clawmarketbot 0.1.0

package/README.md

@@ -0,0 +1,70 @@
+# clawmarketbot
+
+CLI for [ClawMarket](https://clawmarket.cc) — download and install OpenClaw agent configs directly from the marketplace or from npm.
+
+## Requirements
+
+- Node.js 18+
+- OpenClaw installed and configured (`~/.openclaw/openclaw.json` must exist)
+- `unzip` or `tar` available in your PATH
+
+## Install
+
+```bash
+npm install -g clawmarketbot
+```
+
+## Usage
+
+### Install a bot from an npm package
+
+```bash
+clawmarketbot config install-npm @clawmarket/my-bot
+```
+
+Optionally pin a version:
+
+```bash
+clawmarketbot config install-npm @clawmarket/my-bot@1.2.0
+```
+
+### Install a bot from a one-time download token
+
+```bash
+clawmarketbot config install <token>
+```
+
+Tokens are obtained from the ClawMarket download modal.
+
+### Download a config artifact to disk
+
+```bash
+clawmarketbot config download <token>
+```
+
+### Auth
+
+```bash
+clawmarketbot auth login    # save an API key
+clawmarketbot auth status   # check current auth
+clawmarketbot auth logout   # clear credentials
+```
+
+## Environment Variables
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `CLAWMARKET_API_URL` | `https://api.clawmarket.cc` | ClawMarket backend URL |
+| `OPENCLAW_HOME` | `os.homedir()` | OpenClaw home directory |
+| `OPENCLAW_STATE_DIR` | `~/.openclaw` | OpenClaw state directory |
+| `OPENCLAW_CONFIG_PATH` | `~/.openclaw/openclaw.json` | OpenClaw config file |
+
+## How npm-based install works
+
+When you run `clawmarketbot config install-npm @clawmarket/some-bot`:
+
+1. Package metadata is fetched from the npm registry
+2. The tarball is downloaded and its integrity verified
+3. A `bot.zip` bundled inside the package is extracted
+4. The bot's `installer.sh` is run, registering the agent in your OpenClaw config
+5. All temp files are cleaned up automatically

package/dist/index.js

@@ -0,0 +1,1090 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command } from "commander";
+
+// src/commands/auth.ts
+import fetch from "node-fetch";
+
+// src/lib/prompts.ts
+import { checkbox, confirm as promptConfirm, input, password, select } from "@inquirer/prompts";
+
+// src/lib/constants.ts
+var SECRET_FIELD_NAMES = new Set(
+  [
+    "apiKey",
+    "api_key",
+    "apikey",
+    "key",
+    "secret",
+    "token",
+    "accessToken",
+    "access_token",
+    "botToken",
+    "bot_token",
+    "appToken",
+    "app_token",
+    "signingSecret",
+    "clientSecret",
+    "client_secret",
+    "password",
+    "credential",
+    "privateKey",
+    "private_key",
+    "sessionToken",
+    "session_token"
+  ].map((key) => key.toLowerCase())
+);
+
+// src/lib/prompts.ts
+async function askWithDefault(question, defaultValue) {
+  const value = await input({
+    message: question.trim() || "Input",
+    default: defaultValue
+  });
+  return value.trim() || defaultValue.trim();
+}
+async function askSecret(question) {
+  const value = await password({ message: question.trim() || "Secret", mask: true });
+  return value.trim();
+}
+
+// src/lib/auth-config.ts
+import path from "path";
+import fs2 from "fs/promises";
+import os from "os";
+
+// src/lib/fs.ts
+import fs from "fs/promises";
+async function fileExists(filePath) {
+  try {
+    await fs.access(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/lib/auth-config.ts
+function authConfigDir() {
+  return path.join(os.homedir(), ".clawmarket");
+}
+function authConfigPath() {
+  return path.join(authConfigDir(), "clawmarket.json");
+}
+async function readStoredApiKey() {
+  const configPath = authConfigPath();
+  if (!await fileExists(configPath)) return null;
+  try {
+    const raw = await fs2.readFile(configPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    const apiKey = typeof parsed.api_key === "string" ? parsed.api_key.trim() : "";
+    return apiKey.length > 0 ? apiKey : null;
+  } catch {
+    return null;
+  }
+}
+async function writeStoredApiKey(apiKey) {
+  const configDir = authConfigDir();
+  const configPath = authConfigPath();
+  await fs2.mkdir(configDir, { recursive: true, mode: 448 });
+  await fs2.chmod(configDir, 448).catch(() => void 0);
+  const payload = { api_key: apiKey };
+  await fs2.writeFile(configPath, JSON.stringify(payload, null, 2), { mode: 384 });
+  await fs2.chmod(configPath, 384).catch(() => void 0);
+}
+async function clearStoredApiKey() {
+  const configPath = authConfigPath();
+  if (!await fileExists(configPath)) return false;
+  await fs2.unlink(configPath);
+  return true;
+}
+
+// src/commands/auth.ts
+var DEFAULT_SERVER = process.env.CLAWMARKET_API_URL || "http://localhost:8000";
+function resolveUsername(payload) {
+  return payload.data?.user?.username || payload.user?.username || "user";
+}
+function resolveError(payload, fallback) {
+  return payload.error || payload.message || fallback;
+}
+async function readJsonSafe(response) {
+  const text = await response.text();
+  if (!text.trim()) return {};
+  try {
+    return JSON.parse(text);
+  } catch {
+    return { message: text };
+  }
+}
+async function readApiKeyFromStdin() {
+  if (process.stdin.isTTY) {
+    throw new Error("`--stdin` requires piped input");
+  }
+  const chunks = [];
+  for await (const chunk of process.stdin) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk)));
+  }
+  return Buffer.concat(chunks).toString("utf-8").trim();
+}
+async function resolveApiKeyInput(apiKeyArg, fromStdin) {
+  if (apiKeyArg && apiKeyArg.trim()) {
+    console.warn("Warning: using `<api-key>` argument stores it in shell history. Prefer prompt input or `--stdin`.");
+    return apiKeyArg.trim();
+  }
+  if (fromStdin) {
+    const fromPipe = await readApiKeyFromStdin();
+    if (!fromPipe) throw new Error("No API key received from stdin");
+    return fromPipe;
+  }
+  const entered = await askSecret("API key");
+  if (!entered) throw new Error("API key is required");
+  return entered;
+}
+async function validateApiKey(server, apiKey) {
+  const response = await fetch(`${server}/auth/api-key`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ api_key: apiKey })
+  });
+  const payload = await readJsonSafe(response);
+  return { ok: response.ok, payload };
+}
+function registerAuthCommands(program2) {
+  const authCommand = program2.command("auth").description("Manage authentication");
+  authCommand.command("login").description("Login with your ClawMarket API key").argument("[api-key]", "API key (less secure; shows in shell history)").option("--stdin", "Read API key from stdin (recommended for automation)").option("-s, --server <url>", "Server URL", DEFAULT_SERVER).action(async (apiKeyArg, options) => {
+    console.log("Validating API key...");
+    try {
+      const apiKey = await resolveApiKeyInput(apiKeyArg, Boolean(options.stdin));
+      const validation = await validateApiKey(options.server, apiKey);
+      if (!validation.ok) {
+        console.error(`Error: ${resolveError(validation.payload, "Invalid API key")}`);
+        process.exit(1);
+      }
+      const username = resolveUsername(validation.payload);
+      await writeStoredApiKey(apiKey);
+      console.log(`
+Hey ${username}! You're now logged in.
