sources = {
+        ...(config.sources || {}),
+        paddle: {
+            ...(config.sources?.paddle || {}),
+            enabled: true,
+            mode: 'command',
+            command: normalizeWizardSourceCommand('paddle', config.sources?.paddle || {}, configPath),
+            environment: config.sources?.paddle?.environment || 'live',
+            tokenEnv,
+            accounts: [...merged.values()],
+        },
+    };
+    config.secrets = {
+        ...(config.secrets || {}),
+        paddleTokenEnv: tokenEnv,
+        paddleTokenRef: { source: 'env', provider: 'default', id: tokenEnv },
+    };
+    await writeJsonFile(configPath, config);
+    return true;
+}
+async function verifyPaddleAccountsConfig(configPath, expectedAccounts) {
+    if (!(await fileExists(configPath))) {
+        return { ok: false, detail: `${configPath} does not exist` };
+    }
+    const config = await readJsonFile(configPath);
+    const source = config?.sources?.paddle;
+    if (!source || source.enabled !== true) {
+        return { ok: false, detail: 'sources.paddle.enabled is not true' };
+    }
+    if (source.mode !== 'command') {
+        return { ok: false, detail: 'sources.paddle.mode is not command' };
+    }
+    const configuredAccounts = Array.isArray(source.accounts) ? source.accounts : [];
+    if (configuredAccounts.length === 0) {
+        return { ok: false, detail: 'sources.paddle.accounts contains no account' };
+    }
+    const configuredIds = new Set(configuredAccounts.map((account) => String(account?.id || account?.key || '').trim()).filter(Boolean));
+    const missingIds = expectedAccounts
+        .map((account) => String(account?.id || '').trim())
+        .filter((id) => id && !configuredIds.has(id));
+    if (missingIds.length > 0) {
+        return { ok: false, detail: `sources.paddle.accounts is missing configured account id(s): ${missingIds.join(', ')}` };
+    }
+    return { ok: true, detail: `${configuredAccounts.length} Paddle account(s) configured` };
+}
 async function upsertCoolifyConfig(configPath, { baseUrl, tokenEnv = 'COOLIFY_API_TOKEN' }) {
     if (!(await fileExists(configPath)))
         return false;
@@ -3232,11 +3523,14 @@ function validateAscPrivateKeyContent(value) {
         };
     }
 }
-async function askAscPrivateKeyContent(rl) {
-    process.stdout.write('\nPaste the full .p8 file content here. Leave the first line empty if you already saved the .p8 file on this host.\n');
-    process.stdout.write('The wizard validates the pasted key, stores it locally with chmod 600, and only saves ASC_PRIVATE_KEY_PATH.\n');
+async function askAscPrivateKeyContent(rl, options = {}) {
+    const envName = options.envName || 'ASC_PRIVATE_KEY';
+    const persistLabel = options.persistLabel || 'ASC_PRIVATE_KEY_PATH';
+    const keyLabel = options.keyLabel || 'this App Store Connect key';
+    process.stdout.write(`\nPaste the full .p8 file content for ${keyLabel}.\nLeave the first line empty if the .p8 file is already saved on this host.\n`);
+    process.stdout.write(`The wizard validates the pasted key, stores it locally with chmod 600, and only saves ${persistLabel}.\n`);
     while (true) {
-        const value = await readAscPrivateKeyPaste(rl);
+        const value = await readAscPrivateKeyPaste(rl, envName);
         if (!value.trim())
             return '';
         const validation = validateAscPrivateKeyContent(value);
@@ -3246,7 +3540,7 @@ async function askAscPrivateKeyContent(rl) {
         process.stdout.write('The .p8 was not saved. Paste the full file again from BEGIN to END, or leave empty to use a path.\n');
     }
 }
-async function readAscPrivateKeyPaste(rl) {
+async function readAscPrivateKeyPaste(rl, envName = 'ASC_PRIVATE_KEY') {
     return await new Promise((resolve, reject) => {
         let buffer = '';
         let settled = false;
@@ -3307,7 +3601,7 @@ async function readAscPrivateKeyPaste(rl) {
         process.stdin.setEncoding('utf8');
         process.stdin.on('data', onData);
         process.stdin.on('error', onError);
-        process.stdout.write('ASC_PRIVATE_KEY content: ');
+        process.stdout.write(`${envName} content: `);
         process.stdin.resume();
     });
 }
@@ -3315,9 +3609,11 @@ async function validateAscPrivateKeyPath(filePath) {
     const raw = await fs.readFile(filePath, 'utf8');
     return validateAscPrivateKeyContent(raw);
 }
-async function askAscPrivateKeyPath(rl) {
+async function askAscPrivateKeyPath(rl, options = {}) {
+    const label = options.label || 'ASC_PRIVATE_KEY_PATH (path to AuthKey_XXXX.p8, leave empty to skip)';
+    const defaultValue = options.defaultValue ?? process.env.ASC_PRIVATE_KEY_PATH ?? '';
     while (true) {
-        const privateKeyPath = await ask(rl, 'ASC_PRIVATE_KEY_PATH (path to AuthKey_XXXX.p8, leave empty to skip)', process.env.ASC_PRIVATE_KEY_PATH || '');
+        const privateKeyPath = await ask(rl, label, defaultValue);
         const trimmedPath = privateKeyPath.trim();
