npm - clawdentity - Versions diffs - 0.0.2 → 0.0.4 - Mend

clawdentity 0.0.2 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/bin.js +1222 -121
package/dist/index.js +1220 -119
package/dist/postinstall.js +0 -0
package/package.json +19 -14
package/skill-bundle/AGENTS.md +2 -1
package/skill-bundle/openclaw-skill/skill/SKILL.md +24 -13
package/skill-bundle/openclaw-skill/skill/references/clawdentity-protocol.md +20 -9

package/dist/bin.js CHANGED Viewed

@@ -17062,7 +17062,7 @@ var DEFAULT_NONCE_TTL_MS = 5 * 60 * 1e3;
 // src/index.ts
 import { createRequire } from "module";
-import { Command as Command9 } from "commander";
+import { Command as Command10 } from "commander";
 // src/commands/admin.ts
 import { Command } from "commander";
@@ -18495,9 +18495,9 @@ var createConfigCommand = () => {
 // src/commands/connector.ts
 import { execFile as execFileCallback } from "child_process";
-import { mkdir as mkdir4, readFile as readFile3, rm, writeFile as writeFile4 } from "fs/promises";
+import { mkdir as mkdir4, readFile as readFile4, rm, writeFile as writeFile4 } from "fs/promises";
 import { homedir as homedir2 } from "os";
-import { dirname as dirname3, join as join5 } from "path";
+import { dirname as dirname3, join as join6 } from "path";
 import { fileURLToPath } from "url";
 import { promisify } from "util";
@@ -19133,8 +19133,8 @@ var ConnectorClient = class {
     }
   }
   async wait(delayMs) {
-    await new Promise((resolve) => {
-      setTimeout(resolve, delayMs);
+    await new Promise((resolve2) => {
+      setTimeout(resolve2, delayMs);
     });
   }
   makeFrameId() {
@@ -19151,15 +19151,271 @@ import { mkdir as mkdir3, rename as rename2, writeFile as writeFile3 } from "fs/
 import {
   createServer
 } from "http";
-import { dirname as dirname2, join as join4 } from "path";
+import { dirname as dirname2, join as join5 } from "path";
 import { WebSocket as NodeWebSocket } from "ws";
+// ../../packages/connector/src/relay-echo.ts
+import { readFile as readFile3 } from "fs/promises";
+import { join as join4 } from "path";
+var OPENCLAW_RELAY_RUNTIME_CONFIG_FILENAME = "openclaw-relay.json";
+var PEERS_CONFIG_FILENAME = "peers.json";
+var ECHO_EMPTY_MESSAGE_FALLBACK = "(no message content)";
+var MIN_ECHO_MAX_LENGTH = 50;
+var MAX_ECHO_MAX_LENGTH = 2e3;
+var DEFAULT_RELAY_ECHO_ENABLED = true;
+var DEFAULT_RELAY_ECHO_CHANNEL = "last";
+var DEFAULT_RELAY_ECHO_MAX_LENGTH = 500;
+function isRecord4(value) {
+  return typeof value === "object" && value !== null;
+}
+function parseAbsoluteHttpUrl(value, field) {
+  if (typeof value !== "string" || value.trim().length === 0) {
+    throw new Error(`${field} must be a non-empty string`);
+  }
+  let parsed;
+  try {
+    parsed = new URL(value.trim());
+  } catch {
+    throw new Error(`${field} must be a valid absolute URL`);
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error(`${field} must use http or https`);
+  }
+  if (parsed.pathname === "/" && parsed.search.length === 0 && parsed.hash.length === 0) {
+    return parsed.origin;
+  }
+  return parsed.toString();
+}
+function parseBoolean(value, field) {
+  if (typeof value !== "boolean") {
+    throw new Error(`${field} must be a boolean`);
+  }
+  return value;
+}
+function parsePositiveInt(value, field, min, max) {
+  const parsed = typeof value === "number" ? value : typeof value === "string" ? Number(value) : Number.NaN;
+  if (!Number.isInteger(parsed) || parsed < min || parsed > max) {
+    throw new Error(`${field} must be an integer between ${min} and ${max}`);
+  }
+  return parsed;
+}
+function parseOptionalString(value, field) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value !== "string") {
+    throw new Error(`${field} must be a string`);
+  }
+  const trimmed = value.trim();
+  if (trimmed.length === 0) {
+    return void 0;
+  }
+  return trimmed;
+}
+function parseEchoConfig(value) {
+  if (value === void 0) {
+    return {
+      enabled: DEFAULT_RELAY_ECHO_ENABLED,
+      channel: DEFAULT_RELAY_ECHO_CHANNEL,
+      maxLength: DEFAULT_RELAY_ECHO_MAX_LENGTH
+    };
+  }
+  if (!isRecord4(value)) {
+    throw new Error("echo config must be an object");
+  }
+  return {
+    enabled: value.enabled === void 0 ? DEFAULT_RELAY_ECHO_ENABLED : parseBoolean(value.enabled, "echo.enabled"),
+    channel: parseOptionalString(value.channel, "echo.channel") ?? DEFAULT_RELAY_ECHO_CHANNEL,
+    to: parseOptionalString(value.to, "echo.to"),
+    maxLength: value.maxLength === void 0 ? DEFAULT_RELAY_ECHO_MAX_LENGTH : parsePositiveInt(
+      value.maxLength,
+      "echo.maxLength",
+      MIN_ECHO_MAX_LENGTH,
+      MAX_ECHO_MAX_LENGTH
+    )
+  };
+}
+async function loadRelayRuntimeConfigFile(input) {
+  const relayRuntimeConfigPath = join4(
+    input.configDir,
+    OPENCLAW_RELAY_RUNTIME_CONFIG_FILENAME
+  );
+  let raw;
+  try {
+    raw = await readFile3(relayRuntimeConfigPath, "utf8");
+  } catch (error48) {
+    if (typeof error48 === "object" && error48 !== null && "code" in error48 && error48.code === "ENOENT") {
+      return void 0;
+    }
+    throw new Error(
+      `Unable to read relay runtime config at ${relayRuntimeConfigPath}`
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error(
+      `Unable to parse relay runtime config at ${relayRuntimeConfigPath}`
+    );
+  }
+  if (!isRecord4(parsed)) {
+    throw new Error("Relay runtime config root must be a JSON object");
+  }
+  const config2 = parsed;
+  const openclawBaseUrl = config2.openclawBaseUrl === void 0 ? void 0 : parseAbsoluteHttpUrl(config2.openclawBaseUrl, "openclawBaseUrl");
+  return {
+    openclawBaseUrl,
+    echo: parseEchoConfig(config2.echo)
+  };
+}
+function compactString(value) {
+  return value.replaceAll(/\s+/g, " ").trim();
+}
+function toCompactJson(value) {
+  try {
+    const raw = JSON.stringify(value);
+    if (typeof raw !== "string" || raw.length === 0) {
+      return ECHO_EMPTY_MESSAGE_FALLBACK;
+    }
+    return raw;
+  } catch {
+    return ECHO_EMPTY_MESSAGE_FALLBACK;
+  }
+}
+function truncateMessage(value, maxLength) {
+  if (value.length <= maxLength) {
+    return value;
+  }
+  return `${value.slice(0, maxLength)}...`;
+}
+function extractRelayMessageContent(payload) {
+  if (typeof payload === "string") {
+    const compact = compactString(payload);
+    return compact.length > 0 ? compact : ECHO_EMPTY_MESSAGE_FALLBACK;
+  }
+  if (isRecord4(payload)) {
+    for (const candidateKey of ["message", "text", "content"]) {
+      const candidateValue = payload[candidateKey];
+      if (typeof candidateValue === "string") {
+        const compact = compactString(candidateValue);
+        if (compact.length > 0) {
+          return compact;
+        }
+      }
+    }
+  }
+  return toCompactJson(payload);
+}
+function formatInboundRelayEcho(input) {
+  const content = truncateMessage(
+    extractRelayMessageContent(input.payload),
+    input.maxLength
+  );
+  return `\u{1F517} [${input.fromLabel}]: ${content}`;
+}
+function formatOutboundRelayEcho(input) {
+  const content = truncateMessage(
+    extractRelayMessageContent(input.payload),
+    input.maxLength
+  );
+  return `\u21A9\uFE0F Reply to [${input.toLabel}]: ${content}`;
+}
+async function loadPeerLabelsByDid(input) {
+  const peersPath = join4(input.configDir, PEERS_CONFIG_FILENAME);
+  let raw;
+  try {
+    raw = await readFile3(peersPath, "utf8");
+  } catch (error48) {
+    if (typeof error48 === "object" && error48 !== null && "code" in error48 && error48.code === "ENOENT") {
+      return /* @__PURE__ */ new Map();
+    }
+    throw new Error(`Unable to read peers config at ${peersPath}`);
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error(`Unable to parse peers config at ${peersPath}`);
+  }
+  if (!isRecord4(parsed) || !isRecord4(parsed.peers)) {
+    return /* @__PURE__ */ new Map();
+  }
+  const labels = /* @__PURE__ */ new Map();
+  for (const [alias, entry] of Object.entries(parsed.peers)) {
+    if (!isRecord4(entry) || typeof entry.did !== "string") {
+      continue;
+    }
+    const did = entry.did.trim();
+    if (did.length === 0) {
+      continue;
+    }
+    const name = typeof entry.name === "string" && entry.name.trim().length > 0 ? entry.name.trim() : alias.trim();
+    if (name.length === 0) {
+      continue;
+    }
+    labels.set(did, name);
+  }
+  return labels;
+}
+function resolvePeerLabel(input) {
+  if (input.peerDid !== void 0) {
+    const byDid = input.peerLabelsByDid.get(input.peerDid);
+    if (typeof byDid === "string" && byDid.length > 0) {
+      return byDid;
+    }
+  }
+  const fallback = input.fallbackLabel.trim();
+  if (fallback.length > 0) {
+    return fallback;
+  }
+  return input.peerDid?.trim() || "Unknown peer";
+}
+async function sendRelayEchoToOpenclaw(input) {
+  if (!input.echoConfig.enabled) {
+    return;
+  }
+  const payload = {
+    message: input.message,
+    name: "Clawdentity Relay",
+    wakeMode: "now",
+    deliver: true,
+    channel: input.echoConfig.channel
+  };
+  if (input.echoConfig.to !== void 0) {
+    payload.to = input.echoConfig.to;
+  }
+  const headers = {
+    "content-type": "application/json"
+  };
+  if (input.requestId !== void 0 && input.requestId.trim().length > 0) {
+    headers["x-request-id"] = input.requestId.trim();
+  }
+  if (input.hookToken !== void 0 && input.hookToken.trim().length > 0) {
+    headers["x-openclaw-token"] = input.hookToken.trim();
+  }
+  const response = await input.fetchImpl(input.endpoint, {
+    method: "POST",
+    headers,
+    body: JSON.stringify(payload)
