@hanzo/bot 2026.3.7 → 2026.3.8

package/dist/gateway-cli-DjWebqxe.js

@@ -0,0 +1,1436 @@
+import { d as colorize, f as isRich, p as theme, s as setVerbose } from "./globals-d3aR1MYC.js";
+import { g as resolveStateDir, t as CONFIG_PATH, u as resolveGatewayPort } from "./paths-BMo6kTge.js";
+import { n as defaultRuntime } from "./runtime-CvdZtNmJ.js";
+import { a as setConsoleSubsystemFilter, o as setConsoleTimestampPrefix, t as createSubsystemLogger } from "./subsystem-C6poMade.js";
+import "./boolean-ydSOedIP.js";
+import "./store-D8F_4CRR.js";
+import { G as writeConfigFile, R as createConfigIO, V as readConfigFileSnapshot, z as loadConfig } from "./auth-profiles-BtxyXCZY.js";
+import { t as formatCliCommand } from "./command-format-MESnUO9S.js";
+import { A as resolveDefaultAgentWorkspaceDir, j as resolveWorkspaceTemplateDir } from "./agent-scope-BcruZHHR.js";
+import { v as resolveUserPath, x as shortenHomePath } from "./utils-BnC3HGtm.js";
+import "./openclaw-root-T5G2ldGE.js";
+import "./logger-DyQjakwH.js";
+import "./exec-B8Hv4Nkd.js";
+import { a as hasConfiguredSecretInput } from "./types.secrets-CpVqMFti.js";
+import "./github-copilot-token-BKQ4nXAw.js";
+import "./manifest-registry-m_hXBIk-.js";
+import "./version-DT-JIO28.js";
+import "./registry-DnJ84ILp.js";
+import "./ip-C7WWCRN7.js";
+import "./dock-nMBfeGKa.js";
+import "./tokens-C3eENCf9.js";
+import "./compact-CuLMew-8.js";
+import "./accounts-C04lw_uh.js";
+import "./plugins-CCkC0dRo.js";
+import "./logging-kuFzZMsG.js";
+import "./send-CIW-foVz.js";
+import "./send-CFNNbHEA.js";
+import "./machine-name-BWZ0tBHk.js";
+import "./deliver-Bge0HwrF.js";
+import "./diagnostic-CXxZq_XY.js";
+import "./restart-D97MOP8K.js";
+import "./accounts-CtzU1wJb.js";
+import "./image-ops-Bnk-bI_x.js";
+import "./send-CZtdjq0Y.js";
+import "./pi-model-discovery-6_opNECD.js";
+import { g as GATEWAY_CLIENT_NAMES, h as GATEWAY_CLIENT_MODES } from "./message-channel-DOpIvru6.js";
+import "./pi-embedded-helpers-CCkKNz_h.js";
+import "./sandbox-DKscghPx.js";
+import "./tool-catalog-3w4XiWhy.js";
+import "./chrome-D4EfbMKb.js";
+import "./tailscale-DRFhBuh-.js";
+import { n as pickPrimaryTailnetIPv4 } from "./tailnet-CInGXmk9.js";
+import "./ws-BwH2d97O.js";
+import { a as resolveGatewayAuth } from "./auth-CWHo884l.js";
+import "./server-context-CcW_Z5sB.js";
+import "./frontmatter-B0viix_h.js";
+import "./skills-Cp-zTGor.js";
+import "./path-alias-guards-Bz8AnRb7.js";
+import "./paths-BBXgPm_n.js";
+import "./redact-B1GVGbib.js";
+import { o as isErrno } from "./errors-ClLWB67m.js";
+import "./fs-safe-CFIinCN2.js";
+import "./proxy-env-a_fwG5uV.js";
+import "./store-DCoVH3mG.js";
+import { a as formatPortDiagnostics, n as inspectPortUsage, t as ensurePortAvailable } from "./ports-BxwhTkI2.js";
+import "./ports-lsof-C-KFQ3hh.js";
+import "./trash-DHZNy01S.js";
+import "./server-middleware-BtyTo4hI.js";
+import "./sessions-BkKVGWHa.js";
+import "./accounts-BVV0eCmx.js";
+import "./paths-gTdorMgW.js";
+import "./chat-envelope-DVKDDTSu.js";
+import "./tool-images-BwtNIRsT.js";
+import "./thinking-C0gzzPsv.js";
+import "./models-config-D_IvpQGa.js";
+import "./exec-approvals-allowlist-dlIMsRq0.js";
+import "./exec-safe-bin-runtime-policy-Ds-cMyOt.js";
+import "./model-catalog-DtjVcDuN.js";
+import "./fetch-BPh3R9xH.js";
+import "./audio-transcription-runner-bvBQs8UB.js";
+import "./fetch-guard-hL-C2yQz.js";
+import "./image-m1GU1uco.js";
+import "./tool-display-qTfeZx-b.js";
+import "./api-key-rotation-C0toONXd.js";
+import "./proxy-fetch-B-9MM6tH.js";
+import "./ir-BjnGKA2N.js";
+import "./render-CUAKPmvZ.js";
+import "./target-errors-CkcKdefZ.js";
+import "./commands-BoGUirwW.js";
+import "./commands-registry-Dn_5_JYs.js";
+import "./session-cost-usage-CBHvFXhD.js";
+import "./sqlite-BOrw_KhN.js";
+import "./device-identity-DtdLP7QQ.js";
+import "./client-Bvvecv3V.js";
+import { n as callGateway } from "./call-DL23sPxF.js";
+import "./pairing-token-BIAdQuAM.js";
+import "./fetch-DyJnPUwL.js";
+import "./pairing-store-CXFEv3Gr.js";
+import "./exec-approvals-Bh1osORd.js";
+import "./nodes-screen-X8daVm8e.js";
+import "./system-run-command-Kw0jxir0.js";
+import "./session-utils-t4ZmEDMj.js";
+import { n as formatTokenCount, r as formatUsd } from "./usage-format-zuuFSdkg.js";
+import "./skill-commands-Dyi0nIIE.js";
+import "./pi-tools.policy-U1G3dAzL.js";
+import "./workspace-dirs-BgwJ2Axm.js";
+import "./channel-activity-DItBzFyQ.js";
+import "./tables-D4LxfXpk.js";
+import "./server-lifecycle-DWK8vMXD.js";
+import "./with-timeout-DKgjtZv2.js";
+import "./stagger-Cek4Eizw.js";
+import "./channel-selection-BnXQH0vV.js";
+import "./plugin-auto-enable-3v7X3qMK.js";
+import "./send-C2xEPjDg.js";
+import "./outbound-attachment-Bm82Qbyl.js";
+import "./delivery-queue-BVKd_xSI.js";
+import "./send-BSbPEzn5.js";
+import "./proxy-CUsDSClP.js";
+import "./timeouts-DEnpCqGd.js";
+import "./runtime-config-collectors-CML7zUqZ.js";
+import "./command-secret-targets-C382v6Qd.js";
+import { c as handleReset } from "./onboard-helpers-BkwNJPNU.js";
+import "./prompt-style-DB_OyH4q.js";
+import "./pairing-labels-B_3GjgjR.js";
+import "./memory-cli-yvsbLFgi.js";
+import "./manager-BVqjeGyT.js";
+import { t as formatDocsLink } from "./links-DZZ9QxWA.js";
+import { n as runCommandWithRuntime } from "./cli-utils-CCaEbxAz.js";
+import { t as formatHelpExamples } from "./help-format-Ce4Xueed.js";
+import { n as withProgress } from "./progress-DB5E2Y0L.js";
+import "./skills-status-NIhVZfqm.js";
+import "./path-env-CgmdxEc7.js";
+import "./dangerous-tools-B9LIt3MU.js";
+import { n as inheritOptionFromParent } from "./command-options-ZvhOayEd.js";
+import "./agents.config-OuZqDEe6.js";
+import "./install-safe-path-BxdyoAni.js";
+import "./skill-scanner-C6efDeWr.js";
+import "./issue-format-BMPYbT1P.js";
+import "./status-DNPn0STZ.js";
+import "./channels-status-issues-DXNaEL8i.js";
+import "./redact-snapshot-DDgxiqE4.js";
+import "./daemon-install-helpers-BtOiCRD1.js";
+import "./runtime-guard-jpG1v0SY.js";
+import "./gateway-install-token-olAkdWwV.js";
+import "./systemd-tjVNbfBk.js";
+import "./service-DnXLOpYd.js";
+import "./lifecycle-core-fN_BonzB.js";
+import "./systemd-hints-Da4Q7Orc.js";
+import { t as parsePort$1 } from "./parse-port-DjjWDROB.js";
+import { n as addGatewayServiceCommands } from "./daemon-cli-C6ZVajFI.js";
+import { t as probeGateway } from "./probe-AK77B0YW.js";
+import "./diagnostics-GQuagqCt.js";
+import "./table-BP6N5EYA.js";
+import { n as resolveWideAreaDiscoveryDomain } from "./widearea-dns-9PZLZ6zk.js";
+import { i as toOptionString, n as extractGatewayMiskeys, r as maybeExplainGatewayServiceStop, t as describeUnknownError } from "./shared-DKj9yygb.js";
+import { t as discoverGatewayBeacons } from "./bonjour-discovery-C1SH2QqR.js";
+import { t as resolveConfiguredSecretInputString } from "./resolve-configured-secret-input-string-D9uWNIsN.js";
+import { i as pickGatewaySelfPresence } from "./status-DN8lRmcz.js";
+import { a as styleHealthChannelLine, t as formatHealthChannelLines } from "./health-Cs-k6kLT.js";
