clawdentity 0.0.12 → 0.0.14

package/dist/bin.js

@@ -17064,8 +17064,8 @@ function createLogger(baseFields = {}) {
 var DEFAULT_NONCE_TTL_MS = 5 * 60 * 1e3;
 
 // src/index.ts
-import { createRequire } from "module";
-import { Command as Command10 } from "commander";
+import { createRequire as createRequire2 } from "module";
+import { Command as Command11 } from "commander";
 
 // src/commands/admin.ts
 import { Command } from "commander";
@@ -21167,13 +21167,7 @@ function resolveOpenclawConfigPath(openclawDir, homeDir) {
   return configCandidates[0];
 }
 function resolveDefaultTransformSource(openclawDir) {
-  return join6(
-    openclawDir,
-    "workspace",
-    "skills",
-    SKILL_DIR_NAME,
-    RELAY_MODULE_FILE_NAME
-  );
+  return join6(openclawDir, "skills", SKILL_DIR_NAME, RELAY_MODULE_FILE_NAME);
 }
 function resolveTransformTargetPath(openclawDir) {
   return join6(openclawDir, "hooks", "transforms", RELAY_MODULE_FILE_NAME);
@@ -21907,7 +21901,7 @@ async function runOpenclawDoctor(options = {}) {
           label: "Relay transform",
           status: "fail",
           message: "relay transform artifacts are missing or empty",
-          remediationHint: "Run: npm install clawdentity --skill",
+          remediationHint: "Run: clawdentity skill install",
           details: {
             transformTargetPath,
             relayTransformRuntimePath,
@@ -21937,7 +21931,7 @@ async function runOpenclawDoctor(options = {}) {
         label: "Relay transform",
         status: "fail",
         message: "missing relay transform artifacts",
-        remediationHint: "Run: npm install clawdentity --skill",
+        remediationHint: "Run: clawdentity skill install",
         details: {
           transformTargetPath,
           relayTransformRuntimePath,
@@ -22361,7 +22355,7 @@ var createOpenclawCommand = () => {
     "OpenClaw state directory (default ~/.openclaw)"
   ).option(
     "--transform-source <path>",
-    "Path to relay-to-peer.mjs (default <openclaw-dir>/workspace/skills/clawdentity-openclaw-relay/relay-to-peer.mjs)"
+    "Path to relay-to-peer.mjs (default <openclaw-dir>/skills/clawdentity-openclaw-relay/relay-to-peer.mjs)"
   ).option(
     "--openclaw-base-url <url>",
     "Base URL for local OpenClaw hook API (default http://127.0.0.1:18789)"
@@ -22477,6 +22471,7 @@ var PAIRING_QR_DIR_NAME = "pairing";
 var PEERS_FILE_NAME2 = "peers.json";
 var PAIR_START_PATH = "/pair/start";
 var PAIR_CONFIRM_PATH = "/pair/confirm";
+var PAIR_STATUS_PATH = "/pair/status";
 var OWNER_PAT_HEADER = "x-claw-owner-pat";
 var NONCE_SIZE2 = 24;
 var PAIRING_TICKET_PREFIX = "clwpair1_";
@@ -22484,6 +22479,8 @@ var PAIRING_QR_MAX_AGE_SECONDS = 900;
 var PAIRING_QR_FILENAME_PATTERN = /-pair-(\d+)\.png$/;
 var FILE_MODE4 = 384;
 var PEER_ALIAS_PATTERN2 = /^[a-zA-Z0-9._-]+$/;
+var DEFAULT_STATUS_WAIT_SECONDS = 300;
+var DEFAULT_STATUS_POLL_INTERVAL_SECONDS = 3;
 var isRecord9 = (value) => {
   return typeof value === "object" && value !== null;
 };
@@ -22559,6 +22556,52 @@ function parsePairingTicketIssuerOrigin(ticket) {
   }
   return issuerUrl.origin;
 }
+function parseAitAgentDid(ait) {
+  const parts = ait.split(".");
+  if (parts.length < 2) {
+    throw createCliError7(
+      "CLI_PAIR_AGENT_NOT_FOUND",
+      "Agent AIT is invalid. Recreate the agent before pairing."
+    );
+  }
+  let payloadRaw;
+  try {
+    payloadRaw = new TextDecoder().decode(decodeBase64url(parts[1] ?? ""));
+  } catch {
+    throw createCliError7(
+      "CLI_PAIR_AGENT_NOT_FOUND",
+      "Agent AIT is invalid. Recreate the agent before pairing."
