@nordbyte/nordrelay 0.6.0 → 0.8.0

package/plugins/nordrelay/scripts/nordrelay.mjs

@@ -35,6 +35,10 @@ function readRuntimePackageVersion() {
 function parseArgs(argv) {
   const copy = [...argv];
   let command = "foreground";
+  if (copy[0] === "--help" || copy[0] === "-h") {
+    command = "help";
+    copy.shift();
+  }
   if (copy[0] === "--version" || copy[0] === "-v") {
     command = "version";
     copy.shift();
@@ -53,6 +57,7 @@ function parseArgs(argv) {
     port: undefined,
     restartAfterUpdate: true,
     updateMethod: undefined,
+    buildBeforeStart: false,
   };
 
   for (let i = 0; i < copy.length; i += 1) {
@@ -63,6 +68,7 @@ function parseArgs(argv) {
     else if (arg === "--host") options.host = requireValue(copy, ++i, arg);
     else if (arg === "--port") options.port = Number.parseInt(requireValue(copy, ++i, arg), 10);
     else if (arg === "--method") options.updateMethod = requireValue(copy, ++i, arg);
+    else if (arg === "--build") options.buildBeforeStart = true;
     else if (arg === "--no-restart") options.restartAfterUpdate = false;
     else if (arg === "--restart") options.restartAfterUpdate = true;
     else if (arg === "--token") options.telegramBotToken = requireValue(copy, ++i, arg);
@@ -70,10 +76,16 @@ function parseArgs(argv) {
     else if (arg === "--enable-discord") options.enableDiscord = true;
     else if (arg === "--discord-token") options.discordBotToken = requireValue(copy, ++i, arg);
     else if (arg === "--discord-client-id") options.discordClientId = requireValue(copy, ++i, arg);
+    else if (arg === "--enable-slack") options.enableSlack = true;
+    else if (arg === "--slack-bot-token") options.slackBotToken = requireValue(copy, ++i, arg);
+    else if (arg === "--slack-app-token") options.slackAppToken = requireValue(copy, ++i, arg);
+    else if (arg === "--slack-signing-secret") options.slackSigningSecret = requireValue(copy, ++i, arg);
     else if (arg === "--admin-email") options.adminEmail = requireValue(copy, ++i, arg);
     else if (arg === "--admin-name") options.adminName = requireValue(copy, ++i, arg);
     else if (arg === "--admin-password") options.adminPassword = requireValue(copy, ++i, arg);
     else if (arg === "--telegram-user-id") options.telegramUserId = requireValue(copy, ++i, arg);
+    else if (arg === "--slack-user-id") options.slackUserId = requireValue(copy, ++i, arg);
+    else if (arg === "--slack-team-id") options.slackTeamId = requireValue(copy, ++i, arg);
     else if (arg === "--state-backend") options.stateBackend = requireValue(copy, ++i, arg);
     else if (arg === "--enable-pi") options.enablePi = true;
     else if (arg === "--enable-hermes") options.enableHermes = true;
@@ -226,6 +238,7 @@ function formatDashboardUrl(endpoint) {
 async function commandStart(options, settings = {}) {
   await mkdirp(options.home);
   loadEnvFiles(options.home);
+  await prepareRuntimeForLaunch(options);
   const dashboard = resolveDashboardEndpoint(options);
 
   const currentPid = await readPid(options.pidFile);
@@ -243,7 +256,7 @@ async function commandStart(options, settings = {}) {
   });
 