+import { n as startGatewayServer } from "./server-CG9eco0N.js";
+import "./control-ui-assets-Co9rmXkB.js";
+import "./channel-account-context-DGbGZhGz.js";
+import "./runtime-BBknab-X.js";
+import "./onboarding.secret-input-BDId1_5K.js";
+import "./onboarding-gbgi-zx9.js";
+import { p as setGatewayWsLogStyle } from "./push-apns-D7Kl5IlU.js";
+import "./gmail-setup-utils-DuoBM8ed.js";
+import "./node-command-policy-CeKPGmlP.js";
+import "./audit-BWNRwu8g.js";
+import "./node-service-BLMp6VWJ.js";
+import "./status.update-Cd4sMxYz.js";
+import "./skills-install-LXdiRh5j.js";
+import "./update-runner-BDHtvoca.js";
+import { t as GatewayLockError } from "./gateway-lock-DNpln_70.js";
+import "./workspace-CedZZfvJ.js";
+import { n as forceFreePortAndWait, r as waitForPortBindable } from "./ports-BG0KrTF5.js";
+import { t as runGatewayLoop } from "./run-loop-Zvh_699t.js";
+import { spawn } from "node:child_process";
+import os from "node:os";
+import path from "node:path";
+import fs from "node:fs";
+import net from "node:net";
+
+//#region src/infra/ssh-config.ts
+function parsePort(value) {
+	if (!value) return;
+	const parsed = Number.parseInt(value, 10);
+	if (!Number.isFinite(parsed) || parsed <= 0) return;
+	return parsed;
+}
+function parseSshConfigOutput(output) {
+	const result = { identityFiles: [] };
+	const lines = output.split("\n");
+	for (const raw of lines) {
+		const line = raw.trim();
+		if (!line) continue;
+		const [key, ...rest] = line.split(/\s+/);
+		const value = rest.join(" ").trim();
+		if (!key || !value) continue;
+		switch (key) {
+			case "user":
+				result.user = value;
+				break;
+			case "hostname":
+				result.host = value;
+				break;
+			case "port":
+				result.port = parsePort(value);
+				break;
+			case "identityfile":
+				if (value !== "none") result.identityFiles.push(value);
+				break;
+			default: break;
+		}
+	}
+	return result;
+}
+async function resolveSshConfig(target, opts = {}) {
+	const sshPath = "/usr/bin/ssh";
+	const args = ["-G"];
+	if (target.port > 0 && target.port !== 22) args.push("-p", String(target.port));
+	if (opts.identity?.trim()) args.push("-i", opts.identity.trim());
+	const userHost = target.user ? `${target.user}@${target.host}` : target.host;
+	args.push("--", userHost);
+	return await new Promise((resolve) => {
+		const child = spawn(sshPath, args, { stdio: [
+			"ignore",
+			"pipe",
+			"ignore"
+		] });
+		let stdout = "";
+		child.stdout?.setEncoding("utf8");
+		child.stdout?.on("data", (chunk) => {
+			stdout += String(chunk);
+		});
+		const timeoutMs = Math.max(200, opts.timeoutMs ?? 800);
+		const timer = setTimeout(() => {
+			try {
+				child.kill("SIGKILL");
+			} finally {
+				resolve(null);
+			}
+		}, timeoutMs);
+		child.once("error", () => {
+			clearTimeout(timer);
+			resolve(null);
+		});
+		child.once("exit", (code) => {
+			clearTimeout(timer);
+			if (code !== 0 || !stdout.trim()) {
+				resolve(null);
+				return;
+			}
+			resolve(parseSshConfigOutput(stdout));
+		});
+	});
+}
+
+//#endregion
+//#region src/infra/ssh-tunnel.ts
+function parseSshTarget(raw) {
+	const trimmed = raw.trim().replace(/^ssh\s+/, "");
+	if (!trimmed) return null;
+	const [userPart, hostPart] = trimmed.includes("@") ? (() => {
+		const idx = trimmed.indexOf("@");
+		const user = trimmed.slice(0, idx).trim();
+		const host = trimmed.slice(idx + 1).trim();
+		return [user || void 0, host];
+	})() : [void 0, trimmed];
+	const colonIdx = hostPart.lastIndexOf(":");
+	if (colonIdx > 0 && colonIdx < hostPart.length - 1) {
+		const host = hostPart.slice(0, colonIdx).trim();
+		const portRaw = hostPart.slice(colonIdx + 1).trim();
+		const port = Number.parseInt(portRaw, 10);
+		if (!host || !Number.isFinite(port) || port <= 0) return null;
+		if (host.startsWith("-")) return null;
+		return {
+			user: userPart,
+			host,
+			port
+		};
+	}
+	if (!hostPart) return null;
+	if (hostPart.startsWith("-")) return null;
+	return {
+		user: userPart,
+		host: hostPart,
+		port: 22
+	};
+}
+async function pickEphemeralPort() {
+	return await new Promise((resolve, reject) => {
+		const server = net.createServer();
+		server.once("error", reject);
+		server.listen(0, "127.0.0.1", () => {
+			const addr = server.address();
+			server.close(() => {
+				if (!addr || typeof addr === "string") {
+					reject(/* @__PURE__ */ new Error("failed to allocate a local port"));
+					return;
+				}
+				resolve(addr.port);
+			});
+		});
+	});
+}
+async function canConnectLocal(port) {
+	return await new Promise((resolve) => {
+		const socket = net.connect({
+			host: "127.0.0.1",
+			port
+		});
+		const done = (ok) => {
+			socket.removeAllListeners();
+			socket.destroy();
+			resolve(ok);
+		};
+		socket.once("connect", () => done(true));
+		socket.once("error", () => done(false));
+		socket.setTimeout(250, () => done(false));
+	});
+}
+async function waitForLocalListener(port, timeoutMs) {
+	const startedAt = Date.now();
+	while (Date.now() - startedAt < timeoutMs) {
+		if (await canConnectLocal(port)) return;
+		await new Promise((r) => setTimeout(r, 50));
+	}
+	throw new Error(`ssh tunnel did not start listening on localhost:${port}`);
+}
+async function startSshPortForward(opts) {
+	const parsed = parseSshTarget(opts.target);
+	if (!parsed) throw new Error(`invalid SSH target: ${opts.target}`);
+	let localPort = opts.localPortPreferred;
+	try {
+		await ensurePortAvailable(localPort);
+	} catch (err) {
+		if (isErrno(err) && err.code === "EADDRINUSE") localPort = await pickEphemeralPort();
+		else throw err;
+	}
+	const userHost = parsed.user ? `${parsed.user}@${parsed.host}` : parsed.host;
+	const args = [
+		"-N",
+		"-L",
+		`${localPort}:127.0.0.1:${opts.remotePort}`,
+		"-p",
+		String(parsed.port),
+		"-o",
+		"ExitOnForwardFailure=yes",
+		"-o",
+		"BatchMode=yes",
+		"-o",
+		"StrictHostKeyChecking=yes",
+		"-o",
+		"UpdateHostKeys=yes",
+		"-o",
+		"ConnectTimeout=5",
+		"-o",
+		"ServerAliveInterval=15",
+		"-o",
+		"ServerAliveCountMax=3"
+	];
+	if (opts.identity?.trim()) args.push("-i", opts.identity.trim());
+	args.push("--", userHost);
+	const stderr = [];
+	const child = spawn("/usr/bin/ssh", args, { stdio: [
+		"ignore",
+		"ignore",
+		"pipe"
+	] });
+	child.stderr?.setEncoding("utf8");
+	child.stderr?.on("data", (chunk) => {
+		const lines = String(chunk).split("\n").map((l) => l.trim()).filter(Boolean);
+		stderr.push(...lines);
+	});
+	const stop = async () => {
+		if (child.killed) return;
+		child.kill("SIGTERM");
+		await new Promise((resolve) => {
+			const t = setTimeout(() => {
+				try {
+					child.kill("SIGKILL");
+				} finally {
+					resolve();
+				}
+			}, 1500);
+			child.once("exit", () => {
+				clearTimeout(t);
+				resolve();
+			});
+		});
+	};
+	try {
+		await Promise.race([waitForLocalListener(localPort, Math.max(250, opts.timeoutMs)), new Promise((_, reject) => {
+			child.once("exit", (code, signal) => {
+				reject(/* @__PURE__ */ new Error(`ssh exited (${code ?? "null"}${signal ? `/${signal}` : ""})`));
+			});
+		})]);
+	} catch (err) {
+		await stop();
