@botcord/daemon 0.2.28 → 0.2.30

package/dist/agent-workspace.d.ts

@@ -54,6 +54,14 @@ export declare function ensureAgentHermesWorkspace(agentId: string, opts?: {
     hermesHome: string;
     hermesWorkspace: string;
 };
+/**
+ * Seed BotCord's bundled Hermes skills into a user-owned Hermes profile used
+ * by attach mode. Unlike `ensureAgentHermesWorkspace({ attached: true })`,
+ * this intentionally writes only the managed `botcord*` skill directories
+ * under the profile's `skills/` directory; it does not touch `.env`,
+ * `config.yaml`, sessions, or any user-authored skills.
+ */
+export declare function ensureAttachedHermesProfileSkills(profileHome: string): void;
 /**
  * Idempotently create the agent's home / workspace / state directories and
  * seed the workspace Markdown files. Existing files are never overwritten —

package/dist/agent-workspace.js

@@ -334,8 +334,8 @@ export function ensureAgentHermesWorkspace(agentId, opts = {}) {
     // Attach mode: HERMES_HOME points at the user's `~/.hermes/profiles/<n>/`
     // so we MUST NOT touch the per-agent isolated home. The cwd
     // (`hermesWorkspace`) is still ours and `prepareTurn` writes AGENTS.md
-    // there — that's the only thing the daemon is allowed to author when
-    // attached to a user-owned profile.
+    // there. Profile-owned skill seeding is handled separately by
+    // `ensureAttachedHermesProfileSkills`.
     if (opts.attached) {
         return { hermesHome, hermesWorkspace };
     }
@@ -420,6 +420,16 @@ function seedCodexSkills(codexHome) {
 function seedHermesAgentSkills(hermesHome) {
     copyBundledSkills(path.join(hermesHome, "skills"));
 }
+/**
+ * Seed BotCord's bundled Hermes skills into a user-owned Hermes profile used
+ * by attach mode. Unlike `ensureAgentHermesWorkspace({ attached: true })`,
+ * this intentionally writes only the managed `botcord*` skill directories
+ * under the profile's `skills/` directory; it does not touch `.env`,
+ * `config.yaml`, sessions, or any user-authored skills.
+ */
+export function ensureAttachedHermesProfileSkills(profileHome) {
+    seedHermesAgentSkills(profileHome);
+}
 /**
  * Idempotently create the agent's home / workspace / state directories and
  * seed the workspace Markdown files. Existing files are never overwritten —

package/dist/gateway/runtimes/claude-code.js

@@ -88,22 +88,13 @@ export class ClaudeCodeAdapter extends NdjsonStreamAdapter {
             args.push("--resume", opts.sessionId);
         }
         // Permission-mode policy:
-        //  - owner: bypassPermissions (owner fully trusts their own agent; daemon
-        //    has no authorization-relay UI yet, so any other mode causes Bash /
-        //    WebFetch / MCP tool calls to deadlock waiting for a prompt that
-        //    never reaches the user — see issue #332 for the planned MCP-bridge
-        //    relay that will let us tighten this back up).
-        //  - non-owner (trusted/public): default (let Claude Code prompt / reject
-        //    per its own rules — we must NOT auto-bypass for agents the operator
-        //    doesn't own).
-        // `extraArgs` still wins — operators who know what they're doing can override either.
+        // Daemon-driven Claude Code runs are non-interactive. Any mode that waits
+        // for a local permission prompt can deadlock tool use (Bash / WebFetch /
+        // MCP) because there is no prompt relay back to the user yet. Default to
+        // bypassPermissions for every trust tier; operators who need a stricter
+        // posture can still override with route/defaultRoute extraArgs.
         if (!opts.extraArgs?.some((a) => a.startsWith("--permission-mode"))) {
-            if (opts.trustLevel === "owner") {
-                args.push("--permission-mode", "bypassPermissions");
-            }
-            else {
-                args.push("--permission-mode", "default");
-            }
+            args.push("--permission-mode", "bypassPermissions");
         }
         // Claude Code's `--append-system-prompt` is applied per invocation and NOT
         // persisted in the resumed session transcript — ideal for memory / digest

