npm - agentbnb - Versions diffs - 8.2.0 → 8.2.2 - Mend

agentbnb 8.2.0 → 8.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/dist/{chunk-TBJ3FZKZ.js → chunk-4IPJJRTP.js} +1 -1
package/dist/chunk-CKOOVZOI.js +158 -0
package/dist/chunk-CQFBNTGT.js +145 -0
package/dist/{chunk-P4LOYSLA.js → chunk-DYQOFGGI.js} +331 -416
package/dist/{chunk-ALX4WS3A.js → chunk-EG6RS4JC.js} +70 -46
package/dist/{chunk-CUONY5TO.js → chunk-EJKW57ZV.js} +19 -1
package/dist/{chunk-5AAFG2V2.js → chunk-LKLKYXLV.js} +239 -24
package/dist/{chunk-7EF3HYVZ.js → chunk-MCED4GDW.js} +499 -86
package/dist/{chunk-YHY7OG6S.js → chunk-MWOXW7JQ.js} +7 -7
package/dist/{chunk-E2OKP5CY.js → chunk-QCGIG7WW.js} +182 -86
package/dist/{chunk-5GME4KJZ.js → chunk-QHZGOG3O.js} +148 -46
package/dist/{chunk-D6RKW2XG.js → chunk-RYISHSHB.js} +302 -4
package/dist/{chunk-O2OYBAVR.js → chunk-S3V6R3EN.js} +75 -39
package/dist/{chunk-X32NE6V4.js → chunk-WNXXLCV5.js} +1 -1
package/dist/{chunk-C537SFHV.js → chunk-XBGVQMQJ.js} +72 -48
package/dist/{chunk-FTZTEHYG.js → chunk-Z2GEFFDO.js} +135 -8
package/dist/cli/index.js +42 -67
package/dist/{client-HKV3QWZ3.js → client-XOLP5IUZ.js} +4 -2
package/dist/{conduct-W6XF6DJW.js → conduct-AZFLNUX3.js} +10 -11
package/dist/{conduct-YB64OHI6.js → conduct-VPUYTNEA.js} +10 -11
package/dist/{conductor-mode-AKREGDIU.js → conductor-mode-PLTB6MS3.js} +7 -8
package/dist/{conductor-mode-TFCVCQHU.js → conductor-mode-WKB42PYM.js} +6 -3
package/dist/{execute-EPE6MZLT.js → execute-NNDCXTN4.js} +3 -2
package/dist/{execute-AYQWORVH.js → execute-RIRHTIBU.js} +6 -5
package/dist/index.d.ts +8 -8
package/dist/index.js +637 -693
package/dist/{publish-capability-AH2HDW54.js → publish-capability-QDR2QIZ2.js} +2 -2
package/dist/{request-HCCXSKAY.js → request-NX7GSPIG.js} +31 -36
package/dist/{serve-skill-SZAQT5T5.js → serve-skill-E6EJQYAK.js} +10 -9
package/dist/{server-LMY2A3GT.js → server-VBCT32FC.js} +12 -18
package/dist/{service-coordinator-WGH6B2VT.js → service-coordinator-KMSA6BST.js} +137 -69
package/dist/skills/agentbnb/bootstrap.js +561 -247
package/package.json +13 -17
package/skills/agentbnb/bootstrap.test.ts +8 -6
package/skills/agentbnb/bootstrap.ts +21 -13
package/skills/agentbnb/install.sh +0 -0
package/dist/chunk-64AK4FJM.js +0 -84
package/dist/chunk-KF3TZHA5.js +0 -91
package/dist/chunk-LJM7FHPM.js +0 -138
package/dist/chunk-OH7BP5NP.js +0 -96

package/dist/skills/agentbnb/bootstrap.js CHANGED Viewed

@@ -1,3 +1,7 @@
+import {
+  RelayClient,
+  RelayMessageSchema
+} from "../../chunk-3LWBH7P3.js";
 import {
   AutoRequestor,
   BudgetController,
@@ -5,23 +9,19 @@ import {
   DEFAULT_AUTONOMY_CONFIG,
   DEFAULT_BUDGET_CONFIG,
   ORCHESTRATION_FEE,
-  buildReputationMap,
-  computeReputation,
   decompose,
-  fetchRemoteCards,
-  filterCards,
   getAutonomyTier,
   insertAuditEvent,
   interpolateObject,
   listPendingRequests,
   matchSubTasks,
-  mergeResults,
   orchestrate,
+  resolvePendingRequest
+} from "../../chunk-DYQOFGGI.js";
+import {
   requestCapability,
-  requestViaRelay,
-  resolvePendingRequest,
-  searchCards
-} from "../../chunk-P4LOYSLA.js";
+  requestViaRelay
+} from "../../chunk-CKOOVZOI.js";
 import {
   loadPeers
 } from "../../chunk-HLUEOLSZ.js";
@@ -30,10 +30,13 @@ import {
   executeCapabilityRequest,
   releaseRequesterEscrow,
   settleRequesterEscrow
-} from "../../chunk-ALX4WS3A.js";
+} from "../../chunk-EG6RS4JC.js";
 import {
   bootstrapAgent,
-  generateKeyPair,
+  buildReputationMap,
+  computeReputation,
+  fetchRemoteCards,
+  filterCards,
   getActivityFeed,
   getBalance,
   getCard,
@@ -51,20 +54,26 @@ import {
   insertFeedback,
   insertRequestLog,
   listCards,
-  loadKeyPair,
+  lookupAgent,
+  mergeResults,
   migrateOwner,
   openCreditDb,
   openDatabase,
   releaseEscrow,
-  saveKeyPair,
+  searchCards,
   settleEscrow,
-  signEscrowReceipt,
   updateCard,
   updateSkillAvailability,
-  updateSkillIdleRate,
-  verifyEscrowReceipt
-} from "../../chunk-7EF3HYVZ.js";
+  updateSkillIdleRate
+} from "../../chunk-MCED4GDW.js";
 import "../../chunk-NWIQJ2CL.js";
+import {
+  generateKeyPair,
+  loadKeyPair,
+  saveKeyPair,
+  signEscrowReceipt,
+  verifyEscrowReceipt
+} from "../../chunk-EJKW57ZV.js";
 import {
   getConfigDir,
   loadConfig
@@ -73,17 +82,13 @@ import {
   AgentBnBError,
   AnyCardSchema
 } from "../../chunk-WVY2W7AA.js";
-import {
-  RelayClient,
-  RelayMessageSchema
-} from "../../chunk-3LWBH7P3.js";
 // skills/agentbnb/bootstrap.ts
-import { join as join6, basename, dirname as dirname4 } from "path";
-import { homedir as homedir3 } from "os";
-import { spawnSync, exec } from "child_process";
+import { join as join7, basename as basename2, dirname as dirname3 } from "path";
+import { homedir as homedir4 } from "os";
+import { exec } from "child_process";
 import { promisify as promisify2 } from "util";
-import { randomUUID as randomUUID10 } from "crypto";
+import { randomUUID as randomUUID11 } from "crypto";
 // src/runtime/process-guard.ts
 import { dirname, join } from "path";
@@ -1271,7 +1276,7 @@ var AgentRuntime = class {
     }
     const modes = /* @__PURE__ */ new Map();
     if (this.conductorEnabled) {
-      const { ConductorMode } = await import("../../conductor-mode-TFCVCQHU.js");
+      const { ConductorMode } = await import("../../conductor-mode-WKB42PYM.js");
       const { registerConductorCard, CONDUCTOR_OWNER } = await import("../../card-EX2EYGCZ.js");
       const { loadPeers: loadPeers2 } = await import("../../peers-CJ7T4RJO.js");
       registerConductorCard(this.registryDb);
@@ -1435,7 +1440,54 @@ function createGatewayServer(opts) {
     return { status: "ok", version: VERSION, uptime: process.uptime() };
   });
   fastify.post("/rpc", async (request, reply) => {
-    const body = request.body;
+    const rawBody = request.body;
+    if (Array.isArray(rawBody)) {