+		const suffix = stderr.length > 0 ? `\n${stderr.join("\n")}` : "";
+		throw new Error(`${err instanceof Error ? err.message : String(err)}${suffix}`, { cause: err });
+	}
+	return {
+		parsedTarget: parsed,
+		localPort,
+		remotePort: opts.remotePort,
+		pid: typeof child.pid === "number" ? child.pid : null,
+		stderr,
+		stop
+	};
+}
+
+//#endregion
+//#region src/commands/gateway-status/helpers.ts
+function parseIntOrNull(value) {
+	const s = typeof value === "string" ? value.trim() : typeof value === "number" || typeof value === "bigint" ? String(value) : "";
+	if (!s) return null;
+	const n = Number.parseInt(s, 10);
+	return Number.isFinite(n) ? n : null;
+}
+function parseTimeoutMs(raw, fallbackMs) {
+	const value = typeof raw === "string" ? raw.trim() : typeof raw === "number" || typeof raw === "bigint" ? String(raw) : "";
+	if (!value) return fallbackMs;
+	const parsed = Number.parseInt(value, 10);
+	if (!Number.isFinite(parsed) || parsed <= 0) throw new Error(`invalid --timeout: ${value}`);
+	return parsed;
+}
+function normalizeWsUrl(value) {
+	const trimmed = value.trim();
+	if (!trimmed) return null;
+	if (!trimmed.startsWith("ws://") && !trimmed.startsWith("wss://")) return null;
+	return trimmed;
+}
+function resolveTargets(cfg, explicitUrl) {
+	const targets = [];
+	const add = (t) => {
+		if (!targets.some((x) => x.url === t.url)) targets.push(t);
+	};
+	const explicit = typeof explicitUrl === "string" ? normalizeWsUrl(explicitUrl) : null;
+	if (explicit) add({
+		id: "explicit",
+		kind: "explicit",
+		url: explicit,
+		active: true
+	});
+	const remoteUrl = typeof cfg.gateway?.remote?.url === "string" ? normalizeWsUrl(cfg.gateway.remote.url) : null;
+	if (remoteUrl) add({
+		id: "configRemote",
+		kind: "configRemote",
+		url: remoteUrl,
+		active: cfg.gateway?.mode === "remote"
+	});
+	add({
+		id: "localLoopback",
+		kind: "localLoopback",
+		url: `ws://127.0.0.1:${resolveGatewayPort(cfg)}`,
+		active: cfg.gateway?.mode !== "remote"
+	});
+	return targets;
+}
+function resolveProbeBudgetMs(overallMs, kind) {
+	if (kind === "localLoopback") return Math.min(800, overallMs);
+	if (kind === "sshTunnel") return Math.min(2e3, overallMs);
+	return Math.min(1500, overallMs);
+}
+function sanitizeSshTarget(value) {
+	if (typeof value !== "string") return null;
+	const trimmed = value.trim();
+	if (!trimmed) return null;
+	return trimmed.replace(/^ssh\\s+/, "");
+}
+function readGatewayTokenEnv(env = process.env) {
+	return env.OPENCLAW_GATEWAY_TOKEN?.trim() || env.CLAWDBOT_GATEWAY_TOKEN?.trim() || void 0;
+}
+function readGatewayPasswordEnv(env = process.env) {
+	return env.OPENCLAW_GATEWAY_PASSWORD?.trim() || env.CLAWDBOT_GATEWAY_PASSWORD?.trim() || void 0;
+}
+async function resolveAuthForTarget(cfg, target, overrides) {
+	const tokenOverride = overrides.token?.trim() ? overrides.token.trim() : void 0;
+	const passwordOverride = overrides.password?.trim() ? overrides.password.trim() : void 0;
+	if (tokenOverride || passwordOverride) return {
+		token: tokenOverride,
+		password: passwordOverride
+	};
+	const diagnostics = [];
+	const authMode = cfg.gateway?.auth?.mode;
+	const tokenOnly = authMode === "token";
+	const passwordOnly = authMode === "password";
+	const resolveToken = async (value, path) => {
+		const tokenResolution = await resolveConfiguredSecretInputString({
+			config: cfg,
+			env: process.env,
+			value,
+			path,
+			unresolvedReasonStyle: "detailed"
+		});
+		if (tokenResolution.unresolvedRefReason) diagnostics.push(tokenResolution.unresolvedRefReason);
+		return tokenResolution.value;
+	};
+	const resolvePassword = async (value, path) => {
+		const passwordResolution = await resolveConfiguredSecretInputString({
+			config: cfg,
+			env: process.env,
+			value,
+			path,
+			unresolvedReasonStyle: "detailed"
+		});
+		if (passwordResolution.unresolvedRefReason) diagnostics.push(passwordResolution.unresolvedRefReason);
+		return passwordResolution.value;
+	};
+	if (target.kind === "configRemote" || target.kind === "sshTunnel") {
+		const remoteTokenValue = cfg.gateway?.remote?.token;
+		const remotePasswordValue = (cfg.gateway?.remote)?.password;
+		const token = await resolveToken(remoteTokenValue, "gateway.remote.token");
+		return {
+			token,
+			password: token ? void 0 : await resolvePassword(remotePasswordValue, "gateway.remote.password"),
+			...diagnostics.length > 0 ? { diagnostics } : {}
+		};
+	}
+	if (authMode === "none" || authMode === "trusted-proxy") return {};
+	const envToken = readGatewayTokenEnv();
+	const envPassword = readGatewayPasswordEnv();
+	if (tokenOnly) {
+		if (envToken) return { token: envToken };
+		return {
+			token: await resolveToken(cfg.gateway?.auth?.token, "gateway.auth.token"),
+			...diagnostics.length > 0 ? { diagnostics } : {}
+		};
+	}
+	if (passwordOnly) {
+		if (envPassword) return { password: envPassword };
+		return {
+			password: await resolvePassword(cfg.gateway?.auth?.password, "gateway.auth.password"),
+			...diagnostics.length > 0 ? { diagnostics } : {}
+		};
+	}
+	if (envToken) return { token: envToken };
+	const token = await resolveToken(cfg.gateway?.auth?.token, "gateway.auth.token");
+	if (token) return {
+		token,
+		...diagnostics.length > 0 ? { diagnostics } : {}
+	};
+	if (envPassword) return {
+		password: envPassword,
+		...diagnostics.length > 0 ? { diagnostics } : {}
+	};
+	return {
+		token,
+		password: await resolvePassword(cfg.gateway?.auth?.password, "gateway.auth.password"),
+		...diagnostics.length > 0 ? { diagnostics } : {}
+	};
+}
+function extractConfigSummary(snapshotUnknown) {
+	const snap = snapshotUnknown;
+	const path = typeof snap?.path === "string" ? snap.path : null;
+	const exists = Boolean(snap?.exists);
+	const valid = Boolean(snap?.valid);
+	const issuesRaw = Array.isArray(snap?.issues) ? snap.issues : [];
+	const legacyRaw = Array.isArray(snap?.legacyIssues) ? snap.legacyIssues : [];
+	const cfg = snap?.config ?? {};
+	const gateway = cfg.gateway ?? {};
+	const secretDefaults = (cfg.secrets ?? {}).defaults ?? void 0;
+	const wideArea = (cfg.discovery ?? {}).wideArea ?? {};
+	const remote = gateway.remote ?? {};
+	const auth = gateway.auth ?? {};
+	const controlUi = gateway.controlUi ?? {};
+	const tailscale = gateway.tailscale ?? {};
+	const authMode = typeof auth.mode === "string" ? auth.mode : null;
+	const authTokenConfigured = hasConfiguredSecretInput(auth.token, secretDefaults);
+	const authPasswordConfigured = hasConfiguredSecretInput(auth.password, secretDefaults);
+	const remoteUrl = typeof remote.url === "string" ? normalizeWsUrl(remote.url) : null;
+	const remoteTokenConfigured = hasConfiguredSecretInput(remote.token, secretDefaults);
+	const remotePasswordConfigured = hasConfiguredSecretInput(remote.password, secretDefaults);
+	const wideAreaEnabled = typeof wideArea.enabled === "boolean" ? wideArea.enabled : null;
+	return {
+		path,
+		exists,
+		valid,
+		issues: issuesRaw.filter((i) => Boolean(i && typeof i.path === "string" && typeof i.message === "string")).map((i) => ({
+			path: i.path,
+			message: i.message
+		})),