+`);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "";
+      if (message.includes("`--stdin`") || message.includes("No API key received") || message.includes("API key is required")) {
+        console.error(message);
+        process.exit(1);
+      }
+      console.error("Failed to connect to server. Are you online?");
+      process.exit(1);
+    }
+  });
+  authCommand.command("status").description("Check authentication status").option("-s, --server <url>", "Server URL", DEFAULT_SERVER).action(async (options) => {
+    const apiKey = await readStoredApiKey();
+    if (!apiKey) {
+      console.log("Not logged in. Run: clawmarketbot auth login");
+      return;
+    }
+    try {
+      const validation = await validateApiKey(options.server, apiKey);
+      if (!validation.ok) {
+        console.log("Session expired. Run: clawmarketbot auth login");
+        return;
+      }
+      const username = resolveUsername(validation.payload);
+      console.log(`Logged in as ${username}`);
+    } catch {
+      console.log("Logged in (could not verify with server)");
+    }
+  });
+  authCommand.command("logout").description("Logout and clear credentials").action(async () => {
+    const removed = await clearStoredApiKey();
+    console.log(removed ? "Logged out successfully" : "Not logged in");
+  });
+}
+
+// src/commands/config.ts
+import fs5 from "fs/promises";
+import path4 from "path";
+import os3 from "os";
+import { createHash as createHash2, randomUUID } from "crypto";
+import { spawn as spawn2 } from "child_process";
+import JSON52 from "json5";
+import fetch3 from "node-fetch";
+
+// ../../contracts/token.js
+var CLAWMARKET_DOWNLOAD_TOKEN_PATTERN = "[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}";
+var CLAWMARKET_DOWNLOAD_TOKEN_REGEX = new RegExp(
+  `^${CLAWMARKET_DOWNLOAD_TOKEN_PATTERN}$`,
+  "i"
+);
+var CLAWMARKET_ARTIFACT_SHA256_HEADER = "x-clawmarket-sha256";
+function isClawMarketDownloadToken(value) {
+  if (typeof value !== "string") return false;
+  return CLAWMARKET_DOWNLOAD_TOKEN_REGEX.test(value.trim());
+}
+
+// src/lib/openclaw.ts
+import path2 from "path";
+import fs3 from "fs/promises";
+import os2 from "os";
+import JSON5 from "json5";
+var MAX_INCLUDE_DEPTH = 10;
+var DEBUG_LOGGING = process.env.CLAWMARKET_DEBUG === "1";
+function debug(message) {
+  if (!DEBUG_LOGGING) return;
+  console.error(`[clawmarketbot][debug] ${message}`);
+}
+function asObject(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return null;
+  return value;
+}
+function resolveTilde(inputPath, homeDir) {
+  if (inputPath === "~") return homeDir;
+  if (inputPath.startsWith("~/")) return path2.join(homeDir, inputPath.slice(2));
+  return inputPath;
+}
+function resolvePathLike(value, fallback, homeDir, baseDir = process.cwd()) {
+  if (typeof value !== "string" || value.trim().length === 0) return fallback;
+  const expanded = resolveTilde(value, homeDir);
+  if (path2.isAbsolute(expanded)) return path2.normalize(expanded);
+  return path2.resolve(baseDir, expanded);
+}
+function isPlainObject(value) {
+  return !!value && typeof value === "object" && !Array.isArray(value);
+}
+function deepMerge(base, override) {
+  const result = { ...base };
+  for (const [key, value] of Object.entries(override)) {
+    const baseValue = result[key];
+    if (isPlainObject(baseValue) && isPlainObject(value)) {
+      result[key] = deepMerge(baseValue, value);
+      continue;
+    }
+    result[key] = value;
+  }
+  return result;
+}
+async function parseJson5File(filePath) {
+  const content = await fs3.readFile(filePath, "utf-8");
+  let parsed;
+  try {
+    parsed = JSON5.parse(content);
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : "invalid JSON5";
+    throw new Error(`Failed to parse OpenClaw config "${filePath}": ${reason}`);
+  }
+  if (!isPlainObject(parsed)) {
+    throw new Error(`OpenClaw config "${filePath}" must be an object`);
+  }
+  return parsed;
+}
+async function resolveIncludeTarget(includePath, includingFilePath, depth, stack) {
+  const rawPath = resolveTilde(includePath, os2.homedir());
+  const absPath = path2.isAbsolute(rawPath) ? path2.normalize(rawPath) : path2.resolve(path2.dirname(includingFilePath), rawPath);
+  if (!absPath) {
+    throw new Error(`Invalid include path "${includePath}" in "${includingFilePath}"`);
+  }
+  if (stack.includes(absPath)) {
+    throw new Error(`Circular OpenClaw config include detected: ${[...stack, absPath].join(" -> ")}`);
+  }
+  if (!await fileExists(absPath)) {
+    throw new Error(`Included OpenClaw config file not found: ${absPath}`);
+  }
+  const parsed = await parseJson5File(absPath);
+  return resolveIncludes(parsed, absPath, depth + 1, [...stack, absPath]);
+}
+async function resolveIncludes(value, currentFilePath, depth, stack) {
+  if (depth > MAX_INCLUDE_DEPTH) {
+    throw new Error(`OpenClaw config include depth exceeded (${MAX_INCLUDE_DEPTH}) at "${currentFilePath}"`);
+  }
+  if (!isPlainObject(value)) return {};
+  let includedValue = null;
+  if ("$include" in value) {
+    const includeSpec = value.$include;
+    if (typeof includeSpec === "string") {
+      includedValue = await resolveIncludeTarget(includeSpec, currentFilePath, depth, stack);
+    } else if (Array.isArray(includeSpec)) {
+      includedValue = {};
+      for (const includePath of includeSpec) {
+        if (typeof includePath !== "string") {