+      const responses = await Promise.all(
+        rawBody.map(async (single) => {
+          if (single.jsonrpc !== "2.0" || !single.method) {
+            return { jsonrpc: "2.0", id: single.id ?? null, error: { code: -32600, message: "Invalid Request" } };
+          }
+          if (single.method !== "capability.execute") {
+            return { jsonrpc: "2.0", id: single.id ?? null, error: { code: -32601, message: "Method not found" } };
+          }
+          const params2 = single.params ?? {};
+          const cardId2 = params2.card_id;
+          if (!cardId2) {
+            return { jsonrpc: "2.0", id: single.id ?? null, error: { code: -32602, message: "Invalid params: card_id required" } };
+          }
+          const requester2 = params2.requester ?? "unknown";
+          const receipt2 = params2.escrow_receipt;
+          const batchSkillId = params2.skill_id;
+          const trackKey2 = batchSkillId ?? cardId2;
+          inFlight.set(trackKey2, (inFlight.get(trackKey2) ?? 0) + 1);
+          try {
+            const result2 = await executeCapabilityRequest({
+              registryDb,
+              creditDb,
+              cardId: cardId2,
+              skillId: batchSkillId,
+              params: params2,
+              requester: requester2,
+              escrowReceipt: receipt2,
+              skillExecutor,
+              handlerUrl,
+              timeoutMs
+            });
+            if (result2.success) {
+              return { jsonrpc: "2.0", id: single.id ?? null, result: result2.result };
+            } else {
+              return { jsonrpc: "2.0", id: single.id ?? null, error: result2.error };
+            }
+          } finally {
+            const next = (inFlight.get(trackKey2) ?? 1) - 1;
+            if (next <= 0) inFlight.delete(trackKey2);
+            else inFlight.set(trackKey2, next);
+          }
+        })
+      );
+      return reply.send(responses);
+    }
+    const body = rawBody;
     if (body.jsonrpc !== "2.0" || !body.method) {
       return reply.status(400).send({
         jsonrpc: "2.0",
@@ -1537,6 +1589,7 @@ import swaggerUi from "@fastify/swagger-ui";
 import fastifyStatic from "@fastify/static";
 import fastifyWebsocket from "@fastify/websocket";
 import { join as join3, dirname as dirname2 } from "path";
+import { randomUUID as randomUUID7 } from "crypto";
 import { fileURLToPath } from "url";
 import { existsSync as existsSync4 } from "fs";
 import { z as z7 } from "zod";
@@ -1655,13 +1708,190 @@ var LocalCreditLedger = class {
   }
 };
+// src/identity/identity.ts
+import { z as z2 } from "zod";
+import { createHash, createPrivateKey, createPublicKey } from "crypto";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
+import { join as join2 } from "path";
+var AgentIdentitySchema = z2.object({
+  /** Deterministic ID derived from public key: sha256(hex).slice(0, 16). */
+  agent_id: z2.string().min(1),
+  /** Human-readable owner name (from config or init). */
+  owner: z2.string().min(1),
+  /** Hex-encoded Ed25519 public key. */
+  public_key: z2.string().min(1),
+  /** ISO 8601 timestamp of identity creation. */
+  created_at: z2.string().datetime(),
+  /** Optional guarantor info if linked to a human. */
+  guarantor: z2.object({
+    github_login: z2.string().min(1),
+    verified_at: z2.string().datetime()
+  }).optional()
+});
+var AgentCertificateSchema = z2.object({
+  identity: AgentIdentitySchema,
+  /** ISO 8601 timestamp of certificate issuance. */
+  issued_at: z2.string().datetime(),
+  /** ISO 8601 timestamp of certificate expiry. */
+  expires_at: z2.string().datetime(),
+  /** Hex-encoded public key of the issuer (same as identity for self-signed). */
+  issuer_public_key: z2.string().min(1),
+  /** Base64url Ed25519 signature over { identity, issued_at, expires_at, issuer_public_key }. */
+  signature: z2.string().min(1)
+});
+var IDENTITY_FILENAME = "identity.json";
+var PRIVATE_KEY_FILENAME = "private.key";
+var PUBLIC_KEY_FILENAME = "public.key";
+function derivePublicKeyFromPrivate(privateKey) {
+  const privateKeyObject = createPrivateKey({ key: privateKey, format: "der", type: "pkcs8" });
+  const publicKeyObject = createPublicKey(privateKeyObject);
+  const publicKey = publicKeyObject.export({ format: "der", type: "spki" });
+  return Buffer.from(publicKey);
+}
+function buildIdentityFromPublicKey(publicKey, owner, createdAt) {
+  const publicKeyHex = publicKey.toString("hex");
+  return {
+    agent_id: deriveAgentId(publicKeyHex),
+    owner,
+    public_key: publicKeyHex,
+    created_at: createdAt ?? (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function generateFreshIdentity(configDir, owner) {
+  const keys = generateKeyPair();
+  saveKeyPair(configDir, keys);
+  const identity = buildIdentityFromPublicKey(keys.publicKey, owner);
+  saveIdentity(configDir, identity);
+  return { identity, keys, status: "generated" };
+}
+function deriveAgentId(publicKeyHex) {
+  return createHash("sha256").update(publicKeyHex, "hex").digest("hex").slice(0, 16);
+}
+function loadIdentity(configDir) {
+  const filePath = join2(configDir, IDENTITY_FILENAME);
+  if (!existsSync3(filePath)) return null;
+  try {
+    const raw = readFileSync3(filePath, "utf-8");
+    return AgentIdentitySchema.parse(JSON.parse(raw));
+  } catch {
+    return null;
+  }
+}
+function saveIdentity(configDir, identity) {
+  if (!existsSync3(configDir)) {
+    mkdirSync2(configDir, { recursive: true });
+  }
+  const filePath = join2(configDir, IDENTITY_FILENAME);
+  writeFileSync2(filePath, JSON.stringify(identity, null, 2), "utf-8");
+}
+function loadOrRepairIdentity(configDir, ownerHint) {
+  if (!existsSync3(configDir)) {
+    mkdirSync2(configDir, { recursive: true });
+  }
+  const identityPath = join2(configDir, IDENTITY_FILENAME);
+  const privateKeyPath = join2(configDir, PRIVATE_KEY_FILENAME);
+  const publicKeyPath = join2(configDir, PUBLIC_KEY_FILENAME);
+  const hasIdentity = existsSync3(identityPath);
+  const hasPrivateKey = existsSync3(privateKeyPath);
+  const hasPublicKey = existsSync3(publicKeyPath);
+  if (!hasIdentity || !hasPrivateKey || !hasPublicKey) {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let keys;
+  try {
+    keys = loadKeyPair(configDir);
+  } catch {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let derivedPublicKey;
+  try {
+    derivedPublicKey = derivePublicKeyFromPrivate(keys.privateKey);
+  } catch {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let keypairRepaired = false;
+  if (!keys.publicKey.equals(derivedPublicKey)) {
+    keypairRepaired = true;
+    keys = { privateKey: keys.privateKey, publicKey: derivedPublicKey };
+    saveKeyPair(configDir, keys);
+  }
+  const loadedIdentity = loadIdentity(configDir);
+  const expectedAgentId = deriveAgentId(derivedPublicKey.toString("hex"));
+  const expectedPublicKeyHex = derivedPublicKey.toString("hex");
+  const identityMismatch = !loadedIdentity || loadedIdentity.public_key !== expectedPublicKeyHex || loadedIdentity.agent_id !== expectedAgentId;
+  if (identityMismatch) {
+    const repairedIdentity = buildIdentityFromPublicKey(
+      derivedPublicKey,
+      loadedIdentity?.owner ?? ownerHint ?? "agent",
+      loadedIdentity?.created_at
+    );
+    saveIdentity(configDir, repairedIdentity);
+    return { identity: repairedIdentity, keys, status: "repaired" };
+  }
+  if (ownerHint && loadedIdentity.owner !== ownerHint) {
+    const updatedIdentity = { ...loadedIdentity, owner: ownerHint };
+    saveIdentity(configDir, updatedIdentity);
+    return { identity: updatedIdentity, keys, status: "repaired" };
+  }
+  return { identity: loadedIdentity, keys, status: keypairRepaired ? "repaired" : "existing" };
+}
+function ensureIdentity(configDir, owner) {
+  return loadOrRepairIdentity(configDir, owner).identity;
+}
 // src/registry/identity-auth.ts
 var MAX_REQUEST_AGE_MS = 5 * 60 * 1e3;
-async function verifyIdentity(request, reply) {
-  const publicKeyHex = request.headers["x-agent-publickey"];
-  const signature = request.headers["x-agent-signature"];
-  const timestamp = request.headers["x-agent-timestamp"];
-  if (!publicKeyHex || !signature || !timestamp) {
+function normalizeSignedParams(body) {
+  return body === void 0 ? null : body;
+}
+function buildIdentityPayload(method, path, timestamp, publicKeyHex, agentId, params) {
+  return {
+    method,
+    path,
+    timestamp,
+    publicKey: publicKeyHex,
+    agentId,
+    params: normalizeSignedParams(params)
+  };
+}
+function extractClaimedRequester(request) {
+  const extractFromObject = (obj) => {
+    const directOwner = typeof obj.owner === "string" ? obj.owner.trim() : "";
+    if (directOwner) return directOwner;
+    const directRequester = typeof obj.requester === "string" ? obj.requester.trim() : "";
+    if (directRequester) return directRequester;
+    const oldOwner = typeof obj.oldOwner === "string" ? obj.oldOwner.trim() : "";
+    if (oldOwner) return oldOwner;
+    const nestedParams = obj.params;
+    if (nestedParams && typeof nestedParams === "object" && !Array.isArray(nestedParams)) {
+      const nested = nestedParams;
+      const nestedOwner = typeof nested.owner === "string" ? nested.owner.trim() : "";
+      if (nestedOwner) return nestedOwner;
+      const nestedRequester = typeof nested.requester === "string" ? nested.requester.trim() : "";
+      if (nestedRequester) return nestedRequester;
+    }
+    return null;
+  };
+  if (request.body && typeof request.body === "object" && !Array.isArray(request.body)) {
+    const claimed = extractFromObject(request.body);
+    if (claimed) return claimed;
+  }
+  if (request.params && typeof request.params === "object" && !Array.isArray(request.params)) {
+    const claimed = extractFromObject(request.params);
+    if (claimed) return claimed;
+  }
+  return null;
+}
+async function verifyIdentity(request, reply, options) {
+  const agentIdHeader = request.headers["x-agent-id"];
+  const publicKeyHeader = request.headers["x-agent-publickey"];
+  const signatureHeader = request.headers["x-agent-signature"];
+  const timestampHeader = request.headers["x-agent-timestamp"];
+  const agentId = agentIdHeader?.trim();
+  const publicKeyHex = publicKeyHeader?.trim();
+  const signature = signatureHeader?.trim();
+  const timestamp = timestampHeader?.trim();
+  if (!agentId || !publicKeyHex || !signature || !timestamp) {
     await reply.code(401).send({ error: "Missing identity headers" });
     return false;
   }
@@ -1670,12 +1900,21 @@ async function verifyIdentity(request, reply) {
     await reply.code(401).send({ error: "Request expired" });
     return false;
   }
-  const payload = {
-    method: request.method,
-    path: request.url,
-    timestamp,
-    publicKey: publicKeyHex
-  };
+  if (!/^[0-9a-fA-F]+$/.test(publicKeyHex) || publicKeyHex.length % 2 !== 0) {
+    await reply.code(401).send({ error: "Invalid identity signature" });
+    return false;
+  }
+  let expectedAgentId;
+  try {
+    expectedAgentId = deriveAgentId(publicKeyHex);
+  } catch {
+    await reply.code(401).send({ error: "Invalid identity signature" });
+    return false;
+  }
+  if (agentId !== expectedAgentId) {
+    await reply.code(401).send({ error: "Invalid identity signature" });
+    return false;
+  }
   let publicKeyBuffer;
   try {
     publicKeyBuffer = Buffer.from(publicKeyHex, "hex");
@@ -1683,30 +1922,52 @@ async function verifyIdentity(request, reply) {
     await reply.code(401).send({ error: "Invalid identity signature" });
     return false;
   }
+  const knownAgent = options.agentDb ? lookupAgent(options.agentDb, agentId) : null;
+  if (knownAgent && knownAgent.public_key.toLowerCase() !== publicKeyHex.toLowerCase()) {
+    await reply.code(401).send({ error: "Invalid identity signature" });
+    return false;
+  }
+  const payload = buildIdentityPayload(
+    request.method,
+    request.url,
+    timestamp,
+    publicKeyHex,
+    agentId,
+    request.body
+  );
   const valid = verifyEscrowReceipt(payload, signature, publicKeyBuffer);
   if (!valid) {
     await reply.code(401).send({ error: "Invalid identity signature" });
     return false;
   }
+  const claimedRequester = extractClaimedRequester(request);
+  if (claimedRequester) {
+    const matchesAgentId = claimedRequester === agentId;
+    const matchesLegacyOwner = knownAgent?.legacy_owner === claimedRequester;
+    if (!matchesAgentId && !matchesLegacyOwner) {
+      await reply.code(401).send({ error: "Identity does not match requester" });
+      return false;
+    }
+  }
   request.agentPublicKey = publicKeyHex;
+  request.agentId = agentId;
   return true;
 }
-function identityAuthPlugin(fastify) {
-  fastify.addHook("onRequest", async (request, reply) => {
-    await verifyIdentity(request, reply);
+function identityAuthPlugin(fastify, options = {}) {
+  fastify.addHook("preHandler", async (request, reply) => {
+    const ok = await verifyIdentity(request, reply, options);
+    if (!ok) {
+      return reply;
+    }
   });
 }
-function signRequest(method, path, body, privateKey, publicKeyHex) {
+function signRequest(method, path, body, privateKey, publicKeyHex, agentIdOverride) {
   const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-  const payload = {
-    method,
-    path,
-    timestamp,
-    publicKey: publicKeyHex
-  };
-  void body;
+  const agentId = agentIdOverride ?? deriveAgentId(publicKeyHex);
+  const payload = buildIdentityPayload(method, path, timestamp, publicKeyHex, agentId, body);
   const signature = signEscrowReceipt(payload, privateKey);
   return {
+    "X-Agent-Id": agentId,
     "X-Agent-PublicKey": publicKeyHex,
     "X-Agent-Signature": signature,
     "X-Agent-Timestamp": timestamp
@@ -2290,92 +2551,6 @@ function getJobsByRelayOwner(db, relayOwner) {
   ).all(relayOwner, "queued");
 }
-// src/identity/identity.ts
-import { z as z2 } from "zod";
-import { createHash } from "crypto";
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
-import { join as join2 } from "path";
-var AgentIdentitySchema = z2.object({
-  /** Deterministic ID derived from public key: sha256(hex).slice(0, 16). */
-  agent_id: z2.string().min(1),
-  /** Human-readable owner name (from config or init). */
-  owner: z2.string().min(1),
-  /** Hex-encoded Ed25519 public key. */
-  public_key: z2.string().min(1),
-  /** ISO 8601 timestamp of identity creation. */
-  created_at: z2.string().datetime(),
-  /** Optional guarantor info if linked to a human. */
-  guarantor: z2.object({
-    github_login: z2.string().min(1),
-    verified_at: z2.string().datetime()
-  }).optional()
-});
-var AgentCertificateSchema = z2.object({
-  identity: AgentIdentitySchema,
-  /** ISO 8601 timestamp of certificate issuance. */
-  issued_at: z2.string().datetime(),
-  /** ISO 8601 timestamp of certificate expiry. */
-  expires_at: z2.string().datetime(),
-  /** Hex-encoded public key of the issuer (same as identity for self-signed). */
-  issuer_public_key: z2.string().min(1),
-  /** Base64url Ed25519 signature over { identity, issued_at, expires_at, issuer_public_key }. */
-  signature: z2.string().min(1)
-});
-var IDENTITY_FILENAME = "identity.json";
-function deriveAgentId(publicKeyHex) {
-  return createHash("sha256").update(publicKeyHex, "hex").digest("hex").slice(0, 16);
-}
-function createIdentity(configDir, owner) {
-  if (!existsSync3(configDir)) {
-    mkdirSync2(configDir, { recursive: true });
-  }
-  let keys;
-  try {
-    keys = loadKeyPair(configDir);
-  } catch {
-    keys = generateKeyPair();
-    saveKeyPair(configDir, keys);
-  }
-  const publicKeyHex = keys.publicKey.toString("hex");
-  const agentId = deriveAgentId(publicKeyHex);
-  const identity = {
-    agent_id: agentId,
-    owner,
-    public_key: publicKeyHex,
-    created_at: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  saveIdentity(configDir, identity);
-  return identity;
-}
-function loadIdentity(configDir) {
-  const filePath = join2(configDir, IDENTITY_FILENAME);
-  if (!existsSync3(filePath)) return null;
-  try {
-    const raw = readFileSync3(filePath, "utf-8");
-    return AgentIdentitySchema.parse(JSON.parse(raw));
-  } catch {
-    return null;
-  }
-}
-function saveIdentity(configDir, identity) {
-  if (!existsSync3(configDir)) {
-    mkdirSync2(configDir, { recursive: true });
-  }
-  const filePath = join2(configDir, IDENTITY_FILENAME);
-  writeFileSync2(filePath, JSON.stringify(identity, null, 2), "utf-8");
-}
-function ensureIdentity(configDir, owner) {
-  const existing = loadIdentity(configDir);
-  if (existing) {
-    if (existing.owner !== owner) {
-      existing.owner = owner;
-      saveIdentity(configDir, existing);
-    }
-    return existing;
-  }
-  return createIdentity(configDir, owner);
-}
 // src/hub-agent/crypto.ts
 import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
 function getMasterKey() {
@@ -3313,7 +3488,7 @@ async function creditRoutesPlugin(fastify, options) {
   }
   initFreeTierTable(creditDb);
   await fastify.register(async (scope) => {
-    identityAuthPlugin(scope);
+    identityAuthPlugin(scope, { agentDb: creditDb });
     scope.post("/api/credits/hold", {
       schema: {
         tags: ["credits"],
@@ -4473,7 +4648,7 @@ function createRegistryServer(opts) {
             type: "apiKey",
             in: "header",
             name: "X-Agent-PublicKey",
-            description: "Ed25519 public key (hex). Also requires X-Agent-Signature and X-Agent-Timestamp headers."
