npm - clawdentity - Versions diffs - 0.0.3 → 0.0.5 - Mend

clawdentity 0.0.3 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/bin.js +481 -32
package/dist/index.js +481 -32
package/dist/postinstall.js +0 -0
package/package.json +17 -15
package/skill-bundle/AGENTS.md +2 -1
package/skill-bundle/openclaw-skill/dist/relay-to-peer.mjs +165 -18
package/skill-bundle/openclaw-skill/skill/SKILL.md +15 -2
package/skill-bundle/openclaw-skill/skill/references/clawdentity-protocol.md +18 -7

package/dist/bin.js CHANGED Viewed

@@ -19577,6 +19577,8 @@ var IDENTITY_FILE_NAME2 = "identity.json";
 var AIT_FILE_NAME2 = "ait.jwt";
 var SECRET_KEY_FILE_NAME = "secret.key";
 var REGISTRY_AUTH_FILE_NAME2 = "registry-auth.json";
+var OPENCLAW_RELAY_RUNTIME_FILE_NAME = "openclaw-relay.json";
+var OPENCLAW_CONNECTORS_FILE_NAME = "openclaw-connectors.json";
 var SERVICE_LOG_DIR_NAME = "logs";
 var DEFAULT_CONNECTOR_BASE_URL2 = "http://127.0.0.1:19400";
 var DEFAULT_CONNECTOR_OUTBOUND_PATH2 = "/v1/outbound";
@@ -19660,13 +19662,43 @@ function normalizeOutboundPath2(pathValue) {
   }
   return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
 }
-function resolveConnectorBaseUrl() {
+function resolveConnectorBaseUrlFromEnv() {
   const value = process.env.CLAWDENTITY_CONNECTOR_BASE_URL;
   if (typeof value !== "string" || value.trim().length === 0) {
-    return DEFAULT_CONNECTOR_BASE_URL2;
+    return void 0;
   }
   return parseConnectorBaseUrl(value.trim());
 }
+async function readConnectorAssignedBaseUrl(configDir, agentName, readFileImpl) {
+  const assignmentsPath = join5(configDir, OPENCLAW_CONNECTORS_FILE_NAME);
+  let raw;
+  try {
+    raw = await readFileImpl(assignmentsPath, "utf8");
+  } catch (error48) {
+    if (getErrorCode(error48) === "ENOENT") {
+      return void 0;
+    }
+    throw error48;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw createCliError3(
+      "CLI_CONNECTOR_INVALID_ASSIGNMENTS",
+      "Connector assignments config is invalid JSON",
+      { assignmentsPath }
+    );
+  }
+  if (!isRecord5(parsed) || !isRecord5(parsed.agents)) {
+    return void 0;
+  }
+  const entry = parsed.agents[agentName];
+  if (!isRecord5(entry) || typeof entry.connectorBaseUrl !== "string") {
+    return void 0;
+  }
+  return parseConnectorBaseUrl(entry.connectorBaseUrl);
+}
 function resolveConnectorOutboundPath() {
   const value = process.env.CLAWDENTITY_CONNECTOR_OUTBOUND_PATH;
   if (typeof value !== "string" || value.trim().length === 0) {
@@ -19701,6 +19733,34 @@ async function readRequiredTrimmedFile(filePath, label, readFileImpl) {
   }
   return trimmed;
 }
+async function readRelayRuntimeConfig(configDir, readFileImpl) {
+  const filePath = join5(configDir, OPENCLAW_RELAY_RUNTIME_FILE_NAME);
+  let raw;
+  try {
+    raw = await readFileImpl(filePath, "utf8");
+  } catch (error48) {
+    if (getErrorCode(error48) === "ENOENT") {
+      return void 0;
+    }
+    throw error48;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return void 0;
+  }
+  if (!isRecord5(parsed)) {
+    return void 0;
+  }
+  const openclawHookToken = typeof parsed.openclawHookToken === "string" && parsed.openclawHookToken.trim().length > 0 ? parsed.openclawHookToken.trim() : void 0;
+  if (!openclawHookToken) {
+    return void 0;
+  }
+  return {
+    openclawHookToken
+  };
+}
 function parseJsonRecord(value, code, message2) {
   let parsed;
   try {
@@ -20090,6 +20150,8 @@ async function startConnectorForAgent(agentName, commandOptions = {}, dependenci
     rawSecretKey,
     rawIdentity,
     rawRegistryAuth,
+    assignedConnectorBaseUrl,
+    relayRuntimeConfig,
     config2,
     connectorModule
   ] = await Promise.all([
@@ -20113,6 +20175,8 @@ async function startConnectorForAgent(agentName, commandOptions = {}, dependenci
       REGISTRY_AUTH_FILE_NAME2,
       readFileImpl
     ),
+    readConnectorAssignedBaseUrl(configDir, agentName, readFileImpl),
+    readRelayRuntimeConfig(configDir, readFileImpl),
     resolveConfigImpl(),
     loadConnectorModule()
   ]);
@@ -20124,7 +20188,8 @@ async function startConnectorForAgent(agentName, commandOptions = {}, dependenci
   }
   const identity = parseAgentIdentity(rawIdentity);
   const registryAuth = parseRegistryAuth(rawRegistryAuth);
