npm - @onklave/agent-cli - Versions diffs - 0.1.48 → 0.1.50 - Mend

@onklave/agent-cli 0.1.48 → 0.1.50

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/main.js +1005 -74
package/package.json +1 -1

package/main.js CHANGED Viewed

@@ -8,9 +8,24 @@ var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require
 // _apps/@onklave/agent-cli/src/services/credential-store.ts
 import * as fs from "fs";
-import * as path from "path";
-import * as os from "os";
+import * as path2 from "path";
 import { createRequire } from "module";
+// _apps/@onklave/agent-cli/src/services/config-paths.ts
+import * as os from "os";
+import * as path from "path";
+function resolveConfigDir() {
+  const override = process.env["ONKLAVE_CONFIG_DIR"];
+  if (override && override.trim()) {
+    return override.trim();
+  }
+  return path.join(os.homedir(), ".config", "onklave");
+}
+function credentialsFilePath() {
+  return path.join(resolveConfigDir(), "credentials.json");
+}
+// _apps/@onklave/agent-cli/src/services/credential-store.ts
 var nodeRequire = createRequire(import.meta.url);
 var KEYTAR_SERVICE = "onklave-agent-cli";
 var KEYTAR_ACCOUNT = "default";
@@ -33,13 +48,13 @@ function warnFallback(reason) {
   }
   warnedFallback = true;
   console.warn(
-    `[onklave] OS keychain unavailable (${reason}); falling back to file store at ~/.config/onklave/credentials.json`
+    `[onklave] OS keychain unavailable (${reason}); falling back to file store at ${credentialsFilePath()}`
   );
 }
 var CredentialStore = class {
   constructor() {
-    this.configDir = path.join(os.homedir(), ".config", "onklave");
-    this.credentialsPath = path.join(this.configDir, "credentials.json");
+    this.configDir = resolveConfigDir();
+    this.credentialsPath = path2.join(this.configDir, "credentials.json");
   }
   /*
    * Read the full credentials object, keychain-first.
@@ -364,7 +379,7 @@ async function whoamiCommand() {
 // _apps/@onklave/agent-cli/src/services/config-resolver.ts
 import * as fs2 from "fs";
-import * as path2 from "path";
+import * as path3 from "path";
 import * as os2 from "os";
 var DEFAULT_MODEL = "claude-sonnet-4-20250514";
 var DEFAULT_TIMEOUT = 120;
@@ -456,7 +471,7 @@ var ConfigResolver = class {
     const fromFlags = {};
     if (typeof flags["task"] === "string") fromFlags.task = flags["task"];
     if (typeof flags["context"] === "string")
-      fromFlags.context = path2.resolve(flags["context"]);
+      fromFlags.context = path3.resolve(flags["context"]);
     if (typeof flags["persona"] === "string")
       fromFlags.persona = flags["persona"];
     if (typeof flags["workflow"] === "string")
@@ -482,7 +497,7 @@ var ConfigResolver = class {
    * Load .onklave.json from the given directory.
    */
   loadOnklaveJson(cwd) {
-    const filePath = path2.join(cwd, ".onklave.json");
+    const filePath = path3.join(cwd, ".onklave.json");
     if (!fs2.existsSync(filePath)) {
       return null;
     }
@@ -500,7 +515,7 @@ var ConfigResolver = class {
    * Load global config from ~/.config/onklave/config.json.
    */
   loadGlobalConfig() {
-    const filePath = path2.join(
+    const filePath = path3.join(
       os2.homedir(),
       ".config",
       "onklave",
@@ -520,8 +535,8 @@ var ConfigResolver = class {
    * Save a value to the global config file.
    */
   saveGlobalConfig(key, value) {
-    const configDir = path2.join(os2.homedir(), ".config", "onklave");
-    const filePath = path2.join(configDir, "config.json");
+    const configDir = path3.join(os2.homedir(), ".config", "onklave");
+    const filePath = path3.join(configDir, "config.json");
     if (!fs2.existsSync(configDir)) {
       fs2.mkdirSync(configDir, { recursive: true, mode: 448 });
     }
@@ -774,8 +789,8 @@ var PlatformClient = class {
   /*
    * Make an authenticated HTTP request to the platform.
    */
-  async request(method, path12, body, extraHeaders) {
-    const url = `${this.baseUrl}${GATEWAY_SERVICE_PREFIX}${path12}`;
+  async request(method, path14, body, extraHeaders) {
+    const url = `${this.baseUrl}${GATEWAY_SERVICE_PREFIX}${path14}`;
     const headers = {
       Authorization: `Bearer ${this.token}`,
       "Content-Type": "application/json",
@@ -1250,33 +1265,33 @@ var AuditStreamer = class {
 // _apps/@onklave/agent-cli/src/services/guardrail-enforcer.ts
 import * as fs3 from "fs";
-import * as path3 from "path";
+import * as path4 from "path";
 function safeRealpath(target) {
-  let current = path3.resolve(target);
+  let current = path4.resolve(target);
   const tail = [];
   for (let i = 0; i < 4096; i++) {
     try {
       const real = fs3.realpathSync(current);
-      return tail.length ? path3.join(real, ...tail.reverse()) : real;
+      return tail.length ? path4.join(real, ...tail.reverse()) : real;
     } catch {
-      const parent = path3.dirname(current);
+      const parent = path4.dirname(current);
       if (parent === current) break;
-      tail.push(path3.basename(current));
+      tail.push(path4.basename(current));
       current = parent;
     }
   }
-  return path3.resolve(target);
+  return path4.resolve(target);
 }
 function isPathWithin(target, root) {
   const realRoot = safeRealpath(root);
   const realTarget = safeRealpath(target);
   if (realTarget === realRoot) return true;
-  const rootWithSep = realRoot.endsWith(path3.sep) ? realRoot : realRoot + path3.sep;
+  const rootWithSep = realRoot.endsWith(path4.sep) ? realRoot : realRoot + path4.sep;
   return realTarget.startsWith(rootWithSep);
 }
 function checkWorkspaceAccess(contextPath, allowedRoots) {
   const real = safeRealpath(contextPath);
-  if (real === path3.parse(real).root) {
+  if (real === path4.parse(real).root) {
     return {
       allowed: false,
       reason: `Refusing to run with the filesystem root "${real}" as the workspace.`
@@ -1387,8 +1402,8 @@ var GuardrailEnforcer = class {
       "id_rsa",
       "id_ed25519"
     ];
-    const basename3 = path3.basename(realPath);
-    const normForward = realPath.split(path3.sep).join("/");
+    const basename3 = path4.basename(realPath);
+    const normForward = realPath.split(path4.sep).join("/");
     for (const sensitive of sensitivePatterns) {
       if (basename3 === sensitive || normForward.includes(`/${sensitive}`)) {
         return {
@@ -1530,7 +1545,7 @@ var HeartbeatService = class {
 // _apps/@onklave/agent-cli/src/services/cli-version.ts
 import * as fs4 from "node:fs";
-import * as path4 from "node:path";
+import * as path5 from "node:path";
 import { fileURLToPath } from "node:url";
 // _apps/@onklave/agent-cli/src/services/daemon-update-checker.service.ts
@@ -1621,14 +1636,14 @@ function parseSemverNumeric(v) {
 // _apps/@onklave/agent-cli/src/services/cli-version.ts
 function readPackageVersion() {
   try {
-    const moduleDir = path4.dirname(fileURLToPath(import.meta.url));
+    const moduleDir = path5.dirname(fileURLToPath(import.meta.url));
     const candidates = [
-      path4.join(moduleDir, "package.json"),
+      path5.join(moduleDir, "package.json"),
       // bundled: dist root
-      path4.join(moduleDir, "..", "package.json"),
-      path4.join(moduleDir, "..", "..", "package.json"),
+      path5.join(moduleDir, "..", "package.json"),
+      path5.join(moduleDir, "..", "..", "package.json"),
       // dev: src/services -> root
-      path4.join(moduleDir, "..", "..", "..", "package.json")
+      path5.join(moduleDir, "..", "..", "..", "package.json")
     ];
     for (const p of candidates) {
       if (!fs4.existsSync(p)) continue;
@@ -1661,7 +1676,7 @@ function collectPosture() {
 }
 // _apps/@onklave/agent-cli/src/commands/run.command.ts
-import * as path5 from "path";
+import * as path6 from "path";
 // _apps/@onklave/agent-cli/src/tui/render.tsx
 import { render } from "ink";
@@ -2361,7 +2376,7 @@ async function runCommand(args) {
   }
   const addDirs = [
     .../* @__PURE__ */ new Set([
-      path5.resolve(resolvedConfig.context),
+      path6.resolve(resolvedConfig.context),
       ...effectiveAllowedRoots
     ])
   ];
@@ -2825,7 +2840,7 @@ async function denyCommand(args) {
 // _apps/@onklave/agent-cli/src/commands/doctor.command.ts
 import * as fs6 from "fs";
-import * as path6 from "path";
+import * as path7 from "path";
 // _apps/@onklave/agent-cli/src/services/command-exists.ts
 import { execSync } from "child_process";
@@ -2955,7 +2970,7 @@ function checkNodeVersion() {
   };
 }
 function checkProjectConfig() {
-  const configPath = path6.join(process.cwd(), ".onklave.json");
+  const configPath = path7.join(process.cwd(), ".onklave.json");
   if (fs6.existsSync(configPath)) {
     try {
       const raw = fs6.readFileSync(configPath, "utf-8");
@@ -3009,9 +3024,9 @@ async function checkWebSocket() {
 // _apps/@onklave/agent-cli/src/commands/init.command.ts
 import * as fs7 from "fs";
-import * as path7 from "path";
+import * as path8 from "path";
 async function initCommand() {
-  const configPath = path7.join(process.cwd(), ".onklave.json");
+  const configPath = path8.join(process.cwd(), ".onklave.json");
   if (fs7.existsSync(configPath)) {
     console.error("Error: .onklave.json already exists in this directory.");
     console.log("To overwrite, delete the existing file first.");
@@ -3019,7 +3034,7 @@ async function initCommand() {
     return;
   }
   const template = {
-    project: path7.basename(process.cwd()),
+    project: path8.basename(process.cwd()),
     org: "",
     description: "",
     defaults: {
@@ -3279,8 +3294,9 @@ async function logsCommand(args) {
 }
 // _apps/@onklave/agent-cli/src/commands/daemon.command.ts
-import * as fs10 from "fs";
-import * as path10 from "path";
+import * as fs11 from "fs";
+import * as path12 from "path";
+import * as os7 from "os";
 // _apps/@onklave/agent-cli/src/services/daemon-comms.service.ts
 var DaemonCommsService = class {
@@ -3707,8 +3723,8 @@ var PlatformBrokerClient = class {
       params
     );
   }
-  async request(method, path12, body) {
-    const url = `${this.baseUrl}/agent-orchestration${path12}`;
+  async request(method, path14, body) {
+    const url = `${this.baseUrl}/agent-orchestration${path14}`;
     const response = await fetch(url, {
       method,
       headers: {
@@ -3744,20 +3760,28 @@ var PlatformBrokerClient = class {
 // _apps/@onklave/agent-cli/src/services/work-item-runner.service.ts
 import { spawn as spawn2 } from "child_process";
+import * as crypto from "crypto";
 import * as fs8 from "fs";
 import * as os5 from "os";
-import * as path8 from "path";
+import * as path9 from "path";
 var WorkItemRunner = class {
   constructor(opts = {}) {
+    /**
+     * Per-cache-dir promise chain serialising the short git prepare/cleanup
+     * sections so concurrent tasks on the same repo don't race on the shared
+     * `.git` (worktree add/remove, fetch). Keyed by absolute cache dir.
+     */
+    this.repoLocks = /* @__PURE__ */ new Map();
     this.sessionManager = opts.sessionManager ?? new SessionManager();
     this.git = opts.git ?? defaultGit;
     this.model = opts.model ?? "claude-sonnet-4-6";
     this.timeoutSeconds = opts.timeoutSeconds ?? 1800;
+    this.cacheRoot = opts.cacheRoot ?? path9.join(os5.homedir(), ".onklave", "clones");
   }
   /**
-   * Clone → branch → run Claude Code. Returns the run outcome; never throws —
-   * failures are mapped to a `failed` result with an error summary so the
-   * caller can always report a status back to the broker.
+   * Prepare workspace → run Claude Code → tear down. Returns the run outcome;
+   * never throws — failures are mapped to a `failed` result with an error
+   * summary so the caller can always report a status back to the broker.
    */
   async run(sessionId, workItem) {
     const repo = workItem.project?.repos?.[0];
@@ -3768,18 +3792,19 @@ var WorkItemRunner = class {
       };
     }
     const workDir = fs8.mkdtempSync(
-      path8.join(os5.tmpdir(), `onklave-pickup-${sessionId}-`)
+      path9.join(os5.tmpdir(), `onklave-pickup-${sessionId}-`)
     );
-    const repoDir = path8.join(workDir, sanitizeName(repo.name) || "repo");
+    const repoDir = path9.join(workDir, sanitizeName(repo.name) || "repo");
     const branchName = `onklave/work-item/${workItem.id}`;
+    const repoUrl = repo.url;
+    let cacheDir;
     try {
-      await this.git(["clone", repo.url, repoDir], workDir);
-      await this.git(["checkout", "-b", branchName], repoDir);
+      cacheDir = await this.prepareWorkspace(repoUrl, repoDir, branchName);
     } catch (err) {
       cleanup(workDir);
       return {
         status: "failed",
-        summary: `Failed to prepare workspace for ${repo.url}: ${err.message}`,
+        summary: `Failed to prepare workspace for ${repoUrl}: ${err.message}`,
         branchName
       };
     }
@@ -3792,7 +3817,7 @@ var WorkItemRunner = class {
     });
     const writeCheck = guardrails.checkPathAccess(repoDir, "write");
     if (!writeCheck.allowed) {
-      cleanup(workDir);
+      await this.cleanupWorkspace(workDir, repoDir, cacheDir, branchName);
       return {
         status: "failed",
         summary: `Guardrails blocked the workspace: ${writeCheck.reason}`,
@@ -3839,7 +3864,7 @@ var WorkItemRunner = class {
         }
       });
     });
-    cleanup(workDir);
+    await this.cleanupWorkspace(workDir, repoDir, cacheDir, branchName);
     if (exitCode === 0) {
       return {
         status: "in_review",
@@ -3854,6 +3879,89 @@ var WorkItemRunner = class {
       branchName
     };
   }
+  /**
+   * Lay down a working tree for the task at `repoDir` on a fresh `branchName`.
+   *
+   * Fast path: ensure a persistent clone exists for the repo (clone once, fetch
+   * thereafter) and add a throwaway worktree for this task. Returns the cache
+   * dir so teardown can remove the worktree + branch.
+   *
+   * Fallback: on any failure of the cached path, do the original
+   * fresh-clone-then-branch into `repoDir` and return null (nothing cached to
+   * unwind). This keeps the optimization strictly non-regressing.
+   */
+  async prepareWorkspace(repoUrl, repoDir, branchName) {
+    const cacheDir = this.cacheDirFor(repoUrl);
+    try {
+      await this.withRepoLock(
+        cacheDir,
+        () => this.prepareViaWorktree(repoUrl, cacheDir, repoDir, branchName)
+      );
+      return cacheDir;
+    } catch {
+      cleanup(repoDir);
+      await this.git(["clone", repoUrl, repoDir], path9.dirname(repoDir));
+      await this.git(["checkout", "-b", branchName], repoDir);
+      return null;
+    }
+  }
+  /** Ensure the cache clone exists/up-to-date, then add a task worktree. */
+  async prepareViaWorktree(repoUrl, cacheDir, taskDir, branchName) {
+    if (fs8.existsSync(path9.join(cacheDir, ".git"))) {
+      await this.git(["fetch", "--prune", "origin"], cacheDir);
+    } else {
+      cleanup(cacheDir);
+      fs8.mkdirSync(path9.dirname(cacheDir), { recursive: true });
+      await this.git(["clone", repoUrl, cacheDir], path9.dirname(cacheDir));
+    }
+    await this.git(["worktree", "prune"], cacheDir);
+    await this.gitIgnoreError(["branch", "-D", branchName], cacheDir);
+    await this.git(
+      ["worktree", "add", "--force", "-b", branchName, taskDir, "origin/HEAD"],
+      cacheDir
+    );
+  }
+  /**
+   * Tear down a task workspace. For the worktree path this removes the linked
+   * worktree and deletes its branch from the cache (keeping the cache clone for
+   * reuse); for the fresh-clone path (`cacheDir === null`) it just removes the
+   * temp dir. Always best-effort — teardown failures never fail the run.
+   */
+  async cleanupWorkspace(workDir, taskDir, cacheDir, branchName) {
+    if (cacheDir) {
+      await this.withRepoLock(cacheDir, async () => {
+        await this.gitIgnoreError(
+          ["worktree", "remove", "--force", taskDir],
+          cacheDir
+        );
+        await this.gitIgnoreError(["worktree", "prune"], cacheDir);
+        await this.gitIgnoreError(["branch", "-D", branchName], cacheDir);
+      });
+    }
+    cleanup(workDir);
+  }
+  /** Absolute cache dir for a repo URL — stable hash, collision-safe enough. */
+  cacheDirFor(repoUrl) {
+    const hash = crypto.createHash("sha1").update(repoUrl).digest("hex").slice(0, 16);
+    return path9.join(this.cacheRoot, hash);
+  }
+  /** Run a git command, swallowing a non-zero exit (best-effort cleanup). */
+  gitIgnoreError(args, cwd) {
+    return this.git(args, cwd).catch(() => void 0);
+  }
+  /** Serialise an async section against others sharing the same key. */
+  withRepoLock(key, fn) {
+    const prev = this.repoLocks.get(key) ?? Promise.resolve();
+    const next = prev.then(fn, fn);
+    this.repoLocks.set(
+      key,
+      next.then(
+        () => void 0,
+        () => void 0
+      )
+    );
+    return next;
+  }
 };
 function buildTask(workItem) {
   const parts = [workItem.title];
@@ -4195,8 +4303,7 @@ var DaemonUpgradeService = class {
 // _apps/@onklave/agent-cli/src/services/daemon-state.service.ts
 import * as fs9 from "fs";
-import * as path9 from "path";
-import * as os7 from "os";
+import * as path10 from "path";
 var VALID_TRANSITIONS = {
   installing: ["registered"],
   registered: ["starting"],
@@ -4207,10 +4314,10 @@ var VALID_TRANSITIONS = {
   stopped: ["starting"]
 };
 function defaultStateFilePath() {
-  return path9.join(os7.homedir(), ".config", "onklave", "daemon.state.json");
+  return path10.join(resolveConfigDir(), "daemon.state.json");
 }
 function defaultPidFilePath() {
-  return path9.join(os7.homedir(), ".config", "onklave", "daemon.pid");
+  return path10.join(resolveConfigDir(), "daemon.pid");
 }
 var DaemonStateError = class extends Error {
   constructor(message) {
@@ -4285,7 +4392,7 @@ var DaemonStateService = class {
     }
   }
   persist(reason) {
-    const dir = path9.dirname(this.stateFile);
+    const dir = path10.dirname(this.stateFile);
     fs9.mkdirSync(dir, { recursive: true });
     const payload = {
       state: this.current,
@@ -4428,6 +4535,568 @@ function emitUnitFile(flavour) {
   }
 }
+// _apps/@onklave/agent-cli/src/services/daemon-installer.service.ts
+import * as fs10 from "fs";
+import * as path11 from "path";
+import { execFileSync } from "child_process";
+var LAUNCHD_LABEL = "app.onklave.daemon";
+var SYSTEMD_UNIT_NAME = "onklave-daemon";
+var WINDOWS_TASK_NAME = "OnklaveDaemon";
+var SYSTEMD_SYSTEM_UNIT_PATH = `/etc/systemd/system/${SYSTEMD_UNIT_NAME}.service`;
+var LINUX_SERVICE_USER = "onklave";
+var WINDOWS_SERVICE_ACCOUNT = "NT AUTHORITY\\LocalService";
+function xmlEscape(value) {
+  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+function macPlistPath(homeDir) {
+  return path11.join(
+    homeDir,
+    "Library",
+    "LaunchAgents",
+    `${LAUNCHD_LABEL}.plist`
+  );
+}
+function macLogDir(homeDir) {
+  return path11.join(homeDir, "Library", "Logs", "onklave");
+}
+function macPlist(inp) {
+  const logDir = macLogDir(inp.homeDir);
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>${LAUNCHD_LABEL}</string>
+    <key>ProgramArguments</key>
+    <array>
+        <string>${inp.nodePath}</string>
+        <string>${inp.cliPath}</string>
+        <string>daemon</string>
+    </array>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>KeepAlive</key>
+    <dict>
+        <key>SuccessfulExit</key>
+        <false/>
+        <key>Crashed</key>
+        <true/>
+    </dict>
+    <key>ThrottleInterval</key>
+    <integer>10</integer>
+    <key>ProcessType</key>
+    <string>Background</string>
+    <key>StandardOutPath</key>
+    <string>${path11.join(logDir, "daemon.out.log")}</string>
+    <key>StandardErrorPath</key>
+    <string>${path11.join(logDir, "daemon.err.log")}</string>
+</dict>
+</plist>
+`;
+}
+function macInstallPlan(inp) {
+  const plistPath = macPlistPath(inp.homeDir);
+  const domainTarget = `gui/${inp.uid ?? ""}`;
+  const serviceTarget = `${domainTarget}/${LAUNCHD_LABEL}`;
+  const commands = [
+    // Tear down any prior agent so bootstrap doesn't fail on a stale label.
+    { argv: ["launchctl", "bootout", serviceTarget], optional: true }
+  ];
+  if (inp.start) {
+    commands.push({
+      argv: ["launchctl", "bootstrap", domainTarget, plistPath]
+    });
+    commands.push({ argv: ["launchctl", "kickstart", "-k", serviceTarget] });
+  }
+  return {
+    platform: "darwin",
+    manager: "launchd",
+    serviceLabel: LAUNCHD_LABEL,
+    files: [{ filePath: plistPath, contents: macPlist(inp) }],
+    commands,
+    ensureDirs: [macLogDir(inp.homeDir)],
+    startsNow: inp.start
+  };
+}
+function macUninstallPlan(homeDir, uid) {
+  const serviceTarget = `gui/${uid ?? ""}/${LAUNCHD_LABEL}`;
+  return {
+    platform: "darwin",
+    manager: "launchd",
+    serviceLabel: LAUNCHD_LABEL,
+    removeFiles: [macPlistPath(homeDir)],
+    commands: [
+      { argv: ["launchctl", "bootout", serviceTarget], optional: true }
+    ]
+  };
+}
+function systemdUnitPath(homeDir) {
+  return path11.join(
+    homeDir,
+    ".config",
+    "systemd",
+    "user",
+    `${SYSTEMD_UNIT_NAME}.service`
+  );
+}
+function systemdUnit(inp) {
+  return `[Unit]
+Description=Onklave Agent CLI Daemon
+Documentation=https://docs.onklave.app/cli/daemon
+After=network-online.target
+Wants=network-online.target
+[Service]
+Type=simple
+ExecStart=${inp.nodePath} ${inp.cliPath} daemon
+ExecStop=${inp.nodePath} ${inp.cliPath} daemon drain
+Restart=on-failure
+RestartSec=10s
+StartLimitIntervalSec=300
+StartLimitBurst=5
+KillSignal=SIGTERM
+TimeoutStopSec=1830s
+[Install]
+WantedBy=default.target
+`;
+}
+function linuxInstallPlan(inp) {
+  const commands = [
+    { argv: ["systemctl", "--user", "daemon-reload"] },
+    // enable --now starts + enables; enable (no --now) just enables for login.
+    {
+      argv: inp.start ? ["systemctl", "--user", "enable", "--now", SYSTEMD_UNIT_NAME] : ["systemctl", "--user", "enable", SYSTEMD_UNIT_NAME]
+    }
+  ];
+  return {
+    platform: "linux",
+    manager: "systemd (user)",
+    serviceLabel: SYSTEMD_UNIT_NAME,
+    files: [
+      { filePath: systemdUnitPath(inp.homeDir), contents: systemdUnit(inp) }
+    ],
+    commands,
+    ensureDirs: [],
+    startsNow: inp.start
+  };
+}
+function linuxUninstallPlan(homeDir) {
+  return {
+    platform: "linux",
+    manager: "systemd (user)",
+    serviceLabel: SYSTEMD_UNIT_NAME,
+    removeFiles: [systemdUnitPath(homeDir)],
+    commands: [
+      {
+        argv: ["systemctl", "--user", "disable", "--now", SYSTEMD_UNIT_NAME],
+        optional: true
+      },
+      { argv: ["systemctl", "--user", "daemon-reload"], optional: true }
+    ]
+  };
+}
+function windowsTaskXmlPath(homeDir) {
+  return path11.join(homeDir, ".config", "onklave", `${WINDOWS_TASK_NAME}.xml`);
+}
+function windowsLogPath(homeDir) {
+  return path11.join(homeDir, ".config", "onklave", "logs", "daemon.log");
+}
+function windowsTaskXml(inp) {
+  const user = inp.windowsUser ?? "";
+  const logPath = windowsLogPath(inp.homeDir);
+  const innerCmd = `""${inp.nodePath}" "${inp.cliPath}" daemon >> "${logPath}" 2>&1"`;
+  return `<?xml version="1.0" encoding="UTF-16"?>
+<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
+  <RegistrationInfo>
+    <Description>Onklave Agent CLI Daemon</Description>
+    <URI>\\${WINDOWS_TASK_NAME}</URI>
+  </RegistrationInfo>
+  <Triggers>
+    <LogonTrigger>
+      <Enabled>true</Enabled>
+      <UserId>${xmlEscape(user)}</UserId>
+    </LogonTrigger>
+  </Triggers>
+  <Principals>
+    <Principal id="Author">
+      <UserId>${xmlEscape(user)}</UserId>
+      <LogonType>InteractiveToken</LogonType>
+      <RunLevel>LeastPrivilege</RunLevel>
+    </Principal>
+  </Principals>
+  <Settings>
+    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
+    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
+    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
+    <AllowHardTerminate>true</AllowHardTerminate>
+    <StartWhenAvailable>true</StartWhenAvailable>
+    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
+    <IdleSettings>
+      <StopOnIdleEnd>false</StopOnIdleEnd>
+      <RestartOnIdle>false</RestartOnIdle>
+    </IdleSettings>
+    <AllowStartOnDemand>true</AllowStartOnDemand>
+    <Enabled>true</Enabled>
+    <Hidden>false</Hidden>
+    <RunOnlyIfIdle>false</RunOnlyIfIdle>
+    <RestartOnFailure>
+      <Interval>PT1M</Interval>
+      <Count>3</Count>
+    </RestartOnFailure>
+    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
+  </Settings>
+  <Actions Context="Author">
+    <Exec>
+      <Command>cmd.exe</Command>
+      <Arguments>/c ${xmlEscape(innerCmd)}</Arguments>
+    </Exec>
+  </Actions>
+</Task>
+`;
+}
+function windowsInstallPlan(inp) {
+  const xmlPath = windowsTaskXmlPath(inp.homeDir);
+  const commands = [
+    {
+      argv: [
+        "schtasks",
+        "/create",
+        "/tn",
+        WINDOWS_TASK_NAME,
+        "/xml",
+        xmlPath,
+        "/f"
+      ]
+    }
+  ];
+  if (inp.start) {
+    commands.push({ argv: ["schtasks", "/run", "/tn", WINDOWS_TASK_NAME] });
+  }
+  return {
+    platform: "win32",
+    manager: "Task Scheduler",
+    serviceLabel: WINDOWS_TASK_NAME,
+    files: [{ filePath: xmlPath, contents: windowsTaskXml(inp) }],
+    commands,
+    ensureDirs: [path11.dirname(windowsLogPath(inp.homeDir))],
+    startsNow: inp.start
+  };
+}
+function windowsUninstallPlan(homeDir) {
+  return {
+    platform: "win32",
+    manager: "Task Scheduler",
+    serviceLabel: WINDOWS_TASK_NAME,
+    removeFiles: [windowsTaskXmlPath(homeDir)],
+    commands: [
+      { argv: ["schtasks", "/end", "/tn", WINDOWS_TASK_NAME], optional: true },
+      {
+        argv: ["schtasks", "/delete", "/tn", WINDOWS_TASK_NAME, "/f"],
+        optional: true
+      }
+    ]
+  };
+}
+function systemCredFilePath(configDir) {
+  return path11.join(configDir, "credentials.json");
+}
+function linuxSystemInstallPlan(inp) {
+  const configDir = inp.systemConfigDir ?? "/var/lib/onklave";
+  const unit = `[Unit]
+Description=Onklave Agent CLI Daemon
+Documentation=https://docs.onklave.app/cli/daemon
+After=network-online.target
+Wants=network-online.target
+[Service]
+Type=simple
+User=${LINUX_SERVICE_USER}
+Group=${LINUX_SERVICE_USER}
+Environment=NODE_ENV=production
+Environment=ONKLAVE_CONFIG_DIR=${configDir}
+ExecStart=${inp.nodePath} ${inp.cliPath} daemon
+ExecStop=${inp.nodePath} ${inp.cliPath} daemon drain
+Restart=on-failure
+RestartSec=10s
+StartLimitIntervalSec=300
+StartLimitBurst=5
+KillSignal=SIGTERM
+TimeoutStopSec=1830s
+# Hardening \u2014 the execution plane runs unprivileged (constitution \xA76).
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ReadWritePaths=${configDir}
+[Install]
+WantedBy=multi-user.target
+`;
+  const commands = [
+    // Dedicated unprivileged service account. Idempotent: a re-run on a host
+    // that already has the user fails here and is swallowed.
+    {
+      argv: [
+        "useradd",
+        "--system",
+        "--no-create-home",
+        "--shell",
+        "/usr/sbin/nologin",
+        LINUX_SERVICE_USER
+      ],
+      optional: true
+    },
+    // chown after the cred file is written (executor writes files before
+    // commands) so the service account owns the dir + credentials.
+    {
+      argv: [
+        "chown",
+        "-R",
+        `${LINUX_SERVICE_USER}:${LINUX_SERVICE_USER}`,
+        configDir
+      ]
+    },
+    { argv: ["chmod", "700", configDir] },
+    { argv: ["systemctl", "daemon-reload"] },
+    {
+      argv: inp.start ? ["systemctl", "enable", "--now", SYSTEMD_UNIT_NAME] : ["systemctl", "enable", SYSTEMD_UNIT_NAME]
+    }
+  ];
+  return {
+    platform: "linux",
+    manager: "systemd (system)",
+    serviceLabel: SYSTEMD_UNIT_NAME,
+    files: [
+      { filePath: SYSTEMD_SYSTEM_UNIT_PATH, contents: unit, mode: 420 },
+      {
+        filePath: systemCredFilePath(configDir),
+        contents: inp.credentialsJson ?? "",
+        mode: 384
+      }
+    ],
+    commands,
+    ensureDirs: [configDir],
+    startsNow: inp.start
+  };
+}
+function windowsSystemInstallPlan(inp) {
+  const configDir = inp.systemConfigDir ?? "C:\\ProgramData\\Onklave";
+  const logDir = path11.join(configDir, "logs");
+  const svc = WINDOWS_TASK_NAME;
+  const env = `NODE_ENV=production ONKLAVE_CONFIG_DIR=${configDir}`;
+  const commands = [
+    // Idempotent: drop any prior service before re-installing.
+    { argv: ["nssm", "stop", svc], optional: true },
+    { argv: ["nssm", "remove", svc, "confirm"], optional: true },
+    { argv: ["nssm", "install", svc, inp.nodePath, inp.cliPath, "daemon"] },
+    { argv: ["nssm", "set", svc, "DisplayName", "Onklave Agent CLI Daemon"] },
+    {
+      argv: [
+        "nssm",
+        "set",
+        svc,
+        "Description",
+        "Long-running agent worker for the Onklave platform"
+      ]
+    },
+    { argv: ["nssm", "set", svc, "Start", "SERVICE_AUTO_START"] },
+    // Unprivileged built-in account (not LocalSystem) — spec §security.
+    { argv: ["nssm", "set", svc, "ObjectName", WINDOWS_SERVICE_ACCOUNT] },
+    { argv: ["nssm", "set", svc, "AppEnvironmentExtra", env] },
+    {
+      argv: [
+        "nssm",
+        "set",
+        svc,
+        "AppStdout",
+        path11.join(logDir, "daemon.out.log")
+      ]
+    },
+    {
+      argv: [
+        "nssm",
+        "set",
+        svc,
+        "AppStderr",
+        path11.join(logDir, "daemon.err.log")
+      ]
+    },
+    { argv: ["nssm", "set", svc, "AppExit", "Default", "Restart"] },
+    { argv: ["nssm", "set", svc, "AppRestartDelay", "10000"] },
+    // The daemon writes state + pid into the config dir and reads credentials
+    // there, so LocalService needs modify on it.
+    {
+      argv: [
+        "icacls",
+        configDir,
+        "/grant",
+        `${WINDOWS_SERVICE_ACCOUNT}:(OI)(CI)(M)`
+      ]
+    }
+  ];
+  if (inp.start) {
+    commands.push({ argv: ["nssm", "start", svc] });
+  }
+  return {
+    platform: "win32",
+    manager: "NSSM (service)",
+    serviceLabel: svc,
+    files: [
+      {
+        filePath: systemCredFilePath(configDir),
+        contents: inp.credentialsJson ?? ""
+      }
+    ],
+    commands,
+    ensureDirs: [logDir],
+    startsNow: inp.start
+  };
+}
+function linuxSystemUninstallPlan(configDir) {
+  return {
+    platform: "linux",
+    manager: "systemd (system)",
+    serviceLabel: SYSTEMD_UNIT_NAME,
+    removeFiles: [SYSTEMD_SYSTEM_UNIT_PATH, systemCredFilePath(configDir)],
+    commands: [
+      {
+        argv: ["systemctl", "disable", "--now", SYSTEMD_UNIT_NAME],
+        optional: true
+      },
+      { argv: ["systemctl", "daemon-reload"], optional: true }
+    ]
+  };
+}
+function windowsSystemUninstallPlan(configDir) {
+  return {
+    platform: "win32",
+    manager: "NSSM (service)",
+    serviceLabel: WINDOWS_TASK_NAME,
+    removeFiles: [systemCredFilePath(configDir)],
+    commands: [
+      { argv: ["nssm", "stop", WINDOWS_TASK_NAME], optional: true },
+      {
+        argv: ["nssm", "remove", WINDOWS_TASK_NAME, "confirm"],
+        optional: true
+      }
+    ]
+  };
+}
+function buildInstallPlan(inp) {
+  if (inp.system) {
+    switch (inp.platform) {
+      case "linux":
+        return linuxSystemInstallPlan(inp);
+      case "win32":
+        return windowsSystemInstallPlan(inp);
+      case "darwin":
+        throw new Error(
+          "--system is not supported on macOS; use per-user `onklave daemon install`."
+        );
+    }
+  }
+  switch (inp.platform) {
+    case "darwin":
+      return macInstallPlan(inp);
+    case "linux":
+      return linuxInstallPlan(inp);
+    case "win32":
+      return windowsInstallPlan(inp);
+  }
+}
+function buildUninstallPlan(inp) {
+  if (inp.system) {
+    const configDir = inp.systemConfigDir ?? "";
+    switch (inp.platform) {
+      case "linux":
+        return linuxSystemUninstallPlan(configDir);
+      case "win32":
+        return windowsSystemUninstallPlan(configDir);
+      case "darwin":
+        throw new Error(
+          "--system is not supported on macOS; use per-user `onklave daemon uninstall`."
+        );
+    }
+  }
+  switch (inp.platform) {
+    case "darwin":
+      return macUninstallPlan(inp.homeDir, inp.uid);
+    case "linux":
+      return linuxUninstallPlan(inp.homeDir);
+    case "win32":
+      return windowsUninstallPlan(inp.homeDir);
+  }
+}
+function runInstallPlan(plan) {
+  for (const dir of plan.ensureDirs) {
+    fs10.mkdirSync(dir, { recursive: true });
+  }
+  for (const file of plan.files) {
+    fs10.mkdirSync(path11.dirname(file.filePath), { recursive: true });
+    fs10.writeFileSync(
+      file.filePath,
+      file.contents,
+      file.mode != null ? { mode: file.mode } : {}
+    );
+  }
+  runCommands(plan.commands);
+}
+function runUninstallPlan(plan) {
+  runCommands(plan.commands);
+  for (const filePath of plan.removeFiles) {
+    try {
+      fs10.unlinkSync(filePath);
+    } catch {
+    }
+  }
+}
+function runCommands(commands) {
+  for (const cmd of commands) {
+    const [bin, ...rest] = cmd.argv;
+    try {
+      execFileSync(bin, rest, { stdio: "pipe", timeout: 3e4 });
+    } catch (err) {
+      if (cmd.optional) continue;
+      const detail = err.stderr?.toString().trim();
+      throw new Error(
+        `Command failed: ${cmd.argv.join(" ")}${detail ? `
+${detail}` : ""}`
+      );
+    }
+  }
+}
+// _apps/@onklave/agent-cli/src/services/daemon-elevation.service.ts
+import { execSync as execSync2, execFileSync as execFileSync2 } from "child_process";
+function isElevated(platform2 = process.platform) {
+  if (platform2 === "win32") {
+    try {
+      execSync2("net session", { stdio: "ignore", timeout: 5e3 });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  return typeof process.getuid === "function" && process.getuid() === 0;
+}
+function buildSudoReExec(nodePath, args) {
+  return ["sudo", nodePath, ...args];
+}
+function psQuote(value) {
+  return `'${value.replace(/'/g, "''")}'`;
+}
+function buildRunAsCommand(nodePath, args) {
+  const argList = args.map(psQuote).join(",");
+  const script = `Start-Process -FilePath ${psQuote(nodePath)} ` + (args.length ? `-ArgumentList ${argList} ` : "") + `-Verb RunAs -Wait`;
+  return ["powershell", "-NoProfile", "-NonInteractive", "-Command", script];
+}
+function runElevated(argv) {
+  const [bin, ...rest] = argv;
+  execFileSync2(bin, rest, { stdio: "inherit" });
+}
 // _apps/@onklave/agent-cli/src/commands/daemon.command.ts
 var UNIT_FLAGS = {
   "--emit-systemd-unit": "systemd",
@@ -4446,10 +5115,12 @@ async function daemonCommand(args) {
   if (sub === "status") return daemonStatus();
   if (sub === "stop" || sub === "drain") return daemonStop();
   if (sub === "update") return daemonUpdate();
+  if (sub === "install") return daemonInstall(args.slice(1));
+  if (sub === "uninstall") return daemonUninstall(args.slice(1));
   if (sub && !sub.startsWith("--")) {
     console.error(`Unknown subcommand: ${sub}`);
     console.error(
-      "Usage: onklave daemon [status|stop|drain|update] | --emit-systemd-unit | --emit-launchd-plist | --emit-nssm-script"
+      "Usage: onklave daemon [install|uninstall|status|stop|drain|update] [--system] [--no-start] | --emit-systemd-unit | --emit-launchd-plist | --emit-nssm-script"
     );
     process.exitCode = 1;
     return;
@@ -4628,12 +5299,12 @@ async function daemonStart() {
     allowAutoUpgrade: !!process.env["ONKLAVE_ALLOW_AUTO_UPGRADE"],
     currentVersion: readPackageVersion() ?? "0.0.0",
     runInstall: async () => {
-      const { execFileSync } = __require("child_process");
-      execFileSync("npm", ["install", "-g", "@onklave/agent-cli@latest"], {
+      const { execFileSync: execFileSync3 } = __require("child_process");
+      execFileSync3("npm", ["install", "-g", "@onklave/agent-cli@latest"], {
         stdio: "pipe",
         timeout: 18e4
       });
-      const v = execFileSync(
+      const v = execFileSync3(
         "npm",
         ["view", "@onklave/agent-cli@latest", "version"],
         { stdio: "pipe", timeout: 3e4 }
@@ -4690,6 +5361,11 @@ async function daemonStart() {
   console.log(
     `Daemon online. machineId=${creds.machineId} pid=${process.pid}. Press Ctrl-C to drain.`
   );
+  if (process.stdout.isTTY) {
+    console.log(
+      "Tip: run `onklave daemon install` to run this as a background service that auto-starts at login."
+    );
+  }
   await new Promise(() => void 0);
 }
 async function daemonStatus() {
@@ -4770,6 +5446,261 @@ async function daemonUpdate() {
     "Self-replace via npm provenance verification (spec \xA76.3) is deferred \u2014 see V6-CLI-002 Phase 7 in the kanban."
   );
 }
+function currentServicePlatform() {
+  const p = process.platform;
+  return p === "darwin" || p === "linux" || p === "win32" ? p : null;
+}
+function resolveCliPath() {
+  return __require.main?.filename ?? process.argv[1];
+}
+function windowsPrincipalUser() {
+  const domain = process.env["USERDOMAIN"];
+  const user = process.env["USERNAME"] ?? "";
+  return domain ? `${domain}\\${user}` : user;
+}
+function systemConfigDir(platform2) {
+  if (platform2 === "win32") {
+    return path12.join(
+      process.env["ProgramData"] || "C:\\ProgramData",
+      "Onklave"
+    );
+  }
+  return "/var/lib/onklave";
+}
+function getFlagValue(args, flag) {
+  const i = args.indexOf(flag);
+  return i >= 0 && i + 1 < args.length ? args[i + 1] : void 0;
+}
+async function daemonInstall(args) {
+  const platform2 = currentServicePlatform();
+  if (!platform2) {
+    console.error(`Unsupported platform: ${process.platform}`);
+    process.exitCode = 1;
+    return;
+  }
+  const start = !args.includes("--no-start");
+  if (args.includes("--system")) {
+    return daemonInstallSystem(platform2, args, start);
+  }
+  return daemonInstallPerUser(platform2, start);
+}
+async function daemonInstallPerUser(platform2, start) {
+  const creds = await new AuthService().getCredentials();
+  if (!creds?.deviceToken || !creds?.machineId) {
+    console.error(
+      "Error: machine is not registered. Run: onklave register --token <bootstrap>"
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const plan = buildInstallPlan({
+    platform: platform2,
+    nodePath: process.execPath,
+    cliPath: resolveCliPath(),
+    homeDir: os7.homedir(),
+    uid: process.getuid ? String(process.getuid()) : void 0,
+    windowsUser: platform2 === "win32" ? windowsPrincipalUser() : void 0,
+    start
+  });
+  try {
+    runInstallPlan(plan);
+  } catch (err) {
+    console.error(`Install failed: ${err.message}`);
+    process.exitCode = 1;
+    return;
+  }
+  console.log(
+    `Installed Onklave daemon as a ${plan.manager} service (${plan.serviceLabel}), running as ${os7.userInfo().username}.`
+  );
+  console.log(
+    plan.startsNow ? "Started now and set to auto-start at login." : "Registered to auto-start at next login (not started now \u2014 re-run without --no-start to start immediately)."
+  );
+  console.log("Check it with: onklave daemon status");
+}
+async function daemonInstallSystem(platform2, args, start) {
+  if (platform2 === "darwin") {
+    console.error(
+      "--system is not supported on macOS. Use the per-user installer instead:"
+    );
+    console.error("  onklave daemon install");
+    process.exitCode = 1;
+    return;
+  }
+  const credsFile = getFlagValue(args, "--creds-file");
+  if (credsFile) {
+    let credentialsJson2;
+    try {
+      credentialsJson2 = fs11.readFileSync(credsFile, "utf8");
+    } catch (err) {
+      console.error(
+        `Cannot read handed-over credentials: ${err.message}`
+      );
+      process.exitCode = 1;
+      return;
+    }
+    return runSystemInstall(platform2, credentialsJson2, start);
+  }
+  const creds = await new AuthService().getCredentials();
+  if (!creds?.deviceToken || !creds?.machineId) {
+    console.error(
+      "Error: machine is not registered. Run: onklave register --token <bootstrap>"
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const credentialsJson = JSON.stringify(creds);
+  if (platform2 === "win32") {
+    if (isElevated("win32")) {
+      return runSystemInstall("win32", credentialsJson, start);
+    }
+    console.log("Requesting elevation (a UAC prompt will appear)\u2026");
+    const reArgs = [
+      "daemon",
+      "install",
+      "--system",
+      ...start ? [] : ["--no-start"]
+    ];
+    try {
+      runElevated(
+        buildRunAsCommand(process.execPath, [resolveCliPath(), ...reArgs])
+      );
+    } catch (err) {
+      console.error(`Elevation failed: ${err.message}`);
+      process.exitCode = 1;
+      return;
+    }
+    console.log(
+      "Elevated install completed. Verify with: onklave daemon status"
+    );
+    return;
+  }
+  if (isElevated("linux")) {
+    return runSystemInstall("linux", credentialsJson, start);
+  }
+  const tmpDir = fs11.mkdtempSync(path12.join(os7.tmpdir(), "onklave-creds-"));
+  const tmpCreds = path12.join(tmpDir, "credentials.json");
+  fs11.writeFileSync(tmpCreds, credentialsJson, { mode: 384 });
+  try {
+    const reArgs = [
+      "daemon",
+      "install",
+      "--system",
+      ...start ? [] : ["--no-start"],
+      "--creds-file",
+      tmpCreds
+    ];
+    console.log("Requesting elevation via sudo\u2026");
+    runElevated(
+      buildSudoReExec(process.execPath, [resolveCliPath(), ...reArgs])
+    );
+  } catch (err) {
+    console.error(`Elevation failed: ${err.message}`);
+    process.exitCode = 1;
+  } finally {
+    try {
+      fs11.rmSync(tmpDir, { recursive: true, force: true });
+    } catch {
+    }
+  }
+}
+async function runSystemInstall(platform2, credentialsJson, start) {
+  if (platform2 === "win32" && !commandExists("nssm")) {
+    console.error(
+      "NSSM is required to supervise a Node process as a Windows service but was not found on PATH."
+    );
+    console.error("Install it (e.g. `choco install nssm`) and re-run.");
+    process.exitCode = 1;
+    return;
+  }
+  if (platform2 === "linux" && !commandExists("useradd")) {
+    console.error(
+      "`useradd` was not found \u2014 cannot create the dedicated service account."
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const configDir = systemConfigDir(platform2);
+  let plan;
+  try {
+    plan = buildInstallPlan({
+      platform: platform2,
+      nodePath: process.execPath,
+      cliPath: resolveCliPath(),
+      homeDir: os7.homedir(),
+      start,
+      system: true,
+      systemConfigDir: configDir,
+      credentialsJson
+    });
+    runInstallPlan(plan);
+  } catch (err) {
+    console.error(`Install failed: ${err.message}`);
+    process.exitCode = 1;
+    return;
+  }
+  console.log(
+    `Installed Onklave daemon as a ${plan.manager} service (${plan.serviceLabel}).`
+  );
+  console.log(
+    `Config dir: ${configDir} \u2014 credentials copied there for the service account.`
+  );
+  console.log(
+    plan.startsNow ? "Started now and enabled at boot." : "Enabled at boot (not started now \u2014 re-run without --no-start to start immediately)."
+  );
+  console.log(
+    platform2 === "linux" ? "Logs: journalctl -u onklave-daemon -f" : `Logs: ${path12.join(configDir, "logs")}`
+  );
+}
+async function daemonUninstall(args) {
+  const platform2 = currentServicePlatform();
+  if (!platform2) {
+    console.error(`Unsupported platform: ${process.platform}`);
+    process.exitCode = 1;
+    return;
+  }
+  if (args.includes("--system")) {
+    if (platform2 === "darwin") {
+      console.error(
+        "--system is not supported on macOS. Use: onklave daemon uninstall"
+      );
+      process.exitCode = 1;
+      return;
+    }
+    if (!isElevated(platform2)) {
+      const reArgs = ["daemon", "uninstall", "--system"];
+      const cmd = platform2 === "win32" ? buildRunAsCommand(process.execPath, [resolveCliPath(), ...reArgs]) : buildSudoReExec(process.execPath, [resolveCliPath(), ...reArgs]);
+      console.log("Requesting elevation\u2026");
+      try {
+        runElevated(cmd);
+      } catch (err) {
+        console.error(`Elevation failed: ${err.message}`);
+        process.exitCode = 1;
+      }
+      return;
+    }
+    const configDir = systemConfigDir(platform2);
+    const plan2 = buildUninstallPlan({
+      platform: platform2,
+      homeDir: os7.homedir(),
+      system: true,
+      systemConfigDir: configDir
+    });
+    runUninstallPlan(plan2);
+    console.log(
+      `Removed Onklave daemon ${plan2.manager} service (${plan2.serviceLabel}).`
+    );
+    return;
+  }
+  const plan = buildUninstallPlan({
+    platform: platform2,
+    homeDir: os7.homedir(),
+    uid: process.getuid ? String(process.getuid()) : void 0
+  });
+  runUninstallPlan(plan);
+  console.log(
+    `Removed Onklave daemon ${plan.manager} service (${plan.serviceLabel}).`
+  );
+}
 async function daemonStop() {
   const pidFile = defaultPidFilePath();
   const pid = readPid(pidFile);
@@ -4802,7 +5733,7 @@ function transitionToAction(next) {
 }
 function readPid(pidFile) {
   try {
-    const raw = fs10.readFileSync(pidFile, "utf8").trim();
+    const raw = fs11.readFileSync(pidFile, "utf8").trim();
     const parsed = Number.parseInt(raw, 10);
     return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
   } catch {
@@ -4810,19 +5741,19 @@ function readPid(pidFile) {
   }
 }
 function writePid(pidFile) {
-  const dir = path10.dirname(pidFile);
-  fs10.mkdirSync(dir, { recursive: true });
+  const dir = path12.dirname(pidFile);
+  fs11.mkdirSync(dir, { recursive: true });
   try {
-    if (fs10.statSync(pidFile).isDirectory()) {
-      fs10.rmSync(pidFile, { recursive: true, force: true });
+    if (fs11.statSync(pidFile).isDirectory()) {
+      fs11.rmSync(pidFile, { recursive: true, force: true });
     }
   } catch {
   }
-  fs10.writeFileSync(pidFile, String(process.pid), { mode: 384 });
+  fs11.writeFileSync(pidFile, String(process.pid), { mode: 384 });
 }
 function removePid(pidFile) {
   try {
-    fs10.unlinkSync(pidFile);
+    fs11.unlinkSync(pidFile);
   } catch {
   }
 }
@@ -4866,14 +5797,14 @@ var COMMANDS = {
 };
 // _apps/@onklave/agent-cli/src/services/update-notifier.service.ts
-import * as fs11 from "node:fs";
-import * as path11 from "node:path";
+import * as fs12 from "node:fs";
+import * as path13 from "node:path";
 import * as os8 from "node:os";
 import { createInterface } from "node:readline/promises";
 import { spawnSync } from "node:child_process";
 var CHECK_TTL_MS = 24 * 60 * 60 * 1e3;
 var FETCH_DEADLINE_MS = 1500;
-var CACHE_PATH = path11.join(
+var CACHE_PATH = path13.join(
   os8.homedir(),
   ".config",
   "onklave",
@@ -4984,16 +5915,16 @@ function isCacheFresh(cache, nowMs) {
 }
 function readCache() {
   try {
-    if (!fs11.existsSync(CACHE_PATH)) return {};
-    return JSON.parse(fs11.readFileSync(CACHE_PATH, "utf8"));
+    if (!fs12.existsSync(CACHE_PATH)) return {};
+    return JSON.parse(fs12.readFileSync(CACHE_PATH, "utf8"));
   } catch {
     return {};
   }
 }
 function writeCache(cache) {
   try {
-    fs11.mkdirSync(path11.dirname(CACHE_PATH), { recursive: true, mode: 448 });
-    fs11.writeFileSync(CACHE_PATH, JSON.stringify(cache, null, 2), "utf8");
+    fs12.mkdirSync(path13.dirname(CACHE_PATH), { recursive: true, mode: 448 });
+    fs12.writeFileSync(CACHE_PATH, JSON.stringify(cache, null, 2), "utf8");
   } catch {
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@onklave/agent-cli",
-  "version": "0.1.48",
+  "version": "0.1.50",
   "description": "Onklave Agent CLI — local agent runner with cloud orchestration",
   "bin": {
     "onklave": "./main.js"