@keychat-io/keychat-openclaw 0.1.8

package/README.md

@@ -0,0 +1,231 @@
+# Keychat — OpenClaw Channel Plugin
+
+E2E encrypted AI agent communication via Keychat protocol.
+
+## What is this?
+
+This plugin gives your OpenClaw agent a **sovereign identity** — a self-generated Public Key ID (Nostr keypair) — and enables **end-to-end encrypted communication** using the Signal Protocol over Nostr relays.
+
+Your agent becomes a full Keychat citizen: it can receive friend requests, establish Signal Protocol sessions, and exchange messages with Keychat app users. All messages are encrypted with forward and backward secrecy — not even relay operators can read them.
+
+## Install
+
+### Option A: OpenClaw plugin (recommended)
+
+```bash
+openclaw plugins install @keychat-io/keychat
+openclaw gateway restart
+```
+
+The bridge binary is auto-downloaded on first start. Supported platforms: macOS (ARM/x64), Linux (x64/ARM64).
+
+### Option B: Shell script
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/keychat-io/keychat-openclaw/main/scripts/install.sh | bash
+```
+
+This clones the repo, downloads the binary, registers the plugin, and restarts the gateway in one step.
+
+### Security Warnings
+
+During installation, OpenClaw's security scanner may show two warnings. Both are expected:
+
+| Warning | Reason |
+|---------|--------|
+| Shell command execution (bridge-client.ts) | Keychat's Signal Protocol and MLS Protocol encryption are implemented in Rust. The plugin spawns a Rust sidecar process to bridge between Node.js and the native crypto layer. |
+| Shell command execution (keychain.ts) | Agent identity mnemonics are stored in the OS keychain (macOS Keychain / Linux libsecret) rather than plain files, which is the more secure option. |
+
+Source code is fully open: [github.com/keychat-io/keychat-openclaw](https://github.com/keychat-io/keychat-openclaw)
+
+### Upgrade
+
+```bash
+# npm plugin
+openclaw plugins install @keychat-io/keychat@latest
+openclaw gateway restart
+
+# shell script (re-run the same command)
+curl -fsSL https://raw.githubusercontent.com/keychat-io/keychat-openclaw/main/scripts/install.sh | bash
+```
+
+### Connect
+
+1. Run `openclaw status` to find your agent's **npub**
+2. Open the [Keychat app](https://keychat.io) → tap **Add Contact** on the home page
+3. Paste the agent's npub and confirm
+4. The agent will automatically accept the friend request and establish an encrypted session
+
+You can also scan the QR code instead of pasting the npub:
+
+```bash
+# View QR code in terminal
+chafa ~/.openclaw/keychat/qr-default.png
+# or generate from npub
+qrencode -t ANSIUTF8 "https://www.keychat.io/u/?k=YOUR_NPUB"
+```
+
+## Configuration
+
+All options go under `channels.keychat` in your OpenClaw config:
+
+| Option             | Type     | Default                      | Description                                               |
+| ------------------ | -------- | ---------------------------- | --------------------------------------------------------- |
+| `enabled`          | boolean  | `false`                      | Enable/disable the Keychat channel                        |
+| `name`             | string   | —                            | Display name for this account                             |
+| `relays`           | string[] | `["wss://relay.keychat.io"]` | Nostr relay WebSocket URLs                                |
+| `dmPolicy`         | enum     | `"pairing"`                  | Access policy: `pairing`, `allowlist`, `open`, `disabled` |
+| `allowFrom`        | string[] | `[]`                         | Allowed sender pubkeys (npub or hex)                      |
+| `mnemonic`         | string   | —                            | Identity mnemonic (auto-generated, stored in keychain)    |
+| `publicKey`        | string   | —                            | Derived hex public key (read-only)                        |
+| `npub`             | string   | —                            | Derived bech32 npub (read-only)                           |
+| `lightningAddress` | string   | —                            | Lightning address for receiving payments                  |
+| `nwcUri`           | string   | —                            | Nostr Wallet Connect URI for wallet access                |
+| `markdown`         | object   | —                            | Markdown formatting overrides                             |
+
+### DM Policies
+
+- **`pairing`** (default): New contacts require owner approval via OpenClaw's pairing system
+- **`allowlist`**: Only pubkeys in `allowFrom` can communicate
+- **`open`**: Anyone can message the agent
+- **`disabled`**: No inbound messages accepted
+
+## Lightning Wallet
+
+Keychat supports Lightning payments:
+
+### Lightning Address (receive-only)
+
+Configure a Lightning address so your agent can generate invoices:
+
+```json
+{
+  "lightningAddress": "user@walletofsatoshi.com"
+}
+```
+
+The agent can create invoices via LNURL-pay protocol. Note: payment verification depends on the provider (some don't support verify URLs).
+
+### Nostr Wallet Connect (NWC)
+
+For full wallet access (create invoices, check balance, verify payments), configure NWC:
+
+```json
+{
+  "nwcUri": "nostr+walletconnect://pubkey?relay=wss://...&secret=..."
+}
+```
+
+Generate an NWC connection string from your wallet app (Keychat, Alby Hub, Mutiny, Coinos, etc.).
+
+**Security note**: The agent can receive payments freely. Outbound payments require owner approval — the agent will forward the invoice to the owner instead of paying directly.
+
+## Architecture
+
+```
+┌──────────────┐    JSON-RPC     ┌─────────────────────┐    Nostr     ┌─────────┐
+│  OpenClaw    │◄──────────────►│  keychat-openclaw  │◄───────────►│  Relays  │
+│  (TypeScript │    stdin/stdout │  (Rust sidecar)     │  WebSocket  │         │
+│   plugin)    │                │                     │             │         │
+└──────────────┘                └─────────────────────┘             └─────────┘
+                                  │ Signal Protocol DB │
+                                  │ (SQLite)           │
+                                  └────────────────────┘
+```
+
+- **TypeScript plugin** (`src/channel.ts`): Integrates with OpenClaw's channel system, handles routing, pairing, and message dispatch
+- **Rust sidecar** (`bridge/`): Manages Signal Protocol sessions, Nostr transport, encryption/decryption
+- **Communication**: JSON-RPC over stdin/stdout of spawned child process
+- **Encryption**: Signal Protocol (Double Ratchet) for E2E encryption
+- **Transport**: Nostr relays (kind:4 DMs + kind:1059 Gift Wrap for friend requests)
+
+## Pairing
+
+1. Agent starts and logs its **npub** and **contact URL**
+2. User opens the URL or scans the QR code in the Keychat app
+3. Keychat app sends a **friend request** (Gift Wrap, kind:1059)
+4. Agent processes the hello, establishes Signal session, and replies
+5. If `dmPolicy` is `pairing`, the owner must approve via `openclaw pair approve keychat <pubkey>`
+6. Once approved, full bidirectional encrypted chat is established
+
+## Security
+
+- **E2E Encryption**: All messages encrypted with Signal Protocol — relay operators cannot read content
+- **Forward Secrecy**: Compromising current keys doesn't reveal past messages (Double Ratchet)
+- **Backward Secrecy**: New messages use fresh keys after each exchange
+- **Sovereign Identity**: Agent generates its own keypair — no third-party identity provider
+- **Key Storage**: Mnemonic stored in system keychain (macOS Keychain, Linux secret service); falls back to config file
+- **Ephemeral Senders**: Each outbound message uses a fresh Nostr keypair, preventing metadata correlation
+- **Receiving Address Rotation**: Ratchet-derived addresses rotate per message, preventing traffic analysis
+
+## Troubleshooting
+
+### Bridge not starting
+
+- Ensure the binary exists: `ls bridge/target/release/keychat-openclaw`
+- Rebuild: `cd bridge && cargo build --release`
+- Check logs for startup errors
+
+### Relay connection issues
+
+- Verify relay URLs are correct WebSocket endpoints (`wss://...`)
+- Test relay connectivity: `websocat wss://relay.keychat.io`
+- Try alternative relays
+
+### Session corruption
+
+- If messages fail to decrypt, the plugin will automatically warn the peer
+- The peer should re-add the agent as a contact to establish a new session
+- As a last resort, delete the Signal DB: `rm ~/.openclaw/keychat/signal-default.db` and restart
+
+### Messages not delivered
+
+- Check if the bridge is responsive: look for health check logs
+- The plugin queues failed messages (up to 100) and retries every 30s
+- Pending messages are also flushed after bridge restart
+
+### No QR code generated
+
+- Install the `qrcode` npm package: `npm install qrcode`
+- The contact URL in logs works without QR code
+
+## Development
+
+### Building
+
+```bash
+# Build the Rust sidecar
+cd bridge && cargo build --release
+
+# Run tests
+cargo test
+```
+
+### Project Structure
+
+```
+├── src/
+│   ├── channel.ts        # Main channel plugin (OpenClaw integration)
+│   ├── bridge-client.ts  # TypeScript RPC client for the Rust sidecar
+│   ├── config-schema.ts  # Zod config schema
+│   ├── keychain.ts       # System keychain integration
+│   ├── lightning.ts      # Lightning address (LNURL-pay) support
+│   ├── nwc.ts            # Nostr Wallet Connect (NIP-47) client
+│   ├── media.ts          # Blossom media encryption/upload
+│   ├── qrcode.ts         # QR code generation
+│   ├── runtime.ts        # Plugin runtime accessor
+│   └── types.ts          # Account types and resolvers
+├── bridge/
+│   └── src/
+│       ├── main.rs       # Sidecar entry point (stdin/stdout loop)
+│       ├── rpc.rs        # JSON-RPC dispatch
+│       ├── signal.rs     # Signal Protocol manager
+│       ├── protocol.rs   # Keychat protocol types
+│       ├── mls.rs        # MLS large group support
+│       └── transport.rs  # Nostr relay transport
+├── scripts/
+│   └── install.sh        # One-line installer
+├── index.ts              # Plugin entry point
+├── openclaw.plugin.json  # Plugin manifest
+└── LICENSE               # AGPL-3.0
+```

package/docs/setup-guide.md

@@ -0,0 +1,124 @@
+# Keychat — Setup Guide
+
+Step-by-step instructions to get your OpenClaw agent communicating via Keychat.
+
+## Prerequisites
+
+- **macOS or Linux** (arm64 or x86_64)
+- **Node.js 20+**
+- **OpenClaw**: Installed and configured (`openclaw gateway status` should work)
+
+## Step 1: Install the Plugin
+
+```bash
+openclaw plugins install @keychat-io/keychat
+```
+
+This auto-downloads the pre-compiled Rust sidecar binary for your platform. No Rust toolchain needed.
+
+> **Building from source** (optional): If no pre-compiled binary is available for your platform, install [Rust](https://rustup.rs/) and run `cd bridge && cargo build --release`.
+
+## Step 2: Configure OpenClaw
+
+Edit `~/.openclaw/openclaw.json` and add the Keychat channel config:
+
+```json
+{
+  "channels": {
+    "keychat": {
+      "enabled": true,
+      "relays": [
+        "wss://relay.keychat.io",
+        "wss://relay.damus.io"
+      ],
+      "dmPolicy": "pairing"
+    }
+  }
+}
+```
+
+### DM Policies
+
+| Policy | Description |
+|--------|-------------|
+| `pairing` | New contacts require owner approval (default) |
+| `allowlist` | Only pubkeys in `allowFrom` can communicate |
+| `open` | Anyone can message the agent |
+| `disabled` | No inbound messages accepted |
+
+## Step 3: Restart the Gateway
+
+```bash
+openclaw gateway restart
+```
+
+Watch the logs for your agent's Keychat ID:
+
+```
+═══════════════════════════════════════════════════
+  🔑 Agent Keychat ID (scan with Keychat app):
+
+  npub1...
+
+  Add contact link:
+  https://www.keychat.io/u/?k=npub1...
+═══════════════════════════════════════════════════
+```
+
+A QR code is also saved to `~/.openclaw/keychat/qr-default.png`.
+
+## Step 4: Connect with Keychat App
+
+1. Open the [Keychat app](https://www.keychat.io/) on your phone
+2. Tap **Add Contact**
+3. Scan the QR code at `~/.openclaw/keychat/qr-default.png`, or paste the npub / contact URL
+4. Send a friend request
+5. If `dmPolicy` is `pairing`, approve the request:
+   ```bash
+   openclaw pair approve keychat <sender-pubkey>
+   ```
+
+## Step 5: Start Chatting
+
+Send a message from the Keychat app — your agent will respond with E2E encrypted messages.
+
+## Identity Management
+
+- **First run**: Agent auto-generates a mnemonic and stores it in your system keychain (macOS Keychain / Linux libsecret)
+- **Backup**: Export the mnemonic from your keychain if needed
+- **Restore**: Set `mnemonic` in the channel config to restore an existing identity on a new machine
+- **Signal DB**: Stored at `~/.openclaw/keychat/signal-default.db` — **do not delete** (destroys all encrypted sessions)
+
+## Verifying the Setup
+
+```bash
+openclaw gateway status
+```
+
+The Keychat channel should show as running with the agent's npub.
+
+## Lightning Wallet (Optional)
+
+Add a Lightning address for receiving payments:
+
+```json
+{
+  "channels": {
+    "keychat": {
+      "lightningAddress": "user@walletofsatoshi.com"
+    }
+  }
+}
+```
+
+For full wallet access (balance, payments), configure [Nostr Wallet Connect](https://github.com/nostr-protocol/nips/blob/master/47.md):
+
+```json
+{
+  "channels": {
+    "keychat": {
+      "nwcUri": "nostr+walletconnect://pubkey?relay=wss://...&secret=..."
+    }
+  }
+}
+```

package/index.ts

@@ -0,0 +1,108 @@
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk";
+import { keychatPlugin, getAgentKeychatId, getAgentKeychatUrl, getAllAgentContacts } from "./src/channel.js";
+import { setKeychatRuntime } from "./src/runtime.js";
+import { existsSync } from "node:fs";
+
+const plugin = {
+  id: "keychat",
+  name: "Keychat",
+  description:
+    "Keychat channel plugin — sovereign identity + E2E encrypted chat. " +
+    "Agent generates its own Public Key ID, just like a human Keychat user.",
+  configSchema: emptyPluginConfigSchema(),
+  register(api: OpenClawPluginApi) {
+    console.log("[keychat] register() called");
+    try {
+      setKeychatRuntime(api.runtime);
+      console.log("[keychat] runtime set, registering channel...");
+      api.registerChannel({ plugin: keychatPlugin });
+      console.log("[keychat] channel registered successfully");
+
+      // Register keychat_identity agent tool so the agent can fetch ID info
+      // and send it to the user on whatever channel they're on
+      api.registerTool({
+        name: "keychat_identity",
+        label: "Keychat Identity",
+        description:
+          "Get the Keychat identity (npub, contact link, QR code path) for all active agent accounts. " +
+          "Call this after Keychat setup/install to retrieve the agent's Keychat ID and share it with the user.",
+        parameters: { type: "object", properties: {}, required: [] },
+        async execute(_toolCallId: string, _params: any) {
+          const contacts = getAllAgentContacts();
+          if (contacts.length === 0) {
+            return {
+              details: null,
+              content: [
+                {
+                  type: "text" as const,
+                  text: "No Keychat accounts are active yet. The bridge may still be starting — try again in a few seconds.",
+                },
+              ],
+            };
+          }
+          const result = contacts.map((c) => ({
+            accountId: c.accountId,
+            npub: c.npub,
+            contactUrl: c.contactUrl,
+            qrCodePath: c.qrCodePath,
+            qrExists: existsSync(c.qrCodePath),
+          }));
+          return {
+            details: null,
+            content: [
+              {
+                type: "text" as const,
+                text: JSON.stringify(result, null, 2),
+              },
+            ],
+          };
+        },
+      });
+
+      // Register /keychat-id command to show agent Keychat ID, link, and QR
+      api.registerCommand({
+        name: "keychat-id",
+        description: "Show Keychat agent ID(s), contact link(s), and QR code path(s)",
+        handler: () => {
+          const contacts = getAllAgentContacts();
+          if (contacts.length === 0) {
+            return { text: "⚠️ No Keychat accounts are active yet. Wait for the bridge to start." };
+          }
+          const lines = contacts.map((c) => {
+            const qrExists = existsSync(c.qrCodePath);
+            return [
+              `🔑 **${c.accountId}**`,
+              `  npub: \`${c.npub}\``,
+              `  📱 Link: ${c.contactUrl}`,
+              qrExists
+                ? `  🖼️ QR: ${c.qrCodePath}`
+                : `  (QR image not found)`,
+            ].join("\n");
+          });
+          return { text: lines.join("\n\n") };
+        },
+      });
+    } catch (err) {
+      console.error("[keychat] register failed:", err);
+    }
+  },
+};
+
+export default plugin;
+export { getAgentKeychatId, getAgentKeychatUrl, getAllAgentContacts, resetPeerSession } from "./src/channel.js";
+export { generateQRDataUrl } from "./src/qrcode.js";
+export {
+  requestInvoice,
+  fetchLnurlPayMetadata,
+  verifyPayment,
+  formatSats,
+  lightningAddressToLnurlp,
+} from "./src/lightning.js";
+export {
+  NwcClient,
+  parseNwcUri,
+  initNwc,
+  getNwcClient,
+  disconnectNwc,
+} from "./src/nwc.js";

package/openclaw.plugin.json

@@ -0,0 +1,38 @@
+{
+  "id": "keychat",
+  "channels": ["keychat"],
+  "name": "Keychat",
+  "description": "Sovereign identity + E2E encrypted chat via Signal Protocol over Nostr relays. Lightning wallet support via LNURL-pay and NWC.",
+  "version": "0.1.0",
+  "repository": "https://github.com/keychat-io/keychat-openclaw",
+  "license": "AGPL-3.0",
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "name": { "type": "string", "description": "Display name for this account" },
+      "enabled": { "type": "boolean", "description": "Enable/disable the Keychat channel" },
+      "markdown": { "type": "object", "description": "Markdown formatting overrides" },
+      "mnemonic": { "type": "string", "description": "Identity mnemonic (auto-generated, stored in keychain)" },
+      "publicKey": { "type": "string", "description": "Derived hex public key (read-only)" },
+      "npub": { "type": "string", "description": "Derived bech32 npub (read-only)" },
+      "relays": {
+        "type": "array",
+        "items": { "type": "string" },
+        "description": "Nostr relay WebSocket URLs"
+      },
+      "dmPolicy": {
+        "type": "string",
+        "enum": ["pairing", "allowlist", "open", "disabled"],
+        "description": "DM access policy"
+      },
+      "allowFrom": {
+        "type": "array",
+        "items": { "type": ["string", "number"] },
+        "description": "Allowed sender pubkeys (npub or hex)"
+      },
+      "lightningAddress": { "type": "string", "description": "Lightning address for receiving payments" },
+      "nwcUri": { "type": "string", "description": "Nostr Wallet Connect URI" }
+    }
+  }
+}

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "@keychat-io/keychat-openclaw",
+  "version": "0.1.8",
+  "description": "Keychat — E2E encrypted chat + Lightning wallet for OpenClaw agents",
+  "license": "AGPL-3.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/keychat-io/keychat-openclaw.git"
+  },
+  "type": "module",
+  "scripts": {
+    "postinstall": "node scripts/postinstall.mjs"
+  },
+  "dependencies": {
+    "@nostr-dev-kit/ndk": "^3.0.0",
+    "qrcode": "^1.5.4",
+    "zod": "^4.3.6"
+  },
+  "openclaw": {
+    "extensions": [
+      "./index.ts"
+    ],
+    "channel": {
+      "id": "keychat",
+      "label": "Keychat",
+      "selectionLabel": "Keychat (E2E Encrypted)",
+      "docsPath": "/channels/keychat",
+      "docsLabel": "keychat",
+      "blurb": "Sovereign identity + E2E encrypted chat via Signal Protocol over Nostr relays.",
+      "order": 56
+    }
+  }
+}

package/scripts/install.sh

@@ -0,0 +1,154 @@
+#!/bin/bash
+# Keychat — one-line installer
+# Usage: curl -fsSL https://raw.githubusercontent.com/keychat-io/keychat-openclaw/main/scripts/install.sh | bash
+set -e
+
+REPO="keychat-io/keychat-openclaw"
+INSTALL_DIR="${OPENCLAW_EXTENSIONS:-$HOME/.openclaw/extensions}/keychat"
+BINARY="$INSTALL_DIR/bridge/target/release/keychat-openclaw"
+
+echo "🔑 Installing Keychat"
+echo ""
+
+# ── Check OpenClaw ──
+if ! command -v openclaw &>/dev/null; then
+  echo "❌ OpenClaw not found. Install it first: https://docs.openclaw.ai"
+  exit 1
+fi
+
+# ── Detect platform ──
+detect_artifact() {
+  local arch=$(uname -m)
+  local os=$(uname -s | tr '[:upper:]' '[:lower:]')
+  case "$os-$arch" in
+    darwin-arm64)  echo "keychat-openclaw-darwin-arm64" ;;
+    darwin-x86_64) echo "keychat-openclaw-darwin-x64" ;;
+    linux-x86_64)  echo "keychat-openclaw-linux-x64" ;;
+    linux-aarch64) echo "keychat-openclaw-linux-arm64" ;;
+    *) echo "" ;;
+  esac
+}
+
+# ── Clone or update repo ──
+if [ -d "$INSTALL_DIR/.git" ]; then
+  echo "📦 Updating existing installation..."
+  cd "$INSTALL_DIR"
+  git pull --ff-only 2>/dev/null || true
+else
+  echo "📦 Downloading Keychat..."
+  mkdir -p "$(dirname "$INSTALL_DIR")"
+  git clone --depth 1 "https://github.com/$REPO.git" "$INSTALL_DIR" 2>/dev/null
+  cd "$INSTALL_DIR"
+fi
+
+# ── Install npm dependencies ──
+npm install --omit=dev --silent 2>/dev/null || true
+
+# ── Get binary ──
+if [ -f "$BINARY" ]; then
+  echo "✅ Bridge binary already exists"
+else
+  ARTIFACT=$(detect_artifact)
+  DOWNLOADED=false
+
+  if [ -n "$ARTIFACT" ]; then
+    echo "📦 Downloading pre-compiled binary ($ARTIFACT)..."
+    URL="https://github.com/$REPO/releases/latest/download/$ARTIFACT"
+    mkdir -p "$(dirname "$BINARY")"
+    if curl -fSL "$URL" -o "$BINARY" 2>/dev/null; then
+      chmod +x "$BINARY"
+      echo "✅ Binary downloaded"
+      DOWNLOADED=true
+    fi
+  fi
+
+  if [ "$DOWNLOADED" = false ]; then
+    if command -v cargo &>/dev/null; then
+      echo "🔨 Building from source (this may take a few minutes)..."
+      cd "$INSTALL_DIR/bridge"
+      cargo build --release 2>&1 | tail -3
+      cd "$INSTALL_DIR"
+      if [ ! -f "$BINARY" ]; then
+        echo "❌ Build failed"
+        exit 1
+      fi
+      echo "✅ Built from source"
+    else
+      echo "❌ No pre-compiled binary for your platform and Rust not installed."
+      echo "   Install Rust: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh"
+      exit 1
+    fi
+  fi
+fi
+
+# ── Register plugin ──
+echo ""
+echo "📦 Registering plugin..."
+openclaw plugins install "$INSTALL_DIR" 2>&1 || true
+
+# ── Auto-configure ──
+CONFIG_FILE="$HOME/.openclaw/openclaw.json"
+if [ -f "$CONFIG_FILE" ]; then
+  if grep -q '"keychat"' "$CONFIG_FILE" 2>/dev/null; then
+    echo "ℹ️  Keychat already in config"
+  else
+    # Insert keychat into channels object
+    if command -v python3 &>/dev/null; then
+      python3 -c "
+import json, sys
+try:
+    with open('$CONFIG_FILE', 'r') as f:
+        cfg = json.load(f)
+    if 'channels' not in cfg:
+        cfg['channels'] = {}
+    cfg['channels']['keychat'] = {'enabled': True}
+    with open('$CONFIG_FILE', 'w') as f:
+        json.dump(cfg, f, indent=2, ensure_ascii=False)
+    print('✅ Keychat enabled in config')
+except Exception as e:
+    print(f'⚠️  Could not auto-configure: {e}')
+    print('   Add manually: \"keychat\": {{\"enabled\": true}} under channels')
+"
+    elif command -v node &>/dev/null; then
+      node -e "
+const fs = require('fs');
+try {
+  const cfg = JSON.parse(fs.readFileSync('$CONFIG_FILE', 'utf8'));
+  if (!cfg.channels) cfg.channels = {};
+  cfg.channels.keychat = { enabled: true };
+  fs.writeFileSync('$CONFIG_FILE', JSON.stringify(cfg, null, 2));
+  console.log('✅ Keychat enabled in config');
+} catch(e) {
+  console.log('⚠️  Could not auto-configure:', e.message);
+  console.log('   Add manually: \"keychat\": {\"enabled\": true} under channels');
+}
+"
+    else
+      echo "⚠️  Add to $CONFIG_FILE under \"channels\":"
+      echo '     "keychat": { "enabled": true }'
+    fi
+  fi
+else
+  echo "⚠️  Config not found at $CONFIG_FILE"
+  echo "   Run 'openclaw init' first, then re-run this installer"
+fi
+
+# ── Restart gateway ──
+echo ""
+echo "🔄 Restarting gateway..."
+openclaw gateway restart 2>&1 || true
+
+# ── Done ──
+echo ""
+echo "🎉 Keychat installed!"
+echo ""
+echo "Your agent's Keychat ID will appear in the gateway logs."
+echo "Run 'openclaw status' to see it."
+echo ""
+echo "To connect: open the Keychat app and scan the QR code."
+echo ""
+echo "View QR code in terminal:"
+echo "  chafa ~/.openclaw/keychat/qr-default.png"
+echo "  # or: qrencode -t ANSIUTF8 \"\$(openclaw status 2>/dev/null | grep -oP 'npub[a-z0-9]+' | head -1 | xargs -I{} echo 'https://www.keychat.io/u/?k={}')\""
+echo ""
+echo "Docs: https://github.com/$REPO"