+  });
+  if (!response.ok) {
+    input.logger.warn("connector.relay_echo.rejected", {
+      status: response.status,
+      requestId: input.requestId
+    });
+    throw new Error(`Relay echo rejected with status ${response.status}`);
+  }
+}
+// ../../packages/connector/src/runtime.ts
 var REGISTRY_AUTH_FILENAME = "registry-auth.json";
 var AGENTS_DIR_NAME2 = "agents";
 var REFRESH_SINGLE_FLIGHT_PREFIX = "connector-runtime";
 var NONCE_SIZE = 16;
 var MAX_OUTBOUND_BODY_BYTES = 1024 * 1024;
 var ACCESS_TOKEN_REFRESH_SKEW_MS = 3e4;
-function isRecord4(value) {
+function isRecord5(value) {
   return typeof value === "object" && value !== null;
 }
 function toPathWithQuery2(url2) {
@@ -19209,9 +19465,38 @@ function normalizeWebSocketUrl(urlInput) {
   }
   return parsed.toString();
 }
-function resolveOpenclawBaseUrl(input) {
-  const value = input?.trim() || process.env.OPENCLAW_BASE_URL?.trim() || DEFAULT_OPENCLAW_BASE_URL;
-  return value;
+function parseOpenclawBaseUrl(value) {
+  let parsed;
+  try {
+    parsed = new URL(value);
+  } catch {
+    throw new Error("OpenClaw base URL is invalid");
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error("OpenClaw base URL is invalid");
+  }
+  if (parsed.pathname === "/" && parsed.search.length === 0 && parsed.hash.length === 0) {
+    return parsed.origin;
+  }
+  return parsed.toString();
+}
+async function resolveOpenclawRuntimeSettings(input) {
+  const fileConfig = await loadRelayRuntimeConfigFile({
+    configDir: input.configDir
+  });
+  const baseUrlFromOption = input.openclawBaseUrlOption?.trim();
+  const baseUrlFromEnv = process.env.OPENCLAW_BASE_URL?.trim();
+  const openclawBaseUrl = parseOpenclawBaseUrl(
+    baseUrlFromOption || baseUrlFromEnv || fileConfig?.openclawBaseUrl || DEFAULT_OPENCLAW_BASE_URL
+  );
+  return {
+    openclawBaseUrl,
+    echoConfig: fileConfig?.echo ?? {
+      enabled: DEFAULT_RELAY_ECHO_ENABLED,
+      channel: DEFAULT_RELAY_ECHO_CHANNEL,
+      maxLength: DEFAULT_RELAY_ECHO_MAX_LENGTH
+    }
+  };
 }
 function resolveOpenclawHookPath(input) {
   const value = input?.trim() || process.env.OPENCLAW_HOOK_PATH?.trim() || DEFAULT_OPENCLAW_HOOK_PATH;
@@ -19251,7 +19536,7 @@ function shouldRefreshAccessToken(auth, nowMs) {
   return expiresAtMs <= nowMs + ACCESS_TOKEN_REFRESH_SKEW_MS;
 }
 function parseOutboundRelayRequest(payload) {
-  if (!isRecord4(payload)) {
+  if (!isRecord5(payload)) {
     throw new AppError({
       code: "CONNECTOR_OUTBOUND_INVALID_REQUEST",
       message: "Outbound relay request must be an object",
@@ -19309,7 +19594,7 @@ function createWebSocketFactory() {
   };
 }
 async function writeRegistryAuthAtomic(input) {
-  const targetPath = join4(
+  const targetPath = join5(
     input.configDir,
     AGENTS_DIR_NAME2,
     input.agentName,
@@ -19378,7 +19663,7 @@ async function buildUpgradeHeaders(input) {
   };
 }
 async function startConnectorRuntime(input) {
-  const logger11 = input.logger ?? createLogger({ service: "connector", module: "runtime" });
+  const logger12 = input.logger ?? createLogger({ service: "connector", module: "runtime" });
   const fetchImpl = input.fetchImpl ?? fetch;
   const secretKey = decodeBase64url(
     parseRequiredString(input.credentials.secretKey, "secretKey")
@@ -19406,14 +19691,63 @@ async function startConnectorRuntime(input) {
     accessToken: currentAuth.accessToken,
     secretKey
   });
+  const openclawRuntimeSettings = await resolveOpenclawRuntimeSettings({
+    configDir: input.configDir,
+    openclawBaseUrlOption: input.openclawBaseUrl
+  });
+  const peerLabelsByDid = await loadPeerLabelsByDid({
+    configDir: input.configDir
+  });
+  const openclawHookPath = resolveOpenclawHookPath(input.openclawHookPath);
+  const openclawHookToken = resolveOpenclawHookToken(input.openclawHookToken);
+  const openclawHookUrl = new URL(
+    openclawHookPath,
+    openclawRuntimeSettings.openclawBaseUrl
+  ).toString();
+  const queueRelayEcho = (echoInput) => {
+    void sendRelayEchoToOpenclaw({
+      endpoint: openclawHookUrl,
+      echoConfig: openclawRuntimeSettings.echoConfig,
+      fetchImpl,
+      hookToken: openclawHookToken,
+      logger: logger12,
+      message: echoInput.message,
+      requestId: echoInput.requestId
+    }).catch((error48) => {
+      logger12.warn("connector.relay_echo.failed", {
+        direction: echoInput.direction,
+        errorName: error48 instanceof Error ? error48.name : "unknown",
+        requestId: echoInput.requestId
+      });
+    });
+  };
   const connectorClient = new ConnectorClient({
     connectorUrl: wsParsed.toString(),
     connectionHeaders: upgradeHeaders,
-    openclawBaseUrl: resolveOpenclawBaseUrl(input.openclawBaseUrl),
-    openclawHookPath: resolveOpenclawHookPath(input.openclawHookPath),
-    openclawHookToken: resolveOpenclawHookToken(input.openclawHookToken),
+    openclawBaseUrl: openclawRuntimeSettings.openclawBaseUrl,
+    openclawHookPath,
+    openclawHookToken,
     fetchImpl,
-    logger: logger11,
+    logger: logger12,
+    hooks: {
+      onDeliverSucceeded: (frame) => {
+        const fromLabel = resolvePeerLabel({
+          peerLabelsByDid,
+          peerDid: frame.fromAgentDid,
+          fallbackLabel: frame.fromAgentDid
+        });
+        const echoMessage = formatInboundRelayEcho({
+          fromLabel,
+          payload: frame.payload,
+          maxLength: openclawRuntimeSettings.echoConfig.maxLength
+        });
+        queueRelayEcho({
+          direction: "inbound",
+          message: echoMessage,
+          requestId: frame.id
+        });
+      }
+    },
     webSocketFactory: createWebSocketFactory()
   });
   const outboundBaseUrl = normalizeOutboundBaseUrl(input.outboundBaseUrl);
@@ -19499,10 +19833,26 @@ async function startConnectorRuntime(input) {
       const requestBody = await readRequestJson(req);
       const relayRequest = parseOutboundRelayRequest(requestBody);
       await relayToPeer(relayRequest);
+      const toLabel = resolvePeerLabel({
+        peerLabelsByDid,
+        peerDid: relayRequest.peerDid,
+        fallbackLabel: relayRequest.peer
+      });
+      const requestId = typeof req.headers["x-request-id"] === "string" ? req.headers["x-request-id"] : void 0;
+      const echoMessage = formatOutboundRelayEcho({
+        toLabel,
+        payload: relayRequest.payload,
+        maxLength: openclawRuntimeSettings.echoConfig.maxLength
+      });
+      queueRelayEcho({
+        direction: "outbound",
+        message: echoMessage,
+        requestId
+      });
       writeJson(res, 202, { accepted: true, peer: relayRequest.peer });
     } catch (error48) {
       if (error48 instanceof AppError) {
-        logger11.warn("connector.outbound.rejected", {
+        logger12.warn("connector.outbound.rejected", {
           code: error48.code,
           status: error48.status,
           message: error48.message
@@ -19515,7 +19865,7 @@ async function startConnectorRuntime(input) {
         });
         return;
       }
-      logger11.error("connector.outbound.failed", {
+      logger12.error("connector.outbound.failed", {
         errorName: error48 instanceof Error ? error48.name : "unknown"
       });
       writeJson(res, 500, {
@@ -19527,35 +19877,35 @@ async function startConnectorRuntime(input) {
     }
   });
   let stoppedResolve;
-  const stoppedPromise = new Promise((resolve) => {
-    stoppedResolve = resolve;
+  const stoppedPromise = new Promise((resolve2) => {
+    stoppedResolve = resolve2;
   });
   const stop = async () => {
     connectorClient.disconnect();
-    await new Promise((resolve, reject) => {
+    await new Promise((resolve2, reject) => {
       server.close((error48) => {
         if (error48) {
           reject(error48);
           return;
         }
-        resolve();
+        resolve2();
       });
     });
     stoppedResolve?.();
   };
-  await new Promise((resolve, reject) => {
+  await new Promise((resolve2, reject) => {
     server.once("error", reject);
     server.listen(
       Number(outboundBaseUrl.port || "80"),
       outboundBaseUrl.hostname,
       () => {
         server.off("error", reject);
-        resolve();
+        resolve2();
       }
     );
   });
   connectorClient.connect();
-  logger11.info("connector.runtime.started", {
+  logger12.info("connector.runtime.started", {
     outboundUrl,
     websocketUrl: wsUrl,
     agentDid: input.credentials.agentDid
@@ -19580,11 +19930,11 @@ var REGISTRY_AUTH_FILE_NAME2 = "registry-auth.json";
 var SERVICE_LOG_DIR_NAME = "logs";
 var DEFAULT_CONNECTOR_BASE_URL2 = "http://127.0.0.1:19400";
 var DEFAULT_CONNECTOR_OUTBOUND_PATH2 = "/v1/outbound";
-function isRecord5(value) {
+function isRecord6(value) {
   return typeof value === "object" && value !== null;
 }
 function getErrorCode(error48) {
-  if (!isRecord5(error48)) {
+  if (!isRecord6(error48)) {
     return void 0;
   }
   return typeof error48.code === "string" ? error48.code : void 0;
@@ -19708,7 +20058,7 @@ function parseJsonRecord(value, code, message2) {
   } catch {
     throw createCliError3(code, message2);
   }
-  if (!isRecord5(parsed)) {
+  if (!isRecord6(parsed)) {
     throw createCliError3(code, message2);
   }
   return parsed;
@@ -19748,7 +20098,7 @@ async function loadDefaultConnectorModule() {
   };
 }
 function resolveWaitPromise(runtime) {
-  if (!runtime || !isRecord5(runtime)) {
+  if (!runtime || !isRecord6(runtime)) {
     return void 0;
   }
   if (typeof runtime.waitUntilStopped === "function") {