         if (!trimmedPath)
             return '';
@@ -3333,6 +3629,19 @@ async function askAscPrivateKeyPath(rl) {
         process.stdout.write('The ASC private key path was not saved. Paste a valid path, or leave empty to skip.\n');
     }
 }
+async function askAscPrivateKeyPathWithKeyId(rl, options = {}) {
+    const keyLabel = options.keyLabel || 'App Store Connect key';
+    while (true) {
+        const privateKeyPath = await askAscPrivateKeyPath(rl, options);
+        if (!privateKeyPath)
+            return { privateKeyPath: '', keyId: '' };
+        const keyId = inferAscKeyIdFromPrivateKeyPath(privateKeyPath);
+        if (keyId)
+            return { privateKeyPath, keyId };
+        process.stdout.write(`Could not infer Key ID for ${keyLabel} from the .p8 file name.\n`);
+        process.stdout.write('Use Apple\'s original downloaded file name: AuthKey_<KEY_ID>.p8. Do not rename the .p8 file.\n');
+    }
+}
 function printSection(title, lines = []) {
     process.stdout.write(`\n${ANSI.bold}${title}${ANSI.reset}\n`);
     process.stdout.write(`${'-'.repeat(title.length)}\n`);
@@ -3348,13 +3657,14 @@ function printBullets(lines) {
     }
     process.stdout.write('\n');
 }
+function bold(text) {
+    return `${ANSI.bold}${text}${ANSI.reset}`;
+}
 async function guideGitHubConnector(rl, secrets) {
     printSection('GitHub code access', [
-        'Use this when OpenClaw should read repo context or create GitHub delivery artifacts.',
-    ]);
-    printBullets([
-        'Open the token page, select the scopes you want, then paste the token here.',
-        'You can rerun this wizard later to change GitHub permissions.',
+        `${bold('Create token')} here: https://github.com/settings/tokens/new`,
+        `${bold('Scopes')}: public repos = public_repo, private repos/issues/PRs = repo.`,
+        `${bold('Only add workflow')} if OpenClaw should edit GitHub Actions files.`,
     ]);
     let hasGh = await commandExists('gh');
     if (!hasGh) {
@@ -3363,15 +3673,6 @@ async function guideGitHubConnector(rl, secrets) {
     if (hasGh) {
         process.stdout.write('GitHub CLI is available for helper commands.\n\n');
     }
-    process.stdout.write('Token URL: https://github.com/settings/tokens/new\n\n');
-    process.stdout.write(`${ANSI.bold}Suggested scopes${ANSI.reset}\n`);
-    printBullets([
-        'Public repo only: select `public_repo`.',
-        'Private repo access: select `repo` (classic GitHub tokens make private repo access broad).',
-        'Create issues / draft PRs in private repos: `repo` is the relevant classic-token scope.',
-        'Edit GitHub Actions workflow files: add `workflow` only if you explicitly want this.',
-        'Usually do not select: packages, admin:org, hooks, gist, user, delete_repo, enterprise, codespace, copilot.',
-    ]);
     const token = await maybePromptSecret(rl, 'Paste GITHUB_TOKEN into this local terminal', 'GITHUB_TOKEN');
     if (token)
         secrets.GITHUB_TOKEN = token;
@@ -3392,12 +3693,10 @@ function shouldForceFreshAnalyticsToken(healthByConnector = {}) {
     return ['blocked', 'partial'].includes(String(health?.status || '')) || /revoked|unauthorized|invalid token/i.test(detail);
 }
 async function guideAnalyticsConnector(rl, secrets, options = {}) {
-    printSection('AnalyticsCLI');
-    process.stdout.write('Create a readonly CLI token:\n');
-    process.stdout.write('1. Open https://dash.analyticscli.com/\n');
-    process.stdout.write('2. Account -> API Keys\n');
-    process.stdout.write('3. Create Access Token\n');
-    process.stdout.write('4. Copy the Readonly CLI Token and paste it below\n\n');
+    printSection('AnalyticsCLI', [
+        `${bold('Create readonly CLI token')}: https://dash.analyticscli.com/`,
+        `${bold('Path')}: Account -> API Keys -> Create Access Token.`,
+    ]);
     const forceFresh = Boolean(options.forceFresh);
     if (forceFresh && process.env.ANALYTICSCLI_ACCESS_TOKEN) {
         process.stdout.write('Stored token failed. Paste a new token.\n\n');
@@ -3414,51 +3713,64 @@ async function guideAnalyticsConnector(rl, secrets, options = {}) {
 }
 async function guideRevenueCatConnector(rl, secrets) {
     printSection('RevenueCat monetization data', [
-        'Use this when OpenClaw should read subscription, product, entitlement, and revenue context.',
-    ]);
-    process.stdout.write('\nCreate a RevenueCat secret API key here:\n  https://app.revenuecat.com/\n\n');
-    printBullets([
-        'Select your app.',
-        'In the sidebar, choose "Apps & providers".',
-        'Click "API keys" and generate a new secret API key.',
-        'Name it "analyticscli" and choose API version 2.',
-        'Set Charts metrics permissions to read.',
-        'Set Customer information permissions to read.',
-        'Set Project configuration permissions to read.',
+        `${bold('Create secret API key')}: https://app.revenuecat.com/`,
+        `${bold('Path')}: Apps & providers -> API keys -> New secret key.`,
