@hamp10/agentforge 0.2.21 → 0.2.23

package/bin/agentforge.js

@@ -4,8 +4,10 @@ import { Command } from 'commander';
 import fs from 'fs';
 import path from 'path';
 import os from 'os';
+import crypto from 'crypto';
 import open from 'open';
-import { execSync, spawn } from 'child_process';
+import { execSync, spawn, spawnSync } from 'child_process';
+import http from 'http';
 import { AgentForgeWorker } from '../src/worker.js';
 import { OpenClawCLI } from '../src/OpenClawCLI.js';
 import { checkAndUpdate } from '../src/selfUpdate.js';
@@ -13,6 +15,8 @@ import { runSupervisor, detachSupervisor, stopSupervisor } from '../src/supervis
 
 const CONFIG_DIR = path.join(os.homedir(), '.agentforge');
 const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+const SUPERVISOR_PID_FILE = path.join(CONFIG_DIR, 'supervisor.pid');
+const WORKER_PID_FILE = path.join(CONFIG_DIR, 'worker.pid');
 
 process.on('unhandledRejection', (reason) => {
   console.error('❌ Unhandled promise rejection:', reason instanceof Error ? reason.message : reason);
@@ -51,6 +55,206 @@ function saveConfig(config) {
   fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));
 }
 
+function readPidFile(file) {
+  try {
+    if (!fs.existsSync(file)) return null;
+    const pid = Number.parseInt(fs.readFileSync(file, 'utf8').trim(), 10);
+    return Number.isFinite(pid) && pid > 0 ? pid : null;
+  } catch {
+    return null;
+  }
+}
+
+function isRunningPid(pid) {
+  if (!pid) return false;
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function getRuntimeStatus() {
+  const supervisorPid = readPidFile(SUPERVISOR_PID_FILE);
+  const workerPid = readPidFile(WORKER_PID_FILE);
+  return {
+    supervisorPid,
+    workerPid,
+    supervisorRunning: isRunningPid(supervisorPid),
+    workerRunning: isRunningPid(workerPid),
+  };
+}
+
+function runQuiet(command, args = []) {
+  return spawnSync(command, args, {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+}
+
+function commandExists(command) {
+  return runQuiet('which', [command]).status === 0;
+}
+
+function pathContainsDir(dir) {
+  const normalized = path.resolve(dir).replace(/\/$/, '');
+  return (process.env.PATH || '')
+    .split(path.delimiter)
+    .map(entry => {
+      try { return path.resolve(entry).replace(/\/$/, ''); } catch { return entry.replace(/\/$/, ''); }
+    })
+    .includes(normalized);
+}
+
+function getShellProfilePath() {
+  const shell = process.env.SHELL || '';
+  if (shell.includes('zsh')) return path.join(os.homedir(), '.zshrc');
+  if (shell.includes('bash')) {
+    const bashrc = path.join(os.homedir(), '.bashrc');
+    return fs.existsSync(bashrc) ? bashrc : path.join(os.homedir(), '.bash_profile');
+  }
+  return path.join(os.homedir(), '.profile');
+}
+
+function addPathToShellProfile(binDir) {
+  if (!pathContainsDir(binDir)) {
+    process.env.PATH = `${binDir}${path.delimiter}${process.env.PATH || ''}`;
+  }
+
+  const profileFile = getShellProfilePath();
+  const exportLine = `export PATH="${binDir}:$PATH" # Added by AgentForge`;
+
+  try {
+    if (fs.existsSync(profileFile)) {
+      const existing = fs.readFileSync(profileFile, 'utf8');
+      if (existing.includes(binDir)) return { profileFile, changed: false };
+    }
+    fs.appendFileSync(profileFile, `\n${exportLine}\n`);
+    return { profileFile, changed: true };
+  } catch (error) {
+    return { profileFile, changed: false, error };
+  }
+}
+
+function npmGlobalBinForPrefix(prefix) {
+  return process.platform === 'win32' ? prefix : path.join(prefix, 'bin');
+}
+
+function npmGlobalRoot() {
+  const result = runQuiet('npm', ['root', '-g']);
+  return result.status === 0 ? result.stdout.trim() : null;
+}
+
+function npmPrefix() {
+  const result = runQuiet('npm', ['config', 'get', 'prefix']);
+  return result.status === 0 ? result.stdout.trim() : null;
+}
+
+function canWriteNpmRoot(rootDir) {
+  if (!rootDir) return false;
+  const testDir = path.join(rootDir, `.agentforge-write-test-${process.pid}`);
+  try {
+    fs.mkdirSync(testDir, { recursive: true });
+    fs.rmSync(testDir, { recursive: true, force: true });
+    return true;
+  } catch {
+    try { fs.rmSync(testDir, { recursive: true, force: true }); } catch {}
+    return false;
+  }
+}
+
+function ensureUserOwnedNpmGlobal() {
+  if (!commandExists('npm')) {
+    return { ok: false, message: 'npm is not installed. Install Node.js LTS from https://nodejs.org.' };
+  }
+
+  let prefix = npmPrefix();
+  let root = npmGlobalRoot();
+
+  if (!canWriteNpmRoot(root)) {
+    const userPrefix = path.join(os.homedir(), '.npm-global');
+    fs.mkdirSync(path.join(userPrefix, 'bin'), { recursive: true });
+    fs.mkdirSync(path.join(userPrefix, 'lib', 'node_modules'), { recursive: true });
+
+    const setPrefix = spawnSync('npm', ['config', 'set', 'prefix', userPrefix], {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'pipe'],
+    });
+    if (setPrefix.status !== 0) {
+      return {
+        ok: false,
+        message: `Could not configure npm to use ${userPrefix}: ${setPrefix.stderr || setPrefix.stdout}`.trim(),
+      };
+    }
+
+    prefix = userPrefix;
+    root = path.join(userPrefix, 'lib', 'node_modules');
+  }
+
+  const binDir = npmGlobalBinForPrefix(prefix);
+  fs.mkdirSync(binDir, { recursive: true });
+  const pathUpdate = addPathToShellProfile(binDir);
+  return { ok: true, prefix, root, binDir, pathUpdate };
+}
+
+function installOpenClawRuntime() {
+  const npmReady = ensureUserOwnedNpmGlobal();
+  if (!npmReady.ok) return npmReady;
+
+  const result = spawnSync('npm', ['install', '-g', 'openclaw', '--quiet'], {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+    env: { ...process.env, PATH: `${npmReady.binDir}${path.delimiter}${process.env.PATH || ''}` },
+  });
+
+  if (result.status !== 0) {
+    return {
+      ok: false,
+      message: (result.stderr || result.stdout || 'npm install -g openclaw failed').trim(),
+    };
+  }
+
+  process.env.PATH = `${npmReady.binDir}${path.delimiter}${process.env.PATH || ''}`;
+  return { ok: true, ...npmReady };
+}
+
+function printMissingRuntimeHelp() {
+  console.error('');
+  console.error('❌ Agent runtime not found on this Mac.');
+  console.error('');
+  console.error('   Your dashboard API key validates model access, but this machine still');
+  console.error('   needs a local agent runtime so agents can use the browser, shell, and files.');
+  console.error('');
+  console.error('   Fix:');
+  console.error('     curl -fsSL https://agentforgeai-production.up.railway.app/install.sh | bash');
+  console.error('');
+  console.error('   Or, if AgentForge is already installed:');
+  console.error('     agentforge setup');
+  console.error('');
+}
+
+function ensureRuntimeAvailableForStart(config) {
+  if (config.provider === 'local') return true;
+  if (OpenClawCLI.isAvailable()) return true;
+
+  console.log('');
+  console.log('OpenClaw was not found. Installing the local agent runtime...');
+  const installed = installOpenClawRuntime();
+  if (installed.ok && OpenClawCLI.isAvailable()) {
+    console.log('✅ OpenClaw installed');
+    console.log('');
+    return true;
+  }
+
+  if (!installed.ok) {
+    console.error('');
+    console.error(`OpenClaw install failed: ${installed.message}`);
+  }
+  printMissingRuntimeHelp();
+  return false;
+}
+
 const _pkg = JSON.parse(fs.readFileSync(new URL('../package.json', import.meta.url), 'utf8'));
 