+          throw new Error(`Invalid $include entry in "${currentFilePath}" (expected string paths)`);
+        }
+        const resolved = await resolveIncludeTarget(includePath, currentFilePath, depth, stack);
+        includedValue = deepMerge(includedValue, resolved);
+      }
+    } else {
+      throw new Error(`Invalid $include value in "${currentFilePath}" (expected string or array)`);
+    }
+  }
+  const resolvedSiblings = {};
+  for (const [key, child] of Object.entries(value)) {
+    if (key === "$include") continue;
+    if (isPlainObject(child)) {
+      resolvedSiblings[key] = await resolveIncludes(child, currentFilePath, depth, stack);
+    } else if (Array.isArray(child)) {
+      const resolvedItems = await Promise.all(
+        child.map(
+          async (item) => isPlainObject(item) ? resolveIncludes(item, currentFilePath, depth, stack) : item
+        )
+      );
+      resolvedSiblings[key] = resolvedItems;
+    } else {
+      resolvedSiblings[key] = child;
+    }
+  }
+  if (!includedValue) return resolvedSiblings;
+  return deepMerge(includedValue, resolvedSiblings);
+}
+function parseAgentName(agentConfig) {
+  const identity = asObject(agentConfig.identity);
+  if (identity && typeof identity.name === "string" && identity.name.trim()) {
+    return identity.name.trim();
+  }
+  if (typeof agentConfig.name === "string" && agentConfig.name.trim()) {
+    return agentConfig.name.trim();
+  }
+  return null;
+}
+function parseAgents(config, paths) {
+  const agentsRoot = asObject(config.agents);
+  const defaults = asObject(agentsRoot?.defaults);
+  const configDir = path2.dirname(paths.configPath);
+  const defaultWorkspace = resolvePathLike(
+    defaults?.workspace,
+    path2.join(paths.stateDir, "workspace"),
+    paths.homeDir,
+    configDir
+  );
+  const list = Array.isArray(agentsRoot?.list) ? agentsRoot?.list : [];
+  if (!list || list.length === 0) {
+    const defaultAgent = {
+      id: "main",
+      name: "Main Agent",
+      workspace: defaultWorkspace,
+      agentDir: path2.join(paths.stateDir, "agents", "main", "agent"),
+      isDefault: true
+    };
+    return { agents: [defaultAgent], defaultAgentId: defaultAgent.id };
+  }
+  const agents = [];
+  for (const item of list) {
+    if (!isPlainObject(item)) continue;
+    const id = typeof item.id === "string" ? item.id.trim() : "";
+    if (!id) continue;
+    const workspaceFallback = defaultWorkspace;
+    const workspace = resolvePathLike(item.workspace, workspaceFallback, paths.homeDir, configDir);
+    const agentDirFallback = path2.join(paths.stateDir, "agents", id, "agent");
+    const agentDir = resolvePathLike(item.agentDir, agentDirFallback, paths.homeDir, configDir);
+    const name = parseAgentName(item) || id;
+    const isDefault = item.default === true;
+    agents.push({ id, name, workspace, agentDir, isDefault });
+  }
+  if (agents.length === 0) {
+    throw new Error("OpenClaw config contains agents.list but no valid agent entries");
+  }
+  const explicitDefault = agents.find((agent) => agent.isDefault);
+  const defaultAgentId = explicitDefault?.id || agents[0].id;
+  const normalizedAgents = agents.map((agent) => ({
+    ...agent,
+    isDefault: agent.id === defaultAgentId
+  }));
+  return { agents: normalizedAgents, defaultAgentId };
+}
+async function parseSkillName(skillFilePath, fallbackName) {
+  try {
+    const content = await fs3.readFile(skillFilePath, "utf-8");
+    if (!content.startsWith("---")) return fallbackName;
+    const lines = content.split(/\r?\n/).slice(1);
+    for (const line of lines) {
+      if (line.trim() === "---") break;
+      const nameMatch = line.match(/^\s*name\s*:\s*(.+)\s*$/);
+      if (nameMatch) {
+        return nameMatch[1].trim().replace(/^['"]|['"]$/g, "") || fallbackName;
+      }
+    }
+    return fallbackName;
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : "unknown error";
+    debug(`Could not parse skill frontmatter "${skillFilePath}": ${reason}`);
+    return fallbackName;
+  }
+}
+async function discoverSkillsInDirectory(dirPath, source) {
+  if (!await fileExists(dirPath)) return [];
+  const entries = await fs3.readdir(dirPath, { withFileTypes: true }).catch(() => []);
+  const skills = [];
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    const skillDirPath = path2.join(dirPath, entry.name);
+    const skillFilePath = path2.join(skillDirPath, "SKILL.md");
+    if (!await fileExists(skillFilePath)) continue;
+    const key = entry.name;
+    const name = await parseSkillName(skillFilePath, key);
+    skills.push({
+      key,
+      name,
+      source,
+      path: skillDirPath,
+      referenceOnly: false
+    });
+  }
+  return skills;
+}
+function skillPriority(source) {
+  switch (source) {
+    case "workspace":
+      return 400;
+    case "managed":
+      return 300;
+    case "extra":
+      return 100;
+    case "config":
+      return 50;
+    default:
+      return 0;
+  }
+}
+async function discoverSkillsForAgent(agent, config, paths) {
+  const skillsRoot = asObject(config.skills);
+  const loadConfig = asObject(skillsRoot?.load);
+  const configDir = path2.dirname(paths.configPath);
+  const extraDirs = Array.isArray(loadConfig?.extraDirs) ? loadConfig.extraDirs.filter((v) => typeof v === "string") : [];
+  const aggregated = [];
+  aggregated.push(...await discoverSkillsInDirectory(path2.join(agent.workspace, "skills"), "workspace"));