@@ -19813,7 +20163,7 @@ function buildConnectorStartArgs(agentName, commandOptions) {
 }
 function resolveCliEntryPath(resolveCurrentModulePathImpl) {
   const modulePath = resolveCurrentModulePathImpl?.() ?? fileURLToPath(import.meta.url);
-  return join5(dirname3(modulePath), "..", "bin.js");
+  return join6(dirname3(modulePath), "..", "bin.js");
 }
 function escapeXml(value) {
   return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&apos;");
@@ -19911,7 +20261,7 @@ async function installConnectorServiceForAgent(agentName, commandOptions = {}, d
   );
   const configDir = serviceDependencies.getConfigDirImpl();
   const homeDir = serviceDependencies.getHomeDirImpl();
-  const logsDir = join5(configDir, SERVICE_LOG_DIR_NAME);
+  const logsDir = join6(configDir, SERVICE_LOG_DIR_NAME);
   const serviceName = sanitizeServiceSegment(
     `clawdentity-connector-${agentName}`
   );
@@ -19921,12 +20271,12 @@ async function installConnectorServiceForAgent(agentName, commandOptions = {}, d
     resolveCliEntryPath(serviceDependencies.resolveCurrentModulePathImpl),
     ...startArgs
   ];
-  const outputLogPath = join5(logsDir, `${serviceName}.out.log`);
-  const errorLogPath = join5(logsDir, `${serviceName}.err.log`);
+  const outputLogPath = join6(logsDir, `${serviceName}.out.log`);
+  const errorLogPath = join6(logsDir, `${serviceName}.err.log`);
   await serviceDependencies.mkdirImpl(logsDir, { recursive: true });
   if (platform === "systemd") {
-    const serviceDir = join5(homeDir, ".config", "systemd", "user");
-    const serviceFilePath2 = join5(serviceDir, `${serviceName}.service`);
+    const serviceDir = join6(homeDir, ".config", "systemd", "user");
+    const serviceFilePath2 = join6(serviceDir, `${serviceName}.service`);
     await serviceDependencies.mkdirImpl(serviceDir, { recursive: true });
     await serviceDependencies.writeFileImpl(
       serviceFilePath2,
@@ -19965,9 +20315,9 @@ async function installConnectorServiceForAgent(agentName, commandOptions = {}, d
       serviceFilePath: serviceFilePath2
     };
   }
-  const launchAgentsDir = join5(homeDir, "Library", "LaunchAgents");
+  const launchAgentsDir = join6(homeDir, "Library", "LaunchAgents");
   const serviceNameWithDomain = `com.clawdentity.${serviceName}`;
-  const serviceFilePath = join5(
+  const serviceFilePath = join6(
     launchAgentsDir,
     `${serviceNameWithDomain}.plist`
   );
@@ -20026,7 +20376,7 @@ async function uninstallConnectorServiceForAgent(agentName, commandOptions = {},
     `clawdentity-connector-${agentName}`
   );
   if (platform === "systemd") {
-    const serviceFilePath2 = join5(
+    const serviceFilePath2 = join6(
       homeDir,
       ".config",
       "systemd",
@@ -20057,7 +20407,7 @@ async function uninstallConnectorServiceForAgent(agentName, commandOptions = {},
     };
   }
   const serviceNameWithDomain = `com.clawdentity.${serviceName}`;
-  const serviceFilePath = join5(
+  const serviceFilePath = join6(
     homeDir,
     "Library",
     "LaunchAgents",
@@ -20081,10 +20431,10 @@ async function uninstallConnectorServiceForAgent(agentName, commandOptions = {},
 async function startConnectorForAgent(agentName, commandOptions = {}, dependencies = {}) {
   const resolveConfigImpl = dependencies.resolveConfigImpl ?? resolveConfig;
   const getConfigDirImpl = dependencies.getConfigDirImpl ?? getConfigDir;
-  const readFileImpl = dependencies.readFileImpl ?? ((path, encoding) => readFile3(path, encoding));
+  const readFileImpl = dependencies.readFileImpl ?? ((path, encoding) => readFile4(path, encoding));
   const loadConnectorModule = dependencies.loadConnectorModule ?? loadDefaultConnectorModule;
   const configDir = getConfigDirImpl();
-  const agentDirectory = join5(configDir, AGENTS_DIR_NAME3, agentName);
+  const agentDirectory = join6(configDir, AGENTS_DIR_NAME3, agentName);
   const [
     rawAit,
     rawSecretKey,
@@ -20094,22 +20444,22 @@ async function startConnectorForAgent(agentName, commandOptions = {}, dependenci
     connectorModule
   ] = await Promise.all([
     readRequiredTrimmedFile(
-      join5(agentDirectory, AIT_FILE_NAME2),
+      join6(agentDirectory, AIT_FILE_NAME2),
       AIT_FILE_NAME2,
       readFileImpl
     ),
     readRequiredTrimmedFile(
-      join5(agentDirectory, SECRET_KEY_FILE_NAME),
+      join6(agentDirectory, SECRET_KEY_FILE_NAME),
       SECRET_KEY_FILE_NAME,
       readFileImpl
     ),
     readRequiredTrimmedFile(
-      join5(agentDirectory, IDENTITY_FILE_NAME2),
+      join6(agentDirectory, IDENTITY_FILE_NAME2),
       IDENTITY_FILE_NAME2,
       readFileImpl
     ),
     readRequiredTrimmedFile(
-      join5(agentDirectory, REGISTRY_AUTH_FILE_NAME2),
+      join6(agentDirectory, REGISTRY_AUTH_FILE_NAME2),
       REGISTRY_AUTH_FILE_NAME2,
       readFileImpl
     ),
@@ -20147,8 +20497,8 @@ async function startConnectorForAgent(agentName, commandOptions = {}, dependenci
       tokenType: registryAuth.tokenType
     }
   });
-  const outboundUrl = runtime && isRecord5(runtime) && typeof runtime.outboundUrl === "string" ? runtime.outboundUrl : resolveOutboundUrl(outboundBaseUrl, outboundPath);
-  const proxyWebsocketUrl = runtime && isRecord5(runtime) ? typeof runtime.websocketUrl === "string" ? runtime.websocketUrl : typeof runtime.proxyWebsocketUrl === "string" ? runtime.proxyWebsocketUrl : void 0 : void 0;
+  const outboundUrl = runtime && isRecord6(runtime) && typeof runtime.outboundUrl === "string" ? runtime.outboundUrl : resolveOutboundUrl(outboundBaseUrl, outboundPath);
+  const proxyWebsocketUrl = runtime && isRecord6(runtime) ? typeof runtime.websocketUrl === "string" ? runtime.websocketUrl : typeof runtime.proxyWebsocketUrl === "string" ? runtime.proxyWebsocketUrl : void 0 : void 0;
   return {
     outboundUrl,
     proxyWebsocketUrl,
@@ -20279,7 +20629,7 @@ function createConnectorCommand(dependencies = {}) {
 // src/commands/invite.ts
 import { Command as Command6 } from "commander";
 var logger7 = createLogger({ service: "cli", module: "invite" });
-var isRecord6 = (value) => {
+var isRecord7 = (value) => {
   return typeof value === "object" && value !== null;
 };
 function parseNonEmptyString6(value) {
@@ -20320,7 +20670,7 @@ function toRegistryRequestUrl(registryUrl, path) {
   return new URL(path.slice(1), normalizedBaseUrl).toString();
 }
 function extractRegistryErrorCode(payload) {
-  if (!isRecord6(payload)) {
+  if (!isRecord7(payload)) {
     return void 0;
   }
   const envelope = payload;
@@ -20331,7 +20681,7 @@ function extractRegistryErrorCode(payload) {
   return trimmed.length > 0 ? trimmed : void 0;
 }
 function extractRegistryErrorMessage3(payload) {
-  if (!isRecord6(payload)) {
+  if (!isRecord7(payload)) {
     return void 0;
   }
   const envelope = payload;
@@ -20405,13 +20755,13 @@ function mapRedeemInviteError(status, payload) {
   return `Invite redeem failed (${status})`;
 }
 function parseInviteRecord(payload) {
-  if (!isRecord6(payload)) {
+  if (!isRecord7(payload)) {
     throw createCliError4(
       "CLI_INVITE_CREATE_INVALID_RESPONSE",
       "Invite response is invalid"
     );
   }
-  const source = isRecord6(payload.invite) ? payload.invite : payload;
+  const source = isRecord7(payload.invite) ? payload.invite : payload;
   const code = parseNonEmptyString6(source.code);
   if (code.length === 0) {
     throw createCliError4(
@@ -20436,15 +20786,15 @@ function parseInviteRecord(payload) {
   return invite;
 }
 function parseInviteRedeemResponse(payload) {
-  if (!isRecord6(payload)) {
+  if (!isRecord7(payload)) {
     throw createCliError4(
       "CLI_INVITE_REDEEM_INVALID_RESPONSE",
       "Invite redeem response is invalid"
     );
   }
-  const apiKeySource = isRecord6(payload.apiKey) ? payload.apiKey : payload;
+  const apiKeySource = isRecord7(payload.apiKey) ? payload.apiKey : payload;
   const apiKeyToken = parseNonEmptyString6(
-    isRecord6(payload.apiKey) ? payload.apiKey.token : payload.token
+    isRecord7(payload.apiKey) ? payload.apiKey.token : payload.token
   );
   if (apiKeyToken.length === 0) {
     throw createCliError4(
@@ -20602,9 +20952,9 @@ var createInviteCommand = (dependencies = {}) => {
 };
 // src/commands/openclaw.ts
-import { chmod as chmod3, copyFile, mkdir as mkdir5, readFile as readFile4, writeFile as writeFile5 } from "fs/promises";
+import { chmod as chmod3, copyFile, mkdir as mkdir5, readFile as readFile5, writeFile as writeFile5 } from "fs/promises";
 import { homedir as homedir3 } from "os";
-import { dirname as dirname4, join as join6 } from "path";
+import { dirname as dirname4, join as join7 } from "path";
 import { Command as Command7 } from "commander";
 var logger8 = createLogger({ service: "cli", module: "openclaw" });
 var CLAWDENTITY_DIR_NAME = ".clawdentity";
@@ -20622,12 +20972,17 @@ var HOOK_MAPPING_ID = "clawdentity-send-to-peer";
 var HOOK_PATH_SEND_TO_PEER = "send-to-peer";
 var OPENCLAW_SEND_TO_PEER_HOOK_PATH = "hooks/send-to-peer";
 var DEFAULT_OPENCLAW_BASE_URL2 = "http://127.0.0.1:18789";
+var DEFAULT_RELAY_ECHO_ENABLED2 = true;
+var DEFAULT_RELAY_ECHO_CHANNEL2 = "last";
+var DEFAULT_RELAY_ECHO_MAX_LENGTH2 = 500;
+var MIN_RELAY_ECHO_MAX_LENGTH = 50;
+var MAX_RELAY_ECHO_MAX_LENGTH = 2e3;
 var INVITE_CODE_PREFIX = "clawd1_";
 var PEER_ALIAS_PATTERN = /^[a-zA-Z0-9._-]+$/;
 var FILE_MODE3 = 384;
 var textEncoder2 = new TextEncoder();
 var textDecoder = new TextDecoder();
-function isRecord7(value) {
+function isRecord8(value) {
   return typeof value === "object" && value !== null;
 }
 function createCliError5(code, message2, details) {
