agentbnb 8.2.0 → 8.2.1

package/dist/skills/agentbnb/bootstrap.js

@@ -21,7 +21,7 @@ import {
   requestViaRelay,
   resolvePendingRequest,
   searchCards
-} from "../../chunk-P4LOYSLA.js";
+} from "../../chunk-WKWJWKX7.js";
 import {
   loadPeers
 } from "../../chunk-HLUEOLSZ.js";
@@ -30,7 +30,7 @@ import {
   executeCapabilityRequest,
   releaseRequesterEscrow,
   settleRequesterEscrow
-} from "../../chunk-ALX4WS3A.js";
+} from "../../chunk-NP55V7RQ.js";
 import {
   bootstrapAgent,
   generateKeyPair,
@@ -52,6 +52,7 @@ import {
   insertRequestLog,
   listCards,
   loadKeyPair,
+  lookupAgent,
   migrateOwner,
   openCreditDb,
   openDatabase,
@@ -63,7 +64,7 @@ import {
   updateSkillAvailability,
   updateSkillIdleRate,
   verifyEscrowReceipt
-} from "../../chunk-7EF3HYVZ.js";
+} from "../../chunk-STJLWMXH.js";
 import "../../chunk-NWIQJ2CL.js";
 import {
   getConfigDir,
@@ -79,9 +80,9 @@ import {
 } from "../../chunk-3LWBH7P3.js";
 
 // skills/agentbnb/bootstrap.ts
-import { join as join6, basename, dirname as dirname4 } from "path";
-import { homedir as homedir3 } from "os";
-import { spawnSync, exec } from "child_process";
+import { join as join7, basename as basename2, dirname as dirname3 } from "path";
+import { homedir as homedir4 } from "os";
+import { exec } from "child_process";
 import { promisify as promisify2 } from "util";
 import { randomUUID as randomUUID10 } from "crypto";
 
@@ -1271,7 +1272,7 @@ var AgentRuntime = class {
     }
     const modes = /* @__PURE__ */ new Map();
     if (this.conductorEnabled) {
-      const { ConductorMode } = await import("../../conductor-mode-TFCVCQHU.js");
+      const { ConductorMode } = await import("../../conductor-mode-D5TFQW5L.js");
       const { registerConductorCard, CONDUCTOR_OWNER } = await import("../../card-EX2EYGCZ.js");
       const { loadPeers: loadPeers2 } = await import("../../peers-CJ7T4RJO.js");
       registerConductorCard(this.registryDb);
@@ -1435,7 +1436,54 @@ function createGatewayServer(opts) {
     return { status: "ok", version: VERSION, uptime: process.uptime() };
   });
   fastify.post("/rpc", async (request, reply) => {
-    const body = request.body;
+    const rawBody = request.body;
+    if (Array.isArray(rawBody)) {
+      const responses = await Promise.all(
+        rawBody.map(async (single) => {
+          if (single.jsonrpc !== "2.0" || !single.method) {
+            return { jsonrpc: "2.0", id: single.id ?? null, error: { code: -32600, message: "Invalid Request" } };
+          }
+          if (single.method !== "capability.execute") {
+            return { jsonrpc: "2.0", id: single.id ?? null, error: { code: -32601, message: "Method not found" } };
+          }
+          const params2 = single.params ?? {};
+          const cardId2 = params2.card_id;
+          if (!cardId2) {
+            return { jsonrpc: "2.0", id: single.id ?? null, error: { code: -32602, message: "Invalid params: card_id required" } };
+          }
+          const requester2 = params2.requester ?? "unknown";
+          const receipt2 = params2.escrow_receipt;
+          const batchSkillId = params2.skill_id;
+          const trackKey2 = batchSkillId ?? cardId2;
+          inFlight.set(trackKey2, (inFlight.get(trackKey2) ?? 0) + 1);
+          try {
+            const result2 = await executeCapabilityRequest({
+              registryDb,
+              creditDb,
+              cardId: cardId2,
+              skillId: batchSkillId,
+              params: params2,
+              requester: requester2,
+              escrowReceipt: receipt2,
+              skillExecutor,
+              handlerUrl,
+              timeoutMs
+            });
+            if (result2.success) {
+              return { jsonrpc: "2.0", id: single.id ?? null, result: result2.result };
+            } else {
+              return { jsonrpc: "2.0", id: single.id ?? null, error: result2.error };
+            }
+          } finally {
+            const next = (inFlight.get(trackKey2) ?? 1) - 1;
+            if (next <= 0) inFlight.delete(trackKey2);
+            else inFlight.set(trackKey2, next);
+          }
+        })
+      );
+      return reply.send(responses);
+    }
+    const body = rawBody;
     if (body.jsonrpc !== "2.0" || !body.method) {
       return reply.status(400).send({
         jsonrpc: "2.0",
@@ -1655,13 +1703,190 @@ var LocalCreditLedger = class {
   }
 };
 
+// src/identity/identity.ts
+import { z as z2 } from "zod";
+import { createHash, createPrivateKey, createPublicKey } from "crypto";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
+import { join as join2 } from "path";
+var AgentIdentitySchema = z2.object({
+  /** Deterministic ID derived from public key: sha256(hex).slice(0, 16). */
+  agent_id: z2.string().min(1),
+  /** Human-readable owner name (from config or init). */
