npm - clawdentity - Versions diffs - 0.0.8 → 0.0.10 - Mend

clawdentity 0.0.8 → 0.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/bin.js +410 -171
package/dist/index.js +410 -171
package/package.json +1 -1
package/skill-bundle/openclaw-skill/skill/SKILL.md +32 -32
package/skill-bundle/openclaw-skill/skill/references/clawdentity-protocol.md +6 -11

package/dist/bin.js CHANGED Viewed

@@ -15709,6 +15709,7 @@ var registrySigningKeysEnvSchema = external_exports.string().min(1).transform((v
 var registryConfigSchema = external_exports.object({
   ENVIRONMENT: environmentSchema,
   APP_VERSION: external_exports.string().min(1).optional(),
+  PROXY_URL: external_exports.string().url().optional(),
   BOOTSTRAP_SECRET: external_exports.string().min(1).optional(),
   REGISTRY_SIGNING_KEY: external_exports.string().min(1).optional(),
   REGISTRY_SIGNING_KEYS: registrySigningKeysEnvSchema.optional()
@@ -17071,13 +17072,14 @@ import { Command } from "commander";
 import { chmod, mkdir, readFile, writeFile } from "fs/promises";
 import { homedir } from "os";
 import { dirname, join as join2 } from "path";
-var DEFAULT_REGISTRY_URL = "https://api.clawdentity.com";
+var DEFAULT_REGISTRY_URL = "https://registry.clawdentity.com";
 var CONFIG_DIR = ".clawdentity";
 var CONFIG_FILE = "config.json";
 var CACHE_DIR = "cache";
 var FILE_MODE = 384;
 var ENV_KEY_MAP = {
   registryUrl: "CLAWDENTITY_REGISTRY_URL",
+  proxyUrl: "CLAWDENTITY_PROXY_URL",
   apiKey: "CLAWDENTITY_API_KEY"
 };
 var LEGACY_ENV_KEY_MAP = {
@@ -17099,6 +17101,9 @@ var normalizeConfig = (raw) => {
   if (typeof raw.registryUrl === "string" && raw.registryUrl.length > 0) {
     config2.registryUrl = raw.registryUrl;
   }
+  if (typeof raw.proxyUrl === "string" && raw.proxyUrl.length > 0) {
+    config2.proxyUrl = raw.proxyUrl;
+  }
   if (typeof raw.apiKey === "string" && raw.apiKey.length > 0) {
     config2.apiKey = raw.apiKey;
   }
@@ -18393,6 +18398,7 @@ import { Command as Command4 } from "commander";
 var logger5 = createLogger({ service: "cli", module: "config" });
 var VALID_KEYS = [
   "registryUrl",
+  "proxyUrl",
   "apiKey"
 ];
 var isValidConfigKey = (value) => {
@@ -20343,6 +20349,64 @@ function createConnectorCommand(dependencies = {}) {
 // src/commands/invite.ts
 import { Command as Command6 } from "commander";
+// src/config/endpoints.ts
+var PRODUCTION_REGISTRY_HOST = "registry.clawdentity.com";
+var DEVELOPMENT_REGISTRY_HOST = "dev.registry.clawdentity.com";
+var PRODUCTION_PROXY_HOST = "proxy.clawdentity.com";
+var DEVELOPMENT_PROXY_HOST = "dev.proxy.clawdentity.com";
+var LOCAL_REGISTRY_PORT = "8788";
+var LOCAL_PROXY_PORT = "8787";
+var LOCAL_HOSTNAMES = /* @__PURE__ */ new Set([
+  "localhost",
+  "127.0.0.1",
+  "host.docker.internal",
+  "gateway.docker.internal"
+]);
+var normalizeUrl = (candidate) => {
+  try {
+    const parsed = new URL(candidate);
+    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+      return void 0;
+    }
+    return parsed;
+  } catch {
+    return void 0;
+  }
+};
+var toProxyHostname = (registryHostname) => {
+  if (registryHostname === PRODUCTION_REGISTRY_HOST) {
+    return PRODUCTION_PROXY_HOST;
+  }
+  if (registryHostname === DEVELOPMENT_REGISTRY_HOST) {
+    return DEVELOPMENT_PROXY_HOST;
+  }
+  if (registryHostname.startsWith("dev.registry.")) {
+    return `dev.proxy.${registryHostname.slice("dev.registry.".length)}`;
+  }
+  if (registryHostname.startsWith("registry.")) {
+    return `proxy.${registryHostname.slice("registry.".length)}`;
+  }
+  return void 0;
+};
+var deriveProxyUrlFromRegistryUrl = (registryUrl) => {
+  const parsedRegistryUrl = normalizeUrl(registryUrl);
+  if (!parsedRegistryUrl) {
+    return void 0;
+  }
+  const hostname3 = parsedRegistryUrl.hostname.toLowerCase();
+  if (LOCAL_HOSTNAMES.has(hostname3) && parsedRegistryUrl.port === LOCAL_REGISTRY_PORT) {
+    return `${parsedRegistryUrl.protocol}//${hostname3}:${LOCAL_PROXY_PORT}/`;
+  }
+  const mappedHostname = toProxyHostname(hostname3);
+  if (!mappedHostname) {
+    return void 0;
+  }
+  const port = parsedRegistryUrl.port.length > 0 ? `:${parsedRegistryUrl.port}` : "";
+  return `${parsedRegistryUrl.protocol}//${mappedHostname}${port}/`;
+};
+// src/commands/invite.ts