package/dist/gateway/runtimes/codex.js

@@ -159,8 +159,12 @@ export class CodexAdapter extends NdjsonStreamAdapter {
         // Sandbox / approval policy. Expressed as `-c` overrides because
         // `codex exec resume` rejects `-s` / `--full-auto`. `-c` works on both
         // the fresh `exec` and `exec resume` paths.
-        //  - owner turn: bypass approvals + sandbox (owner trusts their agent)
-        //  - non-owner turn: `workspace-write` sandbox + on-request approvals
+        //
+        // Daemon-driven Codex runs are non-interactive. Any mode that waits for a
+        // local approval prompt can deadlock tool use because there is no prompt
+        // relay back to the user yet. Default to bypassing both approvals and the
+        // sandbox for every trust tier; operators who need a stricter posture can
+        // still override with route/defaultRoute extraArgs.
         const hasSandboxOverride = opts.extraArgs?.some((a) => a === "-s" ||
             a.startsWith("--sandbox") ||
             a === "--full-auto" ||
@@ -168,12 +172,7 @@ export class CodexAdapter extends NdjsonStreamAdapter {
             a.startsWith("-c sandbox_mode=") ||
             a.startsWith("-csandbox_mode=")) ?? false;
         if (!hasSandboxOverride) {
-            if (opts.trustLevel === "owner") {
-                tail.push("-c", 'sandbox_mode="danger-full-access"', "-c", 'approval_policy="never"');
-            }
-            else {
-                tail.push("-c", 'sandbox_mode="workspace-write"', "-c", 'approval_policy="on-request"');
-            }
+            tail.push("-c", 'sandbox_mode="danger-full-access"', "-c", 'approval_policy="never"');
         }
         tail.push("--skip-git-repo-check", "--json");
         if (opts.extraArgs?.length)

package/dist/gateway/runtimes/hermes-agent.js

@@ -1,7 +1,7 @@
 import { existsSync, mkdirSync, readdirSync, readFileSync, renameSync, statSync, writeFileSync } from "node:fs";
 import { homedir } from "node:os";
 import path from "node:path";
-import { agentHermesHomeDir, agentHermesWorkspaceDir, ensureAgentHermesWorkspace, } from "../../agent-workspace.js";
+import { agentHermesHomeDir, agentHermesWorkspaceDir, ensureAttachedHermesProfileSkills, ensureAgentHermesWorkspace, } from "../../agent-workspace.js";
 import { buildCliEnv } from "../cli-resolver.js";
 import { AcpRuntimeAdapter, } from "./acp-stream.js";
 import { firstExistingPath, readCommandVersion, resolveCommandOnPath, resolveHomePath, } from "./probe.js";
@@ -234,9 +234,10 @@ export class HermesAgentAdapter extends AcpRuntimeAdapter {
         };
         // Attach mode: BotCord agent shares a hermes profile (state.db /
         // sessions / skills / .env) with the user's command-line `hermes`. In
-        // this mode we DO NOT seed a private home — the profile is wholly owned
-        // by the user, and AGENTS.md is written under the per-agent
-        // hermes-workspace cwd (NOT into the profile root) by `prepareTurn`.
+        // this mode we DO NOT seed a private home — AGENTS.md is written under
+        // the per-agent hermes-workspace cwd (NOT into the profile root) by
+        // `prepareTurn`, while bundled BotCord skills are installed into the
+        // attached profile's `skills/` directory so hermes can discover them.
         if (opts.hermesProfile) {
             env.HERMES_HOME = hermesProfileHomeDir(opts.hermesProfile);
         }
@@ -262,6 +263,9 @@ export class HermesAgentAdapter extends AcpRuntimeAdapter {
         const { hermesWorkspace } = ensureAgentHermesWorkspace(opts.accountId, {
             attached: !!opts.hermesProfile,
         });
+        if (opts.hermesProfile) {
+            ensureAttachedHermesProfileSkills(hermesProfileHomeDir(opts.hermesProfile));
+        }
         const target = path.join(hermesWorkspace, "AGENTS.md");
         const tmp = path.join(hermesWorkspace, `.AGENTS.md.${process.pid}.tmp`);
         mkdirSync(hermesWorkspace, { recursive: true, mode: 0o700 });

package/dist/provision.d.ts

@@ -115,6 +115,9 @@ export type WsEndpointProbeFn = (args: {
             name?: string;
             provider?: string;
         };
+        botcordBinding?: {
+            agentId: string;
+        };
     }>;
     error?: string;
 }>;