+        `${bold('Permissions')}: API v2, read for Charts metrics, Customer information, Project configuration.`,
     ]);
     const apiKey = await maybePromptSecret(rl, 'Paste REVENUECAT_API_KEY into this local terminal', 'REVENUECAT_API_KEY');
     if (apiKey)
         secrets.REVENUECAT_API_KEY = apiKey;
 }
+function paddleAccountIdFromLabel(label, index) {
+    const normalized = String(label || '')
+        .trim()
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, '_')
+        .replace(/^_+|_+$/g, '');
+    return normalized || `paddle_${index + 1}`;
+}
+function paddleTokenEnvForAccount(index, label) {
+    if (index === 0)
+        return 'PADDLE_API_KEY';
+    const suffix = paddleAccountIdFromLabel(label, index).toUpperCase().replace(/[^A-Z0-9]+/g, '_');
+    const base = suffix && suffix !== `PADDLE_${index + 1}` ? `PADDLE_API_KEY_${suffix}` : `PADDLE_API_KEY_${index + 1}`;
+    return base.replace(/_+/g, '_');
+}
 async function guidePaddleConnector(rl, secrets) {
     printSection('Paddle Billing metrics', [
-        'Use this when OpenClaw should read web checkout, revenue, MRR, refunds, chargebacks, and active subscriber metrics.',
+        `${bold('Create live API key')}: https://vendors.paddle.com/authentication-v2`,
+        `${bold('Minimum')}: metrics.read. Better: all read-only *.read scopes.`,
+        `${bold('Do not grant write scopes')} unless you explicitly need them elsewhere.`,
     ]);
-    process.stdout.write('\nCreate or update a Paddle API key here:\n  https://vendors.paddle.com/authentication\n\n');
-    printBullets([
-        'Open Paddle > Developer Tools > Authentication.',
-        'Create a new API key for the live account when you want production revenue evidence.',
-        'Grant `metrics.read`. Keep write permissions off unless another workflow explicitly needs them.',
-        'Do not select or hard-code a single product in the wizard; the Growth Engineer should keep account-level metrics context.',
-        'Paste the key here so it is stored only in the local chmod 600 secrets file.',
-    ]);
-    const apiKey = await maybePromptSecret(rl, 'Paste PADDLE_API_KEY into this local terminal', 'PADDLE_API_KEY');
-    if (apiKey)
-        secrets.PADDLE_API_KEY = apiKey;
+    const accounts = [];
+    let index = 0;
+    while (true) {
+        const label = await ask(rl, index === 0 ? 'Paddle account label' : 'Next Paddle account label (empty = done)', index === 0 ? 'Paddle' : '');
+        if (!label.trim())
+            break;
+        const tokenEnv = paddleTokenEnvForAccount(index, label);
+        const apiKey = await maybePromptSecret(rl, `Paste ${tokenEnv} into this local terminal`, tokenEnv);
+        if (apiKey)
+            secrets[tokenEnv] = apiKey;
+        accounts.push({
+            id: paddleAccountIdFromLabel(label, index),
+            label: label.trim(),
+            tokenEnv,
+            environment: 'live',
+        });
+        index += 1;
+        const addAnother = await askYesNo(rl, 'Add another Paddle account?', false);
+        if (!addAnother)
+            break;
+    }
+    return accounts;
 }
 async function guideSeoConnector(rl, secrets) {
     printSection('SEO / Google Search Console / DataForSEO', [
-        'Use this when OpenClaw should read organic search demand, GSC clicks/impressions/CTR/position, and optional paid keyword ideas.',
-    ]);
-    process.stdout.write('\nGoogle Search Console:\n  https://search.google.com/search-console\nGoogle Cloud service accounts:\n  https://console.cloud.google.com/iam-admin/serviceaccounts\nDataForSEO API dashboard:\n  https://app.dataforseo.com/api-dashboard\n\n');
-    printBullets([
-        'Preferred: give the token/service account access to all Search Console properties you want analyzed.',
-        'Leave the property URL empty to let the exporter list and query all verified GSC properties in the account.',
-        'Enter a property URL only when you intentionally want to restrict analysis to one site.',
-        'For OAuth token mode, paste a read-only Search Console token with `webmasters.readonly` scope.',
-        'For service-account mode, add the service account email as a restricted/full user in Search Console, then set GOOGLE_APPLICATION_CREDENTIALS or GSC_SERVICE_ACCOUNT_JSON outside this wizard.',
-        'DataForSEO is optional and paid. The exporter refuses paid calls unless the source command includes --confirm-paid and a small --max-paid-requests cap.',
-        'CSV-only mode is also supported with --gsc-csv or --csv in sources.seo.command.',
+        `${bold('GSC')}: https://search.google.com/search-console`,
+        `${bold('Service account')}: https://console.cloud.google.com/iam-admin/serviceaccounts`,
+        `${bold('Optional paid keyword data')}: https://app.dataforseo.com/api-dashboard`,
+        `${bold('Default')}: leave property URL empty to use all verified GSC properties.`,
     ]);
