clawdentity 0.0.2 → 0.0.3

package/dist/bin.js

@@ -17062,7 +17062,7 @@ var DEFAULT_NONCE_TTL_MS = 5 * 60 * 1e3;
 
 // src/index.ts
 import { createRequire } from "module";
-import { Command as Command9 } from "commander";
+import { Command as Command10 } from "commander";
 
 // src/commands/admin.ts
 import { Command } from "commander";
@@ -19133,8 +19133,8 @@ var ConnectorClient = class {
     }
   }
   async wait(delayMs) {
-    await new Promise((resolve) => {
-      setTimeout(resolve, delayMs);
+    await new Promise((resolve2) => {
+      setTimeout(resolve2, delayMs);
     });
   }
   makeFrameId() {
@@ -19378,7 +19378,7 @@ async function buildUpgradeHeaders(input) {
   };
 }
 async function startConnectorRuntime(input) {
-  const logger11 = input.logger ?? createLogger({ service: "connector", module: "runtime" });
+  const logger12 = input.logger ?? createLogger({ service: "connector", module: "runtime" });
   const fetchImpl = input.fetchImpl ?? fetch;
   const secretKey = decodeBase64url(
     parseRequiredString(input.credentials.secretKey, "secretKey")
@@ -19413,7 +19413,7 @@ async function startConnectorRuntime(input) {
     openclawHookPath: resolveOpenclawHookPath(input.openclawHookPath),
     openclawHookToken: resolveOpenclawHookToken(input.openclawHookToken),
     fetchImpl,
-    logger: logger11,
+    logger: logger12,
     webSocketFactory: createWebSocketFactory()
   });
   const outboundBaseUrl = normalizeOutboundBaseUrl(input.outboundBaseUrl);
@@ -19502,7 +19502,7 @@ async function startConnectorRuntime(input) {
       writeJson(res, 202, { accepted: true, peer: relayRequest.peer });
     } catch (error48) {
       if (error48 instanceof AppError) {
-        logger11.warn("connector.outbound.rejected", {
+        logger12.warn("connector.outbound.rejected", {
           code: error48.code,
           status: error48.status,
           message: error48.message
@@ -19515,7 +19515,7 @@ async function startConnectorRuntime(input) {
         });
         return;
       }
-      logger11.error("connector.outbound.failed", {
+      logger12.error("connector.outbound.failed", {
         errorName: error48 instanceof Error ? error48.name : "unknown"
       });
       writeJson(res, 500, {
@@ -19527,35 +19527,35 @@ async function startConnectorRuntime(input) {
     }
   });
   let stoppedResolve;
-  const stoppedPromise = new Promise((resolve) => {
-    stoppedResolve = resolve;
+  const stoppedPromise = new Promise((resolve2) => {
+    stoppedResolve = resolve2;
   });
   const stop = async () => {
     connectorClient.disconnect();
-    await new Promise((resolve, reject) => {
+    await new Promise((resolve2, reject) => {
       server.close((error48) => {
         if (error48) {
           reject(error48);
           return;
         }
-        resolve();
+        resolve2();
       });
     });
     stoppedResolve?.();
   };
-  await new Promise((resolve, reject) => {
+  await new Promise((resolve2, reject) => {
     server.once("error", reject);
     server.listen(
       Number(outboundBaseUrl.port || "80"),
       outboundBaseUrl.hostname,
       () => {
         server.off("error", reject);
-        resolve();
+        resolve2();
       }
     );
   });
   connectorClient.connect();
-  logger11.info("connector.runtime.started", {
+  logger12.info("connector.runtime.started", {
     outboundUrl,
     websocketUrl: wsUrl,
     agentDid: input.credentials.agentDid
@@ -21794,10 +21794,572 @@ var createOpenclawCommand = () => {
   return openclawCommand;
 };
 
-// src/commands/verify.ts
-import { readFile as readFile5 } from "fs/promises";
+// src/commands/pair.ts
+import { randomBytes as randomBytes3 } from "crypto";