 program
@@ -203,18 +407,7 @@ program
       process.exit(1);
     }
 
-    // Check that a working AI backend is configured
-    if (config.provider !== 'local' && !OpenClawCLI.isAvailable()) {
-      console.error('');
-      console.error('❌ No AI backend configured.');
-      console.error('');
-      console.error('   AgentForge needs an AI model to run agents.');
-      console.error('   Configure a local model server (Ollama, LM Studio, Jan, etc.):');
-      console.error('');
-      console.error('     agentforge local --url http://localhost:11434 --model llama3.1:8b');
-      console.error('');
-      console.error('   Then run:  agentforge start');
-      console.error('');
+    if (!ensureRuntimeAvailableForStart(config)) {
       process.exit(1);
     }
 
@@ -254,8 +447,18 @@ program
     const MAX_LOG_BYTES = 5 * 1024 * 1024;
     let logStream = fs.createWriteStream(logFile, { flags: 'a' });
     logStream.write(`\n\n===== Worker started ${new Date().toISOString()} =====\n\n`);
+    const serializeLogArg = (arg) => {
+      if (typeof arg === 'string') return arg;
+      if (arg instanceof Error) return arg.stack || `${arg.name || 'Error'}: ${arg.message || ''}`.trim();
+      try {
+        const json = JSON.stringify(arg);
+        return json === undefined ? String(arg) : json;
+      } catch {
+        return String(arg);
+      }
+    };
     const writeLog = (level, args) => {
-      const line = `[${new Date().toISOString()}] [${level}] ${args.map(a => (typeof a === 'string' ? a : JSON.stringify(a))).join(' ')}\n`;
+      const line = `[${new Date().toISOString()}] [${level}] ${args.map(serializeLogArg).join(' ')}\n`;
       try {
         logStream.write(line);
         if (fs.statSync(logFile).size > MAX_LOG_BYTES) {
@@ -277,16 +480,15 @@ program
 
     // Graceful shutdown
     process.on('SIGINT',  () => { console.log('\n[SIGINT received — stopping]');   worker.shutdown(0); }); // Ctrl+C: clean stop
-    process.on('SIGTERM', () => { console.log('\n[SIGTERM received — restarting]'); worker.shutdown(1); }); // kill: supervisor restarts
+    process.on('SIGTERM', () => { console.log('\n[SIGTERM received — stopping]'); worker.shutdown(0); }); // agentforge stop / supervisor shutdown
     process.on('SIGHUP',  () => { console.log('\n[SIGHUP received — restarting]');  worker.shutdown(1); }); // terminal close: supervisor restarts
 
     try {
       await worker.initialize();
       await worker.connect();
 
-      // Auto-start AgentForge Browser so every machine gets browser tools without a separate setup step.
-      // On macOS: install the Chrome wrapper app, seed sessions, and launch it.
-      // On other platforms: skip silently — agents fall back to web_fetch / screenshot_and_describe.
+      // Auto-start AgentForge Browser on demand — no LaunchAgent, worker manages lifecycle.
+      // On macOS: seed sessions and launch directly. On other platforms: skip silently.
       if (process.platform === 'darwin') {
         try {
           if (isBrowserRunning()) {
@@ -296,7 +498,7 @@ program
             if (browserBin) {
               installAgentBrowserApp();
               seedBrowserProfile();
-              installLaunchAgent(browserBin);
+              launchBrowserDirect(browserBin);
               console.log('🌐 AgentForge Browser started (port 9223)');
             } else {
               console.warn('⚠️  No browser found — install Chrome for full browser tool support');
@@ -307,6 +509,62 @@ program
         }
       }
 
+      // Session vault: pull cookies from server so sessions logged in on other
+      // machines are immediately available here. Then inject into browser so
+      // agents can use them immediately. Finally push updated local sessions.
+      try {
+        await pullSessionsFromVault(config.token, baseUrl);
+        // Await injection so the browser has the cookies before we push back
+        if (fs.existsSync(SESSIONS_FILE)) await injectSavedSessions().catch(() => {});
+        // Push local browser sessions to vault (captures any newer cookies in the live browser)
+        await pushSessionsToVault(config.token, baseUrl);
+      } catch {}
+
+      // Machine login: ensure the dashboard browser is authenticated using the worker token.
+      // This runs immediately on startup and every 5 minutes, so session expiry or server
+      // restarts with a new SESSION_SECRET are healed automatically — no manual GitHub login needed.
+      await ensureDashboardAuth(config.token, baseUrl).catch(() => {});
+      setInterval(() => {
+        ensureDashboardAuth(config.token, baseUrl).catch(() => {});
+      }, 5 * 60 * 1000);
+
+      // Sync sessions every 5 minutes: push local → vault (macOS only), so other
+      // machines always have fresh cookies when they pull on their next startup.
+      setInterval(() => {
+        pushSessionsToVault(config.token, baseUrl).catch(() => {});
+      }, 5 * 60 * 1000);
+
+      // Session injection watcher: when Chrome appears (started on-demand by openclaw
+      // for a task), inject vault sessions into it immediately so sites stay logged in.
+      // Does NOT restart Chrome — only reacts when Chrome comes up on its own.
+      if (process.platform === 'darwin') {
+        let _browserWasRunning = isBrowserRunning();
+        let _injecting = false;
+        setInterval(async () => {
+          try {
+            const running = isBrowserRunning();
+            if (running && !_browserWasRunning && !_injecting) {
+              // Chrome just appeared — inject sessions (set flags FIRST to prevent concurrent runs)
+              _browserWasRunning = running;
+              _injecting = true;
+              try {
+                console.log('🌐 Browser appeared — injecting sessions...');
+                await new Promise(r => setTimeout(r, 2000)); // let CDP stabilize
+                await pullSessionsFromVault(config.token, baseUrl).catch(() => {});
+                if (fs.existsSync(SESSIONS_FILE)) await injectSavedSessions().catch(() => {});
+                await pushSessionsToVault(config.token, baseUrl).catch(() => {});
+                console.log('✅ Sessions restored into new browser');
+              } finally {
+                _injecting = false;
+              }
+            } else {
+              _browserWasRunning = running;
+            }
+          } catch {}
+        }, 5 * 1000); // check every 5 seconds
+      }
+
+
       console.log('');
       console.log('✅ Worker running');
       console.log('   Press Ctrl+C to stop');
@@ -334,16 +592,32 @@ program
     } else if (OpenClawCLI.isAvailable()) {
       console.log(`AI Backend:    ✅ openclaw`);
     } else {
-      console.log(`AI Backend:    ❌ Not configured`);
+      console.log(`AI Backend:    ❌ OpenClaw not found`);
     }
 
     console.log(`Config file: ${CONFIG_FILE}`);
     console.log('');
 
+    const runtimeStatus = getRuntimeStatus();
+    if (runtimeStatus.supervisorRunning || runtimeStatus.workerRunning) {
+      const details = [
+        runtimeStatus.supervisorRunning ? `supervisor PID ${runtimeStatus.supervisorPid}` : null,
+        runtimeStatus.workerRunning ? `worker PID ${runtimeStatus.workerPid}` : null,
+      ].filter(Boolean).join(', ');
+      console.log(`Worker:       ✅ Running${details ? ` (${details})` : ''}`);
+    } else if (runtimeStatus.supervisorPid || runtimeStatus.workerPid) {
+      console.log('Worker:       ⚠️ PID file exists, but the process is not running');
+    } else {
+      console.log('Worker:       ⚠️ Not running');
+    }
+    console.log('');
+
     if (!config.token) {
       console.log('Run: agentforge login');
     } else if (config.provider !== 'local' && !OpenClawCLI.isAvailable()) {
-      console.log('Configure a backend first:  agentforge local --url http://localhost:11434 --model llama3.1:8b');
+      console.log('Run: agentforge setup');
+    } else if (runtimeStatus.supervisorRunning || runtimeStatus.workerRunning) {
+      console.log('Connected worker process is running.');
     } else {
       console.log('Ready to connect! Run: agentforge start');
     }
@@ -549,29 +823,30 @@ program
           allGood = false;
         }
       } catch {
-        console.log('❌ No AI backend configured');
-        console.log('   Fix: install Ollama (https://ollama.ai) then: agentforge local --model llama3.1:8b');
+        console.log('❌ OpenClaw runtime not found');
+        console.log('   Your dashboard API keys can be valid, but this Mac still needs OpenClaw');
+        console.log('   or a configured local model server to execute agents.');
+        console.log('   Fix: agentforge setup');
         allGood = false;
       }
     }
 
     // 4. Worker running
-    const supervisorPidFile = path.join(CONFIG_DIR, 'supervisor.pid');
-    const workerPidFile = path.join(CONFIG_DIR, 'worker.pid');
-    if (fs.existsSync(supervisorPidFile)) {
-      const pid = parseInt(fs.readFileSync(supervisorPidFile, 'utf8').trim());
-      try {
-        process.kill(pid, 0);
-        const wpid = fs.existsSync(workerPidFile) ? fs.readFileSync(workerPidFile, 'utf8').trim() : null;
-        console.log(`✅ Worker running (supervisor PID ${pid}${wpid ? ', worker PID ' + wpid : ''})`);
-      } catch {
-        console.log('⚠️  Supervisor PID file exists but process is not running');
-        console.log('   Fix: agentforge start');
-        allGood = false;
-      }
+    const runtimeStatus = getRuntimeStatus();
+    if (runtimeStatus.supervisorRunning || runtimeStatus.workerRunning) {
+      const details = [
+        runtimeStatus.supervisorRunning ? `supervisor PID ${runtimeStatus.supervisorPid}` : null,
+        runtimeStatus.workerRunning ? `worker PID ${runtimeStatus.workerPid}` : null,
+      ].filter(Boolean).join(', ');
+      console.log(`✅ Worker running (${details})`);
+    } else if (runtimeStatus.supervisorPid || runtimeStatus.workerPid) {
+      console.log('⚠️  Worker PID file exists but process is not running');
+      console.log('   Fix: agentforge start');
+      allGood = false;
     } else {
       console.log('⚠️  Worker not running');
       console.log('   Fix: agentforge start');
+      allGood = false;
     }
 
     console.log('');
@@ -586,47 +861,90 @@ program
 program
   .command('setup')
   .description('Interactive setup wizard — gets AgentForge running in minutes')
+  .option('--url <url>', 'Custom AgentForge URL')
+  .option('--token <token>', 'Pre-issued auth token (skips OAuth browser flow)')
+  .option('--no-start', 'Do not start the worker after setup')
   .option('--tailscale-key <key>', 'Tailscale auth key (from tailscale.com/admin/settings/keys)')
   .action(async (options) => {
-    const { execSync, spawnSync } = await import('child_process');
     const readline = await import('readline');
 
-    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-    const ask = (q) => new Promise(resolve => rl.question(q, resolve));
+    let rl = null;
+    const ask = (q) => {
+      if (!rl) rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+      return new Promise(resolve => rl.question(q, resolve));
+    };
+    const closeReadline = () => {
+      if (rl) {
+        rl.close();
+        rl = null;
+      }
+    };
+
+    const baseUrl = options.url ||
+      process.env.AGENTFORGE_URL ||
+      process.env.AGENTFORGE_SERVER ||
+      loadConfig().url ||
+      'https://agentforgeai-production.up.railway.app';
+    const preToken = options.token || process.env.AGENTFORGE_TOKEN;
 
     console.log('');
     console.log('🚀 AgentForge Setup');
     console.log('================================');
-    console.log('Getting your machine ready to run AI agents.\n');
+    console.log('Getting this machine ready to run AI agents.\n');
+
+    // ── Step 1: System checks ───────────────────────────────────────────────
+    console.log('Step 1/4: System checks\n');
+
+    const nodeMajor = Number.parseInt(process.versions.node.split('.')[0], 10);
+    if (!Number.isFinite(nodeMajor) || nodeMajor < 18) {
+      console.error(`❌ Node.js 18+ is required. Found ${process.version}.`);
+      console.error('   Install the Node.js LTS version from https://nodejs.org, then run setup again.');
+      process.exit(1);
+    }
+    console.log(`✅ Node.js ${process.version}`);
+
+    const npmReady = ensureUserOwnedNpmGlobal();
+    if (!npmReady.ok) {
+      console.error(`❌ ${npmReady.message}`);
+      process.exit(1);
+    }
+    console.log(`✅ npm global installs use ${npmReady.prefix}`);
+    if (npmReady.pathUpdate?.changed) {
+      console.log(`✅ Added ${npmReady.binDir} to PATH in ${npmReady.pathUpdate.profileFile}`);
+    } else if (npmReady.pathUpdate?.error) {
+      console.log(`⚠️  Could not update ${npmReady.pathUpdate.profileFile}; current terminal PATH was updated.`);
+    }
+    console.log('');
 