@@ -20639,7 +20994,7 @@ function createCliError5(code, message2, details) {
   });
 }
 function getErrorCode2(error48) {
-  if (!isRecord7(error48)) {
+  if (!isRecord8(error48)) {
     return void 0;
   }
   return typeof error48.code === "string" ? error48.code : void 0;
@@ -20709,13 +21064,82 @@ function parseHttpUrl(value, input) {
   }
   return parsedUrl.toString();
 }
-function parseOpenclawBaseUrl(value) {
+function parseOpenclawBaseUrl2(value) {
   return parseHttpUrl(value, {
     label: "OpenClaw base URL",
     code: "CLI_OPENCLAW_INVALID_OPENCLAW_BASE_URL",
     message: "OpenClaw base URL must be a valid URL"
   });
 }
+function parseBooleanValue(value, label) {
+  if (typeof value === "boolean") {
+    return value;
+  }
+  if (typeof value === "string") {
+    const normalized = value.trim().toLowerCase();
+    if (normalized === "true" || normalized === "1" || normalized === "yes" || normalized === "on") {
+      return true;
+    }
+    if (normalized === "false" || normalized === "0" || normalized === "no" || normalized === "off") {
+      return false;
+    }
+  }
+  throw createCliError5(
+    "CLI_OPENCLAW_INVALID_INPUT",
+    `${label} must be true or false`,
+    { label }
+  );
+}
+function parseRelayEchoChannel(value) {
+  return parseNonEmptyString7(value, "relay echo channel");
+}
+function parseRelayEchoMaxLength(value) {
+  const parsed = typeof value === "number" ? value : typeof value === "string" ? Number(value) : Number.NaN;
+  if (!Number.isInteger(parsed) || parsed < MIN_RELAY_ECHO_MAX_LENGTH || parsed > MAX_RELAY_ECHO_MAX_LENGTH) {
+    throw createCliError5(
+      "CLI_OPENCLAW_INVALID_ECHO_MAX_LENGTH",
+      `echo max length must be an integer between ${MIN_RELAY_ECHO_MAX_LENGTH} and ${MAX_RELAY_ECHO_MAX_LENGTH}`
+    );
+  }
+  return parsed;
+}
+function parseRelayEchoEnabled(value) {
+  return parseBooleanValue(value, "relay echo enabled");
+}
+function parseRelayEchoTo(value) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value !== "string") {
+    throw createCliError5(
+      "CLI_OPENCLAW_INVALID_INPUT",
+      "relay echo target must be a string",
+      { label: "relay echo target" }
+    );
+  }
+  const trimmed = value.trim();
+  if (trimmed.length === 0) {
+    return void 0;
+  }
+  return trimmed;
+}
+function defaultRelayEchoConfig() {
+  return {
+    enabled: DEFAULT_RELAY_ECHO_ENABLED2,
+    channel: DEFAULT_RELAY_ECHO_CHANNEL2,
+    maxLength: DEFAULT_RELAY_ECHO_MAX_LENGTH2
+  };
+}
+function resolveSetupRelayEchoConfig(input) {
+  const current = input.existingConfig?.echo ?? defaultRelayEchoConfig();
+  const options = input.options;
+  return {
+    enabled: options.echoEnabled === void 0 ? current.enabled : parseRelayEchoEnabled(options.echoEnabled),
+    channel: options.echoChannel === void 0 ? current.channel : parseRelayEchoChannel(options.echoChannel),
+    to: options.echoTo === void 0 ? current.to : parseRelayEchoTo(options.echoTo),
+    maxLength: options.echoMaxLength === void 0 ? current.maxLength : parseRelayEchoMaxLength(options.echoMaxLength)
+  };
+}
 function parseAgentDid2(value, label) {
   const did = parseNonEmptyString7(value, label);
   try {
@@ -20734,7 +21158,7 @@ function parseAgentDid2(value, label) {
   return did;
 }
 function parseInvitePayload(value) {
-  if (!isRecord7(value)) {
+  if (!isRecord8(value)) {
     throw createCliError5(
       "CLI_OPENCLAW_INVALID_INVITE",
       "invite payload must be an object"
@@ -20787,19 +21211,19 @@ function resolveOpenclawDir(openclawDir, homeDir) {
   if (typeof openclawDir === "string" && openclawDir.trim().length > 0) {
     return openclawDir.trim();
   }
-  return join6(homeDir, OPENCLAW_DIR_NAME);
+  return join7(homeDir, OPENCLAW_DIR_NAME);
 }
 function resolveAgentDirectory(homeDir, agentName) {
-  return join6(homeDir, CLAWDENTITY_DIR_NAME, AGENTS_DIR_NAME4, agentName);
+  return join7(homeDir, CLAWDENTITY_DIR_NAME, AGENTS_DIR_NAME4, agentName);
 }
 function resolvePeersPath(homeDir) {
-  return join6(homeDir, CLAWDENTITY_DIR_NAME, PEERS_FILE_NAME);
+  return join7(homeDir, CLAWDENTITY_DIR_NAME, PEERS_FILE_NAME);
 }
 function resolveOpenclawConfigPath(openclawDir) {
-  return join6(openclawDir, OPENCLAW_CONFIG_FILE_NAME);
+  return join7(openclawDir, OPENCLAW_CONFIG_FILE_NAME);
 }
 function resolveDefaultTransformSource(openclawDir) {
-  return join6(
+  return join7(
     openclawDir,
     "workspace",
     "skills",
@@ -20808,16 +21232,16 @@ function resolveDefaultTransformSource(openclawDir) {
   );
 }
 function resolveTransformTargetPath(openclawDir) {
-  return join6(openclawDir, "hooks", "transforms", RELAY_MODULE_FILE_NAME);
+  return join7(openclawDir, "hooks", "transforms", RELAY_MODULE_FILE_NAME);
 }
 function resolveOpenclawAgentNamePath(homeDir) {
-  return join6(homeDir, CLAWDENTITY_DIR_NAME, OPENCLAW_AGENT_FILE_NAME);
+  return join7(homeDir, CLAWDENTITY_DIR_NAME, OPENCLAW_AGENT_FILE_NAME);
 }
 function resolveRelayRuntimeConfigPath(homeDir) {
-  return join6(homeDir, CLAWDENTITY_DIR_NAME, OPENCLAW_RELAY_RUNTIME_FILE_NAME);
+  return join7(homeDir, CLAWDENTITY_DIR_NAME, OPENCLAW_RELAY_RUNTIME_FILE_NAME);
 }
 async function readJsonFile(filePath) {
-  const raw = await readFile4(filePath, "utf8");
+  const raw = await readFile5(filePath, "utf8");
   try {
     return JSON.parse(raw);
   } catch {
@@ -20829,13 +21253,13 @@ async function readJsonFile(filePath) {
 async function ensureLocalAgentCredentials(homeDir, agentName) {
   const agentDir = resolveAgentDirectory(homeDir, agentName);
   const requiredFiles = [
-    join6(agentDir, SECRET_KEY_FILE_NAME2),
-    join6(agentDir, AIT_FILE_NAME3)
+    join7(agentDir, SECRET_KEY_FILE_NAME2),
+    join7(agentDir, AIT_FILE_NAME3)
   ];
   for (const filePath of requiredFiles) {
     let content;
     try {
-      content = await readFile4(filePath, "utf8");
+      content = await readFile5(filePath, "utf8");
     } catch (error48) {
       if (getErrorCode2(error48) === "ENOENT") {
         throw createCliError5(
@@ -20909,7 +21333,7 @@ async function loadPeersConfig(peersPath) {
     }
     throw error48;
   }
-  if (!isRecord7(parsed)) {
+  if (!isRecord8(parsed)) {
     throw createCliError5(
       "CLI_OPENCLAW_INVALID_PEERS_CONFIG",
       "Peer config root must be a JSON object",
@@ -20920,7 +21344,7 @@ async function loadPeersConfig(peersPath) {
   if (peersValue === void 0) {
     return { peers: {} };
   }
-  if (!isRecord7(peersValue)) {
+  if (!isRecord8(peersValue)) {
     throw createCliError5(
       "CLI_OPENCLAW_INVALID_PEERS_CONFIG",
       "Peer config peers field must be an object",
@@ -20930,7 +21354,7 @@ async function loadPeersConfig(peersPath) {
   const peers = {};
   for (const [alias, value] of Object.entries(peersValue)) {
     const normalizedAlias = parsePeerAlias(alias);
-    if (!isRecord7(value)) {
+    if (!isRecord8(value)) {
       throw createCliError5(
         "CLI_OPENCLAW_INVALID_PEERS_CONFIG",
         "Peer entry must be an object",
@@ -20952,8 +21376,35 @@ async function savePeersConfig(peersPath, config2) {
   await writeSecureFile3(peersPath, `${JSON.stringify(config2, null, 2)}
 `);
 }
+function parseRelayRuntimeEchoConfig(value, relayRuntimeConfigPath) {
+  if (value === void 0) {
+    return defaultRelayEchoConfig();
+  }
+  if (!isRecord8(value)) {
+    throw createCliError5(
+      "CLI_OPENCLAW_INVALID_RELAY_RUNTIME_CONFIG",
+      "Relay runtime echo config must be an object",
+      { relayRuntimeConfigPath }
+    );
+  }
+  const defaults = defaultRelayEchoConfig();
+  try {
+    return {
+      enabled: value.enabled === void 0 ? defaults.enabled : parseRelayEchoEnabled(value.enabled),
+      channel: value.channel === void 0 ? defaults.channel : parseRelayEchoChannel(value.channel),
+      to: parseRelayEchoTo(value.to),
+      maxLength: value.maxLength === void 0 ? defaults.maxLength : parseRelayEchoMaxLength(value.maxLength)
+    };
+  } catch (error48) {
+    throw createCliError5(
+      "CLI_OPENCLAW_INVALID_RELAY_RUNTIME_CONFIG",
+      error48 instanceof Error ? error48.message : "Relay runtime echo config is invalid",
+      { relayRuntimeConfigPath }
+    );
+  }
+}
 function parseRelayRuntimeConfig(value, relayRuntimeConfigPath) {
-  if (!isRecord7(value)) {
+  if (!isRecord8(value)) {
     throw createCliError5(
       "CLI_OPENCLAW_INVALID_RELAY_RUNTIME_CONFIG",
       "Relay runtime config must be an object",
@@ -20961,9 +21412,11 @@ function parseRelayRuntimeConfig(value, relayRuntimeConfigPath) {
     );
   }
   const updatedAt = typeof value.updatedAt === "string" && value.updatedAt.trim().length > 0 ? value.updatedAt.trim() : void 0;
+  const echo = parseRelayRuntimeEchoConfig(value.echo, relayRuntimeConfigPath);
   return {
-    openclawBaseUrl: parseOpenclawBaseUrl(value.openclawBaseUrl),
-    updatedAt
+    openclawBaseUrl: parseOpenclawBaseUrl2(value.openclawBaseUrl),
+    updatedAt,
+    echo
   };
 }
 async function loadRelayRuntimeConfig(relayRuntimeConfigPath) {
@@ -20978,10 +21431,11 @@ async function loadRelayRuntimeConfig(relayRuntimeConfigPath) {
   }
   return parseRelayRuntimeConfig(parsed, relayRuntimeConfigPath);
 }
-async function saveRelayRuntimeConfig(relayRuntimeConfigPath, openclawBaseUrl) {
+async function saveRelayRuntimeConfig(relayRuntimeConfigPath, openclawBaseUrl, relayEchoConfig) {
   const config2 = {
     openclawBaseUrl,
-    updatedAt: nowIso()
+    updatedAt: nowIso(),
+    echo: relayEchoConfig
   };
   await writeSecureFile3(
     relayRuntimeConfigPath,
@@ -20989,13 +21443,13 @@ async function saveRelayRuntimeConfig(relayRuntimeConfigPath, openclawBaseUrl) {
 `
   );
 }
-async function resolveOpenclawBaseUrl2(input) {
+async function resolveOpenclawBaseUrl(input) {
   if (typeof input.optionValue === "string" && input.optionValue.trim().length > 0) {
-    return parseOpenclawBaseUrl(input.optionValue);
+    return parseOpenclawBaseUrl2(input.optionValue);
   }
   const envOpenclawBaseUrl = process.env.OPENCLAW_BASE_URL;
   if (typeof envOpenclawBaseUrl === "string" && envOpenclawBaseUrl.trim().length > 0) {
-    return parseOpenclawBaseUrl(envOpenclawBaseUrl);
+    return parseOpenclawBaseUrl2(envOpenclawBaseUrl);
   }
   const existingConfig = await loadRelayRuntimeConfig(
     input.relayRuntimeConfigPath
@@ -21022,20 +21476,20 @@ function normalizeStringArrayWithValue(value, requiredValue) {
   return Array.from(normalized);
 }
 function upsertRelayHookMapping(mappingsValue) {
-  const mappings = Array.isArray(mappingsValue) ? mappingsValue.filter(isRecord7).map((mapping) => ({ ...mapping })) : [];
+  const mappings = Array.isArray(mappingsValue) ? mappingsValue.filter(isRecord8).map((mapping) => ({ ...mapping })) : [];
   const existingIndex = mappings.findIndex((mapping) => {
     if (mapping.id === HOOK_MAPPING_ID) {
       return true;
     }
-    if (!isRecord7(mapping.match)) {
+    if (!isRecord8(mapping.match)) {
       return false;
     }
     return mapping.match.path === HOOK_PATH_SEND_TO_PEER;
   });
-  const baseMapping = existingIndex >= 0 && isRecord7(mappings[existingIndex]) ? mappings[existingIndex] : {};
-  const nextMatch = isRecord7(baseMapping.match) ? { ...baseMapping.match } : {};
+  const baseMapping = existingIndex >= 0 && isRecord8(mappings[existingIndex]) ? mappings[existingIndex] : {};
+  const nextMatch = isRecord8(baseMapping.match) ? { ...baseMapping.match } : {};
   nextMatch.path = HOOK_PATH_SEND_TO_PEER;
-  const nextTransform = isRecord7(baseMapping.transform) ? { ...baseMapping.transform } : {};
+  const nextTransform = isRecord8(baseMapping.transform) ? { ...baseMapping.transform } : {};
   nextTransform.module = RELAY_MODULE_FILE_NAME;
   const relayMapping = {
     ...baseMapping,
@@ -21066,14 +21520,14 @@ async function patchOpenclawConfig(openclawConfigPath) {
     }
     throw error48;
   }
-  if (!isRecord7(config2)) {
+  if (!isRecord8(config2)) {
     throw createCliError5(
       "CLI_OPENCLAW_INVALID_CONFIG",
       "OpenClaw config root must be an object",
       { openclawConfigPath }
     );
   }
-  const hooks = isRecord7(config2.hooks) ? { ...config2.hooks } : {};
+  const hooks = isRecord8(config2.hooks) ? { ...config2.hooks } : {};
   hooks.enabled = true;
   hooks.allowRequestSessionKey = false;
   hooks.allowedSessionKeyPrefixes = normalizeStringArrayWithValue(
@@ -21103,10 +21557,10 @@ function toDoctorResult(checks) {
   };
 }
 function isRelayHookMapping(value) {
-  if (!isRecord7(value)) {
+  if (!isRecord8(value)) {
     return false;
   }
-  if (!isRecord7(value.match) || value.match.path !== HOOK_PATH_SEND_TO_PEER) {
+  if (!isRecord8(value.match) || value.match.path !== HOOK_PATH_SEND_TO_PEER) {
     return false;
   }
   if (typeof value.id === "string" && value.id !== HOOK_MAPPING_ID) {
@@ -21115,7 +21569,7 @@ function isRelayHookMapping(value) {
   return true;
 }
 function hasRelayTransformModule(value) {
-  if (!isRecord7(value) || !isRecord7(value.transform)) {
+  if (!isRecord8(value) || !isRecord8(value.transform)) {
     return false;
   }
   return value.transform.module === RELAY_MODULE_FILE_NAME;
@@ -21232,7 +21686,7 @@ async function runOpenclawDoctor(options = {}) {
   const selectedAgentPath = resolveOpenclawAgentNamePath(homeDir);
   let selectedAgentName;
   try {
-    const selectedAgentRaw = await readFile4(selectedAgentPath, "utf8");
+    const selectedAgentRaw = await readFile5(selectedAgentPath, "utf8");
     selectedAgentName = assertValidAgentName(selectedAgentRaw.trim());
     checks.push(
       toDoctorCheck({
@@ -21354,7 +21808,7 @@ async function runOpenclawDoctor(options = {}) {
   }
   const transformTargetPath = resolveTransformTargetPath(openclawDir);
   try {
-    const transformContents = await readFile4(transformTargetPath, "utf8");
+    const transformContents = await readFile5(transformTargetPath, "utf8");
     if (transformContents.trim().length === 0) {
       checks.push(
         toDoctorCheck({
@@ -21392,11 +21846,11 @@ async function runOpenclawDoctor(options = {}) {
   const openclawConfigPath = resolveOpenclawConfigPath(openclawDir);
   try {
     const openclawConfig = await readJsonFile(openclawConfigPath);
-    if (!isRecord7(openclawConfig)) {
+    if (!isRecord8(openclawConfig)) {
       throw new Error("root");
     }
-    const hooks = isRecord7(openclawConfig.hooks) ? openclawConfig.hooks : {};
-    const mappings = Array.isArray(hooks.mappings) ? hooks.mappings.filter(isRecord7) : [];
+    const hooks = isRecord8(openclawConfig.hooks) ? openclawConfig.hooks : {};
+    const mappings = Array.isArray(hooks.mappings) ? hooks.mappings.filter(isRecord8) : [];
     const relayMapping = mappings.find(
       (mapping) => isRelayHookMapping(mapping)
     );
@@ -21436,7 +21890,7 @@ async function runOpenclawDoctor(options = {}) {
   }
   const relayRuntimeConfigPath = resolveRelayRuntimeConfigPath(homeDir);
   try {
-    const openclawBaseUrl = await resolveOpenclawBaseUrl2({
+    const openclawBaseUrl = await resolveOpenclawBaseUrl({
       relayRuntimeConfigPath
     });
     checks.push(
@@ -21498,7 +21952,7 @@ async function runOpenclawRelayTest(options) {
   const relayRuntimeConfigPath = resolveRelayRuntimeConfigPath(homeDir);
   let openclawBaseUrl = DEFAULT_OPENCLAW_BASE_URL2;
   try {
-    openclawBaseUrl = await resolveOpenclawBaseUrl2({
+    openclawBaseUrl = await resolveOpenclawBaseUrl({
       optionValue: options.openclawBaseUrl,
       relayRuntimeConfigPath
     });
@@ -21624,10 +22078,17 @@ async function setupOpenclawRelayFromInvite(agentName, options) {
   const transformSource = typeof options.transformSource === "string" && options.transformSource.trim().length > 0 ? options.transformSource.trim() : resolveDefaultTransformSource(openclawDir);
   const transformTargetPath = resolveTransformTargetPath(openclawDir);
   const relayRuntimeConfigPath = resolveRelayRuntimeConfigPath(homeDir);
-  const openclawBaseUrl = await resolveOpenclawBaseUrl2({
+  const existingRelayRuntimeConfig = await loadRelayRuntimeConfig(
+    relayRuntimeConfigPath
+  );
+  const openclawBaseUrl = await resolveOpenclawBaseUrl({
     optionValue: options.openclawBaseUrl,
     relayRuntimeConfigPath
   });
+  const relayEchoConfig = resolveSetupRelayEchoConfig({
+    existingConfig: existingRelayRuntimeConfig,
+    options
+  });
   const invite = decodeInvitePayload(options.inviteCode);
   const peerAliasCandidate = options.peerAlias ?? invite.alias;
   if (!peerAliasCandidate) {
@@ -21659,7 +22120,11 @@ async function setupOpenclawRelayFromInvite(agentName, options) {
   const agentNamePath = resolveOpenclawAgentNamePath(homeDir);
   await writeSecureFile3(agentNamePath, `${normalizedAgentName}
 `);
-  await saveRelayRuntimeConfig(relayRuntimeConfigPath, openclawBaseUrl);
+  await saveRelayRuntimeConfig(
+    relayRuntimeConfigPath,
+    openclawBaseUrl,
+    relayEchoConfig
+  );
   logger8.info("cli.openclaw_setup_completed", {
     agentName: normalizedAgentName,
     peerAlias,
@@ -21667,7 +22132,8 @@ async function setupOpenclawRelayFromInvite(agentName, options) {
     openclawConfigPath,
     transformTargetPath,
     openclawBaseUrl,
-    relayRuntimeConfigPath
+    relayRuntimeConfigPath,
+    relayEchoConfig
   });
   return {
     peerAlias,
@@ -21676,7 +22142,8 @@ async function setupOpenclawRelayFromInvite(agentName, options) {
     openclawConfigPath,
     transformTargetPath,
     openclawBaseUrl,
-    relayRuntimeConfigPath
+    relayRuntimeConfigPath,
+    relayEcho: relayEchoConfig
   };
 }
 var createOpenclawCommand = () => {
@@ -21712,6 +22179,20 @@ var createOpenclawCommand = () => {
   ).option(
     "--openclaw-base-url <url>",
     "Base URL for local OpenClaw hook API (default http://127.0.0.1:18789)"
+  ).option(
+    "--echo-enabled <true|false>",
+    "Enable or disable relay echo to the operator chat channel (default true)",
+    parseRelayEchoEnabled
+  ).option(
+    "--echo-channel <channel>",
+    "Relay echo delivery channel (default last)"
+  ).option(
+    "--echo-to <target>",
+    "Relay echo delivery target id/recipient (optional)"
+  ).option(
+    "--echo-max-length <number>",
+    `Relay echo message truncation limit (${MIN_RELAY_ECHO_MAX_LENGTH}-${MAX_RELAY_ECHO_MAX_LENGTH}, default ${DEFAULT_RELAY_ECHO_MAX_LENGTH2})`,
+    parseRelayEchoMaxLength
   ).action(
     withErrorHandling(
       "openclaw setup",
@@ -21725,6 +22206,16 @@ var createOpenclawCommand = () => {
         );
         writeStdoutLine(`Installed transform: ${result.transformTargetPath}`);
         writeStdoutLine(`OpenClaw base URL: ${result.openclawBaseUrl}`);
+        writeStdoutLine(
+          `Relay echo enabled: ${result.relayEcho.enabled ? "true" : "false"}`
+        );
+        writeStdoutLine(`Relay echo channel: ${result.relayEcho.channel}`);
+        writeStdoutLine(
+          `Relay echo target: ${result.relayEcho.to ?? "(last route default)"}`
+        );
+        writeStdoutLine(
+          `Relay echo max length: ${result.relayEcho.maxLength}`
+        );
         writeStdoutLine(
           `Relay runtime config: ${result.relayRuntimeConfigPath}`
         );
@@ -21794,10 +22285,620 @@ var createOpenclawCommand = () => {
   return openclawCommand;
 };
-// src/commands/verify.ts
-import { readFile as readFile5 } from "fs/promises";
+// src/commands/pair.ts
+import { randomBytes as randomBytes3 } from "crypto";
+import { mkdir as mkdir6, readdir, readFile as readFile6, unlink as unlink2, writeFile as writeFile6 } from "fs/promises";
+import { dirname as dirname5, join as join8, resolve } from "path";
 import { Command as Command8 } from "commander";
-var logger9 = createLogger({ service: "cli", module: "verify" });
+import jsQR from "jsqr";
+import { PNG } from "pngjs";
+import QRCode from "qrcode";
+var logger9 = createLogger({ service: "cli", module: "pair" });
+var AGENTS_DIR_NAME5 = "agents";
+var AIT_FILE_NAME4 = "ait.jwt";
+var SECRET_KEY_FILE_NAME3 = "secret.key";
+var PAIRING_QR_DIR_NAME = "pairing";
+var PAIR_START_PATH = "/pair/start";
+var PAIR_CONFIRM_PATH = "/pair/confirm";
+var OWNER_PAT_HEADER = "x-claw-owner-pat";
+var NONCE_SIZE2 = 24;
+var PAIRING_TICKET_PREFIX = "clwpair1_";
+var PAIRING_QR_MAX_AGE_SECONDS = 900;
+var PAIRING_QR_FILENAME_PATTERN = /-pair-(\d+)\.png$/;
+var isRecord9 = (value) => {
+  return typeof value === "object" && value !== null;
+};
+function createCliError6(code, message2) {
+  return new AppError({
+    code,
+    message: message2,
+    status: 400
+  });
+}
+function parseNonEmptyString8(value) {
+  if (typeof value !== "string") {
+    return "";
+  }
+  return value.trim();
+}
+function parsePairingTicket(value) {
+  const ticket = parseNonEmptyString8(value);
+  if (!ticket.startsWith(PAIRING_TICKET_PREFIX)) {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_TICKET_INVALID",
+      "Pairing ticket is invalid"
+    );
+  }
+  return ticket;
+}
+function parseTtlSeconds(value) {
+  const raw = parseNonEmptyString8(value);
+  if (raw.length === 0) {
+    return void 0;
+  }
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isInteger(parsed) || parsed < 1) {
+    throw createCliError6(
+      "CLI_PAIR_START_INVALID_TTL",
+      "ttlSeconds must be a positive integer"
+    );
+  }
+  return parsed;
+}
+function resolveProxyUrl(overrideProxyUrl) {
+  const candidate = parseNonEmptyString8(overrideProxyUrl) || parseNonEmptyString8(process.env.CLAWDENTITY_PROXY_URL);
+  if (candidate.length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_PROXY_URL_REQUIRED",
+      "Proxy URL is required. Pass --proxy-url <url> or set CLAWDENTITY_PROXY_URL."
+    );
+  }
+  try {
+    const parsed = new URL(candidate);
+    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+      throw new Error("invalid protocol");
+    }
+    return parsed.toString();
+  } catch {
+    throw createCliError6("CLI_PAIR_INVALID_PROXY_URL", "Proxy URL is invalid");
+  }
+}
+function toProxyRequestUrl(proxyUrl, path) {
+  const normalizedBase = proxyUrl.endsWith("/") ? proxyUrl : `${proxyUrl}/`;
+  return new URL(path.slice(1), normalizedBase).toString();
+}
+function toPathWithQuery3(url2) {
+  const parsed = new URL(url2);
+  return `${parsed.pathname}${parsed.search}`;
+}
+function extractErrorCode(payload) {
+  if (!isRecord9(payload)) {
+    return void 0;
+  }
+  const envelope = payload;
+  if (!envelope.error || typeof envelope.error.code !== "string") {
+    return void 0;
+  }
+  const code = envelope.error.code.trim();
+  return code.length > 0 ? code : void 0;
+}
+function extractErrorMessage(payload) {
+  if (!isRecord9(payload)) {
+    return void 0;
+  }
+  const envelope = payload;
+  if (!envelope.error || typeof envelope.error.message !== "string") {
+    return void 0;
+  }
+  const message2 = envelope.error.message.trim();
+  return message2.length > 0 ? message2 : void 0;
+}
+async function parseJsonResponse5(response) {
+  try {
+    return await response.json();
+  } catch {
+    return void 0;
+  }
+}
+async function executePairRequest(input) {
+  try {
+    return await input.fetchImpl(input.url, input.init);
+  } catch {
+    throw createCliError6(
+      "CLI_PAIR_REQUEST_FAILED",
+      "Unable to connect to proxy URL. Check network access and proxyUrl."
+    );
+  }
+}
+function mapStartPairError(status, payload) {
+  const code = extractErrorCode(payload);
+  const message2 = extractErrorMessage(payload);
+  if (code === "PROXY_PAIR_OWNER_PAT_INVALID" || status === 401) {
+    return message2 ? `Owner PAT is invalid (401): ${message2}` : "Owner PAT is invalid or expired (401).";
+  }
+  if (code === "PROXY_PAIR_OWNER_PAT_FORBIDDEN" || status === 403) {
+    return message2 ? `Owner PAT does not control initiator agent DID (403): ${message2}` : "Owner PAT does not control initiator agent DID (403).";
+  }
+  if (status === 400) {
+    return message2 ? `Pair start request is invalid (400): ${message2}` : "Pair start request is invalid (400).";
+  }
+  if (status >= 500) {
+    return `Proxy pairing service is unavailable (${status}).`;
+  }
+  if (message2) {
+    return `Pair start failed (${status}): ${message2}`;
+  }
+  return `Pair start failed (${status})`;
+}
+function mapConfirmPairError(status, payload) {
+  const code = extractErrorCode(payload);
+  const message2 = extractErrorMessage(payload);
+  if (code === "PROXY_PAIR_TICKET_NOT_FOUND" || status === 404) {
+    return "Pairing ticket is invalid or expired";
+  }
+  if (code === "PROXY_PAIR_TICKET_EXPIRED" || status === 410) {
+    return "Pairing ticket has expired";
+  }
+  if (status === 400) {
+    return message2 ? `Pair confirm request is invalid (400): ${message2}` : "Pair confirm request is invalid (400).";
+  }
+  if (status >= 500) {
+    return `Proxy pairing service is unavailable (${status}).`;
+  }
+  if (message2) {
+    return `Pair confirm failed (${status}): ${message2}`;
+  }
+  return `Pair confirm failed (${status})`;
+}
+function parsePairStartResponse(payload) {
+  if (!isRecord9(payload)) {
+    throw createCliError6(
+      "CLI_PAIR_START_INVALID_RESPONSE",
+      "Pair start response is invalid"
+    );
+  }
+  const ticket = parsePairingTicket(payload.ticket);
+  const initiatorAgentDid = parseNonEmptyString8(payload.initiatorAgentDid);
+  const expiresAt = parseNonEmptyString8(payload.expiresAt);
+  if (initiatorAgentDid.length === 0 || expiresAt.length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_START_INVALID_RESPONSE",
+      "Pair start response is invalid"
+    );
+  }
+  return {
+    ticket,
+    initiatorAgentDid,
+    expiresAt
+  };
+}
+function parsePairConfirmResponse(payload) {
+  if (!isRecord9(payload)) {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_INVALID_RESPONSE",
+      "Pair confirm response is invalid"
+    );
+  }
+  const paired = payload.paired === true;
+  const initiatorAgentDid = parseNonEmptyString8(payload.initiatorAgentDid);
+  const responderAgentDid = parseNonEmptyString8(payload.responderAgentDid);
+  if (!paired || initiatorAgentDid.length === 0 || responderAgentDid.length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_INVALID_RESPONSE",
+      "Pair confirm response is invalid"
+    );
+  }
+  return {
+    paired,
+    initiatorAgentDid,
+    responderAgentDid
+  };
+}
+async function readAgentProofMaterial(agentName, dependencies) {
+  const readFileImpl = dependencies.readFileImpl ?? readFile6;
+  const getConfigDirImpl = dependencies.getConfigDirImpl ?? getConfigDir;
+  const normalizedAgentName = assertValidAgentName(agentName);
+  const agentDir = join8(
+    getConfigDirImpl(),
+    AGENTS_DIR_NAME5,
+    normalizedAgentName
+  );
+  const aitPath = join8(agentDir, AIT_FILE_NAME4);
+  const secretKeyPath = join8(agentDir, SECRET_KEY_FILE_NAME3);
+  let ait;
+  try {
+    ait = (await readFileImpl(aitPath, "utf-8")).trim();
+  } catch (error48) {
+    const nodeError = error48;
+    if (nodeError.code === "ENOENT") {
+      throw createCliError6(
+        "CLI_PAIR_AGENT_NOT_FOUND",
+        `Agent "${normalizedAgentName}" is missing ${AIT_FILE_NAME4}. Run agent create first.`
+      );
+    }
+    throw error48;
+  }
+  if (ait.length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_AGENT_NOT_FOUND",
+      `Agent "${normalizedAgentName}" has an empty ${AIT_FILE_NAME4}`
+    );
+  }
+  let encodedSecretKey;
+  try {
+    encodedSecretKey = (await readFileImpl(secretKeyPath, "utf-8")).trim();
+  } catch (error48) {
+    const nodeError = error48;
+    if (nodeError.code === "ENOENT") {
+      throw createCliError6(
+        "CLI_PAIR_AGENT_NOT_FOUND",
+        `Agent "${normalizedAgentName}" is missing ${SECRET_KEY_FILE_NAME3}. Run agent create first.`
+      );
+    }
+    throw error48;
+  }
+  if (encodedSecretKey.length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_AGENT_NOT_FOUND",
+      `Agent "${normalizedAgentName}" has an empty ${SECRET_KEY_FILE_NAME3}`
+    );
+  }
+  let secretKey;
+  try {
+    secretKey = decodeBase64url(encodedSecretKey);
+  } catch {
+    throw createCliError6(
+      "CLI_PAIR_AGENT_NOT_FOUND",
+      `Agent "${normalizedAgentName}" has invalid ${SECRET_KEY_FILE_NAME3}`
+    );
+  }
+  return {
+    ait,
+    secretKey
+  };
+}
+function resolveOwnerPat(options) {
+  const ownerPat = parseNonEmptyString8(options.explicitOwnerPat) || parseNonEmptyString8(options.config.apiKey);
+  if (ownerPat.length > 0) {
+    return ownerPat;
+  }
+  throw createCliError6(
+    "CLI_PAIR_START_OWNER_PAT_REQUIRED",
+    "Owner PAT is required. Pass --owner-pat <token> or configure API key with `clawdentity invite redeem` / `clawdentity config set apiKey <token>`."
+  );
+}
+async function buildSignedHeaders(input) {
+  const signed = await signHttpRequest({
+    method: input.method,
+    pathWithQuery: toPathWithQuery3(input.requestUrl),
+    timestamp: String(input.timestampSeconds),
+    nonce: input.nonce,
+    body: input.bodyBytes,
+    secretKey: input.secretKey
+  });
+  return signed.headers;
+}
+async function encodeTicketQrPng(ticket) {
+  const buffer = await QRCode.toBuffer(ticket, {
+    type: "png",
+    width: 512,
+    margin: 2,
+    errorCorrectionLevel: "M"
+  });
+  return new Uint8Array(buffer);
+}
+function decodeTicketFromPng(imageBytes) {
+  let decodedPng;
+  try {
+    decodedPng = PNG.sync.read(Buffer.from(imageBytes));
+  } catch {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_QR_FILE_INVALID",
+      "QR image file is invalid or unsupported"
+    );
+  }
+  const imageData = new Uint8ClampedArray(
+    decodedPng.data.buffer,
+    decodedPng.data.byteOffset,
+    decodedPng.data.byteLength
+  );
+  const decoded = jsQR(imageData, decodedPng.width, decodedPng.height);
+  if (!decoded || parseNonEmptyString8(decoded.data).length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_QR_NOT_FOUND",
+      "No pairing QR code was found in the image"
+    );
+  }
+  return parsePairingTicket(decoded.data);
+}
+async function persistPairingQr(input) {
+  const mkdirImpl = input.dependencies.mkdirImpl ?? mkdir6;
+  const readdirImpl = input.dependencies.readdirImpl ?? readdir;
+  const unlinkImpl = input.dependencies.unlinkImpl ?? unlink2;
+  const writeFileImpl = input.dependencies.writeFileImpl ?? writeFile6;
+  const getConfigDirImpl = input.dependencies.getConfigDirImpl ?? getConfigDir;
+  const qrEncodeImpl = input.dependencies.qrEncodeImpl ?? encodeTicketQrPng;
+  const baseDir = join8(getConfigDirImpl(), PAIRING_QR_DIR_NAME);
+  const outputPath = parseNonEmptyString8(input.qrOutput) ? resolve(input.qrOutput ?? "") : join8(
+    baseDir,
+    `${assertValidAgentName(input.agentName)}-pair-${input.nowSeconds}.png`
+  );
+  const existingFiles = await readdirImpl(baseDir).catch((error48) => {
+    const nodeError = error48;
+    if (nodeError.code === "ENOENT") {
+      return [];
+    }
+    throw error48;
+  });
+  for (const fileName of existingFiles) {
+    if (typeof fileName !== "string") {
+      continue;
+    }
+    const match2 = PAIRING_QR_FILENAME_PATTERN.exec(fileName);
+    if (!match2) {
+      continue;
+    }
+    const issuedAtSeconds = Number.parseInt(match2[1] ?? "", 10);
+    if (!Number.isInteger(issuedAtSeconds)) {
+      continue;
+    }
+    if (issuedAtSeconds + PAIRING_QR_MAX_AGE_SECONDS > input.nowSeconds) {
+      continue;
+    }
+    const stalePath = join8(baseDir, fileName);
+    await unlinkImpl(stalePath).catch((error48) => {
+      const nodeError = error48;
+      if (nodeError.code === "ENOENT") {
+        return;
+      }
+      throw error48;
+    });
+  }
+  await mkdirImpl(dirname5(outputPath), { recursive: true });
+  const imageBytes = await qrEncodeImpl(input.ticket);
+  await writeFileImpl(outputPath, imageBytes);
+  return outputPath;
+}
+function resolveConfirmTicketSource(options) {
+  const inlineTicket = parseNonEmptyString8(options.ticket);
+  const qrFile = parseNonEmptyString8(options.qrFile);
+  if (inlineTicket.length > 0 && qrFile.length > 0) {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_INPUT_CONFLICT",
+      "Provide either --ticket or --qr-file, not both"
+    );
+  }
+  if (inlineTicket.length > 0) {
+    return {
+      ticket: parsePairingTicket(inlineTicket),
+      source: "ticket"
+    };
+  }
+  if (qrFile.length > 0) {
+    return {
+      ticket: "",
+      source: "qr-file",
+      qrFilePath: resolve(qrFile)
+    };
+  }
+  throw createCliError6(
+    "CLI_PAIR_CONFIRM_TICKET_REQUIRED",
+    "Pairing ticket is required. Pass --ticket <clwpair1_...> or --qr-file <path>."
+  );
+}
+async function startPairing(agentName, options, dependencies = {}) {
+  const fetchImpl = dependencies.fetchImpl ?? fetch;
+  const resolveConfigImpl = dependencies.resolveConfigImpl ?? resolveConfig;
+  const nowSecondsImpl = dependencies.nowSecondsImpl ?? (() => Math.floor(Date.now() / 1e3));
+  const nonceFactoryImpl = dependencies.nonceFactoryImpl ?? (() => randomBytes3(NONCE_SIZE2).toString("base64url"));
+  const ttlSeconds = parseTtlSeconds(options.ttlSeconds);
+  const proxyUrl = resolveProxyUrl(options.proxyUrl);
+  const config2 = await resolveConfigImpl();
+  const ownerPat = resolveOwnerPat({
+    explicitOwnerPat: options.ownerPat,
+    config: config2
+  });
+  const { ait, secretKey } = await readAgentProofMaterial(
+    agentName,
+    dependencies
+  );
+  const requestUrl = toProxyRequestUrl(proxyUrl, PAIR_START_PATH);
+  const requestBody = JSON.stringify({
+    ttlSeconds
+  });
+  const bodyBytes = new TextEncoder().encode(requestBody);
+  const timestampSeconds = nowSecondsImpl();
+  const nonce = nonceFactoryImpl();
+  const signedHeaders = await buildSignedHeaders({
+    method: "POST",
+    requestUrl,
+    bodyBytes,
+    secretKey,
+    timestampSeconds,
+    nonce
+  });
+  const response = await executePairRequest({
+    fetchImpl,
+    url: requestUrl,
+    init: {
+      method: "POST",
+      headers: {
+        authorization: `Claw ${ait}`,
+        "content-type": "application/json",
+        [OWNER_PAT_HEADER]: ownerPat,
+        ...signedHeaders
+      },
+      body: requestBody
+    }
+  });
+  const responseBody = await parseJsonResponse5(response);
+  if (!response.ok) {
+    throw createCliError6(
+      "CLI_PAIR_START_FAILED",
+      mapStartPairError(response.status, responseBody)
+    );
+  }
+  const parsed = parsePairStartResponse(responseBody);
+  const result = {
+    ...parsed,
+    proxyUrl
+  };
+  if (options.qr === true) {
+    result.qrPath = await persistPairingQr({
+      agentName,
+      qrOutput: options.qrOutput,
+      ticket: parsed.ticket,
+      dependencies,
+      nowSeconds: timestampSeconds
+    });
+  }
+  return result;
+}
+async function confirmPairing(agentName, options, dependencies = {}) {
+  const fetchImpl = dependencies.fetchImpl ?? fetch;
+  const nowSecondsImpl = dependencies.nowSecondsImpl ?? (() => Math.floor(Date.now() / 1e3));
+  const nonceFactoryImpl = dependencies.nonceFactoryImpl ?? (() => randomBytes3(NONCE_SIZE2).toString("base64url"));
+  const readFileImpl = dependencies.readFileImpl ?? readFile6;
+  const qrDecodeImpl = dependencies.qrDecodeImpl ?? decodeTicketFromPng;
+  const ticketSource = resolveConfirmTicketSource(options);
+  const proxyUrl = resolveProxyUrl(options.proxyUrl);
+  let ticket = ticketSource.ticket;
+  if (ticketSource.source === "qr-file") {
+    if (!ticketSource.qrFilePath) {
+      throw createCliError6(
+        "CLI_PAIR_CONFIRM_QR_FILE_REQUIRED",
+        "QR file path is required"
+      );
+    }
+    let imageBytes;
+    try {
+      imageBytes = await readFileImpl(ticketSource.qrFilePath);
+    } catch (error48) {
+      const nodeError = error48;
+      if (nodeError.code === "ENOENT") {
+        throw createCliError6(
+          "CLI_PAIR_CONFIRM_QR_FILE_NOT_FOUND",
+          `QR file not found: ${ticketSource.qrFilePath}`
+        );
+      }
+      throw error48;
+    }
+    ticket = parsePairingTicket(qrDecodeImpl(new Uint8Array(imageBytes)));
+  }
+  const { ait, secretKey } = await readAgentProofMaterial(
+    agentName,
+    dependencies
+  );
+  const requestUrl = toProxyRequestUrl(proxyUrl, PAIR_CONFIRM_PATH);
+  const requestBody = JSON.stringify({ ticket });
+  const bodyBytes = new TextEncoder().encode(requestBody);
+  const timestampSeconds = nowSecondsImpl();
+  const nonce = nonceFactoryImpl();
+  const signedHeaders = await buildSignedHeaders({
+    method: "POST",
+    requestUrl,
+    bodyBytes,
+    secretKey,
+    timestampSeconds,
+    nonce
+  });
+  const response = await executePairRequest({
+    fetchImpl,
+    url: requestUrl,
+    init: {
+      method: "POST",
+      headers: {
+        authorization: `Claw ${ait}`,
+        "content-type": "application/json",
+        ...signedHeaders
+      },
+      body: requestBody
+    }
+  });
+  const responseBody = await parseJsonResponse5(response);
+  if (!response.ok) {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_FAILED",
+      mapConfirmPairError(response.status, responseBody)
+    );
+  }
+  const parsed = parsePairConfirmResponse(responseBody);
+  if (ticketSource.source === "qr-file" && ticketSource.qrFilePath) {
+    const unlinkImpl = dependencies.unlinkImpl ?? unlink2;
+    await unlinkImpl(ticketSource.qrFilePath).catch((error48) => {
+      const nodeError = error48;
+      if (nodeError.code === "ENOENT") {
+        return;
+      }
+      logger9.warn("cli.pair.confirm.qr_cleanup_failed", {
+        path: ticketSource.qrFilePath,
+        reason: error48 instanceof Error && error48.message.length > 0 ? error48.message : "unknown"
+      });
+    });
+  }
+  return {
+    ...parsed,
+    proxyUrl
+  };
+}
+var createPairCommand = (dependencies = {}) => {
+  const pairCommand = new Command8("pair").description(
+    "Manage proxy trust pairing between agents"
+  );
+  pairCommand.command("start <agentName>").description("Start pairing and issue one-time pairing ticket").option(
+    "--proxy-url <url>",
+    "Initiator proxy base URL (or set CLAWDENTITY_PROXY_URL)"
+  ).option(
+    "--owner-pat <token>",
+    "Owner PAT override (defaults to configured API key)"
+  ).option("--ttl-seconds <seconds>", "Pairing ticket expiry in seconds").option("--qr", "Generate a local QR file for sharing").option("--qr-output <path>", "Write QR PNG to a specific file path").action(
+    withErrorHandling(
+      "pair start",
+      async (agentName, options) => {
+        const result = await startPairing(agentName, options, dependencies);
+        logger9.info("cli.pair_started", {
+          initiatorAgentDid: result.initiatorAgentDid,
+          proxyUrl: result.proxyUrl,
+          expiresAt: result.expiresAt,
+          qrPath: result.qrPath
+        });
+        writeStdoutLine("Pairing ticket created");
+        writeStdoutLine(`Ticket: ${result.ticket}`);
+        writeStdoutLine(`Initiator Agent DID: ${result.initiatorAgentDid}`);
+        writeStdoutLine(`Expires At: ${result.expiresAt}`);
+        if (result.qrPath) {
+          writeStdoutLine(`QR File: ${result.qrPath}`);
+        }
+      }
+    )
+  );
+  pairCommand.command("confirm <agentName>").description("Confirm pairing using one-time pairing ticket").option("--ticket <ticket>", "One-time pairing ticket (clwpair1_...)").option("--qr-file <path>", "Path to pairing QR PNG file").option(
+    "--proxy-url <url>",
+    "Responder proxy base URL (or set CLAWDENTITY_PROXY_URL)"
+  ).action(
+    withErrorHandling(
+      "pair confirm",
+      async (agentName, options) => {
+        const result = await confirmPairing(agentName, options, dependencies);
+        logger9.info("cli.pair_confirmed", {
+          initiatorAgentDid: result.initiatorAgentDid,
+          responderAgentDid: result.responderAgentDid,
+          proxyUrl: result.proxyUrl
+        });
+        writeStdoutLine("Pairing confirmed");
+        writeStdoutLine(`Initiator Agent DID: ${result.initiatorAgentDid}`);
+        writeStdoutLine(`Responder Agent DID: ${result.responderAgentDid}`);
+        writeStdoutLine(`Paired: ${result.paired ? "true" : "false"}`);
+      }
+    )
+  );
+  return pairCommand;
+};
+// src/commands/verify.ts
+import { readFile as readFile7 } from "fs/promises";
+import { Command as Command9 } from "commander";
+var logger10 = createLogger({ service: "cli", module: "verify" });
 var REGISTRY_KEYS_CACHE_FILE = "registry-keys.json";
 var CRL_CLAIMS_CACHE_FILE = "crl-claims.json";
 var REGISTRY_KEYS_CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -21808,7 +22909,7 @@ var VerifyCommandError = class extends Error {
     this.name = "VerifyCommandError";
   }
 };
-var isRecord8 = (value) => {
+var isRecord10 = (value) => {
   return typeof value === "object" && value !== null;
 };
 var normalizeRegistryUrl = (registryUrl) => {
@@ -21844,7 +22945,7 @@ var resolveToken = async (tokenOrFile) => {
     throw new VerifyCommandError("invalid token (value is empty)");
   }
   try {
-    const fileContents = await readFile5(input, "utf-8");
+    const fileContents = await readFile7(input, "utf-8");
     const token = fileContents.trim();
     if (token.length === 0) {
       throw new VerifyCommandError(`invalid token (${input} is empty)`);
@@ -21876,7 +22977,7 @@ var parseResponseJson = async (response) => {
   }
 };
 var parseSigningKeys = (payload) => {
-  if (!isRecord8(payload) || !Array.isArray(payload.keys)) {
+  if (!isRecord10(payload) || !Array.isArray(payload.keys)) {
     throw new VerifyCommandError(
       "verification keys unavailable (response payload is invalid)"
     );
@@ -21895,7 +22996,7 @@ var parseSigningKeys = (payload) => {
 };
 var parseRegistryKeysCache = (rawCache) => {
   const parsed = parseJson(rawCache);
-  if (!isRecord8(parsed)) {
+  if (!isRecord10(parsed)) {
     return void 0;
   }
   const { registryUrl, fetchedAtMs, keys } = parsed;
@@ -21921,7 +23022,7 @@ var parseRegistryKeysCache = (rawCache) => {
 };
 var parseCrlCache = (rawCache) => {
   const parsed = parseJson(rawCache);
-  if (!isRecord8(parsed)) {
+  if (!isRecord10(parsed)) {
     return void 0;
   }
   const { registryUrl, fetchedAtMs, claims } = parsed;
@@ -22019,7 +23120,7 @@ var fetchCrlClaims = async (input) => {
     );
   }
   const payload = await parseResponseJson(response);
-  if (!isRecord8(payload) || typeof payload.crl !== "string") {
+  if (!isRecord10(payload) || typeof payload.crl !== "string") {
     throw new VerifyCommandError(
       "revocation check unavailable (response payload is invalid)"
     );
@@ -22064,7 +23165,7 @@ var loadCrlClaims = async (input) => {
   return claims;
 };
 var toInvalidTokenReason = (error48) => {
-  if (isRecord8(error48) && typeof error48.message === "string") {
+  if (isRecord10(error48) && typeof error48.message === "string") {
     return `invalid token (${error48.message})`;
   }
   if (error48 instanceof Error && error48.message.length > 0) {
@@ -22132,7 +23233,7 @@ var runVerify = async (tokenOrFile) => {
     printResult(false, "revoked");
     return;
   }
-  logger9.info("cli.verify.success", {
+  logger10.info("cli.verify.success", {
     did: claims.sub,
     jti: claims.jti,
     issuer: claims.iss
@@ -22140,7 +23241,7 @@ var runVerify = async (tokenOrFile) => {
   printResult(true, `token verified (${claims.sub})`);
 };
 var createVerifyCommand = () => {
-  return new Command8("verify").description("Verify an AIT using registry keys and CRL state").argument(
+  return new Command9("verify").description("Verify an AIT using registry keys and CRL state").argument(
     "<tokenOrFile>",
     "Raw AIT token or file path containing the token"
   ).action(
@@ -22161,15 +23262,15 @@ var resolveCliVersion = () => {
 };
 var CLI_VERSION = resolveCliVersion();
 var createProgram = () => {
-  return new Command9("clawdentity").description("Clawdentity CLI - Agent identity management").version(CLI_VERSION).addCommand(createAdminCommand()).addCommand(createAgentCommand()).addCommand(createApiKeyCommand()).addCommand(createConnectorCommand()).addCommand(createConfigCommand()).addCommand(createInviteCommand()).addCommand(createOpenclawCommand()).addCommand(createVerifyCommand());
+  return new Command10("clawdentity").description("Clawdentity CLI - Agent identity management").version(CLI_VERSION).addCommand(createAdminCommand()).addCommand(createAgentCommand()).addCommand(createApiKeyCommand()).addCommand(createConnectorCommand()).addCommand(createConfigCommand()).addCommand(createInviteCommand()).addCommand(createOpenclawCommand()).addCommand(createPairCommand()).addCommand(createVerifyCommand());
 };
 // src/bin.ts
-var logger10 = createLogger({ service: "cli", module: "bin" });
+var logger11 = createLogger({ service: "cli", module: "bin" });
 createProgram().parseAsync(process.argv).catch((error48) => {
   process.exitCode = 1;
   const message2 = error48 instanceof Error ? error48.message : String(error48);
-  logger10.error("cli.execution_failed", { errorMessage: message2 });
+  logger11.error("cli.execution_failed", { errorMessage: message2 });
   writeStderrLine(message2);
 });
 /*! Bundled license information: