clawdbot 2026.1.4 → 2026.1.5

package/dist/auto-reply/reply/commands.js

@@ -11,7 +11,7 @@ import { buildStatusMessage } from "../status.js";
 import { isAbortTrigger, setAbortMemory } from "./abort.js";
 import { stripMentions } from "./mentions.js";
 export function buildCommandContext(params) {
-    const { ctx, cfg, sessionKey, isGroup, triggerBodyNormalized } = params;
+    const { ctx, cfg, sessionKey, isGroup, triggerBodyNormalized, commandAuthorized, } = params;
     const surface = (ctx.Surface ?? "").trim().toLowerCase();
     const isWhatsAppSurface = surface === "whatsapp" ||
         (ctx.From ?? "").startsWith("whatsapp:") ||
@@ -21,35 +21,35 @@ export function buildCommandContext(params) {
         : undefined;
     const from = (ctx.From ?? "").replace(/^whatsapp:/, "");
     const to = (ctx.To ?? "").replace(/^whatsapp:/, "");
-    const defaultAllowFrom = isWhatsAppSurface &&
-        (!configuredAllowFrom || configuredAllowFrom.length === 0) &&
-        to
-        ? [to]
-        : undefined;
-    const allowFrom = configuredAllowFrom && configuredAllowFrom.length > 0
-        ? configuredAllowFrom
-        : defaultAllowFrom;
+    const allowFromList = configuredAllowFrom?.filter((entry) => entry?.trim()) ?? [];
+    const allowAll = !isWhatsAppSurface ||
+        allowFromList.length === 0 ||
+        allowFromList.some((entry) => entry.trim() === "*");
     const abortKey = sessionKey ?? (from || undefined) ?? (to || undefined);
     const rawBodyNormalized = triggerBodyNormalized;
     const commandBodyNormalized = isGroup
         ? stripMentions(rawBodyNormalized, ctx, cfg)
         : rawBodyNormalized;
     const senderE164 = normalizeE164(ctx.SenderE164 ?? "");
-    const ownerCandidates = isWhatsAppSurface
-        ? (allowFrom ?? []).filter((entry) => entry && entry !== "*")
+    const ownerCandidates = isWhatsAppSurface && !allowAll
+        ? allowFromList.filter((entry) => entry !== "*")
         : [];
-    if (isWhatsAppSurface && ownerCandidates.length === 0 && to) {
+    if (isWhatsAppSurface && !allowAll && ownerCandidates.length === 0 && to) {
         ownerCandidates.push(to);
     }
     const ownerList = ownerCandidates
         .map((entry) => normalizeE164(entry))
         .filter((entry) => Boolean(entry));
-    const isOwnerSender = Boolean(senderE164) && ownerList.includes(senderE164 ?? "");
+    const isOwner = !isWhatsAppSurface ||
+        allowAll ||
+        ownerList.length === 0 ||
+        (senderE164 ? ownerList.includes(senderE164) : false);
+    const isAuthorizedSender = commandAuthorized && isOwner;
     return {
         surface,
         isWhatsAppSurface,
         ownerList,
-        isOwnerSender,
+        isAuthorizedSender,
         senderE164: senderE164 || undefined,
         abortKey,
         rawBodyNormalized,
@@ -59,7 +59,7 @@ export function buildCommandContext(params) {
     };
 }
 export async function handleCommands(params) {
-    const { cfg, command, sessionEntry, sessionStore, sessionKey, storePath, sessionScope, workspaceDir, defaultGroupActivation, resolvedThinkLevel, resolvedVerboseLevel, resolveDefaultThinkingLevel, model, contextTokens, isGroup, } = params;
+    const { cfg, command, directives, sessionEntry, sessionStore, sessionKey, storePath, sessionScope, workspaceDir, defaultGroupActivation, resolvedThinkLevel, resolvedVerboseLevel, resolveDefaultThinkingLevel, model, contextTokens, isGroup, } = params;
     const activationCommand = parseActivationCommand(command.commandBodyNormalized);
     const sendPolicyCommand = parseSendPolicyCommand(command.commandBodyNormalized);
     if (activationCommand.hasCommand) {
@@ -69,8 +69,17 @@ export async function handleCommands(params) {
                 reply: { text: "⚙️ Group activation only applies to group chats." },
             };
         }
-        if (!command.isOwnerSender) {
-            logVerbose(`Ignoring /activation from non-owner in group: ${command.senderE164 || "<unknown>"}`);
+        const activationOwnerList = command.ownerList;
+        const activationSenderE164 = command.senderE164
+            ? normalizeE164(command.senderE164)
+            : "";
+        const isActivationOwner = !command.isWhatsAppSurface || activationOwnerList.length === 0
+            ? command.isAuthorizedSender
+            : Boolean(activationSenderE164) &&
+                activationOwnerList.includes(activationSenderE164);
+        if (!command.isAuthorizedSender ||
+            (command.isWhatsAppSurface && !isActivationOwner)) {
+            logVerbose(`Ignoring /activation from unauthorized sender in group: ${command.senderE164 || "<unknown>"}`);
             return { shouldContinue: false };
         }
         if (!activationCommand.mode) {
@@ -94,8 +103,8 @@ export async function handleCommands(params) {
         };
     }
     if (sendPolicyCommand.hasCommand) {
-        if (!command.isOwnerSender) {
-            logVerbose(`Ignoring /send from non-owner: ${command.senderE164 || "<unknown>"}`);
+        if (!command.isAuthorizedSender) {
+            logVerbose(`Ignoring /send from unauthorized sender: ${command.senderE164 || "<unknown>"}`);
             return { shouldContinue: false };
         }
         if (!sendPolicyCommand.mode) {
@@ -130,8 +139,8 @@ export async function handleCommands(params) {
     if (command.commandBodyNormalized === "/restart" ||
         command.commandBodyNormalized === "restart" ||
         command.commandBodyNormalized.startsWith("/restart ")) {
-        if (isGroup && !command.isOwnerSender) {
-            logVerbose(`Ignoring /restart from non-owner in group: ${command.senderE164 || "<unknown>"}`);
+        if (!command.isAuthorizedSender) {
+            logVerbose(`Ignoring /restart from unauthorized sender: ${command.senderE164 || "<unknown>"}`);
             return { shouldContinue: false };
         }
         const restartMethod = triggerClawdbotRestart();
@@ -142,11 +151,13 @@ export async function handleCommands(params) {
             },
         };
     }
-    if (command.commandBodyNormalized === "/status" ||
+    const statusRequested = directives.hasStatusDirective ||
+        command.commandBodyNormalized === "/status" ||
         command.commandBodyNormalized === "status" ||
-        command.commandBodyNormalized.startsWith("/status ")) {
-        if (isGroup && !command.isOwnerSender) {
-            logVerbose(`Ignoring /status from non-owner in group: ${command.senderE164 || "<unknown>"}`);
+        command.commandBodyNormalized.startsWith("/status ");
+    if (statusRequested) {
+        if (!command.isAuthorizedSender) {
+            logVerbose(`Ignoring /status from unauthorized sender: ${command.senderE164 || "<unknown>"}`);
             return { shouldContinue: false };
         }
         const webLinked = await webAuthExists();