 var logger7 = createLogger({ service: "cli", module: "invite" });
 var isRecord6 = (value) => {
   return typeof value === "object" && value !== null;
@@ -20519,10 +20583,23 @@ function parseInviteRedeemResponse(payload) {
   }
   const apiKeyId = parseNonEmptyString6(apiKeySource.id);
   const apiKeyName = parseNonEmptyString6(apiKeySource.name);
+  const proxyUrlCandidate = parseNonEmptyString6(payload.proxyUrl);
+  let proxyUrl;
+  if (proxyUrlCandidate.length > 0) {
+    try {
+      const parsed = new URL(proxyUrlCandidate);
+      if (parsed.protocol === "https:" || parsed.protocol === "http:") {
+        proxyUrl = parsed.toString();
+      }
+    } catch {
+      proxyUrl = void 0;
+    }
+  }
   return {
     apiKeyToken,
     apiKeyId: apiKeyId.length > 0 ? apiKeyId : void 0,
-    apiKeyName: apiKeyName.length > 0 ? apiKeyName : void 0
+    apiKeyName: apiKeyName.length > 0 ? apiKeyName : void 0,
+    proxyUrl
   };
 }
 async function resolveInviteRuntime(overrideRegistryUrl, dependencies) {
@@ -20600,11 +20677,19 @@ async function redeemInvite(code, options, dependencies = {}) {
     registryUrl: runtime.registryUrl
   };
 }
-async function persistRedeemConfig(registryUrl, apiKeyToken, dependencies = {}) {
+async function persistRedeemConfig(input, dependencies = {}) {
   const setConfigValueImpl = dependencies.setConfigValueImpl ?? setConfigValue;
   try {
-    await setConfigValueImpl("registryUrl", registryUrl);
-    await setConfigValueImpl("apiKey", apiKeyToken);
+    await setConfigValueImpl("registryUrl", input.registryUrl);
+    await setConfigValueImpl("apiKey", input.apiKeyToken);
+    const resolvedProxyUrl = parseNonEmptyString6(input.proxyUrl) || deriveProxyUrlFromRegistryUrl(input.registryUrl);
+    if (!resolvedProxyUrl) {
+      throw createCliError4(
+        "CLI_INVITE_REDEEM_PROXY_URL_MISSING",
+        "Proxy URL is missing from onboarding response and could not be derived from registry URL."
+      );
+    }
+    await setConfigValueImpl("proxyUrl", resolvedProxyUrl);
   } catch (error48) {
     logger7.warn("cli.invite_redeem_config_persist_failed", {
       errorName: error48 instanceof Error ? error48.name : "unknown"
@@ -20655,8 +20740,11 @@ var createInviteCommand = (dependencies = {}) => {
         writeStdoutLine("API key token (shown once):");
         writeStdoutLine(result.apiKeyToken);
         await persistRedeemConfig(
-          result.registryUrl,
-          result.apiKeyToken,
+          {
+            registryUrl: result.registryUrl,
+            apiKeyToken: result.apiKeyToken,
+            proxyUrl: result.proxyUrl
+          },
           dependencies
         );
         writeStdoutLine("API key saved to local config");
@@ -20701,13 +20789,13 @@ var CONNECTOR_HOST_LOOPBACK = "127.0.0.1";
 var CONNECTOR_HOST_DOCKER = "host.docker.internal";
 var CONNECTOR_HOST_DOCKER_GATEWAY = "gateway.docker.internal";
 var CONNECTOR_HOST_LINUX_BRIDGE = "172.17.0.1";
-var INVITE_CODE_PREFIX = "clawd1_";
 var PEER_ALIAS_PATTERN = /^[a-zA-Z0-9._-]+$/;
 var FILE_MODE3 = 384;
 var OPENCLAW_HOOK_TOKEN_BYTES = 32;
-var OPENCLAW_SETUP_COMMAND_HINT = "Run: clawdentity openclaw setup <agentName> --peer-alias <alias> --peer-did <did> --peer-proxy-url <proxy-url>";
+var OPENCLAW_SETUP_COMMAND_HINT = "Run: clawdentity openclaw setup <agentName>";
 var OPENCLAW_SETUP_RESTART_COMMAND_HINT = `${OPENCLAW_SETUP_COMMAND_HINT} and restart OpenClaw`;
 var OPENCLAW_SETUP_WITH_BASE_URL_HINT = `${OPENCLAW_SETUP_COMMAND_HINT} --openclaw-base-url <url>`;
+var OPENCLAW_PAIRING_COMMAND_HINT = "Run QR pairing first: clawdentity pair start <agentName> --qr and clawdentity pair confirm <agentName> --qr-file <path>";
 var textEncoder2 = new TextEncoder();
 var textDecoder = new TextDecoder();
 function isRecord7(value) {
@@ -20816,50 +20904,6 @@ function parseAgentDid2(value, label) {
   }
   return did;
 }
-function parseInvitePayload(value) {
-  if (!isRecord7(value)) {
-    throw createCliError5(
-      "CLI_OPENCLAW_INVALID_INVITE",
-      "invite payload must be an object"
-    );
-  }
-  if (value.v !== 1) {
-    throw createCliError5(
-      "CLI_OPENCLAW_INVALID_INVITE",
-      "invite payload version is unsupported"
-    );
-  }
-  const issuedAt = parseNonEmptyString7(value.issuedAt, "invite issuedAt");