+import { mkdir as mkdir6, readFile as readFile5, writeFile as writeFile6 } from "fs/promises";
+import { dirname as dirname5, join as join7, resolve } from "path";
 import { Command as Command8 } from "commander";
-var logger9 = createLogger({ service: "cli", module: "verify" });
+import jsQR from "jsqr";
+import { PNG } from "pngjs";
+import QRCode from "qrcode";
+var logger9 = createLogger({ service: "cli", module: "pair" });
+var AGENTS_DIR_NAME5 = "agents";
+var AIT_FILE_NAME4 = "ait.jwt";
+var SECRET_KEY_FILE_NAME3 = "secret.key";
+var PAIRING_QR_DIR_NAME = "pairing";
+var PAIR_START_PATH = "/pair/start";
+var PAIR_CONFIRM_PATH = "/pair/confirm";
+var OWNER_PAT_HEADER = "x-claw-owner-pat";
+var NONCE_SIZE2 = 24;
+var PAIRING_TICKET_PREFIX = "clwpair1_";
+var isRecord8 = (value) => {
+  return typeof value === "object" && value !== null;
+};
+function createCliError6(code, message2) {
+  return new AppError({
+    code,
+    message: message2,
+    status: 400
+  });
+}
+function parseNonEmptyString8(value) {
+  if (typeof value !== "string") {
+    return "";
+  }
+  return value.trim();
+}
+function parsePairingTicket(value) {
+  const ticket = parseNonEmptyString8(value);
+  if (!ticket.startsWith(PAIRING_TICKET_PREFIX)) {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_TICKET_INVALID",
+      "Pairing ticket is invalid"
+    );
+  }
+  return ticket;
+}
+function parseTtlSeconds(value) {
+  const raw = parseNonEmptyString8(value);
+  if (raw.length === 0) {
+    return void 0;
+  }
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isInteger(parsed) || parsed < 1) {
+    throw createCliError6(
+      "CLI_PAIR_START_INVALID_TTL",
+      "ttlSeconds must be a positive integer"
+    );
+  }
+  return parsed;
+}
+function resolveProxyUrl(overrideProxyUrl) {
+  const candidate = parseNonEmptyString8(overrideProxyUrl) || parseNonEmptyString8(process.env.CLAWDENTITY_PROXY_URL);
+  if (candidate.length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_PROXY_URL_REQUIRED",
+      "Proxy URL is required. Pass --proxy-url <url> or set CLAWDENTITY_PROXY_URL."
+    );
+  }
+  try {
+    const parsed = new URL(candidate);
+    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+      throw new Error("invalid protocol");
+    }
+    return parsed.toString();
+  } catch {
+    throw createCliError6("CLI_PAIR_INVALID_PROXY_URL", "Proxy URL is invalid");
+  }
+}
+function toProxyRequestUrl(proxyUrl, path) {
+  const normalizedBase = proxyUrl.endsWith("/") ? proxyUrl : `${proxyUrl}/`;
+  return new URL(path.slice(1), normalizedBase).toString();
+}
+function toPathWithQuery3(url2) {
+  const parsed = new URL(url2);
+  return `${parsed.pathname}${parsed.search}`;
+}
+function extractErrorCode(payload) {
+  if (!isRecord8(payload)) {
+    return void 0;
+  }
+  const envelope = payload;
+  if (!envelope.error || typeof envelope.error.code !== "string") {
+    return void 0;
+  }
+  const code = envelope.error.code.trim();
+  return code.length > 0 ? code : void 0;
+}
+function extractErrorMessage(payload) {
+  if (!isRecord8(payload)) {
+    return void 0;
+  }
+  const envelope = payload;
+  if (!envelope.error || typeof envelope.error.message !== "string") {
+    return void 0;
+  }
+  const message2 = envelope.error.message.trim();
+  return message2.length > 0 ? message2 : void 0;
+}
+async function parseJsonResponse5(response) {
+  try {
+    return await response.json();
+  } catch {
+    return void 0;
+  }
+}
+async function executePairRequest(input) {
+  try {
+    return await input.fetchImpl(input.url, input.init);
+  } catch {
+    throw createCliError6(
+      "CLI_PAIR_REQUEST_FAILED",
+      "Unable to connect to proxy URL. Check network access and proxyUrl."