     const siteUrl = await ask(rl, 'Optional GSC property URL (empty = all verified properties)', process.env.GSC_SITE_URL || '');
     if (siteUrl.trim())
@@ -3476,10 +3788,15 @@ async function guideSeoConnector(rl, secrets) {
             secrets.DATAFORSEO_PASSWORD = password;
     }
 }
-function buildAccountSignalExtraSourceConfig(key, existing = {}) {
+function buildAccountSignalExtraSourceConfig(key, existing = {}, accounts = []) {
     const definition = getAccountSignalConnectorDefinition(key);
     if (!definition)
         return existing;
+    const accountConfig = accounts.length > 0
+        ? {
+            accounts: mergeConnectorAccounts(existing.accounts, accounts),
+        }
+        : {};
     return {
         ...buildExtraSourceConfig(definition.service, {
             key: definition.key,
@@ -3503,9 +3820,28 @@ function buildAccountSignalExtraSourceConfig(key, existing = {}) {
         signalKind: definition.sourceKind,
         experimental: Boolean(definition.experimental),
         hint: existing.hint || definition.signalHint,
+        ...accountConfig,
     };
 }
-async function upsertAccountSignalConnectorConfig(configPath, key) {
+function mergeConnectorAccounts(existingAccounts, nextAccounts) {
+    const merged = new Map();
+    for (const account of Array.isArray(existingAccounts) ? existingAccounts : []) {
+        const id = String(account?.id || account?.key || account?.label || '').trim();
+        if (id)
+            merged.set(id, account);
+    }
+    for (const account of nextAccounts) {
+        const id = String(account?.id || account?.key || account?.label || '').trim();
+        if (!id)
+            continue;
+        merged.set(id, {
+            ...(merged.get(id) || {}),
+            ...account,
+        });
+    }
+    return [...merged.values()];
+}
+async function upsertAccountSignalConnectorConfig(configPath, key, accounts = []) {
     const definition = getAccountSignalConnectorDefinition(key);
     if (!definition)
         return false;
@@ -3514,7 +3850,7 @@ async function upsertAccountSignalConnectorConfig(configPath, key) {
     const extra = Array.isArray(sources.extra) ? sources.extra : [];
     const nextExtra = extra.filter((source) => String(source?.key || source?.service || '') !== definition.key);
     const existing = extra.find((source) => String(source?.key || source?.service || '') === definition.key) || {};
-    nextExtra.push(buildAccountSignalExtraSourceConfig(key, existing));
+    nextExtra.push(buildAccountSignalExtraSourceConfig(key, existing, accounts));
     config.sources = {
         ...sources,
         extra: nextExtra,
@@ -3522,33 +3858,62 @@ async function upsertAccountSignalConnectorConfig(configPath, key) {
     await writeJsonFile(configPath, config);
     return true;
 }
+function accountSignalTokenEnvForAccount(baseEnv, key, index, label) {
+    if (index === 0)
+        return baseEnv;
+    const suffix = toConfigId(label || key, `${key}_${index + 1}`).toUpperCase().replace(/[^A-Z0-9]+/g, '_');
+    return `${baseEnv}_${suffix}`.replace(/_+/g, '_');
+}
 async function guideAccountSignalConnector(rl, secrets, key) {
     const definition = getAccountSignalConnectorDefinition(key);
     if (!definition)
-        return;
+        return [];
     printSection(definition.label, [
-        definition.summary,
-        'Setup is account-wide. Do not paste project IDs, app IDs, product IDs, package names, paywall IDs, service names, or tags here.',
+        `${bold('Docs')}: ${definition.docsUrl}`,
+        `${bold('Setup is account-wide')}. Do not paste project IDs, app IDs, product IDs, package names, paywall IDs, service names, or tags here.`,
+        `${bold('Paste only credentials')} below. The agent discovers accounts/apps/projects later.`,
     ]);
-    process.stdout.write(`Docs: ${definition.docsUrl}\n\n`);
-    printBullets(definition.steps);
-    for (const credential of definition.credentials) {
-        const defaultValue = credential.defaultValue ?? process.env[credential.env] ?? '';
-        const value = credential.optional
-            ? await maybePromptSecret(rl, credential.prompt, credential.env)
-            : await maybePromptSecret(rl, credential.prompt, credential.env);
-        const finalValue = value || defaultValue;
-        if (finalValue)
-            secrets[credential.env] = finalValue;
-        else if (!credential.optional) {
-            process.stdout.write(`${credential.env} was not saved. ${definition.label} setup remains pending; rerun this wizard when ready.\n`);
+    const accounts = [];
+    let index = 0;
+    while (true) {
+        const label = await ask(rl, index === 0 ? `${definition.label} account label` : `Next ${definition.label} account label (empty = done)`, index === 0 ? definition.label.replace(/\s+\(experimental\)$/i, '') : '');
+        if (!label.trim())
+            break;
+        const credentialEnvs = {};
+        for (const credential of definition.credentials) {
+            const envName = accountSignalTokenEnvForAccount(credential.env, key, index, label);
+            const defaultValue = index === 0 ? credential.defaultValue ?? process.env[credential.env] ?? '' : '';
+            const prompt = envName === credential.env ? credential.prompt : `${credential.prompt.replace(credential.env, envName)}`;
+            const value = credential.optional
+                ? await maybePromptSecret(rl, prompt, envName)
+                : await maybePromptSecret(rl, prompt, envName);
+            const finalValue = value || defaultValue;
+            credentialEnvs[credential.env] = envName;
+            if (finalValue)
+                secrets[envName] = finalValue;
+            else if (!credential.optional) {
+                process.stdout.write(`${envName} was not saved. ${definition.label} setup remains pending for ${label}; rerun this wizard when ready.\n`);
+            }
         }
+        accounts.push({
+            id: toConfigId(label, `${key}_${index + 1}`),
+            label: label.trim(),
+            credentialEnvs,
+            tokenEnv: credentialEnvs[definition.credentials[0]?.env] || definition.credentials[0]?.env || null,
+            accountWide: true,
+            projectScope: 'discover_from_account',
+        });
+        index += 1;
+        const addAnother = await askYesNo(rl, `Add another ${definition.label} account?`, false);
+        if (!addAnother)
+            break;
     }
+    return accounts;
 }
 async function guideSentryConnector(rl, secrets) {
     printSection('Sentry / GlitchTip', [
-        'Paste token, org, and base URL. Projects are discovered automatically.',
-        'Use `https://sentry.io` for Sentry Cloud or your GlitchTip/self-hosted base URL.',
+        `${bold('Base URL')}: https://sentry.io for Sentry Cloud, otherwise your GlitchTip/self-hosted URL.`,
+        `${bold('Token + org')} are needed. Project scope remains unpinned.`,
     ]);
     const accounts = [];
     let index = 0;
@@ -3600,7 +3965,7 @@ async function guideSentryConnector(rl, secrets) {
             let verifiedVisibleProjects = false;
             if (discovery.ok && discovery.projects.length > 0) {
                 verifiedVisibleProjects = true;
-                process.stdout.write(`Found ${discovery.projects.length} visible project(s). Project scope remains unpinned so OpenClaw/Hermes can decide per run.\n`);
+                process.stdout.write(`Found ${discovery.projects.length} visible project(s). Project scope remains unpinned.\n`);
             }
             else {
                 const fallbackOrgs = discoveredOrganizations
@@ -3657,19 +4022,12 @@ function normalizeCoolifyBaseUrl(value) {
 }
 async function guideCoolifyConnector(rl, secrets) {
     printSection('Coolify deployment monitoring', [
-        'Use this when OpenClaw should read deployment, resource, server, and health-check signals from Coolify.',
-        'The token should be read-only. Do not use "*" or sensitive-token permissions for normal monitoring.',
+        `${bold('Create read-only API token')} in Coolify.`,
+        `${bold('Do not use * or sensitive-token permissions')} for normal monitoring.`,
     ]);
     const baseUrl = normalizeCoolifyBaseUrl(await ask(rl, 'Coolify base URL', process.env.COOLIFY_BASE_URL || 'https://coolify.wotaso.com'));
     const tokenUrl = baseUrl ? `${baseUrl}/security/api-tokens` : 'https://<your-coolify-host>/security/api-tokens';
-    process.stdout.write(`\nToken page: ${tokenUrl}\n\n`);
-    printBullets([
-        'Open the Coolify dashboard.',
-        'In the sidebar, go to "Keys & Tokens".',
-        'Open "API tokens".',
-        'Create a new API key/token with read-only permissions.',
-        'Copy the token once and paste it into this local terminal.',
-    ]);
+    process.stdout.write(`${bold('Token page')}: ${tokenUrl}\n\n`);
     const token = await maybePromptSecret(rl, 'Paste COOLIFY_API_TOKEN into this local terminal', 'COOLIFY_API_TOKEN');
     if (baseUrl)
         secrets.COOLIFY_BASE_URL = baseUrl;
@@ -3679,56 +4037,131 @@ async function guideCoolifyConnector(rl, secrets) {
 }
 async function guideAscConnector(rl, secrets) {
     printSection('App Store Connect CLI', [
-        'Use this mainly for App Store analytics batch reports, plus builds, TestFlight, reviews, ratings, and store context.',
-        'The normal Growth Engineer path uses App Store Connect API-key reports. Experimental ASC web analytics is not part of setup.',
-    ]);
-    process.stdout.write('Create an App Store Connect API key here:\n  https://appstoreconnect.apple.com/access/integrations/api\n\n');
-    process.stdout.write('Roles to choose for this key:\n');
-    printBullets([
-        'Required for first setup: Admin, because Apple only allows Admin keys to create the initial Analytics Report Request.',
-        'Required for steady-state report downloads after the request exists: Sales and Reports, Finance, or Admin.',
-        'Recommended: Customer Support, for App Store ratings and review text.',