+  aggregated.push(...await discoverSkillsInDirectory(paths.managedSkillsDir, "managed"));
+  for (const dir of extraDirs) {
+    const resolvedDir = resolvePathLike(dir, dir, paths.homeDir, configDir);
+    aggregated.push(...await discoverSkillsInDirectory(resolvedDir, "extra"));
+  }
+  const byKey = /* @__PURE__ */ new Map();
+  for (const skill of aggregated) {
+    const lowerKey = skill.key.toLowerCase();
+    const existing = byKey.get(lowerKey);
+    if (!existing || skillPriority(skill.source) > skillPriority(existing.source)) {
+      byKey.set(lowerKey, skill);
+    }
+  }
+  const entries = asObject(skillsRoot?.entries);
+  if (entries) {
+    for (const key of Object.keys(entries)) {
+      const normalized = key.toLowerCase();
+      if (!byKey.has(normalized)) {
+        byKey.set(normalized, {
+          key,
+          name: key,
+          source: "config",
+          referenceOnly: true
+        });
+      }
+    }
+  }
+  const allowBundled = Array.isArray(skillsRoot?.allowBundled) ? skillsRoot.allowBundled.filter((v) => typeof v === "string") : [];
+  for (const key of allowBundled) {
+    const normalized = key.toLowerCase();
+    if (!byKey.has(normalized)) {
+      byKey.set(normalized, {
+        key,
+        name: key,
+        source: "config",
+        referenceOnly: true
+      });
+    }
+  }
+  return [...byKey.values()].sort((a, b) => a.name.localeCompare(b.name));
+}
+function parseCronJobs(rawCron) {
+  const asArrayOrContainer = Array.isArray(rawCron) ? rawCron : isPlainObject(rawCron) && Array.isArray(rawCron.jobs) ? rawCron.jobs : [];
+  const jobs = [];
+  for (const item of asArrayOrContainer) {
+    if (!isPlainObject(item)) continue;
+    const jobIdRaw = typeof item.jobId === "string" ? item.jobId : typeof item.id === "string" ? item.id : null;
+    if (!jobIdRaw || !jobIdRaw.trim()) continue;
+    const nameRaw = typeof item.name === "string" && item.name.trim().length > 0 ? item.name : jobIdRaw;
+    const agentId = typeof item.agentId === "string" && item.agentId.trim() ? item.agentId : void 0;
+    const sessionTarget = typeof item.sessionTarget === "string" && item.sessionTarget.trim() ? item.sessionTarget : void 0;
+    jobs.push({
+      jobId: jobIdRaw.trim(),
+      name: nameRaw.trim(),
+      agentId,
+      sessionTarget,
+      schedule: item.schedule,
+      payload: item.payload,
+      delivery: item.delivery,
+      raw: item
+    });
+  }
+  return jobs;
+}
+async function readCronJobs(config, paths) {
+  const cronConfig = asObject(config.cron);
+  const configDir = path2.dirname(paths.configPath);
+  const cronStorePath = resolvePathLike(
+    cronConfig?.store,
+    path2.join(paths.stateDir, "cron", "jobs.json"),
+    paths.homeDir,
+    configDir
+  );
+  if (!await fileExists(cronStorePath)) return [];
+  try {
+    const raw = await fs3.readFile(cronStorePath, "utf-8");
+    const parsed = JSON5.parse(raw);
+    return parseCronJobs(parsed);
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : "unknown error";
+    debug(`Failed reading cron jobs from "${cronStorePath}": ${reason}`);
+    return [];
+  }
+}
+function resolveOpenClawPaths() {
+  const osHome = os2.homedir();
+  const homeDir = resolveTilde(process.env.OPENCLAW_HOME || osHome, osHome);
+  const stateDir = resolvePathLike(process.env.OPENCLAW_STATE_DIR, path2.join(homeDir, ".openclaw"), osHome, osHome);
+  const configPath = resolvePathLike(
+    process.env.OPENCLAW_CONFIG_PATH,
+    path2.join(stateDir, "openclaw.json"),
+    osHome,
+    osHome
+  );
+  return {
+    homeDir,
+    stateDir,
+    configPath,
+    envPath: path2.join(stateDir, ".env"),
+    managedSkillsDir: path2.join(stateDir, "skills"),
+    cronStorePath: path2.join(stateDir, "cron", "jobs.json")
+  };
+}
+async function loadOpenClawContext() {
+  const paths = resolveOpenClawPaths();
+  if (!await fileExists(paths.configPath)) {
+    throw new Error(`OpenClaw config not found at "${paths.configPath}". Is OpenClaw installed?`);
+  }
+  const rawConfig = await parseJson5File(paths.configPath);
+  const resolvedConfig = await resolveIncludes(rawConfig, paths.configPath, 0, [path2.resolve(paths.configPath)]);
+  const { agents, defaultAgentId } = parseAgents(resolvedConfig, paths);
+  const skillsByAgent = {};
+  for (const agent of agents) {
+    skillsByAgent[agent.id] = await discoverSkillsForAgent(agent, resolvedConfig, paths);
+  }
+  const cronJobs = await readCronJobs(resolvedConfig, paths);
+  return {
+    paths,
+    rawConfig,
+    resolvedConfig,
+    agents,
+    defaultAgentId,
+    skillsByAgent,
+    cronJobs
+  };
+}
+
+// src/lib/npm-install.ts
+import fs4 from "fs/promises";
+import path3 from "path";
+import { createHash } from "crypto";
+import { spawn } from "child_process";
+import fetch2 from "node-fetch";
+function parseNpmPackageSpec(spec) {
+  if (spec.startsWith("@")) {
+    const versionAt2 = spec.indexOf("@", 1);
+    if (versionAt2 === -1) return { packageName: spec, version: "latest" };
+    return {
+      packageName: spec.slice(0, versionAt2),
+      version: spec.slice(versionAt2 + 1) || "latest"
+    };
+  }
+  const versionAt = spec.indexOf("@");
+  if (versionAt === -1) return { packageName: spec, version: "latest" };
+  return {
+    packageName: spec.slice(0, versionAt),
+    version: spec.slice(versionAt + 1) || "latest"
+  };
+}
+async function fetchNpmPackageVersion(packageName, version = "latest") {