package/dist/provision.js

@@ -10,7 +10,7 @@ import path from "node:path";
 import { BotCordClient, CONTROL_FRAME_TYPES, defaultCredentialsFile, derivePublicKey, loadStoredCredentials, writeCredentialsFile, } from "@botcord/protocol-core";
 import { loadConfig, resolveConfiguredAgentIds, saveConfig, } from "./config.js";
 import { BOTCORD_CHANNEL_TYPE, buildManagedRoutes, prepareGatewayProfile, } from "./daemon-config-map.js";
-import { agentHomeDir, agentStateDir, agentWorkspaceDir, applyAgentIdentity, ensureAgentWorkspace, } from "./agent-workspace.js";
+import { agentHomeDir, agentStateDir, agentWorkspaceDir, applyAgentIdentity, ensureAttachedHermesProfileSkills, ensureAgentWorkspace, } from "./agent-workspace.js";
 import { detectRuntimes, getAdapterModule } from "./adapters/runtimes.js";
 import { hermesProfileHomeDir, isValidHermesProfileName, listHermesProfiles, } from "./gateway/runtimes/hermes-agent.js";
 import { log as daemonLog } from "./log.js";
@@ -285,6 +285,9 @@ async function installLocalAgent(credentials, ctx) {
             keyId: credentials.keyId,
             savedAt: credentials.savedAt,
         });
+        if (credentials.runtime === "hermes-agent" && credentials.hermesProfile) {
+            ensureAttachedHermesProfileSkills(hermesProfileHomeDir(credentials.hermesProfile));
+        }
     }
     catch (err) {
         try {
@@ -1454,7 +1457,7 @@ export async function collectRuntimeSnapshotAsync(opts = {}) {
                 entry.diagnostics = [{ code: "gateway_unreachable", message: res.error }];
             }
             if (res.agents)
-                entry.agents = res.agents;
+                entry.agents = annotateOpenclawAgentsWithBotcordBindings(g.name, res.agents);
             return entry;
         }
         catch (err) {
@@ -1473,6 +1476,27 @@ export async function collectRuntimeSnapshotAsync(opts = {}) {
     out.runtimes = base.runtimes.map((r) => r.id === "openclaw-acp" ? { ...r, endpoints } : r);
     return out;
 }
+function annotateOpenclawAgentsWithBotcordBindings(gateway, agents) {
+    const bindings = openclawBindingIndex();
+    return agents.map((agent) => {
+        const botcordAgentId = bindings.get(`${gateway}\0${agent.id}`);
+        if (!botcordAgentId)
+            return agent;
+        return { ...agent, botcordBinding: { agentId: botcordAgentId } };
+    });
+}
+function openclawBindingIndex() {
+    const out = new Map();
+    const discovered = discoverAgentCredentials({
+        credentialsDir: path.join(homedir(), ".botcord", "credentials"),
+    });
+    for (const agent of discovered.agents) {
+        if (!agent.openclawGateway || !agent.openclawAgent)
+            continue;
+        out.set(`${agent.openclawGateway}\0${agent.openclawAgent}`, agent.agentId);
+    }
+    return out;
+}
 /**
  * Reconcile every agent identity carried by the `hello.agents` snapshot
  * against the on-disk `identity.md`. Best-effort: a malformed entry or a

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botcord/daemon",
-  "version": "0.2.28",
+  "version": "0.2.30",
   "description": "BotCord local daemon — bridges Hub inbox push to local Claude Code / Codex / Gemini CLIs",
   "type": "module",
   "bin": {

package/src/__tests__/agent-workspace.test.ts

@@ -18,6 +18,7 @@ import {
   agentStateDir,
   agentWorkspaceDir,
   applyAgentIdentity,
+  ensureAttachedHermesProfileSkills,
   ensureAgentCodexHome,
   ensureAgentHermesWorkspace,
   ensureAgentWorkspace,
@@ -150,6 +151,23 @@ describe("ensureAgentWorkspace", () => {
     expect(reseeded).toContain("name: botcord");
   });
 