+  owner: z2.string().min(1),
+  /** Hex-encoded Ed25519 public key. */
+  public_key: z2.string().min(1),
+  /** ISO 8601 timestamp of identity creation. */
+  created_at: z2.string().datetime(),
+  /** Optional guarantor info if linked to a human. */
+  guarantor: z2.object({
+    github_login: z2.string().min(1),
+    verified_at: z2.string().datetime()
+  }).optional()
+});
+var AgentCertificateSchema = z2.object({
+  identity: AgentIdentitySchema,
+  /** ISO 8601 timestamp of certificate issuance. */
+  issued_at: z2.string().datetime(),
+  /** ISO 8601 timestamp of certificate expiry. */
+  expires_at: z2.string().datetime(),
+  /** Hex-encoded public key of the issuer (same as identity for self-signed). */
+  issuer_public_key: z2.string().min(1),
+  /** Base64url Ed25519 signature over { identity, issued_at, expires_at, issuer_public_key }. */
+  signature: z2.string().min(1)
+});
+var IDENTITY_FILENAME = "identity.json";
+var PRIVATE_KEY_FILENAME = "private.key";
+var PUBLIC_KEY_FILENAME = "public.key";
+function derivePublicKeyFromPrivate(privateKey) {
+  const privateKeyObject = createPrivateKey({ key: privateKey, format: "der", type: "pkcs8" });
+  const publicKeyObject = createPublicKey(privateKeyObject);
+  const publicKey = publicKeyObject.export({ format: "der", type: "spki" });
+  return Buffer.from(publicKey);
+}
+function buildIdentityFromPublicKey(publicKey, owner, createdAt) {
+  const publicKeyHex = publicKey.toString("hex");
+  return {
+    agent_id: deriveAgentId(publicKeyHex),
+    owner,
+    public_key: publicKeyHex,
+    created_at: createdAt ?? (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function generateFreshIdentity(configDir, owner) {
+  const keys = generateKeyPair();
+  saveKeyPair(configDir, keys);
+  const identity = buildIdentityFromPublicKey(keys.publicKey, owner);
+  saveIdentity(configDir, identity);
+  return { identity, keys, status: "generated" };
+}
+function deriveAgentId(publicKeyHex) {
+  return createHash("sha256").update(publicKeyHex, "hex").digest("hex").slice(0, 16);
+}
+function loadIdentity(configDir) {
+  const filePath = join2(configDir, IDENTITY_FILENAME);
+  if (!existsSync3(filePath)) return null;
+  try {
+    const raw = readFileSync3(filePath, "utf-8");
+    return AgentIdentitySchema.parse(JSON.parse(raw));
+  } catch {
+    return null;
+  }
+}
+function saveIdentity(configDir, identity) {
+  if (!existsSync3(configDir)) {
+    mkdirSync2(configDir, { recursive: true });
+  }
+  const filePath = join2(configDir, IDENTITY_FILENAME);
+  writeFileSync2(filePath, JSON.stringify(identity, null, 2), "utf-8");
+}
+function loadOrRepairIdentity(configDir, ownerHint) {
+  if (!existsSync3(configDir)) {
+    mkdirSync2(configDir, { recursive: true });
+  }
+  const identityPath = join2(configDir, IDENTITY_FILENAME);
+  const privateKeyPath = join2(configDir, PRIVATE_KEY_FILENAME);
+  const publicKeyPath = join2(configDir, PUBLIC_KEY_FILENAME);
+  const hasIdentity = existsSync3(identityPath);
+  const hasPrivateKey = existsSync3(privateKeyPath);
+  const hasPublicKey = existsSync3(publicKeyPath);
+  if (!hasIdentity || !hasPrivateKey || !hasPublicKey) {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let keys;
+  try {
+    keys = loadKeyPair(configDir);
+  } catch {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let derivedPublicKey;
+  try {
+    derivedPublicKey = derivePublicKeyFromPrivate(keys.privateKey);
+  } catch {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let keypairRepaired = false;
+  if (!keys.publicKey.equals(derivedPublicKey)) {
+    keypairRepaired = true;
+    keys = { privateKey: keys.privateKey, publicKey: derivedPublicKey };
+    saveKeyPair(configDir, keys);
+  }
+  const loadedIdentity = loadIdentity(configDir);
+  const expectedAgentId = deriveAgentId(derivedPublicKey.toString("hex"));
+  const expectedPublicKeyHex = derivedPublicKey.toString("hex");
+  const identityMismatch = !loadedIdentity || loadedIdentity.public_key !== expectedPublicKeyHex || loadedIdentity.agent_id !== expectedAgentId;
+  if (identityMismatch) {
+    const repairedIdentity = buildIdentityFromPublicKey(
+      derivedPublicKey,
+      loadedIdentity?.owner ?? ownerHint ?? "agent",
+      loadedIdentity?.created_at
+    );
+    saveIdentity(configDir, repairedIdentity);
+    return { identity: repairedIdentity, keys, status: "repaired" };
+  }
+  if (ownerHint && loadedIdentity.owner !== ownerHint) {
+    const updatedIdentity = { ...loadedIdentity, owner: ownerHint };
+    saveIdentity(configDir, updatedIdentity);
+    return { identity: updatedIdentity, keys, status: "repaired" };
+  }
+  return { identity: loadedIdentity, keys, status: keypairRepaired ? "repaired" : "existing" };
+}
+function ensureIdentity(configDir, owner) {
+  return loadOrRepairIdentity(configDir, owner).identity;
