@botcord/daemon 0.2.16 → 0.2.17

package/dist/agent-discovery.d.ts

@@ -49,6 +49,12 @@ export interface DiscoveryFs {
 export interface DiscoveryOptions extends DiscoveryFs {
     /** Directory to scan. Defaults to {@link DEFAULT_CREDENTIALS_DIR}. */
     credentialsDir?: string;
+    /**
+     * Optional daemon target Hub. When set, auto-discovered credentials whose
+     * hubUrl points at a different host are skipped so preview/prod identities
+     * are not mixed by accident.
+     */
+    expectedHubUrl?: string;
 }
 /**
  * Scan the credentials directory and return one entry per valid BotCord

package/dist/agent-discovery.js

@@ -66,6 +66,10 @@ export function discoverAgentCredentials(opts = {}) {
             warnings.push(`credentials at ${file} missing agentId; skipped`);
             continue;
         }
+        if (opts.expectedHubUrl && !sameHubHost(creds.hubUrl, opts.expectedHubUrl)) {
+            warnings.push(`credential skipped: hubUrl does not match daemon environment (${file})`);
+            continue;
+        }
         const existing = byAgent.get(creds.agentId);
         if (!existing) {
             byAgent.set(creds.agentId, { creds, credentialsFile: file, mtimeMs });
@@ -116,6 +120,16 @@ export function discoverAgentCredentials(opts = {}) {
 function errMsg(err) {
     return err instanceof Error ? err.message : String(err);
 }
+function sameHubHost(a, b) {
+    if (!a || !b)
+        return true;
+    try {
+        return new URL(a).host === new URL(b).host;
+    }
+    catch {
+        return true;
+    }
+}
 /**
  * Resolve the list of agents the daemon should bind at boot.
  *

package/dist/daemon.js

@@ -116,11 +116,15 @@ function buildDaemonLogger() {
  */
 export async function startDaemon(opts) {
     const logger = opts.log ?? buildDaemonLogger();
+    const userAuth = opts.userAuth === undefined
+        ? tryLoadUserAuth(logger)
+        : opts.userAuth;
+    const expectedHubUrl = opts.hubBaseUrl ?? userAuth?.current?.hubUrl;
     // Resolve boot agents: explicit `agents` config wins; otherwise scan the
     // credentials directory. A zero-agent result is valid in P1 — the daemon
     // still starts with zero channels so operators can drop credentials in
     // and restart without re-running `init`.
-    const boot = opts.bootAgents ?? resolveBootAgents(opts.config);
+    const boot = opts.bootAgents ?? resolveBootAgents(opts.config, { expectedHubUrl });
     for (const w of boot.warnings) {
         logger.warn("daemon.discovery.warning", { message: w });
     }
@@ -316,9 +320,6 @@ export async function startDaemon(opts) {
     // when user-auth hasn't been set up yet. Operators can `login` later
     // without restarting, but for P0 we require a restart to pick it up.
     let controlChannel = null;
-    const userAuth = opts.userAuth === undefined
-        ? tryLoadUserAuth(logger)
-        : opts.userAuth;
     if (userAuth?.current && !opts.disableControlChannel) {
         logger.info("control-channel: enabling", {
             userId: userAuth.current.userId,