+  it("seeds bundled skills into an attached Hermes profile without creating private home state", () => {
+    const profileHome = path.join(tmpHome, ".hermes", "profiles", "coder");
+    mkdirSync(profileHome, { recursive: true });
+
+    const { hermesHome, hermesWorkspace } = ensureAgentHermesWorkspace("ag_hermes_attach", {
+      attached: true,
+    });
+    ensureAttachedHermesProfileSkills(profileHome);
+
+    expect(existsSync(path.join(profileHome, "skills", "botcord", "SKILL.md"))).toBe(true);
+    expect(existsSync(path.join(profileHome, "skills", "botcord-user-guide", "SKILL.md"))).toBe(
+      true,
+    );
+    expect(existsSync(hermesWorkspace)).toBe(true);
+    expect(existsSync(hermesHome)).toBe(false);
+  });
+
   it("does not overwrite a user-modified memory.md on a second call", () => {
     ensureAgentWorkspace("ag_keep", {});
     const memoryPath = path.join(agentWorkspaceDir("ag_keep"), "memory.md");

package/src/__tests__/provision.test.ts

@@ -1527,6 +1527,11 @@ describe("provision_agent hermes profile attach", () => {
       >;
       expect(saved.hermesProfile).toBe("coder");
       expect(saved.runtime).toBe("hermes-agent");
+      expect(
+        fs.existsSync(
+          nodePath.join(tmp, ".hermes", "profiles", "coder", "skills", "botcord", "SKILL.md"),
+        ),
+      ).toBe(true);
     });
   });
 

package/src/__tests__/runtime-discovery.test.ts

@@ -146,6 +146,54 @@ describe("collectRuntimeSnapshotAsync", () => {
     ]);
   });
 
+  it("marks OpenClaw agent profiles that already have a BotCord binding", async () => {
+    const tmp = mkdtempSync(path.join(tmpdir(), "daemon-runtime-binding-"));
+    const prevHome = process.env.HOME;
+    process.env.HOME = tmp;
+    try {
+      mkdirSync(path.join(tmp, ".botcord", "credentials"), { recursive: true });
+      writeFileSync(
+        path.join(tmp, ".botcord", "credentials", "ag_bound.json"),
+        JSON.stringify({
+          hubUrl: "https://api.preview.botcord.chat",
+          agentId: "ag_bound",
+          keyId: "kid_bound",
+          privateKey: Buffer.alloc(32, 1).toString("base64"),
+          runtime: "openclaw-acp",
+          openclawGateway: "local",
+          openclawAgent: "swe",
+        }),
+      );
+      setRuntimes([
+        {
+          id: "openclaw-acp",
+          displayName: "OpenClaw",
+          binary: "openclaw",
+          supportsRun: true,
+          result: { available: true },
+        },
+      ]);
+
+      const snap = await collectRuntimeSnapshotAsync({
+        cfg: { openclawGateways: [{ name: "local", url: "ws://127.0.0.1:18789" }] },
+        wsProbe: async () => ({
+          ok: true,
+          agents: [{ id: "default" }, { id: "swe", name: "SWE" }],
+        }),
+      });
+
+      const runtime = snap.runtimes.find((r) => r.id === "openclaw-acp");
+      expect(runtime?.endpoints?.[0]?.agents).toEqual([
+        { id: "default" },
+        { id: "swe", name: "SWE", botcordBinding: { agentId: "ag_bound" } },
+      ]);
+    } finally {
+      if (prevHome === undefined) delete process.env.HOME;
+      else process.env.HOME = prevHome;
+      rmSync(tmp, { recursive: true, force: true });
+    }
+  });
+
   it("reports acp_disabled without probing the gateway", async () => {
     const tmp = mkdtempSync(path.join(tmpdir(), "daemon-runtime-openclaw-"));
     const prevHome = process.env.HOME;

package/src/agent-workspace.ts

@@ -370,8 +370,8 @@ export function ensureAgentHermesWorkspace(
   // Attach mode: HERMES_HOME points at the user's `~/.hermes/profiles/<n>/`
   // so we MUST NOT touch the per-agent isolated home. The cwd
   // (`hermesWorkspace`) is still ours and `prepareTurn` writes AGENTS.md
-  // there — that's the only thing the daemon is allowed to author when
-  // attached to a user-owned profile.
+  // there. Profile-owned skill seeding is handled separately by
+  // `ensureAttachedHermesProfileSkills`.
   if (opts.attached) {
     return { hermesHome, hermesWorkspace };
   }
@@ -462,6 +462,17 @@ function seedHermesAgentSkills(hermesHome: string): void {
   copyBundledSkills(path.join(hermesHome, "skills"));
 }
 
+/**
+ * Seed BotCord's bundled Hermes skills into a user-owned Hermes profile used
+ * by attach mode. Unlike `ensureAgentHermesWorkspace({ attached: true })`,
+ * this intentionally writes only the managed `botcord*` skill directories
+ * under the profile's `skills/` directory; it does not touch `.env`,
+ * `config.yaml`, sessions, or any user-authored skills.
+ */
+export function ensureAttachedHermesProfileSkills(profileHome: string): void {
+  seedHermesAgentSkills(profileHome);
+}
+
 /**
  * Idempotently create the agent's home / workspace / state directories and
  * seed the workspace Markdown files. Existing files are never overwritten —

package/src/gateway/__tests__/claude-code-adapter.test.ts

@@ -263,7 +263,7 @@ process.stdout.write(JSON.stringify({type:"result", subtype:"success", session_i
       expect(argv[modeIdx + 1]).toBe("bypassPermissions");
     });
 
-    it("public → --permission-mode default", async () => {
+    it("public → --permission-mode bypassPermissions", async () => {
       const adapter = new ClaudeCodeAdapter({ binary: echoScript() });
       const ctrl = new AbortController();
       const res = await adapter.run({
@@ -277,10 +277,10 @@ process.stdout.write(JSON.stringify({type:"result", subtype:"success", session_i
       const argv = JSON.parse(res.text) as string[];
       const modeIdx = argv.indexOf("--permission-mode");
       expect(modeIdx).toBeGreaterThanOrEqual(0);
-      expect(argv[modeIdx + 1]).toBe("default");
+      expect(argv[modeIdx + 1]).toBe("bypassPermissions");
     });
 
-    it("trusted → --permission-mode default", async () => {
+    it("trusted → --permission-mode bypassPermissions", async () => {
       const adapter = new ClaudeCodeAdapter({ binary: echoScript() });
       const ctrl = new AbortController();
       const res = await adapter.run({
@@ -294,7 +294,7 @@ process.stdout.write(JSON.stringify({type:"result", subtype:"success", session_i
       const argv = JSON.parse(res.text) as string[];
       const modeIdx = argv.indexOf("--permission-mode");
       expect(modeIdx).toBeGreaterThanOrEqual(0);
-      expect(argv[modeIdx + 1]).toBe("default");
+      expect(argv[modeIdx + 1]).toBe("bypassPermissions");
     });
 
     it("systemContext → --append-system-prompt <text>", async () => {

package/src/gateway/__tests__/codex-adapter.test.ts

@@ -338,7 +338,7 @@ process.stdout.write(JSON.stringify({type:"item.completed", item:{id:"i0", type:
       expect(argv).not.toContain("-s");
     });
 
-    it("public → sandbox_mode=\"workspace-write\" + approval_policy=\"on-request\"", async () => {
+    it("public → sandbox_mode=\"danger-full-access\" + approval_policy=\"never\"", async () => {
       const adapter = new CodexAdapter({ binary: echoScript() });
       const ctrl = new AbortController();
       const res = await adapter.run({
@@ -350,12 +350,12 @@ process.stdout.write(JSON.stringify({type:"item.completed", item:{id:"i0", type:
         trustLevel: "public",
       });
       const argv = JSON.parse(res.text) as string[];
-      expect(argv).toContain('sandbox_mode="workspace-write"');
-      expect(argv).toContain('approval_policy="on-request"');
+      expect(argv).toContain('sandbox_mode="danger-full-access"');
+      expect(argv).toContain('approval_policy="never"');
       expect(argv).not.toContain("--dangerously-bypass-approvals-and-sandbox");
     });
 
-    it("trusted → sandbox_mode=\"workspace-write\" + approval_policy=\"on-request\"", async () => {
+    it("trusted → sandbox_mode=\"danger-full-access\" + approval_policy=\"never\"", async () => {
       const adapter = new CodexAdapter({ binary: echoScript() });
       const ctrl = new AbortController();
       const res = await adapter.run({
@@ -367,8 +367,8 @@ process.stdout.write(JSON.stringify({type:"item.completed", item:{id:"i0", type:
         trustLevel: "trusted",
       });
       const argv = JSON.parse(res.text) as string[];
-      expect(argv).toContain('sandbox_mode="workspace-write"');
-      expect(argv).toContain('approval_policy="on-request"');
+      expect(argv).toContain('sandbox_mode="danger-full-access"');
+      expect(argv).toContain('approval_policy="never"');
     });
 
     it("extraArgs `-s read-only` suppresses the default sandbox `-c`s", async () => {