+    );
+  }
+  let payload;
+  try {
+    payload = JSON.parse(payloadRaw);
+  } catch {
+    throw createCliError7(
+      "CLI_PAIR_AGENT_NOT_FOUND",
+      "Agent AIT is invalid. Recreate the agent before pairing."
+    );
+  }
+  if (!isRecord9(payload) || typeof payload.sub !== "string") {
+    throw createCliError7(
+      "CLI_PAIR_AGENT_NOT_FOUND",
+      "Agent AIT is invalid. Recreate the agent before pairing."
+    );
+  }
+  const candidate = payload.sub.trim();
+  try {
+    const parsed = parseDid(candidate);
+    if (parsed.kind !== "agent") {
+      throw new Error("invalid kind");
+    }
+  } catch {
+    throw createCliError7(
+      "CLI_PAIR_AGENT_NOT_FOUND",
+      "Agent AIT is invalid. Recreate the agent before pairing."
+    );
+  }
+  return candidate;
+}
 function parsePeerAlias2(value) {
   if (value.length === 0 || value.length > 128) {
     throw createCliError7(
@@ -22690,6 +22733,20 @@ function parseTtlSeconds(value) {
   }
   return parsed;
 }
+function parsePositiveIntegerOption(input) {
+  const raw = parseNonEmptyString9(input.value);
+  if (raw.length === 0) {
+    return input.defaultValue;
+  }
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isInteger(parsed) || parsed < 1) {
+    throw createCliError7(
+      "CLI_PAIR_STATUS_WAIT_INVALID",
+      `${input.optionName} must be a positive integer`
+    );
+  }
+  return parsed;
+}
 function parseProxyUrl2(candidate) {
   try {
     const parsed = new URL(candidate);
@@ -22810,6 +22867,29 @@ function mapConfirmPairError(status, payload) {
   }
   return `Pair confirm failed (${status})`;
 }
+function mapStatusPairError(status, payload) {
+  const code = extractErrorCode(payload);
+  const message2 = extractErrorMessage(payload);
+  if (code === "PROXY_PAIR_TICKET_NOT_FOUND" || status === 404) {
+    return "Pairing ticket not found";
+  }
+  if (code === "PROXY_PAIR_TICKET_EXPIRED" || status === 410) {
+    return "Pairing ticket has expired";
+  }
+  if (code === "PROXY_PAIR_STATUS_FORBIDDEN" || status === 403) {
+    return message2 ? `Pair status request is forbidden (403): ${message2}` : "Pair status request is forbidden (403).";
+  }
+  if (status === 400) {
+    return message2 ? `Pair status request is invalid (400): ${message2}` : "Pair status request is invalid (400).";
+  }
+  if (status >= 500) {
+    return `Proxy pairing service is unavailable (${status}).`;
+  }
+  if (message2) {
+    return `Pair status failed (${status}): ${message2}`;
+  }
+  return `Pair status failed (${status})`;
+}
 function parsePairStartResponse(payload) {
   if (!isRecord9(payload)) {
     throw createCliError7(
@@ -22854,6 +22934,44 @@ function parsePairConfirmResponse(payload) {
     responderAgentDid
   };
 }
+function parsePairStatusResponse(payload) {
+  if (!isRecord9(payload)) {
+    throw createCliError7(
+      "CLI_PAIR_STATUS_INVALID_RESPONSE",
+      "Pair status response is invalid"
+    );
+  }
+  const statusRaw = parseNonEmptyString9(payload.status);
+  if (statusRaw !== "pending" && statusRaw !== "confirmed") {
+    throw createCliError7(
+      "CLI_PAIR_STATUS_INVALID_RESPONSE",
+      "Pair status response is invalid"
+    );
+  }
+  const initiatorAgentDid = parseNonEmptyString9(payload.initiatorAgentDid);
+  const responderAgentDid = parseNonEmptyString9(payload.responderAgentDid);
+  const expiresAt = parseNonEmptyString9(payload.expiresAt);
+  const confirmedAt = parseNonEmptyString9(payload.confirmedAt);
+  if (initiatorAgentDid.length === 0 || expiresAt.length === 0) {
+    throw createCliError7(
+      "CLI_PAIR_STATUS_INVALID_RESPONSE",
+      "Pair status response is invalid"
+    );
+  }
+  if (statusRaw === "confirmed" && responderAgentDid.length === 0) {
+    throw createCliError7(
+      "CLI_PAIR_STATUS_INVALID_RESPONSE",
+      "Pair status response is invalid"
+    );
+  }
+  return {
+    status: statusRaw,
+    initiatorAgentDid,
+    responderAgentDid: responderAgentDid.length > 0 ? responderAgentDid : void 0,
+    expiresAt,
+    confirmedAt: confirmedAt.length > 0 ? confirmedAt : void 0
+  };
+}
 async function readAgentProofMaterial(agentName, dependencies) {