-  const did = parseAgentDid2(value.did, "invite did");
-  const proxyUrl = parseProxyUrl(value.proxyUrl);
-  const alias = value.alias === void 0 ? void 0 : parsePeerAlias(value.alias);
-  const name = parseOptionalName(value.name);
-  if (alias === void 0 && name === void 0) {
-    return {
-      v: 1,
-      issuedAt,
-      did,
-      proxyUrl
-    };
-  }
-  if (name === void 0) {
-    return {
-      v: 1,
-      issuedAt,
-      did,
-      proxyUrl,
-      alias
-    };
-  }
-  return {
-    v: 1,
-    issuedAt,
-    did,
-    proxyUrl,
-    alias,
-    name
-  };
-}
 function resolveHomeDir(homeDir) {
   if (typeof homeDir === "string" && homeDir.trim().length > 0) {
     return homeDir.trim();
@@ -21010,41 +21054,6 @@ async function ensureLocalAgentCredentials(homeDir, agentName) {
     }
   }
 }
-function decodeInvitePayload(code) {
-  const rawCode = parseNonEmptyString7(code, "invite code");
-  if (!rawCode.startsWith(INVITE_CODE_PREFIX)) {
-    throw createCliError5(
-      "CLI_OPENCLAW_INVALID_INVITE",
-      "Invite code has invalid prefix"
-    );
-  }
-  const encoded = rawCode.slice(INVITE_CODE_PREFIX.length);
-  if (encoded.length === 0) {
-    throw createCliError5(
-      "CLI_OPENCLAW_INVALID_INVITE",
-      "invite code payload is empty"
-    );
-  }
-  let decodedJson;
-  try {
-    decodedJson = textDecoder.decode(decodeBase64url(encoded));
-  } catch {
-    throw createCliError5(
-      "CLI_OPENCLAW_INVALID_INVITE",
-      "invite code payload is not valid base64url"
-    );
-  }
-  let parsedPayload;
-  try {
-    parsedPayload = JSON.parse(decodedJson);
-  } catch {
-    throw createCliError5(
-      "CLI_OPENCLAW_INVALID_INVITE",
-      "invite code payload is not valid JSON"
-    );
-  }
-  return parseInvitePayload(parsedPayload);
-}
 async function writeSecureFile3(filePath, content) {
   await mkdir5(dirname4(filePath), { recursive: true });
   await writeFile5(filePath, content, "utf8");
@@ -21565,7 +21574,7 @@ async function runOpenclawDoctor(options = {}) {
             label: "Peers map",
             status: "fail",
             message: `peer alias is missing: ${peerAlias}`,
-            remediationHint: OPENCLAW_SETUP_COMMAND_HINT,
+            remediationHint: OPENCLAW_PAIRING_COMMAND_HINT,
             details: { peersPath, peerAlias }
           })
         );
@@ -21585,9 +21594,8 @@ async function runOpenclawDoctor(options = {}) {
         toDoctorCheck({
           id: "state.peers",
           label: "Peers map",
-          status: "fail",
-          message: "no peers are configured",
-          remediationHint: OPENCLAW_SETUP_COMMAND_HINT,
+          status: "pass",
+          message: "no peers are configured yet (optional until pairing)",
           details: { peersPath }
         })
       );
@@ -21808,7 +21816,7 @@ function parseRelayProbeFailure(input) {
   if (input.status === 500) {
     return {
       message: "Relay probe failed inside local relay pipeline",
-      remediationHint: "Check connector runtime and peer alias; rerun clawdentity openclaw doctor --peer <alias>"
+      remediationHint: "Check connector runtime and peer pairing; rerun clawdentity openclaw doctor"
     };
   }
   return {
@@ -21816,17 +21824,57 @@ function parseRelayProbeFailure(input) {
     remediationHint: input.responseBody.trim().length > 0 ? `Inspect response body: ${input.responseBody.trim()}` : "Check local OpenClaw and connector logs"
   };
 }
+async function resolveRelayProbePeerAlias(input) {
+  if (typeof input.peerAliasOption === "string" && input.peerAliasOption.trim().length > 0) {
+    return parsePeerAlias(input.peerAliasOption);
+  }
+  const peersPath = resolvePeersPath(input.homeDir);
+  const peersConfig = await loadPeersConfig(peersPath);
+  const peerAliases = Object.keys(peersConfig.peers);
+  if (peerAliases.length === 1) {
+    return peerAliases[0];
+  }
+  if (peerAliases.length === 0) {
+    throw createCliError5(
+      "CLI_OPENCLAW_RELAY_TEST_PEER_REQUIRED",
+      "No paired peer is configured yet. Complete QR pairing first.",
+      { peersPath }
+    );
+  }
+  throw createCliError5(
+    "CLI_OPENCLAW_RELAY_TEST_PEER_REQUIRED",
+    "Multiple peers are configured. Pass --peer <alias> to choose one.",