+    );
+  }
+}
+function mapStartPairError(status, payload) {
+  const code = extractErrorCode(payload);
+  const message2 = extractErrorMessage(payload);
+  if (code === "PROXY_PAIR_OWNER_PAT_INVALID" || status === 401) {
+    return message2 ? `Owner PAT is invalid (401): ${message2}` : "Owner PAT is invalid or expired (401).";
+  }
+  if (code === "PROXY_PAIR_OWNER_PAT_FORBIDDEN" || status === 403) {
+    return message2 ? `Owner PAT does not control initiator agent DID (403): ${message2}` : "Owner PAT does not control initiator agent DID (403).";
+  }
+  if (status === 400) {
+    return message2 ? `Pair start request is invalid (400): ${message2}` : "Pair start request is invalid (400).";
+  }
+  if (status >= 500) {
+    return `Proxy pairing service is unavailable (${status}).`;
+  }
+  if (message2) {
+    return `Pair start failed (${status}): ${message2}`;
+  }
+  return `Pair start failed (${status})`;
+}
+function mapConfirmPairError(status, payload) {
+  const code = extractErrorCode(payload);
+  const message2 = extractErrorMessage(payload);
+  if (code === "PROXY_PAIR_TICKET_NOT_FOUND" || status === 404) {
+    return "Pairing ticket is invalid or expired";
+  }
+  if (code === "PROXY_PAIR_TICKET_EXPIRED" || status === 410) {
+    return "Pairing ticket has expired";
+  }
+  if (status === 400) {
+    return message2 ? `Pair confirm request is invalid (400): ${message2}` : "Pair confirm request is invalid (400).";
+  }
+  if (status >= 500) {
+    return `Proxy pairing service is unavailable (${status}).`;
+  }
+  if (message2) {
+    return `Pair confirm failed (${status}): ${message2}`;
+  }
+  return `Pair confirm failed (${status})`;
+}
+function parsePairStartResponse(payload) {
+  if (!isRecord8(payload)) {
+    throw createCliError6(
+      "CLI_PAIR_START_INVALID_RESPONSE",
+      "Pair start response is invalid"
+    );
+  }
+  const ticket = parsePairingTicket(payload.ticket);
+  const initiatorAgentDid = parseNonEmptyString8(payload.initiatorAgentDid);
+  const expiresAt = parseNonEmptyString8(payload.expiresAt);
+  if (initiatorAgentDid.length === 0 || expiresAt.length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_START_INVALID_RESPONSE",
+      "Pair start response is invalid"
+    );
+  }
+  return {
+    ticket,
+    initiatorAgentDid,
+    expiresAt
+  };
+}
+function parsePairConfirmResponse(payload) {
+  if (!isRecord8(payload)) {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_INVALID_RESPONSE",
+      "Pair confirm response is invalid"
+    );
+  }
+  const paired = payload.paired === true;
+  const initiatorAgentDid = parseNonEmptyString8(payload.initiatorAgentDid);
+  const responderAgentDid = parseNonEmptyString8(payload.responderAgentDid);
+  if (!paired || initiatorAgentDid.length === 0 || responderAgentDid.length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_INVALID_RESPONSE",
+      "Pair confirm response is invalid"
+    );
+  }
+  return {
+    paired,
+    initiatorAgentDid,
+    responderAgentDid
+  };
+}
+async function readAgentProofMaterial(agentName, dependencies) {
+  const readFileImpl = dependencies.readFileImpl ?? readFile5;
+  const getConfigDirImpl = dependencies.getConfigDirImpl ?? getConfigDir;
+  const normalizedAgentName = assertValidAgentName(agentName);
+  const agentDir = join7(
+    getConfigDirImpl(),
+    AGENTS_DIR_NAME5,
+    normalizedAgentName