-  const outboundBaseUrl = resolveConnectorBaseUrl();
+  const openclawHookToken = commandOptions.openclawHookToken ?? relayRuntimeConfig?.openclawHookToken;
+  const outboundBaseUrl = resolveConnectorBaseUrlFromEnv() ?? assignedConnectorBaseUrl ?? DEFAULT_CONNECTOR_BASE_URL2;
   const outboundPath = resolveConnectorOutboundPath();
   const runtime = await connectorModule.startConnectorRuntime({
     agentName,
@@ -20135,7 +20200,7 @@ async function startConnectorForAgent(agentName, commandOptions = {}, dependenci
     proxyWebsocketUrl: commandOptions.proxyWsUrl,
     openclawBaseUrl: commandOptions.openclawBaseUrl,
     openclawHookPath: commandOptions.openclawHookPath,
-    openclawHookToken: commandOptions.openclawHookToken,
+    openclawHookToken,
     credentials: {
       agentDid: identity.did,
       ait: rawAit,
@@ -20602,9 +20667,11 @@ var createInviteCommand = (dependencies = {}) => {
 };
 // src/commands/openclaw.ts
+import { randomBytes as randomBytes3 } from "crypto";
+import { existsSync } from "fs";
 import { chmod as chmod3, copyFile, mkdir as mkdir5, readFile as readFile4, writeFile as writeFile5 } from "fs/promises";
 import { homedir as homedir3 } from "os";
-import { dirname as dirname4, join as join6 } from "path";
+import { dirname as dirname4, join as join6, resolve as resolvePath } from "path";
 import { Command as Command7 } from "commander";
 var logger8 = createLogger({ service: "cli", module: "openclaw" });
 var CLAWDENTITY_DIR_NAME = ".clawdentity";
@@ -20614,17 +20681,29 @@ var SECRET_KEY_FILE_NAME2 = "secret.key";
 var PEERS_FILE_NAME = "peers.json";
 var OPENCLAW_DIR_NAME = ".openclaw";
 var OPENCLAW_CONFIG_FILE_NAME = "openclaw.json";
+var LEGACY_OPENCLAW_STATE_DIR_NAMES = [".clawdbot", ".moldbot", ".moltbot"];
+var LEGACY_OPENCLAW_CONFIG_FILE_NAMES = ["clawdbot.json", "moldbot.json", "moltbot.json"];
 var OPENCLAW_AGENT_FILE_NAME = "openclaw-agent-name";
-var OPENCLAW_RELAY_RUNTIME_FILE_NAME = "openclaw-relay.json";
+var OPENCLAW_RELAY_RUNTIME_FILE_NAME2 = "openclaw-relay.json";
+var OPENCLAW_CONNECTORS_FILE_NAME2 = "openclaw-connectors.json";
 var SKILL_DIR_NAME = "clawdentity-openclaw-relay";
 var RELAY_MODULE_FILE_NAME = "relay-to-peer.mjs";
+var RELAY_RUNTIME_FILE_NAME = "clawdentity-relay.json";
+var RELAY_PEERS_FILE_NAME = "clawdentity-peers.json";
 var HOOK_MAPPING_ID = "clawdentity-send-to-peer";
 var HOOK_PATH_SEND_TO_PEER = "send-to-peer";
 var OPENCLAW_SEND_TO_PEER_HOOK_PATH = "hooks/send-to-peer";
 var DEFAULT_OPENCLAW_BASE_URL2 = "http://127.0.0.1:18789";
+var DEFAULT_CONNECTOR_PORT = 19400;
+var DEFAULT_CONNECTOR_OUTBOUND_PATH3 = "/v1/outbound";
+var CONNECTOR_HOST_LOOPBACK = "127.0.0.1";
+var CONNECTOR_HOST_DOCKER = "host.docker.internal";
+var CONNECTOR_HOST_DOCKER_GATEWAY = "gateway.docker.internal";
+var CONNECTOR_HOST_LINUX_BRIDGE = "172.17.0.1";
 var INVITE_CODE_PREFIX = "clawd1_";
 var PEER_ALIAS_PATTERN = /^[a-zA-Z0-9._-]+$/;
 var FILE_MODE3 = 384;
+var OPENCLAW_HOOK_TOKEN_BYTES = 32;
 var textEncoder2 = new TextEncoder();
 var textDecoder = new TextDecoder();
 function isRecord7(value) {
@@ -20783,11 +20862,56 @@ function resolveHomeDir(homeDir) {
   }
   return homedir3();
 }
+function resolveHomePrefixedPath(input, homeDir) {
+  const trimmed = input.trim();
+  if (trimmed.startsWith("~")) {
+    return resolvePath(trimmed.replace(/^~(?=$|[\\/])/, homeDir));
+  }
+  return resolvePath(trimmed);
+}
+function readNonEmptyEnvPath(value, homeDir) {
+  if (typeof value !== "string" || value.trim().length === 0) {
+    return void 0;
+  }
+  return resolveHomePrefixedPath(value, homeDir);
+}
+function resolveOpenclawHomeDir(homeDir) {
+  const envOpenclawHome = readNonEmptyEnvPath(process.env.OPENCLAW_HOME, homeDir);
+  return envOpenclawHome ?? homeDir;
+}
+function resolveDefaultOpenclawStateDir(openclawHomeDir) {
+  const newStateDir = join6(openclawHomeDir, OPENCLAW_DIR_NAME);
+  if (existsSync(newStateDir)) {
+    return newStateDir;
+  }
+  for (const legacyDirName of LEGACY_OPENCLAW_STATE_DIR_NAMES) {
+    const legacyStateDir = join6(openclawHomeDir, legacyDirName);
+    if (existsSync(legacyStateDir)) {
+      return legacyStateDir;
+    }
+  }
+  return newStateDir;
+}