   const readFileImpl = dependencies.readFileImpl ?? readFile5;
   const getConfigDirImpl = dependencies.getConfigDirImpl ?? getConfigDir;
@@ -23244,6 +23362,147 @@ async function confirmPairing(agentName, options, dependencies = {}) {
     peerAlias
   };
 }
+async function getPairingStatusOnce(agentName, options, dependencies = {}) {
+  const fetchImpl = dependencies.fetchImpl ?? fetch;
+  const resolveConfigImpl = dependencies.resolveConfigImpl ?? resolveConfig;
+  const nowSecondsImpl = dependencies.nowSecondsImpl ?? (() => Math.floor(Date.now() / 1e3));
+  const nonceFactoryImpl = dependencies.nonceFactoryImpl ?? (() => randomBytes4(NONCE_SIZE2).toString("base64url"));
+  const config2 = await resolveConfigImpl();
+  const proxyUrl = await resolveProxyUrl({
+    config: config2,
+    fetchImpl
+  });
+  const ticket = parsePairingTicket(options.ticket);
+  const { ait, secretKey } = await readAgentProofMaterial(
+    agentName,
+    dependencies
+  );
+  const callerAgentDid = parseAitAgentDid(ait);
+  const requestUrl = toProxyRequestUrl(proxyUrl, PAIR_STATUS_PATH);
+  const requestBody = JSON.stringify({ ticket });
+  const bodyBytes = new TextEncoder().encode(requestBody);
+  const timestampSeconds = nowSecondsImpl();
+  const nonce = nonceFactoryImpl();
+  const signedHeaders = await buildSignedHeaders({
+    method: "POST",
+    requestUrl,
+    bodyBytes,
+    secretKey,
+    timestampSeconds,
+    nonce
+  });
+  const response = await executePairRequest({
+    fetchImpl,
+    url: requestUrl,
+    init: {
+      method: "POST",
+      headers: {
+        authorization: `Claw ${ait}`,
+        "content-type": "application/json",
+        ...signedHeaders
+      },
+      body: requestBody
+    }
+  });
+  const responseBody = await parseJsonResponse6(response);
+  if (!response.ok) {
+    throw createCliError7(
+      "CLI_PAIR_STATUS_FAILED",
+      mapStatusPairError(response.status, responseBody)
+    );
+  }
+  const parsed = parsePairStatusResponse(responseBody);
+  let peerAlias;
+  if (parsed.status === "confirmed") {
+    const responderAgentDid = parsed.responderAgentDid;
+    if (!responderAgentDid) {
+      throw createCliError7(
+        "CLI_PAIR_STATUS_INVALID_RESPONSE",
+        "Pair status response is invalid"
+      );
+    }
+    const peerDid = callerAgentDid === parsed.initiatorAgentDid ? responderAgentDid : callerAgentDid === responderAgentDid ? parsed.initiatorAgentDid : void 0;
+    if (!peerDid) {
+      throw createCliError7(
+        "CLI_PAIR_STATUS_FORBIDDEN",
+        "Local agent is not a participant in the pairing ticket"
+      );
+    }
+    peerAlias = await persistPairedPeer({
+      ticket,
+      peerDid,
+      dependencies
+    });
+  }
+  return {
+    ...parsed,
+    proxyUrl,
+    peerAlias
+  };
+}
+async function waitForPairingStatus(input) {
+  const nowSecondsImpl = input.dependencies.nowSecondsImpl ?? (() => Math.floor(Date.now() / 1e3));
+  const sleepImpl = input.dependencies.sleepImpl ?? (async (ms) => {
+    await new Promise((resolve2) => {
+      setTimeout(resolve2, ms);
+    });
+  });
+  const deadlineSeconds = nowSecondsImpl() + input.waitSeconds;
+  while (true) {
+    const status = await getPairingStatusOnce(
+      input.agentName,
+      { ticket: input.ticket },
+      input.dependencies
+    );
+    if (status.status === "confirmed") {
+      return status;
+    }
+    const nowSeconds = nowSecondsImpl();
+    if (nowSeconds >= deadlineSeconds) {
+      throw createCliError7(
+        "CLI_PAIR_STATUS_WAIT_TIMEOUT",
+        `Pairing is still pending after ${input.waitSeconds} seconds`
+      );
+    }
+    const remainingSeconds = Math.max(0, deadlineSeconds - nowSeconds);
+    const sleepSeconds = Math.min(input.pollIntervalSeconds, remainingSeconds);
+    await sleepImpl(sleepSeconds * 1e3);
+  }
+}
+async function getPairingStatus(agentName, options, dependencies = {}) {
+  const ticketRaw = parseNonEmptyString9(options.ticket);
+  if (ticketRaw.length === 0) {
+    throw createCliError7(
+      "CLI_PAIR_STATUS_TICKET_REQUIRED",