+}
+
 // src/registry/identity-auth.ts
 var MAX_REQUEST_AGE_MS = 5 * 60 * 1e3;
-async function verifyIdentity(request, reply) {
-  const publicKeyHex = request.headers["x-agent-publickey"];
-  const signature = request.headers["x-agent-signature"];
-  const timestamp = request.headers["x-agent-timestamp"];
-  if (!publicKeyHex || !signature || !timestamp) {
+function normalizeSignedParams(body) {
+  return body === void 0 ? null : body;
+}
+function buildIdentityPayload(method, path, timestamp, publicKeyHex, agentId, params) {
+  return {
+    method,
+    path,
+    timestamp,
+    publicKey: publicKeyHex,
+    agentId,
+    params: normalizeSignedParams(params)
+  };
+}
+function extractClaimedRequester(request) {
+  const extractFromObject = (obj) => {
+    const directOwner = typeof obj.owner === "string" ? obj.owner.trim() : "";
+    if (directOwner) return directOwner;
+    const directRequester = typeof obj.requester === "string" ? obj.requester.trim() : "";
+    if (directRequester) return directRequester;
+    const oldOwner = typeof obj.oldOwner === "string" ? obj.oldOwner.trim() : "";
+    if (oldOwner) return oldOwner;
+    const nestedParams = obj.params;
+    if (nestedParams && typeof nestedParams === "object" && !Array.isArray(nestedParams)) {
+      const nested = nestedParams;
+      const nestedOwner = typeof nested.owner === "string" ? nested.owner.trim() : "";
+      if (nestedOwner) return nestedOwner;
+      const nestedRequester = typeof nested.requester === "string" ? nested.requester.trim() : "";
+      if (nestedRequester) return nestedRequester;
+    }
+    return null;
+  };
+  if (request.body && typeof request.body === "object" && !Array.isArray(request.body)) {
+    const claimed = extractFromObject(request.body);
+    if (claimed) return claimed;
+  }
+  if (request.params && typeof request.params === "object" && !Array.isArray(request.params)) {
+    const claimed = extractFromObject(request.params);
+    if (claimed) return claimed;
+  }
+  return null;
+}
+async function verifyIdentity(request, reply, options) {
+  const agentIdHeader = request.headers["x-agent-id"];
+  const publicKeyHeader = request.headers["x-agent-publickey"];
+  const signatureHeader = request.headers["x-agent-signature"];
+  const timestampHeader = request.headers["x-agent-timestamp"];
+  const agentId = agentIdHeader?.trim();
+  const publicKeyHex = publicKeyHeader?.trim();
+  const signature = signatureHeader?.trim();
+  const timestamp = timestampHeader?.trim();
+  if (!agentId || !publicKeyHex || !signature || !timestamp) {
     await reply.code(401).send({ error: "Missing identity headers" });
     return false;
   }
@@ -1670,12 +1895,21 @@ async function verifyIdentity(request, reply) {
     await reply.code(401).send({ error: "Request expired" });
     return false;
   }
-  const payload = {
-    method: request.method,
-    path: request.url,
-    timestamp,
-    publicKey: publicKeyHex
-  };
+  if (!/^[0-9a-fA-F]+$/.test(publicKeyHex) || publicKeyHex.length % 2 !== 0) {
+    await reply.code(401).send({ error: "Invalid identity signature" });
+    return false;
+  }
+  let expectedAgentId;
+  try {
+    expectedAgentId = deriveAgentId(publicKeyHex);
+  } catch {
+    await reply.code(401).send({ error: "Invalid identity signature" });
+    return false;
+  }
+  if (agentId !== expectedAgentId) {
+    await reply.code(401).send({ error: "Invalid identity signature" });
+    return false;
+  }
   let publicKeyBuffer;
   try {
     publicKeyBuffer = Buffer.from(publicKeyHex, "hex");
@@ -1683,30 +1917,52 @@ async function verifyIdentity(request, reply) {
     await reply.code(401).send({ error: "Invalid identity signature" });
     return false;
   }
+  const knownAgent = options.agentDb ? lookupAgent(options.agentDb, agentId) : null;
+  if (knownAgent && knownAgent.public_key.toLowerCase() !== publicKeyHex.toLowerCase()) {
+    await reply.code(401).send({ error: "Invalid identity signature" });
+    return false;
+  }
+  const payload = buildIdentityPayload(
+    request.method,
+    request.url,
+    timestamp,
+    publicKeyHex,
+    agentId,
+    request.body
+  );
   const valid = verifyEscrowReceipt(payload, signature, publicKeyBuffer);
   if (!valid) {
     await reply.code(401).send({ error: "Invalid identity signature" });
     return false;
   }
+  const claimedRequester = extractClaimedRequester(request);
+  if (claimedRequester) {
+    const matchesAgentId = claimedRequester === agentId;
+    const matchesLegacyOwner = knownAgent?.legacy_owner === claimedRequester;
+    if (!matchesAgentId && !matchesLegacyOwner) {
+      await reply.code(401).send({ error: "Identity does not match requester" });
+      return false;
+    }
+  }
   request.agentPublicKey = publicKeyHex;
+  request.agentId = agentId;
   return true;
