clawdentity 0.0.11 → 0.0.12

package/dist/bin.js

@@ -14355,6 +14355,8 @@ var AGENT_AUTH_REFRESH_PATH = "/v1/agents/auth/refresh";
 var INVITES_PATH = "/v1/invites";
 var INVITES_REDEEM_PATH = "/v1/invites/redeem";
 var ME_API_KEYS_PATH = "/v1/me/api-keys";
+var REGISTRY_METADATA_PATH = "/v1/metadata";
+var RELAY_CONNECT_PATH = "/v1/relay/connect";
 var RELAY_RECIPIENT_AGENT_DID_HEADER = "x-claw-recipient-agent-did";
 
 // ../../packages/protocol/src/http-signing.ts
@@ -18395,6 +18397,139 @@ var createApiKeyCommand = (dependencies = {}) => {
 // src/commands/config.ts
 import { access as access2 } from "fs/promises";
 import { Command as Command4 } from "commander";
+
+// src/config/registry-metadata.ts
+function isRecord4(value) {
+  return typeof value === "object" && value !== null;
+}
+function parseNonEmptyString5(value) {
+  if (typeof value !== "string") {
+    return "";
+  }
+  return value.trim();
+}
+function createCliError3(code, message2) {
+  return new AppError({
+    code,
+    message: message2,
+    status: 400
+  });
+}
+function parseUrl(candidate, label) {
+  let parsed;
+  try {
+    parsed = new URL(candidate);
+  } catch {
+    throw createCliError3("CLI_REGISTRY_URL_INVALID", `${label} is invalid`);
+  }
+  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+    throw createCliError3("CLI_REGISTRY_URL_INVALID", `${label} is invalid`);
+  }
+  return parsed;
+}
+function normalizeRegistryUrl(registryUrl) {
+  return parseUrl(registryUrl, "Registry URL").toString();
+}
+function toRegistryRequestUrl(registryUrl, path) {
+  const normalizedRegistryUrl = normalizeRegistryUrl(registryUrl);
+  const base = normalizedRegistryUrl.endsWith("/") ? normalizedRegistryUrl : `${normalizedRegistryUrl}/`;
+  return new URL(path.slice(1), base).toString();
+}
+function extractRegistryErrorMessage3(payload) {
+  if (!isRecord4(payload)) {
+    return void 0;
+  }
+  const envelope = payload;
+  if (!envelope.error || typeof envelope.error.message !== "string") {
+    return void 0;
+  }
+  const trimmed = envelope.error.message.trim();
+  return trimmed.length > 0 ? trimmed : void 0;
+}
+async function parseJsonResponse4(response) {
+  try {
+    return await response.json();
+  } catch {
+    return void 0;
+  }
+}
+function parseMetadataPayload(payload, fallbackRegistryUrl) {
+  if (!isRecord4(payload)) {
+    throw createCliError3(
+      "CLI_REGISTRY_METADATA_INVALID_RESPONSE",
+      "Registry metadata response is invalid"
+    );
+  }
+  const proxyUrlRaw = parseNonEmptyString5(payload.proxyUrl);
+  if (proxyUrlRaw.length === 0) {
+    throw createCliError3(
+      "CLI_REGISTRY_METADATA_INVALID_RESPONSE",
+      "Registry metadata response is invalid"
+    );
+  }
+  const proxyUrl = parseUrl(proxyUrlRaw, "Proxy URL").toString();
+  const registryUrlRaw = parseNonEmptyString5(payload.registryUrl);
+  const registryUrl = registryUrlRaw.length > 0 ? parseUrl(registryUrlRaw, "Registry URL").toString() : normalizeRegistryUrl(fallbackRegistryUrl);
+  const environment = parseNonEmptyString5(payload.environment);
+  const version2 = parseNonEmptyString5(payload.version);
+  return {
+    proxyUrl,
+    registryUrl,
+    environment: environment.length > 0 ? environment : void 0,
+    version: version2.length > 0 ? version2 : void 0
+  };
+}
+function mapMetadataError(status, payload) {
+  const registryMessage = extractRegistryErrorMessage3(payload);
+  if (status === 404) {
+    return "Registry metadata endpoint is unavailable (404).";
+  }
+  if (status >= 500) {
+    return `Registry metadata request failed (${status}). Try again later.`;
+  }
+  if (registryMessage) {
+    return `Registry metadata request failed (${status}): ${registryMessage}`;
+  }
+  return `Registry metadata request failed (${status}).`;
+}
+async function fetchRegistryMetadata(registryUrl, dependencies = {}) {
+  const fetchImpl = dependencies.fetchImpl ?? globalThis.fetch;
+  if (typeof fetchImpl !== "function") {
+    throw createCliError3(
+      "CLI_REGISTRY_METADATA_FETCH_UNAVAILABLE",
+      "Runtime fetch is unavailable for registry metadata lookup"
+    );
+  }
+  const normalizedRegistryUrl = normalizeRegistryUrl(registryUrl);
+  const requestUrl = toRegistryRequestUrl(
+    normalizedRegistryUrl,
+    REGISTRY_METADATA_PATH
+  );
+  let response;
+  try {
+    response = await fetchImpl(requestUrl, {
+      method: "GET",
+      headers: {
+        accept: "application/json"
+      }
+    });
+  } catch {
+    throw createCliError3(
+      "CLI_REGISTRY_METADATA_REQUEST_FAILED",
+      "Unable to reach registry metadata endpoint. Check registryUrl and network access."
+    );
+  }
+  const payload = await parseJsonResponse4(response);
+  if (!response.ok) {
+    throw createCliError3(
+      "CLI_REGISTRY_METADATA_FETCH_FAILED",
+      mapMetadataError(response.status, payload)
+    );
+  }
+  return parseMetadataPayload(payload, normalizedRegistryUrl);
+}
+
+// src/commands/config.ts
 var logger5 = createLogger({ service: "cli", module: "config" });
 var VALID_KEYS = [
   "registryUrl",
@@ -18437,7 +18572,7 @@ var getEnvRegistryUrlOverride = () => {
     return typeof value === "string" && value.length > 0;
   });
 };
-var createConfigCommand = () => {
+var createConfigCommand = (dependencies = {}) => {
   const configCommand = new Command4("config").description(
     "Manage local CLI configuration"
   );
@@ -18454,14 +18589,27 @@ var createConfigCommand = () => {
         }
       }
       const config2 = await readConfig();
-      const registryUrl = options.registryUrl ?? getEnvRegistryUrlOverride() ?? config2.registryUrl;
+      const requestedRegistryUrl = options.registryUrl ?? getEnvRegistryUrlOverride() ?? config2.registryUrl;
+      const normalizedRegistryUrl = normalizeRegistryUrl(requestedRegistryUrl);
+      const metadata = await fetchRegistryMetadata(normalizedRegistryUrl, {
+        fetchImpl: dependencies.fetchImpl
+      });
       await writeConfig({
         ...config2,
-        registryUrl
+        registryUrl: metadata.registryUrl,
+        proxyUrl: metadata.proxyUrl
       });
       writeStdoutLine(`Initialized config at ${configFilePath}`);
       writeStdoutLine(
-        JSON.stringify(maskApiKey({ ...config2, registryUrl }), null, 2)
+        JSON.stringify(
+          maskApiKey({
+            ...config2,
+            registryUrl: metadata.registryUrl,
+            proxyUrl: metadata.proxyUrl
+          }),
+          null,
+          2
+        )
       );
     })
   );
@@ -18768,6 +18916,7 @@ function normalizeConnectionHeaders(headers) {
 var ConnectorClient = class {
   connectorUrl;
   connectionHeaders;
+  connectionHeadersProvider;
   openclawHookUrl;
   openclawHookToken;
   heartbeatIntervalMs;
@@ -18799,6 +18948,7 @@ var ConnectorClient = class {
     this.connectionHeaders = normalizeConnectionHeaders(
       options.connectionHeaders
     );
+    this.connectionHeadersProvider = options.connectionHeadersProvider;
     this.openclawHookToken = options.openclawHookToken;
     this.heartbeatIntervalMs = options.heartbeatIntervalMs ?? DEFAULT_HEARTBEAT_INTERVAL_MS;
     this.reconnectMinDelayMs = options.reconnectMinDelayMs ?? DEFAULT_RECONNECT_MIN_DELAY_MS;
@@ -18851,7 +19001,7 @@ var ConnectorClient = class {
       return;
     }
     this.started = true;
-    this.connectSocket();
+    void this.connectSocket();
   }
   disconnect() {
     this.started = false;
@@ -18884,13 +19034,27 @@ var ConnectorClient = class {
     this.flushOutboundQueue();
     return frame;
   }
-  connectSocket() {
+  async connectSocket() {
     this.clearReconnectTimeout();
+    let connectionHeaders = this.connectionHeaders;
+    if (this.connectionHeadersProvider) {
+      try {
+        connectionHeaders = normalizeConnectionHeaders(
+          await this.connectionHeadersProvider()
+        );
+      } catch (error48) {
+        this.logger.warn("connector.websocket.create_failed", {
+          reason: sanitizeErrorReason(error48)
+        });
+        this.scheduleReconnect();
+        return;
+      }
+    }
+    if (!this.started) {
+      return;
+    }
     try {
-      this.socket = this.webSocketFactory(
-        this.connectorUrl,
-        this.connectionHeaders
-      );
+      this.socket = this.webSocketFactory(this.connectorUrl, connectionHeaders);
     } catch (error48) {
       this.logger.warn("connector.websocket.create_failed", {
         reason: sanitizeErrorReason(error48)
@@ -18945,7 +19109,7 @@ var ConnectorClient = class {
     const delayMs = Math.max(0, Math.floor(boundedDelay + jitterOffset));
     this.reconnectAttempt += 1;
     this.reconnectTimeout = setTimeout(() => {
-      this.connectSocket();
+      void this.connectSocket();
     }, delayMs);
   }
   clearReconnectTimeout() {
@@ -19165,7 +19329,7 @@ var REFRESH_SINGLE_FLIGHT_PREFIX = "connector-runtime";
 var NONCE_SIZE = 16;
 var MAX_OUTBOUND_BODY_BYTES = 1024 * 1024;
 var ACCESS_TOKEN_REFRESH_SKEW_MS = 3e4;
-function isRecord4(value) {
+function isRecord5(value) {
   return typeof value === "object" && value !== null;
 }
 function toPathWithQuery2(url2) {
@@ -19213,6 +19377,9 @@ function normalizeWebSocketUrl(urlInput) {
   if (parsed.protocol !== "wss:" && parsed.protocol !== "ws:") {
     throw new Error("Proxy websocket URL must use ws:// or wss://");
   }
+  if (parsed.pathname === "/") {
+    parsed.pathname = RELAY_CONNECT_PATH;
+  }
   return parsed.toString();
 }
 function resolveOpenclawBaseUrl(input) {
@@ -19257,7 +19424,7 @@ function shouldRefreshAccessToken(auth, nowMs) {
   return expiresAtMs <= nowMs + ACCESS_TOKEN_REFRESH_SKEW_MS;
 }
 function parseOutboundRelayRequest(payload) {
-  if (!isRecord4(payload)) {
+  if (!isRecord5(payload)) {
     throw new AppError({
       code: "CONNECTOR_OUTBOUND_INVALID_REQUEST",
       message: "Outbound relay request must be an object",
@@ -19390,7 +19557,10 @@ async function startConnectorRuntime(input) {
     parseRequiredString(input.credentials.secretKey, "secretKey")
   );
   let currentAuth = toInitialAuthBundle(input.credentials);
-  if (shouldRefreshAccessToken(currentAuth, Date.now())) {
+  const refreshCurrentAuthIfNeeded = async () => {
+    if (!shouldRefreshAccessToken(currentAuth, Date.now())) {
+      return;
+    }
     currentAuth = await refreshAgentAuthWithClawProof({
       registryUrl: input.registryUrl,
       ait: input.credentials.ait,
@@ -19403,18 +19573,22 @@ async function startConnectorRuntime(input) {
       agentName: input.agentName,
       auth: currentAuth
     });
-  }
+  };
+  await refreshCurrentAuthIfNeeded();
   const wsUrl = normalizeWebSocketUrl(input.proxyWebsocketUrl);
   const wsParsed = new URL(wsUrl);
-  const upgradeHeaders = await buildUpgradeHeaders({
-    wsUrl: wsParsed,
-    ait: input.credentials.ait,
-    accessToken: currentAuth.accessToken,
-    secretKey
-  });
+  const resolveUpgradeHeaders = async () => {
+    await refreshCurrentAuthIfNeeded();
+    return buildUpgradeHeaders({
+      wsUrl: wsParsed,
+      ait: input.credentials.ait,
+      accessToken: currentAuth.accessToken,
+      secretKey
+    });
+  };
   const connectorClient = new ConnectorClient({
     connectorUrl: wsParsed.toString(),
-    connectionHeaders: upgradeHeaders,
+    connectionHeadersProvider: resolveUpgradeHeaders,
     openclawBaseUrl: resolveOpenclawBaseUrl(input.openclawBaseUrl),
     openclawHookPath: resolveOpenclawHookPath(input.openclawHookPath),
     openclawHookToken: resolveOpenclawHookToken(input.openclawHookToken),
@@ -19588,16 +19762,16 @@ var OPENCLAW_CONNECTORS_FILE_NAME = "openclaw-connectors.json";
 var SERVICE_LOG_DIR_NAME = "logs";
 var DEFAULT_CONNECTOR_BASE_URL2 = "http://127.0.0.1:19400";
 var DEFAULT_CONNECTOR_OUTBOUND_PATH2 = "/v1/outbound";
-function isRecord5(value) {
+function isRecord6(value) {
   return typeof value === "object" && value !== null;
 }
 function getErrorCode(error48) {
-  if (!isRecord5(error48)) {
+  if (!isRecord6(error48)) {
     return void 0;
   }
   return typeof error48.code === "string" ? error48.code : void 0;
 }
-function createCliError3(code, message2, details) {
+function createCliError4(code, message2, details) {
   return new AppError({
     code,
     message: message2,
@@ -19605,9 +19779,9 @@ function createCliError3(code, message2, details) {
     details
   });
 }
-function parseNonEmptyString5(value, label) {
+function parseNonEmptyString6(value, label) {
   if (typeof value !== "string") {
-    throw createCliError3(
+    throw createCliError4(
       "CLI_CONNECTOR_INVALID_INPUT",
       "Connector input is invalid",
       {
@@ -19617,7 +19791,7 @@ function parseNonEmptyString5(value, label) {
   }
   const trimmed = value.trim();
   if (trimmed.length === 0) {
-    throw createCliError3(
+    throw createCliError4(
       "CLI_CONNECTOR_INVALID_INPUT",
       "Connector input is invalid",
       {
@@ -19628,9 +19802,9 @@ function parseNonEmptyString5(value, label) {
   return trimmed;
 }
 function parseAgentDid(value) {
-  const did = parseNonEmptyString5(value, "agent did");
+  const did = parseNonEmptyString6(value, "agent did");
   if (!did.startsWith("did:claw:agent:")) {
-    throw createCliError3(
+    throw createCliError4(
       "CLI_CONNECTOR_INVALID_AGENT_IDENTITY",
       "Agent identity is invalid for connector startup"
     );
@@ -19642,13 +19816,13 @@ function parseConnectorBaseUrl(value) {
   try {
     parsed = new URL(value);
   } catch {
-    throw createCliError3(
+    throw createCliError4(
       "CLI_CONNECTOR_INVALID_BASE_URL",
       "Connector base URL is invalid"
     );
   }
   if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-    throw createCliError3(
+    throw createCliError4(
       "CLI_CONNECTOR_INVALID_BASE_URL",
       "Connector base URL is invalid"
     );
@@ -19658,10 +19832,65 @@ function parseConnectorBaseUrl(value) {
   }
   return parsed.toString();
 }
+function parseProxyWebsocketUrl(value) {
+  let parsed;
+  try {
+    parsed = new URL(value);
+  } catch {
+    throw createCliError4(
+      "CLI_CONNECTOR_INVALID_PROXY_URL",
+      "Proxy websocket URL is invalid"
+    );
+  }
+  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:" && parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw createCliError4(
+      "CLI_CONNECTOR_INVALID_PROXY_URL",
+      "Proxy websocket URL is invalid"
+    );
+  }
+  return parsed.toString();
+}
+function resolveProxyWebsocketUrlFromEnv() {
+  const explicitProxyWsUrl = process.env.CLAWDENTITY_PROXY_WS_URL;
+  if (typeof explicitProxyWsUrl === "string" && explicitProxyWsUrl.trim().length > 0) {
+    return parseProxyWebsocketUrl(explicitProxyWsUrl.trim());
+  }
+  const proxyUrl = process.env.CLAWDENTITY_PROXY_URL;
+  if (typeof proxyUrl === "string" && proxyUrl.trim().length > 0) {
+    return parseProxyWebsocketUrl(proxyUrl.trim());
+  }
+  return void 0;
+}
+async function resolveProxyWebsocketUrl(input) {
+  if (typeof input.explicitProxyWsUrl === "string" && input.explicitProxyWsUrl.trim().length > 0) {
+    return parseProxyWebsocketUrl(input.explicitProxyWsUrl.trim());
+  }
+  const fromEnv = resolveProxyWebsocketUrlFromEnv();
+  if (fromEnv !== void 0) {
+    return fromEnv;
+  }
+  if (typeof input.configProxyUrl === "string" && input.configProxyUrl.trim().length > 0) {
+    return parseProxyWebsocketUrl(input.configProxyUrl.trim());
+  }
+  const fetchImpl = input.fetchImpl ?? globalThis.fetch;
+  if (typeof fetchImpl === "function") {
+    try {
+      const metadata = await fetchRegistryMetadata(input.registryUrl, {
+        fetchImpl
+      });
+      return parseProxyWebsocketUrl(metadata.proxyUrl);
+    } catch {
+    }
+  }
+  throw createCliError4(
+    "CLI_CONNECTOR_PROXY_URL_REQUIRED",
+    "Proxy URL is required for connector startup. Run `clawdentity invite redeem <clw_inv_...>` or set CLAWDENTITY_PROXY_URL / CLAWDENTITY_PROXY_WS_URL."
+  );
+}
 function normalizeOutboundPath2(pathValue) {
   const trimmed = pathValue.trim();
   if (trimmed.length === 0) {
-    throw createCliError3(
+    throw createCliError4(
       "CLI_CONNECTOR_INVALID_OUTBOUND_PATH",
       "Connector outbound path is invalid"
     );
@@ -19690,17 +19919,17 @@ async function readConnectorAssignedBaseUrl(configDir, agentName, readFileImpl)
   try {
     parsed = JSON.parse(raw);
   } catch {
-    throw createCliError3(
+    throw createCliError4(
       "CLI_CONNECTOR_INVALID_ASSIGNMENTS",
       "Connector assignments config is invalid JSON",
       { assignmentsPath }
     );
   }
-  if (!isRecord5(parsed) || !isRecord5(parsed.agents)) {
+  if (!isRecord6(parsed) || !isRecord6(parsed.agents)) {
     return void 0;
   }
   const entry = parsed.agents[agentName];
-  if (!isRecord5(entry) || typeof entry.connectorBaseUrl !== "string") {
+  if (!isRecord6(entry) || typeof entry.connectorBaseUrl !== "string") {
     return void 0;
   }
   return parseConnectorBaseUrl(entry.connectorBaseUrl);
@@ -19721,7 +19950,7 @@ async function readRequiredTrimmedFile(filePath, label, readFileImpl) {
     raw = await readFileImpl(filePath, "utf8");
   } catch (error48) {
     if (getErrorCode(error48) === "ENOENT") {
-      throw createCliError3(
+      throw createCliError4(
         "CLI_CONNECTOR_MISSING_AGENT_MATERIAL",
         "Local agent credentials are missing for connector startup",
         { label }
@@ -19731,7 +19960,7 @@ async function readRequiredTrimmedFile(filePath, label, readFileImpl) {
   }
   const trimmed = raw.trim();
   if (trimmed.length === 0) {
-    throw createCliError3(
+    throw createCliError4(
       "CLI_CONNECTOR_MISSING_AGENT_MATERIAL",
       "Local agent credentials are missing for connector startup",
       { label }
@@ -19756,7 +19985,7 @@ async function readRelayRuntimeConfig(configDir, readFileImpl) {
   } catch {
     return void 0;
   }
-  if (!isRecord5(parsed)) {
+  if (!isRecord6(parsed)) {
     return void 0;
   }
   const openclawHookToken = typeof parsed.openclawHookToken === "string" && parsed.openclawHookToken.trim().length > 0 ? parsed.openclawHookToken.trim() : void 0;
@@ -19772,10 +20001,10 @@ function parseJsonRecord(value, code, message2) {
   try {
     parsed = JSON.parse(value);
   } catch {
-    throw createCliError3(code, message2);
+    throw createCliError4(code, message2);
   }
-  if (!isRecord5(parsed)) {
-    throw createCliError3(code, message2);
+  if (!isRecord6(parsed)) {
+    throw createCliError4(code, message2);
   }
   return parsed;
 }
@@ -19785,7 +20014,7 @@ function parseRegistryAuth(rawRegistryAuth) {
     "CLI_CONNECTOR_INVALID_REGISTRY_AUTH",
     "Agent registry auth is invalid for connector startup"
   );
-  const refreshToken = parseNonEmptyString5(parsed.refreshToken, "refreshToken");
+  const refreshToken = parseNonEmptyString6(parsed.refreshToken, "refreshToken");
   const accessToken = typeof parsed.accessToken === "string" && parsed.accessToken.trim().length > 0 ? parsed.accessToken.trim() : void 0;
   const accessExpiresAt = typeof parsed.accessExpiresAt === "string" && parsed.accessExpiresAt.trim().length > 0 ? parsed.accessExpiresAt.trim() : void 0;
   const refreshExpiresAt = typeof parsed.refreshExpiresAt === "string" && parsed.refreshExpiresAt.trim().length > 0 ? parsed.refreshExpiresAt.trim() : void 0;
@@ -19814,7 +20043,7 @@ async function loadDefaultConnectorModule() {
   };
 }
 function resolveWaitPromise(runtime) {
-  if (!runtime || !isRecord5(runtime)) {
+  if (!runtime || !isRecord6(runtime)) {
     return void 0;
   }
   if (typeof runtime.waitUntilStopped === "function") {
@@ -19838,7 +20067,7 @@ function parseConnectorServicePlatformOption(value) {
   if (value === "auto" || value === "launchd" || value === "systemd") {
     return value;
   }
-  throw createCliError3(
+  throw createCliError4(
     "CLI_CONNECTOR_SERVICE_PLATFORM_INVALID",