package/dist/auto-reply/reply/directive-handling.js

@@ -4,7 +4,7 @@ import { buildModelAliasIndex, modelKey, resolveConfiguredModelRef, resolveModel
 import { saveSessionStore } from "../../config/sessions.js";
 import { enqueueSystemEvent } from "../../infra/system-events.js";
 import { extractModelDirective } from "../model.js";
-import { extractElevatedDirective, extractThinkDirective, extractVerboseDirective, } from "./directives.js";
+import { extractElevatedDirective, extractStatusDirective, extractThinkDirective, extractVerboseDirective, } from "./directives.js";
 import { stripMentions, stripStructuralPrefixes } from "./mentions.js";
 import { resolveModelDirectiveSelection, } from "./model-selection.js";
 import { extractQueueDirective, } from "./queue.js";
@@ -13,7 +13,8 @@ export function parseInlineDirectives(body) {
     const { cleaned: thinkCleaned, thinkLevel, rawLevel: rawThinkLevel, hasDirective: hasThinkDirective, } = extractThinkDirective(body);
     const { cleaned: verboseCleaned, verboseLevel, rawLevel: rawVerboseLevel, hasDirective: hasVerboseDirective, } = extractVerboseDirective(thinkCleaned);
     const { cleaned: elevatedCleaned, elevatedLevel, rawLevel: rawElevatedLevel, hasDirective: hasElevatedDirective, } = extractElevatedDirective(verboseCleaned);
-    const { cleaned: modelCleaned, rawModel, hasDirective: hasModelDirective, } = extractModelDirective(elevatedCleaned);
+    const { cleaned: statusCleaned, hasDirective: hasStatusDirective } = extractStatusDirective(elevatedCleaned);
+    const { cleaned: modelCleaned, rawModel, hasDirective: hasModelDirective, } = extractModelDirective(statusCleaned);
     const { cleaned: queueCleaned, queueMode, queueReset, rawMode, debounceMs, cap, dropPolicy, rawDebounce, rawCap, rawDrop, hasDirective: hasQueueDirective, hasOptions: hasQueueOptions, } = extractQueueDirective(modelCleaned);
     return {
         cleaned: queueCleaned,
@@ -26,6 +27,7 @@ export function parseInlineDirectives(body) {
         hasElevatedDirective,
         elevatedLevel,
         rawElevatedLevel,
+        hasStatusDirective,
         hasModelDirective,
         rawModelDirective: rawModel,
         hasQueueDirective,

package/dist/auto-reply/reply/directives.js

@@ -45,3 +45,15 @@ export function extractElevatedDirective(body) {
         hasDirective: !!match,
     };
 }
+export function extractStatusDirective(body) {
+    if (!body)
+        return { cleaned: "", hasDirective: false };
+    const match = body.match(/(?:^|\s)\/status(?=$|\s|:)\b/i);
+    const cleaned = match
+        ? body.replace(match[0], "").replace(/\s+/g, " ").trim()
+        : body.trim();
+    return {
+        cleaned,
+        hasDirective: !!match,
+    };
+}

package/dist/auto-reply/reply/session-updates.js

@@ -4,8 +4,6 @@ import { saveSessionStore } from "../../config/sessions.js";
 import { buildProviderSummary } from "../../infra/provider-summary.js";
 import { drainSystemEvents } from "../../infra/system-events.js";
 export async function prependSystemEvents(params) {
-    if (!params.isMainSession)
-        return params.prefixedBodyBase;
     const compactSystemEvent = (line) => {
         const trimmed = line.trim();
         if (!trimmed)
@@ -21,9 +19,9 @@ export async function prependSystemEvents(params) {
         return trimmed;
     };
     const systemLines = [];
-    const queued = drainSystemEvents();
+    const queued = drainSystemEvents(params.sessionKey);
     systemLines.push(...queued.map(compactSystemEvent).filter((v) => Boolean(v)));
-    if (params.isNewSession) {
+    if (params.isMainSession && params.isNewSession) {
         const summary = await buildProviderSummary(params.cfg);
         if (summary.length > 0)
             systemLines.unshift(...summary);