   const logFd = fs.openSync(options.logFile, "a");
-  const child = spawn(process.execPath, [SCRIPT_PATH, "foreground", ...options.rawFlags], {
+  const child = spawn(process.execPath, [SCRIPT_PATH, "foreground", ...runtimeForwardFlags(options.rawFlags)], {
     cwd: RUNTIME_ROOT,
     detached: true,
     env: process.env,
@@ -410,6 +423,8 @@ async function commandStatus(options) {
   console.log(`OpenClaw CLI: ${state.openClawCli || "-"}`);
   console.log(`Claude Code CLI: ${state.claudeCodeCli || "-"}`);
   console.log(`OpenClaw Gateway: ${state.openClawGateway || process.env.OPENCLAW_GATEWAY_URL || "-"}`);
+  console.log(`Peers: ${state.peerEnabled ? state.peerUrl || "enabled" : "disabled"}`);
+  if (state.peerTlsFingerprint) console.log(`Peer TLS fingerprint: ${state.peerTlsFingerprint}`);
   console.log(`WebUI: ${formatDashboardUrl(dashboard)} (${webStatus})`);
   console.log(`Log: ${options.logFile}`);
   console.log(`WebUI log: ${options.webLogFile}`);
@@ -675,10 +690,22 @@ async function commandInit(options) {
   const discordClientId = enableDiscord === "true"
     ? options.discordClientId || process.env.DISCORD_CLIENT_ID || await ask(null, "Discord client ID", "")
     : "";
+  const enableSlack = options.enableSlack ? "true" : await askChoice(null, "Enable Slack", "false");
+  const slackBotToken = enableSlack === "true"
+    ? options.slackBotToken || process.env.SLACK_BOT_TOKEN || await ask(null, "Slack bot token", "")
+    : "";
+  const slackAppToken = enableSlack === "true"
+    ? options.slackAppToken || process.env.SLACK_APP_TOKEN || await ask(null, "Slack app-level token for Socket Mode", "")
+    : "";
+  const slackSigningSecret = enableSlack === "true"
+    ? options.slackSigningSecret || process.env.SLACK_SIGNING_SECRET || await ask(null, "Slack signing secret (optional for Socket Mode)", "")
+    : "";
   const adminEmail = options.adminEmail || await ask(null, "Admin email", "");
   const adminName = options.adminName || await ask(null, "Admin name", "Admin");
   const adminPassword = options.adminPassword || await askSecret(null, "Admin password", "");
   const telegramUserId = options.telegramUserId || await ask(null, "Optional Telegram user id to link", "");
+  const slackUserId = options.slackUserId || await ask(null, "Optional Slack user id to link", "");
+  const slackTeamId = slackUserId ? (options.slackTeamId || await ask(null, "Optional Slack team id for linked user", "")) : "";
   const enableCodex = options.disableCodex ? "false" : await askChoice(null, "Enable Codex", "true");
   const enablePi = options.enablePi ? "true" : await askChoice(null, "Enable Pi", "false");
   const enableHermes = options.enableHermes ? "true" : await askChoice(null, "Enable Hermes", "false");
@@ -688,7 +715,9 @@ async function commandInit(options) {
 
   if (enableTelegram === "true" && !telegramBotToken) throw new Error("Telegram bot token is required when Telegram is enabled.");
   if (enableDiscord === "true" && !discordBotToken) throw new Error("Discord bot token is required when Discord is enabled.");
-  if (enableTelegram !== "true" && enableDiscord !== "true") throw new Error("At least one chat adapter must be enabled.");
+  if (enableSlack === "true" && !slackBotToken) throw new Error("Slack bot token is required when Slack is enabled.");
+  if (enableSlack === "true" && !slackAppToken) throw new Error("Slack app-level token is required for default Socket Mode.");
+  if (enableTelegram !== "true" && enableDiscord !== "true" && enableSlack !== "true") throw new Error("At least one chat adapter must be enabled.");
   if (!adminEmail) throw new Error("Admin email is required.");
   if (!adminPassword) throw new Error("Admin password is required.");
   if (enableCodex !== "true" && enablePi !== "true" && enableHermes !== "true" && enableOpenClaw !== "true" && enableClaudeCode !== "true") throw new Error("At least one agent must be enabled.");
@@ -713,6 +742,13 @@ async function commandInit(options) {
     "DISCORD_COMMAND_MODE=both",
     "DISCORD_MESSAGE_CONTENT_ENABLED=true",
     "DISCORD_AUTO_REGISTER_COMMANDS=true",
+    `SLACK_ENABLED=${enableSlack}`,
+    `SLACK_BOT_TOKEN=${slackBotToken}`,
+    `SLACK_APP_TOKEN=${slackAppToken}`,
+    `SLACK_SIGNING_SECRET=${slackSigningSecret}`,
+    "SLACK_SOCKET_MODE=true",
+    "SLACK_MESSAGE_CONTENT_ENABLED=true",
+    "SLACK_AUTO_SEND_ARTIFACTS=false",
     `NORDRELAY_CODEX_ENABLED=${enableCodex}`,
     `NORDRELAY_PI_ENABLED=${enablePi}`,
     `NORDRELAY_HERMES_ENABLED=${enableHermes}`,
@@ -727,6 +763,11 @@ async function commandInit(options) {
     "OPENCLAW_DEFAULT_PROFILE=default",
     "CLAUDE_CODE_DEFAULT_PROFILE=default",
     "CLAUDE_CODE_MAX_TURNS=100",
+    "NORDRELAY_PEER_ENABLED=false",
+    "NORDRELAY_PEER_HOST=127.0.0.1",
+    "NORDRELAY_PEER_PORT=31979",
+    "NORDRELAY_PEER_TLS_ENABLED=true",
+    "NORDRELAY_PEER_REQUIRE_TLS=true",
     `NORDRELAY_STATE_BACKEND=${stateBackend === "sqlite" ? "sqlite" : "json"}`,
     "TELEGRAM_TRANSPORT=polling",
     "TELEGRAM_AUTO_SEND_ARTIFACTS=false",
@@ -740,6 +781,8 @@ async function commandInit(options) {
     displayName: adminName || adminEmail,
     password: adminPassword,
     telegramUserId: telegramUserId ? Number(telegramUserId) : undefined,
+    slackUserId: slackUserId || undefined,
+    slackTeamId: slackTeamId || undefined,
   });
   console.log(`Wrote ${envPath}`);
   console.log(`Created admin user ${adminEmail}.`);
@@ -755,6 +798,165 @@ async function createUserStore(home) {
   return new mod.UserStore(home);
 }
 
+async function peerModules() {
+  const required = [
+    "peer-store.js",
+    "peer-identity.js",
+    "peer-client.js",
+  ];
+  for (const file of required) {
+    const modulePath = path.join(RUNTIME_ROOT, "dist", file);
+    if (!fs.existsSync(modulePath)) {
+      throw new Error(`Missing peer runtime. Run \`npm run build\` in ${RUNTIME_ROOT}.`);
+    }
+  }
+  const [store, identity, client] = await Promise.all(required.map((file) => import(pathToFileURL(path.join(RUNTIME_ROOT, "dist", file)).href)));
+  return { store, identity, client };
+}
+
+function parsePeerFlags(argv) {
+  const copy = [...argv];
+  const subcommand = copy[0] && !copy[0].startsWith("-") ? copy.shift() : "list";
+  const flags = { subcommand, url: undefined };
+  if (["add", "test", "check", "revoke"].includes(subcommand) && copy[0] && !copy[0].startsWith("-")) {
+    flags.url = copy.shift();
+    flags.id = flags.url;
+  }
+  for (let i = 0; i < copy.length; i += 1) {
+    const arg = copy[i];
+    if (arg === "--name") flags.name = requireValue(copy, ++i, arg);
+    else if (arg === "--code") flags.code = requireValue(copy, ++i, arg);
+    else if (arg === "--expect-fingerprint") flags.expectFingerprint = requireValue(copy, ++i, arg);
+    else if (arg === "--public-url") flags.publicUrl = requireValue(copy, ++i, arg);
+    else if (arg === "--expires" || arg === "--expires-minutes") flags.expiresMinutes = Number.parseInt(requireValue(copy, ++i, arg), 10);
+    else if (arg === "--scopes") flags.scopes = requireValue(copy, ++i, arg);
+    else if (arg === "--agents") flags.agents = requireValue(copy, ++i, arg);
+    else if (arg === "--workspaces") flags.workspaces = requireValue(copy, ++i, arg);
+    else if (arg === "--workspace-aliases" || arg === "--aliases") flags.workspaceAliases = requireValue(copy, ++i, arg);
+  }
+  return flags;
+}
+
+function csv(value) {
+  return value ? value.split(",").map((item) => item.trim()).filter(Boolean) : undefined;
+}
+
+function aliasMap(value) {
+  if (!value) return undefined;
+  return Object.fromEntries(value.split(",").map((item) => item.split("=", 2).map((part) => part.trim())).filter(([alias, workspace]) => alias && workspace));
+}
+
+async function commandPeer(options) {
+  await mkdirp(options.home);
+  loadEnvFiles(options.home);
+  const flags = parsePeerFlags(options.rawFlags);
+  const { store: storeMod, identity: identityMod, client: clientMod } = await peerModules();
+  const store = new storeMod.PeerStore(options.home);
+  const identity = identityMod.loadOrCreatePeerIdentity(options.home, process.env.NORDRELAY_PEER_NAME);
+
+  if (flags.subcommand === "identity") {
+    console.log(`Node ID: ${identity.public.nodeId}`);
+    console.log(`Name: ${identity.public.name}`);
+    console.log(`Fingerprint: ${identity.public.fingerprint}`);
+    console.log(`Created: ${identity.public.createdAt}`);
+    return;
+  }
+
+  if (flags.subcommand === "list") {
+    const peers = store.listPublic();
+    if (peers.length === 0) {
+      console.log("No peers configured.");
+      console.log("Create an invite with `nordrelay peer invite` or add a peer with `nordrelay peer add <url> --code <code>`.");
+      return;
+    }
+    for (const peer of peers) {
+      console.log(`${peer.id} ${peer.enabled ? "enabled" : "disabled"} ${peer.name}`);
+      console.log(`  URL: ${peer.url || "-"}`);
+      console.log(`  Node: ${peer.nodeId} ${peer.fingerprint}`);
+      console.log(`  Direction: ${peer.direction}`);
+      console.log(`  Scopes: ${peer.scopes.join(",") || "-"}`);
+      console.log(`  Agents: ${peer.allowedAgents.join(",") || "all"}`);
+      const aliases = Object.entries(peer.workspaceAliases || {}).map(([alias, workspace]) => `${alias}=${workspace}`).join(",");
+      if (aliases) console.log(`  Workspace aliases: ${aliases}`);
+      if (peer.lastSeenAt) console.log(`  Last seen: ${peer.lastSeenAt}`);
+      if (peer.lastLatencyMs !== undefined) console.log(`  Latency: ${peer.lastLatencyMs}ms`);
+      if (peer.remoteVersion) console.log(`  Remote version: ${peer.remoteVersion}`);
+      if (peer.lastError) console.log(`  Last error: ${peer.lastError}`);
+    }
+    return;
+  }
+
+  if (flags.subcommand === "invite") {
+    const url = process.env.NORDRELAY_PEER_PUBLIC_URL || `${process.env.NORDRELAY_PEER_TLS_ENABLED === "false" ? "http" : "https"}://${process.env.NORDRELAY_PEER_HOST || "127.0.0.1"}:${process.env.NORDRELAY_PEER_PORT || "31979"}`;
+    const peerEnabled = process.env.NORDRELAY_PEER_ENABLED === "true";
+    if (!peerEnabled) {
+      console.log("Warning: peer server is disabled. The invite can be created, but pairing will fail until NORDRELAY_PEER_ENABLED=true and NordRelay is restarted.");