-        'Recommended: Developer, for builds, TestFlight, and delivery status.',
-        'Optional: App Manager, only if OpenClaw should also read or manage app metadata, pricing, or release settings.',
-        'Least privilege option: run setup once with Admin, then rotate Growth Engineer to a Sales and Reports key for ongoing analytics downloads.',
-    ]);
-    process.stdout.write('\nWhy Admin is requested during setup:\n');
-    printBullets([
-        'Growth Engineer automatically creates an ongoing App Analytics report request when none exists.',
-        'Without that request, Apple will not generate Impressions, Product Page Views, App Units, Conversion Rate, and related report instances.',
-        'A non-Admin key can read existing reports, but creation fails with a forbidden response.',
+        `${bold('Create 2 API keys')} here: https://appstoreconnect.apple.com/access/integrations/api`,
+        `1. ${bold('Reports key')} - role ${bold('Sales and Reports')} - saved for Growth Engineer.`,
+        `2. ${bold('Setup key')} - role ${bold('Admin')} - used once, then revoke.`,
     ]);
-    process.stdout.write('\nAfter creating the key, copy these values into this wizard:\n');
+    process.stdout.write(`${bold('Enter the Reports key now:')}\n`);
     printBullets([
-        'Issuer ID from the API keys page.',
-        'Key ID from the API key row or from the downloaded file name: AuthKey_<KEY_ID>.p8.',
-        'Download the .p8 file, open it, then paste the full file content into this terminal.',
-        'If the .p8 is already on this host, leave the content prompt empty and paste the file path instead.',
-        'Vendor Number from App Store Connect Sales and Trends > Reports, needed for Sales and Trends/App Units reports.',
+        `${bold('.p8 path')} to Apple\'s original ${bold('AuthKey_<KEY_ID>.p8')} file. ${bold('Do not rename it')}; KEY_ID is read from the filename.`,
+        `The wizard saves a secure local copy with ${bold('chmod 600')}.`,
+        `${bold('Issuer ID')} from the API keys page. Same value for both keys.`,
+        `${bold('Vendor Number')} from Sales and Trends > Reports.`,
     ]);
-    const keyId = await ask(rl, 'ASC_KEY_ID (leave empty to skip)', process.env.ASC_KEY_ID || '');
-    const issuerId = await ask(rl, 'ASC_ISSUER_ID (leave empty to skip)', process.env.ASC_ISSUER_ID || '');
-    if (keyId.trim())
-        secrets.ASC_KEY_ID = keyId.trim();
+    const normalKeyPath = await askAscPrivateKeyPathWithKeyId(rl, {
+        label: 'Reports .p8 path (AuthKey_<KEY_ID>.p8, empty = paste)',
+        defaultValue: process.env.ASC_PRIVATE_KEY_PATH || '',
+        keyLabel: 'the normal reporting key',
+    });
+    let keyId = normalKeyPath.keyId;
+    if (normalKeyPath.privateKeyPath) {
+        const securePrivateKeyPath = await copyAscPrivateKeyToSecurePath(normalKeyPath.privateKeyPath, keyId);
+        secrets.ASC_PRIVATE_KEY_PATH = securePrivateKeyPath;
+        secrets.ASC_PRIVATE_KEY = DELETE_SECRET;
+        secrets.ASC_PRIVATE_KEY_B64 = DELETE_SECRET;
+        secrets.ASC_KEY_ID = keyId;
+        process.stdout.write(`Inferred ASC_KEY_ID=${keyId} from ${path.basename(normalKeyPath.privateKeyPath)}.\n`);
+        process.stdout.write(`Saved secure Reports key copy to ${securePrivateKeyPath} with chmod 600.\n`);
+    }
+    const issuerId = await ask(rl, 'ASC_ISSUER_ID (same for both keys, empty = skip)', process.env.ASC_ISSUER_ID || '');
     if (issuerId.trim())
         secrets.ASC_ISSUER_ID = issuerId.trim();
-    const privateKeyContent = await askAscPrivateKeyContent(rl);
-    if (privateKeyContent) {
+    if (!normalKeyPath.privateKeyPath) {
+        keyId = await ask(rl, 'ASC_KEY_ID (from AuthKey_<KEY_ID>.p8, empty = skip)', process.env.ASC_KEY_ID || '');
+        if (keyId.trim())
+            secrets.ASC_KEY_ID = keyId.trim();
+        const privateKeyContent = await askAscPrivateKeyContent(rl, {
+            keyLabel: 'the normal reporting key',
+        });
+        if (!privateKeyContent)
+            return await guideAscBootstrapAdminKey(rl, issuerId.trim());
         const privateKeyPath = resolveAscPrivateKeyPath(keyId);
         await fs.mkdir(path.dirname(privateKeyPath), { recursive: true, mode: 0o700 });
         await fs.writeFile(privateKeyPath, privateKeyContent, { encoding: 'utf8', mode: 0o600 });
         await fs.chmod(privateKeyPath, 0o600);
         secrets.ASC_PRIVATE_KEY_PATH = privateKeyPath;
+        secrets.ASC_PRIVATE_KEY = DELETE_SECRET;
+        secrets.ASC_PRIVATE_KEY_B64 = DELETE_SECRET;
         process.stdout.write(`Saved ASC private key to ${privateKeyPath} with chmod 600.\n`);
     }
-    else {
-        const privateKeyPath = await askAscPrivateKeyPath(rl);
-        if (privateKeyPath.trim())
-            secrets.ASC_PRIVATE_KEY_PATH = privateKeyPath.trim();
-    }
-    const vendorNumber = await ask(rl, 'ASC_VENDOR_NUMBER for Sales and Trends/App Units (leave empty to skip)', process.env.ASC_VENDOR_NUMBER || process.env.ASC_ANALYTICS_VENDOR_NUMBER || '');
+    const vendorNumber = await ask(rl, 'ASC_VENDOR_NUMBER (Sales and Trends > Reports)', process.env.ASC_VENDOR_NUMBER || '');
     if (vendorNumber.trim())
         secrets.ASC_VENDOR_NUMBER = vendorNumber.trim();
+    return await guideAscBootstrapAdminKey(rl, issuerId.trim());
+}
+async function guideAscBootstrapAdminKey(rl, issuerIdDefault = '') {
+    const bootstrapEnv = {};
+    process.stdout.write(`\n${bold('Enter the Setup Admin key:')}\n`);
+    printBullets([
+        `${bold('Role must be Admin')} so Apple can create the first App Analytics report request.`,
+        `${bold('Use original AuthKey_<KEY_ID>.p8 filename')} so KEY_ID is read automatically.`,
+        `${bold('Not saved')} to secrets.env. The temporary secure copy is deleted after setup.`,
+    ]);
+    const bootstrapKeyPath = await askAscPrivateKeyPathWithKeyId(rl, {
+        label: 'Setup Admin .p8 path (AuthKey_<KEY_ID>.p8, empty = paste)',
+        defaultValue: '',
+        keyLabel: 'the temporary Admin key',
+    });
+    let bootstrapKeyId = bootstrapKeyPath.keyId;
+    let bootstrapIssuerId = String(issuerIdDefault || '').trim();
+    if (!bootstrapIssuerId) {
+        bootstrapIssuerId = await ask(rl, 'ASC_ISSUER_ID (same API keys page)', process.env.ASC_ISSUER_ID || '');
+    }
+    if (bootstrapKeyPath.privateKeyPath) {
+        const secureBootstrapPath = await copyAscPrivateKeyToSecurePath(bootstrapKeyPath.privateKeyPath, bootstrapKeyId, '_bootstrap_admin');
+        bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_PATH = secureBootstrapPath;
+        process.stdout.write(`Inferred ASC_BOOTSTRAP_KEY_ID=${bootstrapKeyId} from ${path.basename(bootstrapKeyPath.privateKeyPath)}.\n`);
+        process.stdout.write(`Saved secure temporary Admin key copy to ${secureBootstrapPath} with chmod 600.\n`);
+        bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_DELETE_AFTER_USE = '1';
+    }
+    else {
+        bootstrapKeyId = await ask(rl, 'ASC_BOOTSTRAP_KEY_ID (from AuthKey_<KEY_ID>.p8)', '');
+    }
+    if (!bootstrapKeyId.trim() || !bootstrapIssuerId.trim())
+        return { bootstrapEnv };
+    bootstrapEnv.ASC_BOOTSTRAP_KEY_ID = bootstrapKeyId.trim();
+    bootstrapEnv.ASC_BOOTSTRAP_ISSUER_ID = bootstrapIssuerId.trim();
+    if (!bootstrapKeyPath.privateKeyPath) {
+        const bootstrapPrivateKeyContent = await askAscPrivateKeyContent(rl, {
+            envName: 'ASC_BOOTSTRAP_PRIVATE_KEY',
+            persistLabel: 'ASC_BOOTSTRAP_PRIVATE_KEY_PATH temporarily',
+            keyLabel: 'the temporary Admin key',
+        });
+        if (!bootstrapPrivateKeyContent)
+            return { bootstrapEnv };
+        const bootstrapPrivateKeyPath = resolveAscPrivateKeyPath(bootstrapKeyId, '_bootstrap_admin');
+        await fs.mkdir(path.dirname(bootstrapPrivateKeyPath), { recursive: true, mode: 0o700 });
+        await fs.writeFile(bootstrapPrivateKeyPath, bootstrapPrivateKeyContent, { encoding: 'utf8', mode: 0o600 });
+        await fs.chmod(bootstrapPrivateKeyPath, 0o600);
+        bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_PATH = bootstrapPrivateKeyPath;
+        bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_DELETE_AFTER_USE = '1';
+        process.stdout.write(`Saved temporary Admin ASC private key to ${bootstrapPrivateKeyPath} with chmod 600. It will be deleted after the setup check.\n`);
+    }
+    return { bootstrapEnv };
+}
+async function cleanupTemporaryAscBootstrapPrivateKey(bootstrapEnv = {}) {
+    const privateKeyPath = String(bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_PATH || '').trim();
+    const shouldDelete = String(bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_DELETE_AFTER_USE || '').trim().toLowerCase();
+    if (!privateKeyPath || !['1', 'true', 'yes'].includes(shouldDelete))
+        return;
+    if (privateKeyPath === String(bootstrapEnv.ASC_PRIVATE_KEY_PATH || process.env.ASC_PRIVATE_KEY_PATH || '').trim()) {
+        process.stdout.write('Temporary Admin .p8 path matches the steady-state ASC_PRIVATE_KEY_PATH; leaving it in place.\n');
+        process.stdout.write('You can also revoke the temporary Admin API key in App Store Connect.\n');
+        return;
+    }
+    try {
+        await fs.unlink(privateKeyPath);
+        process.stdout.write(`Deleted temporary Admin .p8 from ${privateKeyPath}.\n`);
+    }
+    catch (error) {
+        if (error?.code === 'ENOENT') {
+            process.stdout.write(`Temporary Admin .p8 was already absent at ${privateKeyPath}.\n`);
+            process.stdout.write('You can also revoke the temporary Admin API key in App Store Connect.\n');
+            return;
+        }
+        process.stdout.write(`Could not delete temporary Admin .p8 at ${privateKeyPath}: ${error instanceof Error ? error.message : String(error)}\n`);
+    }
+    process.stdout.write('You can also revoke the temporary Admin API key in App Store Connect.\n');
 }
 async function shouldRunSelfUpdate(workspaceRoot, force) {
     if (force)
@@ -3852,6 +4285,7 @@ async function runConnectorSetupSteps({ rl, args, selected, healthByConnector, a
     process.stdout.write('\n');
     const secrets = {};
     let sentryAccounts = [];
+    let paddleAccounts = [];
     let coolifyConfig = null;
     if (selected.includes('analytics')) {
         let forceFreshAnalyticsToken = shouldForceFreshAnalyticsToken(healthByConnector);
@@ -3900,12 +4334,13 @@ async function runConnectorSetupSteps({ rl, args, selected, healthByConnector, a
     if (selected.includes('paddle')) {
         while (true) {
             clearTerminal();
-            await guidePaddleConnector(rl, secrets);
+            paddleAccounts = await guidePaddleConnector(rl, secrets);
             const check = await runImmediateConnectorHealthCheck({
                 rl,
                 configPath: args.config,
                 connector: 'paddle',
                 secrets,
+                paddleAccounts,
             });
             if (!check.retry)
                 break;
@@ -3960,13 +4395,16 @@ async function runConnectorSetupSteps({ rl, args, selected, healthByConnector, a
     if (selected.includes('asc')) {
         while (true) {
             clearTerminal();
-            await guideAscConnector(rl, secrets);
-            const check = await runImmediateConnectorHealthCheck({
+            const ascSetup = await guideAscConnector(rl, secrets);
+            let bootstrapEnv = ascSetup?.bootstrapEnv || {};
+            let check = await runImmediateConnectorHealthCheck({
                 rl,
                 configPath: args.config,
                 connector: 'asc',
                 secrets,
+                runtimeEnv: bootstrapEnv,
             });
+            await cleanupTemporaryAscBootstrapPrivateKey(bootstrapEnv);
             if (!check.retry)
                 break;
         }
@@ -3974,8 +4412,8 @@ async function runConnectorSetupSteps({ rl, args, selected, healthByConnector, a
     for (const connector of selected.filter(isAccountSignalConnector)) {
         while (true) {
             clearTerminal();
-            await guideAccountSignalConnector(rl, secrets, connector);
-            await upsertAccountSignalConnectorConfig(args.config, connector);
+            const accountSignalAccounts = await guideAccountSignalConnector(rl, secrets, connector);
+            await upsertAccountSignalConnectorConfig(args.config, connector, accountSignalAccounts);
             const check = await runImmediateConnectorHealthCheck({
                 rl,
                 configPath: args.config,
@@ -4002,13 +4440,16 @@ async function runConnectorSetupSteps({ rl, args, selected, healthByConnector, a
             process.stdout.write(`Configured ${sentryAccounts.length} Sentry-compatible account(s) in ${args.config}.\n`);
         }
     }
+    if (paddleAccounts.length > 0 && await upsertPaddleAccountsConfig(args.config, paddleAccounts)) {
+        const readiness = await verifyPaddleAccountsConfig(args.config, paddleAccounts);
+        if (readiness.ok) {
+            process.stdout.write(`Configured ${paddleAccounts.length} Paddle account(s) in ${args.config}.\n`);
+        }
+    }
     if (coolifyConfig?.baseUrl && await upsertCoolifyConfig(args.config, coolifyConfig)) {
         process.stdout.write(`Configured Coolify monitoring for ${coolifyConfig.baseUrl} in ${args.config}.\n`);
     }
-    const env = {
-        ...process.env,
-        ...secrets,
-    };
+    const env = mergeRuntimeEnv(secrets, selected.includes('asc') ? { ASC_BYPASS_KEYCHAIN: '1' } : {});
     const command = `${nodeRuntimeScriptCommand('openclaw-growth-start.mjs')} --config ${quote(args.config)} --setup-only --connectors ${quote(selected.join(','))} --only-connectors ${quote(selected.join(','))}`;
     let setupResult = await runSetupCommandWithProgress(command, env, selected, 'Testing connector setup...');
     let setupPayload = parseJsonFromStdout(setupResult.stdout);
@@ -4026,6 +4467,19 @@ async function runConnectorSetupSteps({ rl, args, selected, healthByConnector, a
             });
         }
     }
+    if (paddleAccounts.length > 0 && await upsertPaddleAccountsConfig(args.config, paddleAccounts)) {
+        const readiness = await verifyPaddleAccountsConfig(args.config, paddleAccounts);
+        if (readiness.ok) {
+            process.stdout.write(`Paddle account config is up to date in ${args.config}.\n`);
+        }
+        else {
+            postSetupBlockers.push({
+                check: 'connection:paddle',
+                detail: readiness.detail,
+                remediation: 'Rerun Paddle setup so the active config persists sources.paddle.enabled=true and sources.paddle.accounts[].',
+            });
+        }
+    }
     if (coolifyConfig?.baseUrl && await upsertCoolifyConfig(args.config, coolifyConfig)) {
         process.stdout.write(`Coolify config is up to date in ${args.config}.\n`);
     }