-    // ── Step 1: Authentication ──────────────────────────────────────────────
+    // ── Step 2: Authentication ──────────────────────────────────────────────
     const config = loadConfig();
-    if (config.token) {
-      console.log('✅ Step 1/2: Already logged in\n');
+    const alreadyLoggedIn = config.token && config.url === baseUrl && !preToken;
+    if (alreadyLoggedIn) {
+      console.log('✅ Step 2/4: Already logged in\n');
     } else {
-      console.log('Step 1/2: Log in to AgentForge\n');
-      console.log('A browser window will open — log in there and come back.\n');
-      rl.close();
+      console.log('Step 2/4: Log in to AgentForge\n');
+      if (!preToken) console.log('A browser window will open. Log in there and come back here.\n');
 
       // Spawn login as a child process with inherited stdio so the interactive
       // OAuth flow works (readline on stdin, browser opens, polling, etc.)
-      const { spawnSync: sp } = await import('child_process');
-      const loginResult = sp(process.execPath, [process.argv[1], 'login'], { stdio: 'inherit' });
+      const loginArgs = [process.argv[1], 'login', '--url', baseUrl];
+      if (preToken) loginArgs.push('--token', preToken);
+      const loginResult = spawnSync(process.execPath, loginArgs, {
+        stdio: 'inherit',
+        env: { ...process.env, AGENTFORGE_URL: baseUrl },
+      });
       if (loginResult.status !== 0) {
         console.error('\n❌ Login failed — run: agentforge login');
         process.exit(1);
       }
-
-      // Re-open readline for the rest of setup
-      const rl2 = readline.createInterface({ input: process.stdin, output: process.stdout });
-      Object.assign(rl, rl2); // replace for remaining ask() calls (won't be used further)
       console.log('');
     }
 
-    // ── Step 2: AI Backend ──────────────────────────────────────────────────
-    console.log('Step 2/2: AI Backend\n');
+    // ── Step 3: AI Backend ──────────────────────────────────────────────────
+    console.log('Step 3/4: AI backend\n');
 
     const freshConfig = loadConfig();
+    let backendReady = false;
 
     if (freshConfig.provider === 'local') {
       const localUrl = freshConfig.localUrl || 'http://localhost:11434';
@@ -640,12 +958,27 @@ program
             console.log(`   ⚠️  Model "${freshConfig.localModel}" not found. Available: ${models.slice(0, 5).join(', ')}`);
           }
           console.log('');
+          backendReady = true;
         }
       } catch {
-        console.log(`⚠️  Configured local server at ${localUrl} is not reachable. Make sure it's running.\n`);
+        if (OpenClawCLI.isAvailable()) {
+          const openclawConfig = loadConfig();
+          delete openclawConfig.provider;
+          delete openclawConfig.localUrl;
+          delete openclawConfig.localModel;
+          saveConfig(openclawConfig);
+          console.log(`⚠️  Configured local server at ${localUrl} is not reachable.`);
+          console.log('✅ openclaw is available, so setup will use openclaw instead.\n');
+          backendReady = true;
+        } else {
+          console.log(`❌ Configured local server at ${localUrl} is not reachable.`);
+          console.log('   Start that model server, or install OpenClaw/Ollama and run setup again.\n');
+          process.exit(1);
+        }
       }
     } else if (OpenClawCLI.isAvailable()) {
       console.log('✅ openclaw detected and ready\n');
+      backendReady = true;
     } else {
       // Probe all common local model servers
       const probes = [
@@ -671,51 +1004,72 @@ program
       console.log('');
 
       if (found.length === 0) {
-        console.log('');
-        console.log('No local model server detected.\n');
-        console.log('AgentForge needs an AI model to power your agents. The easiest option is Ollama:\n');
-        console.log('  1. Go to https://ollama.ai and install it');
-        console.log('  2. Run: ollama pull llama3.1:8b');
-        console.log('  3. Run: agentforge setup   (come back here when done)');
-        console.log('');
-        console.log('You can also use LM Studio, Jan, llama.cpp, or openclaw.');
-        rl.close();
-        process.exit(0);
+        console.log('\nOpenClaw was not found. Installing the local agent runtime...');
+        const installed = installOpenClawRuntime();
+        if (installed.ok && OpenClawCLI.isAvailable()) {
+          console.log('✅ OpenClaw installed and ready\n');
+          backendReady = true;
+        } else {
+          if (!installed.ok) {
+            console.log(`❌ OpenClaw install failed: ${installed.message}`);
+          }
+          console.log('');
+          console.log('AgentForge needs OpenClaw or a local OpenAI-compatible model server.');
+          console.log('Your dashboard API key validates model access; it does not install');
+          console.log('the local runtime that runs browser, shell, and file tools on this Mac.');
+          console.log('');
+          console.log('Run this again after OpenClaw is installed:');
+          console.log('  agentforge setup');
+          console.log('');
+          console.log('Local model option: install Ollama from https://ollama.ai, then run:');
+          console.log('  ollama pull llama3.1:8b');
+          console.log('  agentforge setup');
+          closeReadline();
+          process.exit(0);
+        }
       }
 
       // Let user pick if multiple found, or auto-select if only one
-      let chosen = found[0];
-      if (found.length > 1) {
-        console.log('\nFound these model servers:\n');
-        found.forEach((b, i) => {
-          console.log(`  ${i + 1}. ${b.name} (${b.url}) — ${b.models.length} model(s): ${b.models.slice(0, 3).join(', ')}`);
-        });
-        const ans = await ask(`\nWhich one to use? [1]: `);
-        const idx = parseInt(ans.trim()) - 1;
-        chosen = found[isNaN(idx) || idx < 0 || idx >= found.length ? 0 : idx];
-      } else {
-        console.log(`\nFound: ${chosen.name} (${chosen.url}) with ${chosen.models.length} model(s)`);
-      }
+      if (!backendReady) {
+        let chosen = found[0];
+        if (found.length > 1) {
+          console.log('\nFound these model servers:\n');
+          found.forEach((b, i) => {
+            console.log(`  ${i + 1}. ${b.name} (${b.url}) — ${b.models.length} model(s): ${b.models.slice(0, 3).join(', ')}`);
+          });
+          const ans = await ask(`\nWhich one to use? [1]: `);
+          const idx = parseInt(ans.trim()) - 1;
+          chosen = found[isNaN(idx) || idx < 0 || idx >= found.length ? 0 : idx];
+        } else {
+          console.log(`\nFound: ${chosen.name} (${chosen.url}) with ${chosen.models.length} model(s)`);
+        }
 
-      // Pick model
-      let model = chosen.models[0] || 'llama3.1:8b';
-      if (chosen.models.length > 1) {
-        console.log(`\nAvailable models: ${chosen.models.join(', ')}`);
-        const ans = await ask(`Model to use [${model}]: `);
-        if (ans.trim()) model = ans.trim();
-      } else if (chosen.models.length === 1) {
-        console.log(`Using model: ${model}`);
-      }
+        // Pick model
+        let model = chosen.models[0] || 'llama3.1:8b';
+        if (chosen.models.length > 1) {
+          console.log(`\nAvailable models: ${chosen.models.join(', ')}`);
+          const ans = await ask(`Model to use [${model}]: `);
+          if (ans.trim()) model = ans.trim();
+        } else if (chosen.models.length === 1) {
+          console.log(`Using model: ${model}`);
+        }
 
-      const newConfig = loadConfig();
-      newConfig.provider = 'local';
-      newConfig.localUrl = chosen.url;
-      newConfig.localModel = model;
-      saveConfig(newConfig);
-      console.log(`\n✅ Configured ${chosen.name} with model "${model}"\n`);
+        const newConfig = loadConfig();
+        newConfig.provider = 'local';
+        newConfig.localUrl = chosen.url;
+        newConfig.localModel = model;
+        saveConfig(newConfig);
+        console.log(`\n✅ Configured ${chosen.name} with model "${model}"\n`);
+        backendReady = true;
+      }
     }
 
-    rl.close();
+    closeReadline();
+
+    if (!backendReady) {
+      console.error('❌ No usable AI backend is configured.');
+      process.exit(1);
+    }
 
     // ── Optional: Tailscale (only shown if installed or key provided) ────────
     const tailscaleInstalled = spawnSync('which', ['tailscale'], { encoding: 'utf-8' }).status === 0;
@@ -731,22 +1085,49 @@ program
       console.log('✅ Tailscale installed (run "sudo tailscale up" to connect remotely)');
     }
 
+    // ── Step 4: Start worker ────────────────────────────────────────────────
+    console.log('');
+    console.log('Step 4/4: Start worker\n');
+
+    if (options.start === false) {
+      console.log('Skipping worker start because --no-start was provided.\n');
+    } else {
+      const runtimeStatus = getRuntimeStatus();
+      if (runtimeStatus.supervisorRunning || runtimeStatus.workerRunning) {
+        console.log('✅ Worker is already running\n');
+      } else {
+        const startResult = spawnSync(process.execPath, [
+          process.argv[1],
+          'start',
+          '--detach',
+          '--url',
+          baseUrl,
+        ], {
+          stdio: 'inherit',
+          env: { ...process.env, AGENTFORGE_URL: baseUrl },
+        });
+
+        if (startResult.status !== 0) {
+          console.error('\n❌ Worker did not start. Run: agentforge doctor');
+          process.exit(startResult.status || 1);
+        }
+        console.log('');
+      }
+    }
+
     console.log('');
     console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
     console.log('✅  Setup complete!');
     console.log('');
-    console.log('   Start your worker:');
-    console.log('');
-    console.log('     agentforge start');
-    console.log('');
-    console.log('   Then open your dashboard:');
+    console.log('   Dashboard:');
+    console.log(`   ${baseUrl}/dashboard`);
     console.log('');
-    console.log('     https://agentforgeai-production.up.railway.app/dashboard');
+    console.log('   Health check:');
+    console.log('   agentforge doctor');
     console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
     console.log('');
 
-    // Open the dashboard in their browser so they land there immediately
-    try { execSync('open https://agentforgeai-production.up.railway.app/dashboard'); } catch {}
+    try { await open(`${baseUrl}/dashboard`); } catch {}
   });
 
 // ── Browser helpers ──────────────────────────────────────────────────────────
@@ -758,11 +1139,13 @@ program
 
 const CDP_PORT = 9223;
 const BROWSER_PROFILE_DIR = path.join(CONFIG_DIR, 'browser');
+const SESSIONS_FILE = path.join(CONFIG_DIR, 'sessions.json');
 const LAUNCH_AGENT_LABEL = 'ai.agentforge.browser';
 const LAUNCH_AGENT_PLIST = path.join(
   os.homedir(), 'Library', 'LaunchAgents', `${LAUNCH_AGENT_LABEL}.plist`
 );
 const CHROME_BIN = '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome';
+const CHROMIUM_BIN = '/Applications/Chromium.app/Contents/MacOS/Chromium';
 
 // Returns Google Chrome path if installed — required for cookie seeding
 // (shared "Chrome Safe Storage" Keychain key makes copied cookies readable).
@@ -771,11 +1154,14 @@ function findGoogleChrome() {
 }
 
 // Returns the best available browser for running the agent profile.
-// Prefers Chrome (for seeding compatibility) but falls back to others.
+// Prefers the browser that matches the user's profile (for Keychain key compatibility).
+// Falls back to Chrome → Chromium → others.
 function findBrowser() {
+  // Always prefer Chrome — required for Keychain key compatibility with cookie seeding.
+  // Chrome takes priority even if no Chrome profile exists yet.
   const candidates = [
     CHROME_BIN,
-    '/Applications/Chromium.app/Contents/MacOS/Chromium',
+    CHROMIUM_BIN,
     '/Applications/Brave Browser.app/Contents/MacOS/Brave Browser',
     '/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge',
   ];
@@ -785,6 +1171,22 @@ function findBrowser() {
   return null;
 }
 