 function resolveOpenclawDir(openclawDir, homeDir) {
   if (typeof openclawDir === "string" && openclawDir.trim().length > 0) {
-    return openclawDir.trim();
+    return resolveHomePrefixedPath(openclawDir, homeDir);
+  }
+  const envStateDir = readNonEmptyEnvPath(
+    process.env.OPENCLAW_STATE_DIR ?? process.env.CLAWDBOT_STATE_DIR,
+    homeDir
+  );
+  if (envStateDir !== void 0) {
+    return envStateDir;
+  }
+  const envConfigPath = readNonEmptyEnvPath(
+    process.env.OPENCLAW_CONFIG_PATH ?? process.env.CLAWDBOT_CONFIG_PATH,
+    homeDir
+  );
+  if (envConfigPath !== void 0) {
+    return dirname4(envConfigPath);
   }
-  return join6(homeDir, OPENCLAW_DIR_NAME);
+  const openclawHomeDir = resolveOpenclawHomeDir(homeDir);
+  return resolveDefaultOpenclawStateDir(openclawHomeDir);
 }
 function resolveAgentDirectory(homeDir, agentName) {
   return join6(homeDir, CLAWDENTITY_DIR_NAME, AGENTS_DIR_NAME4, agentName);
@@ -20795,8 +20919,26 @@ function resolveAgentDirectory(homeDir, agentName) {
 function resolvePeersPath(homeDir) {
   return join6(homeDir, CLAWDENTITY_DIR_NAME, PEERS_FILE_NAME);
 }
-function resolveOpenclawConfigPath(openclawDir) {
-  return join6(openclawDir, OPENCLAW_CONFIG_FILE_NAME);
+function resolveOpenclawConfigPath(openclawDir, homeDir) {
+  const envConfigPath = readNonEmptyEnvPath(
+    process.env.OPENCLAW_CONFIG_PATH ?? process.env.CLAWDBOT_CONFIG_PATH,
+    homeDir
+  );
+  if (envConfigPath !== void 0) {
+    return envConfigPath;
+  }
+  const configCandidates = [
+    join6(openclawDir, OPENCLAW_CONFIG_FILE_NAME),
+    ...LEGACY_OPENCLAW_CONFIG_FILE_NAMES.map(
+      (fileName) => join6(openclawDir, fileName)
+    )
+  ];
+  for (const candidate of configCandidates) {
+    if (existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  return configCandidates[0];
 }
 function resolveDefaultTransformSource(openclawDir) {
   return join6(
@@ -20814,7 +20956,16 @@ function resolveOpenclawAgentNamePath(homeDir) {
   return join6(homeDir, CLAWDENTITY_DIR_NAME, OPENCLAW_AGENT_FILE_NAME);
 }
 function resolveRelayRuntimeConfigPath(homeDir) {
-  return join6(homeDir, CLAWDENTITY_DIR_NAME, OPENCLAW_RELAY_RUNTIME_FILE_NAME);
+  return join6(homeDir, CLAWDENTITY_DIR_NAME, OPENCLAW_RELAY_RUNTIME_FILE_NAME2);
+}
+function resolveConnectorAssignmentsPath(homeDir) {
+  return join6(homeDir, CLAWDENTITY_DIR_NAME, OPENCLAW_CONNECTORS_FILE_NAME2);
+}
+function resolveTransformRuntimePath(openclawDir) {
+  return join6(openclawDir, "hooks", "transforms", RELAY_RUNTIME_FILE_NAME);
+}
+function resolveTransformPeersPath(openclawDir) {
+  return join6(openclawDir, "hooks", "transforms", RELAY_PEERS_FILE_NAME);
 }
 async function readJsonFile(filePath) {
   const raw = await readFile4(filePath, "utf8");
@@ -20952,6 +21103,98 @@ async function savePeersConfig(peersPath, config2) {
   await writeSecureFile3(peersPath, `${JSON.stringify(config2, null, 2)}
 `);
 }
+function parseConnectorBaseUrlForAssignment(value, label) {
+  return parseHttpUrl(value, {
+    label,
+    code: "CLI_OPENCLAW_INVALID_CONNECTOR_BASE_URL",
+    message: "Connector base URL must be a valid URL"
+  });
+}
+function parseConnectorAssignments(value, connectorAssignmentsPath) {
+  if (!isRecord7(value)) {
+    throw createCliError5(
+      "CLI_OPENCLAW_INVALID_CONNECTOR_ASSIGNMENTS",
+      "Connector assignments config must be an object",
+      { connectorAssignmentsPath }
+    );
+  }
+  const agentsRaw = value.agents;
+  if (!isRecord7(agentsRaw)) {
+    return { agents: {} };
+  }
+  const agents = {};
+  for (const [agentName, entryValue] of Object.entries(agentsRaw)) {
+    if (!isRecord7(entryValue)) {
+      throw createCliError5(
+        "CLI_OPENCLAW_INVALID_CONNECTOR_ASSIGNMENTS",
+        "Connector assignment entry must be an object",
+        { connectorAssignmentsPath, agentName }
+      );
+    }
+    const connectorBaseUrl = parseConnectorBaseUrlForAssignment(
+      entryValue.connectorBaseUrl,
+      "connectorBaseUrl"
+    );
+    const updatedAt = typeof entryValue.updatedAt === "string" && entryValue.updatedAt.trim().length > 0 ? entryValue.updatedAt.trim() : nowIso();
+    agents[assertValidAgentName(agentName)] = {
+      connectorBaseUrl,