 }
-function identityAuthPlugin(fastify) {
-  fastify.addHook("onRequest", async (request, reply) => {
-    await verifyIdentity(request, reply);
+function identityAuthPlugin(fastify, options = {}) {
+  fastify.addHook("preHandler", async (request, reply) => {
+    const ok = await verifyIdentity(request, reply, options);
+    if (!ok) {
+      return reply;
+    }
   });
 }
-function signRequest(method, path, body, privateKey, publicKeyHex) {
+function signRequest(method, path, body, privateKey, publicKeyHex, agentIdOverride) {
   const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-  const payload = {
-    method,
-    path,
-    timestamp,
-    publicKey: publicKeyHex
-  };
-  void body;
+  const agentId = agentIdOverride ?? deriveAgentId(publicKeyHex);
+  const payload = buildIdentityPayload(method, path, timestamp, publicKeyHex, agentId, body);
   const signature = signEscrowReceipt(payload, privateKey);
   return {
+    "X-Agent-Id": agentId,
     "X-Agent-PublicKey": publicKeyHex,
     "X-Agent-Signature": signature,
     "X-Agent-Timestamp": timestamp
@@ -2290,92 +2546,6 @@ function getJobsByRelayOwner(db, relayOwner) {
   ).all(relayOwner, "queued");
 }
 
-// src/identity/identity.ts
-import { z as z2 } from "zod";
-import { createHash } from "crypto";
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
-import { join as join2 } from "path";
-var AgentIdentitySchema = z2.object({
-  /** Deterministic ID derived from public key: sha256(hex).slice(0, 16). */
-  agent_id: z2.string().min(1),
-  /** Human-readable owner name (from config or init). */
-  owner: z2.string().min(1),
-  /** Hex-encoded Ed25519 public key. */
-  public_key: z2.string().min(1),
-  /** ISO 8601 timestamp of identity creation. */
-  created_at: z2.string().datetime(),
-  /** Optional guarantor info if linked to a human. */
-  guarantor: z2.object({
-    github_login: z2.string().min(1),
-    verified_at: z2.string().datetime()
-  }).optional()
-});
-var AgentCertificateSchema = z2.object({
-  identity: AgentIdentitySchema,
-  /** ISO 8601 timestamp of certificate issuance. */
-  issued_at: z2.string().datetime(),
-  /** ISO 8601 timestamp of certificate expiry. */
-  expires_at: z2.string().datetime(),
-  /** Hex-encoded public key of the issuer (same as identity for self-signed). */
-  issuer_public_key: z2.string().min(1),
-  /** Base64url Ed25519 signature over { identity, issued_at, expires_at, issuer_public_key }. */
-  signature: z2.string().min(1)
-});
-var IDENTITY_FILENAME = "identity.json";
-function deriveAgentId(publicKeyHex) {
-  return createHash("sha256").update(publicKeyHex, "hex").digest("hex").slice(0, 16);
-}
-function createIdentity(configDir, owner) {
-  if (!existsSync3(configDir)) {
-    mkdirSync2(configDir, { recursive: true });
-  }
-  let keys;
-  try {
-    keys = loadKeyPair(configDir);
-  } catch {
-    keys = generateKeyPair();
-    saveKeyPair(configDir, keys);
-  }
-  const publicKeyHex = keys.publicKey.toString("hex");
-  const agentId = deriveAgentId(publicKeyHex);
-  const identity = {
-    agent_id: agentId,
-    owner,
-    public_key: publicKeyHex,
-    created_at: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  saveIdentity(configDir, identity);
-  return identity;
-}
-function loadIdentity(configDir) {
-  const filePath = join2(configDir, IDENTITY_FILENAME);
-  if (!existsSync3(filePath)) return null;
-  try {
-    const raw = readFileSync3(filePath, "utf-8");
-    return AgentIdentitySchema.parse(JSON.parse(raw));
-  } catch {
-    return null;
-  }
-}
-function saveIdentity(configDir, identity) {
-  if (!existsSync3(configDir)) {
-    mkdirSync2(configDir, { recursive: true });
-  }
-  const filePath = join2(configDir, IDENTITY_FILENAME);
-  writeFileSync2(filePath, JSON.stringify(identity, null, 2), "utf-8");
-}
-function ensureIdentity(configDir, owner) {
-  const existing = loadIdentity(configDir);
-  if (existing) {
-    if (existing.owner !== owner) {
-      existing.owner = owner;
-      saveIdentity(configDir, existing);
-    }
-    return existing;
-  }
-  return createIdentity(configDir, owner);
-}
-
 // src/hub-agent/crypto.ts
 import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
 function getMasterKey() {
@@ -3313,7 +3483,7 @@ async function creditRoutesPlugin(fastify, options) {
   }
   initFreeTierTable(creditDb);
   await fastify.register(async (scope) => {
-    identityAuthPlugin(scope);
+    identityAuthPlugin(scope, { agentDb: creditDb });
     scope.post("/api/credits/hold", {
       schema: {
         tags: ["credits"],
@@ -4473,7 +4643,7 @@ function createRegistryServer(opts) {
             type: "apiKey",
             in: "header",
             name: "X-Agent-PublicKey",
-            description: "Ed25519 public key (hex). Also requires X-Agent-Signature and X-Agent-Timestamp headers."