package/dist/auto-reply/reply.js

@@ -7,6 +7,7 @@ import { resolveSessionTranscriptPath } from "../config/sessions.js";
 import { logVerbose } from "../globals.js";
 import { clearCommandLane, getQueueSize } from "../process/command-queue.js";
 import { defaultRuntime } from "../runtime.js";
+import { hasControlCommand } from "./command-detection.js";
 import { getAbortMemory } from "./reply/abort.js";
 import { runReplyAgent } from "./reply/agent-runner.js";
 import { resolveBlockStreamingChunking } from "./reply/block-streaming.js";
@@ -171,9 +172,22 @@ export async function getReplyFromConfig(ctx, opts, configOverride) {
     }
     const sessionState = await initSessionState({ ctx, cfg });
     let { sessionCtx, sessionEntry, sessionStore, sessionKey, sessionId, isNewSession, systemSent, abortedLastRun, storePath, sessionScope, groupResolution, isGroup, triggerBodyNormalized, } = sessionState;
-    const directives = parseInlineDirectives(sessionCtx.BodyStripped ?? sessionCtx.Body ?? "");
-    sessionCtx.Body = directives.cleaned;
-    sessionCtx.BodyStripped = directives.cleaned;
+    const rawBody = sessionCtx.BodyStripped ?? sessionCtx.Body ?? "";
+    const commandAuthorized = ctx.CommandAuthorized ?? true;
+    const parsedDirectives = parseInlineDirectives(rawBody);
+    const directives = commandAuthorized
+        ? parsedDirectives
+        : {
+            ...parsedDirectives,
+            hasThinkDirective: false,
+            hasVerboseDirective: false,
+            hasStatusDirective: false,
+            hasModelDirective: false,
+            hasQueueDirective: false,
+            queueReset: false,
+        };
+    sessionCtx.Body = parsedDirectives.cleaned;
+    sessionCtx.BodyStripped = parsedDirectives.cleaned;
     const surfaceKey = sessionCtx.Surface?.trim().toLowerCase() ??
         ctx.Surface?.trim().toLowerCase() ??
         "";
@@ -314,6 +328,7 @@ export async function getReplyFromConfig(ctx, opts, configOverride) {
         sessionKey,
         isGroup,
         triggerBodyNormalized,
+        commandAuthorized,
     });
     const isEmptyConfig = Object.keys(cfg).length === 0;
     if (command.isWhatsAppSurface &&
@@ -331,6 +346,7 @@ export async function getReplyFromConfig(ctx, opts, configOverride) {
         ctx,
         cfg,
         command,
+        directives,
         sessionEntry,
         sessionStore,
         sessionKey,
@@ -353,7 +369,8 @@ export async function getReplyFromConfig(ctx, opts, configOverride) {
     const isFirstTurnInSession = isNewSession || !systemSent;
     const isGroupChat = sessionCtx.ChatType === "group";
     const wasMentioned = ctx.WasMentioned === true;
-    const shouldEagerType = !isGroupChat || wasMentioned;
+    const isHeartbeat = opts?.isHeartbeat === true;
+    const shouldEagerType = (!isGroupChat || wasMentioned) && !isHeartbeat;
     const shouldInjectGroupIntro = Boolean(isGroupChat &&
         (isFirstTurnInSession || sessionEntry?.groupActivationNeedsSystemIntro));
     const groupIntro = shouldInjectGroupIntro
@@ -367,6 +384,10 @@ export async function getReplyFromConfig(ctx, opts, configOverride) {
     const baseBody = sessionCtx.BodyStripped ?? sessionCtx.Body ?? "";
     const rawBodyTrimmed = (ctx.Body ?? "").trim();
     const baseBodyTrimmedRaw = baseBody.trim();
+    if (!commandAuthorized && !baseBodyTrimmedRaw && hasControlCommand(rawBody)) {
+        typing.cleanup();
+        return undefined;
+    }
     const isBareSessionReset = isNewSession &&
         baseBodyTrimmedRaw.length === 0 &&
         rawBodyTrimmed.length > 0;
@@ -396,6 +417,7 @@ export async function getReplyFromConfig(ctx, opts, configOverride) {
     const isMainSession = !isGroupSession && sessionKey === (sessionCfg?.mainKey ?? "main");
     prefixedBodyBase = await prependSystemEvents({
         cfg,
+        sessionKey,
         isMainSession,
         isNewSession,
         prefixedBodyBase,

package/dist/browser/config.js

@@ -1,3 +1,4 @@
+import { deriveDefaultBrowserCdpPortRange, deriveDefaultBrowserControlPort, } from "../config/port-defaults.js";
 import { DEFAULT_CLAWD_BROWSER_COLOR, DEFAULT_CLAWD_BROWSER_CONTROL_URL, DEFAULT_CLAWD_BROWSER_ENABLED, DEFAULT_CLAWD_BROWSER_PROFILE_NAME, } from "./constants.js";
 import { CDP_PORT_RANGE_START } from "./profiles.js";
 function isLoopbackHost(host) {
@@ -43,11 +44,11 @@ export function parseHttpUrl(raw, label) {
  * Ensure the default "clawd" profile exists in the profiles map.
  * Auto-creates it with the legacy CDP port (from browser.cdpUrl) or first port if missing.
  */
-function ensureDefaultProfile(profiles, defaultColor, legacyCdpPort) {
+function ensureDefaultProfile(profiles, defaultColor, legacyCdpPort, derivedDefaultCdpPort) {
     const result = { ...profiles };
     if (!result[DEFAULT_CLAWD_BROWSER_PROFILE_NAME]) {
         result[DEFAULT_CLAWD_BROWSER_PROFILE_NAME] = {
-            cdpPort: legacyCdpPort ?? CDP_PORT_RANGE_START,
+            cdpPort: legacyCdpPort ?? derivedDefaultCdpPort ?? CDP_PORT_RANGE_START,
             color: defaultColor,
         };
     }
@@ -55,9 +56,26 @@ function ensureDefaultProfile(profiles, defaultColor, legacyCdpPort) {
 }
 export function resolveBrowserConfig(cfg) {
     const enabled = cfg?.enabled ?? DEFAULT_CLAWD_BROWSER_ENABLED;
-    const controlInfo = parseHttpUrl(cfg?.controlUrl ?? DEFAULT_CLAWD_BROWSER_CONTROL_URL, "browser.controlUrl");
+    const envControlUrl = process.env.CLAWDBOT_BROWSER_CONTROL_URL?.trim();
+    const derivedControlPort = (() => {
+        const raw = process.env.CLAWDBOT_GATEWAY_PORT?.trim();
+        if (!raw)
+            return null;
+        const gatewayPort = Number.parseInt(raw, 10);
+        if (!Number.isFinite(gatewayPort) || gatewayPort <= 0)
+            return null;
+        return deriveDefaultBrowserControlPort(gatewayPort);
+    })();
+    const derivedControlUrl = derivedControlPort
+        ? `http://127.0.0.1:${derivedControlPort}`
+        : null;
+    const controlInfo = parseHttpUrl(cfg?.controlUrl ??
+        envControlUrl ??
+        derivedControlUrl ??
+        DEFAULT_CLAWD_BROWSER_CONTROL_URL, "browser.controlUrl");
     const controlPort = controlInfo.port;
     const defaultColor = normalizeHexColor(cfg?.color);
+    const derivedCdpRange = deriveDefaultBrowserCdpPortRange(controlPort);
     const rawCdpUrl = (cfg?.cdpUrl ?? "").trim();
     let cdpInfo;
     if (rawCdpUrl) {
@@ -83,7 +101,7 @@ export function resolveBrowserConfig(cfg) {
     const defaultProfile = cfg?.defaultProfile ?? DEFAULT_CLAWD_BROWSER_PROFILE_NAME;
     // Use legacy cdpUrl port for backward compatibility when no profiles configured
     const legacyCdpPort = rawCdpUrl ? cdpInfo.port : undefined;
-    const profiles = ensureDefaultProfile(cfg?.profiles, defaultColor, legacyCdpPort);
+    const profiles = ensureDefaultProfile(cfg?.profiles, defaultColor, legacyCdpPort, derivedCdpRange.start);
     const cdpProtocol = cdpInfo.parsed.protocol === "https:" ? "https" : "http";
     return {
         enabled,

package/dist/browser/profiles-service.js

@@ -1,6 +1,7 @@
 import fs from "node:fs";
 import path from "node:path";
 import { loadConfig, writeConfigFile } from "../config/config.js";
+import { deriveDefaultBrowserCdpPortRange } from "../config/port-defaults.js";
 import { resolveClawdUserDataDir } from "./chrome.js";
 import { parseHttpUrl, resolveProfile } from "./config.js";
 import { allocateCdpPort, allocateColor, getUsedColors, getUsedPorts, isValidProfileName, } from "./profiles.js";
@@ -37,7 +38,8 @@ export function createBrowserProfilesService(ctx) {
         }
         else {
             const usedPorts = getUsedPorts(resolvedProfiles);
-            const cdpPort = allocateCdpPort(usedPorts);
+            const range = deriveDefaultBrowserCdpPortRange(state.resolved.controlPort);
+            const cdpPort = allocateCdpPort(usedPorts, range);
             if (cdpPort === null) {
                 throw new Error("no available CDP ports in range");
             }

package/dist/browser/profiles.js

@@ -1,8 +1,9 @@
 /**
  * CDP port allocation for browser profiles.
  *
- * Port range: 18800-18899 (100 profiles max)
+ * Default port range: 18800-18899 (100 profiles max)
  * Ports are allocated once at profile creation and persisted in config.
+ * Multi-instance: callers may pass an explicit range to avoid collisions.
  *
  * Reserved ports (do not use for CDP):
  *   18789 - Gateway WebSocket
@@ -18,8 +19,18 @@ export function isValidProfileName(name) {
         return false;
     return PROFILE_NAME_REGEX.test(name);
 }
-export function allocateCdpPort(usedPorts) {
-    for (let port = CDP_PORT_RANGE_START; port <= CDP_PORT_RANGE_END; port++) {
+export function allocateCdpPort(usedPorts, range) {
+    const start = range?.start ?? CDP_PORT_RANGE_START;
+    const end = range?.end ?? CDP_PORT_RANGE_END;
+    if (!Number.isFinite(start) ||
+        !Number.isFinite(end) ||
+        start <= 0 ||
+        end <= 0) {
+        return null;
+    }
+    if (start > end)
+        return null;
+    for (let port = start; port <= end; port++) {
         if (!usedPorts.has(port))
             return port;
     }

package/dist/canvas-host/a2ui/.bundle.hash

@@ -1 +1,3 @@
+68f18193053997f3dee16de6b0be0bcd97dc70ff8200c77f687479e8b19b78e1
+||||||| Stash base
 7daf1cbf58ef395b74c2690c439ac7b3cb536e8eb124baf72ad41da4f542204d

package/dist/cli/gateway-cli.js

@@ -113,7 +113,7 @@ export function registerGatewayCli(program) {
     program
         .command("gateway-daemon")
         .description("Run the WebSocket Gateway as a long-lived daemon")
-        .option("--port <port>", "Port for the gateway WebSocket", "18789")
+        .option("--port <port>", "Port for the gateway WebSocket")
         .option("--bind <mode>", 'Bind mode ("loopback"|"tailnet"|"lan"|"auto"). Defaults to config gateway.bind (or loopback).')
         .option("--token <token>", "Shared token required in connect.params.auth.token (default: CLAWDBOT_GATEWAY_TOKEN env if set)")
         .option("--auth <mode>", 'Gateway auth mode ("token"|"password")')
@@ -222,7 +222,7 @@ export function registerGatewayCli(program) {
     const gateway = program
         .command("gateway")
         .description("Run the WebSocket Gateway")
-        .option("--port <port>", "Port for the gateway WebSocket", "18789")
+        .option("--port <port>", "Port for the gateway WebSocket")
         .option("--bind <mode>", 'Bind mode ("loopback"|"tailnet"|"lan"|"auto"). Defaults to config gateway.bind (or loopback).')
         .option("--token <token>", "Shared token required in connect.params.auth.token (default: CLAWDBOT_GATEWAY_TOKEN env if set)")
         .option("--auth <mode>", 'Gateway auth mode ("token"|"password")')