+		legacyIssues: legacyRaw.filter((i) => Boolean(i && typeof i.path === "string" && typeof i.message === "string")).map((i) => ({
+			path: i.path,
+			message: i.message
+		})),
+		gateway: {
+			mode: typeof gateway.mode === "string" ? gateway.mode : null,
+			bind: typeof gateway.bind === "string" ? gateway.bind : null,
+			port: parseIntOrNull(gateway.port),
+			controlUiEnabled: typeof controlUi.enabled === "boolean" ? controlUi.enabled : null,
+			controlUiBasePath: typeof controlUi.basePath === "string" ? controlUi.basePath : null,
+			authMode,
+			authTokenConfigured,
+			authPasswordConfigured,
+			remoteUrl,
+			remoteTokenConfigured,
+			remotePasswordConfigured,
+			tailscaleMode: typeof tailscale.mode === "string" ? tailscale.mode : null
+		},
+		discovery: { wideAreaEnabled }
+	};
+}
+function buildNetworkHints(cfg) {
+	const tailnetIPv4 = pickPrimaryTailnetIPv4();
+	const port = resolveGatewayPort(cfg);
+	return {
+		localLoopbackUrl: `ws://127.0.0.1:${port}`,
+		localTailnetUrl: tailnetIPv4 ? `ws://${tailnetIPv4}:${port}` : null,
+		tailnetIPv4: tailnetIPv4 ?? null
+	};
+}
+function renderTargetHeader(target, rich) {
+	const kindLabel = target.kind === "localLoopback" ? "Local loopback" : target.kind === "sshTunnel" ? "Remote over SSH" : target.kind === "configRemote" ? target.active ? "Remote (configured)" : "Remote (configured, inactive)" : "URL (explicit)";
+	return `${colorize(rich, theme.heading, kindLabel)} ${colorize(rich, theme.muted, target.url)}`;
+}
+function renderProbeSummaryLine(probe, rich) {
+	if (probe.ok) {
+		const latency = typeof probe.connectLatencyMs === "number" ? `${probe.connectLatencyMs}ms` : "unknown";
+		return `${colorize(rich, theme.success, "Connect: ok")} (${latency}) · ${colorize(rich, theme.success, "RPC: ok")}`;
+	}
+	const detail = probe.error ? ` - ${probe.error}` : "";
+	if (probe.connectLatencyMs != null) {
+		const latency = typeof probe.connectLatencyMs === "number" ? `${probe.connectLatencyMs}ms` : "unknown";
+		return `${colorize(rich, theme.success, "Connect: ok")} (${latency}) · ${colorize(rich, theme.error, "RPC: failed")}${detail}`;
+	}
+	return `${colorize(rich, theme.error, "Connect: failed")}${detail}`;
+}
+
+//#endregion
+//#region src/commands/gateway-status.ts
+async function gatewayStatusCommand(opts, runtime) {
+	const startedAt = Date.now();
+	const cfg = loadConfig();
+	const rich = isRich() && opts.json !== true;
+	const overallTimeoutMs = parseTimeoutMs(opts.timeout, 3e3);
+	const wideAreaDomain = resolveWideAreaDiscoveryDomain({ configDomain: cfg.discovery?.wideArea?.domain });
+	const baseTargets = resolveTargets(cfg, opts.url);
+	const network = buildNetworkHints(cfg);
+	const discoveryTimeoutMs = Math.min(1200, overallTimeoutMs);
+	const discoveryPromise = discoverGatewayBeacons({
+		timeoutMs: discoveryTimeoutMs,
+		wideAreaDomain
+	});
+	let sshTarget = sanitizeSshTarget(opts.ssh) ?? sanitizeSshTarget(cfg.gateway?.remote?.sshTarget);
+	let sshIdentity = sanitizeSshTarget(opts.sshIdentity) ?? sanitizeSshTarget(cfg.gateway?.remote?.sshIdentity);
+	const remotePort = resolveGatewayPort(cfg);
+	let sshTunnelError = null;
+	let sshTunnelStarted = false;
+	if (!sshTarget) sshTarget = inferSshTargetFromRemoteUrl(cfg.gateway?.remote?.url);
+	if (sshTarget) {
+		const resolved = await resolveSshTarget(sshTarget, sshIdentity, overallTimeoutMs);
+		if (resolved) {
+			sshTarget = resolved.target;
+			if (!sshIdentity && resolved.identity) sshIdentity = resolved.identity;
+		}
+	}
+	const { discovery, probed } = await withProgress({
+		label: "Inspecting gateways…",
+		indeterminate: true,
+		enabled: opts.json !== true
+	}, async () => {
+		const tryStartTunnel = async () => {
+			if (!sshTarget) return null;
+			try {
+				const tunnel = await startSshPortForward({
+					target: sshTarget,
+					identity: sshIdentity ?? void 0,
+					localPortPreferred: remotePort,
+					remotePort,
+					timeoutMs: Math.min(1500, overallTimeoutMs)
+				});
+				sshTunnelStarted = true;
+				return tunnel;
+			} catch (err) {
+				sshTunnelError = err instanceof Error ? err.message : String(err);
+				return null;
+			}
+		};
+		const discoveryTask = discoveryPromise.catch(() => []);
+		const tunnelTask = sshTarget ? tryStartTunnel() : Promise.resolve(null);
+		const [discovery, tunnelFirst] = await Promise.all([discoveryTask, tunnelTask]);
+		if (!sshTarget && opts.sshAuto) {
+			const user = process.env.USER?.trim() || "";
+			const candidates = discovery.map((b) => {
+				const host = b.tailnetDns || b.lanHost || b.host;
+				if (!host?.trim()) return null;
+				const sshPort = typeof b.sshPort === "number" && b.sshPort > 0 ? b.sshPort : 22;
+				const base = user ? `${user}@${host.trim()}` : host.trim();
+				return sshPort !== 22 ? `${base}:${sshPort}` : base;
+			}).filter((candidate) => Boolean(candidate && parseSshTarget(candidate)));
+			if (candidates.length > 0) sshTarget = candidates[0] ?? null;
+		}
+		const tunnel = tunnelFirst || (sshTarget && !sshTunnelStarted && !sshTunnelError ? await tryStartTunnel() : null);
+		const tunnelTarget = tunnel ? {
+			id: "sshTunnel",
+			kind: "sshTunnel",
+			url: `ws://127.0.0.1:${tunnel.localPort}`,
+			active: true,
+			tunnel: {
+				kind: "ssh",
+				target: sshTarget ?? "",
+				localPort: tunnel.localPort,
+				remotePort,
+				pid: tunnel.pid
+			}
+		} : null;
+		const targets = tunnelTarget ? [tunnelTarget, ...baseTargets.filter((t) => t.url !== tunnelTarget.url)] : baseTargets;
+		try {
+			return {
+				discovery,
+				probed: await Promise.all(targets.map(async (target) => {
+					const authResolution = await resolveAuthForTarget(cfg, target, {
+						token: typeof opts.token === "string" ? opts.token : void 0,
+						password: typeof opts.password === "string" ? opts.password : void 0
+					});
+					const auth = {
+						token: authResolution.token,
+						password: authResolution.password
+					};
+					const timeoutMs = resolveProbeBudgetMs(overallTimeoutMs, target.kind);
+					const probe = await probeGateway({
+						url: target.url,
+						auth,
+						timeoutMs
+					});
+					return {
+						target,
+						probe,
+						configSummary: probe.configSnapshot ? extractConfigSummary(probe.configSnapshot) : null,
+						self: pickGatewaySelfPresence(probe.presence),
+						authDiagnostics: authResolution.diagnostics ?? []
+					};
+				}))
+			};
+		} finally {
+			if (tunnel) try {
+				await tunnel.stop();
+			} catch {}
+		}
+	});
+	const reachable = probed.filter((p) => p.probe.ok);
+	const ok = reachable.length > 0;
+	const multipleGateways = reachable.length > 1;
+	const primary = reachable.find((p) => p.target.kind === "explicit") ?? reachable.find((p) => p.target.kind === "sshTunnel") ?? reachable.find((p) => p.target.kind === "configRemote") ?? reachable.find((p) => p.target.kind === "localLoopback") ?? null;
+	const warnings = [];
+	if (sshTarget && !sshTunnelStarted) warnings.push({
+		code: "ssh_tunnel_failed",
+		message: sshTunnelError ? `SSH tunnel failed: ${String(sshTunnelError)}` : "SSH tunnel failed to start; falling back to direct probes."