+      updatedAt
+    };
+  }
+  return { agents };
+}
+async function loadConnectorAssignments(connectorAssignmentsPath) {
+  let parsed;
+  try {
+    parsed = await readJsonFile(connectorAssignmentsPath);
+  } catch (error48) {
+    if (getErrorCode2(error48) === "ENOENT") {
+      return { agents: {} };
+    }
+    throw error48;
+  }
+  return parseConnectorAssignments(parsed, connectorAssignmentsPath);
+}
+async function saveConnectorAssignments(connectorAssignmentsPath, config2) {
+  await writeSecureFile3(
+    connectorAssignmentsPath,
+    `${JSON.stringify(config2, null, 2)}
+`
+  );
+}
+function parseConnectorPortFromBaseUrl(baseUrl) {
+  const parsed = new URL(baseUrl);
+  if (parsed.port) {
+    return Number(parsed.port);
+  }
+  return parsed.protocol === "https:" ? 443 : 80;
+}
+function allocateConnectorPort(assignments, agentName) {
+  const existing = assignments.agents[agentName];
+  if (existing) {
+    return parseConnectorPortFromBaseUrl(existing.connectorBaseUrl);
+  }
+  const usedPorts = /* @__PURE__ */ new Set();
+  for (const entry of Object.values(assignments.agents)) {
+    usedPorts.add(parseConnectorPortFromBaseUrl(entry.connectorBaseUrl));
+  }
+  let nextPort = DEFAULT_CONNECTOR_PORT;
+  while (usedPorts.has(nextPort)) {
+    nextPort += 1;
+  }
+  return nextPort;
+}
+function buildConnectorBaseUrl(host, port) {
+  return `http://${host}:${port}`;
+}
+function buildRelayConnectorBaseUrls(port) {
+  return [
+    buildConnectorBaseUrl(CONNECTOR_HOST_DOCKER, port),
+    buildConnectorBaseUrl(CONNECTOR_HOST_DOCKER_GATEWAY, port),
+    buildConnectorBaseUrl(CONNECTOR_HOST_LINUX_BRIDGE, port),
+    buildConnectorBaseUrl(CONNECTOR_HOST_LOOPBACK, port)
+  ];
+}
 function parseRelayRuntimeConfig(value, relayRuntimeConfigPath) {
   if (!isRecord7(value)) {
     throw createCliError5(
@@ -20961,8 +21204,10 @@ function parseRelayRuntimeConfig(value, relayRuntimeConfigPath) {
     );
   }
   const updatedAt = typeof value.updatedAt === "string" && value.updatedAt.trim().length > 0 ? value.updatedAt.trim() : void 0;
+  const openclawHookToken = typeof value.openclawHookToken === "string" && value.openclawHookToken.trim().length > 0 ? value.openclawHookToken.trim() : void 0;
   return {
     openclawBaseUrl: parseOpenclawBaseUrl(value.openclawBaseUrl),
+    openclawHookToken,
     updatedAt
   };
 }
@@ -20978,9 +21223,10 @@ async function loadRelayRuntimeConfig(relayRuntimeConfigPath) {
   }
   return parseRelayRuntimeConfig(parsed, relayRuntimeConfigPath);
 }
-async function saveRelayRuntimeConfig(relayRuntimeConfigPath, openclawBaseUrl) {
+async function saveRelayRuntimeConfig(relayRuntimeConfigPath, openclawBaseUrl, openclawHookToken) {
   const config2 = {
     openclawBaseUrl,
+    ...openclawHookToken ? { openclawHookToken } : {},
     updatedAt: nowIso()
   };
   await writeSecureFile3(
@@ -21021,6 +21267,9 @@ function normalizeStringArrayWithValue(value, requiredValue) {
   normalized.add(requiredValue);
   return Array.from(normalized);
 }
+function generateOpenclawHookToken() {
+  return randomBytes3(OPENCLAW_HOOK_TOKEN_BYTES).toString("hex");
+}
 function upsertRelayHookMapping(mappingsValue) {
   const mappings = Array.isArray(mappingsValue) ? mappingsValue.filter(isRecord7).map((mapping) => ({ ...mapping })) : [];
   const existingIndex = mappings.findIndex((mapping) => {
@@ -21052,7 +21301,7 @@ function upsertRelayHookMapping(mappingsValue) {
   mappings.push(relayMapping);
   return mappings;
 }
-async function patchOpenclawConfig(openclawConfigPath) {
+async function patchOpenclawConfig(openclawConfigPath, hookToken) {
   let config2;
   try {
     config2 = await readJsonFile(openclawConfigPath);
@@ -21074,7 +21323,11 @@ async function patchOpenclawConfig(openclawConfigPath) {
     );
   }
   const hooks = isRecord7(config2.hooks) ? { ...config2.hooks } : {};
+  const existingHookToken = typeof hooks.token === "string" && hooks.token.trim().length > 0 ? hooks.token.trim() : void 0;
+  const preferredHookToken = typeof hookToken === "string" && hookToken.trim().length > 0 ? hookToken.trim() : void 0;
+  const resolvedHookToken = existingHookToken ?? preferredHookToken ?? generateOpenclawHookToken();
   hooks.enabled = true;
+  hooks.token = resolvedHookToken;
   hooks.allowRequestSessionKey = false;
   hooks.allowedSessionKeyPrefixes = normalizeStringArrayWithValue(
     hooks.allowedSessionKeyPrefixes,
@@ -21091,6 +21344,9 @@ async function patchOpenclawConfig(openclawConfigPath) {
 `,
     "utf8"
   );
+  return {
+    hookToken: resolvedHookToken
+  };
 }
 function toDoctorCheck(input) {
   return input;
@@ -21126,8 +21382,8 @@ function parseDoctorPeerAlias(peerAlias) {
   }
   return parsePeerAlias(peerAlias);
 }
-function resolveHookToken(optionValue) {
-  const trimmedOption = optionValue?.trim();
+async function resolveHookToken(input) {
+  const trimmedOption = input.optionValue?.trim();
   if (trimmedOption !== void 0 && trimmedOption.length > 0) {
     return trimmedOption;
   }
@@ -21135,6 +21391,12 @@ function resolveHookToken(optionValue) {
   if (envValue !== void 0 && envValue.length > 0) {
     return envValue;
   }
+  const existingConfig = await loadRelayRuntimeConfig(
+    input.relayRuntimeConfigPath
+  );
+  if (existingConfig?.openclawHookToken) {
+    return existingConfig.openclawHookToken;
+  }
   return void 0;
 }
 function resolveProbeMessage(optionValue) {
@@ -21353,17 +21615,28 @@ async function runOpenclawDoctor(options = {}) {
     );
   }
   const transformTargetPath = resolveTransformTargetPath(openclawDir);
+  const relayTransformRuntimePath = resolveTransformRuntimePath(openclawDir);
+  const relayTransformPeersPath = resolveTransformPeersPath(openclawDir);
   try {
     const transformContents = await readFile4(transformTargetPath, "utf8");
-    if (transformContents.trim().length === 0) {
+    const runtimeContents = await readFile4(relayTransformRuntimePath, "utf8");
+    const peersSnapshotContents = await readFile4(
+      relayTransformPeersPath,
+      "utf8"
+    );
+    if (transformContents.trim().length === 0 || runtimeContents.trim().length === 0 || peersSnapshotContents.trim().length === 0) {
       checks.push(
         toDoctorCheck({
           id: "state.transform",
           label: "Relay transform",
           status: "fail",
-          message: `transform file is empty: ${transformTargetPath}`,
+          message: "relay transform artifacts are missing or empty",
           remediationHint: "Run: npm install clawdentity --skill",
-          details: { transformTargetPath }
+          details: {
+            transformTargetPath,
+            relayTransformRuntimePath,
+            relayTransformPeersPath
+          }
         })
       );
     } else {
@@ -21372,8 +21645,12 @@ async function runOpenclawDoctor(options = {}) {
           id: "state.transform",
           label: "Relay transform",
           status: "pass",
-          message: "relay transform file exists",
-          details: { transformTargetPath }
+          message: "relay transform artifacts are present",
+          details: {
+            transformTargetPath,
+            relayTransformRuntimePath,
+            relayTransformPeersPath
+          }
         })
       );
     }
@@ -21383,19 +21660,25 @@ async function runOpenclawDoctor(options = {}) {
         id: "state.transform",
         label: "Relay transform",
         status: "fail",
-        message: `missing transform file: ${transformTargetPath}`,
+        message: "missing relay transform artifacts",
         remediationHint: "Run: npm install clawdentity --skill",
-        details: { transformTargetPath }
+        details: {
+          transformTargetPath,
+          relayTransformRuntimePath,
+          relayTransformPeersPath
+        }
       })
     );
   }
-  const openclawConfigPath = resolveOpenclawConfigPath(openclawDir);
+  const openclawConfigPath = resolveOpenclawConfigPath(openclawDir, homeDir);
   try {
     const openclawConfig = await readJsonFile(openclawConfigPath);
     if (!isRecord7(openclawConfig)) {
       throw new Error("root");
     }
     const hooks = isRecord7(openclawConfig.hooks) ? openclawConfig.hooks : {};
+    const hooksEnabled = hooks.enabled === true;
+    const hookToken = typeof hooks.token === "string" && hooks.token.trim().length > 0 ? hooks.token.trim() : void 0;
     const mappings = Array.isArray(hooks.mappings) ? hooks.mappings.filter(isRecord7) : [];
     const relayMapping = mappings.find(
       (mapping) => isRelayHookMapping(mapping)
@@ -21422,6 +21705,39 @@ async function runOpenclawDoctor(options = {}) {
         })
       );
     }
+    if (!hooksEnabled) {
+      checks.push(
+        toDoctorCheck({
+          id: "state.hookToken",
+          label: "OpenClaw hook auth",
+          status: "fail",
+          message: `hooks.enabled is not true in ${openclawConfigPath}`,
+          remediationHint: "Run: clawdentity openclaw setup <agentName> --invite-code <code> and restart OpenClaw",
+          details: { openclawConfigPath }
+        })
+      );
+    } else if (hookToken === void 0) {
+      checks.push(
+        toDoctorCheck({
+          id: "state.hookToken",
+          label: "OpenClaw hook auth",
+          status: "fail",
+          message: `hooks.token is missing in ${openclawConfigPath}`,
+          remediationHint: "Run: clawdentity openclaw setup <agentName> --invite-code <code> and restart OpenClaw",
+          details: { openclawConfigPath }
+        })
+      );
+    } else {
+      checks.push(
+        toDoctorCheck({
+          id: "state.hookToken",
+          label: "OpenClaw hook auth",
+          status: "pass",
+          message: "hooks token is configured",
+          details: { openclawConfigPath }
+        })
+      );
+    }
   } catch {
     checks.push(
       toDoctorCheck({
@@ -21429,7 +21745,17 @@ async function runOpenclawDoctor(options = {}) {
         label: "OpenClaw hook mapping",
         status: "fail",
         message: `unable to read ${openclawConfigPath}`,
-        remediationHint: "Ensure ~/.openclaw/openclaw.json exists and rerun openclaw setup",
+        remediationHint: "Ensure the OpenClaw config file exists (OPENCLAW_CONFIG_PATH/CLAWDBOT_CONFIG_PATH, or state dir) and rerun openclaw setup",
+        details: { openclawConfigPath }
+      })
+    );
+    checks.push(
+      toDoctorCheck({
+        id: "state.hookToken",
+        label: "OpenClaw hook auth",
+        status: "fail",
+        message: `unable to read ${openclawConfigPath}`,
+        remediationHint: "Ensure the OpenClaw config file exists (OPENCLAW_CONFIG_PATH/CLAWDBOT_CONFIG_PATH, or state dir) and rerun openclaw setup",
         details: { openclawConfigPath }
       })
     );
@@ -21473,6 +21799,12 @@ function parseRelayProbeFailure(input) {
       remediationHint: "Run: clawdentity openclaw setup <agentName> --invite-code <code>"
     };
   }
+  if (input.status === 405) {
+    return {
+      message: "OpenClaw send-to-peer hook is not enabled for POST requests",
+      remediationHint: "Run: clawdentity openclaw setup <agentName> --invite-code <code>, then restart OpenClaw"
+    };
+  }
   if (input.status === 500) {
     return {
       message: "Relay probe failed inside local relay pipeline",
@@ -21528,7 +21860,10 @@ async function runOpenclawRelayTest(options) {
       preflight
     };
   }
-  const hookToken = resolveHookToken(options.hookToken);
+  const hookToken = await resolveHookToken({
+    optionValue: options.hookToken,
+    relayRuntimeConfigPath
+  });
   const fetchImpl = options.fetchImpl ?? globalThis.fetch;
   if (typeof fetchImpl !== "function") {
     return {
@@ -21620,10 +21955,13 @@ async function setupOpenclawRelayFromInvite(agentName, options) {
   const normalizedAgentName = assertValidAgentName(agentName);
   const homeDir = resolveHomeDir(options.homeDir);
   const openclawDir = resolveOpenclawDir(options.openclawDir, homeDir);
-  const openclawConfigPath = resolveOpenclawConfigPath(openclawDir);
+  const openclawConfigPath = resolveOpenclawConfigPath(openclawDir, homeDir);
   const transformSource = typeof options.transformSource === "string" && options.transformSource.trim().length > 0 ? options.transformSource.trim() : resolveDefaultTransformSource(openclawDir);
   const transformTargetPath = resolveTransformTargetPath(openclawDir);
   const relayRuntimeConfigPath = resolveRelayRuntimeConfigPath(homeDir);
+  const existingRelayRuntimeConfig = await loadRelayRuntimeConfig(
+    relayRuntimeConfigPath
+  );
   const openclawBaseUrl = await resolveOpenclawBaseUrl2({
     optionValue: options.openclawBaseUrl,
     relayRuntimeConfigPath
@@ -21651,22 +21989,75 @@ async function setupOpenclawRelayFromInvite(agentName, options) {
     }
     throw error48;
   }
-  await patchOpenclawConfig(openclawConfigPath);
+  const patchedOpenclawConfig = await patchOpenclawConfig(
+    openclawConfigPath,
+    existingRelayRuntimeConfig?.openclawHookToken
+  );
   const peersPath = resolvePeersPath(homeDir);
   const peers = await loadPeersConfig(peersPath);
   peers.peers[peerAlias] = invite.name === void 0 ? { did: invite.did, proxyUrl: invite.proxyUrl } : { did: invite.did, proxyUrl: invite.proxyUrl, name: invite.name };
   await savePeersConfig(peersPath, peers);
+  const relayTransformPeersPath = resolveTransformPeersPath(openclawDir);
+  await writeSecureFile3(
+    relayTransformPeersPath,
+    `${JSON.stringify(peers, null, 2)}
+`
+  );
+  const connectorAssignmentsPath = resolveConnectorAssignmentsPath(homeDir);
+  const connectorAssignments = await loadConnectorAssignments(
+    connectorAssignmentsPath
+  );
+  const connectorPort = allocateConnectorPort(
+    connectorAssignments,
+    normalizedAgentName
+  );
+  const connectorBaseUrl = buildConnectorBaseUrl(
+    CONNECTOR_HOST_LOOPBACK,
+    connectorPort
+  );
+  connectorAssignments.agents[normalizedAgentName] = {
+    connectorBaseUrl,
+    updatedAt: nowIso()
+  };
+  await saveConnectorAssignments(
+    connectorAssignmentsPath,
+    connectorAssignments
+  );
+  const relayTransformRuntimePath = resolveTransformRuntimePath(openclawDir);
+  await writeSecureFile3(
+    relayTransformRuntimePath,
+    `${JSON.stringify(
+      {
+        version: 1,
+        connectorBaseUrl: buildRelayConnectorBaseUrls(connectorPort)[0],
+        connectorBaseUrls: buildRelayConnectorBaseUrls(connectorPort),
+        connectorPath: DEFAULT_CONNECTOR_OUTBOUND_PATH3,
+        peersConfigPath: RELAY_PEERS_FILE_NAME,
+        updatedAt: nowIso()
+      },
+      null,
+      2
+    )}
+`
+  );
   const agentNamePath = resolveOpenclawAgentNamePath(homeDir);
   await writeSecureFile3(agentNamePath, `${normalizedAgentName}
 `);
-  await saveRelayRuntimeConfig(relayRuntimeConfigPath, openclawBaseUrl);
+  await saveRelayRuntimeConfig(
+    relayRuntimeConfigPath,
+    openclawBaseUrl,
+    patchedOpenclawConfig.hookToken
+  );
   logger8.info("cli.openclaw_setup_completed", {
     agentName: normalizedAgentName,
     peerAlias,
     peerDid: invite.did,
     openclawConfigPath,
     transformTargetPath,
+    relayTransformRuntimePath,
+    relayTransformPeersPath,
     openclawBaseUrl,
+    connectorBaseUrl,
     relayRuntimeConfigPath
   });
   return {
@@ -21675,7 +22066,10 @@ async function setupOpenclawRelayFromInvite(agentName, options) {
     peerProxyUrl: invite.proxyUrl,
     openclawConfigPath,
     transformTargetPath,
+    relayTransformRuntimePath,
+    relayTransformPeersPath,
     openclawBaseUrl,
+    connectorBaseUrl,
     relayRuntimeConfigPath
   };
 }
@@ -21724,6 +22118,13 @@ var createOpenclawCommand = () => {
           `Updated OpenClaw config: ${result.openclawConfigPath}`
         );
         writeStdoutLine(`Installed transform: ${result.transformTargetPath}`);
+        writeStdoutLine(
+          `Transform runtime config: ${result.relayTransformRuntimePath}`
+        );
+        writeStdoutLine(
+          `Transform peers snapshot: ${result.relayTransformPeersPath}`
+        );
+        writeStdoutLine(`Connector base URL: ${result.connectorBaseUrl}`);
         writeStdoutLine(`OpenClaw base URL: ${result.openclawBaseUrl}`);
         writeStdoutLine(
           `Relay runtime config: ${result.relayRuntimeConfigPath}`
@@ -21795,8 +22196,8 @@ var createOpenclawCommand = () => {
 };
 // src/commands/pair.ts
-import { randomBytes as randomBytes3 } from "crypto";
-import { mkdir as mkdir6, readFile as readFile5, writeFile as writeFile6 } from "fs/promises";
+import { randomBytes as randomBytes4 } from "crypto";
+import { mkdir as mkdir6, readdir, readFile as readFile5, unlink as unlink2, writeFile as writeFile6 } from "fs/promises";
 import { dirname as dirname5, join as join7, resolve } from "path";
 import { Command as Command8 } from "commander";
 import jsQR from "jsqr";
@@ -21812,6 +22213,8 @@ var PAIR_CONFIRM_PATH = "/pair/confirm";
 var OWNER_PAT_HEADER = "x-claw-owner-pat";
 var NONCE_SIZE2 = 24;
 var PAIRING_TICKET_PREFIX = "clwpair1_";
+var PAIRING_QR_MAX_AGE_SECONDS = 900;
+var PAIRING_QR_FILENAME_PATTERN = /-pair-(\d+)\.png$/;
 var isRecord8 = (value) => {
   return typeof value === "object" && value !== null;
 };
@@ -22120,6 +22523,8 @@ function decodeTicketFromPng(imageBytes) {
 }
 async function persistPairingQr(input) {
   const mkdirImpl = input.dependencies.mkdirImpl ?? mkdir6;
+  const readdirImpl = input.dependencies.readdirImpl ?? readdir;
+  const unlinkImpl = input.dependencies.unlinkImpl ?? unlink2;
   const writeFileImpl = input.dependencies.writeFileImpl ?? writeFile6;
   const getConfigDirImpl = input.dependencies.getConfigDirImpl ?? getConfigDir;
   const qrEncodeImpl = input.dependencies.qrEncodeImpl ?? encodeTicketQrPng;
@@ -22128,6 +22533,37 @@ async function persistPairingQr(input) {
     baseDir,
     `${assertValidAgentName(input.agentName)}-pair-${input.nowSeconds}.png`
   );
+  const existingFiles = await readdirImpl(baseDir).catch((error48) => {
+    const nodeError = error48;
+    if (nodeError.code === "ENOENT") {
+      return [];
+    }
+    throw error48;
+  });
+  for (const fileName of existingFiles) {
+    if (typeof fileName !== "string") {
+      continue;
+    }
+    const match2 = PAIRING_QR_FILENAME_PATTERN.exec(fileName);
+    if (!match2) {
+      continue;
+    }
+    const issuedAtSeconds = Number.parseInt(match2[1] ?? "", 10);
+    if (!Number.isInteger(issuedAtSeconds)) {
+      continue;
+    }
+    if (issuedAtSeconds + PAIRING_QR_MAX_AGE_SECONDS > input.nowSeconds) {
+      continue;
+    }
+    const stalePath = join7(baseDir, fileName);
+    await unlinkImpl(stalePath).catch((error48) => {
+      const nodeError = error48;
+      if (nodeError.code === "ENOENT") {
+        return;
+      }
+      throw error48;
+    });
+  }
   await mkdirImpl(dirname5(outputPath), { recursive: true });
   const imageBytes = await qrEncodeImpl(input.ticket);
   await writeFileImpl(outputPath, imageBytes);
@@ -22164,7 +22600,7 @@ async function startPairing(agentName, options, dependencies = {}) {
   const fetchImpl = dependencies.fetchImpl ?? fetch;
   const resolveConfigImpl = dependencies.resolveConfigImpl ?? resolveConfig;
   const nowSecondsImpl = dependencies.nowSecondsImpl ?? (() => Math.floor(Date.now() / 1e3));
-  const nonceFactoryImpl = dependencies.nonceFactoryImpl ?? (() => randomBytes3(NONCE_SIZE2).toString("base64url"));
+  const nonceFactoryImpl = dependencies.nonceFactoryImpl ?? (() => randomBytes4(NONCE_SIZE2).toString("base64url"));
   const ttlSeconds = parseTtlSeconds(options.ttlSeconds);
   const proxyUrl = resolveProxyUrl(options.proxyUrl);
   const config2 = await resolveConfigImpl();
@@ -22231,7 +22667,7 @@ async function startPairing(agentName, options, dependencies = {}) {
 async function confirmPairing(agentName, options, dependencies = {}) {
   const fetchImpl = dependencies.fetchImpl ?? fetch;
   const nowSecondsImpl = dependencies.nowSecondsImpl ?? (() => Math.floor(Date.now() / 1e3));
-  const nonceFactoryImpl = dependencies.nonceFactoryImpl ?? (() => randomBytes3(NONCE_SIZE2).toString("base64url"));
+  const nonceFactoryImpl = dependencies.nonceFactoryImpl ?? (() => randomBytes4(NONCE_SIZE2).toString("base64url"));
   const readFileImpl = dependencies.readFileImpl ?? readFile5;
   const qrDecodeImpl = dependencies.qrDecodeImpl ?? decodeTicketFromPng;
   const ticketSource = resolveConfirmTicketSource(options);
@@ -22297,6 +22733,19 @@ async function confirmPairing(agentName, options, dependencies = {}) {
     );
   }
   const parsed = parsePairConfirmResponse(responseBody);
+  if (ticketSource.source === "qr-file" && ticketSource.qrFilePath) {
+    const unlinkImpl = dependencies.unlinkImpl ?? unlink2;
+    await unlinkImpl(ticketSource.qrFilePath).catch((error48) => {
+      const nodeError = error48;
+      if (nodeError.code === "ENOENT") {
+        return;
+      }
+      logger9.warn("cli.pair.confirm.qr_cleanup_failed", {
+        path: ticketSource.qrFilePath,
+        reason: error48 instanceof Error && error48.message.length > 0 ? error48.message : "unknown"
+      });
+    });
+  }
   return {
     ...parsed,
     proxyUrl