+    } else {
+      const probe = await clientMod.checkPeerEndpoint(url, { timeoutMs: 2500 });
+      if (!probe.ok) {
+        console.log(`Warning: peer endpoint is not reachable from this machine: ${probe.detail}`);
+      }
+    }
+    const created = store.createInvitation({
+      name: flags.name,
+      expiresInMs: Number.isFinite(flags.expiresMinutes) ? flags.expiresMinutes * 60 * 1000 : undefined,
+      scopes: csv(flags.scopes),
+      allowedAgents: csv(flags.agents),
+      allowedWorkspaceRoots: csv(flags.workspaces),
+      workspaceAliases: aliasMap(flags.workspaceAliases),
+    });
+    console.log(`Pairing code: ${created.code}`);
+    console.log(`Expires: ${created.invitation.expiresAt}`);
+    console.log(`Fingerprint: ${identity.public.fingerprint}`);
+    console.log(`Command: nordrelay peer add ${url} --code ${created.code}`);
+    return;
+  }
+
+  if (flags.subcommand === "add") {
+    const url = flags.url || await ask(null, "Peer URL", "");
+    const code = flags.code || await ask(null, "Pairing code", "");
+    const result = await clientMod.pairPeer({
+      url,
+      code,
+      name: flags.name,
+      publicUrl: flags.publicUrl,
+    }, identity, store);
+    console.log(`Added peer ${result.peer.name} (${result.peer.id}).`);
+    console.log(`Node: ${result.peer.nodeId}`);
+    console.log(`Fingerprint: ${result.peer.fingerprint}`);
+    if (result.tlsFingerprint) console.log(`TLS fingerprint: ${result.tlsFingerprint}`);
+    return;
+  }
+
+  if (flags.subcommand === "test") {
+    const id = flags.id || await ask(null, "Peer id", "");
+    const response = await new clientMod.RemoteRelayClient(store).rpc(id, "peer.ping");
+    console.log(`Peer ${id} ok: ${JSON.stringify(response)}`);
+    return;
+  }
+
+  if (flags.subcommand === "check") {
+    const url = flags.url || await ask(null, "Peer URL", "");
+    const probe = await clientMod.checkPeerEndpoint(url, { expectedTlsFingerprint: flags.expectFingerprint });
+    console.log(`Peer endpoint: ${probe.url}`);
+    console.log(`Status: ${probe.ok ? "reachable" : "unreachable"}`);
+    if (probe.latencyMs !== undefined) console.log(`Latency: ${probe.latencyMs}ms`);
+    if (probe.statusCode !== undefined) console.log(`HTTP status: ${probe.statusCode}`);
+    if (probe.tlsFingerprint) console.log(`TLS fingerprint: ${probe.tlsFingerprint}`);
+    console.log(`Detail: ${probe.detail}`);
+    if (!probe.ok) process.exitCode = 1;
+    return;
+  }
+
+  if (flags.subcommand === "revoke") {
+    const id = flags.id || await ask(null, "Peer id", "");
+    console.log(store.revokePeer(id) ? `Revoked peer ${id}.` : `Peer not found: ${id}`);
+    return;
+  }
+
+  throw new Error("Usage: nordrelay peer [identity|list|invite|add|test|check|revoke]");
+}
+
 function parseUserFlags(argv) {
   const copy = [...argv];
   const subcommand = copy[0] && !copy[0].startsWith("-") ? copy.shift() : "list";
@@ -767,6 +969,8 @@ function parseUserFlags(argv) {
     else if (arg === "--group" || arg === "--groups") flags.groups = requireValue(copy, ++i, arg);
     else if (arg === "--telegram-user-id") flags.telegramUserId = Number.parseInt(requireValue(copy, ++i, arg), 10);
     else if (arg === "--discord-user-id") flags.discordUserId = requireValue(copy, ++i, arg);
+    else if (arg === "--slack-user-id") flags.slackUserId = requireValue(copy, ++i, arg);
+    else if (arg === "--slack-team-id") flags.slackTeamId = requireValue(copy, ++i, arg);
     else if (arg === "--user-id") flags.userId = requireValue(copy, ++i, arg);
   }
   return flags;
@@ -798,8 +1002,8 @@ async function commandUser(options) {
       ? ["admin"]
       : (flags.groups ? flags.groups.split(",").map((item) => item.trim()).filter(Boolean) : ["user"]);
     const created = flags.subcommand === "create-admin"
-      ? store.createAdmin({ email, displayName: name, password, telegramUserId: flags.telegramUserId, discordUserId: flags.discordUserId })
-      : store.createUser({ email, displayName: name, password, groupIds, telegramUserId: flags.telegramUserId, discordUserId: flags.discordUserId });
+      ? store.createAdmin({ email, displayName: name, password, telegramUserId: flags.telegramUserId, discordUserId: flags.discordUserId, slackUserId: flags.slackUserId, slackTeamId: flags.slackTeamId })
+      : store.createUser({ email, displayName: name, password, groupIds, telegramUserId: flags.telegramUserId, discordUserId: flags.discordUserId, slackUserId: flags.slackUserId, slackTeamId: flags.slackTeamId });
     console.log(`Created user ${created.user.email} (${created.groups.map((group) => group.name).join(", ")}).`);
     return;
   }
@@ -834,6 +1038,17 @@ async function commandUser(options) {
     return;
   }
 