+	});
+	if (multipleGateways) warnings.push({
+		code: "multiple_gateways",
+		message: "Unconventional setup: multiple reachable gateways detected. Usually one gateway per network is recommended unless you intentionally run isolated profiles, like a rescue bot (see docs: /gateway#multiple-gateways-same-host).",
+		targetIds: reachable.map((p) => p.target.id)
+	});
+	for (const result of probed) {
+		if (result.authDiagnostics.length === 0) continue;
+		for (const diagnostic of result.authDiagnostics) warnings.push({
+			code: "auth_secretref_unresolved",
+			message: diagnostic,
+			targetIds: [result.target.id]
+		});
+	}
+	if (opts.json) {
+		runtime.log(JSON.stringify({
+			ok,
+			ts: Date.now(),
+			durationMs: Date.now() - startedAt,
+			timeoutMs: overallTimeoutMs,
+			primaryTargetId: primary?.target.id ?? null,
+			warnings,
+			network,
+			discovery: {
+				timeoutMs: discoveryTimeoutMs,
+				count: discovery.length,
+				beacons: discovery.map((b) => ({
+					instanceName: b.instanceName,
+					displayName: b.displayName ?? null,
+					domain: b.domain ?? null,
+					host: b.host ?? null,
+					lanHost: b.lanHost ?? null,
+					tailnetDns: b.tailnetDns ?? null,
+					gatewayPort: b.gatewayPort ?? null,
+					sshPort: b.sshPort ?? null,
+					wsUrl: (() => {
+						const host = b.tailnetDns || b.lanHost || b.host;
+						const port = b.gatewayPort ?? 18789;
+						return host ? `ws://${host}:${port}` : null;
+					})()
+				}))
+			},
+			targets: probed.map((p) => ({
+				id: p.target.id,
+				kind: p.target.kind,
+				url: p.target.url,
+				active: p.target.active,
+				tunnel: p.target.tunnel ?? null,
+				connect: {
+					ok: p.probe.ok,
+					latencyMs: p.probe.connectLatencyMs,
+					error: p.probe.error,
+					close: p.probe.close
+				},
+				self: p.self,
+				config: p.configSummary,
+				health: p.probe.health,
+				summary: p.probe.status,
+				presence: p.probe.presence
+			}))
+		}, null, 2));
+		if (!ok) runtime.exit(1);
+		return;
+	}
+	runtime.log(colorize(rich, theme.heading, "Gateway Status"));
+	runtime.log(ok ? `${colorize(rich, theme.success, "Reachable")}: yes` : `${colorize(rich, theme.error, "Reachable")}: no`);
+	runtime.log(colorize(rich, theme.muted, `Probe budget: ${overallTimeoutMs}ms`));
+	if (warnings.length > 0) {
+		runtime.log("");
+		runtime.log(colorize(rich, theme.warn, "Warning:"));
+		for (const w of warnings) runtime.log(`- ${w.message}`);
+	}
+	runtime.log("");
+	runtime.log(colorize(rich, theme.heading, "Discovery (this machine)"));
+	const discoveryDomains = wideAreaDomain ? `local. + ${wideAreaDomain}` : "local.";
+	runtime.log(discovery.length > 0 ? `Found ${discovery.length} gateway(s) via Bonjour (${discoveryDomains})` : `Found 0 gateways via Bonjour (${discoveryDomains})`);
+	if (discovery.length === 0) runtime.log(colorize(rich, theme.muted, "Tip: if the gateway is remote, mDNS won’t cross networks; use Wide-Area Bonjour (split DNS) or SSH tunnels."));
+	runtime.log("");
+	runtime.log(colorize(rich, theme.heading, "Targets"));
+	for (const p of probed) {
+		runtime.log(renderTargetHeader(p.target, rich));
+		runtime.log(`  ${renderProbeSummaryLine(p.probe, rich)}`);
+		if (p.target.tunnel?.kind === "ssh") runtime.log(`  ${colorize(rich, theme.muted, "ssh")}: ${colorize(rich, theme.command, p.target.tunnel.target)}`);
+		if (p.probe.ok && p.self) {
+			const host = p.self.host ?? "unknown";
+			const ip = p.self.ip ? ` (${p.self.ip})` : "";
+			const platform = p.self.platform ? ` · ${p.self.platform}` : "";
+			const version = p.self.version ? ` · app ${p.self.version}` : "";
+			runtime.log(`  ${colorize(rich, theme.info, "Gateway")}: ${host}${ip}${platform}${version}`);
+		}
+		if (p.configSummary) {
+			const c = p.configSummary;
+			const wideArea = c.discovery.wideAreaEnabled === true ? "enabled" : c.discovery.wideAreaEnabled === false ? "disabled" : "unknown";
+			runtime.log(`  ${colorize(rich, theme.info, "Wide-area discovery")}: ${wideArea}`);
+		}
+		runtime.log("");
+	}
+	if (!ok) runtime.exit(1);
+}
+function inferSshTargetFromRemoteUrl(rawUrl) {
+	if (typeof rawUrl !== "string") return null;
+	const trimmed = rawUrl.trim();
+	if (!trimmed) return null;
+	let host = null;
+	try {
+		host = new URL(trimmed).hostname || null;
+	} catch {
+		return null;
+	}
+	if (!host) return null;
+	const user = process.env.USER?.trim() || "";
+	return user ? `${user}@${host}` : host;
+}
+function buildSshTarget(input) {
+	const host = input.host?.trim() ?? "";
+	if (!host) return null;
+	const user = input.user?.trim() ?? "";
+	const base = user ? `${user}@${host}` : host;
+	const port = input.port ?? 22;
+	if (port && port !== 22) return `${base}:${port}`;
+	return base;
+}
+async function resolveSshTarget(rawTarget, identity, overallTimeoutMs) {
+	const parsed = parseSshTarget(rawTarget);
+	if (!parsed) return null;
+	const config = await resolveSshConfig(parsed, {
+		identity: identity ?? void 0,
+		timeoutMs: Math.min(800, overallTimeoutMs)
+	});
+	if (!config) return {
+		target: rawTarget,
+		identity: identity ?? void 0
+	};
+	const target = buildSshTarget({
+		user: config.user ?? parsed.user,
+		host: config.host ?? parsed.host,
+		port: config.port ?? parsed.port
+	});
+	if (!target) return {
+		target: rawTarget,
+		identity: identity ?? void 0
+	};
+	return {
+		target,
+		identity: identity ?? config.identityFiles.find((entry) => entry.trim().length > 0)?.trim() ?? void 0
+	};
+}
+
+//#endregion
+//#region src/cli/gateway-cli/call.ts
+const gatewayCallOpts = (cmd) => cmd.option("--url <url>", "Gateway WebSocket URL (defaults to gateway.remote.url when configured)").option("--token <token>", "Gateway token (if required)").option("--password <password>", "Gateway password (password auth)").option("--timeout <ms>", "Timeout in ms", "10000").option("--expect-final", "Wait for final response (agent)", false).option("--json", "Output JSON", false);
+const callGatewayCli = async (method, opts, params) => withProgress({
+	label: `Gateway ${method}`,
+	indeterminate: true,
+	enabled: opts.json !== true
+}, async () => await callGateway({
+	url: opts.url,
+	token: opts.token,
+	password: opts.password,
+	method,
+	params,
+	expectFinal: Boolean(opts.expectFinal),
+	timeoutMs: Number(opts.timeout ?? 1e4),
+	clientName: GATEWAY_CLIENT_NAMES.CLI,
+	mode: GATEWAY_CLIENT_MODES.CLI
+}));
+
+//#endregion
+//#region src/cli/gateway-cli/discover.ts
+function parseDiscoverTimeoutMs(raw, fallbackMs) {
+	if (raw === void 0 || raw === null) return fallbackMs;
+	const value = typeof raw === "string" ? raw.trim() : typeof raw === "number" || typeof raw === "bigint" ? String(raw) : null;
+	if (value === null) throw new Error("invalid --timeout");
+	if (!value) return fallbackMs;
+	const parsed = Number.parseInt(value, 10);
+	if (!Number.isFinite(parsed) || parsed <= 0) throw new Error(`invalid --timeout: ${value}`);
+	return parsed;
+}
+function pickBeaconHost(beacon) {
+	const host = beacon.host || beacon.tailnetDns || beacon.lanHost;
+	return host?.trim() ? host.trim() : null;
+}
+function pickGatewayPort(beacon) {
+	const port = beacon.port ?? beacon.gatewayPort ?? 18789;
+	return port > 0 ? port : 18789;
+}
+function dedupeBeacons(beacons) {
+	const out = [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const b of beacons) {
+		const host = pickBeaconHost(b) ?? "";
+		const key = [
+			b.domain ?? "",
+			b.instanceName ?? "",
+			b.displayName ?? "",
+			host,
+			String(b.port ?? ""),
+			String(b.gatewayPort ?? "")
+		].join("|");
+		if (seen.has(key)) continue;
+		seen.add(key);
+		out.push(b);
+	}
+	return out;
+}
+function renderBeaconLines(beacon, rich) {
+	const nameRaw = (beacon.displayName || beacon.instanceName || "Gateway").trim();
+	const domainRaw = (beacon.domain || "local.").trim();
+	const title = colorize(rich, theme.accentBright, nameRaw);
+	const domain = colorize(rich, theme.muted, domainRaw);
+	const host = pickBeaconHost(beacon);