+  const encodedName = packageName.startsWith("@") ? `@${encodeURIComponent(packageName.slice(1))}` : encodeURIComponent(packageName);
+  const url = `https://registry.npmjs.org/${encodedName}/${encodeURIComponent(version)}`;
+  const response = await fetch2(url, { headers: { Accept: "application/json" } });
+  if (!response.ok) {
+    if (response.status === 404) {
+      throw new Error(`npm package "${packageName}" not found in the registry.`);
+    }
+    throw new Error(`npm registry request failed: HTTP ${response.status}`);
+  }
+  const data = await response.json();
+  if (!data?.dist?.tarball) {
+    throw new Error(`npm package "${packageName}" has no tarball URL in registry metadata.`);
+  }
+  return data;
+}
+async function downloadNpmTarball(tarballUrl, destPath, expectedShasum) {
+  const response = await fetch2(tarballUrl);
+  if (!response.ok) {
+    throw new Error(`Failed to download tarball: HTTP ${response.status}`);
+  }
+  const bytes = Buffer.from(await response.arrayBuffer());
+  const actual = createHash("sha1").update(bytes).digest("hex");
+  if (actual !== expectedShasum) {
+    throw new Error(
+      `Tarball integrity check failed: expected ${expectedShasum}, got ${actual}.`
+    );
+  }
+  await fs4.writeFile(destPath, bytes);
+}
+async function extractNpmTarball(tarballPath, destDir) {
+  await new Promise((resolve, reject) => {
+    const child = spawn("tar", ["-xzf", tarballPath, "-C", destDir]);
+    let stderr = "";
+    child.stderr?.on("data", (chunk) => {
+      stderr += String(chunk);
+    });
+    child.on("error", (err) => {
+      if (err.code === "ENOENT") {
+        reject(new Error('"tar" is required to install npm packages but was not found in PATH.'));
+      } else {
+        reject(err);
+      }
+    });
+    child.on("close", (code) => {
+      if (code === 0) {
+        resolve();
+      } else {
+        reject(
+          new Error(`tar exited with code ${code}${stderr.trim() ? `: ${stderr.trim()}` : ""}`)
+        );
+      }
+    });
+  });
+}
+async function findBotZipInExtractedPackage(extractedDir) {
+  const packageRoot = path3.join(extractedDir, "package");
+  async function scan(dir) {
+    let entries;
+    try {
+      entries = await fs4.readdir(dir, { withFileTypes: true });
+    } catch {
+      return null;
+    }
+    for (const entry of entries) {
+      if (entry.isFile() && entry.name === "bot.zip") {
+        return path3.join(dir, entry.name);
+      }
+    }
+    for (const entry of entries) {
+      if (entry.isFile() && entry.name.endsWith(".zip")) {
+        return path3.join(dir, entry.name);
+      }
+    }
+    for (const entry of entries) {
+      if (!entry.isDirectory()) continue;
+      const found = await scan(path3.join(dir, entry.name));
+      if (found) return found;
+    }
+    return null;
+  }
+  return scan(packageRoot);
+}
+
+// src/commands/config.ts
+function isValidDownloadToken(token) {
+  return isClawMarketDownloadToken(token);
+}
+function assertValidDownloadToken(token) {
+  if (!isValidDownloadToken(token)) {
+    throw new Error("Invalid token format. Expected UUID token from the download modal.");
+  }
+}
+async function resolveSafeDownloadPath(targetPath) {
+  const resolved = path4.resolve(targetPath);
+  if (!await fileExists(resolved)) {
+    return { outputPath: resolved, renamed: false };
+  }
+  const parsed = path4.parse(resolved);
+  for (let i = 1; i <= 1e3; i += 1) {
+    const candidate = path4.join(parsed.dir, `${parsed.name}-${i}${parsed.ext}`);
+    if (!await fileExists(candidate)) {
+      return { outputPath: candidate, renamed: true };
+    }
+  }
+  throw new Error(`Unable to choose a safe output filename for: ${resolved}`);
+}
+function getDefaultServer() {
+  return process.env.CLAWMARKET_API_URL || "http://localhost:8000";
+}
+function sha256(content) {
+  return createHash2("sha256").update(content).digest("hex");
+}
+function verifyDownloadedArtifactChecksum(content, checksumHeader) {
+  if (!checksumHeader) return;
+  const normalized = checksumHeader.trim().toLowerCase();
+  if (!/^[a-f0-9]{64}$/.test(normalized)) {
+    throw new Error("Download failed integrity check: invalid checksum header.");
+  }
+  const actual = sha256(content);
+  if (actual !== normalized) {
+    throw new Error("Download failed integrity check: checksum mismatch.");
+  }
+}
+function sanitizeSlugPart(value) {
+  return value.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 32);
+}
+function sanitizeFileName(value) {
+  const base = path4.basename(value || "").replace(/[^A-Za-z0-9._-]/g, "-");
+  return base || "download.bin";
+}
+function parseContentDispositionFileName(headerValue) {
+  if (!headerValue) return null;
+  const utf8Match = headerValue.match(/filename\*=UTF-8''([^;]+)/i);
+  if (utf8Match?.[1]) {
+    try {
+      return sanitizeFileName(decodeURIComponent(utf8Match[1]));
+    } catch {
+      return sanitizeFileName(utf8Match[1]);
+    }
+  }
+  const quoted = headerValue.match(/filename="([^"]+)"/i);
+  if (quoted?.[1]) return sanitizeFileName(quoted[1]);
+  const plain = headerValue.match(/filename=([^;]+)/i);
+  if (plain?.[1]) return sanitizeFileName(plain[1].trim());
+  return null;
+}
+function toStringOrUndefined(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
+}
+function validateAgentId(input2) {
+  return /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/.test(input2);
+}
+async function readJsonError(response) {
+  const text = await response.text();
+  if (!text.trim()) return "Request failed";
+  try {
+    const parsed = JSON.parse(text);
+    return parsed.error || parsed.message || text;
+  } catch {
+    return text;
+  }
+}
+async function fetchDownloadArtifact(server, token) {
+  const response = await fetch3(`${server}/download/${encodeURIComponent(token)}?format=file`, {
+    method: "GET"
+  });
+  if (!response.ok) {
+    throw new Error(await readJsonError(response));
+  }
+  const bytes = Buffer.from(await response.arrayBuffer());
+  verifyDownloadedArtifactChecksum(bytes, response.headers.get(CLAWMARKET_ARTIFACT_SHA256_HEADER));
+  const fileFromHeader = parseContentDispositionFileName(response.headers.get("content-disposition"));
+  const fallbackFile = `clawmarket-${token}.zip`;
+  return {
+    bytes,
+    fileName: fileFromHeader || fallbackFile
+  };
+}
+async function runCommand(command, args, options = {}) {
+  return new Promise((resolve, reject) => {
+    const child = spawn2(command, args, {
+      cwd: options.cwd,
+      stdio: options.stdio === "inherit" ? "inherit" : "pipe"
+    });
+    let stdout = "";
+    let stderr = "";
+    if (child.stdout) {
+      child.stdout.on("data", (chunk) => {
+        stdout += String(chunk);
+      });
+    }
+    if (child.stderr) {
+      child.stderr.on("data", (chunk) => {
+        stderr += String(chunk);
+      });
+    }
+    child.on("error", (error) => {
+      reject(error);
+    });
+    child.on("close", (code) => {
+      if (code === 0) {
+        resolve({ stdout, stderr });
+        return;
+      }
+      const detail = stderr.trim() || stdout.trim();
+      reject(new Error(`${command} exited with code ${code}${detail ? `: ${detail}` : ""}`));
+    });
+  });
+}
+function isErrnoWithCode(error, code) {
+  return Boolean(error && typeof error === "object" && error.code === code);
+}
+async function extractZipArtifact(artifactPath, destinationDir) {
+  try {
+    await runCommand("unzip", ["-q", artifactPath, "-d", destinationDir]);
+    return;
+  } catch (error) {
+    if (!isErrnoWithCode(error, "ENOENT")) {
+      throw error;
+    }
+  }
+  try {
+    await runCommand("tar", ["-xf", artifactPath, "-C", destinationDir]);
+  } catch (error) {
+    if (isErrnoWithCode(error, "ENOENT")) {
+      throw new Error('Could not extract zip artifact: neither "unzip" nor "tar" is available.');
+    }
+    throw error;
+  }
+}
+async function findInstallerPackage(rootDir) {
+  const queue = [path4.resolve(rootDir)];
+  const seen = /* @__PURE__ */ new Set();
+  while (queue.length > 0) {
+    const current = queue.shift();
+    if (!current || seen.has(current)) continue;
+    seen.add(current);
+    const rootInstallerPath = path4.join(current, "installer.sh");
+    const sourceInstallerPath = path4.join(current, "source", "installer.sh");
+    const configPath = path4.join(current, "source", "bot-config.json");
+    if (await fileExists(rootInstallerPath) && await fileExists(configPath)) {
+      return {
+        packageRoot: current,
+        installerPath: rootInstallerPath,
+        botConfigPath: configPath,
+        layout: "root-installer"
+      };
+    }
+    if (await fileExists(sourceInstallerPath) && await fileExists(configPath)) {
+      return {
+        packageRoot: current,
+        installerPath: sourceInstallerPath,
+        botConfigPath: configPath,
+        layout: "source-installer"
+      };
+    }
+    let entries;
+    try {
+      entries = await fs5.readdir(current, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      if (!entry.isDirectory()) continue;
+      if (entry.name === "." || entry.name === "..") continue;
+      queue.push(path4.join(current, entry.name));
+    }
+  }
+  return null;
+}
+async function ensureInstallableLayout(pkg) {
+  if (pkg.layout === "root-installer") {
+    return {
+      packageRoot: pkg.packageRoot,
+      installerScriptName: "installer.sh",
+      botConfigPath: pkg.botConfigPath
+    };
+  }
+  const promotedInstallerPath = path4.join(pkg.packageRoot, "installer.sh");
+  await fs5.copyFile(pkg.installerPath, promotedInstallerPath);
+  await fs5.chmod(promotedInstallerPath, 493).catch(() => void 0);
+  return {
+    packageRoot: pkg.packageRoot,
+    installerScriptName: "installer.sh",
+    botConfigPath: pkg.botConfigPath
+  };
+}
+async function readBotInstallerConfig(configPath) {
+  if (!await fileExists(configPath)) {
+    throw new Error(`Package is missing required config file: ${configPath}`);
+  }
+  const raw = await fs5.readFile(configPath, "utf-8");
+  try {
+    return JSON.parse(raw);
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : "invalid JSON";
+    throw new Error(`Package config is invalid JSON (${configPath}): ${reason}`);
+  }
+}
+async function resolveAgentId(suggestedAgentId) {
+  const canPrompt = Boolean(process.stdin.isTTY && process.stdout.isTTY);
+  if (!canPrompt) {
+    throw new Error("Install requires an interactive terminal to choose the new agent id.");
+  }
+  const prompted = await askWithDefault("New OpenClaw agent id", suggestedAgentId);
+  if (!validateAgentId(prompted)) {
+    throw new Error('Invalid agent id. Use 1-64 chars: letters, numbers, "-" or "_" (must start with alphanumeric).');
+  }
+  return prompted;
+}
+function registerConfigCommands(program2) {
+  const configCommand = program2.command("config").description("Download and install published configs");