+            description: "Ed25519 public key (hex). Also requires X-Agent-Id, X-Agent-Signature, and X-Agent-Timestamp headers."
           }
         }
       }
@@ -4486,7 +4656,7 @@ function createRegistryServer(opts) {
   void server.register(cors, {
     origin: true,
     methods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
-    allowedHeaders: ["Content-Type", "Authorization", "X-Agent-PublicKey", "X-Agent-Signature", "X-Agent-Timestamp"]
+    allowedHeaders: ["Content-Type", "Authorization", "X-Agent-Id", "X-Agent-PublicKey", "X-Agent-Signature", "X-Agent-Timestamp"]
   });
   void server.register(fastifyWebsocket);
   let relayState = null;
@@ -5826,12 +5996,133 @@ async function stopAnnouncement() {
   });
 }
 
+// src/runtime/resolve-self-cli.ts
+import { execFileSync as execFileSync2 } from "child_process";
+import { existsSync as existsSync5, realpathSync } from "fs";
+import { createRequire } from "module";
+import { homedir as homedir2 } from "os";
+import { basename, isAbsolute, join as join4, resolve } from "path";
+function resolveSelfCli() {
+  const require2 = createRequire(import.meta.url);
+  return resolveSelfCliWithDeps({
+    argv1: process.argv[1],
+    cwd: process.cwd(),
+    platform: process.platform,
+    homeDir: homedir2(),
+    envPath: process.env["PATH"],
+    exists: existsSync5,
+    realpath: realpathSync,
+    runWhich: (pathEnv) => execFileSync2("which", ["agentbnb"], {
+      encoding: "utf8",
+      env: { ...process.env, PATH: pathEnv }
+    }).trim(),
+    requireResolve: (id) => require2.resolve(id)
+  });
+}
+function resolveSelfCliWithDeps(deps) {
+  const tried = [];
+  const tryCandidate = (rawPath, label, requireCliShape = false) => {
+    if (!rawPath || rawPath.trim().length === 0) {
+      tried.push(`${label}: <empty>`);
+      return null;
+    }
+    const maybeAbsolute = isAbsolute(rawPath) ? rawPath : resolve(deps.cwd, rawPath);
+    tried.push(`${label}: ${maybeAbsolute}`);
+    if (!deps.exists(maybeAbsolute)) return null;
+    const resolvedPath = safeRealpath(deps.realpath, maybeAbsolute);
+    if (requireCliShape && !looksLikeAgentbnbCli(resolvedPath)) return null;
+    return resolvedPath;
+  };
+  const argvPath = tryCandidate(deps.argv1, "process.argv[1]", true);
+  if (argvPath) return argvPath;
+  const fullPathEnv = buildFullPathEnv(deps.envPath, deps.homeDir);
+  tried.push(`which agentbnb PATH=${fullPathEnv}`);
+  try {
+    const whichPath = tryCandidate(deps.runWhich(fullPathEnv), "which agentbnb");
+    if (whichPath) return whichPath;
+  } catch (err) {
+    tried.push(`which agentbnb failed: ${extractErrorMessage(err)}`);
+  }
+  const npmGlobalCandidates = ["/usr/local/bin/agentbnb", "/opt/homebrew/bin/agentbnb"];
+  for (const candidate of npmGlobalCandidates) {
+    const resolvedPath = tryCandidate(candidate, "npm-global");
+    if (resolvedPath) return resolvedPath;
+  }
+  const pnpmCandidates = getPnpmGlobalCandidates(deps.platform, deps.homeDir);
+  for (const candidate of pnpmCandidates) {
+    const resolvedPath = tryCandidate(candidate, "pnpm-global");
+    if (resolvedPath) return resolvedPath;
+  }
+  try {
+    const requireResolved = deps.requireResolve("agentbnb/dist/cli/index.js");
+    const resolvedPath = tryCandidate(requireResolved, "require.resolve(agentbnb/dist/cli/index.js)");
+    if (resolvedPath) return resolvedPath;
+  } catch (err) {
+    tried.push(`require.resolve(agentbnb/dist/cli/index.js) failed: ${extractErrorMessage(err)}`);
+  }
+  throw new AgentBnBError(
+    `Unable to resolve absolute path to agentbnb CLI.