+	const gatewayPort = pickGatewayPort(beacon);
+	const scheme = beacon.gatewayTls ? "wss" : "ws";
+	const wsUrl = host ? `${scheme}://${host}:${gatewayPort}` : null;
+	const lines = [`- ${title} ${domain}`];
+	if (beacon.tailnetDns) lines.push(`  ${colorize(rich, theme.info, "tailnet")}: ${beacon.tailnetDns}`);
+	if (beacon.lanHost) lines.push(`  ${colorize(rich, theme.info, "lan")}: ${beacon.lanHost}`);
+	if (beacon.host) lines.push(`  ${colorize(rich, theme.info, "host")}: ${beacon.host}`);
+	if (wsUrl) lines.push(`  ${colorize(rich, theme.muted, "ws")}: ${colorize(rich, theme.command, wsUrl)}`);
+	if (beacon.role) lines.push(`  ${colorize(rich, theme.muted, "role")}: ${beacon.role}`);
+	if (beacon.transport) lines.push(`  ${colorize(rich, theme.muted, "transport")}: ${beacon.transport}`);
+	if (beacon.gatewayTls) {
+		const fingerprint = beacon.gatewayTlsFingerprintSha256 ? `sha256 ${beacon.gatewayTlsFingerprintSha256}` : "enabled";
+		lines.push(`  ${colorize(rich, theme.muted, "tls")}: ${fingerprint}`);
+	}
+	if (typeof beacon.sshPort === "number" && beacon.sshPort > 0 && host) {
+		const ssh = `ssh -N -L 18789:127.0.0.1:18789 <user>@${host} -p ${beacon.sshPort}`;
+		lines.push(`  ${colorize(rich, theme.muted, "ssh")}: ${colorize(rich, theme.command, ssh)}`);
+	}
+	return lines;
+}
+
+//#endregion
+//#region src/cli/gateway-cli/dev.ts
+const DEV_IDENTITY_NAME = "C3-PO";
+const DEV_IDENTITY_THEME = "protocol droid";
+const DEV_IDENTITY_EMOJI = "🤖";
+const DEV_AGENT_WORKSPACE_SUFFIX = "dev";
+async function loadDevTemplate(name, fallback) {
+	try {
+		const templateDir = await resolveWorkspaceTemplateDir();
+		const raw = await fs.promises.readFile(path.join(templateDir, name), "utf-8");
+		if (!raw.startsWith("---")) return raw;
+		const endIndex = raw.indexOf("\n---", 3);
+		if (endIndex === -1) return raw;
+		return raw.slice(endIndex + 4).replace(/^\s+/, "");
+	} catch {
+		return fallback;
+	}
+}
+const resolveDevWorkspaceDir = (env = process.env) => {
+	const baseDir = resolveDefaultAgentWorkspaceDir(env, os.homedir);
+	if (env.OPENCLAW_PROFILE?.trim().toLowerCase() === "dev") return baseDir;
+	return `${baseDir}-${DEV_AGENT_WORKSPACE_SUFFIX}`;
+};
+async function writeFileIfMissing(filePath, content) {
+	try {
+		await fs.promises.writeFile(filePath, content, {
+			encoding: "utf-8",
+			flag: "wx"
+		});
+	} catch (err) {
+		if (err.code !== "EEXIST") throw err;
+	}
+}
+async function ensureDevWorkspace(dir) {
+	const resolvedDir = resolveUserPath(dir);
+	await fs.promises.mkdir(resolvedDir, { recursive: true });
+	const [agents, soul, tools, identity, user] = await Promise.all([
+		loadDevTemplate("AGENTS.dev.md", `# AGENTS.md - OpenClaw Dev Workspace\n\nDefault dev workspace for openclaw gateway --dev.\n`),
+		loadDevTemplate("SOUL.dev.md", `# SOUL.md - Dev Persona\n\nProtocol droid for debugging and operations.\n`),
+		loadDevTemplate("TOOLS.dev.md", `# TOOLS.md - User Tool Notes (editable)\n\nAdd your local tool notes here.\n`),
+		loadDevTemplate("IDENTITY.dev.md", `# IDENTITY.md - Agent Identity\n\n- Name: ${DEV_IDENTITY_NAME}\n- Creature: protocol droid\n- Vibe: ${DEV_IDENTITY_THEME}\n- Emoji: ${DEV_IDENTITY_EMOJI}\n`),
+		loadDevTemplate("USER.dev.md", `# USER.md - User Profile\n\n- Name:\n- Preferred address:\n- Notes:\n`)
+	]);
+	await writeFileIfMissing(path.join(resolvedDir, "AGENTS.md"), agents);
+	await writeFileIfMissing(path.join(resolvedDir, "SOUL.md"), soul);
+	await writeFileIfMissing(path.join(resolvedDir, "TOOLS.md"), tools);
+	await writeFileIfMissing(path.join(resolvedDir, "IDENTITY.md"), identity);
+	await writeFileIfMissing(path.join(resolvedDir, "USER.md"), user);
+}
+async function ensureDevGatewayConfig(opts) {
+	const workspace = resolveDevWorkspaceDir();
+	if (opts.reset) await handleReset("full", workspace, defaultRuntime);
+	const configPath = createConfigIO().configPath;
+	const configExists = fs.existsSync(configPath);
+	if (!opts.reset && configExists) return;
+	await writeConfigFile({
+		gateway: {
+			mode: "local",
+			bind: "loopback"
+		},
+		agents: {
+			defaults: {
+				workspace,
+				skipBootstrap: true
+			},
+			list: [{
+				id: "dev",
+				default: true,
+				workspace,
+				identity: {
+					name: DEV_IDENTITY_NAME,
+					theme: DEV_IDENTITY_THEME,
+					emoji: DEV_IDENTITY_EMOJI
+				}
+			}]
+		}
+	});
+	await ensureDevWorkspace(workspace);
+	defaultRuntime.log(`Dev config ready: ${shortenHomePath(configPath)}`);
+	defaultRuntime.log(`Dev workspace ready: ${shortenHomePath(resolveUserPath(workspace))}`);
+}
+
+//#endregion
+//#region src/cli/gateway-cli/run.ts
+const gatewayLog = createSubsystemLogger("gateway");
+const GATEWAY_RUN_VALUE_KEYS = [
+	"port",
+	"bind",
+	"token",
+	"auth",
+	"password",
+	"tailscale",
+	"wsLog",
+	"rawStreamPath"
+];
+const GATEWAY_RUN_BOOLEAN_KEYS = [
+	"tailscaleResetOnExit",
+	"allowUnconfigured",
+	"dev",
+	"reset",
+	"force",
+	"verbose",
+	"claudeCliLogs",
+	"compact",
+	"rawStream"
+];
+const GATEWAY_AUTH_MODES = [
+	"none",
+	"token",
+	"password",
+	"trusted-proxy"
+];
+const GATEWAY_TAILSCALE_MODES = [
+	"off",
+	"serve",
+	"funnel"
+];
+function parseEnumOption(raw, allowed) {
+	if (!raw) return null;
+	return allowed.includes(raw) ? raw : null;
+}
+function formatModeChoices(modes) {
+	return modes.map((mode) => `"${mode}"`).join("|");
+}
+function formatModeErrorList(modes) {
+	const quoted = modes.map((mode) => `"${mode}"`);
+	if (quoted.length === 0) return "";
+	if (quoted.length === 1) return quoted[0];
+	if (quoted.length === 2) return `${quoted[0]} or ${quoted[1]}`;
+	return `${quoted.slice(0, -1).join(", ")}, or ${quoted[quoted.length - 1]}`;
+}
+function resolveGatewayRunOptions(opts, command) {
+	const resolved = { ...opts };
+	for (const key of GATEWAY_RUN_VALUE_KEYS) {
+		const inherited = inheritOptionFromParent(command, key);
+		if (key === "wsLog") {
+			resolved[key] = inherited ?? resolved[key];
+			continue;
+		}
+		resolved[key] = resolved[key] ?? inherited;
+	}
+	for (const key of GATEWAY_RUN_BOOLEAN_KEYS) {
+		const inherited = inheritOptionFromParent(command, key);
+		resolved[key] = Boolean(resolved[key] || inherited);
+	}
+	return resolved;
+}
+async function runGatewayCommand$1(opts) {
+	const isDevProfile = process.env.OPENCLAW_PROFILE?.trim().toLowerCase() === "dev";
+	const devMode = Boolean(opts.dev) || isDevProfile;
+	if (opts.reset && !devMode) {
+		defaultRuntime.error("Use --reset with --dev.");
+		defaultRuntime.exit(1);
+		return;
+	}
+	setConsoleTimestampPrefix(true);
+	setVerbose(Boolean(opts.verbose));
+	if (opts.claudeCliLogs) {
+		setConsoleSubsystemFilter(["agent/claude-cli"]);
+		process.env.OPENCLAW_CLAUDE_CLI_LOG_OUTPUT = "1";
+	}
+	const wsLogRaw = opts.compact ? "compact" : opts.wsLog;
+	const wsLogStyle = wsLogRaw === "compact" ? "compact" : wsLogRaw === "full" ? "full" : "auto";
+	if (wsLogRaw !== void 0 && wsLogRaw !== "auto" && wsLogRaw !== "compact" && wsLogRaw !== "full") {
+		defaultRuntime.error("Invalid --ws-log (use \"auto\", \"full\", \"compact\")");
+		defaultRuntime.exit(1);
+	}
+	setGatewayWsLogStyle(wsLogStyle);
+	if (opts.rawStream) process.env.OPENCLAW_RAW_STREAM = "1";
+	const rawStreamPath = toOptionString(opts.rawStreamPath);
+	if (rawStreamPath) process.env.OPENCLAW_RAW_STREAM_PATH = rawStreamPath;
+	if (devMode) await ensureDevGatewayConfig({ reset: Boolean(opts.reset) });
+	const cfg = loadConfig();
+	const portOverride = parsePort$1(opts.port);
+	if (opts.port !== void 0 && portOverride === null) {
+		defaultRuntime.error("Invalid port");
+		defaultRuntime.exit(1);
+	}
+	const port = portOverride ?? resolveGatewayPort(cfg);
+	if (!Number.isFinite(port) || port <= 0) {
+		defaultRuntime.error("Invalid port");
+		defaultRuntime.exit(1);
+	}
+	const bindRaw = toOptionString(opts.bind) ?? cfg.gateway?.bind ?? "loopback";
+	const bind = bindRaw === "loopback" || bindRaw === "lan" || bindRaw === "auto" || bindRaw === "custom" || bindRaw === "tailnet" ? bindRaw : null;