     "Connector service platform must be one of: auto, launchd, systemd"
   );
@@ -19853,7 +20082,7 @@ function resolveConnectorServicePlatform(inputPlatform, currentPlatform) {
   if (currentPlatform === "linux") {
     return "systemd";
   }
-  throw createCliError3(
+  throw createCliError4(
     "CLI_CONNECTOR_SERVICE_PLATFORM_UNSUPPORTED",
     "Connector service install is supported only on macOS (launchd) and Linux (systemd)",
     {
@@ -19955,7 +20184,7 @@ function resolveServiceDependencies(dependencies) {
     resolveCurrentPlatformImpl: dependencies.resolveCurrentPlatformImpl ?? (() => process.platform),
     resolveCurrentUidImpl: dependencies.resolveCurrentUidImpl ?? (() => {
       if (typeof process.getuid !== "function") {
-        throw createCliError3(
+        throw createCliError4(
           "CLI_CONNECTOR_SERVICE_UID_UNAVAILABLE",
           "Current user id is unavailable in this runtime"
         );
@@ -20017,7 +20246,7 @@ async function installConnectorServiceForAgent(agentName, commandOptions = {}, d
         `${serviceName}.service`
       ]);
     } catch (error48) {
-      throw createCliError3(
+      throw createCliError4(
         "CLI_CONNECTOR_SERVICE_INSTALL_FAILED",
         "Failed to install systemd connector service",
         {
@@ -20064,7 +20293,7 @@ async function installConnectorServiceForAgent(agentName, commandOptions = {}, d
       serviceFilePath
     ]);
   } catch (error48) {
-    throw createCliError3(
+    throw createCliError4(
       "CLI_CONNECTOR_SERVICE_INSTALL_FAILED",
       "Failed to install launchd connector service",
       {
@@ -20148,6 +20377,7 @@ async function startConnectorForAgent(agentName, commandOptions = {}, dependenci
   const resolveConfigImpl = dependencies.resolveConfigImpl ?? resolveConfig;
   const getConfigDirImpl = dependencies.getConfigDirImpl ?? getConfigDir;
   const readFileImpl = dependencies.readFileImpl ?? ((path, encoding) => readFile3(path, encoding));
+  const fetchImpl = dependencies.fetchImpl ?? globalThis.fetch;
   const loadConnectorModule = dependencies.loadConnectorModule ?? loadDefaultConnectorModule;
   const configDir = getConfigDirImpl();
   const agentDirectory = join5(configDir, AGENTS_DIR_NAME3, agentName);
@@ -20187,13 +20417,19 @@ async function startConnectorForAgent(agentName, commandOptions = {}, dependenci
     loadConnectorModule()
   ]);
   if (typeof connectorModule.startConnectorRuntime !== "function") {
-    throw createCliError3(
+    throw createCliError4(
       "CLI_CONNECTOR_INVALID_PACKAGE_API",
       "Connector package does not expose startConnectorRuntime"
     );
   }
   const identity = parseAgentIdentity(rawIdentity);
   const registryAuth = parseRegistryAuth(rawRegistryAuth);
+  const resolvedProxyWebsocketUrl = await resolveProxyWebsocketUrl({
+    explicitProxyWsUrl: commandOptions.proxyWsUrl,
+    configProxyUrl: config2.proxyUrl,
+    registryUrl: config2.registryUrl,
+    fetchImpl
+  });
   const openclawHookToken = commandOptions.openclawHookToken ?? relayRuntimeConfig?.openclawHookToken;
   const outboundBaseUrl = resolveConnectorBaseUrlFromEnv() ?? assignedConnectorBaseUrl ?? DEFAULT_CONNECTOR_BASE_URL2;
   const outboundPath = resolveConnectorOutboundPath();
@@ -20203,7 +20439,7 @@ async function startConnectorForAgent(agentName, commandOptions = {}, dependenci
     registryUrl: config2.registryUrl,
     outboundBaseUrl,
     outboundPath,
-    proxyWebsocketUrl: commandOptions.proxyWsUrl,
+    proxyWebsocketUrl: resolvedProxyWebsocketUrl,
     openclawBaseUrl: commandOptions.openclawBaseUrl,
     openclawHookPath: commandOptions.openclawHookPath,
     openclawHookToken,
@@ -20218,8 +20454,8 @@ async function startConnectorForAgent(agentName, commandOptions = {}, dependenci
       tokenType: registryAuth.tokenType
     }
   });
-  const outboundUrl = runtime && isRecord5(runtime) && typeof runtime.outboundUrl === "string" ? runtime.outboundUrl : resolveOutboundUrl(outboundBaseUrl, outboundPath);
-  const proxyWebsocketUrl = runtime && isRecord5(runtime) ? typeof runtime.websocketUrl === "string" ? runtime.websocketUrl : typeof runtime.proxyWebsocketUrl === "string" ? runtime.proxyWebsocketUrl : void 0 : void 0;
+  const outboundUrl = runtime && isRecord6(runtime) && typeof runtime.outboundUrl === "string" ? runtime.outboundUrl : resolveOutboundUrl(outboundBaseUrl, outboundPath);
+  const proxyWebsocketUrl = runtime && isRecord6(runtime) ? typeof runtime.websocketUrl === "string" ? runtime.websocketUrl : typeof runtime.proxyWebsocketUrl === "string" ? runtime.proxyWebsocketUrl : resolvedProxyWebsocketUrl : void 0;
   return {
     outboundUrl,
     proxyWebsocketUrl,
@@ -20349,107 +20585,52 @@ function createConnectorCommand(dependencies = {}) {
 
 // src/commands/invite.ts
 import { Command as Command6 } from "commander";
-
-// src/config/endpoints.ts
-var PRODUCTION_REGISTRY_HOST = "registry.clawdentity.com";
-var DEVELOPMENT_REGISTRY_HOST = "dev.registry.clawdentity.com";
-var PRODUCTION_PROXY_HOST = "proxy.clawdentity.com";
-var DEVELOPMENT_PROXY_HOST = "dev.proxy.clawdentity.com";
-var LOCAL_REGISTRY_PORT = "8788";
-var LOCAL_PROXY_PORT = "8787";
-var LOCAL_HOSTNAMES = /* @__PURE__ */ new Set([
-  "localhost",
-  "127.0.0.1",
-  "host.docker.internal",
-  "gateway.docker.internal"
-]);
-var normalizeUrl = (candidate) => {
-  try {
-    const parsed = new URL(candidate);
-    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
-      return void 0;
-    }
-    return parsed;
-  } catch {
-    return void 0;
-  }
-};
-var toProxyHostname = (registryHostname) => {
-  if (registryHostname === PRODUCTION_REGISTRY_HOST) {
-    return PRODUCTION_PROXY_HOST;
-  }
-  if (registryHostname === DEVELOPMENT_REGISTRY_HOST) {
-    return DEVELOPMENT_PROXY_HOST;
-  }
-  if (registryHostname.startsWith("dev.registry.")) {
-    return `dev.proxy.${registryHostname.slice("dev.registry.".length)}`;
-  }
-  if (registryHostname.startsWith("registry.")) {
-    return `proxy.${registryHostname.slice("registry.".length)}`;
-  }
-  return void 0;
-};
-var deriveProxyUrlFromRegistryUrl = (registryUrl) => {
-  const parsedRegistryUrl = normalizeUrl(registryUrl);
-  if (!parsedRegistryUrl) {
-    return void 0;
-  }
-  const hostname3 = parsedRegistryUrl.hostname.toLowerCase();
-  if (LOCAL_HOSTNAMES.has(hostname3) && parsedRegistryUrl.port === LOCAL_REGISTRY_PORT) {
-    return `${parsedRegistryUrl.protocol}//${hostname3}:${LOCAL_PROXY_PORT}/`;
-  }
-  const mappedHostname = toProxyHostname(hostname3);
-  if (!mappedHostname) {
-    return void 0;
-  }
-  const port = parsedRegistryUrl.port.length > 0 ? `:${parsedRegistryUrl.port}` : "";
-  return `${parsedRegistryUrl.protocol}//${mappedHostname}${port}/`;
-};
-
-// src/commands/invite.ts
 var logger7 = createLogger({ service: "cli", module: "invite" });
-var isRecord6 = (value) => {
+var isRecord7 = (value) => {
   return typeof value === "object" && value !== null;
 };
-function parseNonEmptyString6(value) {
+function parseNonEmptyString7(value) {
   if (typeof value !== "string") {
     return "";
   }
   return value.trim();
 }
-function createCliError4(code, message2) {
+function createCliError5(code, message2) {
   return new AppError({
     code,
     message: message2,
     status: 400
   });
 }
-function resolveRegistryUrl2(input) {
-  const candidate = parseNonEmptyString6(input.overrideRegistryUrl) || input.configRegistryUrl;
+function normalizeProxyUrl(value) {
   try {
-    return new URL(candidate).toString();
+    const parsed = new URL(value);
+    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+      throw new Error("invalid protocol");
+    }
+    return parsed.toString();
   } catch {
-    throw createCliError4(
-      "CLI_INVITE_INVALID_REGISTRY_URL",
-      "Registry URL is invalid"
+    throw createCliError5(
+      "CLI_INVITE_REDEEM_INVALID_RESPONSE",
+      "Invite redeem response is invalid"
     );
   }
 }
+function resolveRegistryUrl2(input) {
+  const candidate = parseNonEmptyString7(input.overrideRegistryUrl) || input.configRegistryUrl;
+  return normalizeRegistryUrl(candidate);
+}
 function requireApiKey2(config2) {
   if (typeof config2.apiKey === "string" && config2.apiKey.trim().length > 0) {
     return config2.apiKey;
   }
-  throw createCliError4(
+  throw createCliError5(
     "CLI_INVITE_MISSING_LOCAL_CREDENTIALS",
     "API key is not configured. Run `clawdentity config set apiKey <token>` or set CLAWDENTITY_API_KEY."
   );
 }
-function toRegistryRequestUrl(registryUrl, path) {
-  const normalizedBaseUrl = registryUrl.endsWith("/") ? registryUrl : `${registryUrl}/`;
-  return new URL(path.slice(1), normalizedBaseUrl).toString();
-}
 function extractRegistryErrorCode(payload) {
-  if (!isRecord6(payload)) {
+  if (!isRecord7(payload)) {
     return void 0;
   }
   const envelope = payload;
@@ -20459,8 +20640,8 @@ function extractRegistryErrorCode(payload) {
   const trimmed = envelope.error.code.trim();
   return trimmed.length > 0 ? trimmed : void 0;
 }
-function extractRegistryErrorMessage3(payload) {
-  if (!isRecord6(payload)) {
+function extractRegistryErrorMessage4(payload) {
+  if (!isRecord7(payload)) {
     return void 0;
   }
   const envelope = payload;
@@ -20470,7 +20651,7 @@ function extractRegistryErrorMessage3(payload) {
   const trimmed = envelope.error.message.trim();
   return trimmed.length > 0 ? trimmed : void 0;
 }
-async function parseJsonResponse4(response) {
+async function parseJsonResponse5(response) {
   try {
     return await response.json();
   } catch {
@@ -20481,7 +20662,7 @@ async function executeInviteRequest(input) {
   try {
     return await input.fetchImpl(input.url, input.init);
   } catch {
-    throw createCliError4(
+    throw createCliError5(
       "CLI_INVITE_REQUEST_FAILED",
       "Unable to connect to the registry. Check network access and registryUrl."
     );
@@ -20489,7 +20670,7 @@ async function executeInviteRequest(input) {
 }
 function mapCreateInviteError(status, payload) {
   const errorCode = extractRegistryErrorCode(payload);
-  const registryMessage = extractRegistryErrorMessage3(payload);
+  const registryMessage = extractRegistryErrorMessage4(payload);
   if (status === 401) {
     return registryMessage ? `Registry authentication failed (401): ${registryMessage}` : "Registry authentication failed (401). Check your API key.";
   }
@@ -20512,7 +20693,7 @@ function mapCreateInviteError(status, payload) {
 }
 function mapRedeemInviteError(status, payload) {
   const errorCode = extractRegistryErrorCode(payload);
-  const registryMessage = extractRegistryErrorMessage3(payload);
+  const registryMessage = extractRegistryErrorMessage4(payload);
   if (errorCode === "INVITE_REDEEM_ALREADY_USED" || errorCode === "INVITE_REDEEM_ALREADY_REDEEMED") {
     return "Invite code has already been redeemed";
   }
@@ -20534,16 +20715,16 @@ function mapRedeemInviteError(status, payload) {
   return `Invite redeem failed (${status})`;
 }
 function parseInviteRecord(payload) {
-  if (!isRecord6(payload)) {
-    throw createCliError4(
+  if (!isRecord7(payload)) {
+    throw createCliError5(
       "CLI_INVITE_CREATE_INVALID_RESPONSE",
       "Invite response is invalid"
     );
   }
-  const source = isRecord6(payload.invite) ? payload.invite : payload;
-  const code = parseNonEmptyString6(source.code);
+  const source = isRecord7(payload.invite) ? payload.invite : payload;
+  const code = parseNonEmptyString7(source.code);
   if (code.length === 0) {
-    throw createCliError4(
+    throw createCliError5(
       "CLI_INVITE_CREATE_INVALID_RESPONSE",
       "Invite response is invalid"
     );
@@ -20551,11 +20732,11 @@ function parseInviteRecord(payload) {
   const invite = {
     code
   };
-  const id = parseNonEmptyString6(source.id);
+  const id = parseNonEmptyString7(source.id);
   if (id.length > 0) {
     invite.id = id;
   }
-  const createdAt = parseNonEmptyString6(source.createdAt);
+  const createdAt = parseNonEmptyString7(source.createdAt);
   if (createdAt.length > 0) {
     invite.createdAt = createdAt;
   }
@@ -20565,36 +20746,25 @@ function parseInviteRecord(payload) {
   return invite;
 }
 function parseInviteRedeemResponse(payload) {
-  if (!isRecord6(payload)) {
-    throw createCliError4(
+  if (!isRecord7(payload)) {
+    throw createCliError5(
       "CLI_INVITE_REDEEM_INVALID_RESPONSE",
       "Invite redeem response is invalid"
     );
   }
-  const apiKeySource = isRecord6(payload.apiKey) ? payload.apiKey : payload;
-  const apiKeyToken = parseNonEmptyString6(
-    isRecord6(payload.apiKey) ? payload.apiKey.token : payload.token
+  const apiKeySource = isRecord7(payload.apiKey) ? payload.apiKey : payload;
+  const apiKeyToken = parseNonEmptyString7(
+    isRecord7(payload.apiKey) ? payload.apiKey.token : payload.token
   );
   if (apiKeyToken.length === 0) {
-    throw createCliError4(
+    throw createCliError5(
       "CLI_INVITE_REDEEM_INVALID_RESPONSE",
       "Invite redeem response is invalid"
     );
   }
-  const apiKeyId = parseNonEmptyString6(apiKeySource.id);
-  const apiKeyName = parseNonEmptyString6(apiKeySource.name);
-  const proxyUrlCandidate = parseNonEmptyString6(payload.proxyUrl);
-  let proxyUrl;
-  if (proxyUrlCandidate.length > 0) {
-    try {
-      const parsed = new URL(proxyUrlCandidate);
-      if (parsed.protocol === "https:" || parsed.protocol === "http:") {
-        proxyUrl = parsed.toString();
-      }
-    } catch {
-      proxyUrl = void 0;
-    }
-  }
+  const apiKeyId = parseNonEmptyString7(apiKeySource.id);
+  const apiKeyName = parseNonEmptyString7(apiKeySource.name);
+  const proxyUrl = parseNonEmptyString7(payload.proxyUrl);
   return {
     apiKeyToken,
     apiKeyId: apiKeyId.length > 0 ? apiKeyId : void 0,
@@ -20629,13 +20799,13 @@ async function createInvite(options, dependencies = {}) {
         "content-type": "application/json"
       },
       body: JSON.stringify({
-        expiresAt: parseNonEmptyString6(options.expiresAt) || void 0
+        expiresAt: parseNonEmptyString7(options.expiresAt) || void 0
       })
     }
   });
-  const responseBody = await parseJsonResponse4(response);
+  const responseBody = await parseJsonResponse5(response);
   if (!response.ok) {
-    throw createCliError4(
+    throw createCliError5(
       "CLI_INVITE_CREATE_FAILED",
       mapCreateInviteError(response.status, responseBody)
     );
@@ -20646,9 +20816,9 @@ async function createInvite(options, dependencies = {}) {
   };
 }
 async function redeemInvite(code, options, dependencies = {}) {
-  const inviteCode = parseNonEmptyString6(code);
+  const inviteCode = parseNonEmptyString7(code);
   if (inviteCode.length === 0) {
-    throw createCliError4(
+    throw createCliError5(
       "CLI_INVITE_REDEEM_CODE_REQUIRED",
       "Invite code is required"
     );
@@ -20665,36 +20835,34 @@ async function redeemInvite(code, options, dependencies = {}) {
       body: JSON.stringify({ code: inviteCode })
     }
   });
-  const responseBody = await parseJsonResponse4(response);
+  const responseBody = await parseJsonResponse5(response);
   if (!response.ok) {
-    throw createCliError4(
+    throw createCliError5(
       "CLI_INVITE_REDEEM_FAILED",
       mapRedeemInviteError(response.status, responseBody)
     );
   }
+  const parsedRedeem = parseInviteRedeemResponse(responseBody);
+  const proxyUrl = parsedRedeem.proxyUrl.length > 0 ? parsedRedeem.proxyUrl : (await fetchRegistryMetadata(runtime.registryUrl, {
+    fetchImpl: runtime.fetchImpl
+  })).proxyUrl;
   return {
-    ...parseInviteRedeemResponse(responseBody),
+    ...parsedRedeem,
+    proxyUrl: normalizeProxyUrl(proxyUrl),
     registryUrl: runtime.registryUrl
   };
 }
-async function persistRedeemConfig(input, dependencies = {}) {
+async function persistRedeemConfig(registryUrl, apiKeyToken, proxyUrl, dependencies = {}) {
   const setConfigValueImpl = dependencies.setConfigValueImpl ?? setConfigValue;
   try {
-    await setConfigValueImpl("registryUrl", input.registryUrl);
-    await setConfigValueImpl("apiKey", input.apiKeyToken);
-    const resolvedProxyUrl = parseNonEmptyString6(input.proxyUrl) || deriveProxyUrlFromRegistryUrl(input.registryUrl);
-    if (!resolvedProxyUrl) {
-      throw createCliError4(
-        "CLI_INVITE_REDEEM_PROXY_URL_MISSING",
-        "Proxy URL is missing from onboarding response and could not be derived from registry URL."
-      );
-    }
-    await setConfigValueImpl("proxyUrl", resolvedProxyUrl);
+    await setConfigValueImpl("registryUrl", registryUrl);
+    await setConfigValueImpl("apiKey", apiKeyToken);
+    await setConfigValueImpl("proxyUrl", proxyUrl);
   } catch (error48) {
     logger7.warn("cli.invite_redeem_config_persist_failed", {
       errorName: error48 instanceof Error ? error48.name : "unknown"
     });
-    throw createCliError4(
+    throw createCliError5(
       "CLI_INVITE_REDEEM_CONFIG_PERSISTENCE_FAILED",
       "Failed to save redeemed API key locally"
     );
@@ -20702,7 +20870,7 @@ async function persistRedeemConfig(input, dependencies = {}) {
 }
 var createInviteCommand = (dependencies = {}) => {
   const inviteCommand = new Command6("invite").description(
-    "Manage registry onboarding invites"
+    "Manage registry onboarding invites (not OpenClaw peer relay invites)"
   );
   inviteCommand.command("create").description("Create a registry invite code (admin only)").option("--expires-at <timestamp>", "Optional invite expiry (ISO-8601)").option("--registry-url <url>", "Override registry URL").action(
     withErrorHandling(
@@ -20740,15 +20908,12 @@ var createInviteCommand = (dependencies = {}) => {
         writeStdoutLine("API key token (shown once):");
         writeStdoutLine(result.apiKeyToken);
         await persistRedeemConfig(
-          {
-            registryUrl: result.registryUrl,
-            apiKeyToken: result.apiKeyToken,
-            proxyUrl: result.proxyUrl
-          },
+          result.registryUrl,
+          result.apiKeyToken,
+          result.proxyUrl,
           dependencies
         );
         writeStdoutLine("API key saved to local config");
-        writeStdoutLine("Onboarding auth complete");
       }
     )
   );
@@ -20770,8 +20935,16 @@ var SECRET_KEY_FILE_NAME2 = "secret.key";
 var PEERS_FILE_NAME = "peers.json";
 var OPENCLAW_DIR_NAME = ".openclaw";
 var OPENCLAW_CONFIG_FILE_NAME = "openclaw.json";
-var LEGACY_OPENCLAW_STATE_DIR_NAMES = [".clawdbot", ".moldbot", ".moltbot"];
-var LEGACY_OPENCLAW_CONFIG_FILE_NAMES = ["clawdbot.json", "moldbot.json", "moltbot.json"];
+var LEGACY_OPENCLAW_STATE_DIR_NAMES = [
+  ".clawdbot",
+  ".moldbot",
+  ".moltbot"
+];
+var LEGACY_OPENCLAW_CONFIG_FILE_NAMES = [
+  "clawdbot.json",
+  "moldbot.json",
+  "moltbot.json"
+];
 var OPENCLAW_AGENT_FILE_NAME = "openclaw-agent-name";
 var OPENCLAW_RELAY_RUNTIME_FILE_NAME2 = "openclaw-relay.json";
 var OPENCLAW_CONNECTORS_FILE_NAME2 = "openclaw-connectors.json";
@@ -20783,6 +20956,8 @@ var HOOK_MAPPING_ID = "clawdentity-send-to-peer";
 var HOOK_PATH_SEND_TO_PEER = "send-to-peer";
 var OPENCLAW_SEND_TO_PEER_HOOK_PATH = "hooks/send-to-peer";
 var DEFAULT_OPENCLAW_BASE_URL2 = "http://127.0.0.1:18789";
+var DEFAULT_OPENCLAW_MAIN_SESSION_KEY = "main";
+var DEFAULT_OPENCLAW_AGENT_ID = "main";
 var DEFAULT_CONNECTOR_PORT = 19400;
 var DEFAULT_CONNECTOR_OUTBOUND_PATH3 = "/v1/outbound";
 var CONNECTOR_HOST_LOOPBACK = "127.0.0.1";
@@ -20798,10 +20973,10 @@ var OPENCLAW_SETUP_WITH_BASE_URL_HINT = `${OPENCLAW_SETUP_COMMAND_HINT} --opencl
 var OPENCLAW_PAIRING_COMMAND_HINT = "Run QR pairing first: clawdentity pair start <agentName> --qr and clawdentity pair confirm <agentName> --qr-file <path>";
 var textEncoder2 = new TextEncoder();
 var textDecoder = new TextDecoder();
-function isRecord7(value) {
+function isRecord8(value) {
   return typeof value === "object" && value !== null;
 }
-function createCliError5(code, message2, details) {
+function createCliError6(code, message2, details) {
   return new AppError({
     code,
     message: message2,
@@ -20810,14 +20985,14 @@ function createCliError5(code, message2, details) {
   });
 }
 function getErrorCode2(error48) {
-  if (!isRecord7(error48)) {
+  if (!isRecord8(error48)) {
     return void 0;
   }
   return typeof error48.code === "string" ? error48.code : void 0;
 }
-function parseNonEmptyString7(value, label) {
+function parseNonEmptyString8(value, label) {
   if (typeof value !== "string") {
-    throw createCliError5(
+    throw createCliError6(
       "CLI_OPENCLAW_INVALID_INPUT",
       "Input must be a string",
       {
@@ -20827,7 +21002,7 @@ function parseNonEmptyString7(value, label) {
   }
   const trimmed = value.trim();
   if (trimmed.length === 0) {
-    throw createCliError5(
+    throw createCliError6(
       "CLI_OPENCLAW_INVALID_INPUT",
       "Input must not be empty",
       { label }
@@ -20839,18 +21014,18 @@ function parseOptionalName(value) {
   if (value === void 0) {
     return void 0;
   }
-  return parseNonEmptyString7(value, "name");
+  return parseNonEmptyString8(value, "name");
 }
 function parsePeerAlias(value) {
-  const alias = parseNonEmptyString7(value, "peer alias");
+  const alias = parseNonEmptyString8(value, "peer alias");
   if (alias.length > 128) {
-    throw createCliError5(
+    throw createCliError6(
       "CLI_OPENCLAW_INVALID_PEER_ALIAS",
       "peer alias must be at most 128 characters"
     );
   }
   if (!PEER_ALIAS_PATTERN.test(alias)) {
-    throw createCliError5(
+    throw createCliError6(
       "CLI_OPENCLAW_INVALID_PEER_ALIAS",
       "peer alias must use only letters, numbers, dot, underscore, or hyphen"
     );
@@ -20865,15 +21040,15 @@ function parseProxyUrl(value) {
   });
 }
 function parseHttpUrl(value, input) {
-  const candidate = parseNonEmptyString7(value, input.label);
+  const candidate = parseNonEmptyString8(value, input.label);
   let parsedUrl;
   try {
     parsedUrl = new URL(candidate);
   } catch {
-    throw createCliError5(input.code, input.message);
+    throw createCliError6(input.code, input.message);
   }
   if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
-    throw createCliError5(input.code, `${input.label} must use http or https`);
+    throw createCliError6(input.code, `${input.label} must use http or https`);
   }
   if (parsedUrl.pathname === "/" && parsedUrl.search.length === 0 && parsedUrl.hash.length === 0) {
     return parsedUrl.origin;
@@ -20888,17 +21063,17 @@ function parseOpenclawBaseUrl(value) {
   });
 }
 function parseAgentDid2(value, label) {
-  const did = parseNonEmptyString7(value, label);
+  const did = parseNonEmptyString8(value, label);
   try {
     const parsed = parseDid(did);
     if (parsed.kind !== "agent") {
-      throw createCliError5(
+      throw createCliError6(
         "CLI_OPENCLAW_INVALID_DID",
         "DID is not an agent DID"
       );
     }
   } catch {
-    throw createCliError5("CLI_OPENCLAW_INVALID_DID", "Agent DID is invalid", {
+    throw createCliError6("CLI_OPENCLAW_INVALID_DID", "Agent DID is invalid", {
       label
     });
   }
@@ -20924,7 +21099,10 @@ function readNonEmptyEnvPath(value, homeDir) {
   return resolveHomePrefixedPath(value, homeDir);
 }
 function resolveOpenclawHomeDir(homeDir) {
-  const envOpenclawHome = readNonEmptyEnvPath(process.env.OPENCLAW_HOME, homeDir);
+  const envOpenclawHome = readNonEmptyEnvPath(
+    process.env.OPENCLAW_HOME,
+    homeDir
+  );
   return envOpenclawHome ?? homeDir;
 }
 function resolveDefaultOpenclawStateDir(openclawHomeDir) {
@@ -21020,7 +21198,7 @@ async function readJsonFile(filePath) {
   try {
     return JSON.parse(raw);
   } catch {
-    throw createCliError5("CLI_OPENCLAW_INVALID_JSON", "JSON file is invalid", {
+    throw createCliError6("CLI_OPENCLAW_INVALID_JSON", "JSON file is invalid", {
       filePath
     });
   }
@@ -21037,7 +21215,7 @@ async function ensureLocalAgentCredentials(homeDir, agentName) {
       content = await readFile4(filePath, "utf8");
     } catch (error48) {
       if (getErrorCode2(error48) === "ENOENT") {
-        throw createCliError5(
+        throw createCliError6(
           "CLI_OPENCLAW_MISSING_AGENT_CREDENTIALS",
           "Local agent credentials are missing",
           { agentName, filePath }
@@ -21046,7 +21224,7 @@ async function ensureLocalAgentCredentials(homeDir, agentName) {
       throw error48;
     }
     if (content.trim().length === 0) {
-      throw createCliError5(
+      throw createCliError6(
         "CLI_OPENCLAW_EMPTY_AGENT_CREDENTIALS",
         "Agent credential file is empty",
         { filePath }
@@ -21069,8 +21247,8 @@ async function loadPeersConfig(peersPath) {
     }
     throw error48;
   }
-  if (!isRecord7(parsed)) {
-    throw createCliError5(
+  if (!isRecord8(parsed)) {
+    throw createCliError6(
       "CLI_OPENCLAW_INVALID_PEERS_CONFIG",
       "Peer config root must be a JSON object",
       { peersPath }
@@ -21080,8 +21258,8 @@ async function loadPeersConfig(peersPath) {
   if (peersValue === void 0) {
     return { peers: {} };
   }
-  if (!isRecord7(peersValue)) {
-    throw createCliError5(
+  if (!isRecord8(peersValue)) {
+    throw createCliError6(
       "CLI_OPENCLAW_INVALID_PEERS_CONFIG",
       "Peer config peers field must be an object",
       { peersPath }
@@ -21090,8 +21268,8 @@ async function loadPeersConfig(peersPath) {
   const peers = {};
   for (const [alias, value] of Object.entries(peersValue)) {
     const normalizedAlias = parsePeerAlias(alias);
-    if (!isRecord7(value)) {
-      throw createCliError5(
+    if (!isRecord8(value)) {
+      throw createCliError6(
         "CLI_OPENCLAW_INVALID_PEERS_CONFIG",
         "Peer entry must be an object",
         { alias: normalizedAlias }
@@ -21120,21 +21298,21 @@ function parseConnectorBaseUrlForAssignment(value, label) {
   });
 }
 function parseConnectorAssignments(value, connectorAssignmentsPath) {
-  if (!isRecord7(value)) {
-    throw createCliError5(
+  if (!isRecord8(value)) {
+    throw createCliError6(
       "CLI_OPENCLAW_INVALID_CONNECTOR_ASSIGNMENTS",
       "Connector assignments config must be an object",
       { connectorAssignmentsPath }
     );
   }
   const agentsRaw = value.agents;
-  if (!isRecord7(agentsRaw)) {
+  if (!isRecord8(agentsRaw)) {
     return { agents: {} };
   }
   const agents = {};
   for (const [agentName, entryValue] of Object.entries(agentsRaw)) {
-    if (!isRecord7(entryValue)) {
-      throw createCliError5(
+    if (!isRecord8(entryValue)) {
+      throw createCliError6(
         "CLI_OPENCLAW_INVALID_CONNECTOR_ASSIGNMENTS",
         "Connector assignment entry must be an object",
         { connectorAssignmentsPath, agentName }
@@ -21205,8 +21383,8 @@ function buildRelayConnectorBaseUrls(port) {
   ];
 }
 function parseRelayRuntimeConfig(value, relayRuntimeConfigPath) {
-  if (!isRecord7(value)) {
-    throw createCliError5(
+  if (!isRecord8(value)) {
+    throw createCliError6(
       "CLI_OPENCLAW_INVALID_RELAY_RUNTIME_CONFIG",
       "Relay runtime config must be an object",
       { relayRuntimeConfigPath }
@@ -21260,7 +21438,7 @@ async function resolveOpenclawBaseUrl2(input) {
   }
   return DEFAULT_OPENCLAW_BASE_URL2;
 }
-function normalizeStringArrayWithValue(value, requiredValue) {
+function normalizeStringArrayWithValues(value, requiredValues) {
   const normalized = /* @__PURE__ */ new Set();
   if (Array.isArray(value)) {
     for (const item of value) {
@@ -21273,27 +21451,61 @@ function normalizeStringArrayWithValue(value, requiredValue) {
       }
     }
   }
-  normalized.add(requiredValue);
+  for (const requiredValue of requiredValues) {
+    const trimmed = requiredValue.trim();
+    if (trimmed.length > 0) {
+      normalized.add(trimmed);
+    }
+  }
   return Array.from(normalized);
 }
+function resolveHookDefaultSessionKey(config2, hooks) {
+  if (typeof hooks.defaultSessionKey === "string" && hooks.defaultSessionKey.trim().length > 0) {
+    return hooks.defaultSessionKey.trim();
+  }
+  const session = isRecord8(config2.session) ? config2.session : {};
+  const scope = typeof session.scope === "string" ? session.scope.trim().toLowerCase() : "";
+  if (scope === "global") {
+    return "global";
+  }
+  const agents = isRecord8(config2.agents) ? config2.agents : {};
+  const agentList = Array.isArray(agents.list) ? agents.list : [];
+  const defaultAgentId = resolveDefaultOpenclawAgentId(agentList);
+  return `agent:${defaultAgentId}:${DEFAULT_OPENCLAW_MAIN_SESSION_KEY}`;
+}
+function resolveDefaultOpenclawAgentId(agentList) {
+  const preferred = agentList.find(
+    (agent) => isRecord8(agent) && agent.default === true && typeof agent.id === "string" && agent.id.trim().length > 0
+  ) ?? agentList.find(
+    (agent) => isRecord8(agent) && typeof agent.id === "string" && agent.id.trim().length > 0
+  );
+  if (isRecord8(preferred) && typeof preferred.id === "string" && preferred.id.trim().length > 0) {
+    return normalizeOpenclawIdToken(preferred.id, DEFAULT_OPENCLAW_AGENT_ID);
+  }
+  return DEFAULT_OPENCLAW_AGENT_ID;
+}
+function normalizeOpenclawIdToken(value, fallback) {
+  const normalized = value.trim().toLowerCase().replace(/[^a-z0-9_-]+/g, "-").replace(/^-+/g, "").replace(/-+$/g, "").slice(0, 64);
+  return normalized.length > 0 ? normalized : fallback;
+}
 function generateOpenclawHookToken() {
   return randomBytes3(OPENCLAW_HOOK_TOKEN_BYTES).toString("hex");
 }
 function upsertRelayHookMapping(mappingsValue) {
-  const mappings = Array.isArray(mappingsValue) ? mappingsValue.filter(isRecord7).map((mapping) => ({ ...mapping })) : [];
+  const mappings = Array.isArray(mappingsValue) ? mappingsValue.filter(isRecord8).map((mapping) => ({ ...mapping })) : [];
   const existingIndex = mappings.findIndex((mapping) => {
     if (mapping.id === HOOK_MAPPING_ID) {
       return true;
     }
-    if (!isRecord7(mapping.match)) {
+    if (!isRecord8(mapping.match)) {
       return false;
     }
     return mapping.match.path === HOOK_PATH_SEND_TO_PEER;
   });
-  const baseMapping = existingIndex >= 0 && isRecord7(mappings[existingIndex]) ? mappings[existingIndex] : {};
-  const nextMatch = isRecord7(baseMapping.match) ? { ...baseMapping.match } : {};
+  const baseMapping = existingIndex >= 0 && isRecord8(mappings[existingIndex]) ? mappings[existingIndex] : {};
+  const nextMatch = isRecord8(baseMapping.match) ? { ...baseMapping.match } : {};
   nextMatch.path = HOOK_PATH_SEND_TO_PEER;
-  const nextTransform = isRecord7(baseMapping.transform) ? { ...baseMapping.transform } : {};
+  const nextTransform = isRecord8(baseMapping.transform) ? { ...baseMapping.transform } : {};
   nextTransform.module = RELAY_MODULE_FILE_NAME;
   const relayMapping = {
     ...baseMapping,
@@ -21316,7 +21528,7 @@ async function patchOpenclawConfig(openclawConfigPath, hookToken) {
     config2 = await readJsonFile(openclawConfigPath);
   } catch (error48) {
     if (getErrorCode2(error48) === "ENOENT") {
-      throw createCliError5(
+      throw createCliError6(
         "CLI_OPENCLAW_CONFIG_NOT_FOUND",
         "OpenClaw config file was not found",
         { openclawConfigPath }
@@ -21324,23 +21536,25 @@ async function patchOpenclawConfig(openclawConfigPath, hookToken) {
     }
     throw error48;
   }
-  if (!isRecord7(config2)) {
-    throw createCliError5(
+  if (!isRecord8(config2)) {
+    throw createCliError6(
       "CLI_OPENCLAW_INVALID_CONFIG",
       "OpenClaw config root must be an object",
       { openclawConfigPath }
     );
   }
-  const hooks = isRecord7(config2.hooks) ? { ...config2.hooks } : {};
+  const hooks = isRecord8(config2.hooks) ? { ...config2.hooks } : {};
   const existingHookToken = typeof hooks.token === "string" && hooks.token.trim().length > 0 ? hooks.token.trim() : void 0;
   const preferredHookToken = typeof hookToken === "string" && hookToken.trim().length > 0 ? hookToken.trim() : void 0;
   const resolvedHookToken = existingHookToken ?? preferredHookToken ?? generateOpenclawHookToken();
+  const defaultSessionKey = resolveHookDefaultSessionKey(config2, hooks);
   hooks.enabled = true;
   hooks.token = resolvedHookToken;
+  hooks.defaultSessionKey = defaultSessionKey;
   hooks.allowRequestSessionKey = false;
-  hooks.allowedSessionKeyPrefixes = normalizeStringArrayWithValue(
+  hooks.allowedSessionKeyPrefixes = normalizeStringArrayWithValues(
     hooks.allowedSessionKeyPrefixes,
-    "hook:"
+    ["hook:", defaultSessionKey]
   );
   hooks.mappings = upsertRelayHookMapping(hooks.mappings);
   const nextConfig = {
@@ -21368,10 +21582,10 @@ function toDoctorResult(checks) {
   };
 }
 function isRelayHookMapping(value) {
-  if (!isRecord7(value)) {
+  if (!isRecord8(value)) {
     return false;
   }
-  if (!isRecord7(value.match) || value.match.path !== HOOK_PATH_SEND_TO_PEER) {
+  if (!isRecord8(value.match) || value.match.path !== HOOK_PATH_SEND_TO_PEER) {
     return false;
   }
   if (typeof value.id === "string" && value.id !== HOOK_MAPPING_ID) {
@@ -21380,7 +21594,7 @@ function isRelayHookMapping(value) {
   return true;
 }
 function hasRelayTransformModule(value) {
-  if (!isRecord7(value) || !isRecord7(value.transform)) {
+  if (!isRecord8(value) || !isRecord8(value.transform)) {
     return false;
   }
   return value.transform.module === RELAY_MODULE_FILE_NAME;
@@ -21459,6 +21673,7 @@ async function runOpenclawDoctor(options = {}) {
   const resolveConfigImpl = options.resolveConfigImpl ?? resolveConfig;
   try {
     const resolvedConfig = await resolveConfigImpl();
+    const envProxyUrl = typeof process.env.CLAWDENTITY_PROXY_URL === "string" ? process.env.CLAWDENTITY_PROXY_URL.trim() : "";
     if (typeof resolvedConfig.registryUrl !== "string" || resolvedConfig.registryUrl.trim().length === 0) {
       checks.push(
         toDoctorCheck({
@@ -21479,15 +21694,68 @@ async function runOpenclawDoctor(options = {}) {
           remediationHint: "Run: clawdentity config set apiKey <API_KEY>"
         })
       );
-    } else {
+    } else if (envProxyUrl.length > 0) {
+      let hasValidEnvProxyUrl = true;
+      try {
+        parseProxyUrl(envProxyUrl);
+      } catch {
+        hasValidEnvProxyUrl = false;
+        checks.push(
+          toDoctorCheck({
+            id: "config.registry",
+            label: "CLI config",
+            status: "fail",
+            message: "CLAWDENTITY_PROXY_URL is invalid",
+            remediationHint: "Set CLAWDENTITY_PROXY_URL to a valid http(s) URL or unset it"
+          })
+        );
+      }
+      if (hasValidEnvProxyUrl) {
+        checks.push(
+          toDoctorCheck({
+            id: "config.registry",
+            label: "CLI config",
+            status: "pass",
+            message: "registryUrl and apiKey are configured (proxy URL override is active via CLAWDENTITY_PROXY_URL)"
+          })
+        );
+      }
+    } else if (typeof resolvedConfig.proxyUrl !== "string" || resolvedConfig.proxyUrl.trim().length === 0) {
       checks.push(
         toDoctorCheck({
           id: "config.registry",
           label: "CLI config",
-          status: "pass",
-          message: "registryUrl and apiKey are configured"
+          status: "fail",
+          message: "proxyUrl is missing",
+          remediationHint: "Run: clawdentity invite redeem <clw_inv_...> or clawdentity config init"
         })
       );
+    } else {
+      let hasValidConfigProxyUrl = true;
+      try {
+        parseProxyUrl(resolvedConfig.proxyUrl);
+      } catch {
+        hasValidConfigProxyUrl = false;
+        checks.push(
+          toDoctorCheck({
+            id: "config.registry",
+            label: "CLI config",
+            status: "fail",
+            message: "proxyUrl is invalid",
+            remediationHint: "Run: clawdentity invite redeem <clw_inv_...> or clawdentity config init"
+          })
+        );
+      }
+      if (hasValidConfigProxyUrl) {
+        checks.push(
+          toDoctorCheck({
+            id: "config.registry",
+            label: "CLI config",
+            status: "pass",
+            message: "registryUrl, apiKey, and proxyUrl are configured"
+          })
+        );
+      }
     }
   } catch {
     checks.push(
@@ -21681,13 +21949,13 @@ async function runOpenclawDoctor(options = {}) {
   const openclawConfigPath = resolveOpenclawConfigPath(openclawDir, homeDir);
   try {
     const openclawConfig = await readJsonFile(openclawConfigPath);
-    if (!isRecord7(openclawConfig)) {
+    if (!isRecord8(openclawConfig)) {
       throw new Error("root");
     }
-    const hooks = isRecord7(openclawConfig.hooks) ? openclawConfig.hooks : {};
+    const hooks = isRecord8(openclawConfig.hooks) ? openclawConfig.hooks : {};
     const hooksEnabled = hooks.enabled === true;
     const hookToken = typeof hooks.token === "string" && hooks.token.trim().length > 0 ? hooks.token.trim() : void 0;
-    const mappings = Array.isArray(hooks.mappings) ? hooks.mappings.filter(isRecord7) : [];
+    const mappings = Array.isArray(hooks.mappings) ? hooks.mappings.filter(isRecord8) : [];
     const relayMapping = mappings.find(
       (mapping) => isRelayHookMapping(mapping)
     );
@@ -21835,13 +22103,13 @@ async function resolveRelayProbePeerAlias(input) {
     return peerAliases[0];
   }
   if (peerAliases.length === 0) {
-    throw createCliError5(
+    throw createCliError6(
       "CLI_OPENCLAW_RELAY_TEST_PEER_REQUIRED",
       "No paired peer is configured yet. Complete QR pairing first.",
       { peersPath }
     );
   }
-  throw createCliError5(
+  throw createCliError6(
     "CLI_OPENCLAW_RELAY_TEST_PEER_REQUIRED",
     "Multiple peers are configured. Pass --peer <alias> to choose one.",
     { peersPath, peerAliases }
@@ -21998,7 +22266,7 @@ async function setupOpenclawRelay(agentName, options) {
     await copyFile(transformSource, transformTargetPath);
   } catch (error48) {
     if (getErrorCode2(error48) === "ENOENT") {
-      throw createCliError5(
+      throw createCliError6(
         "CLI_OPENCLAW_TRANSFORM_NOT_FOUND",
         "Relay transform source file was not found",
         { transformSource }
@@ -22216,26 +22484,26 @@ var PAIRING_QR_MAX_AGE_SECONDS = 900;
 var PAIRING_QR_FILENAME_PATTERN = /-pair-(\d+)\.png$/;
 var FILE_MODE4 = 384;
 var PEER_ALIAS_PATTERN2 = /^[a-zA-Z0-9._-]+$/;
-var isRecord8 = (value) => {
+var isRecord9 = (value) => {
   return typeof value === "object" && value !== null;
 };
-function createCliError6(code, message2) {
+function createCliError7(code, message2) {
   return new AppError({
     code,
     message: message2,
     status: 400
   });
 }
-function parseNonEmptyString8(value) {
+function parseNonEmptyString9(value) {
   if (typeof value !== "string") {
     return "";
   }
   return value.trim();
 }
 function parsePairingTicket(value) {
-  const ticket = parseNonEmptyString8(value);
+  const ticket = parseNonEmptyString9(value);
   if (!ticket.startsWith(PAIRING_TICKET_PREFIX)) {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_CONFIRM_TICKET_INVALID",
       "Pairing ticket is invalid"
     );
@@ -22245,7 +22513,7 @@ function parsePairingTicket(value) {
 function parsePairingTicketIssuerOrigin(ticket) {
   const encodedPayload = ticket.slice(PAIRING_TICKET_PREFIX.length);
   if (encodedPayload.length === 0) {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_CONFIRM_TICKET_INVALID",
       "Pairing ticket is invalid"
     );
@@ -22254,7 +22522,7 @@ function parsePairingTicketIssuerOrigin(ticket) {
   try {
     payloadRaw = new TextDecoder().decode(decodeBase64url(encodedPayload));
   } catch {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_CONFIRM_TICKET_INVALID",
       "Pairing ticket is invalid"
     );
@@ -22263,13 +22531,13 @@ function parsePairingTicketIssuerOrigin(ticket) {
   try {
     payload = JSON.parse(payloadRaw);
   } catch {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_CONFIRM_TICKET_INVALID",
       "Pairing ticket is invalid"
     );
   }
-  if (!isRecord8(payload) || typeof payload.iss !== "string") {
-    throw createCliError6(
+  if (!isRecord9(payload) || typeof payload.iss !== "string") {
+    throw createCliError7(
       "CLI_PAIR_CONFIRM_TICKET_INVALID",
       "Pairing ticket is invalid"
     );
@@ -22278,13 +22546,13 @@ function parsePairingTicketIssuerOrigin(ticket) {
   try {
     issuerUrl = new URL(payload.iss);
   } catch {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_CONFIRM_TICKET_INVALID",
       "Pairing ticket is invalid"
     );
   }
   if (issuerUrl.protocol !== "https:" && issuerUrl.protocol !== "http:") {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_CONFIRM_TICKET_INVALID",
       "Pairing ticket is invalid"
     );
@@ -22293,13 +22561,13 @@ function parsePairingTicketIssuerOrigin(ticket) {
 }
 function parsePeerAlias2(value) {
   if (value.length === 0 || value.length > 128) {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_PEER_ALIAS_INVALID",
       "Generated peer alias is invalid"
     );
   }
   if (!PEER_ALIAS_PATTERN2.test(value)) {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_PEER_ALIAS_INVALID",
       "Generated peer alias is invalid"
     );
@@ -22336,16 +22604,16 @@ function resolvePeersConfigPath(getConfigDirImpl) {
   return join7(getConfigDirImpl(), PEERS_FILE_NAME2);
 }
 function parsePeerEntry(value) {
-  if (!isRecord8(value)) {
-    throw createCliError6(
+  if (!isRecord9(value)) {
+    throw createCliError7(
       "CLI_PAIR_PEERS_CONFIG_INVALID",
       "Peer entry must be an object"
     );
   }
-  const did = parseNonEmptyString8(value.did);
-  const proxyUrl = parseNonEmptyString8(value.proxyUrl);
+  const did = parseNonEmptyString9(value.did);
+  const proxyUrl = parseNonEmptyString9(value.proxyUrl);
   if (did.length === 0 || proxyUrl.length === 0) {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_PEERS_CONFIG_INVALID",
       "Peer entry is invalid"
     );
@@ -22371,13 +22639,13 @@ async function loadPeersConfig2(input) {
   try {
     parsed = JSON.parse(raw);
   } catch {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_PEERS_CONFIG_INVALID",
       "Peer config is not valid JSON"
     );
   }
-  if (!isRecord8(parsed)) {
-    throw createCliError6(
+  if (!isRecord9(parsed)) {
+    throw createCliError7(
       "CLI_PAIR_PEERS_CONFIG_INVALID",
       "Peer config must be a JSON object"
     );
@@ -22385,8 +22653,8 @@ async function loadPeersConfig2(input) {
   if (parsed.peers === void 0) {
     return { peers: {} };
   }
-  if (!isRecord8(parsed.peers)) {
-    throw createCliError6(
+  if (!isRecord9(parsed.peers)) {
+    throw createCliError7(
       "CLI_PAIR_PEERS_CONFIG_INVALID",
       "Peer config peers field must be an object"
     );
@@ -22409,13 +22677,13 @@ async function savePeersConfig2(input) {
   await input.chmodImpl(peersPath, FILE_MODE4);
 }
 function parseTtlSeconds(value) {
-  const raw = parseNonEmptyString8(value);
+  const raw = parseNonEmptyString9(value);
   if (raw.length === 0) {
     return void 0;
   }
   const parsed = Number.parseInt(raw, 10);
   if (!Number.isInteger(parsed) || parsed < 1) {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_START_INVALID_TTL",
       "ttlSeconds must be a positive integer"
     );
@@ -22430,36 +22698,31 @@ function parseProxyUrl2(candidate) {
     }
     return parsed.toString();
   } catch {
-    throw createCliError6("CLI_PAIR_INVALID_PROXY_URL", "Proxy URL is invalid");
+    throw createCliError7("CLI_PAIR_INVALID_PROXY_URL", "Proxy URL is invalid");
   }
 }
-function resolveProxyUrlCandidates(input) {
-  const explicit = parseNonEmptyString8(input.overrideProxyUrl);
-  if (explicit.length > 0) {
-    return [parseProxyUrl2(explicit)];
-  }
-  const fromEnv = parseNonEmptyString8(process.env.CLAWDENTITY_PROXY_URL);
+async function resolveProxyUrl(input) {
+  const fromEnv = parseNonEmptyString9(process.env.CLAWDENTITY_PROXY_URL);
   if (fromEnv.length > 0) {
-    return [parseProxyUrl2(fromEnv)];
+    return parseProxyUrl2(fromEnv);
   }
-  const fromConfig = parseNonEmptyString8(input.config.proxyUrl);
-  if (fromConfig.length > 0) {
-    return [parseProxyUrl2(fromConfig)];
+  const metadata = await fetchRegistryMetadata(input.config.registryUrl, {
+    fetchImpl: input.fetchImpl
+  });
+  const metadataProxyUrl = parseProxyUrl2(metadata.proxyUrl);
+  const configuredProxyUrl = parseNonEmptyString9(input.config.proxyUrl);
+  if (configuredProxyUrl.length === 0) {
+    return metadataProxyUrl;
   }
-  const derivedFromRegistry = deriveProxyUrlFromRegistryUrl(
-    input.config.registryUrl || DEFAULT_REGISTRY_URL
-  );
-  if (typeof derivedFromRegistry === "string" && derivedFromRegistry.length > 0) {
-    return [parseProxyUrl2(derivedFromRegistry)];
+  const normalizedConfiguredProxyUrl = parseProxyUrl2(configuredProxyUrl);
+  if (normalizedConfiguredProxyUrl === metadataProxyUrl) {
+    return metadataProxyUrl;
   }
-  throw createCliError6(
-    "CLI_PAIR_PROXY_URL_REQUIRED",
-    "Proxy URL could not be resolved. Run onboarding invite redeem again or set proxyUrl via `clawdentity config set proxyUrl <url>`."
+  throw createCliError7(
+    "CLI_PAIR_PROXY_URL_MISMATCH",
+    `Configured proxy URL does not match registry metadata. config=${normalizedConfiguredProxyUrl} metadata=${metadataProxyUrl}. Rerun onboarding invite redeem to refresh config.`
   );
 }
-function resolveProxyUrl(input) {
-  return resolveProxyUrlCandidates(input)[0];
-}
 function toProxyRequestUrl(proxyUrl, path) {
   const normalizedBase = proxyUrl.endsWith("/") ? proxyUrl : `${proxyUrl}/`;
   return new URL(path.slice(1), normalizedBase).toString();
@@ -22469,7 +22732,7 @@ function toPathWithQuery3(url2) {
   return `${parsed.pathname}${parsed.search}`;
 }
 function extractErrorCode(payload) {
-  if (!isRecord8(payload)) {
+  if (!isRecord9(payload)) {
     return void 0;
   }
   const envelope = payload;
@@ -22480,7 +22743,7 @@ function extractErrorCode(payload) {
   return code.length > 0 ? code : void 0;
 }
 function extractErrorMessage(payload) {
-  if (!isRecord8(payload)) {
+  if (!isRecord9(payload)) {
     return void 0;
   }
   const envelope = payload;
@@ -22490,7 +22753,7 @@ function extractErrorMessage(payload) {
   const message2 = envelope.error.message.trim();
   return message2.length > 0 ? message2 : void 0;
 }
-async function parseJsonResponse5(response) {
+async function parseJsonResponse6(response) {
   try {
     return await response.json();
   } catch {
@@ -22501,7 +22764,7 @@ async function executePairRequest(input) {
   try {
     return await input.fetchImpl(input.url, input.init);
   } catch {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_REQUEST_FAILED",
       "Unable to connect to proxy URL. Check network access and proxyUrl."
     );
@@ -22548,17 +22811,17 @@ function mapConfirmPairError(status, payload) {
   return `Pair confirm failed (${status})`;
 }
 function parsePairStartResponse(payload) {
-  if (!isRecord8(payload)) {
-    throw createCliError6(
+  if (!isRecord9(payload)) {
+    throw createCliError7(
       "CLI_PAIR_START_INVALID_RESPONSE",
       "Pair start response is invalid"
     );
   }
   const ticket = parsePairingTicket(payload.ticket);
-  const initiatorAgentDid = parseNonEmptyString8(payload.initiatorAgentDid);
-  const expiresAt = parseNonEmptyString8(payload.expiresAt);
+  const initiatorAgentDid = parseNonEmptyString9(payload.initiatorAgentDid);
+  const expiresAt = parseNonEmptyString9(payload.expiresAt);
   if (initiatorAgentDid.length === 0 || expiresAt.length === 0) {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_START_INVALID_RESPONSE",
       "Pair start response is invalid"
     );
@@ -22570,17 +22833,17 @@ function parsePairStartResponse(payload) {
   };
 }
 function parsePairConfirmResponse(payload) {
-  if (!isRecord8(payload)) {
-    throw createCliError6(
+  if (!isRecord9(payload)) {
+    throw createCliError7(
       "CLI_PAIR_CONFIRM_INVALID_RESPONSE",
       "Pair confirm response is invalid"
     );
   }
   const paired = payload.paired === true;
-  const initiatorAgentDid = parseNonEmptyString8(payload.initiatorAgentDid);
-  const responderAgentDid = parseNonEmptyString8(payload.responderAgentDid);
+  const initiatorAgentDid = parseNonEmptyString9(payload.initiatorAgentDid);
+  const responderAgentDid = parseNonEmptyString9(payload.responderAgentDid);
   if (!paired || initiatorAgentDid.length === 0 || responderAgentDid.length === 0) {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_CONFIRM_INVALID_RESPONSE",
       "Pair confirm response is invalid"
     );
@@ -22608,7 +22871,7 @@ async function readAgentProofMaterial(agentName, dependencies) {
   } catch (error48) {
     const nodeError = error48;
     if (nodeError.code === "ENOENT") {
-      throw createCliError6(
+      throw createCliError7(
         "CLI_PAIR_AGENT_NOT_FOUND",
         `Agent "${normalizedAgentName}" is missing ${AIT_FILE_NAME4}. Run agent create first.`
       );
@@ -22616,7 +22879,7 @@ async function readAgentProofMaterial(agentName, dependencies) {
     throw error48;
   }
   if (ait.length === 0) {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_AGENT_NOT_FOUND",
       `Agent "${normalizedAgentName}" has an empty ${AIT_FILE_NAME4}`
     );
@@ -22627,7 +22890,7 @@ async function readAgentProofMaterial(agentName, dependencies) {
   } catch (error48) {
     const nodeError = error48;
     if (nodeError.code === "ENOENT") {
-      throw createCliError6(
+      throw createCliError7(
         "CLI_PAIR_AGENT_NOT_FOUND",
         `Agent "${normalizedAgentName}" is missing ${SECRET_KEY_FILE_NAME3}. Run agent create first.`
       );
@@ -22635,7 +22898,7 @@ async function readAgentProofMaterial(agentName, dependencies) {
     throw error48;
   }
   if (encodedSecretKey.length === 0) {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_AGENT_NOT_FOUND",
       `Agent "${normalizedAgentName}" has an empty ${SECRET_KEY_FILE_NAME3}`
     );
@@ -22644,7 +22907,7 @@ async function readAgentProofMaterial(agentName, dependencies) {
   try {
     secretKey = decodeBase64url(encodedSecretKey);
   } catch {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_AGENT_NOT_FOUND",
       `Agent "${normalizedAgentName}" has invalid ${SECRET_KEY_FILE_NAME3}`
     );
@@ -22655,11 +22918,11 @@ async function readAgentProofMaterial(agentName, dependencies) {
   };
 }
 function resolveOwnerPat(options) {
-  const ownerPat = parseNonEmptyString8(options.explicitOwnerPat) || parseNonEmptyString8(options.config.apiKey);
+  const ownerPat = parseNonEmptyString9(options.explicitOwnerPat) || parseNonEmptyString9(options.config.apiKey);
   if (ownerPat.length > 0) {
     return ownerPat;
   }
-  throw createCliError6(
+  throw createCliError7(
     "CLI_PAIR_START_OWNER_PAT_REQUIRED",
     "Owner PAT is required. Pass --owner-pat <token> or configure API key with `clawdentity invite redeem` / `clawdentity config set apiKey <token>`."
   );
@@ -22689,7 +22952,7 @@ function decodeTicketFromPng(imageBytes) {
   try {
     decodedPng = PNG.sync.read(Buffer.from(imageBytes));
   } catch {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_CONFIRM_QR_FILE_INVALID",
       "QR image file is invalid or unsupported"
     );
@@ -22700,8 +22963,8 @@ function decodeTicketFromPng(imageBytes) {
     decodedPng.data.byteLength
   );
   const decoded = jsQR(imageData, decodedPng.width, decodedPng.height);
-  if (!decoded || parseNonEmptyString8(decoded.data).length === 0) {
-    throw createCliError6(
+  if (!decoded || parseNonEmptyString9(decoded.data).length === 0) {
+    throw createCliError7(
       "CLI_PAIR_CONFIRM_QR_NOT_FOUND",
       "No pairing QR code was found in the image"
     );
@@ -22716,7 +22979,7 @@ async function persistPairingQr(input) {
   const getConfigDirImpl = input.dependencies.getConfigDirImpl ?? getConfigDir;
   const qrEncodeImpl = input.dependencies.qrEncodeImpl ?? encodeTicketQrPng;
   const baseDir = join7(getConfigDirImpl(), PAIRING_QR_DIR_NAME);
-  const outputPath = parseNonEmptyString8(input.qrOutput) ? resolve(input.qrOutput ?? "") : join7(
+  const outputPath = parseNonEmptyString9(input.qrOutput) ? resolve(input.qrOutput ?? "") : join7(
     baseDir,
     `${assertValidAgentName(input.agentName)}-pair-${input.nowSeconds}.png`
   );
@@ -22757,10 +23020,10 @@ async function persistPairingQr(input) {
   return outputPath;
 }
 function resolveConfirmTicketSource(options) {
-  const inlineTicket = parseNonEmptyString8(options.ticket);
-  const qrFile = parseNonEmptyString8(options.qrFile);
+  const inlineTicket = parseNonEmptyString9(options.ticket);
+  const qrFile = parseNonEmptyString9(options.qrFile);
   if (inlineTicket.length > 0 && qrFile.length > 0) {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_CONFIRM_INPUT_CONFLICT",
       "Provide either --ticket or --qr-file, not both"
     );
@@ -22778,7 +23041,7 @@ function resolveConfirmTicketSource(options) {
       qrFilePath: resolve(qrFile)
     };
   }
-  throw createCliError6(
+  throw createCliError7(
     "CLI_PAIR_CONFIRM_TICKET_REQUIRED",
     "Pairing ticket is required. Pass --ticket <clwpair1_...> or --qr-file <path>."
   );
@@ -22819,14 +23082,14 @@ async function startPairing(agentName, options, dependencies = {}) {
   const nonceFactoryImpl = dependencies.nonceFactoryImpl ?? (() => randomBytes4(NONCE_SIZE2).toString("base64url"));
   const ttlSeconds = parseTtlSeconds(options.ttlSeconds);
   const config2 = await resolveConfigImpl();
-  const proxyUrl = resolveProxyUrl({
-    overrideProxyUrl: options.proxyUrl,
-    config: config2
-  });
   const ownerPat = resolveOwnerPat({
     explicitOwnerPat: options.ownerPat,
     config: config2
   });
+  const proxyUrl = await resolveProxyUrl({
+    config: config2,
+    fetchImpl
+  });
   const { ait, secretKey } = await readAgentProofMaterial(
     agentName,
     dependencies
@@ -22860,9 +23123,9 @@ async function startPairing(agentName, options, dependencies = {}) {
       body: requestBody
     }
   });
-  const responseBody = await parseJsonResponse5(response);
+  const responseBody = await parseJsonResponse6(response);
   if (!response.ok) {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_START_FAILED",
       mapStartPairError(response.status, responseBody)
     );
@@ -22892,14 +23155,14 @@ async function confirmPairing(agentName, options, dependencies = {}) {
   const qrDecodeImpl = dependencies.qrDecodeImpl ?? decodeTicketFromPng;
   const config2 = await resolveConfigImpl();
   const ticketSource = resolveConfirmTicketSource(options);
-  const proxyUrl = resolveProxyUrl({
-    overrideProxyUrl: options.proxyUrl,
-    config: config2
+  const proxyUrl = await resolveProxyUrl({
+    config: config2,
+    fetchImpl
   });
   let ticket = ticketSource.ticket;
   if (ticketSource.source === "qr-file") {
     if (!ticketSource.qrFilePath) {
-      throw createCliError6(
+      throw createCliError7(
         "CLI_PAIR_CONFIRM_QR_FILE_REQUIRED",
         "QR file path is required"
       );
@@ -22910,7 +23173,7 @@ async function confirmPairing(agentName, options, dependencies = {}) {
     } catch (error48) {
       const nodeError = error48;
       if (nodeError.code === "ENOENT") {
-        throw createCliError6(
+        throw createCliError7(
           "CLI_PAIR_CONFIRM_QR_FILE_NOT_FOUND",
           `QR file not found: ${ticketSource.qrFilePath}`
         );
@@ -22949,9 +23212,9 @@ async function confirmPairing(agentName, options, dependencies = {}) {
       body: requestBody
     }
   });
-  const responseBody = await parseJsonResponse5(response);
+  const responseBody = await parseJsonResponse6(response);
   if (!response.ok) {
-    throw createCliError6(
+    throw createCliError7(
       "CLI_PAIR_CONFIRM_FAILED",
       mapConfirmPairError(response.status, responseBody)
     );
@@ -22985,7 +23248,7 @@ var createPairCommand = (dependencies = {}) => {
   const pairCommand = new Command8("pair").description(
     "Manage proxy trust pairing between agents"
   );
-  pairCommand.command("start <agentName>").description("Start pairing and issue one-time pairing ticket").option("--proxy-url <url>", "Optional initiator proxy base URL override").option(
+  pairCommand.command("start <agentName>").description("Start pairing and issue one-time pairing ticket").option(
     "--owner-pat <token>",
     "Owner PAT override (defaults to configured API key)"
   ).option("--ttl-seconds <seconds>", "Pairing ticket expiry in seconds").option("--qr", "Generate a local QR file for sharing").option("--qr-output <path>", "Write QR PNG to a specific file path").action(
@@ -23009,7 +23272,7 @@ var createPairCommand = (dependencies = {}) => {
       }
     )
   );
-  pairCommand.command("confirm <agentName>").description("Confirm pairing using one-time pairing ticket").option("--ticket <ticket>", "One-time pairing ticket (clwpair1_...)").option("--qr-file <path>", "Path to pairing QR PNG file").option("--proxy-url <url>", "Optional responder proxy base URL override").action(
+  pairCommand.command("confirm <agentName>").description("Confirm pairing using one-time pairing ticket").option("--ticket <ticket>", "One-time pairing ticket (clwpair1_...)").option("--qr-file <path>", "Path to pairing QR PNG file").action(
     withErrorHandling(
       "pair confirm",
       async (agentName, options) => {
@@ -23047,10 +23310,10 @@ var VerifyCommandError = class extends Error {
     this.name = "VerifyCommandError";
   }
 };
-var isRecord9 = (value) => {
+var isRecord10 = (value) => {
   return typeof value === "object" && value !== null;
 };
-var normalizeRegistryUrl = (registryUrl) => {
+var normalizeRegistryUrl2 = (registryUrl) => {
   try {
     return new URL(registryUrl).toString();
   } catch {
@@ -23115,7 +23378,7 @@ var parseResponseJson = async (response) => {
   }
 };
 var parseSigningKeys = (payload) => {
-  if (!isRecord9(payload) || !Array.isArray(payload.keys)) {
+  if (!isRecord10(payload) || !Array.isArray(payload.keys)) {
     throw new VerifyCommandError(
       "verification keys unavailable (response payload is invalid)"
     );
@@ -23134,7 +23397,7 @@ var parseSigningKeys = (payload) => {
 };
 var parseRegistryKeysCache = (rawCache) => {
   const parsed = parseJson(rawCache);
-  if (!isRecord9(parsed)) {
+  if (!isRecord10(parsed)) {
     return void 0;
   }
   const { registryUrl, fetchedAtMs, keys } = parsed;
@@ -23160,7 +23423,7 @@ var parseRegistryKeysCache = (rawCache) => {
 };
 var parseCrlCache = (rawCache) => {
   const parsed = parseJson(rawCache);
-  if (!isRecord9(parsed)) {
+  if (!isRecord10(parsed)) {
     return void 0;
   }
   const { registryUrl, fetchedAtMs, claims } = parsed;
@@ -23258,7 +23521,7 @@ var fetchCrlClaims = async (input) => {
     );
   }
   const payload = await parseResponseJson(response);
-  if (!isRecord9(payload) || typeof payload.crl !== "string") {
+  if (!isRecord10(payload) || typeof payload.crl !== "string") {
     throw new VerifyCommandError(
       "revocation check unavailable (response payload is invalid)"
     );
@@ -23303,7 +23566,7 @@ var loadCrlClaims = async (input) => {
   return claims;
 };
 var toInvalidTokenReason = (error48) => {
-  if (isRecord9(error48) && typeof error48.message === "string") {
+  if (isRecord10(error48) && typeof error48.message === "string") {
     return `invalid token (${error48.message})`;
   }
   if (error48 instanceof Error && error48.message.length > 0) {
@@ -23321,7 +23584,7 @@ var printResult = (passed, reason) => {
 };
 var runVerify = async (tokenOrFile) => {
   const config2 = await resolveConfig();
-  const registryUrl = normalizeRegistryUrl(config2.registryUrl);
+  const registryUrl = normalizeRegistryUrl2(config2.registryUrl);
   const expectedIssuer = toExpectedIssuer(registryUrl);
   const token = await resolveToken(tokenOrFile);
   let keys;