+  );
+  const aitPath = join7(agentDir, AIT_FILE_NAME4);
+  const secretKeyPath = join7(agentDir, SECRET_KEY_FILE_NAME3);
+  let ait;
+  try {
+    ait = (await readFileImpl(aitPath, "utf-8")).trim();
+  } catch (error48) {
+    const nodeError = error48;
+    if (nodeError.code === "ENOENT") {
+      throw createCliError6(
+        "CLI_PAIR_AGENT_NOT_FOUND",
+        `Agent "${normalizedAgentName}" is missing ${AIT_FILE_NAME4}. Run agent create first.`
+      );
+    }
+    throw error48;
+  }
+  if (ait.length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_AGENT_NOT_FOUND",
+      `Agent "${normalizedAgentName}" has an empty ${AIT_FILE_NAME4}`
+    );
+  }
+  let encodedSecretKey;
+  try {
+    encodedSecretKey = (await readFileImpl(secretKeyPath, "utf-8")).trim();
+  } catch (error48) {
+    const nodeError = error48;
+    if (nodeError.code === "ENOENT") {
+      throw createCliError6(
+        "CLI_PAIR_AGENT_NOT_FOUND",
+        `Agent "${normalizedAgentName}" is missing ${SECRET_KEY_FILE_NAME3}. Run agent create first.`
+      );
+    }
+    throw error48;
+  }
+  if (encodedSecretKey.length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_AGENT_NOT_FOUND",
+      `Agent "${normalizedAgentName}" has an empty ${SECRET_KEY_FILE_NAME3}`
+    );
+  }
+  let secretKey;
+  try {
+    secretKey = decodeBase64url(encodedSecretKey);
+  } catch {
+    throw createCliError6(
+      "CLI_PAIR_AGENT_NOT_FOUND",
+      `Agent "${normalizedAgentName}" has invalid ${SECRET_KEY_FILE_NAME3}`
+    );
+  }
+  return {
+    ait,
+    secretKey
+  };
+}
+function resolveOwnerPat(options) {
+  const ownerPat = parseNonEmptyString8(options.explicitOwnerPat) || parseNonEmptyString8(options.config.apiKey);
+  if (ownerPat.length > 0) {
+    return ownerPat;
+  }
+  throw createCliError6(
+    "CLI_PAIR_START_OWNER_PAT_REQUIRED",
+    "Owner PAT is required. Pass --owner-pat <token> or configure API key with `clawdentity invite redeem` / `clawdentity config set apiKey <token>`."
+  );
+}
+async function buildSignedHeaders(input) {
+  const signed = await signHttpRequest({
+    method: input.method,
+    pathWithQuery: toPathWithQuery3(input.requestUrl),
+    timestamp: String(input.timestampSeconds),
+    nonce: input.nonce,
+    body: input.bodyBytes,
+    secretKey: input.secretKey
+  });
+  return signed.headers;
+}
+async function encodeTicketQrPng(ticket) {
+  const buffer = await QRCode.toBuffer(ticket, {
+    type: "png",
+    width: 512,
+    margin: 2,
+    errorCorrectionLevel: "M"
+  });
+  return new Uint8Array(buffer);
+}
+function decodeTicketFromPng(imageBytes) {
+  let decodedPng;
+  try {
+    decodedPng = PNG.sync.read(Buffer.from(imageBytes));
+  } catch {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_QR_FILE_INVALID",
+      "QR image file is invalid or unsupported"
+    );
+  }
+  const imageData = new Uint8ClampedArray(
+    decodedPng.data.buffer,
+    decodedPng.data.byteOffset,
+    decodedPng.data.byteLength
+  );
+  const decoded = jsQR(imageData, decodedPng.width, decodedPng.height);
+  if (!decoded || parseNonEmptyString8(decoded.data).length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_QR_NOT_FOUND",
+      "No pairing QR code was found in the image"
+    );
+  }
+  return parsePairingTicket(decoded.data);
+}
+async function persistPairingQr(input) {