+      "Pair status requires --ticket <clwpair1_...>"
+    );
+  }
+  const ticket = parsePairingTicket(ticketRaw);
+  if (options.wait !== true) {
+    return getPairingStatusOnce(
+      agentName,
+      { ticket },
+      dependencies
+    );
+  }
+  const waitSeconds = parsePositiveIntegerOption({
+    value: options.waitSeconds,
+    optionName: "waitSeconds",
+    defaultValue: DEFAULT_STATUS_WAIT_SECONDS
+  });
+  const pollIntervalSeconds = parsePositiveIntegerOption({
+    value: options.pollIntervalSeconds,
+    optionName: "pollIntervalSeconds",
+    defaultValue: DEFAULT_STATUS_POLL_INTERVAL_SECONDS
+  });
+  return waitForPairingStatus({
+    agentName,
+    ticket,
+    waitSeconds,
+    pollIntervalSeconds,
+    dependencies
+  });
+}
 var createPairCommand = (dependencies = {}) => {
   const pairCommand = new Command8("pair").description(
     "Manage proxy trust pairing between agents"
@@ -23251,7 +23510,16 @@ var createPairCommand = (dependencies = {}) => {
   pairCommand.command("start <agentName>").description("Start pairing and issue one-time pairing ticket").option(
     "--owner-pat <token>",
     "Owner PAT override (defaults to configured API key)"
-  ).option("--ttl-seconds <seconds>", "Pairing ticket expiry in seconds").option("--qr", "Generate a local QR file for sharing").option("--qr-output <path>", "Write QR PNG to a specific file path").action(
+  ).option("--ttl-seconds <seconds>", "Pairing ticket expiry in seconds").option("--qr", "Generate a local QR file for sharing").option("--qr-output <path>", "Write QR PNG to a specific file path").option(
+    "--wait",
+    "Wait for responder confirmation and auto-save peer on initiator"
+  ).option(
+    "--wait-seconds <seconds>",
+    "Max seconds to poll for confirmation (default: 300)"
+  ).option(
+    "--poll-interval-seconds <seconds>",
+    "Polling interval in seconds while waiting (default: 3)"
+  ).action(
     withErrorHandling(
       "pair start",
       async (agentName, options) => {
@@ -23269,6 +23537,44 @@ var createPairCommand = (dependencies = {}) => {
         if (result.qrPath) {
           writeStdoutLine(`QR File: ${result.qrPath}`);
         }
+        if (options.wait === true) {
+          const waitSeconds = parsePositiveIntegerOption({
+            value: options.waitSeconds,
+            optionName: "waitSeconds",
+            defaultValue: DEFAULT_STATUS_WAIT_SECONDS
+          });
+          const pollIntervalSeconds = parsePositiveIntegerOption({
+            value: options.pollIntervalSeconds,
+            optionName: "pollIntervalSeconds",
+            defaultValue: DEFAULT_STATUS_POLL_INTERVAL_SECONDS
+          });
+          writeStdoutLine(
+            `Waiting for confirmation (timeout=${waitSeconds}s, interval=${pollIntervalSeconds}s) ...`
+          );
+          const status = await waitForPairingStatus({
+            agentName,
+            ticket: result.ticket,
+            waitSeconds,
+            pollIntervalSeconds,
+            dependencies
+          });
+          logger9.info("cli.pair_status_confirmed_after_start", {
+            initiatorAgentDid: status.initiatorAgentDid,
+            responderAgentDid: status.responderAgentDid,
+            peerAlias: status.peerAlias
+          });
+          writeStdoutLine("Pairing confirmed");
+          writeStdoutLine(`Status: ${status.status}`);
+          if (status.initiatorAgentDid) {
+            writeStdoutLine(`Initiator Agent DID: ${status.initiatorAgentDid}`);
+          }
+          if (status.responderAgentDid) {
+            writeStdoutLine(`Responder Agent DID: ${status.responderAgentDid}`);
+          }
+          if (status.peerAlias) {
+            writeStdoutLine(`Peer alias saved: ${status.peerAlias}`);
+          }
+        }
       }
     )
   );
@@ -23293,12 +23599,377 @@ var createPairCommand = (dependencies = {}) => {
       }
     )
   );
+  pairCommand.command("status <agentName>").description("Check pairing ticket status and sync local peer on confirm").option("--ticket <ticket>", "One-time pairing ticket (clwpair1_...)").option("--wait", "Poll until ticket is confirmed or timeout is reached").option(