+  configCommand.command("download").description("Download a published config artifact from a one-time token").argument("<token>", "One-time download token").action(async (token) => {
+    try {
+      assertValidDownloadToken(token);
+      const server = getDefaultServer();
+      const response = await fetch3(`${server}/download/${encodeURIComponent(token)}?format=file`, {
+        method: "GET"
+      });
+      if (!response.ok) {
+        throw new Error(await readJsonError(response));
+      }
+      const fileFromHeader = parseContentDispositionFileName(response.headers.get("content-disposition"));
+      const fallbackFile = `clawmarket-${token}.bin`;
+      const preferredPath = path4.resolve(fileFromHeader || fallbackFile);
+      const { outputPath, renamed } = await resolveSafeDownloadPath(preferredPath);
+      const bytes = Buffer.from(await response.arrayBuffer());
+      verifyDownloadedArtifactChecksum(bytes, response.headers.get(CLAWMARKET_ARTIFACT_SHA256_HEADER));
+      await fs5.mkdir(path4.dirname(outputPath), { recursive: true });
+      await fs5.writeFile(outputPath, bytes);
+      if (renamed) {
+        console.log(`Existing file detected, saved as: ${outputPath}`);
+      }
+      console.log(`Downloaded artifact: ${outputPath}`);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Download failed";
+      console.error(message);
+      process.exit(1);
+    }
+  });
+  configCommand.command("install").description("Install an agent config from a one-time token into a new OpenClaw agent").argument("<token>", "One-time download token").action(async (token) => {
+    try {
+      assertValidDownloadToken(token);
+      const server = getDefaultServer();
+      const context = await loadOpenClawContext();
+      const artifact = await fetchDownloadArtifact(server, token);
+      const tempRoot = await fs5.mkdtemp(path4.join(os3.tmpdir(), `.clawmarket-install-${randomUUID().slice(0, 8)}-`));
+      try {
+        const artifactPath = path4.join(tempRoot, sanitizeFileName(artifact.fileName));
+        const extractedPath = path4.join(tempRoot, "extracted");
+        await fs5.mkdir(extractedPath, { recursive: true });
+        await fs5.writeFile(artifactPath, artifact.bytes);
+        await extractZipArtifact(artifactPath, extractedPath);
+        const packageInfo = await findInstallerPackage(extractedPath);
+        if (!packageInfo) {
+          throw new Error(
+            "Downloaded artifact is not an installable bot package (missing installer.sh + source/bot-config.json or source/installer.sh + source/bot-config.json)."
+          );
+        }
+        const installLayout = await ensureInstallableLayout(packageInfo);
+        const botConfig = await readBotInstallerConfig(installLayout.botConfigPath);
+        if (typeof botConfig.installerSpecVersion === "number" && botConfig.installerSpecVersion !== 1) {
+          console.warn(
+            `Warning: installerSpecVersion=${botConfig.installerSpecVersion} (this CLI currently expects version 1).`
+          );
+        }
+        const configuredAgentId = toStringOrUndefined(botConfig.agent?.id) || "agent";
+        const suggestedAgentId = validateAgentId(configuredAgentId) ? configuredAgentId : sanitizeSlugPart(configuredAgentId) || "agent";
+        const agentId = await resolveAgentId(suggestedAgentId);
+        const agentName = toStringOrUndefined(botConfig.agent?.name) || agentId;
+        const existing = new Set(context.agents.map((agent) => agent.id.toLowerCase()));
+        if (existing.has(agentId.toLowerCase())) {
+          throw new Error(`Agent id "${agentId}" already exists. Choose another id.`);
+        }
+        console.log("Running packaged installer...");
+        await runCommand(
+          "bash",
+          [installLayout.installerScriptName, "--agent-id", agentId, "--agent-name", agentName, context.paths.stateDir],
+          { cwd: installLayout.packageRoot, stdio: "inherit" }
+        );
+        const refreshed = await loadOpenClawContext();
+        const installed = refreshed.agents.find((agent) => agent.id.toLowerCase() === agentId.toLowerCase());
+        if (!installed) {
+          throw new Error("Installer finished, but the new agent was not detected in openclaw.json.");
+        }
+        console.log("Installed package into OpenClaw as an additional agent");
+        console.log(`  Agent ID: ${installed.id}`);
+        console.log(`  Name: ${installed.name}`);
+        console.log(`  Workspace: ${installed.workspace}`);
+        console.log(`  Agent Dir: ${installed.agentDir}`);
+        console.log("\nNext steps:");
+        console.log("  1) openclaw agents list");
+        console.log("  2) openclaw gateway restart");
+      } finally {
+        await fs5.rm(tempRoot, { recursive: true, force: true }).catch(() => void 0);
+      }
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Install failed";
+      console.error(message);
+      process.exit(1);
+    }
+  });
+  configCommand.command("install-npm").description("Install a bot config from an npm package (e.g. @clawmarket/my-bot)").argument("<package>", "npm package name, optionally with version (e.g. @clawmarket/my-bot or @clawmarket/my-bot@1.2.0)").action(async (packageSpec) => {
+    try {
+      const { packageName, version } = parseNpmPackageSpec(packageSpec);
+      console.log(`Looking up ${packageSpec} in the npm registry...`);