package/dist/cli/profile.js

@@ -0,0 +1,81 @@
+import os from "node:os";
+import path from "node:path";
+function takeValue(raw, next) {
+    if (raw.includes("=")) {
+        const [, value] = raw.split("=", 2);
+        const trimmed = (value ?? "").trim();
+        return { value: trimmed || null, consumedNext: false };
+    }
+    const trimmed = (next ?? "").trim();
+    return { value: trimmed || null, consumedNext: Boolean(next) };
+}
+function isValidProfileName(value) {
+    if (!value)
+        return false;
+    // Keep it path-safe + shell-friendly.
+    return /^[a-z0-9][a-z0-9_-]{0,63}$/i.test(value);
+}
+export function parseCliProfileArgs(argv) {
+    if (argv.length < 2)
+        return { ok: true, profile: null, argv };
+    const out = argv.slice(0, 2);
+    let profile = null;
+    let sawDev = false;
+    const args = argv.slice(2);
+    for (let i = 0; i < args.length; i += 1) {
+        const arg = args[i];
+        if (arg === undefined)
+            continue;
+        if (arg === "--dev") {
+            if (profile && profile !== "dev") {
+                return { ok: false, error: "Cannot combine --dev with --profile" };
+            }
+            sawDev = true;
+            profile = "dev";
+            continue;
+        }
+        if (arg === "--profile" || arg.startsWith("--profile=")) {
+            if (sawDev) {
+                return { ok: false, error: "Cannot combine --dev with --profile" };
+            }
+            const next = args[i + 1];
+            const { value, consumedNext } = takeValue(arg, next);
+            if (consumedNext)
+                i += 1;
+            if (!value)
+                return { ok: false, error: "--profile requires a value" };
+            if (!isValidProfileName(value)) {
+                return {
+                    ok: false,
+                    error: 'Invalid --profile (use letters, numbers, "_", "-" only)',
+                };
+            }
+            profile = value;
+            continue;
+        }
+        out.push(arg);
+    }
+    return { ok: true, profile, argv: out };
+}
+function resolveProfileStateDir(profile, homedir) {
+    const suffix = profile.toLowerCase() === "default" ? "" : `-${profile}`;
+    return path.join(homedir(), `.clawdbot${suffix}`);
+}
+export function applyCliProfileEnv(params) {
+    const env = params.env ?? process.env;
+    const homedir = params.homedir ?? os.homedir;
+    const profile = params.profile.trim();
+    if (!profile)
+        return;
+    // Convenience only: fill defaults, never override explicit env values.
+    env.CLAWDBOT_PROFILE = profile;
+    const stateDir = env.CLAWDBOT_STATE_DIR?.trim() || resolveProfileStateDir(profile, homedir);
+    if (!env.CLAWDBOT_STATE_DIR?.trim())
+        env.CLAWDBOT_STATE_DIR = stateDir;
+    if (!env.CLAWDBOT_CONFIG_PATH?.trim()) {
+        env.CLAWDBOT_CONFIG_PATH = path.join(stateDir, "clawdbot.json");
+    }
+    if (profile === "dev" && !env.CLAWDBOT_GATEWAY_PORT?.trim()) {
+        env.CLAWDBOT_GATEWAY_PORT = "19001";
+    }
+}

package/dist/cli/program.js

@@ -31,7 +31,12 @@ export function buildProgram() {
     const program = new Command();
     const PROGRAM_VERSION = VERSION;
     const TAGLINE = "Send, receive, and auto-reply on WhatsApp (web) and Telegram (bot).";
-    program.name("clawdbot").description("").version(PROGRAM_VERSION);
+    program
+        .name("clawdbot")
+        .description("")
+        .version(PROGRAM_VERSION)
+        .option("--dev", "Dev profile: isolate state under ~/.clawdbot-dev, default gateway port 19001, and shift derived ports (bridge/browser/canvas)")
+        .option("--profile <name>", "Use a named profile (isolates CLAWDBOT_STATE_DIR/CLAWDBOT_CONFIG_PATH under ~/.clawdbot-<name>)");
     const formatIntroLine = (version, rich = true) => {
         const base = `📡 clawdbot ${version} — ${TAGLINE}`;
         return rich && chalk.level > 0
@@ -82,6 +87,10 @@ export function buildProgram() {
             "Send via your web session and print JSON result.",
         ],
         ["clawdbot gateway --port 18789", "Run the WebSocket Gateway locally."],
+        [
+            "clawdbot --dev gateway",
+            "Run a dev Gateway (isolated state/config) on ws://127.0.0.1:19001.",
+        ],
         [
             "clawdbot gateway --force",
             "Kill anything bound to the default gateway port, then start it.",

package/dist/cli/run-main.js

@@ -0,0 +1,33 @@
+import process from "node:process";
+import { fileURLToPath } from "node:url";
+import { loadDotEnv } from "../infra/dotenv.js";
+import { normalizeEnv } from "../infra/env.js";
+import { isMainModule } from "../infra/is-main.js";
+import { ensureClawdbotCliOnPath } from "../infra/path-env.js";
+import { assertSupportedRuntime } from "../infra/runtime-guard.js";
+import { enableConsoleCapture } from "../logging.js";
+export async function runCli(argv = process.argv) {
+    loadDotEnv({ quiet: true });
+    normalizeEnv();
+    ensureClawdbotCliOnPath();
+    // Capture all console output into structured logs while keeping stdout/stderr behavior.
+    enableConsoleCapture();
+    // Enforce the minimum supported runtime before doing any work.
+    assertSupportedRuntime();
+    const { buildProgram } = await import("./program.js");
+    const program = buildProgram();
+    // Global error handlers to prevent silent crashes from unhandled rejections/exceptions.
+    // These log the error and exit gracefully instead of crashing without trace.
+    process.on("unhandledRejection", (reason, _promise) => {
+        console.error("[clawdbot] Unhandled promise rejection:", reason instanceof Error ? (reason.stack ?? reason.message) : reason);
+        process.exit(1);
+    });
+    process.on("uncaughtException", (error) => {
+        console.error("[clawdbot] Uncaught exception:", error.stack ?? error.message);
+        process.exit(1);
+    });
+    await program.parseAsync(argv);
+}
+export function isCliMainModule() {
+    return isMainModule({ currentFile: fileURLToPath(import.meta.url) });
+}

package/dist/commands/configure.js

@@ -5,6 +5,7 @@ import { CONFIG_PATH_CLAWDBOT, readConfigFileSnapshot, resolveGatewayPort, write
 import { GATEWAY_LAUNCH_AGENT_LABEL } from "../daemon/constants.js";
 import { resolveGatewayProgramArguments } from "../daemon/program-args.js";
 import { resolveGatewayService } from "../daemon/service.js";
+import { ensureControlUiAssetsBuilt } from "../infra/control-ui-assets.js";
 import { defaultRuntime } from "../runtime.js";
 import { resolveUserPath, sleep } from "../utils.js";
 import { createClackPrompter } from "../wizard/clack-prompter.js";
@@ -434,6 +435,10 @@ export async function runConfigureWizard(opts, runtime = defaultRuntime) {
             runtime.error(`Health check failed: ${String(err)}`);
         }
     }
+    const controlUiAssets = await ensureControlUiAssetsBuilt(runtime);
+    if (!controlUiAssets.ok && controlUiAssets.message) {
+        runtime.error(controlUiAssets.message);
+    }
     note((() => {
         const bind = nextConfig.gateway?.bind ?? "loopback";
         const links = resolveControlUiLinks({

package/dist/commands/onboard-providers.js

@@ -270,7 +270,7 @@ export async function setupProviders(cfg, runtime, prompter, options) {
         if (!whatsappLinked) {
             await prompter.note([
                 "Scan the QR with WhatsApp on your phone.",
-                "Credentials are stored under ~/.clawdbot/credentials/ for future runs.",
+                `Credentials are stored under ${resolveWebAuthDir()}/ for future runs.`,
             ].join("\n"), "WhatsApp linking");
         }
         const wantsLink = await prompter.confirm({

package/dist/commands/setup.js

@@ -3,6 +3,7 @@ import path from "node:path";
 import JSON5 from "json5";
 import { DEFAULT_AGENT_WORKSPACE_DIR, ensureAgentWorkspace, } from "../agents/workspace.js";
 import { CONFIG_PATH_CLAWDBOT } from "../config/config.js";
+import { applyModelAliasDefaults } from "../config/defaults.js";
 import { resolveSessionTranscriptsDir } from "../config/sessions.js";
 import { defaultRuntime } from "../runtime.js";
 async function readConfigFileRaw() {
@@ -20,7 +21,9 @@ async function readConfigFileRaw() {
 }
 async function writeConfigFile(cfg) {
     await fs.mkdir(path.dirname(CONFIG_PATH_CLAWDBOT), { recursive: true });
-    const json = JSON.stringify(cfg, null, 2).trimEnd().concat("\n");
+    const json = JSON.stringify(applyModelAliasDefaults(cfg), null, 2)
+        .trimEnd()
+        .concat("\n");
     await fs.writeFile(CONFIG_PATH_CLAWDBOT, json, "utf-8");
 }
 export async function setupCommand(opts, runtime = defaultRuntime) {