+Paths tried:
+${tried.map((item) => `- ${item}`).join("\n")}`,
+    "CLI_ENTRY_NOT_FOUND"
+  );
+}
+function buildFullPathEnv(pathEnv, homeDir) {
+  const values = /* @__PURE__ */ new Set();
+  for (const item of (pathEnv ?? "").split(":")) {
+    if (item.trim()) values.add(item.trim());
+  }
+  for (const extra of [
+    "/usr/local/bin",
+    "/opt/homebrew/bin",
+    "/usr/bin",
+    "/bin",
+    "/usr/sbin",
+    "/sbin",
+    join4(homeDir, ".local", "bin"),
+    join4(homeDir, "Library", "pnpm"),
+    join4(homeDir, ".local", "share", "pnpm")
+  ]) {
+    values.add(extra);
+  }
+  return [...values].join(":");
+}
+function safeRealpath(realpath, path) {
+  try {
+    return realpath(path);
+  } catch {
+    return path;
+  }
+}
+function getPnpmGlobalCandidates(platform, homeDir) {
+  const candidates = /* @__PURE__ */ new Set();
+  if (platform === "darwin") {
+    candidates.add(join4(homeDir, "Library", "pnpm", "agentbnb"));
+  }
+  if (platform === "linux") {
+    candidates.add(join4(homeDir, ".local", "share", "pnpm", "agentbnb"));
+  }
+  candidates.add(join4(homeDir, "Library", "pnpm", "agentbnb"));
+  candidates.add(join4(homeDir, ".local", "share", "pnpm", "agentbnb"));
+  return [...candidates];
+}
+function looksLikeAgentbnbCli(path) {
+  const normalized = path.replace(/\\/g, "/").toLowerCase();
+  const fileName = basename(normalized);
+  if (fileName === "agentbnb" || fileName === "agentbnb.cmd" || fileName === "agentbnb.exe") {
+    return true;
+  }
+  return normalized.includes("/agentbnb/dist/cli/index.") || normalized.endsWith("/dist/cli/index.js") || normalized.endsWith("/dist/cli/index.mjs") || normalized.endsWith("/dist/cli/index.cjs");
+}
+function extractErrorMessage(err) {
+  if (err instanceof Error && err.message) return err.message;
+  return String(err);
+}
+
 // src/runtime/service-coordinator.ts
 import { spawn as spawn2 } from "child_process";
-import { createRequire } from "module";
-import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
-import { fileURLToPath as fileURLToPath2 } from "url";
-import { dirname as dirname3, join as join4, resolve } from "path";
+import { existsSync as existsSync6, readFileSync as readFileSync4 } from "fs";
+import { join as join5 } from "path";
 import { randomUUID as randomUUID7 } from "crypto";
 var ServiceCoordinator = class {
   config;
@@ -5952,7 +6243,7 @@ var ServiceCoordinator = class {
     return {
       port: opts?.port ?? this.config.gateway_port,
       handlerUrl: opts?.handlerUrl ?? "http://localhost:8080",
-      skillsYamlPath: opts?.skillsYamlPath ?? join4(getConfigDir(), "skills.yaml"),
+      skillsYamlPath: opts?.skillsYamlPath ?? join5(getConfigDir(), "skills.yaml"),
       registryPort: opts?.registryPort ?? 7701,
       registryUrl: opts?.registryUrl ?? this.config.registry ?? "",
       relay: opts?.relay ?? true,
@@ -6035,7 +6326,7 @@ var ServiceCoordinator = class {
     }
     if (opts.registryUrl && opts.relay) {
       const { RelayClient: RelayClient2 } = await import("../../websocket-client-4Z5P54RU.js");
-      const { executeCapabilityRequest: executeCapabilityRequest2 } = await import("../../execute-EPE6MZLT.js");
+      const { executeCapabilityRequest: executeCapabilityRequest2 } = await import("../../execute-WOS457HW.js");
       const cards = listCards(this.runtime.registryDb, this.config.owner);
       const card = cards[0] ?? {
         id: randomUUID7(),
@@ -6142,7 +6433,8 @@ var ServiceCoordinator = class {
   spawnManagedProcess(opts) {
     const runtime = loadPersistedRuntime(getConfigDir());
     const nodeExec = resolveNodeExecutable(runtime);
-    const cliArgs = resolveCliLaunchArgs(this.buildServeArgs(opts));
+    const cliPath = resolveSelfCli();
+    const cliArgs = [cliPath, "serve", ...this.buildServeArgs(opts)];
     const child = spawn2(nodeExec, cliArgs, {
       detached: true,
       stdio: "ignore",
@@ -6303,8 +6595,8 @@ var ServiceCoordinator = class {
   };
 };
 function loadPersistedRuntime(configDir) {
-  const runtimePath = join4(configDir, "runtime.json");
-  if (!existsSync5(runtimePath)) return null;
+  const runtimePath = join5(configDir, "runtime.json");
+  if (!existsSync6(runtimePath)) return null;
   try {
     const raw = readFileSync4(runtimePath, "utf8");
     const parsed = JSON.parse(raw);
@@ -6328,28 +6620,6 @@ function resolveNodeExecutable(runtime) {
   }
   return process.execPath;
 }
-function resolveCliLaunchArgs(serveArgs) {
-  const require2 = createRequire(import.meta.url);
-  try {
-    const distCli2 = require2.resolve("agentbnb/dist/cli/index.js");
-    return [distCli2, "serve", ...serveArgs];
-  } catch {
-  }
-  const projectRoot = resolve(dirname3(fileURLToPath2(import.meta.url)), "..", "..");
-  const distCli = join4(projectRoot, "dist", "cli", "index.js");
-  if (existsSync5(distCli)) {
-    return [distCli, "serve", ...serveArgs];
-  }
-  const srcCli = join4(projectRoot, "src", "cli", "index.ts");
-  if (existsSync5(srcCli)) {
-    const tsxCli = require2.resolve("tsx/dist/cli.mjs");
-    return [tsxCli, srcCli, "serve", ...serveArgs];
-  }
-  throw new AgentBnBError(
-    "Unable to locate AgentBnB CLI entry (dist/cli/index.js or src/cli/index.ts)",
-    "CLI_ENTRY_NOT_FOUND"
-  );
-}
 function isPidAlive(pid) {
   if (!Number.isInteger(pid) || pid <= 0) return false;
   try {
@@ -6458,7 +6728,7 @@ var AgentBnBService = class {
     const creditDb = openCreditDb(this.config.credit_db_path);
     creditDb.pragma("busy_timeout = 5000");
     try {
-      const keys = this.getOrCreateKeyPair();
+      const { keys } = loadOrRepairIdentity(getConfigDir(), this.config.owner);
       const { escrowId, receipt } = createSignedEscrowReceipt(
         creditDb,
         keys.privateKey,
@@ -6667,20 +6937,9 @@ var AgentBnBService = class {
       tempRelay.disconnect();
     }
   }
-  getOrCreateKeyPair() {
-    const configDir = getConfigDir();
-    try {
-      return loadKeyPair(configDir);
-    } catch {
-      const keys = generateKeyPair();
-      saveKeyPair(configDir, keys);
-      return keys;
-    }
-  }
   loadIdentityAuth() {
     const configDir = getConfigDir();
-    const identity = ensureIdentity(configDir, this.config.owner);
-    const keys = this.getOrCreateKeyPair();
+    const { identity, keys } = loadOrRepairIdentity(configDir, this.config.owner);
     return {
       agentId: identity.agent_id,
       publicKey: identity.public_key,
@@ -6748,9 +7007,9 @@ function isNetworkError(err) {
 }
 
 // skills/agentbnb/openclaw-tools.ts
-import { readFileSync as readFileSync5, existsSync as existsSync6 } from "fs";
-import { join as join5 } from "path";
-import { homedir as homedir2 } from "os";
+import { readFileSync as readFileSync5, existsSync as existsSync7 } from "fs";
+import { join as join6 } from "path";
+import { homedir as homedir3 } from "os";
 
 // src/mcp/tools/discover.ts
 import { z as z9 } from "zod";
@@ -6917,7 +7176,12 @@ async function handleRequest(args, ctx) {
             gatewayUrl,
             token: "",
             cardId,
-            params: { ...args.params ?? {}, ...args.skill_id ? { skill_id: args.skill_id } : {}, requester: ctx.config.owner }
+            params: { ...args.params ?? {}, ...args.skill_id ? { skill_id: args.skill_id } : {}, requester: ctx.config.owner },
+            identity: {
+              agentId: ctx.identity.agent_id,
+              publicKey: ctx.identity.public_key,
+              privateKey: keys.privateKey
+            }
           });
           await ledger.settle(escrowId, targetOwner ?? "unknown");
           return {
@@ -7257,19 +7521,19 @@ async function handlePublish(args, ctx) {
 var contextCache = /* @__PURE__ */ new Map();
 function resolveConfigDir(toolCtx) {
   if (toolCtx.agentDir) {
-    return toolCtx.agentDir.endsWith(".agentbnb") ? toolCtx.agentDir : join5(toolCtx.agentDir, ".agentbnb");
+    return toolCtx.agentDir.endsWith(".agentbnb") ? toolCtx.agentDir : join6(toolCtx.agentDir, ".agentbnb");
   }
   if (toolCtx.workspaceDir) {
-    return join5(toolCtx.workspaceDir, ".agentbnb");
+    return join6(toolCtx.workspaceDir, ".agentbnb");
   }
-  return join5(homedir2(), ".agentbnb");
+  return join6(homedir3(), ".agentbnb");
 }
 function buildMcpContext(toolCtx) {
   const configDir = resolveConfigDir(toolCtx);
   const cached = contextCache.get(configDir);
   if (cached) return cached;
-  const configPath = join5(configDir, "config.json");
-  if (!existsSync6(configPath)) {
+  const configPath = join6(configDir, "config.json");
+  if (!existsSync7(configPath)) {
     throw new Error(
       `AgentBnB not initialized at ${configDir}. Run \`agentbnb init\` or activate the plugin first.`
     );
@@ -7434,18 +7698,18 @@ function resolveWorkspaceDir() {
   if (process.env["AGENTBNB_DIR"]) {
     return process.env["AGENTBNB_DIR"];
   }
-  const openclawAgentsDir = join6(homedir3(), ".openclaw", "agents");
+  const openclawAgentsDir = join7(homedir4(), ".openclaw", "agents");
   const cwd = process.cwd();
   if (cwd.startsWith(openclawAgentsDir + "/")) {
     const relative = cwd.slice(openclawAgentsDir.length + 1);
     const agentName = relative.split("/")[0];
-    return join6(openclawAgentsDir, agentName, ".agentbnb");
+    return join7(openclawAgentsDir, agentName, ".agentbnb");
   }
-  return join6(homedir3(), ".agentbnb");
+  return join7(homedir4(), ".agentbnb");
 }
 function registerDecomposerCard(configDir, owner) {
   try {
-    const db = openDatabase(join6(configDir, "registry.db"));
+    const db = openDatabase(join7(configDir, "registry.db"));
     const existing = db.prepare(
       "SELECT id FROM capability_cards WHERE owner = ? AND json_extract(data, '$.capability_type') = ?"
     ).get(owner, "task_decomposition");
@@ -7503,37 +7767,40 @@ function registerDecomposerCard(configDir, owner) {
   }
 }
 function findCli() {
-  const result = spawnSync("which", ["agentbnb"], { encoding: "utf-8", stdio: "pipe" });
-  if (result.status === 0 && result.stdout.trim()) {
-    return result.stdout.trim();
+  try {
+    return resolveSelfCli();
+  } catch {
+    return null;
   }
-  return null;
 }
 async function runCommand(cmd, env) {
   return execAsync(cmd, { env });
 }
 function deriveAgentName(configDir) {
-  const parent = basename(dirname4(configDir));
-  if (parent && parent !== "." && parent !== ".agentbnb" && parent !== homedir3().split("/").pop()) {
+  const parent = basename2(dirname3(configDir));
+  if (parent && parent !== "." && parent !== ".agentbnb" && parent !== homedir4().split("/").pop()) {
     return parent;
   }
   return `agent-${randomUUID10().slice(0, 8)}`;
 }
-var defaultDeps = { findCli, runCommand };
+var defaultDeps = { resolveSelfCli, runCommand };
 async function autoOnboard(configDir, deps = defaultDeps) {
   process.stderr.write("[agentbnb] First-time setup: initializing agent identity...\n");
-  const cliPath = deps.findCli();
-  if (!cliPath) {
+  let cliPath;
+  try {
+    cliPath = deps.resolveSelfCli();
+  } catch {
     process.stderr.write("[agentbnb] CLI not found. Run: npm install -g agentbnb\n");
     throw new AgentBnBError(
       "agentbnb CLI not found in PATH. Install with: npm install -g agentbnb",
       "INIT_FAILED"
     );
   }
+  const quotedCliPath = quoteShellArg(cliPath);
   const env = { ...process.env, AGENTBNB_DIR: configDir };
   const agentName = deriveAgentName(configDir);
   try {
-    await deps.runCommand(`agentbnb init --owner "${agentName}" --yes --no-detect`, env);
+    await deps.runCommand(`${quotedCliPath} init --owner "${agentName}" --yes --no-detect`, env);
     process.stderr.write(`[agentbnb] Agent "${agentName}" initialized.
 `);
   } catch (err) {
@@ -7541,7 +7808,7 @@ async function autoOnboard(configDir, deps = defaultDeps) {
     throw new AgentBnBError(`Auto-init failed: ${msg}`, "INIT_FAILED");
   }
   try {
-    await deps.runCommand("agentbnb openclaw sync", env);
+    await deps.runCommand(`${quotedCliPath} openclaw sync`, env);
     process.stderr.write("[agentbnb] Capabilities published from SOUL.md.\n");
   } catch {
     process.stderr.write("[agentbnb] Note: openclaw sync skipped (SOUL.md may not exist yet).\n");
@@ -7553,6 +7820,9 @@ async function autoOnboard(configDir, deps = defaultDeps) {
   process.stderr.write("[agentbnb] Agent initialized and published to AgentBnB network.\n");
   return config;
 }
+function quoteShellArg(input) {
+  return `'${input.replace(/'/g, `'\\''`)}'`;
+}
 async function activate(config = {}, _onboardDeps) {
   if (config.agentDir) {
     process.env["AGENTBNB_DIR"] = config.agentDir;
@@ -7561,7 +7831,7 @@ async function activate(config = {}, _onboardDeps) {
 `
     );
   } else if (config.workspaceDir) {
-    const derived = join6(config.workspaceDir, ".agentbnb");
+    const derived = join7(config.workspaceDir, ".agentbnb");
     process.env["AGENTBNB_DIR"] = derived;
     process.stderr.write(
       `[agentbnb] AGENTBNB_DIR derived from config.workspaceDir: ${derived}
@@ -7590,7 +7860,7 @@ async function activate(config = {}, _onboardDeps) {
     `[agentbnb] activate: owner=${agentConfig.owner} config=${configDir}/config.json
 `
   );
-  const guard = new ProcessGuard(join6(configDir, ".pid"));
+  const guard = new ProcessGuard(join7(configDir, ".pid"));
   const coordinator = new ServiceCoordinator(agentConfig, guard);
   const service = new AgentBnBService(coordinator, agentConfig);
   const opts = {