+    "--wait-seconds <seconds>",
+    "Max seconds to poll for confirmation (default: 300)"
+  ).option(
+    "--poll-interval-seconds <seconds>",
+    "Polling interval in seconds while waiting (default: 3)"
+  ).action(
+    withErrorHandling(
+      "pair status",
+      async (agentName, options) => {
+        const result = await getPairingStatus(agentName, options, dependencies);
+        logger9.info("cli.pair_status", {
+          initiatorAgentDid: result.initiatorAgentDid,
+          responderAgentDid: result.responderAgentDid,
+          status: result.status,
+          proxyUrl: result.proxyUrl,
+          peerAlias: result.peerAlias
+        });
+        writeStdoutLine(`Status: ${result.status}`);
+        writeStdoutLine(`Initiator Agent DID: ${result.initiatorAgentDid}`);
+        if (result.responderAgentDid) {
+          writeStdoutLine(`Responder Agent DID: ${result.responderAgentDid}`);
+        }
+        writeStdoutLine(`Expires At: ${result.expiresAt}`);
+        if (result.confirmedAt) {
+          writeStdoutLine(`Confirmed At: ${result.confirmedAt}`);
+        }
+        if (result.peerAlias) {
+          writeStdoutLine(`Peer alias saved: ${result.peerAlias}`);
+        }
+      }
+    )
+  );
   return pairCommand;
 };
 
-// src/commands/verify.ts
-import { readFile as readFile6 } from "fs/promises";
+// src/commands/skill.ts
 import { Command as Command9 } from "commander";
+
+// src/install-skill-mode.ts
+import { constants, existsSync as existsSync2 } from "fs";
+import { access as access3, copyFile as copyFile2, mkdir as mkdir7, readdir as readdir2, readFile as readFile6 } from "fs/promises";
+import { createRequire } from "module";
+import { homedir as homedir4 } from "os";
+import { dirname as dirname6, join as join8, relative } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+var OPENCLAW_DIR_NAME2 = ".openclaw";
+var SKILL_PACKAGE_NAME = "@clawdentity/openclaw-skill";
+var SKILL_DIR_NAME2 = "clawdentity-openclaw-relay";
+var RELAY_MODULE_FILE_NAME2 = "relay-to-peer.mjs";
+function isRecord10(value) {
+  return typeof value === "object" && value !== null;
+}
+var SkillInstallError = class extends Error {
+  code;
+  details;
+  constructor(input) {
+    super(input.message);
+    this.name = "SkillInstallError";
+    this.code = input.code;
+    this.details = input.details ?? {};
+  }
+};
+function getErrorCode3(error48) {
+  if (!isRecord10(error48)) {
+    return void 0;
+  }
+  return typeof error48.code === "string" ? error48.code : void 0;
+}
+function resolveHomeDir2(inputHomeDir) {
+  if (typeof inputHomeDir === "string" && inputHomeDir.trim().length > 0) {
+    return inputHomeDir.trim();
+  }
+  return homedir4();
+}
+function resolveOpenclawDir2(homeDir, inputOpenclawDir) {
+  if (typeof inputOpenclawDir === "string" && inputOpenclawDir.trim().length > 0) {
+    return inputOpenclawDir.trim();
+  }
+  return join8(homeDir, OPENCLAW_DIR_NAME2);
+}
+function resolveSkillPackageRoot(input) {
+  if (typeof input.skillPackageRoot === "string" && input.skillPackageRoot.trim().length > 0) {
+    return input.skillPackageRoot.trim();
+  }
+  const overriddenRoot = input.env.CLAWDENTITY_SKILL_PACKAGE_ROOT;
+  if (typeof overriddenRoot === "string" && overriddenRoot.trim().length > 0) {
+    return overriddenRoot.trim();
+  }
+  const bundledSkillRoot = join8(
+    dirname6(fileURLToPath2(import.meta.url)),
+    "..",
+    "skill-bundle",
+    "openclaw-skill"
+  );
+  if (existsSync2(bundledSkillRoot)) {
+    return bundledSkillRoot;
+  }
+  const require3 = createRequire(import.meta.url);
+  let packageJsonPath;
+  try {
+    packageJsonPath = require3.resolve(`${SKILL_PACKAGE_NAME}/package.json`);
+    return dirname6(packageJsonPath);
+  } catch {
+    const workspaceFallbackRoot = join8(
+      dirname6(fileURLToPath2(import.meta.url)),
+      "..",
+      "..",
+      "openclaw-skill"
+    );
+    if (existsSync2(workspaceFallbackRoot)) {
+      return workspaceFallbackRoot;
+    }
+    throw new SkillInstallError({
+      code: "CLI_SKILL_PACKAGE_NOT_FOUND",
+      message: "Skill artifacts are unavailable. Set CLAWDENTITY_SKILL_PACKAGE_ROOT or provide bundled skill assets before running skill install.",
+      details: {
+        packageName: SKILL_PACKAGE_NAME,
+        bundledSkillRoot,
+        workspaceFallbackRoot
+      }
+    });
+  }
+}
+async function assertReadableFile(filePath, details) {
+  try {
+    await access3(filePath, constants.R_OK);
+  } catch (error48) {
+    if (getErrorCode3(error48) === "ENOENT") {
+      throw new SkillInstallError({
+        code: "CLI_SKILL_ARTIFACT_MISSING",
+        message: "Required skill artifact is missing",
+        details: {
+          ...details,
+          sourcePath: filePath
+        }
+      });
+    }
+    throw error48;
+  }
+}
+async function listFilesRecursively(directoryPath) {
+  const entries = await readdir2(directoryPath, { withFileTypes: true });
+  const files = [];
+  for (const entry of entries.sort(
+    (left, right) => left.name.localeCompare(right.name)
+  )) {
+    const entryPath = join8(directoryPath, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...await listFilesRecursively(entryPath));
+      continue;
+    }
+    if (entry.isFile()) {
+      files.push(entryPath);
+    }
+  }
+  return files;
+}
+async function resolveArtifacts(input) {
+  const skillRoot = join8(input.skillPackageRoot, "skill");
+  const skillDocSource = join8(skillRoot, "SKILL.md");
+  const referencesRoot = join8(skillRoot, "references");
+  const relaySource = join8(
+    input.skillPackageRoot,
+    "dist",
+    RELAY_MODULE_FILE_NAME2
+  );
+  await assertReadableFile(skillDocSource, {
+    artifact: "SKILL.md"
+  });
+  await assertReadableFile(relaySource, {
+    artifact: RELAY_MODULE_FILE_NAME2
+  });
+  let referenceFiles;
+  try {
+    referenceFiles = await listFilesRecursively(referencesRoot);
+  } catch (error48) {
+    if (getErrorCode3(error48) === "ENOENT") {
+      throw new SkillInstallError({
+        code: "CLI_SKILL_ARTIFACT_MISSING",
+        message: "Required skill references directory is missing",
+        details: {
+          sourcePath: referencesRoot,
+          artifact: "references"
+        }
+      });
+    }
+    throw error48;
+  }
+  if (referenceFiles.length === 0) {
+    throw new SkillInstallError({
+      code: "CLI_SKILL_REFERENCE_DIR_EMPTY",
+      message: "Required skill references directory is empty",
+      details: {
+        sourcePath: referencesRoot
+      }
+    });
+  }
+  const targetSkillRoot = join8(
+    input.openclawDir,
+    "skills",
+    SKILL_DIR_NAME2
+  );
+  const artifacts = [
+    {
+      sourcePath: skillDocSource,
+      targetPath: join8(targetSkillRoot, "SKILL.md")
+    },
+    {
+      sourcePath: relaySource,
+      targetPath: join8(targetSkillRoot, RELAY_MODULE_FILE_NAME2)
+    },
+    {
+      sourcePath: relaySource,
+      targetPath: join8(
+        input.openclawDir,
+        "hooks",
+        "transforms",
+        RELAY_MODULE_FILE_NAME2
+      )
+    }
+  ];
+  for (const referenceFile of referenceFiles) {
+    const relativePath = relative(referencesRoot, referenceFile);
+    artifacts.push({
+      sourcePath: referenceFile,
+      targetPath: join8(targetSkillRoot, "references", relativePath)
+    });
+  }
+  return artifacts.sort(
+    (left, right) => left.targetPath.localeCompare(right.targetPath)
+  );
+}
+async function copyArtifact(input) {
+  const sourceContent = await readFile6(input.sourcePath);
+  let existingContent;
+  try {
+    existingContent = await readFile6(input.targetPath);
+  } catch (error48) {
+    if (getErrorCode3(error48) !== "ENOENT") {
+      throw error48;
+    }
+  }
+  if (existingContent !== void 0 && sourceContent.equals(existingContent)) {
+    return "unchanged";
+  }
+  await mkdir7(dirname6(input.targetPath), { recursive: true });
+  await copyFile2(input.sourcePath, input.targetPath);
+  if (existingContent !== void 0) {
+    return "updated";
+  }
+  return "installed";
+}
+async function installOpenclawSkillArtifacts(options = {}) {
+  const env = options.env ?? process.env;
+  const homeDir = resolveHomeDir2(options.homeDir);