+  const mkdirImpl = input.dependencies.mkdirImpl ?? mkdir6;
+  const writeFileImpl = input.dependencies.writeFileImpl ?? writeFile6;
+  const getConfigDirImpl = input.dependencies.getConfigDirImpl ?? getConfigDir;
+  const qrEncodeImpl = input.dependencies.qrEncodeImpl ?? encodeTicketQrPng;
+  const baseDir = join7(getConfigDirImpl(), PAIRING_QR_DIR_NAME);
+  const outputPath = parseNonEmptyString8(input.qrOutput) ? resolve(input.qrOutput ?? "") : join7(
+    baseDir,
+    `${assertValidAgentName(input.agentName)}-pair-${input.nowSeconds}.png`
+  );
+  await mkdirImpl(dirname5(outputPath), { recursive: true });
+  const imageBytes = await qrEncodeImpl(input.ticket);
+  await writeFileImpl(outputPath, imageBytes);
+  return outputPath;
+}
+function resolveConfirmTicketSource(options) {
+  const inlineTicket = parseNonEmptyString8(options.ticket);
+  const qrFile = parseNonEmptyString8(options.qrFile);
+  if (inlineTicket.length > 0 && qrFile.length > 0) {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_INPUT_CONFLICT",
+      "Provide either --ticket or --qr-file, not both"
+    );
+  }
+  if (inlineTicket.length > 0) {
+    return {
+      ticket: parsePairingTicket(inlineTicket),
+      source: "ticket"
+    };
+  }
+  if (qrFile.length > 0) {
+    return {
+      ticket: "",
+      source: "qr-file",
+      qrFilePath: resolve(qrFile)
+    };
+  }
+  throw createCliError6(
+    "CLI_PAIR_CONFIRM_TICKET_REQUIRED",
+    "Pairing ticket is required. Pass --ticket <clwpair1_...> or --qr-file <path>."
+  );
+}
+async function startPairing(agentName, options, dependencies = {}) {
+  const fetchImpl = dependencies.fetchImpl ?? fetch;
+  const resolveConfigImpl = dependencies.resolveConfigImpl ?? resolveConfig;
+  const nowSecondsImpl = dependencies.nowSecondsImpl ?? (() => Math.floor(Date.now() / 1e3));
+  const nonceFactoryImpl = dependencies.nonceFactoryImpl ?? (() => randomBytes3(NONCE_SIZE2).toString("base64url"));
+  const ttlSeconds = parseTtlSeconds(options.ttlSeconds);
+  const proxyUrl = resolveProxyUrl(options.proxyUrl);
+  const config2 = await resolveConfigImpl();
+  const ownerPat = resolveOwnerPat({
+    explicitOwnerPat: options.ownerPat,
+    config: config2
+  });
+  const { ait, secretKey } = await readAgentProofMaterial(
+    agentName,
+    dependencies
+  );
+  const requestUrl = toProxyRequestUrl(proxyUrl, PAIR_START_PATH);
+  const requestBody = JSON.stringify({
+    ttlSeconds
+  });
+  const bodyBytes = new TextEncoder().encode(requestBody);
+  const timestampSeconds = nowSecondsImpl();
+  const nonce = nonceFactoryImpl();
+  const signedHeaders = await buildSignedHeaders({
+    method: "POST",
+    requestUrl,
+    bodyBytes,
+    secretKey,
+    timestampSeconds,
+    nonce
+  });
+  const response = await executePairRequest({
+    fetchImpl,
+    url: requestUrl,
+    init: {
+      method: "POST",
+      headers: {
+        authorization: `Claw ${ait}`,
+        "content-type": "application/json",
+        [OWNER_PAT_HEADER]: ownerPat,
+        ...signedHeaders
+      },
+      body: requestBody
+    }
+  });
+  const responseBody = await parseJsonResponse5(response);
+  if (!response.ok) {
+    throw createCliError6(
+      "CLI_PAIR_START_FAILED",
+      mapStartPairError(response.status, responseBody)
+    );
+  }
+  const parsed = parsePairStartResponse(responseBody);
+  const result = {
+    ...parsed,
+    proxyUrl
+  };
+  if (options.qr === true) {
+    result.qrPath = await persistPairingQr({
+      agentName,
+      qrOutput: options.qrOutput,
+      ticket: parsed.ticket,
+      dependencies,
+      nowSeconds: timestampSeconds
+    });
+  }
+  return result;
+}
+async function confirmPairing(agentName, options, dependencies = {}) {
+  const fetchImpl = dependencies.fetchImpl ?? fetch;
+  const nowSecondsImpl = dependencies.nowSecondsImpl ?? (() => Math.floor(Date.now() / 1e3));
+  const nonceFactoryImpl = dependencies.nonceFactoryImpl ?? (() => randomBytes3(NONCE_SIZE2).toString("base64url"));
+  const readFileImpl = dependencies.readFileImpl ?? readFile5;
+  const qrDecodeImpl = dependencies.qrDecodeImpl ?? decodeTicketFromPng;
+  const ticketSource = resolveConfirmTicketSource(options);
+  const proxyUrl = resolveProxyUrl(options.proxyUrl);
+  let ticket = ticketSource.ticket;
+  if (ticketSource.source === "qr-file") {
+    if (!ticketSource.qrFilePath) {
+      throw createCliError6(
+        "CLI_PAIR_CONFIRM_QR_FILE_REQUIRED",
+        "QR file path is required"
+      );
+    }
+    let imageBytes;
+    try {
+      imageBytes = await readFileImpl(ticketSource.qrFilePath);
+    } catch (error48) {
+      const nodeError = error48;
+      if (nodeError.code === "ENOENT") {
+        throw createCliError6(
+          "CLI_PAIR_CONFIRM_QR_FILE_NOT_FOUND",
+          `QR file not found: ${ticketSource.qrFilePath}`
+        );
+      }
+      throw error48;
+    }
+    ticket = parsePairingTicket(qrDecodeImpl(new Uint8Array(imageBytes)));
+  }
+  const { ait, secretKey } = await readAgentProofMaterial(
+    agentName,
+    dependencies
+  );
+  const requestUrl = toProxyRequestUrl(proxyUrl, PAIR_CONFIRM_PATH);
+  const requestBody = JSON.stringify({ ticket });
+  const bodyBytes = new TextEncoder().encode(requestBody);
+  const timestampSeconds = nowSecondsImpl();
+  const nonce = nonceFactoryImpl();
+  const signedHeaders = await buildSignedHeaders({
+    method: "POST",
+    requestUrl,
+    bodyBytes,
+    secretKey,
+    timestampSeconds,
+    nonce
+  });
+  const response = await executePairRequest({
+    fetchImpl,
+    url: requestUrl,
+    init: {
+      method: "POST",
+      headers: {
+        authorization: `Claw ${ait}`,
+        "content-type": "application/json",
+        ...signedHeaders
+      },
+      body: requestBody
+    }
+  });
+  const responseBody = await parseJsonResponse5(response);
+  if (!response.ok) {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_FAILED",
+      mapConfirmPairError(response.status, responseBody)
+    );
+  }
+  const parsed = parsePairConfirmResponse(responseBody);
+  return {
+    ...parsed,
+    proxyUrl
+  };
+}
+var createPairCommand = (dependencies = {}) => {
+  const pairCommand = new Command8("pair").description(
+    "Manage proxy trust pairing between agents"
+  );
+  pairCommand.command("start <agentName>").description("Start pairing and issue one-time pairing ticket").option(
+    "--proxy-url <url>",
+    "Initiator proxy base URL (or set CLAWDENTITY_PROXY_URL)"
+  ).option(
+    "--owner-pat <token>",
+    "Owner PAT override (defaults to configured API key)"
+  ).option("--ttl-seconds <seconds>", "Pairing ticket expiry in seconds").option("--qr", "Generate a local QR file for sharing").option("--qr-output <path>", "Write QR PNG to a specific file path").action(