+	if (!bind) {
+		defaultRuntime.error("Invalid --bind (use \"loopback\", \"lan\", \"tailnet\", \"auto\", or \"custom\")");
+		defaultRuntime.exit(1);
+		return;
+	}
+	if (opts.force) try {
+		const { killed, waitedMs, escalatedToSigkill } = await forceFreePortAndWait(port, {
+			timeoutMs: 2e3,
+			intervalMs: 100,
+			sigtermTimeoutMs: 700
+		});
+		if (killed.length === 0) gatewayLog.info(`force: no listeners on port ${port}`);
+		else {
+			for (const proc of killed) gatewayLog.info(`force: killed pid ${proc.pid}${proc.command ? ` (${proc.command})` : ""} on port ${port}`);
+			if (escalatedToSigkill) gatewayLog.info(`force: escalated to SIGKILL while freeing port ${port}`);
+			if (waitedMs > 0) gatewayLog.info(`force: waited ${waitedMs}ms for port ${port} to free`);
+		}
+		const bindWaitMs = await waitForPortBindable(port, {
+			timeoutMs: 3e3,
+			intervalMs: 150,
+			host: bind === "loopback" ? "127.0.0.1" : bind === "lan" ? "0.0.0.0" : bind === "custom" ? toOptionString(cfg.gateway?.customBindHost) : void 0
+		});
+		if (bindWaitMs > 0) gatewayLog.info(`force: waited ${bindWaitMs}ms for port ${port} to become bindable`);
+	} catch (err) {
+		defaultRuntime.error(`Force: ${String(err)}`);
+		defaultRuntime.exit(1);
+		return;
+	}
+	if (opts.token) {
+		const token = toOptionString(opts.token);
+		if (token) process.env.OPENCLAW_GATEWAY_TOKEN = token;
+	}
+	const authModeRaw = toOptionString(opts.auth);
+	const authMode = parseEnumOption(authModeRaw, GATEWAY_AUTH_MODES);
+	if (authModeRaw && !authMode) {
+		defaultRuntime.error(`Invalid --auth (use ${formatModeErrorList(GATEWAY_AUTH_MODES)})`);
+		defaultRuntime.exit(1);
+		return;
+	}
+	const tailscaleRaw = toOptionString(opts.tailscale);
+	const tailscaleMode = parseEnumOption(tailscaleRaw, GATEWAY_TAILSCALE_MODES);
+	if (tailscaleRaw && !tailscaleMode) {
+		defaultRuntime.error(`Invalid --tailscale (use ${formatModeErrorList(GATEWAY_TAILSCALE_MODES)})`);
+		defaultRuntime.exit(1);
+		return;
+	}
+	const passwordRaw = toOptionString(opts.password);
+	const tokenRaw = toOptionString(opts.token);
+	const snapshot = await readConfigFileSnapshot().catch(() => null);
+	const configExists = snapshot?.exists ?? fs.existsSync(CONFIG_PATH);
+	const configAuditPath = path.join(resolveStateDir(process.env), "logs", "config-audit.jsonl");
+	const mode = cfg.gateway?.mode;
+	if (!opts.allowUnconfigured && mode !== "local") {
+		if (!configExists) defaultRuntime.error(`Missing config. Run \`${formatCliCommand("openclaw setup")}\` or set gateway.mode=local (or pass --allow-unconfigured).`);
+		else {
+			defaultRuntime.error(`Gateway start blocked: set gateway.mode=local (current: ${mode ?? "unset"}) or pass --allow-unconfigured.`);
+			defaultRuntime.error(`Config write audit: ${configAuditPath}`);
+		}
+		defaultRuntime.exit(1);
+		return;
+	}
+	const miskeys = extractGatewayMiskeys(snapshot?.parsed);
+	const authOverride = authMode || passwordRaw || tokenRaw || authModeRaw ? {
+		...authMode ? { mode: authMode } : {},
+		...tokenRaw ? { token: tokenRaw } : {},
+		...passwordRaw ? { password: passwordRaw } : {}
+	} : void 0;
+	const resolvedAuth = resolveGatewayAuth({
+		authConfig: cfg.gateway?.auth,
+		authOverride,
+		env: process.env,
+		tailscaleMode: tailscaleMode ?? cfg.gateway?.tailscale?.mode ?? "off"
+	});
+	const resolvedAuthMode = resolvedAuth.mode;
+	const tokenValue = resolvedAuth.token;
+	const passwordValue = resolvedAuth.password;
+	const hasToken = typeof tokenValue === "string" && tokenValue.trim().length > 0;
+	const hasPassword = typeof passwordValue === "string" && passwordValue.trim().length > 0;
+	const tokenConfigured = hasToken || hasConfiguredSecretInput(authOverride?.token ?? cfg.gateway?.auth?.token, cfg.secrets?.defaults);
+	const passwordConfigured = hasPassword || hasConfiguredSecretInput(authOverride?.password ?? cfg.gateway?.auth?.password, cfg.secrets?.defaults);
+	const hasSharedSecret = resolvedAuthMode === "token" && tokenConfigured || resolvedAuthMode === "password" && passwordConfigured;
+	const canBootstrapToken = resolvedAuthMode === "token" && !tokenConfigured;
+	const authHints = [];
+	if (miskeys.hasGatewayToken) authHints.push("Found \"gateway.token\" in config. Use \"gateway.auth.token\" instead.");
+	if (miskeys.hasRemoteToken) authHints.push("\"gateway.remote.token\" is for remote CLI calls; it does not enable local gateway auth.");
+	if (resolvedAuthMode === "password" && !passwordConfigured) {
+		defaultRuntime.error([
+			"Gateway auth is set to password, but no password is configured.",
+			"Set gateway.auth.password (or OPENCLAW_GATEWAY_PASSWORD), or pass --password.",
+			...authHints
+		].filter(Boolean).join("\n"));
+		defaultRuntime.exit(1);
+		return;
+	}
+	if (resolvedAuthMode === "none") gatewayLog.warn("Gateway auth mode=none explicitly configured; all gateway connections are unauthenticated.");
+	if (bind !== "loopback" && !hasSharedSecret && !canBootstrapToken && resolvedAuthMode !== "trusted-proxy" && resolvedAuthMode !== "iam") {
+		defaultRuntime.error([
+			`Refusing to bind gateway to ${bind} without auth.`,
+			"Set gateway.auth.token/password (or OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD) or pass --token/--password.",
+			...authHints
+		].filter(Boolean).join("\n"));
+		defaultRuntime.exit(1);
+		return;
+	}
+	const tailscaleOverride = tailscaleMode || opts.tailscaleResetOnExit ? {
+		...tailscaleMode ? { mode: tailscaleMode } : {},
+		...opts.tailscaleResetOnExit ? { resetOnExit: true } : {}
+	} : void 0;
+	try {
+		await runGatewayLoop({
+			runtime: defaultRuntime,
+			lockPort: port,
+			start: async () => await startGatewayServer(port, {
+				bind,
+				auth: authOverride,
+				tailscale: tailscaleOverride
+			})
+		});
+	} catch (err) {
+		if (err instanceof GatewayLockError || err && typeof err === "object" && err.name === "GatewayLockError") {
+			const errMessage = describeUnknownError(err);
+			defaultRuntime.error(`Gateway failed to start: ${errMessage}\nIf the gateway is supervised, stop it with: ${formatCliCommand("openclaw gateway stop")}`);
+			try {
+				const diagnostics = await inspectPortUsage(port);
+				if (diagnostics.status === "busy") for (const line of formatPortDiagnostics(diagnostics)) defaultRuntime.error(line);
+			} catch {}
+			await maybeExplainGatewayServiceStop();
+			defaultRuntime.exit(1);
+			return;
+		}
+		defaultRuntime.error(`Gateway failed to start: ${String(err)}`);
+		defaultRuntime.exit(1);
+	}
+}
+function addGatewayRunCommand(cmd) {
+	return cmd.option("--port <port>", "Port for the gateway WebSocket").option("--bind <mode>", "Bind mode (\"loopback\"|\"lan\"|\"tailnet\"|\"auto\"|\"custom\"). Defaults to config gateway.bind (or loopback).").option("--token <token>", "Shared token required in connect.params.auth.token (default: OPENCLAW_GATEWAY_TOKEN env if set)").option("--auth <mode>", `Gateway auth mode (${formatModeChoices(GATEWAY_AUTH_MODES)})`).option("--password <password>", "Password for auth mode=password").option("--tailscale <mode>", `Tailscale exposure mode (${formatModeChoices(GATEWAY_TAILSCALE_MODES)})`).option("--tailscale-reset-on-exit", "Reset Tailscale serve/funnel configuration on shutdown", false).option("--allow-unconfigured", "Allow gateway start without gateway.mode=local in config", false).option("--dev", "Create a dev config + workspace if missing (no BOOTSTRAP.md)", false).option("--reset", "Reset dev config + credentials + sessions + workspace (requires --dev)", false).option("--force", "Kill any existing listener on the target port before starting", false).option("--verbose", "Verbose logging to stdout/stderr", false).option("--claude-cli-logs", "Only show claude-cli logs in the console (includes stdout/stderr)", false).option("--ws-log <style>", "WebSocket log style (\"auto\"|\"full\"|\"compact\")", "auto").option("--compact", "Alias for \"--ws-log compact\"", false).option("--raw-stream", "Log raw model stream events to jsonl", false).option("--raw-stream-path <path>", "Raw stream jsonl path").action(async (opts, command) => {