+  if (flags.subcommand === "link-slack") {
+    const email = flags.email || await ask(null, "Email", "");
+    const slackUserId = flags.slackUserId || await ask(null, "Slack user id", "");
+    const teamId = flags.slackTeamId || await ask(null, "Slack team id (optional)", "");
+    const user = store.getUserByEmail(email);
+    if (!user) throw new Error(`User not found: ${email}`);
+    store.linkSlackUser(user.user.id, { slackUserId, teamId: teamId || undefined });
+    console.log(`Linked Slack user ${slackUserId} to ${user.user.email}.`);
+    return;
+  }
+
   if (flags.subcommand === "link-code" || flags.subcommand === "telegram-link-code") {
     const email = flags.email || await ask(null, "Email", "");
     const user = store.getUserByEmail(email);
@@ -854,7 +1069,17 @@ async function commandUser(options) {
     return;
   }
 
-  throw new Error("Usage: nordrelay user [list|create-admin|create|reset-password|link-telegram|link-discord|link-code|telegram-link-code|discord-link-code]");
+  if (flags.subcommand === "slack-link-code") {
+    const email = flags.email || await ask(null, "Email", "");
+    const user = store.getUserByEmail(email);
+    if (!user) throw new Error(`User not found: ${email}`);
+    const code = store.createSlackLinkCode(user.user.id);
+    console.log(`Slack link code for ${user.user.email}: ${code.code}`);
+    console.log(`Expires: ${code.expiresAt}`);
+    return;
+  }
+
+  throw new Error("Usage: nordrelay user [list|create-admin|create|reset-password|link-telegram|link-discord|link-slack|link-code|telegram-link-code|discord-link-code|slack-link-code]");
 }
 