package/src/gateway/runtimes/claude-code.ts

@@ -107,21 +107,13 @@ export class ClaudeCodeAdapter extends NdjsonStreamAdapter {
       args.push("--resume", opts.sessionId);
     }
     // Permission-mode policy:
-    //  - owner: bypassPermissions (owner fully trusts their own agent; daemon
-    //    has no authorization-relay UI yet, so any other mode causes Bash /
-    //    WebFetch / MCP tool calls to deadlock waiting for a prompt that
-    //    never reaches the user — see issue #332 for the planned MCP-bridge
-    //    relay that will let us tighten this back up).
-    //  - non-owner (trusted/public): default (let Claude Code prompt / reject
-    //    per its own rules — we must NOT auto-bypass for agents the operator
-    //    doesn't own).
-    // `extraArgs` still wins — operators who know what they're doing can override either.
+    // Daemon-driven Claude Code runs are non-interactive. Any mode that waits
+    // for a local permission prompt can deadlock tool use (Bash / WebFetch /
+    // MCP) because there is no prompt relay back to the user yet. Default to
+    // bypassPermissions for every trust tier; operators who need a stricter
+    // posture can still override with route/defaultRoute extraArgs.
     if (!opts.extraArgs?.some((a) => a.startsWith("--permission-mode"))) {
-      if (opts.trustLevel === "owner") {
-        args.push("--permission-mode", "bypassPermissions");
-      } else {
-        args.push("--permission-mode", "default");
-      }
+      args.push("--permission-mode", "bypassPermissions");
     }
     // Claude Code's `--append-system-prompt` is applied per invocation and NOT
     // persisted in the resumed session transcript — ideal for memory / digest

package/src/gateway/runtimes/codex.ts

@@ -171,8 +171,12 @@ export class CodexAdapter extends NdjsonStreamAdapter {
     // Sandbox / approval policy. Expressed as `-c` overrides because
     // `codex exec resume` rejects `-s` / `--full-auto`. `-c` works on both
     // the fresh `exec` and `exec resume` paths.
-    //  - owner turn: bypass approvals + sandbox (owner trusts their agent)
-    //  - non-owner turn: `workspace-write` sandbox + on-request approvals
+    //
+    // Daemon-driven Codex runs are non-interactive. Any mode that waits for a
+    // local approval prompt can deadlock tool use because there is no prompt
+    // relay back to the user yet. Default to bypassing both approvals and the
+    // sandbox for every trust tier; operators who need a stricter posture can
+    // still override with route/defaultRoute extraArgs.
     const hasSandboxOverride =
       opts.extraArgs?.some(
         (a) =>
@@ -184,21 +188,12 @@ export class CodexAdapter extends NdjsonStreamAdapter {
           a.startsWith("-csandbox_mode="),
       ) ?? false;
     if (!hasSandboxOverride) {
-      if (opts.trustLevel === "owner") {
-        tail.push(
-          "-c",
-          'sandbox_mode="danger-full-access"',
-          "-c",
-          'approval_policy="never"',
-        );
-      } else {
-        tail.push(
-          "-c",
-          'sandbox_mode="workspace-write"',
-          "-c",
-          'approval_policy="on-request"',
-        );
-      }
+      tail.push(
+        "-c",
+        'sandbox_mode="danger-full-access"',
+        "-c",
+        'approval_policy="never"',
+      );
     }
     tail.push("--skip-git-repo-check", "--json");
     if (opts.extraArgs?.length) tail.push(...opts.extraArgs);