+            description: "Ed25519 public key (hex). Also requires X-Agent-Id, X-Agent-Signature, and X-Agent-Timestamp headers."
           }
         }
       }
@@ -4486,7 +4661,7 @@ function createRegistryServer(opts) {
   void server.register(cors, {
     origin: true,
     methods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
-    allowedHeaders: ["Content-Type", "Authorization", "X-Agent-PublicKey", "X-Agent-Signature", "X-Agent-Timestamp"]
+    allowedHeaders: ["Content-Type", "Authorization", "X-Agent-Id", "X-Agent-PublicKey", "X-Agent-Signature", "X-Agent-Timestamp"]
   });
   void server.register(fastifyWebsocket);
   let relayState = null;
@@ -5363,15 +5538,60 @@ function createRegistryServer(opts) {
         });
       }
       const { requests, strategy, total_budget } = parseResult.data;
-      const batchResult = await executeCapabilityBatch({
-        requests,
-        strategy,
-        total_budget,
-        registryDb: db,
-        creditDb: opts.creditDb,
-        owner
-      });
-      return reply.send(batchResult);
+      const host = request.headers.host ?? request.hostname;
+      const relayRegistryUrl = `${request.protocol}://${host}`;
+      const relayRequesterOwner = `${owner}:batch:${Date.now()}`;
+      let relayClient;
+      try {
+        const batchResult = await executeCapabilityBatch({
+          requests,
+          strategy,
+          total_budget,
+          registryDb: db,
+          creditDb: opts.creditDb,
+          owner,
+          registryUrl: relayRegistryUrl,
+          dispatchRequest: async ({ target, params, requester }) => {
+            if (!target.via_relay) {
+              return { card_id: target.cardId, skill_id: target.skillId };
+            }
+            if (!relayClient) {
+              const { RelayClient: RelayClient2 } = await import("../../websocket-client-4Z5P54RU.js");
+              relayClient = new RelayClient2({
+                registryUrl: relayRegistryUrl,
+                owner: relayRequesterOwner,
+                token: "batch-token",
+                card: {
+                  spec_version: "1.0",
+                  id: randomUUID7(),
+                  owner: relayRequesterOwner,
+                  name: relayRequesterOwner,
+                  description: "Batch requester",
+                  level: 1,
+                  inputs: [],
+                  outputs: [],
+                  pricing: { credits_per_call: 1 },
+                  availability: { online: false }
+                },
+                onRequest: async () => ({ error: { code: -32601, message: "Batch requester does not serve capabilities" } }),
+                silent: true
+              });
+              await relayClient.connect();
+            }
+            const { requestViaRelay: requestViaRelay2 } = await import("../../client-XOLP5IUZ.js");
+            return requestViaRelay2(relayClient, {
+              targetOwner: target.owner,
+              cardId: target.cardId,
+              skillId: target.skillId,
+              params: { ...params, requester },
+              requester
+            });
+          }
+        });
+        return reply.send(batchResult);
+      } finally {
+        relayClient?.disconnect();
+      }
     });
     if (opts.ownerApiKey && opts.ownerName) {
       const ownerApiKey = opts.ownerApiKey;
@@ -5826,13 +6046,134 @@ async function stopAnnouncement() {
   });
 }
+// src/runtime/resolve-self-cli.ts
+import { execFileSync as execFileSync2 } from "child_process";
+import { existsSync as existsSync5, realpathSync } from "fs";
+import { createRequire } from "module";
+import { homedir as homedir2 } from "os";
+import { basename, isAbsolute, join as join4, resolve } from "path";
+function resolveSelfCli() {
+  const require2 = createRequire(import.meta.url);
+  return resolveSelfCliWithDeps({
+    argv1: process.argv[1],
+    cwd: process.cwd(),
+    platform: process.platform,
+    homeDir: homedir2(),
+    envPath: process.env["PATH"],
+    exists: existsSync5,
+    realpath: realpathSync,
+    runWhich: (pathEnv) => execFileSync2("which", ["agentbnb"], {
+      encoding: "utf8",
+      env: { ...process.env, PATH: pathEnv }
+    }).trim(),
+    requireResolve: (id) => require2.resolve(id)
+  });
+}
+function resolveSelfCliWithDeps(deps) {
+  const tried = [];
+  const tryCandidate = (rawPath, label, requireCliShape = false) => {
+    if (!rawPath || rawPath.trim().length === 0) {
+      tried.push(`${label}: <empty>`);
+      return null;
+    }
+    const maybeAbsolute = isAbsolute(rawPath) ? rawPath : resolve(deps.cwd, rawPath);
+    tried.push(`${label}: ${maybeAbsolute}`);
+    if (!deps.exists(maybeAbsolute)) return null;
+    const resolvedPath = safeRealpath(deps.realpath, maybeAbsolute);
+    if (requireCliShape && !looksLikeAgentbnbCli(resolvedPath)) return null;
+    return resolvedPath;
+  };
+  const argvPath = tryCandidate(deps.argv1, "process.argv[1]", true);
+  if (argvPath) return argvPath;
+  const fullPathEnv = buildFullPathEnv(deps.envPath, deps.homeDir);
+  tried.push(`which agentbnb PATH=${fullPathEnv}`);
+  try {
+    const whichPath = tryCandidate(deps.runWhich(fullPathEnv), "which agentbnb");
+    if (whichPath) return whichPath;
+  } catch (err) {
+    tried.push(`which agentbnb failed: ${extractErrorMessage(err)}`);
+  }
+  const npmGlobalCandidates = ["/usr/local/bin/agentbnb", "/opt/homebrew/bin/agentbnb"];
+  for (const candidate of npmGlobalCandidates) {
+    const resolvedPath = tryCandidate(candidate, "npm-global");
+    if (resolvedPath) return resolvedPath;
+  }
+  const pnpmCandidates = getPnpmGlobalCandidates(deps.platform, deps.homeDir);
+  for (const candidate of pnpmCandidates) {
+    const resolvedPath = tryCandidate(candidate, "pnpm-global");
+    if (resolvedPath) return resolvedPath;
+  }
+  try {
+    const requireResolved = deps.requireResolve("agentbnb/dist/cli/index.js");
+    const resolvedPath = tryCandidate(requireResolved, "require.resolve(agentbnb/dist/cli/index.js)");
+    if (resolvedPath) return resolvedPath;
+  } catch (err) {
+    tried.push(`require.resolve(agentbnb/dist/cli/index.js) failed: ${extractErrorMessage(err)}`);
+  }
+  throw new AgentBnBError(
+    `Unable to resolve absolute path to agentbnb CLI.
+Paths tried:
+${tried.map((item) => `- ${item}`).join("\n")}`,
+    "CLI_ENTRY_NOT_FOUND"
+  );
+}
+function buildFullPathEnv(pathEnv, homeDir) {
+  const values = /* @__PURE__ */ new Set();
+  for (const item of (pathEnv ?? "").split(":")) {
+    if (item.trim()) values.add(item.trim());
+  }
+  for (const extra of [
+    "/usr/local/bin",
+    "/opt/homebrew/bin",
+    "/usr/bin",
+    "/bin",
+    "/usr/sbin",
+    "/sbin",
+    join4(homeDir, ".local", "bin"),
+    join4(homeDir, "Library", "pnpm"),
+    join4(homeDir, ".local", "share", "pnpm")
+  ]) {
+    values.add(extra);
+  }
+  return [...values].join(":");
+}
+function safeRealpath(realpath, path) {
+  try {
+    return realpath(path);
+  } catch {
+    return path;
+  }
+}
+function getPnpmGlobalCandidates(platform, homeDir) {
+  const candidates = /* @__PURE__ */ new Set();
+  if (platform === "darwin") {
+    candidates.add(join4(homeDir, "Library", "pnpm", "agentbnb"));
+  }
+  if (platform === "linux") {
+    candidates.add(join4(homeDir, ".local", "share", "pnpm", "agentbnb"));
+  }
+  candidates.add(join4(homeDir, "Library", "pnpm", "agentbnb"));
+  candidates.add(join4(homeDir, ".local", "share", "pnpm", "agentbnb"));
+  return [...candidates];
+}
+function looksLikeAgentbnbCli(path) {
+  const normalized = path.replace(/\\/g, "/").toLowerCase();
+  const fileName = basename(normalized);
+  if (fileName === "agentbnb" || fileName === "agentbnb.cmd" || fileName === "agentbnb.exe") {
+    return true;
+  }
+  return normalized.includes("/agentbnb/dist/cli/index.") || normalized.endsWith("/dist/cli/index.js") || normalized.endsWith("/dist/cli/index.mjs") || normalized.endsWith("/dist/cli/index.cjs");
+}
+function extractErrorMessage(err) {
+  if (err instanceof Error && err.message) return err.message;
+  return String(err);
+}
 // src/runtime/service-coordinator.ts
 import { spawn as spawn2 } from "child_process";
-import { createRequire } from "module";
-import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
-import { fileURLToPath as fileURLToPath2 } from "url";
-import { dirname as dirname3, join as join4, resolve } from "path";
-import { randomUUID as randomUUID7 } from "crypto";
+import { existsSync as existsSync6, readFileSync as readFileSync4 } from "fs";
+import { join as join5 } from "path";
+import { randomUUID as randomUUID8 } from "crypto";
 var ServiceCoordinator = class {
   config;
   guard;
@@ -5952,7 +6293,7 @@ var ServiceCoordinator = class {
     return {
       port: opts?.port ?? this.config.gateway_port,
       handlerUrl: opts?.handlerUrl ?? "http://localhost:8080",
-      skillsYamlPath: opts?.skillsYamlPath ?? join4(getConfigDir(), "skills.yaml"),
+      skillsYamlPath: opts?.skillsYamlPath ?? join5(getConfigDir(), "skills.yaml"),
       registryPort: opts?.registryPort ?? 7701,
       registryUrl: opts?.registryUrl ?? this.config.registry ?? "",
       relay: opts?.relay ?? true,
@@ -6035,10 +6376,10 @@ var ServiceCoordinator = class {
     }
     if (opts.registryUrl && opts.relay) {
       const { RelayClient: RelayClient2 } = await import("../../websocket-client-4Z5P54RU.js");
-      const { executeCapabilityRequest: executeCapabilityRequest2 } = await import("../../execute-EPE6MZLT.js");
+      const { executeCapabilityRequest: executeCapabilityRequest2 } = await import("../../execute-NNDCXTN4.js");
       const cards = listCards(this.runtime.registryDb, this.config.owner);
       const card = cards[0] ?? {
-        id: randomUUID7(),
+        id: randomUUID8(),
         owner: this.config.owner,
         name: this.config.owner,
         description: "Agent registered via CLI",
@@ -6142,7 +6483,8 @@ var ServiceCoordinator = class {
   spawnManagedProcess(opts) {
     const runtime = loadPersistedRuntime(getConfigDir());
     const nodeExec = resolveNodeExecutable(runtime);
-    const cliArgs = resolveCliLaunchArgs(this.buildServeArgs(opts));
+    const cliPath = resolveSelfCli();
+    const cliArgs = [cliPath, "serve", ...this.buildServeArgs(opts)];
     const child = spawn2(nodeExec, cliArgs, {
       detached: true,
       stdio: "ignore",
@@ -6303,8 +6645,8 @@ var ServiceCoordinator = class {
   };
 };
 function loadPersistedRuntime(configDir) {
-  const runtimePath = join4(configDir, "runtime.json");
-  if (!existsSync5(runtimePath)) return null;
+  const runtimePath = join5(configDir, "runtime.json");
+  if (!existsSync6(runtimePath)) return null;
   try {
     const raw = readFileSync4(runtimePath, "utf8");
     const parsed = JSON.parse(raw);
@@ -6328,28 +6670,6 @@ function resolveNodeExecutable(runtime) {
   }
   return process.execPath;
 }
-function resolveCliLaunchArgs(serveArgs) {
-  const require2 = createRequire(import.meta.url);
-  try {
-    const distCli2 = require2.resolve("agentbnb/dist/cli/index.js");
-    return [distCli2, "serve", ...serveArgs];
-  } catch {
-  }
-  const projectRoot = resolve(dirname3(fileURLToPath2(import.meta.url)), "..", "..");
-  const distCli = join4(projectRoot, "dist", "cli", "index.js");
-  if (existsSync5(distCli)) {
-    return [distCli, "serve", ...serveArgs];
-  }
-  const srcCli = join4(projectRoot, "src", "cli", "index.ts");
-  if (existsSync5(srcCli)) {
-    const tsxCli = require2.resolve("tsx/dist/cli.mjs");
-    return [tsxCli, srcCli, "serve", ...serveArgs];
-  }
-  throw new AgentBnBError(
-    "Unable to locate AgentBnB CLI entry (dist/cli/index.js or src/cli/index.ts)",
-    "CLI_ENTRY_NOT_FOUND"
-  );
-}
 function isPidAlive(pid) {
   if (!Number.isInteger(pid) || pid <= 0) return false;
   try {
@@ -6365,11 +6685,11 @@ function sleep2(ms) {
 }
 // src/app/agentbnb-service.ts
-import { randomUUID as randomUUID9 } from "crypto";
+import { randomUUID as randomUUID10 } from "crypto";
 // src/credit/escrow-receipt.ts
 import { z as z8 } from "zod";
-import { randomUUID as randomUUID8 } from "crypto";
+import { randomUUID as randomUUID9 } from "crypto";
 var EscrowReceiptSchema = z8.object({
   requester_owner: z8.string().min(1),
   requester_agent_id: z8.string().optional(),
@@ -6391,7 +6711,7 @@ function createSignedEscrowReceipt(db, privateKey, publicKey, opts) {
     card_id: opts.cardId,
     ...opts.skillId ? { skill_id: opts.skillId } : {},
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    nonce: randomUUID8()
+    nonce: randomUUID9()
   };
   const signature = signEscrowReceipt(receiptData, privateKey);
   const receipt = {
@@ -6458,7 +6778,7 @@ var AgentBnBService = class {
     const creditDb = openCreditDb(this.config.credit_db_path);
     creditDb.pragma("busy_timeout = 5000");
     try {
-      const keys = this.getOrCreateKeyPair();
+      const { keys } = loadOrRepairIdentity(getConfigDir(), this.config.owner);
       const { escrowId, receipt } = createSignedEscrowReceipt(
         creditDb,
         keys.privateKey,
@@ -6633,13 +6953,13 @@ var AgentBnBService = class {
     if (!this.config.registry) {
       throw new AgentBnBError("Registry is required for relay fallback.", "RELAY_NOT_AVAILABLE");
     }
-    const requesterId = `${this.config.owner}:req:${randomUUID9()}`;
+    const requesterId = `${this.config.owner}:req:${randomUUID10()}`;
     const tempRelay = new RelayClient({
       registryUrl: this.config.registry,
       owner: requesterId,
       token: this.config.token,
       card: {
-        id: randomUUID9(),
+        id: randomUUID10(),
         owner: requesterId,
         name: requesterId,
         description: "Requester",
@@ -6667,20 +6987,9 @@ var AgentBnBService = class {
       tempRelay.disconnect();
     }
   }
-  getOrCreateKeyPair() {
-    const configDir = getConfigDir();
-    try {
-      return loadKeyPair(configDir);
-    } catch {
-      const keys = generateKeyPair();
-      saveKeyPair(configDir, keys);
-      return keys;
-    }
-  }
   loadIdentityAuth() {
     const configDir = getConfigDir();
-    const identity = ensureIdentity(configDir, this.config.owner);
-    const keys = this.getOrCreateKeyPair();
+    const { identity, keys } = loadOrRepairIdentity(configDir, this.config.owner);
     return {
       agentId: identity.agent_id,
       publicKey: identity.public_key,
@@ -6748,9 +7057,9 @@ function isNetworkError(err) {
 }
 // skills/agentbnb/openclaw-tools.ts
-import { readFileSync as readFileSync5, existsSync as existsSync6 } from "fs";
-import { join as join5 } from "path";
-import { homedir as homedir2 } from "os";
+import { readFileSync as readFileSync5, existsSync as existsSync7 } from "fs";
+import { join as join6 } from "path";
+import { homedir as homedir3 } from "os";
 // src/mcp/tools/discover.ts
 import { z as z9 } from "zod";
@@ -6870,12 +7179,23 @@ async function handleRequest(args, ctx) {
       } finally {
         db.close();
       }
+      let identityAuth;
+      try {
+        const keys = loadKeyPair(ctx.configDir);
+        identityAuth = {
+          agentId: ctx.identity.agent_id,
+          publicKey: ctx.identity.public_key,
+          privateKey: keys.privateKey
+        };
+      } catch {
+      }
       if (localCard && localCard.owner === ctx.config.owner) {
         const result = await requestCapability({
           gatewayUrl: ctx.config.gateway_url,
           token: ctx.config.token,
           cardId,
-          params: { ...args.params ?? {}, ...args.skill_id ? { skill_id: args.skill_id } : {}, requester: ctx.config.owner }
+          params: { ...args.params ?? {}, ...args.skill_id ? { skill_id: args.skill_id } : {}, requester: ctx.config.owner },
+          identity: identityAuth
         });
         return {
           content: [{ type: "text", text: JSON.stringify({ success: true, result }, null, 2) }]
@@ -6905,28 +7225,16 @@ async function handleRequest(args, ctx) {
       const targetOwner = remoteCard["owner"] ?? remoteCard["agent_name"];
       const gatewayUrl = remoteCard["gateway_url"];
       if (gatewayUrl) {
-        const keys = loadKeyPair(ctx.configDir);
-        const ledger = createLedger({
-          registryUrl: ctx.config.registry,
-          ownerPublicKey: ctx.identity.public_key,
-          privateKey: keys.privateKey
+        const result = await requestCapability({
+          gatewayUrl,
+          token: "",
+          cardId,
+          params: { ...args.params ?? {}, ...args.skill_id ? { skill_id: args.skill_id } : {}, requester: ctx.config.owner },
+          identity: identityAuth
         });
-        const { escrowId } = await ledger.hold(ctx.config.owner, maxCost, cardId);
-        try {
-          const result = await requestCapability({
-            gatewayUrl,
-            token: "",
-            cardId,
-            params: { ...args.params ?? {}, ...args.skill_id ? { skill_id: args.skill_id } : {}, requester: ctx.config.owner }
-          });
-          await ledger.settle(escrowId, targetOwner ?? "unknown");
-          return {
-            content: [{ type: "text", text: JSON.stringify({ success: true, result, credits_spent: maxCost }, null, 2) }]
-          };
-        } catch (err) {
-          await ledger.release(escrowId);
-          throw err;
-        }
+        return {
+          content: [{ type: "text", text: JSON.stringify({ success: true, result }, null, 2) }]
+        };
       }
       if (targetOwner) {
         const relay = new RelayClient({
@@ -7257,19 +7565,19 @@ async function handlePublish(args, ctx) {
 var contextCache = /* @__PURE__ */ new Map();
 function resolveConfigDir(toolCtx) {
   if (toolCtx.agentDir) {
-    return toolCtx.agentDir.endsWith(".agentbnb") ? toolCtx.agentDir : join5(toolCtx.agentDir, ".agentbnb");