+      const context = await loadOpenClawContext();
+      const pkgMeta = await fetchNpmPackageVersion(packageName, version);
+      console.log(`Found ${pkgMeta.name}@${pkgMeta.version}`);
+      const tempRoot = await fs5.mkdtemp(
+        path4.join(os3.tmpdir(), `.clawmarket-npm-${randomUUID().slice(0, 8)}-`)
+      );
+      try {
+        const tarballPath = path4.join(tempRoot, "package.tgz");
+        console.log("Downloading package...");
+        await downloadNpmTarball(pkgMeta.dist.tarball, tarballPath, pkgMeta.dist.shasum);
+        const npmExtractedPath = path4.join(tempRoot, "npm-extracted");
+        await fs5.mkdir(npmExtractedPath, { recursive: true });
+        await extractNpmTarball(tarballPath, npmExtractedPath);
+        const botZipPath = await findBotZipInExtractedPackage(npmExtractedPath);
+        if (!botZipPath) {
+          throw new Error(
+            `npm package "${pkgMeta.name}" does not contain a bot.zip. Expected a bot.zip at the package root inside the tarball.`
+          );
+        }
+        const botZipFileName = sanitizeFileName(path4.basename(botZipPath));
+        const stagedZipPath = path4.join(tempRoot, botZipFileName);
+        await fs5.copyFile(botZipPath, stagedZipPath);
+        const botExtractedPath = path4.join(tempRoot, "bot-extracted");
+        await fs5.mkdir(botExtractedPath, { recursive: true });
+        await extractZipArtifact(stagedZipPath, botExtractedPath);
+        const packageInfo = await findInstallerPackage(botExtractedPath);
+        if (!packageInfo) {
+          throw new Error(
+            "Bot zip is not an installable package (missing installer.sh + source/bot-config.json)."
+          );
+        }
+        const installLayout = await ensureInstallableLayout(packageInfo);
+        const botConfig = await readBotInstallerConfig(installLayout.botConfigPath);
+        if (typeof botConfig.installerSpecVersion === "number" && botConfig.installerSpecVersion !== 1) {
+          console.warn(
+            `Warning: installerSpecVersion=${botConfig.installerSpecVersion} (this CLI currently expects version 1).`
+          );
+        }
+        const configuredAgentId = toStringOrUndefined(botConfig.agent?.id) || "agent";
+        const suggestedAgentId = validateAgentId(configuredAgentId) ? configuredAgentId : sanitizeSlugPart(configuredAgentId) || "agent";
+        const agentId = await resolveAgentId(suggestedAgentId);
+        const agentName = toStringOrUndefined(botConfig.agent?.name) || agentId;
+        const existing = new Set(context.agents.map((agent) => agent.id.toLowerCase()));
+        if (existing.has(agentId.toLowerCase())) {
+          throw new Error(`Agent id "${agentId}" already exists. Choose another id.`);
+        }
+        console.log("Running packaged installer...");
+        await runCommand(
+          "bash",
+          [installLayout.installerScriptName, "--agent-id", agentId, "--agent-name", agentName, context.paths.stateDir],
+          { cwd: installLayout.packageRoot, stdio: "inherit" }
+        );
+        const refreshed = await loadOpenClawContext();
+        const installed = refreshed.agents.find((agent) => agent.id.toLowerCase() === agentId.toLowerCase());
+        if (!installed) {
+          throw new Error("Installer finished, but the new agent was not detected in openclaw.json.");
+        }
+        console.log(`
+Installed ${pkgMeta.name}@${pkgMeta.version} into OpenClaw as a new agent`);
+        console.log(`  Agent ID: ${installed.id}`);
+        console.log(`  Name: ${installed.name}`);
+        console.log(`  Workspace: ${installed.workspace}`);
+        console.log(`  Agent Dir: ${installed.agentDir}`);
+        console.log("\nNext steps:");
+        console.log("  1) openclaw agents list");
+        console.log("  2) openclaw gateway restart");
+      } finally {
+        await fs5.rm(tempRoot, { recursive: true, force: true }).catch(() => void 0);
+      }
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Install failed";
+      console.error(message);
+      process.exit(1);
+    }
+  });
+}
+
+// src/index.ts
+var program = new Command();
+program.name("clawmarketbot").description("CLI tool for ClawMarket - discover, download, and install OpenClaw configs").version("0.1.0");
+registerAuthCommands(program);
+registerConfigCommands(program);
+program.parse();

package/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "clawmarketbot",
+  "version": "0.1.0",
+  "private": false,
+  "description": "CLI tool for ClawMarket - discover, download, and install OpenClaw configs",
+  "type": "module",
+  "bin": {
+    "clawmarketbot": "./dist/index.js"
+  },
+  "main": "./dist/index.js",
+  "exports": {
+    ".": "./dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "scripts": {
+    "clean": "rm -rf dist",
+    "build": "tsup",
+    "prepublishOnly": "npm run build",
+    "dev": "tsx src/index.ts",
+    "test": "tsx --test src/__tests__/**/*.test.ts"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@inquirer/prompts": "^7.8.4",
+    "archiver": "^7.0.1",
+    "commander": "^12.0.0",
+    "form-data": "^4.0.0",
+    "json5": "^2.2.3",
+    "node-fetch": "^3.3.2"
+  },
+  "devDependencies": {
+    "@clawmarket/contracts": "file:../../contracts",
+    "@types/archiver": "^7.0.0",
+    "@types/node": "^22.0.0",
+    "tsup": "^8.0.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.7.0"
+  }
+}