+    { peersPath, peerAliases }
+  );
+}
 async function runOpenclawRelayTest(options) {
   const homeDir = resolveHomeDir(options.homeDir);
   const openclawDir = resolveOpenclawDir(options.openclawDir, homeDir);
-  const peerAlias = parsePeerAlias(options.peer);
+  const checkedAt = nowIso();
+  let peerAlias;
+  try {
+    peerAlias = await resolveRelayProbePeerAlias({
+      homeDir,
+      peerAliasOption: options.peer
+    });
+  } catch (error48) {
+    const appError = error48 instanceof AppError ? error48 : void 0;
+    return {
+      status: "failure",
+      checkedAt,
+      peerAlias: "unresolved",
+      endpoint: toSendToPeerEndpoint(DEFAULT_OPENCLAW_BASE_URL2),
+      message: appError?.message ?? "Unable to resolve relay peer alias",
+      remediationHint: OPENCLAW_PAIRING_COMMAND_HINT,
+      details: appError?.details
+    };
+  }
   const preflight = await runOpenclawDoctor({
     homeDir,
     openclawDir,
     peerAlias,
     resolveConfigImpl: options.resolveConfigImpl
   });
-  const checkedAt = nowIso();
   const relayRuntimeConfigPath = resolveRelayRuntimeConfigPath(homeDir);
   let openclawBaseUrl = DEFAULT_OPENCLAW_BASE_URL2;
   try {
@@ -21929,37 +21977,6 @@ async function runOpenclawRelayTest(options) {
     preflight
   };
 }
-function resolveOpenclawSetupPeerInput(options) {
-  const inviteCode = options.inviteCode?.trim();
-  const invite = inviteCode !== void 0 && inviteCode.length > 0 ? decodeInvitePayload(inviteCode) : void 0;
-  const peerAliasCandidate = options.peerAlias ?? invite?.alias;
-  const peerDidCandidate = options.peerDid ?? invite?.did;
-  const peerProxyUrlCandidate = options.peerProxyUrl ?? invite?.proxyUrl;
-  const peerNameCandidate = options.peerName ?? invite?.name;
-  const missingFields = [];
-  if (peerAliasCandidate === void 0 || peerAliasCandidate.trim().length === 0) {
-    missingFields.push("peerAlias");
-  }
-  if (peerDidCandidate === void 0 || peerDidCandidate.trim().length === 0) {
-    missingFields.push("peerDid");
-  }
-  if (peerProxyUrlCandidate === void 0 || peerProxyUrlCandidate.trim().length === 0) {
-    missingFields.push("peerProxyUrl");
-  }
-  if (missingFields.length > 0) {
-    throw createCliError5(
-      "CLI_OPENCLAW_PEER_INPUT_REQUIRED",
-      "Peer routing details are required. Provide --peer-alias, --peer-did, and --peer-proxy-url.",
-      { missingFields }
-    );
-  }
-  return {
-    peerAlias: parsePeerAlias(peerAliasCandidate),
-    peerDid: parseAgentDid2(peerDidCandidate, "peer DID"),
-    peerProxyUrl: parseProxyUrl(peerProxyUrlCandidate),
-    peerName: parseOptionalName(peerNameCandidate)
-  };
-}
 async function setupOpenclawRelay(agentName, options) {
   const normalizedAgentName = assertValidAgentName(agentName);
   const homeDir = resolveHomeDir(options.homeDir);
@@ -21975,7 +21992,6 @@ async function setupOpenclawRelay(agentName, options) {
     optionValue: options.openclawBaseUrl,
     relayRuntimeConfigPath
   });
-  const peerInput = resolveOpenclawSetupPeerInput(options);
   await ensureLocalAgentCredentials(homeDir, normalizedAgentName);
   await mkdir5(dirname4(transformTargetPath), { recursive: true });
   try {
@@ -21996,11 +22012,6 @@ async function setupOpenclawRelay(agentName, options) {
   );
   const peersPath = resolvePeersPath(homeDir);
   const peers = await loadPeersConfig(peersPath);
-  peers.peers[peerInput.peerAlias] = peerInput.peerName === void 0 ? { did: peerInput.peerDid, proxyUrl: peerInput.peerProxyUrl } : {
-    did: peerInput.peerDid,
-    proxyUrl: peerInput.peerProxyUrl,
-    name: peerInput.peerName
-  };
   await savePeersConfig(peersPath, peers);
   const relayTransformPeersPath = resolveTransformPeersPath(openclawDir);
   await writeSecureFile3(
@@ -22055,9 +22066,6 @@ async function setupOpenclawRelay(agentName, options) {
   );
   logger8.info("cli.openclaw_setup_completed", {
     agentName: normalizedAgentName,
-    peerAlias: peerInput.peerAlias,
-    peerDid: peerInput.peerDid,
-    peerProxyUrl: peerInput.peerProxyUrl,
     openclawConfigPath,
     transformTargetPath,
     relayTransformRuntimePath,
@@ -22067,9 +22075,6 @@ async function setupOpenclawRelay(agentName, options) {
     relayRuntimeConfigPath
   });
   return {