+		await runGatewayCommand$1(resolveGatewayRunOptions(opts, command));
+	});
+}
+
+//#endregion
+//#region src/cli/gateway-cli/register.ts
+function runGatewayCommand(action, label) {
+	return runCommandWithRuntime(defaultRuntime, action, (err) => {
+		const message = String(err);
+		defaultRuntime.error(label ? `${label}: ${message}` : message);
+		defaultRuntime.exit(1);
+	});
+}
+function parseDaysOption(raw, fallback = 30) {
+	if (typeof raw === "number" && Number.isFinite(raw)) return Math.max(1, Math.floor(raw));
+	if (typeof raw === "string" && raw.trim() !== "") {
+		const parsed = Number(raw);
+		if (Number.isFinite(parsed)) return Math.max(1, Math.floor(parsed));
+	}
+	return fallback;
+}
+function resolveGatewayRpcOptions(opts, command) {
+	const parentToken = inheritOptionFromParent(command, "token");
+	const parentPassword = inheritOptionFromParent(command, "password");
+	return {
+		...opts,
+		token: opts.token ?? parentToken,
+		password: opts.password ?? parentPassword
+	};
+}
+function renderCostUsageSummary(summary, days, rich) {
+	const totalCost = formatUsd(summary.totals.totalCost) ?? "$0.00";
+	const totalTokens = formatTokenCount(summary.totals.totalTokens) ?? "0";
+	const lines = [colorize(rich, theme.heading, `Usage cost (${days} days)`), `${colorize(rich, theme.muted, "Total:")} ${totalCost} · ${totalTokens} tokens`];
+	if (summary.totals.missingCostEntries > 0) lines.push(`${colorize(rich, theme.muted, "Missing entries:")} ${summary.totals.missingCostEntries}`);
+	const latest = summary.daily.at(-1);
+	if (latest) {
+		const latestCost = formatUsd(latest.totalCost) ?? "$0.00";
+		const latestTokens = formatTokenCount(latest.totalTokens) ?? "0";
+		lines.push(`${colorize(rich, theme.muted, "Latest day:")} ${latest.date} · ${latestCost} · ${latestTokens} tokens`);
+	}
+	return lines;
+}
+function registerGatewayCli(program) {
+	const gateway = addGatewayRunCommand(program.command("gateway").description("Run, inspect, and query the WebSocket Gateway").addHelpText("after", () => `\n${theme.heading("Examples:")}\n${formatHelpExamples([
+		["openclaw gateway run", "Run the gateway in the foreground."],
+		["openclaw gateway status", "Show service status and probe reachability."],
+		["openclaw gateway discover", "Find local and wide-area gateway beacons."],
+		["openclaw gateway call health", "Call a gateway RPC method directly."]
+	])}\n\n${theme.muted("Docs:")} ${formatDocsLink("/cli/gateway", "docs.openclaw.ai/cli/gateway")}\n`));
+	addGatewayRunCommand(gateway.command("run").description("Run the WebSocket Gateway (foreground)"));
+	addGatewayServiceCommands(gateway, { statusDescription: "Show gateway service status + probe the Gateway" });
+	gatewayCallOpts(gateway.command("call").description("Call a Gateway method").argument("<method>", "Method name (health/status/system-presence/cron.*)").option("--params <json>", "JSON object string for params", "{}").action(async (method, opts, command) => {
+		await runGatewayCommand(async () => {
+			const rpcOpts = resolveGatewayRpcOptions(opts, command);
+			const result = await callGatewayCli(method, rpcOpts, JSON.parse(String(opts.params ?? "{}")));
+			if (rpcOpts.json) {
+				defaultRuntime.log(JSON.stringify(result, null, 2));
+				return;
+			}
+			const rich = isRich();
+			defaultRuntime.log(`${colorize(rich, theme.heading, "Gateway call")}: ${colorize(rich, theme.muted, String(method))}`);
+			defaultRuntime.log(JSON.stringify(result, null, 2));
+		}, "Gateway call failed");
+	}));
+	gatewayCallOpts(gateway.command("usage-cost").description("Fetch usage cost summary from session logs").option("--days <days>", "Number of days to include", "30").action(async (opts, command) => {
+		await runGatewayCommand(async () => {
+			const rpcOpts = resolveGatewayRpcOptions(opts, command);
+			const days = parseDaysOption(opts.days);
+			const result = await callGatewayCli("usage.cost", rpcOpts, { days });
+			if (rpcOpts.json) {
+				defaultRuntime.log(JSON.stringify(result, null, 2));
+				return;
+			}
+			const rich = isRich();
+			const summary = result;
+			for (const line of renderCostUsageSummary(summary, days, rich)) defaultRuntime.log(line);
+		}, "Gateway usage cost failed");
+	}));
+	gatewayCallOpts(gateway.command("health").description("Fetch Gateway health").action(async (opts, command) => {
+		await runGatewayCommand(async () => {
+			const rpcOpts = resolveGatewayRpcOptions(opts, command);
+			const result = await callGatewayCli("health", rpcOpts);
+			if (rpcOpts.json) {
+				defaultRuntime.log(JSON.stringify(result, null, 2));
+				return;
+			}
+			const rich = isRich();
+			const obj = result && typeof result === "object" ? result : {};
+			const durationMs = typeof obj.durationMs === "number" ? obj.durationMs : null;
+			defaultRuntime.log(colorize(rich, theme.heading, "Gateway Health"));
+			defaultRuntime.log(`${colorize(rich, theme.success, "OK")}${durationMs != null ? ` (${durationMs}ms)` : ""}`);
+			if (obj.channels && typeof obj.channels === "object") for (const line of formatHealthChannelLines(obj)) defaultRuntime.log(styleHealthChannelLine(line, rich));
+		});
+	}));
+	gateway.command("probe").description("Show gateway reachability + discovery + health + status summary (local + remote)").option("--url <url>", "Explicit Gateway WebSocket URL (still probes localhost)").option("--ssh <target>", "SSH target for remote gateway tunnel (user@host or user@host:port)").option("--ssh-identity <path>", "SSH identity file path").option("--ssh-auto", "Try to derive an SSH target from Bonjour discovery", false).option("--token <token>", "Gateway token (applies to all probes)").option("--password <password>", "Gateway password (applies to all probes)").option("--timeout <ms>", "Overall probe budget in ms", "3000").option("--json", "Output JSON", false).action(async (opts, command) => {
+		await runGatewayCommand(async () => {
+			await gatewayStatusCommand(resolveGatewayRpcOptions(opts, command), defaultRuntime);
+		});
+	});
+	gateway.command("discover").description("Discover gateways via Bonjour (local + wide-area if configured)").option("--timeout <ms>", "Per-command timeout in ms", "2000").option("--json", "Output JSON", false).action(async (opts) => {
+		await runGatewayCommand(async () => {
+			const wideAreaDomain = resolveWideAreaDiscoveryDomain({ configDomain: loadConfig().discovery?.wideArea?.domain });
+			const timeoutMs = parseDiscoverTimeoutMs(opts.timeout, 2e3);
+			const domains = ["local.", ...wideAreaDomain ? [wideAreaDomain] : []];
+			const deduped = dedupeBeacons(await withProgress({
+				label: "Scanning for gateways…",
+				indeterminate: true,
+				enabled: opts.json !== true,
+				delayMs: 0
+			}, async () => await discoverGatewayBeacons({
+				timeoutMs,
+				wideAreaDomain
+			}))).toSorted((a, b) => String(a.displayName || a.instanceName).localeCompare(String(b.displayName || b.instanceName)));
+			if (opts.json) {
+				const enriched = deduped.map((b) => {
+					const host = pickBeaconHost(b);
+					const port = pickGatewayPort(b);
+					return {
+						...b,
+						wsUrl: host ? `ws://${host}:${port}` : null
+					};
+				});
+				defaultRuntime.log(JSON.stringify({
+					timeoutMs,
+					domains,
+					count: enriched.length,
+					beacons: enriched
+				}, null, 2));
+				return;
+			}
+			const rich = isRich();
+			defaultRuntime.log(colorize(rich, theme.heading, "Gateway Discovery"));
+			defaultRuntime.log(colorize(rich, theme.muted, `Found ${deduped.length} gateway(s) · domains: ${domains.join(", ")}`));
+			if (deduped.length === 0) return;
+			for (const beacon of deduped) for (const line of renderBeaconLines(beacon, rich)) defaultRuntime.log(line);
+		}, "gateway discover failed");
+	});
+}
+
+//#endregion
+export { registerGatewayCli };