package/src/gateway/runtimes/hermes-agent.ts

@@ -4,6 +4,7 @@ import path from "node:path";
 import {
   agentHermesHomeDir,
   agentHermesWorkspaceDir,
+  ensureAttachedHermesProfileSkills,
   ensureAgentHermesWorkspace,
 } from "../../agent-workspace.js";
 import { buildCliEnv } from "../cli-resolver.js";
@@ -277,9 +278,10 @@ export class HermesAgentAdapter extends AcpRuntimeAdapter {
     };
     // Attach mode: BotCord agent shares a hermes profile (state.db /
     // sessions / skills / .env) with the user's command-line `hermes`. In
-    // this mode we DO NOT seed a private home — the profile is wholly owned
-    // by the user, and AGENTS.md is written under the per-agent
-    // hermes-workspace cwd (NOT into the profile root) by `prepareTurn`.
+    // this mode we DO NOT seed a private home — AGENTS.md is written under
+    // the per-agent hermes-workspace cwd (NOT into the profile root) by
+    // `prepareTurn`, while bundled BotCord skills are installed into the
+    // attached profile's `skills/` directory so hermes can discover them.
     if (opts.hermesProfile) {
       env.HERMES_HOME = hermesProfileHomeDir(opts.hermesProfile);
     } else if (opts.accountId) {
@@ -304,6 +306,9 @@ export class HermesAgentAdapter extends AcpRuntimeAdapter {
     const { hermesWorkspace } = ensureAgentHermesWorkspace(opts.accountId, {
       attached: !!opts.hermesProfile,
     });
+    if (opts.hermesProfile) {
+      ensureAttachedHermesProfileSkills(hermesProfileHomeDir(opts.hermesProfile));
+    }
     const target = path.join(hermesWorkspace, "AGENTS.md");
     const tmp = path.join(hermesWorkspace, `.AGENTS.md.${process.pid}.tmp`);
     mkdirSync(hermesWorkspace, { recursive: true, mode: 0o700 });

package/src/provision.ts

@@ -52,6 +52,7 @@ import {
   agentStateDir,
   agentWorkspaceDir,
   applyAgentIdentity,
+  ensureAttachedHermesProfileSkills,
   ensureAgentWorkspace,
 } from "./agent-workspace.js";
 import { detectRuntimes, getAdapterModule } from "./adapters/runtimes.js";
@@ -431,6 +432,9 @@ async function installLocalAgent(
       keyId: credentials.keyId,
       savedAt: credentials.savedAt,
     });
+    if (credentials.runtime === "hermes-agent" && credentials.hermesProfile) {
+      ensureAttachedHermesProfileSkills(hermesProfileHomeDir(credentials.hermesProfile));
+    }
   } catch (err) {
     try {
       unlinkSync(credentialsFile);
@@ -1322,6 +1326,7 @@ export type WsEndpointProbeFn = (args: {
     name?: string;
     workspace?: string;
     model?: { name?: string; provider?: string };
+    botcordBinding?: { agentId: string };
   }>;
   error?: string;
 }>;
@@ -1377,6 +1382,7 @@ async function defaultWsProbe(args: {
     name?: string;
     workspace?: string;
     model?: { name?: string; provider?: string };
+    botcordBinding?: { agentId: string };
   }>;
   error?: string;
 }> {
@@ -1711,7 +1717,7 @@ export async function collectRuntimeSnapshotAsync(opts: {
           entry.error = res.error;
           entry.diagnostics = [{ code: "gateway_unreachable", message: res.error }];
         }
-        if (res.agents) entry.agents = res.agents;
+        if (res.agents) entry.agents = annotateOpenclawAgentsWithBotcordBindings(g.name, res.agents);
         return entry;
       } catch (err) {
         const message = err instanceof Error ? err.message : String(err);
@@ -1733,6 +1739,41 @@ export async function collectRuntimeSnapshotAsync(opts: {
   return out;
 }
 
+function annotateOpenclawAgentsWithBotcordBindings(
+  gateway: string,
+  agents: Array<{
+    id: string;
+    name?: string;
+    workspace?: string;
+    model?: { name?: string; provider?: string };
+  }>,
+): Array<{
+  id: string;
+  name?: string;
+  workspace?: string;
+  model?: { name?: string; provider?: string };
+  botcordBinding?: { agentId: string };
+}> {
+  const bindings = openclawBindingIndex();
+  return agents.map((agent) => {
+    const botcordAgentId = bindings.get(`${gateway}\0${agent.id}`);
+    if (!botcordAgentId) return agent;
+    return { ...agent, botcordBinding: { agentId: botcordAgentId } };
+  });
+}
+
+function openclawBindingIndex(): Map<string, string> {
+  const out = new Map<string, string>();
+  const discovered = discoverAgentCredentials({
+    credentialsDir: path.join(homedir(), ".botcord", "credentials"),
+  });
+  for (const agent of discovered.agents) {
+    if (!agent.openclawGateway || !agent.openclawAgent) continue;
+    out.set(`${agent.openclawGateway}\0${agent.openclawAgent}`, agent.agentId);
+  }
+  return out;
+}
+
 // ---------------------------------------------------------------------------
 // hello agents snapshot (lightweight identity sync)
 // ---------------------------------------------------------------------------