+// Finds the user's primary browser profile for cookie seeding.
+// Returns { browserBin, srcDir } where browserBin is the binary that encrypted
+// the cookies (the agent browser must use the same binary to share the Keychain key).
+// Priority: Chrome (if profile exists) → Chromium (if profile exists) → null.
+function findUserBrowserProfile() {
+  const chromeSrcDir = path.join(os.homedir(), 'Library', 'Application Support', 'Google', 'Chrome', 'Default');
+  if (fs.existsSync(CHROME_BIN) && fs.existsSync(chromeSrcDir)) {
+    return { browserBin: CHROME_BIN, srcDir: chromeSrcDir };
+  }
+  const chromiumSrcDir = path.join(os.homedir(), 'Library', 'Application Support', 'Chromium', 'Default');
+  if (fs.existsSync(CHROMIUM_BIN) && fs.existsSync(chromiumSrcDir)) {
+    return { browserBin: CHROMIUM_BIN, srcDir: chromiumSrcDir };
+  }
+  return null;
+}
+
 function isBrowserRunning() {
   try {
     const out = execSync(`pgrep -f "remote-debugging-port=${CDP_PORT}" 2>/dev/null || true`).toString().trim();
@@ -813,11 +1215,10 @@ function isGoogleLoggedIn() {
 // Pass force=true to re-copy everything except Google cookies.
 // Must be called while the agent browser is NOT running (Cookies file is locked).
 function seedBrowserProfile(force = false) {
-  const chrome = findGoogleChrome();
-  if (!chrome) return 'no-chrome';
-  const srcDir = path.join(os.homedir(), 'Library', 'Application Support', 'Google', 'Chrome', 'Default');
+  const profile = findUserBrowserProfile();
+  if (!profile) return 'no-chrome';
+  const { srcDir } = profile;
   const destDir = path.join(BROWSER_PROFILE_DIR, 'Default');
-  if (!fs.existsSync(srcDir)) return 'no-chrome';
   const destCookies = path.join(destDir, 'Cookies');
   if (!force && fs.existsSync(destCookies)) return 'already-seeded';
   fs.mkdirSync(destDir, { recursive: true });
@@ -827,6 +1228,35 @@ function seedBrowserProfile(force = false) {
     const src = path.join(srcDir, f);
     if (fs.existsSync(src)) try { fs.copyFileSync(src, path.join(destDir, f)); } catch {}
   }
+
+  // Fix bookmarks: flatten any nested 'Bookmarks Bar' folder so items show in bar directly.
+  // Also enable the bookmarks bar in Preferences.
+  const bookmarksPath = path.join(destDir, 'Bookmarks');
+  if (fs.existsSync(bookmarksPath)) {
+    try {
+      const bm = JSON.parse(fs.readFileSync(bookmarksPath, 'utf8'));
+      const barRoot = bm.roots && bm.roots.bookmark_bar;
+      if (barRoot && Array.isArray(barRoot.children)) {
+        const children = barRoot.children;
+        // If the bar's only/first child is a folder named 'Bookmarks Bar' or 'Bookmarks bar', hoist its contents
+        const isNestedBar = children.length > 0 && children[0].type === 'folder' &&
+          /^bookmarks? ?bar$/i.test(children[0].name || '');
+        if (isNestedBar) {
+          barRoot.children = children[0].children || [];
+          fs.writeFileSync(bookmarksPath, JSON.stringify(bm, null, 2));
+        }
+      }
+    } catch {}
+  }
+  const prefsPath = path.join(destDir, 'Preferences');
+  if (fs.existsSync(prefsPath)) {
+    try {
+      const prefs = JSON.parse(fs.readFileSync(prefsPath, 'utf8'));
+      if (!prefs.bookmark_bar) prefs.bookmark_bar = {};
+      prefs.bookmark_bar.show_on_all_tabs = true;
+      fs.writeFileSync(prefsPath, JSON.stringify(prefs, null, 2));
+    } catch {}
+  }
   for (const dir of ['Local Storage', 'IndexedDB']) {
     const src = path.join(srcDir, dir);
     const dest = path.join(destDir, dir);
@@ -878,9 +1308,9 @@ print('ok')
 // Works while BOTH browsers are running — no restart needed.
 // Returns the number of cookies synced or -1 on error.
 function syncSessionCookies() {
-  const chrome = findGoogleChrome();
-  if (!chrome) return 0;
-  const srcDb = path.join(os.homedir(), 'Library', 'Application Support', 'Google', 'Chrome', 'Default', 'Cookies');
+  const profile = findUserBrowserProfile();
+  if (!profile) return 0;
+  const srcDb = path.join(profile.srcDir, 'Cookies');
   const destDb = path.join(BROWSER_PROFILE_DIR, 'Default', 'Cookies');
   if (!fs.existsSync(srcDb) || !fs.existsSync(destDb)) return 0;
 
@@ -913,14 +1343,226 @@ print(count)
   } catch { return -1; }
 }
 
+// ── Session Vault ─────────────────────────────────────────────────────────────
+// Cross-machine cookie sync via Railway server.
+//
+// Security model (Bitwarden-style):
+//   - Cookies are AES-256-GCM encrypted CLIENT-SIDE before leaving the machine.
+//   - Key is derived from the user's worker token via scrypt — never transmitted.
+//   - The Railway server stores ciphertext it cannot read.
+//   - A DB breach exposes encrypted blobs that are useless without the token.
+//
+// Merge model (client owns the merge):
+//   - push: capture live browser cookies → pull vault → decrypt → merge → encrypt → PUT
+//   - pull: GET → decrypt → merge into sessions.json
+//   - Server does a simple replace — it never inspects cookie contents.
+//
+// Google cookies are excluded (browser-fingerprint-bound, break on other machines).
+
+const VAULT_EXCLUDE_DOMAINS = ['google.com', 'googleapis.com', 'gstatic.com', 'youtube.com', 'accounts.google', 'googleadservices'];
+
+// Derives a 32-byte AES key from the user_id (user-scoped, same across all devices).
+// user_id is returned by the server GET /api/sessions/vault response.
+function _vaultKey(userId) {
+  return crypto.scryptSync(String(userId), 'agentforge-session-vault-v1', 32);
+}
+
+function _vaultEncrypt(userId, cookies) {
+  const key = _vaultKey(userId);
+  const iv = crypto.randomBytes(12); // 96-bit IV for GCM
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+  const data = Buffer.concat([cipher.update(JSON.stringify(cookies), 'utf8'), cipher.final()]);
+  return {
+    v: 1,
+    iv: iv.toString('base64'),
+    tag: cipher.getAuthTag().toString('base64'),
+    data: data.toString('base64'),
+  };
+}
+
+function _vaultDecrypt(userId, payload) {
+  if (!payload || payload.v !== 1) return null;
+  try {
+    const key = _vaultKey(userId);
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(payload.iv, 'base64'));
+    decipher.setAuthTag(Buffer.from(payload.tag, 'base64'));
+    const plain = Buffer.concat([decipher.update(Buffer.from(payload.data, 'base64')), decipher.final()]);
+    return JSON.parse(plain.toString('utf8'));
+  } catch { return null; }
+}
+
+// Merge two cookie arrays by name+domain.
+// For persistent cookies (with expires), keep the one with the later expiry — this ensures
+// For persistent cookies, keep the one with the later expiry.
+// For session cookies (expires -1 or absent), incoming wins.
+function _mergeCookies(base, incoming) {
+  const merged = [...base];
+  for (const c of incoming) {
+    const idx = merged.findIndex(e => e.name === c.name && e.domain === c.domain);
+    if (idx < 0) { merged.push(c); continue; }
+    const existing = merged[idx];
+    // Both persistent: keep whichever expires later
+    if (c.expires > 0 && existing.expires > 0) {
+      if (c.expires > existing.expires) merged[idx] = c;
+      // else keep existing (it expires later)
+    } else {
+      // Session cookie or incoming persistent over existing session: incoming wins
+      merged[idx] = c;
+    }
+  }
+  return merged;
+}
+
+// Ensures the AgentForge dashboard browser tab is authenticated.
+// Uses the worker token to create a fresh server session via /auth/worker-token.
+// This heals expired sessions and server restarts with new SESSION_SECRETs automatically.
+async function ensureDashboardAuth(token, serverUrl) {
+  if (!isBrowserRunning()) return; // nothing to do if browser isn't running
+  try {
+    const tabsRes = await fetch(`http://127.0.0.1:${CDP_PORT}/json`);
+    const tabs = await tabsRes.json();
+    if (!tabs || tabs.length === 0) return;
+
+    // Find the dashboard tab (or any tab on the server domain)
+    const dashboardTab = tabs.find(t => t.url && t.url.includes(serverUrl.replace(/^https?:\/\//, '')));
+    if (!dashboardTab) return;
+
+    const currentUrl = dashboardTab.url || '';
+
+    // If on GitHub login page or login redirect — session is expired, re-auth now
+    // Also check on startup (always navigate to ensure fresh session)
+    const needsAuth = currentUrl.includes('github.com/login') ||
+                      currentUrl.includes('/auth/github') ||
+                      currentUrl.endsWith('/login') ||
+                      currentUrl.endsWith('/');
+
+    if (!needsAuth) return; // Dashboard is loaded and session is valid
+
+    const authUrl = `${serverUrl}/auth/worker-token?token=${encodeURIComponent(token)}`;
+    console.log('🔑 Dashboard session expired — re-authenticating via worker token...');
+
+    const { default: WebSocket } = await import('ws');
+    await new Promise((resolve) => {
+      const ws = new WebSocket(dashboardTab.webSocketDebuggerUrl);
+      const timer = setTimeout(() => { try { ws.close(); } catch {} resolve(); }, 8000);
+      ws.on('open', () => {
+        ws.send(JSON.stringify({
+          id: 1,
+          method: 'Page.navigate',
+          params: { url: authUrl }
+        }));
+      });
+      ws.on('message', (raw) => {
+        try {
+          const m = JSON.parse(raw);
+          if (m.id === 1) { clearTimeout(timer); try { ws.close(); } catch {} resolve(); }
+        } catch {}
+      });
+      ws.on('error', () => { clearTimeout(timer); resolve(); });
+    });
+
+    console.log('✅ Dashboard re-authentication initiated');
+  } catch (err) {
+    // Non-fatal — will retry on next interval
+  }
+}
+
+// Reads all plaintext cookies from the running agent browser via CDP Network.getAllCookies.
+// Returns [] if browser is not running.
+async function captureAgentBrowserCookies() {
+  if (!isBrowserRunning()) return [];
+  try {
+    const tabsRes = await fetch(`http://127.0.0.1:${CDP_PORT}/json`);
+    const tabs = await tabsRes.json();
+    if (!tabs || !tabs[0]) return [];
+    const { default: WebSocket } = await import('ws');
+    return await new Promise((resolve) => {
+      const ws = new WebSocket(tabs[0].webSocketDebuggerUrl);
+      const timer = setTimeout(() => { try { ws.close(); } catch {} resolve([]); }, 6000);
+      ws.on('open', () => {
+        ws.send(JSON.stringify({ id: 1, method: 'Network.getAllCookies', params: {} }));
+      });
+      ws.on('message', (raw) => {
+        try {
+          const m = JSON.parse(raw);
+          if (m.id === 1) {
+            clearTimeout(timer);
+            try { ws.close(); } catch {}
+            const cookies = (m.result?.cookies || []).filter(c =>
+              !VAULT_EXCLUDE_DOMAINS.some(d => (c.domain || '').includes(d))
+            );
+            resolve(cookies);
+          }
+        } catch { resolve([]); }
+      });
+      ws.on('error', () => { clearTimeout(timer); resolve([]); });
+    });
+  } catch { return []; }
+}
+
+// Fetches and decrypts the current vault contents.
+// Returns { cookies: [], userId: null } if vault is empty or decryption fails.
+// userId is user-scoped (same across all devices for the same GitHub account).
+async function _fetchVault(token, serverUrl) {
+  try {
+    const res = await fetch(`${serverUrl}/api/sessions/vault`, {
+      headers: { 'Authorization': `Bearer ${token}` },
+      signal: AbortSignal.timeout(10000),
+    });
+    if (!res.ok) return { cookies: [], userId: null };
+    const data = await res.json();
+    const userId = data.user_id || null;
+    if (!data.payload) return { cookies: [], userId };
+    const cookies = _vaultDecrypt(userId, data.payload) || [];
+    return { cookies, userId };
+  } catch { return { cookies: [], userId: null }; }
+}
+
+// Pushes cookies to the vault: capture browser → GET user_id + existing → merge → encrypt with user_id → PUT.
+// Only runs when the agent browser is available (no point pushing 0 cookies).
+async function pushSessionsToVault(token, serverUrl) {
+  if (!isBrowserRunning()) return;
+  try {
+    const [local, { cookies: existing, userId }] = await Promise.all([
+      captureAgentBrowserCookies(),
+      _fetchVault(token, serverUrl),
+    ]);
+    if (local.length === 0 || !userId) return;
+    const merged = _mergeCookies(existing, local); // local wins on conflict
+    const payload = _vaultEncrypt(userId, merged);
+    const res = await fetch(`${serverUrl}/api/sessions/vault`, {
+      method: 'PUT',
+      headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' },
+      body: JSON.stringify({ payload }),
+      signal: AbortSignal.timeout(15000),
+    });
+    if (res.ok) console.log(`☁️  Session vault updated (${merged.length} cookie(s), encrypted)`);
+  } catch { /* non-fatal */ }
+}
+
+// Pulls cookies from the vault, decrypts, and merges into sessions.json.
+async function pullSessionsFromVault(token, serverUrl) {
+  try {
+    const { cookies: vaultCookies } = await _fetchVault(token, serverUrl);
+    if (vaultCookies.length === 0) return;
+    // Merge vault cookies into local sessions.json
+    saveSession(vaultCookies);
+    console.log(`☁️  Session vault synced (${vaultCookies.length} cookie(s), decrypted)`);
+  } catch { /* non-fatal */ }
+}
+
 // Creates /Applications/AgentForge Browser.app — a Chrome wrapper that:
 //  - Appears as a distinct app in the dock (own icon, own name)
 //  - Launches Chrome with the agent profile flags
 //  - Shares Chrome's "Chrome Safe Storage" Keychain key so seeded cookies work
 // Falls back to ~/Applications if /Applications isn't writable.
 function installAgentBrowserApp() {
-  const chrome = findGoogleChrome();
-  if (!chrome) return null; // Chrome required — Chromium can't share Keychain
+  // Use whichever browser matches the user's profile (Chrome or Chromium) so
+  // the agent browser shares the same "* Safe Storage" Keychain key and can
+  // decrypt seeded cookies. Falls back to any available browser.
+  const profile = findUserBrowserProfile();
+  const chrome = profile?.browserBin || findBrowser();
+  if (!chrome) return null;
 
   const appName = 'AgentForge Browser.app';
   let appDir = path.join('/Applications', appName);
@@ -1048,6 +1690,151 @@ print('ok')
   try { execSync(`python3 "${pyScript}" 2>/dev/null`); } catch {}
 }
 
+// Saves cookies to sessions.json for persistence across browser restarts.
+// Call this after manually logging in to a site to persist that login.
+function saveSession(cookies) {
+  let sessions = { cookies: [] };
+  if (fs.existsSync(SESSIONS_FILE)) {
+    try { sessions = JSON.parse(fs.readFileSync(SESSIONS_FILE, 'utf8')); } catch {}
+  }
+  // Merge: update existing by name+domain, add new ones
+  for (const c of cookies) {
+    const idx = sessions.cookies.findIndex(s => s.name === c.name && s.domain === c.domain);
+    if (idx >= 0) sessions.cookies[idx] = c;
+    else sessions.cookies.push(c);
+  }
+  fs.writeFileSync(SESSIONS_FILE, JSON.stringify(sessions, null, 2));
+}
+
+async function sendPageCdpCommand(webSocketDebuggerUrl, method, params = {}, timeoutMs = 15000) {
+  const { default: WebSocket } = await import('ws');
+  return await new Promise((resolve, reject) => {
+    const ws = new WebSocket(webSocketDebuggerUrl);
+    const id = 1;
+    const timer = setTimeout(() => {
+      try { ws.close(); } catch {}
+      reject(new Error(`${method} timed out after ${timeoutMs}ms`));
+    }, timeoutMs);
+    ws.on('open', () => {
+      ws.send(JSON.stringify({ id, method, params }));
+    });
+    ws.on('message', (raw) => {
+      try {
+        const message = JSON.parse(raw);
+        if (message.id !== id) return;
+        clearTimeout(timer);
+        try { ws.close(); } catch {}
+        if (message.error) {
+          reject(new Error(message.error.message || JSON.stringify(message.error)));
+        } else {
+          resolve(message.result);
+        }
+      } catch (err) {
+        clearTimeout(timer);
+        try { ws.close(); } catch {}
+        reject(err);
+      }
+    });
+    ws.on('error', (err) => {
+      clearTimeout(timer);
+      reject(err);
+    });
+  });
+}
+
+// Injects cookies from sessions.json into the running browser via a page-level CDP
+// target. Avoid Puppeteer here: browser.pages() eagerly enables Network on every
+// tab, which can time out while Chrome is busy and makes startup look broken.
+// Page-level Network.setCookies writes to the real cookie store without that scan.
+async function injectSavedSessions() {
+  if (!fs.existsSync(SESSIONS_FILE)) return;
+  let sessions;
+  try { sessions = JSON.parse(fs.readFileSync(SESSIONS_FILE, 'utf8')); } catch { return; }
+  const cookies = sessions.cookies || [];
+  if (cookies.length === 0) return;
+
+  // Wait for CDP to be ready (up to 15s)
+  let ready = false;
+  for (let i = 0; i < 30; i++) {
+    await new Promise(r => setTimeout(r, 500));
+    try {
+      await new Promise((resolve, reject) => {
+        const req = http.get(`http://127.0.0.1:${CDP_PORT}/json`, r => { r.resume(); resolve(); });
+        req.on('error', reject);
+        req.setTimeout(500, () => { req.destroy(); reject(new Error('timeout')); });
+      });
+      ready = true;
+      break;
+    } catch {}
+  }
+  if (!ready) return;
+
+  await new Promise(r => setTimeout(r, 800));
+
+  try {
+    const tabsRes = await fetch(`http://127.0.0.1:${CDP_PORT}/json`);
+    const tabs = await tabsRes.json();
+    const page = tabs.find(t => t.type === 'page' && t.webSocketDebuggerUrl) || tabs.find(t => t.webSocketDebuggerUrl);
+    if (!page) return;
+
+    // Strip Chrome-internal fields that CDP rejects (sameParty, sourceScheme, sourcePort, partitionKey, etc.)
+    // Use only the fields that Network.setCookies accepts.
+    const VALID_COOKIE_FIELDS = new Set(['name','value','domain','path','secure','httpOnly','sameSite','expires']);
+    const sanitized = cookies.map(c => {
+      const s = {};
+      for (const k of VALID_COOKIE_FIELDS) if (c[k] !== undefined) s[k] = c[k];
+      if (s.expires !== undefined && s.expires <= 0) delete s.expires;
+      return s;
+    }).filter(c => c.name && c.value !== undefined);
+
+    // Try bulk inject first. If Chrome rejects the batch (invalid cookie fields from
+    // public suffix list or partition key issues), fall back to one-by-one so valid
+    // cookies still get set.
+    try {
+      await sendPageCdpCommand(page.webSocketDebuggerUrl, 'Network.setCookies', { cookies: sanitized }, 15000);
+      console.log(`🔑 Sessions injected (${sanitized.length} cookie(s)) via Network.setCookies`);
+    } catch (bulkErr) {
+      console.warn(`⚠️  Bulk cookie inject failed (${bulkErr.message}) — injecting one-by-one`);
+      let injected = 0, skipped = 0;
+      for (const cookie of sanitized) {
+        try {
+          await sendPageCdpCommand(page.webSocketDebuggerUrl, 'Network.setCookies', { cookies: [cookie] }, 5000);
+          injected++;
+        } catch { skipped++; }
+      }
+      console.log(`🔑 Sessions injected one-by-one: ${injected} ok, ${skipped} skipped`);
+    }
+  } catch (err) {
+    console.warn(`⚠️  Session injection failed: ${err.message}`);
+  }
+}
+
+function launchBrowserDirect(browserPath, startupUrl = 'https://agentforgeai-production.up.railway.app/dashboard') {
+  const args = [
+    `--remote-debugging-address=0.0.0.0`,
+    `--remote-debugging-port=${CDP_PORT}`,
+    `--user-data-dir=${BROWSER_PROFILE_DIR}`,
+    '--no-first-run',
+    '--no-default-browser-check',
+    '--disable-sync',
+    '--disable-component-update',
+    '--safebrowsing-disable-auto-update',
+    '--disable-background-networking',
+    '--disable-background-timer-throttling',
+    '--disable-backgrounding-occluded-windows',
+    '--disable-renderer-backgrounding',
+    '--disable-client-side-phishing-detection',
+    '--disable-hang-monitor',
+    '--disable-translate',
+    startupUrl,
+  ];
+  const logPath = path.join(CONFIG_DIR, 'browser.log');
+  const out = fs.openSync(logPath, 'a');
+  const proc = spawn(browserPath, args, { detached: true, stdio: ['ignore', out, out] });
+  proc.unref();
+  return true;
+}
+
 function installLaunchAgent(browserPath, startupUrl = 'https://agentforgeai-production.up.railway.app/dashboard') {
   const plist = `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@@ -1066,6 +1853,13 @@ function installLaunchAgent(browserPath, startupUrl = 'https://agentforgeai-prod
     <string>--disable-sync</string>
     <string>--disable-component-update</string>
     <string>--safebrowsing-disable-auto-update</string>
+    <string>--disable-background-networking</string>
+    <string>--disable-background-timer-throttling</string>
+    <string>--disable-backgrounding-occluded-windows</string>
+    <string>--disable-renderer-backgrounding</string>
+    <string>--disable-client-side-phishing-detection</string>
+    <string>--disable-hang-monitor</string>
+    <string>--disable-translate</string>
     <string>${startupUrl}</string>
   </array>
   <key>RunAtLoad</key>
@@ -1111,7 +1905,7 @@ program
       }
       if (isBrowserRunning()) {
         console.log('Stopping agent browser to reseed...');
-        try { execSync(`launchctl unload "${LAUNCH_AGENT_PLIST}" 2>/dev/null`); } catch {}
+        execSync('pkill -9 Chromium 2>/dev/null || pkill -9 "Google Chrome" 2>/dev/null || true');
         execSync('sleep 2');
       }
       const result = seedBrowserProfile(true);
@@ -1120,7 +1914,7 @@ program
       } else {
         console.log('⚠️  Could not read Chrome profile.');
       }
-      installLaunchAgent(browser);
+      launchBrowserDirect(browser);
       console.log('✅ Agent browser restarted — log into Google in the browser window.');
       return;
     }
@@ -1132,7 +1926,7 @@ program
 
     installAgentBrowserApp();
     const result = seedBrowserProfile();
-    installLaunchAgent(browser);
+    launchBrowserDirect(browser);
     if (result === 'seeded') {
       console.log('✅ Agent browser launched — log into Google in the browser window (one time only).');
     } else {