package/dist/openclaw-discovery.js

@@ -4,34 +4,23 @@ import path from "node:path";
 import { log as daemonLog } from "./log.js";
 import { probeOpenclawAgents } from "./provision.js";
 const DEFAULT_SEARCH_PATHS = ["~/.openclaw/", "/etc/openclaw/"];
-const DEFAULT_PORTS = [18789];
+const DEFAULT_PORTS = [18789, 16200];
 export async function discoverLocalOpenclawGateways(opts = {}) {
     const found = [];
     for (const root of opts.searchPaths ?? DEFAULT_SEARCH_PATHS) {
         found.push(...discoverFromConfigDir(root));
     }
     const env = opts.env ?? process.env;
-    const envUrl = env.OPENCLAW_ACP_URL;
-    if (envUrl) {
-        const item = {
-            name: nameFromUrl(envUrl),
-            url: envUrl,
-            source: "env",
-        };
-        if (env.OPENCLAW_ACP_TOKEN)
-            item.token = env.OPENCLAW_ACP_TOKEN;
-        else if (env.OPENCLAW_ACP_TOKEN_FILE)
-            item.tokenFile = env.OPENCLAW_ACP_TOKEN_FILE;
-        found.push(item);
-    }
+    found.push(...discoverFromEnv(env));
+    const envAuth = pickOpenclawEnvAuth(env);
     const ports = opts.defaultPorts ?? DEFAULT_PORTS;
     if (ports.length > 0) {
         await Promise.all(ports.map(async (port) => {
             const url = `ws://127.0.0.1:${port}`;
             try {
-                const res = await probeOpenclawAgents({ url }, { probe: opts.probe, timeoutMs: opts.timeoutMs });
+                const res = await probeOpenclawAgents({ url, ...envAuth }, { probe: opts.probe, timeoutMs: opts.timeoutMs });
                 if (res.ok) {
-                    found.push({ name: nameFromUrl(url), url, source: "default-port" });
+                    found.push({ name: nameFromUrl(url), url, source: "default-port", ...envAuth });
                 }
             }
             catch (err) {
@@ -44,6 +33,45 @@ export async function discoverLocalOpenclawGateways(opts = {}) {
     }
     return dedupeDiscovered(found);
 }
+function discoverFromEnv(env) {
+    const url = pickEnv(env, "OPENCLAW_ACP_URL") ??
+        pickEnv(env, "OPENCLAW_GATEWAY_URL") ??
+        urlFromGatewayPort(env);
+    if (!url)
+        return [];
+    return [
+        {
+            name: nameFromUrl(url),
+            url,
+            source: "env",
+            ...pickOpenclawEnvAuth(env),
+        },
+    ];
+}
+function pickOpenclawEnvAuth(env) {
+    const token = pickEnv(env, "OPENCLAW_ACP_TOKEN") ?? pickEnv(env, "OPENCLAW_GATEWAY_TOKEN");
+    if (token)
+        return { token };
+    const tokenFile = pickEnv(env, "OPENCLAW_ACP_TOKEN_FILE") ?? pickEnv(env, "OPENCLAW_GATEWAY_TOKEN_FILE");
+    if (tokenFile)
+        return { tokenFile };
+    return {};
+}
+function urlFromGatewayPort(env) {
+    const raw = pickEnv(env, "OPENCLAW_GATEWAY_PORT");
+    if (!raw)
+        return undefined;
+    const port = Number(raw);
+    if (!Number.isInteger(port) || port <= 0 || port > 65535)
+        return undefined;
+    return `ws://127.0.0.1:${port}`;
+}
+function pickEnv(env, key) {
+    const value = env[key];
+    if (typeof value === "string" && value.trim())
+        return value.trim();
+    return undefined;
+}
 export function mergeOpenclawGateways(cfg, found) {
     const existing = cfg.openclawGateways ?? [];
     const byUrl = new Map();

package/dist/provision.js

@@ -534,6 +534,17 @@ export async function adoptDiscoveredOpenclawAgents(ctx) {
         failed: [],
     };
     for (const gw of cfg.openclawGateways ?? []) {
+        if (localOpenclawAcpDisabled(gw.url)) {
+            result.skipped.push({
+                gateway: gw.name,
+                reason: "acp_disabled",
+            });
+            daemonLog.warn("openclaw discovery: gateway found but ACP runtime disabled", {
+                gateway: gw.name,
+                url: gw.url,
+            });
+            continue;
+        }
         let probeResult;
         try {
             probeResult = await probeOpenclawAgents(gw, {
@@ -611,6 +622,20 @@ export async function adoptDiscoveredOpenclawAgents(ctx) {
     }
     return result;
 }
+function localOpenclawAcpDisabled(rawUrl) {
+    if (!isLoopbackUrl(rawUrl))
+        return false;
+    try {
+        const file = path.join(homedir(), ".openclaw", "openclaw.json");
+        if (!existsSync(file))
+            return false;
+        const cfg = JSON.parse(readFileSync(file, "utf8"));
+        return cfg?.acp?.enabled === false;
+    }
+    catch {
+        return false;
+    }
+}
 async function revokeAgent(params, ctx) {
     if (!params.agentId) {
         throw new Error("revoke_agent requires params.agentId");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botcord/daemon",
-  "version": "0.2.16",
+  "version": "0.2.17",
   "description": "BotCord local daemon — bridges Hub inbox push to local Claude Code / Codex / Gemini CLIs",
   "type": "module",
   "bin": {

package/src/__tests__/agent-discovery.test.ts

@@ -159,6 +159,44 @@ describe("resolveBootAgents", () => {
     expect(res.agents[0].credentialsFile).toBe("/creds/x.json");
   });
 
+  it("skips discovered credentials from a different Hub host", () => {
+    const res = resolveBootAgents(cfg(), {
+      credentialsDir: "/creds",
+      expectedHubUrl: "https://api.preview.botcord.chat",
+      readDir: () => ["prod.json", "preview.json"],
+      stat: () => fakeStat(1),
+      loadCredentials: (f) =>
+        f.endsWith("prod.json")
+          ? fakeCreds("ag_prod", { hubUrl: "https://api.botcord.chat" })
+          : fakeCreds("ag_preview", { hubUrl: "https://api.preview.botcord.chat" }),
+    });
+
+    expect(res.source).toBe("credentials");
+    expect(res.agents.map((a) => a.agentId)).toEqual(["ag_preview"]);
+    expect(res.warnings).toEqual([
+      "credential skipped: hubUrl does not match daemon environment (/creds/prod.json)",
+    ]);
+  });
+
+  it("filters by Hub host before resolving duplicate agentIds", () => {
+    const res = resolveBootAgents(cfg(), {
+      credentialsDir: "/creds",
+      expectedHubUrl: "https://api.preview.botcord.chat",
+      readDir: () => ["preview.json", "prod.json"],
+      stat: (p) => (p.endsWith("prod.json") ? fakeStat(200) : fakeStat(100)),
+      loadCredentials: (f) =>
+        f.endsWith("prod.json")
+          ? fakeCreds("ag_same", { hubUrl: "https://api.botcord.chat" })
+          : fakeCreds("ag_same", { hubUrl: "https://api.preview.botcord.chat" }),
+    });
+
+    expect(res.agents.map((a) => a.agentId)).toEqual(["ag_same"]);
+    expect(res.agents[0].credentialsFile).toBe("/creds/preview.json");
+    expect(res.warnings).toEqual([
+      "credential skipped: hubUrl does not match daemon environment (/creds/prod.json)",
+    ]);
+  });
+
   it("returns an empty agent list (not a throw) when discovery finds nothing", () => {
     const res = resolveBootAgents(cfg(), {
       credentialsDir: "/creds",

package/src/__tests__/openclaw-discovery.test.ts

@@ -3,6 +3,7 @@ import { tmpdir } from "node:os";
 import path from "node:path";
 import { afterEach, describe, expect, it, vi } from "vitest";
 import {
+  defaultOpenclawDiscoveryPorts,
   discoverLocalOpenclawGateways,
   mergeOpenclawGateways,
 } from "../openclaw-discovery.js";
@@ -108,6 +109,69 @@ describe("discoverLocalOpenclawGateways", () => {
     ]);
   });
 
+  it("uses OPENCLAW_GATEWAY_URL and gateway token env vars", async () => {
+    const found = await discoverLocalOpenclawGateways({
+      searchPaths: [],
+      defaultPorts: [],
+      env: {
+        OPENCLAW_GATEWAY_URL: "ws://127.0.0.1:16200",
+        OPENCLAW_GATEWAY_TOKEN: "gateway-token",
+      },
+    });
+
+    expect(found).toEqual([
+      expect.objectContaining({
+        url: "ws://127.0.0.1:16200",
+        token: "gateway-token",
+        source: "env",
+      }),
+    ]);
+  });
+
+  it("builds gateway URL from OPENCLAW_GATEWAY_PORT", async () => {
+    const found = await discoverLocalOpenclawGateways({
+      searchPaths: [],
+      defaultPorts: [],
+      env: {
+        OPENCLAW_GATEWAY_PORT: "16200",
+        OPENCLAW_GATEWAY_TOKEN: "gateway-token",
+      },
+    });
+
+    expect(found).toEqual([
+      expect.objectContaining({
+        url: "ws://127.0.0.1:16200",
+        token: "gateway-token",
+        source: "env",
+      }),
+    ]);
+  });
+
+  it("prefers OPENCLAW_ACP env vars over OPENCLAW_GATEWAY env vars", async () => {
+    const found = await discoverLocalOpenclawGateways({
+      searchPaths: [],
+      defaultPorts: [],
+      env: {
+        OPENCLAW_ACP_URL: "ws://127.0.0.1:18888",
+        OPENCLAW_ACP_TOKEN: "acp-token",
+        OPENCLAW_GATEWAY_URL: "ws://127.0.0.1:16200",
+        OPENCLAW_GATEWAY_TOKEN: "gateway-token",
+      },
+    });
+
+    expect(found).toEqual([
+      expect.objectContaining({
+        url: "ws://127.0.0.1:18888",
+        token: "acp-token",
+        source: "env",
+      }),
+    ]);
+  });
+
+  it("includes 16200 in default discovery ports", () => {
+    expect(defaultOpenclawDiscoveryPorts()).toEqual(expect.arrayContaining([18789, 16200]));
+  });
+
   it("adds default-port candidates only when the probe succeeds", async () => {
     const probe = vi.fn<WsEndpointProbeFn>(async ({ url }) => ({
       ok: url.includes("18789"),
@@ -125,6 +189,37 @@ describe("discoverLocalOpenclawGateways", () => {
     expect(found.map((g) => g.url)).toEqual(["ws://127.0.0.1:18789"]);
   });
 
+  it("attaches gateway token fallback to default-port discovery", async () => {
+    const probe = vi.fn<WsEndpointProbeFn>(async () => ({
+      ok: true,
+      agents: [],
+    }));
+
+    const found = await discoverLocalOpenclawGateways({
+      searchPaths: [],
+      defaultPorts: [16200],
+      probe,
+      timeoutMs: 10,
+      env: {
+        OPENCLAW_GATEWAY_TOKEN: "gateway-token",
+      },
+    });
+
+    expect(probe).toHaveBeenCalledWith(
+      expect.objectContaining({
+        url: "ws://127.0.0.1:16200",
+        token: "gateway-token",
+      }),
+    );
+    expect(found).toEqual([
+      expect.objectContaining({
+        url: "ws://127.0.0.1:16200",
+        token: "gateway-token",
+        source: "default-port",
+      }),
+    ]);
+  });
+
   it("prefers config-file auth details over lower-priority duplicate sources", async () => {
     const dir = tempDir();
     writeFileSync(

package/src/__tests__/provision.test.ts

@@ -887,6 +887,56 @@ describe("adoptDiscoveredOpenclawAgents", () => {
     });
   });
 
+  it("skips auto-adopt when local OpenClaw ACP is explicitly disabled", async () => {
+    await withSandboxHome(async ({ tmp, fs, path: nodePath }) => {
+      const credDir = nodePath.join(tmp, ".botcord", "credentials");
+      fs.mkdirSync(credDir, { recursive: true });
+      fs.writeFileSync(
+        nodePath.join(credDir, "ag_seed.json"),
+        JSON.stringify({
+          version: 1,
+          hubUrl: "https://hub.example",
+          agentId: "ag_seed",
+          keyId: "k_seed",
+          privateKey: Buffer.alloc(32, 8).toString("base64"),
+          savedAt: new Date().toISOString(),
+        }),
+      );
+      const openclawDir = nodePath.join(tmp, ".openclaw");
+      fs.mkdirSync(openclawDir, { recursive: true });
+      fs.writeFileSync(
+        nodePath.join(openclawDir, "openclaw.json"),
+        JSON.stringify({ acp: { enabled: false } }),
+      );
+      mockState.cfg = {
+        defaultRoute: { adapter: "claude-code", cwd: "/tmp" },
+        routes: [],
+        streamBlocks: true,
+        agents: ["ag_seed"],
+        openclawGateways: [{ name: "local", url: "ws://127.0.0.1:18789" }],
+      };
+      const register = vi.fn();
+      const probe = vi.fn<Parameters<typeof adoptDiscoveredOpenclawAgents>[0]["probe"]>(
+        async () => ({ ok: true, agents: [{ id: "main" }] }),
+      );
+
+      const res = await adoptDiscoveredOpenclawAgents({
+        gateway: makeFakeGateway(["ag_seed"]) as unknown as Parameters<typeof adoptDiscoveredOpenclawAgents>[0]["gateway"],
+        register: register as unknown as Parameters<typeof adoptDiscoveredOpenclawAgents>[0]["register"],
+        cfg: mockState.cfg as unknown as DaemonConfig,
+        probe,
+      });
+
+      expect(res).toEqual({
+        adopted: [],
+        skipped: [{ gateway: "local", reason: "acp_disabled" }],
+        failed: [],
+      });
+      expect(probe).not.toHaveBeenCalled();
+      expect(register).not.toHaveBeenCalled();
+    });
+  });
+
   it("uses the OpenClaw workspace identity name when agents.list has no name", async () => {
     await withSandboxHome(async ({ tmp, fs, path: nodePath }) => {
       const credDir = nodePath.join(tmp, ".botcord", "credentials");

package/src/agent-discovery.ts

@@ -66,6 +66,12 @@ export interface DiscoveryFs {
 export interface DiscoveryOptions extends DiscoveryFs {
   /** Directory to scan. Defaults to {@link DEFAULT_CREDENTIALS_DIR}. */
   credentialsDir?: string;
+  /**
+   * Optional daemon target Hub. When set, auto-discovered credentials whose
+   * hubUrl points at a different host are skipped so preview/prod identities
+   * are not mixed by accident.
+   */
+  expectedHubUrl?: string;
 }
 
 /**
@@ -137,6 +143,12 @@ export function discoverAgentCredentials(
       warnings.push(`credentials at ${file} missing agentId; skipped`);
       continue;
     }
+    if (opts.expectedHubUrl && !sameHubHost(creds.hubUrl, opts.expectedHubUrl)) {
+      warnings.push(
+        `credential skipped: hubUrl does not match daemon environment (${file})`,
+      );
+      continue;
+    }
 
     const existing = byAgent.get(creds.agentId);
     if (!existing) {
@@ -188,6 +200,15 @@ function errMsg(err: unknown): string {
   return err instanceof Error ? err.message : String(err);
 }
 
+function sameHubHost(a: string | undefined, b: string | undefined): boolean {
+  if (!a || !b) return true;
+  try {
+    return new URL(a).host === new URL(b).host;
+  } catch {
+    return true;
+  }
+}
+
 /** Result of composing explicit config + discovery into the final boot list. */
 export interface BootAgentsResult {
   /** Ordered list of agents the daemon should bind channels for. */

package/src/daemon.ts

@@ -217,12 +217,17 @@ function buildDaemonLogger(): GatewayLogger {
  */
 export async function startDaemon(opts: DaemonRuntimeOptions): Promise<DaemonHandle> {
   const logger = opts.log ?? buildDaemonLogger();
+  const userAuth =
+    opts.userAuth === undefined
+      ? tryLoadUserAuth(logger)
+      : opts.userAuth;
+  const expectedHubUrl = opts.hubBaseUrl ?? userAuth?.current?.hubUrl;
 
   // Resolve boot agents: explicit `agents` config wins; otherwise scan the
   // credentials directory. A zero-agent result is valid in P1 — the daemon
   // still starts with zero channels so operators can drop credentials in
   // and restart without re-running `init`.
-  const boot = opts.bootAgents ?? resolveBootAgents(opts.config);
+  const boot = opts.bootAgents ?? resolveBootAgents(opts.config, { expectedHubUrl });
   for (const w of boot.warnings) {
     logger.warn("daemon.discovery.warning", { message: w });
   }
@@ -455,10 +460,6 @@ export async function startDaemon(opts: DaemonRuntimeOptions): Promise<DaemonHan
   // when user-auth hasn't been set up yet. Operators can `login` later
   // without restarting, but for P0 we require a restart to pick it up.
   let controlChannel: ControlChannel | null = null;
-  const userAuth =
-    opts.userAuth === undefined
-      ? tryLoadUserAuth(logger)
-      : opts.userAuth;
   if (userAuth?.current && !opts.disableControlChannel) {
     logger.info("control-channel: enabling", {
       userId: userAuth.current.userId,

package/src/openclaw-discovery.ts

@@ -30,7 +30,7 @@ export interface MergeOpenclawGatewayResult {
 }
 
 const DEFAULT_SEARCH_PATHS = ["~/.openclaw/", "/etc/openclaw/"];
-const DEFAULT_PORTS = [18789];
+const DEFAULT_PORTS = [18789, 16200];
 
 export async function discoverLocalOpenclawGateways(
   opts: OpenclawGatewayDiscoveryOptions = {},
@@ -41,17 +41,8 @@ export async function discoverLocalOpenclawGateways(
   }
 
   const env = opts.env ?? process.env;
-  const envUrl = env.OPENCLAW_ACP_URL;
-  if (envUrl) {
-    const item: DiscoveredOpenclawGateway = {
-      name: nameFromUrl(envUrl),
-      url: envUrl,
-      source: "env",
-    };
-    if (env.OPENCLAW_ACP_TOKEN) item.token = env.OPENCLAW_ACP_TOKEN;
-    else if (env.OPENCLAW_ACP_TOKEN_FILE) item.tokenFile = env.OPENCLAW_ACP_TOKEN_FILE;
-    found.push(item);
-  }
+  found.push(...discoverFromEnv(env));
+  const envAuth = pickOpenclawEnvAuth(env);
 
   const ports = opts.defaultPorts ?? DEFAULT_PORTS;
   if (ports.length > 0) {
@@ -60,11 +51,11 @@ export async function discoverLocalOpenclawGateways(
         const url = `ws://127.0.0.1:${port}`;
         try {
           const res = await probeOpenclawAgents(
-            { url },
+            { url, ...envAuth },
             { probe: opts.probe, timeoutMs: opts.timeoutMs },
           );
           if (res.ok) {
-            found.push({ name: nameFromUrl(url), url, source: "default-port" });
+            found.push({ name: nameFromUrl(url), url, source: "default-port", ...envAuth });
           }
         } catch (err) {
           daemonLog.debug("openclaw discovery default-port probe failed", {
@@ -79,6 +70,46 @@ export async function discoverLocalOpenclawGateways(
   return dedupeDiscovered(found);
 }
 
+function discoverFromEnv(env: NodeJS.ProcessEnv): DiscoveredOpenclawGateway[] {
+  const url =
+    pickEnv(env, "OPENCLAW_ACP_URL") ??
+    pickEnv(env, "OPENCLAW_GATEWAY_URL") ??
+    urlFromGatewayPort(env);
+  if (!url) return [];
+
+  return [
+    {
+      name: nameFromUrl(url),
+      url,
+      source: "env",
+      ...pickOpenclawEnvAuth(env),
+    },
+  ];
+}
+
+function pickOpenclawEnvAuth(env: NodeJS.ProcessEnv): { token?: string; tokenFile?: string } {
+  const token = pickEnv(env, "OPENCLAW_ACP_TOKEN") ?? pickEnv(env, "OPENCLAW_GATEWAY_TOKEN");
+  if (token) return { token };
+  const tokenFile =
+    pickEnv(env, "OPENCLAW_ACP_TOKEN_FILE") ?? pickEnv(env, "OPENCLAW_GATEWAY_TOKEN_FILE");
+  if (tokenFile) return { tokenFile };
+  return {};
+}
+
+function urlFromGatewayPort(env: NodeJS.ProcessEnv): string | undefined {
+  const raw = pickEnv(env, "OPENCLAW_GATEWAY_PORT");
+  if (!raw) return undefined;
+  const port = Number(raw);
+  if (!Number.isInteger(port) || port <= 0 || port > 65535) return undefined;
+  return `ws://127.0.0.1:${port}`;
+}
+
+function pickEnv(env: NodeJS.ProcessEnv, key: string): string | undefined {
+  const value = env[key];
+  if (typeof value === "string" && value.trim()) return value.trim();
+  return undefined;
+}
+
 export function mergeOpenclawGateways(
   cfg: DaemonConfig,
   found: DiscoveredOpenclawGateway[],

package/src/provision.ts

@@ -667,6 +667,17 @@ export async function adoptDiscoveredOpenclawAgents(ctx: {
     failed: [],
   };
   for (const gw of cfg.openclawGateways ?? []) {
+    if (localOpenclawAcpDisabled(gw.url)) {
+      result.skipped.push({
+        gateway: gw.name,
+        reason: "acp_disabled",
+      });
+      daemonLog.warn("openclaw discovery: gateway found but ACP runtime disabled", {
+        gateway: gw.name,
+        url: gw.url,
+      });
+      continue;
+    }
     let probeResult: Awaited<ReturnType<typeof probeOpenclawAgents>>;
     try {
       probeResult = await probeOpenclawAgents(gw, {
@@ -743,6 +754,18 @@ export async function adoptDiscoveredOpenclawAgents(ctx: {
   return result;
 }
 
+function localOpenclawAcpDisabled(rawUrl: string): boolean {
+  if (!isLoopbackUrl(rawUrl)) return false;
+  try {
+    const file = path.join(homedir(), ".openclaw", "openclaw.json");
+    if (!existsSync(file)) return false;
+    const cfg = JSON.parse(readFileSync(file, "utf8")) as any;
+    return cfg?.acp?.enabled === false;
+  } catch {
+    return false;
+  }
+}
+
 async function revokeAgent(
   params: RevokeAgentParams,
   ctx: { gateway: Gateway },