+  const openclawDir = resolveOpenclawDir2(homeDir, options.openclawDir);
+  const skillPackageRoot = resolveSkillPackageRoot({
+    skillPackageRoot: options.skillPackageRoot,
+    env
+  });
+  const artifacts = await resolveArtifacts({
+    skillPackageRoot,
+    openclawDir
+  });
+  const records = [];
+  for (const artifact of artifacts) {
+    const action = await copyArtifact(artifact);
+    records.push({
+      action,
+      sourcePath: artifact.sourcePath,
+      targetPath: artifact.targetPath
+    });
+  }
+  return {
+    homeDir,
+    openclawDir,
+    skillPackageRoot,
+    targetSkillDirectory: join8(openclawDir, "skills", SKILL_DIR_NAME2),
+    records
+  };
+}
+function formatSkillInstallError(error48) {
+  if (error48 instanceof SkillInstallError) {
+    const details = Object.entries(error48.details).map(([key, value]) => `${key}=${value}`).join(" ");
+    if (details.length === 0) {
+      return `${error48.code}: ${error48.message}`;
+    }
+    return `${error48.code}: ${error48.message} (${details})`;
+  }
+  if (error48 instanceof Error) {
+    return error48.message;
+  }
+  return String(error48);
+}
+
+// src/commands/skill.ts
+function collectStringOption(value, previous) {
+  const trimmed = value.trim();
+  if (trimmed.length === 0) {
+    return previous;
+  }
+  return [...previous, trimmed];
+}
+function toInstallSummary(records) {
+  const installed = records.filter((record2) => record2.action === "installed");
+  const updated = records.filter((record2) => record2.action === "updated");
+  const unchanged = records.filter((record2) => record2.action === "unchanged");
+  return `installed=${installed.length} updated=${updated.length} unchanged=${unchanged.length}`;
+}
+async function runSkillInstall(options) {
+  const requestedDirs = (options.openclawDir ?? []).filter(
+    (dir) => dir.trim().length > 0
+  );
+  const dirs = requestedDirs.length > 0 ? requestedDirs : [void 0];
+  const results = [];
+  for (const openclawDir of dirs) {
+    const result = await installOpenclawSkillArtifacts({
+      openclawDir,
+      skillPackageRoot: options.skillPackageRoot
+    });
+    results.push(result);
+  }
+  return results;
+}
+var createSkillCommand = () => {
+  const skillCommand = new Command9("skill").description(
+    "Install and manage Clawdentity skill artifacts"
+  );
+  skillCommand.command("install").description("Install Clawdentity OpenClaw skill artifacts").option(
+    "--openclaw-dir <path>",
+    "OpenClaw state directory target (repeat for multiple profiles)",
+    collectStringOption,
+    []
+  ).option(
+    "--skill-package-root <path>",
+    "Override skill package root (defaults to bundled assets)"
+  ).option("--json", "Print machine-readable JSON output").action(
+    withErrorHandling(
+      "skill install",
+      async (options) => {
+        let results;
+        try {
+          results = await runSkillInstall(options);
+        } catch (error48) {
+          throw new Error(formatSkillInstallError(error48));
+        }
+        if (options.json) {
+          writeStdoutLine(JSON.stringify({ installs: results }, null, 2));
+          return;
+        }
+        for (const result of results) {
+          writeStdoutLine(`OpenClaw dir: ${result.openclawDir}`);
+          writeStdoutLine(`Skill source: ${result.skillPackageRoot}`);
+          writeStdoutLine(`Target skill dir: ${result.targetSkillDirectory}`);
+          for (const record2 of result.records) {
+            writeStdoutLine(
+              `${record2.action}: ${record2.targetPath} (source: ${record2.sourcePath})`
+            );
+          }
+          writeStdoutLine(toInstallSummary(result.records));
+        }
+      }
+    )
+  );
+  return skillCommand;
+};
+
+// src/commands/verify.ts
+import { readFile as readFile7 } from "fs/promises";
+import { Command as Command10 } from "commander";
 var logger10 = createLogger({ service: "cli", module: "verify" });
 var REGISTRY_KEYS_CACHE_FILE = "registry-keys.json";
 var CRL_CLAIMS_CACHE_FILE = "crl-claims.json";
@@ -23310,7 +23981,7 @@ var VerifyCommandError = class extends Error {
     this.name = "VerifyCommandError";
   }
 };
-var isRecord10 = (value) => {
+var isRecord11 = (value) => {
   return typeof value === "object" && value !== null;
 };
 var normalizeRegistryUrl2 = (registryUrl) => {
@@ -23346,7 +24017,7 @@ var resolveToken = async (tokenOrFile) => {
     throw new VerifyCommandError("invalid token (value is empty)");
   }
   try {
-    const fileContents = await readFile6(input, "utf-8");
+    const fileContents = await readFile7(input, "utf-8");
     const token = fileContents.trim();
     if (token.length === 0) {
       throw new VerifyCommandError(`invalid token (${input} is empty)`);
@@ -23378,7 +24049,7 @@ var parseResponseJson = async (response) => {
   }
 };
 var parseSigningKeys = (payload) => {
-  if (!isRecord10(payload) || !Array.isArray(payload.keys)) {
+  if (!isRecord11(payload) || !Array.isArray(payload.keys)) {
     throw new VerifyCommandError(
       "verification keys unavailable (response payload is invalid)"
     );
@@ -23397,7 +24068,7 @@ var parseSigningKeys = (payload) => {
 };
 var parseRegistryKeysCache = (rawCache) => {
   const parsed = parseJson(rawCache);
-  if (!isRecord10(parsed)) {
+  if (!isRecord11(parsed)) {
     return void 0;
   }
   const { registryUrl, fetchedAtMs, keys } = parsed;
@@ -23423,7 +24094,7 @@ var parseRegistryKeysCache = (rawCache) => {
 };
 var parseCrlCache = (rawCache) => {
   const parsed = parseJson(rawCache);
-  if (!isRecord10(parsed)) {
+  if (!isRecord11(parsed)) {
     return void 0;
   }
   const { registryUrl, fetchedAtMs, claims } = parsed;
@@ -23521,7 +24192,7 @@ var fetchCrlClaims = async (input) => {
     );
   }
   const payload = await parseResponseJson(response);
-  if (!isRecord10(payload) || typeof payload.crl !== "string") {
+  if (!isRecord11(payload) || typeof payload.crl !== "string") {
     throw new VerifyCommandError(
       "revocation check unavailable (response payload is invalid)"
     );
@@ -23566,7 +24237,7 @@ var loadCrlClaims = async (input) => {
   return claims;
 };
 var toInvalidTokenReason = (error48) => {
-  if (isRecord10(error48) && typeof error48.message === "string") {
+  if (isRecord11(error48) && typeof error48.message === "string") {
     return `invalid token (${error48.message})`;
   }
   if (error48 instanceof Error && error48.message.length > 0) {
@@ -23642,7 +24313,7 @@ var runVerify = async (tokenOrFile) => {
   printResult(true, `token verified (${claims.sub})`);
 };
 var createVerifyCommand = () => {
-  return new Command9("verify").description("Verify an AIT using registry keys and CRL state").argument(
+  return new Command10("verify").description("Verify an AIT using registry keys and CRL state").argument(
     "<tokenOrFile>",
     "Raw AIT token or file path containing the token"
   ).action(
@@ -23653,7 +24324,7 @@ var createVerifyCommand = () => {
 };
 
 // src/index.ts
-var require2 = createRequire(import.meta.url);
+var require2 = createRequire2(import.meta.url);
 var resolveCliVersion = () => {
   const packageJson = require2("../package.json");
   if (typeof packageJson.version === "string" && packageJson.version.length > 0) {
@@ -23663,7 +24334,7 @@ var resolveCliVersion = () => {
 };
 var CLI_VERSION = resolveCliVersion();
 var createProgram = () => {
-  return new Command10("clawdentity").description("Clawdentity CLI - Agent identity management").version(CLI_VERSION).addCommand(createAdminCommand()).addCommand(createAgentCommand()).addCommand(createApiKeyCommand()).addCommand(createConnectorCommand()).addCommand(createConfigCommand()).addCommand(createInviteCommand()).addCommand(createOpenclawCommand()).addCommand(createPairCommand()).addCommand(createVerifyCommand());
+  return new Command11("clawdentity").description("Clawdentity CLI - Agent identity management").version(CLI_VERSION).addCommand(createAdminCommand()).addCommand(createAgentCommand()).addCommand(createApiKeyCommand()).addCommand(createConnectorCommand()).addCommand(createConfigCommand()).addCommand(createInviteCommand()).addCommand(createOpenclawCommand()).addCommand(createPairCommand()).addCommand(createSkillCommand()).addCommand(createVerifyCommand());
 };
 
 // src/bin.ts