-    peerAlias: peerInput.peerAlias,
-    peerDid: peerInput.peerDid,
-    peerProxyUrl: peerInput.peerProxyUrl,
     openclawConfigPath,
     transformTargetPath,
     relayTransformRuntimePath,
@@ -22083,10 +22088,7 @@ var createOpenclawCommand = () => {
   const openclawCommand = new Command7("openclaw").description(
     "Manage OpenClaw relay setup"
   );
-  openclawCommand.command("setup <agentName>").description("Apply OpenClaw relay setup using peer routing details").requiredOption("--peer-alias <alias>", "Peer alias for local routing").requiredOption("--peer-did <did>", "Peer agent DID (did:claw:agent:...)").requiredOption(
-    "--peer-proxy-url <url>",
-    "Peer proxy URL ending in /hooks/agent"
-  ).option("--peer-name <displayName>", "Human-friendly peer display name").option(
+  openclawCommand.command("setup <agentName>").description("Apply OpenClaw relay setup").option(
     "--openclaw-dir <path>",
     "OpenClaw state directory (default ~/.openclaw)"
   ).option(
@@ -22100,9 +22102,7 @@ var createOpenclawCommand = () => {
       "openclaw setup",
       async (agentName, options) => {
         const result = await setupOpenclawRelay(agentName, options);
-        writeStdoutLine(`Peer alias configured: ${result.peerAlias}`);
-        writeStdoutLine(`Peer DID: ${result.peerDid}`);
-        writeStdoutLine(`Peer proxy URL: ${result.peerProxyUrl}`);
+        writeStdoutLine("Self setup complete");
         writeStdoutLine(
           `Updated OpenClaw config: ${result.openclawConfigPath}`
         );
@@ -22145,7 +22145,9 @@ var createOpenclawCommand = () => {
     )
   );
   const relayCommand = openclawCommand.command("relay").description("Run OpenClaw relay diagnostics");
-  relayCommand.command("test").description("Send a relay probe to a configured peer alias").requiredOption("--peer <alias>", "Peer alias in ~/.clawdentity/peers.json").option(
+  relayCommand.command("test").description(
+    "Send a relay probe to a configured peer (auto-selects when one peer exists)"
+  ).option("--peer <alias>", "Peer alias in ~/.clawdentity/peers.json").option(
     "--openclaw-base-url <url>",
     "Base URL for local OpenClaw hook API (default OPENCLAW_BASE_URL or relay runtime config)"
   ).option(
@@ -22186,7 +22188,14 @@ var createOpenclawCommand = () => {
 // src/commands/pair.ts
 import { randomBytes as randomBytes4 } from "crypto";
-import { mkdir as mkdir6, readdir, readFile as readFile5, unlink as unlink2, writeFile as writeFile6 } from "fs/promises";
+import {
+  chmod as chmod4,
+  mkdir as mkdir6,
+  readdir,
+  readFile as readFile5,
+  unlink as unlink2,
+  writeFile as writeFile6
+} from "fs/promises";
 import { dirname as dirname5, join as join7, resolve } from "path";
 import { Command as Command8 } from "commander";
 import jsQR from "jsqr";
@@ -22197,6 +22206,7 @@ var AGENTS_DIR_NAME5 = "agents";
 var AIT_FILE_NAME4 = "ait.jwt";
 var SECRET_KEY_FILE_NAME3 = "secret.key";
 var PAIRING_QR_DIR_NAME = "pairing";
+var PEERS_FILE_NAME2 = "peers.json";
 var PAIR_START_PATH = "/pair/start";
 var PAIR_CONFIRM_PATH = "/pair/confirm";
 var OWNER_PAT_HEADER = "x-claw-owner-pat";
@@ -22204,6 +22214,8 @@ var NONCE_SIZE2 = 24;
 var PAIRING_TICKET_PREFIX = "clwpair1_";
 var PAIRING_QR_MAX_AGE_SECONDS = 900;
 var PAIRING_QR_FILENAME_PATTERN = /-pair-(\d+)\.png$/;
+var FILE_MODE4 = 384;
+var PEER_ALIAS_PATTERN2 = /^[a-zA-Z0-9._-]+$/;
 var isRecord8 = (value) => {
   return typeof value === "object" && value !== null;
 };
@@ -22230,6 +22242,172 @@ function parsePairingTicket(value) {
   }
   return ticket;
 }
+function parsePairingTicketIssuerOrigin(ticket) {
+  const encodedPayload = ticket.slice(PAIRING_TICKET_PREFIX.length);
+  if (encodedPayload.length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_TICKET_INVALID",
+      "Pairing ticket is invalid"
+    );
+  }
+  let payloadRaw;
+  try {
+    payloadRaw = new TextDecoder().decode(decodeBase64url(encodedPayload));
+  } catch {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_TICKET_INVALID",
+      "Pairing ticket is invalid"
+    );
+  }
+  let payload;
+  try {
+    payload = JSON.parse(payloadRaw);
+  } catch {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_TICKET_INVALID",
+      "Pairing ticket is invalid"
+    );
+  }
+  if (!isRecord8(payload) || typeof payload.iss !== "string") {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_TICKET_INVALID",
+      "Pairing ticket is invalid"
+    );
+  }
+  let issuerUrl;
+  try {
+    issuerUrl = new URL(payload.iss);
+  } catch {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_TICKET_INVALID",
+      "Pairing ticket is invalid"
+    );
+  }
+  if (issuerUrl.protocol !== "https:" && issuerUrl.protocol !== "http:") {
+    throw createCliError6(
+      "CLI_PAIR_CONFIRM_TICKET_INVALID",
+      "Pairing ticket is invalid"
+    );
+  }
+  return issuerUrl.origin;
+}
+function parsePeerAlias2(value) {
+  if (value.length === 0 || value.length > 128) {
+    throw createCliError6(
+      "CLI_PAIR_PEER_ALIAS_INVALID",
+      "Generated peer alias is invalid"
+    );
+  }
+  if (!PEER_ALIAS_PATTERN2.test(value)) {
+    throw createCliError6(
+      "CLI_PAIR_PEER_ALIAS_INVALID",
+      "Generated peer alias is invalid"
+    );
+  }
+  return value;
+}
+function derivePeerAliasBase(peerDid) {
+  try {
+    const parsed = parseDid(peerDid);
+    if (parsed.kind === "agent") {
+      return parsePeerAlias2(`peer-${parsed.ulid.slice(-8).toLowerCase()}`);
+    }
+  } catch {
+  }
+  return "peer";
+}
+function resolvePeerAlias(input) {
+  for (const [alias, entry] of Object.entries(input.peers)) {
+    if (entry.did === input.peerDid) {
+      return alias;
+    }
+  }
+  const baseAlias = derivePeerAliasBase(input.peerDid);
+  if (input.peers[baseAlias] === void 0) {
+    return baseAlias;
+  }
+  let index = 2;
+  while (input.peers[`${baseAlias}-${index}`] !== void 0) {
+    index += 1;
+  }
+  return `${baseAlias}-${index}`;
+}
+function resolvePeersConfigPath(getConfigDirImpl) {
+  return join7(getConfigDirImpl(), PEERS_FILE_NAME2);
+}
+function parsePeerEntry(value) {
+  if (!isRecord8(value)) {
+    throw createCliError6(
+      "CLI_PAIR_PEERS_CONFIG_INVALID",
+      "Peer entry must be an object"
+    );
+  }
+  const did = parseNonEmptyString8(value.did);
+  const proxyUrl = parseNonEmptyString8(value.proxyUrl);
+  if (did.length === 0 || proxyUrl.length === 0) {
+    throw createCliError6(
+      "CLI_PAIR_PEERS_CONFIG_INVALID",
+      "Peer entry is invalid"
+    );
+  }
+  return {
+    did,
+    proxyUrl
+  };
+}
+async function loadPeersConfig2(input) {
+  const peersPath = resolvePeersConfigPath(input.getConfigDirImpl);
+  let raw;
+  try {
+    raw = await input.readFileImpl(peersPath, "utf8");
+  } catch (error48) {
+    const nodeError = error48;
+    if (nodeError.code === "ENOENT") {
+      return { peers: {} };
+    }
+    throw error48;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw createCliError6(
+      "CLI_PAIR_PEERS_CONFIG_INVALID",
+      "Peer config is not valid JSON"
+    );
+  }
+  if (!isRecord8(parsed)) {
+    throw createCliError6(
+      "CLI_PAIR_PEERS_CONFIG_INVALID",
+      "Peer config must be a JSON object"
+    );
+  }
+  if (parsed.peers === void 0) {
+    return { peers: {} };
+  }
+  if (!isRecord8(parsed.peers)) {
+    throw createCliError6(
+      "CLI_PAIR_PEERS_CONFIG_INVALID",
+      "Peer config peers field must be an object"
+    );
+  }
+  const peers = {};
+  for (const [alias, value] of Object.entries(parsed.peers)) {
+    peers[parsePeerAlias2(alias)] = parsePeerEntry(value);
+  }
+  return { peers };
+}
+async function savePeersConfig2(input) {
+  const peersPath = resolvePeersConfigPath(input.getConfigDirImpl);
+  await input.mkdirImpl(dirname5(peersPath), { recursive: true });
+  await input.writeFileImpl(
+    peersPath,
+    `${JSON.stringify(input.config, null, 2)}
+`,
+    "utf8"
+  );
+  await input.chmodImpl(peersPath, FILE_MODE4);
+}
 function parseTtlSeconds(value) {
   const raw = parseNonEmptyString8(value);
   if (raw.length === 0) {
@@ -22244,14 +22422,7 @@ function parseTtlSeconds(value) {
   }
   return parsed;
 }
-function resolveProxyUrl(overrideProxyUrl) {
-  const candidate = parseNonEmptyString8(overrideProxyUrl) || parseNonEmptyString8(process.env.CLAWDENTITY_PROXY_URL);
-  if (candidate.length === 0) {
-    throw createCliError6(
-      "CLI_PAIR_PROXY_URL_REQUIRED",
-      "Proxy URL is required. Pass --proxy-url <url> or set CLAWDENTITY_PROXY_URL."
-    );
-  }
+function parseProxyUrl2(candidate) {
   try {
     const parsed = new URL(candidate);
     if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
@@ -22262,6 +22433,33 @@ function resolveProxyUrl(overrideProxyUrl) {
     throw createCliError6("CLI_PAIR_INVALID_PROXY_URL", "Proxy URL is invalid");
   }
 }
+function resolveProxyUrlCandidates(input) {
+  const explicit = parseNonEmptyString8(input.overrideProxyUrl);
+  if (explicit.length > 0) {
+    return [parseProxyUrl2(explicit)];
+  }
+  const fromEnv = parseNonEmptyString8(process.env.CLAWDENTITY_PROXY_URL);
+  if (fromEnv.length > 0) {
+    return [parseProxyUrl2(fromEnv)];
+  }
+  const fromConfig = parseNonEmptyString8(input.config.proxyUrl);
+  if (fromConfig.length > 0) {
+    return [parseProxyUrl2(fromConfig)];
+  }
+  const derivedFromRegistry = deriveProxyUrlFromRegistryUrl(
+    input.config.registryUrl || DEFAULT_REGISTRY_URL
+  );
+  if (typeof derivedFromRegistry === "string" && derivedFromRegistry.length > 0) {
+    return [parseProxyUrl2(derivedFromRegistry)];
+  }
+  throw createCliError6(
+    "CLI_PAIR_PROXY_URL_REQUIRED",
+    "Proxy URL could not be resolved. Run onboarding invite redeem again or set proxyUrl via `clawdentity config set proxyUrl <url>`."
+  );
+}
+function resolveProxyUrl(input) {
+  return resolveProxyUrlCandidates(input)[0];
+}
 function toProxyRequestUrl(proxyUrl, path) {
   const normalizedBase = proxyUrl.endsWith("/") ? proxyUrl : `${proxyUrl}/`;
   return new URL(path.slice(1), normalizedBase).toString();
@@ -22585,14 +22783,46 @@ function resolveConfirmTicketSource(options) {
     "Pairing ticket is required. Pass --ticket <clwpair1_...> or --qr-file <path>."
   );
 }
+async function persistPairedPeer(input) {
+  const getConfigDirImpl = input.dependencies.getConfigDirImpl ?? getConfigDir;
+  const readFileImpl = input.dependencies.readFileImpl ?? readFile5;
+  const mkdirImpl = input.dependencies.mkdirImpl ?? mkdir6;
+  const writeFileImpl = input.dependencies.writeFileImpl ?? writeFile6;
+  const chmodImpl = input.dependencies.chmodImpl ?? chmod4;
+  const issuerOrigin = parsePairingTicketIssuerOrigin(input.ticket);
+  const peerProxyUrl = new URL("/hooks/agent", `${issuerOrigin}/`).toString();
+  const peersConfig = await loadPeersConfig2({
+    getConfigDirImpl,
+    readFileImpl
+  });
+  const alias = resolvePeerAlias({
+    peers: peersConfig.peers,
+    peerDid: input.peerDid
+  });
+  peersConfig.peers[alias] = {
+    did: input.peerDid,
+    proxyUrl: peerProxyUrl
+  };
+  await savePeersConfig2({
+    config: peersConfig,
+    getConfigDirImpl,
+    mkdirImpl,
+    writeFileImpl,
+    chmodImpl
+  });
+  return alias;
+}
 async function startPairing(agentName, options, dependencies = {}) {
   const fetchImpl = dependencies.fetchImpl ?? fetch;
   const resolveConfigImpl = dependencies.resolveConfigImpl ?? resolveConfig;
   const nowSecondsImpl = dependencies.nowSecondsImpl ?? (() => Math.floor(Date.now() / 1e3));
   const nonceFactoryImpl = dependencies.nonceFactoryImpl ?? (() => randomBytes4(NONCE_SIZE2).toString("base64url"));
   const ttlSeconds = parseTtlSeconds(options.ttlSeconds);
-  const proxyUrl = resolveProxyUrl(options.proxyUrl);
   const config2 = await resolveConfigImpl();
+  const proxyUrl = resolveProxyUrl({
+    overrideProxyUrl: options.proxyUrl,
+    config: config2
+  });
   const ownerPat = resolveOwnerPat({
     explicitOwnerPat: options.ownerPat,
     config: config2
@@ -22655,12 +22885,17 @@ async function startPairing(agentName, options, dependencies = {}) {
 }
 async function confirmPairing(agentName, options, dependencies = {}) {
   const fetchImpl = dependencies.fetchImpl ?? fetch;
+  const resolveConfigImpl = dependencies.resolveConfigImpl ?? resolveConfig;
   const nowSecondsImpl = dependencies.nowSecondsImpl ?? (() => Math.floor(Date.now() / 1e3));
   const nonceFactoryImpl = dependencies.nonceFactoryImpl ?? (() => randomBytes4(NONCE_SIZE2).toString("base64url"));
   const readFileImpl = dependencies.readFileImpl ?? readFile5;
   const qrDecodeImpl = dependencies.qrDecodeImpl ?? decodeTicketFromPng;
+  const config2 = await resolveConfigImpl();
   const ticketSource = resolveConfirmTicketSource(options);
-  const proxyUrl = resolveProxyUrl(options.proxyUrl);
+  const proxyUrl = resolveProxyUrl({
+    overrideProxyUrl: options.proxyUrl,
+    config: config2
+  });
   let ticket = ticketSource.ticket;
   if (ticketSource.source === "qr-file") {
     if (!ticketSource.qrFilePath) {
@@ -22722,6 +22957,11 @@ async function confirmPairing(agentName, options, dependencies = {}) {
     );
   }
   const parsed = parsePairConfirmResponse(responseBody);
+  const peerAlias = await persistPairedPeer({
+    ticket,
+    peerDid: parsed.initiatorAgentDid,
+    dependencies
+  });
   if (ticketSource.source === "qr-file" && ticketSource.qrFilePath) {
     const unlinkImpl = dependencies.unlinkImpl ?? unlink2;
     await unlinkImpl(ticketSource.qrFilePath).catch((error48) => {
@@ -22737,17 +22977,15 @@ async function confirmPairing(agentName, options, dependencies = {}) {
   }
   return {
     ...parsed,
-    proxyUrl
+    proxyUrl,
+    peerAlias
   };
 }
 var createPairCommand = (dependencies = {}) => {
   const pairCommand = new Command8("pair").description(
     "Manage proxy trust pairing between agents"
   );
-  pairCommand.command("start <agentName>").description("Start pairing and issue one-time pairing ticket").option(
-    "--proxy-url <url>",
-    "Initiator proxy base URL (or set CLAWDENTITY_PROXY_URL)"
-  ).option(
+  pairCommand.command("start <agentName>").description("Start pairing and issue one-time pairing ticket").option("--proxy-url <url>", "Optional initiator proxy base URL override").option(
     "--owner-pat <token>",
     "Owner PAT override (defaults to configured API key)"
   ).option("--ttl-seconds <seconds>", "Pairing ticket expiry in seconds").option("--qr", "Generate a local QR file for sharing").option("--qr-output <path>", "Write QR PNG to a specific file path").action(
@@ -22771,10 +23009,7 @@ var createPairCommand = (dependencies = {}) => {
       }
     )
   );
-  pairCommand.command("confirm <agentName>").description("Confirm pairing using one-time pairing ticket").option("--ticket <ticket>", "One-time pairing ticket (clwpair1_...)").option("--qr-file <path>", "Path to pairing QR PNG file").option(
-    "--proxy-url <url>",
-    "Responder proxy base URL (or set CLAWDENTITY_PROXY_URL)"
-  ).action(
+  pairCommand.command("confirm <agentName>").description("Confirm pairing using one-time pairing ticket").option("--ticket <ticket>", "One-time pairing ticket (clwpair1_...)").option("--qr-file <path>", "Path to pairing QR PNG file").option("--proxy-url <url>", "Optional responder proxy base URL override").action(
     withErrorHandling(
       "pair confirm",
       async (agentName, options) => {
@@ -22782,12 +23017,16 @@ var createPairCommand = (dependencies = {}) => {
         logger9.info("cli.pair_confirmed", {
           initiatorAgentDid: result.initiatorAgentDid,
           responderAgentDid: result.responderAgentDid,
-          proxyUrl: result.proxyUrl
+          proxyUrl: result.proxyUrl,
+          peerAlias: result.peerAlias
         });
         writeStdoutLine("Pairing confirmed");
         writeStdoutLine(`Initiator Agent DID: ${result.initiatorAgentDid}`);
         writeStdoutLine(`Responder Agent DID: ${result.responderAgentDid}`);
         writeStdoutLine(`Paired: ${result.paired ? "true" : "false"}`);
+        if (result.peerAlias) {
+          writeStdoutLine(`Peer alias saved: ${result.peerAlias}`);
+        }
       }
     )
   );
@@ -22827,11 +23066,11 @@ var toRegistryUrl = (registryUrl, path) => {
 var toExpectedIssuer = (registryUrl) => {
   try {
     const hostname3 = new URL(registryUrl).hostname;
-    if (hostname3 === "api.clawdentity.com") {
-      return "https://api.clawdentity.com";
+    if (hostname3 === "registry.clawdentity.com") {
+      return "https://registry.clawdentity.com";
     }
-    if (hostname3 === "dev.api.clawdentity.com") {
-      return "https://dev.api.clawdentity.com";
+    if (hostname3 === "dev.registry.clawdentity.com") {
+      return "https://dev.registry.clawdentity.com";
     }
     return void 0;
   } catch {