+    withErrorHandling(
+      "pair start",
+      async (agentName, options) => {
+        const result = await startPairing(agentName, options, dependencies);
+        logger9.info("cli.pair_started", {
+          initiatorAgentDid: result.initiatorAgentDid,
+          proxyUrl: result.proxyUrl,
+          expiresAt: result.expiresAt,
+          qrPath: result.qrPath
+        });
+        writeStdoutLine("Pairing ticket created");
+        writeStdoutLine(`Ticket: ${result.ticket}`);
+        writeStdoutLine(`Initiator Agent DID: ${result.initiatorAgentDid}`);
+        writeStdoutLine(`Expires At: ${result.expiresAt}`);
+        if (result.qrPath) {
+          writeStdoutLine(`QR File: ${result.qrPath}`);
+        }
+      }
+    )
+  );
+  pairCommand.command("confirm <agentName>").description("Confirm pairing using one-time pairing ticket").option("--ticket <ticket>", "One-time pairing ticket (clwpair1_...)").option("--qr-file <path>", "Path to pairing QR PNG file").option(
+    "--proxy-url <url>",
+    "Responder proxy base URL (or set CLAWDENTITY_PROXY_URL)"
+  ).action(
+    withErrorHandling(
+      "pair confirm",
+      async (agentName, options) => {
+        const result = await confirmPairing(agentName, options, dependencies);
+        logger9.info("cli.pair_confirmed", {
+          initiatorAgentDid: result.initiatorAgentDid,
+          responderAgentDid: result.responderAgentDid,
+          proxyUrl: result.proxyUrl
+        });
+        writeStdoutLine("Pairing confirmed");
+        writeStdoutLine(`Initiator Agent DID: ${result.initiatorAgentDid}`);
+        writeStdoutLine(`Responder Agent DID: ${result.responderAgentDid}`);
+        writeStdoutLine(`Paired: ${result.paired ? "true" : "false"}`);
+      }
+    )
+  );
+  return pairCommand;
+};
+
+// src/commands/verify.ts
+import { readFile as readFile6 } from "fs/promises";
+import { Command as Command9 } from "commander";
+var logger10 = createLogger({ service: "cli", module: "verify" });
 var REGISTRY_KEYS_CACHE_FILE = "registry-keys.json";
 var CRL_CLAIMS_CACHE_FILE = "crl-claims.json";
 var REGISTRY_KEYS_CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -21808,7 +22370,7 @@ var VerifyCommandError = class extends Error {
     this.name = "VerifyCommandError";
   }
 };
-var isRecord8 = (value) => {
+var isRecord9 = (value) => {
   return typeof value === "object" && value !== null;
 };
 var normalizeRegistryUrl = (registryUrl) => {
@@ -21844,7 +22406,7 @@ var resolveToken = async (tokenOrFile) => {
     throw new VerifyCommandError("invalid token (value is empty)");
   }
   try {
-    const fileContents = await readFile5(input, "utf-8");
+    const fileContents = await readFile6(input, "utf-8");
     const token = fileContents.trim();
     if (token.length === 0) {
       throw new VerifyCommandError(`invalid token (${input} is empty)`);
@@ -21876,7 +22438,7 @@ var parseResponseJson = async (response) => {
   }
 };
 var parseSigningKeys = (payload) => {
-  if (!isRecord8(payload) || !Array.isArray(payload.keys)) {
+  if (!isRecord9(payload) || !Array.isArray(payload.keys)) {
     throw new VerifyCommandError(
       "verification keys unavailable (response payload is invalid)"
     );
@@ -21895,7 +22457,7 @@ var parseSigningKeys = (payload) => {
 };
 var parseRegistryKeysCache = (rawCache) => {
   const parsed = parseJson(rawCache);