+    return toolCtx.agentDir.endsWith(".agentbnb") ? toolCtx.agentDir : join6(toolCtx.agentDir, ".agentbnb");
   }
   if (toolCtx.workspaceDir) {
-    return join5(toolCtx.workspaceDir, ".agentbnb");
+    return join6(toolCtx.workspaceDir, ".agentbnb");
   }
-  return join5(homedir2(), ".agentbnb");
+  return join6(homedir3(), ".agentbnb");
 }
 function buildMcpContext(toolCtx) {
   const configDir = resolveConfigDir(toolCtx);
   const cached = contextCache.get(configDir);
   if (cached) return cached;
-  const configPath = join5(configDir, "config.json");
-  if (!existsSync6(configPath)) {
+  const configPath = join6(configDir, "config.json");
+  if (!existsSync7(configPath)) {
     throw new Error(
       `AgentBnB not initialized at ${configDir}. Run \`agentbnb init\` or activate the plugin first.`
     );
@@ -7434,23 +7742,23 @@ function resolveWorkspaceDir() {
   if (process.env["AGENTBNB_DIR"]) {
     return process.env["AGENTBNB_DIR"];
   }
-  const openclawAgentsDir = join6(homedir3(), ".openclaw", "agents");
+  const openclawAgentsDir = join7(homedir4(), ".openclaw", "agents");
   const cwd = process.cwd();
   if (cwd.startsWith(openclawAgentsDir + "/")) {
     const relative = cwd.slice(openclawAgentsDir.length + 1);
     const agentName = relative.split("/")[0];
-    return join6(openclawAgentsDir, agentName, ".agentbnb");
+    return join7(openclawAgentsDir, agentName, ".agentbnb");
   }
-  return join6(homedir3(), ".agentbnb");
+  return join7(homedir4(), ".agentbnb");
 }
 function registerDecomposerCard(configDir, owner) {
   try {
-    const db = openDatabase(join6(configDir, "registry.db"));
+    const db = openDatabase(join7(configDir, "registry.db"));
     const existing = db.prepare(
       "SELECT id FROM capability_cards WHERE owner = ? AND json_extract(data, '$.capability_type') = ?"
     ).get(owner, "task_decomposition");
     if (existing) return;
-    const cardId = randomUUID10();
+    const cardId = randomUUID11();
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const card = {
       spec_version: "2.0",
@@ -7503,37 +7811,40 @@ function registerDecomposerCard(configDir, owner) {
   }
 }
 function findCli() {
-  const result = spawnSync("which", ["agentbnb"], { encoding: "utf-8", stdio: "pipe" });
-  if (result.status === 0 && result.stdout.trim()) {
-    return result.stdout.trim();
+  try {
+    return resolveSelfCli();
+  } catch {
+    return null;
   }
-  return null;
 }
 async function runCommand(cmd, env) {
   return execAsync(cmd, { env });
 }
 function deriveAgentName(configDir) {
-  const parent = basename(dirname4(configDir));
-  if (parent && parent !== "." && parent !== ".agentbnb" && parent !== homedir3().split("/").pop()) {
+  const parent = basename2(dirname3(configDir));
+  if (parent && parent !== "." && parent !== ".agentbnb" && parent !== homedir4().split("/").pop()) {
     return parent;
   }
-  return `agent-${randomUUID10().slice(0, 8)}`;
+  return `agent-${randomUUID11().slice(0, 8)}`;
 }
-var defaultDeps = { findCli, runCommand };
+var defaultDeps = { resolveSelfCli, runCommand };
 async function autoOnboard(configDir, deps = defaultDeps) {
   process.stderr.write("[agentbnb] First-time setup: initializing agent identity...\n");
-  const cliPath = deps.findCli();
-  if (!cliPath) {
+  let cliPath;
+  try {
+    cliPath = deps.resolveSelfCli();
+  } catch {
     process.stderr.write("[agentbnb] CLI not found. Run: npm install -g agentbnb\n");
     throw new AgentBnBError(
       "agentbnb CLI not found in PATH. Install with: npm install -g agentbnb",
       "INIT_FAILED"
     );
   }
+  const quotedCliPath = quoteShellArg(cliPath);
   const env = { ...process.env, AGENTBNB_DIR: configDir };
   const agentName = deriveAgentName(configDir);
   try {
-    await deps.runCommand(`agentbnb init --owner "${agentName}" --yes --no-detect`, env);
+    await deps.runCommand(`${quotedCliPath} init --owner "${agentName}" --yes --no-detect`, env);
     process.stderr.write(`[agentbnb] Agent "${agentName}" initialized.
 `);
   } catch (err) {
@@ -7541,7 +7852,7 @@ async function autoOnboard(configDir, deps = defaultDeps) {
     throw new AgentBnBError(`Auto-init failed: ${msg}`, "INIT_FAILED");
   }
   try {
-    await deps.runCommand("agentbnb openclaw sync", env);
+    await deps.runCommand(`${quotedCliPath} openclaw sync`, env);
     process.stderr.write("[agentbnb] Capabilities published from SOUL.md.\n");
   } catch {
     process.stderr.write("[agentbnb] Note: openclaw sync skipped (SOUL.md may not exist yet).\n");
@@ -7553,6 +7864,9 @@ async function autoOnboard(configDir, deps = defaultDeps) {
   process.stderr.write("[agentbnb] Agent initialized and published to AgentBnB network.\n");
   return config;
 }
+function quoteShellArg(input) {
+  return `'${input.replace(/'/g, `'\\''`)}'`;
+}
 async function activate(config = {}, _onboardDeps) {
   if (config.agentDir) {
     process.env["AGENTBNB_DIR"] = config.agentDir;
@@ -7561,7 +7875,7 @@ async function activate(config = {}, _onboardDeps) {
 `
     );
   } else if (config.workspaceDir) {
-    const derived = join6(config.workspaceDir, ".agentbnb");
+    const derived = join7(config.workspaceDir, ".agentbnb");
     process.env["AGENTBNB_DIR"] = derived;
     process.stderr.write(
       `[agentbnb] AGENTBNB_DIR derived from config.workspaceDir: ${derived}
@@ -7590,7 +7904,7 @@ async function activate(config = {}, _onboardDeps) {
     `[agentbnb] activate: owner=${agentConfig.owner} config=${configDir}/config.json
 `
   );
-  const guard = new ProcessGuard(join6(configDir, ".pid"));
+  const guard = new ProcessGuard(join7(configDir, ".pid"));
   const coordinator = new ServiceCoordinator(agentConfig, guard);
   const service = new AgentBnBService(coordinator, agentConfig);
   const opts = {