 async function commandDoctor(options) {
@@ -864,16 +1089,55 @@ async function commandDoctor(options) {
   const userSnapshot = userStore?.snapshot();
   const checks = [];
   checks.push(check("Node.js >= 22", Number.parseInt(process.versions.node.split(".")[0], 10) >= 22, process.version));
-  const telegramEnabled = process.env.TELEGRAM_ENABLED !== "false";
-  const discordEnabled = process.env.DISCORD_ENABLED === "true";
-  checks.push(check("Telegram bot token", !telegramEnabled || Boolean(process.env.TELEGRAM_BOT_TOKEN), telegramEnabled ? (process.env.TELEGRAM_BOT_TOKEN ? "configured" : "missing") : "disabled", telegramEnabled ? "fail" : "warn"));
-  checks.push(check("Discord bot token", !discordEnabled || Boolean(process.env.DISCORD_BOT_TOKEN), discordEnabled ? (process.env.DISCORD_BOT_TOKEN ? "configured" : "missing") : "disabled", discordEnabled ? "fail" : "warn"));
-  checks.push(check("Discord client ID", !discordEnabled || Boolean(process.env.DISCORD_CLIENT_ID), discordEnabled ? (process.env.DISCORD_CLIENT_ID ? "configured" : "missing; slash command auto-registration disabled") : "disabled", "warn"));
+  const telegramRequested = process.env.TELEGRAM_ENABLED !== "false";
+  const discordRequested = process.env.DISCORD_ENABLED === "true";
+  const slackRequested = process.env.SLACK_ENABLED === "true";
+  const slackSocketMode = process.env.SLACK_SOCKET_MODE !== "false";
+  const telegramUsable = telegramRequested && Boolean(process.env.TELEGRAM_BOT_TOKEN);
+  const discordUsable = discordRequested && Boolean(process.env.DISCORD_BOT_TOKEN);
+  const slackUsable = slackRequested && Boolean(process.env.SLACK_BOT_TOKEN) && (slackSocketMode ? Boolean(process.env.SLACK_APP_TOKEN) : Boolean(process.env.SLACK_SIGNING_SECRET));
+  checks.push(check(
+    "Telegram bot token",
+    !telegramRequested || telegramUsable,
+    telegramRequested ? (telegramUsable ? "configured" : "missing; Telegram adapter will be disabled") : "disabled",
+    telegramRequested && !discordUsable && !slackUsable ? "fail" : "warn",
+  ));
+  checks.push(check(
+    "Discord bot token",
+    !discordRequested || discordUsable,
+    discordRequested ? (discordUsable ? "configured" : "missing; Discord adapter will be disabled") : "disabled",
+    discordRequested && !telegramUsable && !slackUsable ? "fail" : "warn",
+  ));
+  checks.push(check(
+    "Slack bot token",
+    !slackRequested || Boolean(process.env.SLACK_BOT_TOKEN),
+    slackRequested ? (process.env.SLACK_BOT_TOKEN ? "configured" : "missing; Slack adapter will be disabled") : "disabled",
+    slackRequested && !telegramUsable && !discordUsable ? "fail" : "warn",
+  ));
+  checks.push(check(
+    slackSocketMode ? "Slack app token" : "Slack signing secret",
+    !slackRequested || slackUsable,
+    slackRequested ? (slackUsable ? "configured" : `missing; ${slackSocketMode ? "Socket Mode requires SLACK_APP_TOKEN" : "HTTP mode requires SLACK_SIGNING_SECRET"}`) : "disabled",
+    slackRequested && !telegramUsable && !discordUsable ? "fail" : "warn",
+  ));
+  checks.push(check(
+    "Usable chat adapter",
+    telegramUsable || discordUsable || slackUsable,
+    [telegramUsable ? "Telegram" : "", discordUsable ? "Discord" : "", slackUsable ? "Slack" : ""].filter(Boolean).join(" and ") || "none",
+    "fail",
+  ));
+  checks.push(check("Discord client ID", !discordUsable || Boolean(process.env.DISCORD_CLIENT_ID), discordUsable ? (process.env.DISCORD_CLIENT_ID ? "configured" : "missing; slash command auto-registration disabled") : "disabled", "warn"));
   checks.push(check("User store", Boolean(userStore), userStore ? userStore.filePath : "missing runtime", userStore ? "pass" : "fail"));
   checks.push(check("Admin user", Boolean(userSnapshot?.adminConfigured), userSnapshot?.adminConfigured ? "configured" : "missing"));
   checks.push(check("WebUI login", true, "required for every dashboard request"));
   checks.push(check("Telegram access", true, "requires linked active users and enabled group chats"));
   checks.push(check("Discord access", true, "requires linked active users and enabled channels"));
+  checks.push(check("Slack access", true, "requires linked active users and enabled channels"));
+  const peerEnabled = process.env.NORDRELAY_PEER_ENABLED === "true";
+  const peerTlsEnabled = process.env.NORDRELAY_PEER_TLS_ENABLED !== "false";
+  const peerHost = process.env.NORDRELAY_PEER_HOST || "127.0.0.1";
+  checks.push(check("Peer server", peerEnabled, peerEnabled ? `${peerHost}:${process.env.NORDRELAY_PEER_PORT || "31979"}` : "disabled", "warn"));
+  checks.push(check("Peer TLS", !peerEnabled || peerTlsEnabled || isLoopbackName(peerHost), peerTlsEnabled ? "enabled" : "plaintext loopback only", peerEnabled ? "fail" : "warn"));
   checks.push(check("Codex enabled flag", process.env.NORDRELAY_CODEX_ENABLED !== "false", `NORDRELAY_CODEX_ENABLED=${process.env.NORDRELAY_CODEX_ENABLED ?? "true"}`));
   checks.push(check("Pi enabled flag", process.env.NORDRELAY_PI_ENABLED === "true" || process.env.NORDRELAY_PI_ENABLED === undefined, `NORDRELAY_PI_ENABLED=${process.env.NORDRELAY_PI_ENABLED ?? "false"}`, process.env.NORDRELAY_PI_ENABLED === "true" ? "pass" : "warn"));
   checks.push(check("Hermes enabled flag", process.env.NORDRELAY_HERMES_ENABLED === "true", `NORDRELAY_HERMES_ENABLED=${process.env.NORDRELAY_HERMES_ENABLED ?? "false"}`, process.env.NORDRELAY_HERMES_ENABLED === "true" ? "pass" : "warn"));
@@ -978,6 +1242,7 @@ async function checkOpenClawGateway() {
 async function commandWeb(options) {
   await mkdirp(options.home);
   loadEnvFiles(options.home);
+  await prepareRuntimeForLaunch(options);
   await ensureConnectorStartedForWeb(options);
   await startWebDashboard(options, { detached: false });
 }
@@ -1077,6 +1342,7 @@ async function startWebDashboard(options, settings = {}) {
 async function commandForeground(options) {
   await mkdirp(options.home);
   loadEnvFiles(options.home);
+  await prepareRuntimeForLaunch(options);
   process.chdir(RUNTIME_ROOT);
 
   await writeJsonAtomic(options.stateFile, {
@@ -1162,6 +1428,157 @@ async function resolveRuntimeEntry() {
   return null;
 }
 
+async function prepareRuntimeForLaunch(options) {
+  if (options.buildBeforeStart) {
+    await buildRuntime();
+    options.buildBeforeStart = false;
+    return;
+  }
+  warnIfRuntimeBuildIsStale();
+}
+
+function runtimeForwardFlags(flags) {
+  return flags.filter((flag) => flag !== "--build");
+}
+
+async function buildRuntime() {
+  if (!isSourceRuntime()) {
+    throw new Error(`Runtime build is only available from a source checkout. Current runtime: ${RUNTIME_ROOT}`);
+  }
+  const npm = resolveNpmSpawnCommand();
+  if (!npm) {
+    throw new Error("npm was not found. Install Node.js/npm or add npm to PATH.");
+  }
+  console.log("Building NordRelay runtime...");
+  await runInteractiveStep("Build runtime", npm.command, [...npm.argsPrefix, "run", "build"], {
+    cwd: RUNTIME_ROOT,
+    shell: npm.shell,
+  });
+}
+
+function warnIfRuntimeBuildIsStale() {
+  const status = runtimeBuildStatus();
+  if (!status || !status.stale) {
+    return;
+  }
+  const source = status.sourcePath ? path.relative(RUNTIME_ROOT, status.sourcePath) : "source files";
+  const target = status.targetPath ? path.relative(RUNTIME_ROOT, status.targetPath) : "dist";
+  const reason = status.missing
+    ? `missing ${target}`
+    : `${source} is newer than ${target}`;
+  console.warn(`Warning: NordRelay runtime build may be stale (${reason}). Run \`nordrelay restart --build\` or \`npm run build\`.`);
+}
+
+function runtimeBuildStatus() {
+  if (!isSourceRuntime()) {
+    return null;
+  }
+  const source = newestMtime([
+    path.join(RUNTIME_ROOT, "src"),
+    path.join(RUNTIME_ROOT, "plugins", "nordrelay", "scripts"),
+    path.join(RUNTIME_ROOT, "scripts"),
+    path.join(RUNTIME_ROOT, "package.json"),
+    path.join(RUNTIME_ROOT, "tsconfig.json"),
+    path.join(RUNTIME_ROOT, "tsconfig.webui.json"),
+  ]);
+  const distTargets = [
+    path.join(RUNTIME_ROOT, "dist", "index.js"),
+    path.join(RUNTIME_ROOT, "dist", "web-dashboard.js"),
+    path.join(RUNTIME_ROOT, "dist", "webui-assets", "dashboard.js"),
+    path.join(RUNTIME_ROOT, "dist", "webui-assets", "dashboard.css"),
+  ];
+  const missingTarget = distTargets.find((target) => !fs.existsSync(target));
+  if (missingTarget) {
+    return {
+      stale: true,
+      missing: true,
+      sourcePath: source.path,
+      sourceMtimeMs: source.mtimeMs,
+      targetPath: missingTarget,
+      targetMtimeMs: 0,
+    };
+  }
+  const target = oldestMtime(distTargets);
+  return {
+    stale: source.mtimeMs > target.mtimeMs,
+    missing: false,
+    sourcePath: source.path,
+    sourceMtimeMs: source.mtimeMs,
+    targetPath: target.path,
+    targetMtimeMs: target.mtimeMs,
+  };
+}
+
+function isSourceRuntime() {
+  return fs.existsSync(path.join(RUNTIME_ROOT, "src", "index.ts")) &&
+    fs.existsSync(path.join(RUNTIME_ROOT, "scripts", "build-web-assets.mjs"));
+}
+
+function newestMtime(paths) {
+  let newest = { path: null, mtimeMs: 0 };
+  for (const itemPath of paths) {
+    const candidate = newestMtimeForPath(itemPath);
+    if (candidate.mtimeMs > newest.mtimeMs) {
+      newest = candidate;
+    }
+  }
+  return newest;
+}
+
+function newestMtimeForPath(itemPath) {
+  if (!fs.existsSync(itemPath)) {
+    return { path: itemPath, mtimeMs: 0 };
+  }
+  const stat = fs.statSync(itemPath);
+  if (!stat.isDirectory()) {
+    return { path: itemPath, mtimeMs: stat.mtimeMs };
+  }
+  let newest = { path: itemPath, mtimeMs: stat.mtimeMs };
+  for (const entry of fs.readdirSync(itemPath, { withFileTypes: true })) {
+    if (entry.name === "node_modules" || entry.name === "dist" || entry.name === ".git") {
+      continue;
+    }
+    const candidate = newestMtimeForPath(path.join(itemPath, entry.name));
+    if (candidate.mtimeMs > newest.mtimeMs) {
+      newest = candidate;
+    }
+  }
+  return newest;
+}
+
+function oldestMtime(paths) {
+  let oldest = { path: null, mtimeMs: Number.POSITIVE_INFINITY };
+  for (const itemPath of paths) {
+    const mtimeMs = fs.statSync(itemPath).mtimeMs;
+    if (mtimeMs < oldest.mtimeMs) {
+      oldest = { path: itemPath, mtimeMs };
+    }
+  }
+  return oldest;
+}
+
+async function runInteractiveStep(label, command, args, settings = {}) {
+  console.log(`${label}: ${formatCommand(command, args)}`);
+  const useShell = Boolean(settings.shell);
+  const child = spawn(useShell ? formatShellCommand(command, args) : command, useShell ? [] : args, {
+    cwd: settings.cwd || RUNTIME_ROOT,
+    env: process.env,
+    shell: useShell,
+    stdio: "inherit",
+    windowsHide: false,
+  });
+  const exit = await new Promise((resolve, reject) => {
+    child.once("error", reject);
+    child.once("exit", (code, signal) => resolve({ code, signal }));
+  });
+  if (exit.signal) {
+    throw new Error(`${label} stopped with signal ${exit.signal}`);
+  }
+  if (exit.code !== 0) {
+    throw new Error(`${label} failed with exit code ${exit.code ?? "unknown"}`);
+  }
+}
+
 async function resolveWebRuntimeEntry() {
   const distEntry = path.join(RUNTIME_ROOT, "dist", "web-dashboard.js");
   if (fs.existsSync(distEntry)) {
@@ -1307,6 +1724,10 @@ function isWindowsShellScript(filePath) {
   return process.platform === "win32" && /\.(?:cmd|bat)$/i.test(filePath);
 }
 
+function isLoopbackName(host) {
+  return host === "127.0.0.1" || host === "::1" || host === "localhost";
+}
+
 function validateStateBackend() {
   const backend = process.env.NORDRELAY_STATE_BACKEND || "json";
   if (backend === "json") return { ok: true, detail: "NORDRELAY_STATE_BACKEND=json" };
@@ -1350,19 +1771,54 @@ function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
 
+function printHelp() {
+  console.log(`${APP_NAME} ${VERSION}`);
+  console.log("");
+  console.log("Usage: nordrelay <command> [options]");
+  console.log("");
+  console.log("Commands:");
+  console.log("  init                 Create local config and first admin user");
+  console.log("  user                 Manage users, groups, and channel links");
+  console.log("  peer                 Manage secure NordRelay peer federation");
+  console.log("  doctor               Validate the local setup");
+  console.log("  web, dashboard       Start the WebUI and connector");
+  console.log("  start                Start the connector");
+  console.log("  stop                 Stop the connector and WebUI");
+  console.log("  restart              Restart the connector");
+  console.log("  status               Show connector and WebUI status");
+  console.log("  update               Update NordRelay");
+  console.log("  foreground           Run the connector in the foreground");
+  console.log("  version              Print the installed version");
+  console.log("");
+  console.log("Options:");
+  console.log("  --home <path>        Runtime home directory");
+  console.log("  --host <host>        WebUI bind host");
+  console.log("  --port <port>        WebUI port");
+  console.log("  --build              Build source runtime before start/web/restart");
+  console.log("  --force              Overwrite existing config during init");
+  console.log("  --help, -h           Show this help");
+  console.log("  --version, -v        Show the installed version");
+}
+
 async function main() {
   const options = parseArgs(process.argv.slice(2));
+  if (options.command === "help") {
+    printHelp();
+    return;
+  }
   if (options.command === "start") return commandStart(options);
   if (options.command === "stop") return commandStop(options);
   if (options.command === "status") return commandStatus(options);
   if (options.command === "init") return commandInit(options);
   if (options.command === "user") return commandUser(options);
+  if (options.command === "peer") return commandPeer(options);
   if (options.command === "doctor") return commandDoctor(options);
   if (options.command === "update") return commandUpdate(options);
   if (options.command === "web" || options.command === "dashboard") return commandWeb(options);
   if (options.command === "restart") {
     await mkdirp(options.home);
     loadEnvFiles(options.home);
+    await prepareRuntimeForLaunch(options);
     const webWasRunning = await isWebDashboardRunning(options);
     await commandStop(options);
     await commandStart(options);
@@ -1378,7 +1834,8 @@ async function main() {
   }
 
   console.error(`Unknown command: ${options.command}`);
-  console.error("Usage: nordrelay [init|user|doctor|web|start|stop|restart|status|update|foreground|version]");
+  console.error("Usage: nordrelay [init|user|peer|doctor|web|start|stop|restart|status|update|foreground|version]");
+  console.error("Run `nordrelay --help` for details.");
   process.exitCode = 2;
 }