-  if (!isRecord8(parsed)) {
+  if (!isRecord9(parsed)) {
     return void 0;
   }
   const { registryUrl, fetchedAtMs, keys } = parsed;
@@ -21921,7 +22483,7 @@ var parseRegistryKeysCache = (rawCache) => {
 };
 var parseCrlCache = (rawCache) => {
   const parsed = parseJson(rawCache);
-  if (!isRecord8(parsed)) {
+  if (!isRecord9(parsed)) {
     return void 0;
   }
   const { registryUrl, fetchedAtMs, claims } = parsed;
@@ -22019,7 +22581,7 @@ var fetchCrlClaims = async (input) => {
     );
   }
   const payload = await parseResponseJson(response);
-  if (!isRecord8(payload) || typeof payload.crl !== "string") {
+  if (!isRecord9(payload) || typeof payload.crl !== "string") {
     throw new VerifyCommandError(
       "revocation check unavailable (response payload is invalid)"
     );
@@ -22064,7 +22626,7 @@ var loadCrlClaims = async (input) => {
   return claims;
 };
 var toInvalidTokenReason = (error48) => {
-  if (isRecord8(error48) && typeof error48.message === "string") {
+  if (isRecord9(error48) && typeof error48.message === "string") {
     return `invalid token (${error48.message})`;
   }
   if (error48 instanceof Error && error48.message.length > 0) {
@@ -22132,7 +22694,7 @@ var runVerify = async (tokenOrFile) => {
     printResult(false, "revoked");
     return;
   }
-  logger9.info("cli.verify.success", {
+  logger10.info("cli.verify.success", {
     did: claims.sub,
     jti: claims.jti,
     issuer: claims.iss
@@ -22140,7 +22702,7 @@ var runVerify = async (tokenOrFile) => {
   printResult(true, `token verified (${claims.sub})`);
 };
 var createVerifyCommand = () => {
-  return new Command8("verify").description("Verify an AIT using registry keys and CRL state").argument(
+  return new Command9("verify").description("Verify an AIT using registry keys and CRL state").argument(
     "<tokenOrFile>",
     "Raw AIT token or file path containing the token"
   ).action(
@@ -22161,15 +22723,15 @@ var resolveCliVersion = () => {
 };
 var CLI_VERSION = resolveCliVersion();
 var createProgram = () => {
-  return new Command9("clawdentity").description("Clawdentity CLI - Agent identity management").version(CLI_VERSION).addCommand(createAdminCommand()).addCommand(createAgentCommand()).addCommand(createApiKeyCommand()).addCommand(createConnectorCommand()).addCommand(createConfigCommand()).addCommand(createInviteCommand()).addCommand(createOpenclawCommand()).addCommand(createVerifyCommand());
+  return new Command10("clawdentity").description("Clawdentity CLI - Agent identity management").version(CLI_VERSION).addCommand(createAdminCommand()).addCommand(createAgentCommand()).addCommand(createApiKeyCommand()).addCommand(createConnectorCommand()).addCommand(createConfigCommand()).addCommand(createInviteCommand()).addCommand(createOpenclawCommand()).addCommand(createPairCommand()).addCommand(createVerifyCommand());
 };
 
 // src/bin.ts
-var logger10 = createLogger({ service: "cli", module: "bin" });
+var logger11 = createLogger({ service: "cli", module: "bin" });
 createProgram().parseAsync(process.argv).catch((error48) => {
   process.exitCode = 1;
   const message2 = error48 instanceof Error ? error48.message : String(error48);
-  logger10.error("cli.execution_failed", { errorMessage: message2 });
+  logger11.error("cli.execution_failed", { errorMessage: message2 });
   writeStderrLine(message2);
 });
 /*! Bundled license information: