clawmatrix 0.2.2 → 0.2.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawmatrix",
-  "version": "0.2.2",
+  "version": "0.2.4",
   "description": "Decentralized mesh cluster plugin for OpenClaw — inter-gateway communication, model proxy, task handoff, and tool proxy.",
   "type": "module",
   "license": "MIT",

package/src/cli.ts

@@ -99,7 +99,7 @@ export const registerClusterCli = ({ program }: { program: Command }) => {
         models: Array<{ id: string }>;
         tags: string[];
         connected: boolean;
-        status: "direct" | "relay" | "unreachable";
+        status: "direct" | "relay" | "unreachable" | "sentinel-only";
         latencyMs: number;
         reachableVia: string | null;
       }>;
@@ -121,10 +121,15 @@ export const registerClusterCli = ({ program }: { program: Command }) => {
 
       for (let i = 0; i < peers.length; i++) {
         const peer = peers[i];
-        const dot = peer.status === "direct" ? green("●") : peer.status === "relay" ? yellow("●") : red("○");
+        const dot = peer.status === "direct" ? green("●")
+          : peer.status === "relay" ? yellow("●")
+          : peer.status === "sentinel-only" ? yellow("◐")
+          : red("○");
         const latency = peer.connected && peer.latencyMs > 0 ? dim(` ${peer.latencyMs}ms`) : "";
         const statusLabel = peer.status === "relay"
           ? yellow(` relay via ${peer.reachableVia}`)
+          : peer.status === "sentinel-only"
+            ? yellow(" sentinel only")
           : peer.status === "unreachable"
             ? red(" unreachable")
             : "";

package/src/cluster-service.ts

@@ -505,12 +505,14 @@ export function createClusterService(
   config: ClawMatrixConfig,
   openclawConfig: OpenClawConfig,
   openclawVersion?: string,
+  onStarted?: () => void,
 ): OpenClawPluginService {
   return {
     id: "clawmatrix",
     start(ctx: OpenClawPluginServiceContext) {
       clusterRuntime = new ClusterRuntime(config, ctx.logger, openclawConfig, openclawVersion);
       clusterRuntime.start();
+      onStarted?.();
     },
     async stop() {
       if (clusterRuntime) {

package/src/identity.ts

@@ -54,10 +54,12 @@ export function loadOrCreateIdentity(stateDir: string): KeyPair {
     if (fs.existsSync(filePath)) {
       const raw = fs.readFileSync(filePath, "utf-8");
       const data: IdentityData = JSON.parse(raw);
-      return keyPairFromSerialized(data.publicKey, data.privateKey);
+      const keyPair = keyPairFromSerialized(data.publicKey, data.privateKey);
+      console.error(`[clawmatrix:identity] loaded existing identity from ${filePath} (publicKey=${data.publicKey.slice(0, 12)}...)`);
+      return keyPair;
     }
-  } catch {
-    // Corrupted file — regenerate
+  } catch (err) {
+    console.error(`[clawmatrix:identity] failed to load identity from ${filePath}, regenerating: ${err}`);
   }
 
   // Generate new identity
@@ -73,6 +75,7 @@ export function loadOrCreateIdentity(stateDir: string): KeyPair {
     fs.mkdirSync(stateDir, { recursive: true });
   }
   fs.writeFileSync(filePath, JSON.stringify(data, null, 2), { mode: 0o600 });
+  console.error(`[clawmatrix:identity] generated NEW identity at ${filePath} (publicKey=${data.publicKey.slice(0, 12)}...)`);
 
   return keyPair;
 }

package/src/index.ts

@@ -136,7 +136,12 @@ const plugin = {
     }
 
     // Background service: manages mesh connections, WS listener, heartbeat
-    api.registerService(createClusterService(config, api.config, api.runtime.version));
+    // onStarted callback wires up approval after the runtime is available
+    let onServiceStarted: (() => void) | undefined;
+    const serviceStartedPromise = config.peerApproval.enabled
+      ? new Promise<void>((resolve) => { onServiceStarted = resolve; })
+      : undefined;
+    api.registerService(createClusterService(config, api.config, api.runtime.version, onServiceStarted));
 
     // Model providers: register per-node providers so models are accessed as nodeId/modelId
     const baseUrl = `http://127.0.0.1:${config.proxyPort}/v1`;
@@ -363,15 +368,52 @@ const plugin = {
               }
             }
           }
-          // Auto-detect: scan OpenClaw channels config for enabled channels with groups
+          // Auto-detect: prefer DM targets (owner) over group targets
           if (targets.length === 0) {
             const channelsConfig = (api.config as Record<string, unknown>).channels as
-              Record<string, { enabled?: boolean; groups?: Record<string, unknown> }> | undefined;
+              Record<string, { enabled?: boolean; allowFrom?: Array<string | number>; groups?: Record<string, unknown> }> | undefined;
+
+            // Parse commands.ownerAllowFrom for channel-prefixed owner IDs
+            // e.g. ["telegram:12345", "feishu:user_abc"] → { telegram: "12345", feishu: "user_abc" }
+            const commandsConfig = (api.config as Record<string, unknown>).commands as
+              { ownerAllowFrom?: Array<string | number> } | undefined;
+            const ownerByChannel = new Map<string, string>();
+            if (commandsConfig?.ownerAllowFrom) {
+              for (const entry of commandsConfig.ownerAllowFrom) {
+                const str = String(entry).trim();
+                const colonIdx = str.indexOf(":");
+                if (colonIdx > 0) {
+                  const ch = str.slice(0, colonIdx).toLowerCase();
+                  const id = str.slice(colonIdx + 1).trim();
+                  if (id && !ownerByChannel.has(ch)) {
+                    ownerByChannel.set(ch, id);
+                  }
+                }
+              }
+            }
+
             if (channelsConfig) {
               for (const [channelId, chConf] of Object.entries(channelsConfig)) {
-                if (!chConf || chConf.enabled === false) continue;
+                if (!chConf || typeof chConf !== "object" || chConf.enabled === false) continue;
+
+                // Priority 1: owner from commands.ownerAllowFrom → DM
+                const ownerDm = ownerByChannel.get(channelId);
+                if (ownerDm) {
+                  targets.push({ channel: channelId, to: ownerDm });
+                  continue;
+                }
+
+                // Priority 2: channel allowFrom (DM allowlist) → first entry as DM
+                if (Array.isArray(chConf.allowFrom) && chConf.allowFrom.length > 0) {
+                  const firstUser = String(chConf.allowFrom[0]).trim();
+                  if (firstUser && firstUser !== "*") {
+                    targets.push({ channel: channelId, to: firstUser });
+                    continue;
+                  }
+                }
+
+                // Priority 3: groups (fallback)
                 if (chConf.groups && typeof chConf.groups === "object") {
-                  // Use the first configured group as notification target
                   const firstGroupId = Object.keys(chConf.groups)[0];
                   if (firstGroupId) {
                     targets.push({ channel: channelId, to: firstGroupId });
@@ -388,8 +430,11 @@ const plugin = {
         }
       };
 
-      // Delay setup until service has started
-      setTimeout(setupApproval, 1000);
+      // Run setupApproval once the cluster service has started
+      serviceStartedPromise!.then(() => {
+        // Small delay to ensure runtime is fully wired
+        setTimeout(setupApproval, 100);
+      });
     }
 
     // Gateway methods (queried by CLI via `openclaw gateway call`)
@@ -399,6 +444,8 @@ const plugin = {
         try {
           const runtime = getClusterRuntime();
           const peers = runtime.peerManager.router.getAllPeers();
+          const mergedPeers = mergeSentinelPeers(peers, runtime)
+            .filter((p) => (p as { nodeId: string }).nodeId !== config.nodeId);
           respond(true, {
             nodeId: config.nodeId,
             listen: config.listen ? config.listenPort : false,
@@ -406,7 +453,7 @@ const plugin = {
             agents: config.agents.map((a) => ({ id: a.id, description: a.description })),
             models: config.models.map((m) => ({ id: m.id })),
             tags: config.tags,
-            peers: mergeSentinelPeers(peers, runtime),
+            peers: mergedPeers,
           });
         } catch {
           respond(false, { error: "ClawMatrix service not running" });
@@ -687,16 +734,18 @@ function mergeSentinelPeers(
     const status = runtime.peerManager.router.getPeerStatus(p);
     const sentinel = sentinelMap.get(p.nodeId);
     const sentinelStatus = sentinel ? runtime.peerManager.router.getPeerStatus(sentinel) : undefined;
+    const sentinelOnline = sentinelStatus === "direct" || sentinelStatus === "relay";
+    const effectiveStatus = status === "unreachable" && sentinelOnline ? "sentinel-only" : status;
     result.push({
       nodeId: p.nodeId,
       agents: p.agents,
       models: p.models,
       tags: p.tags,
       connected: status !== "unreachable",
-      status,
+      status: effectiveStatus,
       reachableVia: p.reachableVia,
       latencyMs: p.latencyMs,
-      ...(sentinel ? { sentinel: sentinelStatus === "direct" || sentinelStatus === "relay" ? "online" : "offline" } : {}),
+      ...(sentinel ? { sentinel: sentinelOnline ? "online" : "offline" } : {}),
     });
   }
 
@@ -704,15 +753,16 @@ function mergeSentinelPeers(
   for (const [mainId, sentinel] of sentinelMap) {
     if (seen.has(mainId)) continue;
     const sentinelStatus = runtime.peerManager.router.getPeerStatus(sentinel);
+    const sentinelOnline = sentinelStatus === "direct" || sentinelStatus === "relay";
     result.push({
       nodeId: mainId,
       agents: [],
       models: [],
       tags: [],
       connected: false,
-      status: "unreachable",
+      status: sentinelOnline ? "sentinel-only" : "unreachable",
       latencyMs: sentinel.latencyMs,
-      sentinel: sentinelStatus === "direct" || sentinelStatus === "relay" ? "online" : "offline",
+      sentinel: sentinelOnline ? "online" : "offline",
     });
   }
 

package/src/peer-approval.ts

@@ -101,6 +101,8 @@ export class PeerApprovalManager extends EventEmitter<PeerApprovalEvents> {
   private loaded = false;
   /** IP → list of deny timestamps (for approval noise suppression). */
   private ipDenyHistory = new Map<string, number[]>();
+  /** Active sentinel polling timers (for cleanup on destroy). */
+  private sentinelTimers = new Set<ReturnType<typeof setInterval>>();
 
   constructor(config: PeerApprovalConfig, stateDir: string) {
     super();
@@ -190,6 +192,15 @@ export class PeerApprovalManager extends EventEmitter<PeerApprovalEvents> {
     // Always allow pre-approved nodeIds from config
     if (this.config.allowList.includes(nodeId)) return "allow";
 
+    // Auto-allow sentinel companions: if "X:sentinel" connects and "X" is approved, allow it
+    const sentinelSuffix = ":sentinel";
+    if (nodeId.endsWith(sentinelSuffix)) {
+      const baseNodeId = nodeId.slice(0, -sentinelSuffix.length);
+      if (this.data.approved[baseNodeId] || this.config.allowList.includes(baseNodeId)) {
+        return "allow";
+      }
+    }
+
     // Already approved (persisted)
     const approved = this.data.approved[nodeId];
     if (approved) {
@@ -236,6 +247,16 @@ export class PeerApprovalManager extends EventEmitter<PeerApprovalEvents> {
     publicKey?: string,
     ip?: string,
   ): Promise<"approve" | "deny" | "timeout"> {
+    // Sentinel companion: piggyback on the base nodeId's approval instead of
+    // creating a separate request. If the base node's approval is already pending,
+    // wait for that decision. If the sentinel arrives first, wait for the base
+    // node's approval to appear (up to the configured timeout).
+    const sentinelSuffix = ":sentinel";
+    if (nodeId.endsWith(sentinelSuffix)) {
+      const baseNodeId = nodeId.slice(0, -sentinelSuffix.length);
+      return this.waitForBaseApproval(baseNodeId, nodeId, capabilities, publicKey);
+    }
+
     const approvalId = crypto.randomUUID();
     this.log(`requestApproval: nodeId=${nodeId} mode=${this.config.mode} approvalId=${approvalId}`);
 
@@ -481,6 +502,79 @@ export class PeerApprovalManager extends EventEmitter<PeerApprovalEvents> {
     });
   }
 
+  /**
+   * Wait for the base nodeId's approval decision (for sentinel companions).
+   * If the base already has a pending approval, piggyback on it.
+   * If not yet pending, poll briefly until it appears or timeout.
+   */
+  private waitForBaseApproval(
+    baseNodeId: string,
+    sentinelNodeId: string,
+    capabilities: NodeCapabilities,
+    publicKey?: string,
+  ): Promise<"approve" | "deny" | "timeout"> {
+    const autoApprove = (decision: "approve" | "deny" | "timeout") => {
+      if (decision === "approve") {
+        this.addApproved(sentinelNodeId, capabilities.deviceInfo, publicKey, {
+          source: `auto:sentinel-of:${baseNodeId}`, at: Date.now(),
+        });
+      }
+      return decision;
+    };
+
+    // Try to find an existing pending approval for the base node
+    const tryPiggyback = (): Promise<"approve" | "deny" | "timeout"> | null => {
+      for (const pending of this.pending.values()) {
+        if (pending.nodeId === baseNodeId) {
+          this.log(`sentinel ${sentinelNodeId} piggybacking on pending approval for ${baseNodeId}`);
+          return new Promise<"approve" | "deny" | "timeout">((resolve) => {
+            const origResolve = pending.resolve;
+            pending.resolve = (decision) => {
+              origResolve(decision);
+              resolve(autoApprove(decision));
+            };
+          });
+        }
+      }
+      return null;
+    };
+
+    const existing = tryPiggyback();
+    if (existing) return existing;
+
+    // Base node's approval hasn't been created yet (sentinel arrived first).
+    // Poll briefly — the base node should connect within a few seconds.
+    this.log(`sentinel ${sentinelNodeId} waiting for base node ${baseNodeId} approval to appear`);
+    return new Promise<"approve" | "deny" | "timeout">((resolve) => {
+      let attempts = 0;
+      const maxAttempts = 30; // 30 × 1s = 30s max wait
+      const cleanup = () => { clearInterval(timer); this.sentinelTimers.delete(timer); };
+      const timer = setInterval(() => {
+        attempts++;
+
+        // Check if base got approved while we were waiting
+        if (this.data.approved[baseNodeId]) {
+          cleanup();
+          resolve(autoApprove("approve"));
+          return;
+        }
+
+        const result = tryPiggyback();
+        if (result) {
+          cleanup();
+          result.then(resolve);
+          return;
+        }
+
+        if (attempts >= maxAttempts) {
+          cleanup();
+          resolve("timeout");
+        }
+      }, 1_000);
+      this.sentinelTimers.add(timer);
+    });
+  }
+
   private addApproved(nodeId: string, deviceInfo?: DeviceInfo, publicKey?: string, resolvedBy?: ApprovalResolvedBy) {
     this.data.approved[nodeId] = {
       nodeId,
@@ -518,8 +612,12 @@ export class PeerApprovalManager extends EventEmitter<PeerApprovalEvents> {
     mode: "notify" | "required",
     ip?: string,
   ) {
-    if (!this.channelApi || this.notifyTargets.length === 0) {
-      this.log(`sendNotifications: skipped (channelApi=${!!this.channelApi} targets=${this.notifyTargets.length})`);
+    if (!this.channelApi && !this.gatewaySend) {
+      this.log(`sendNotifications: skipped (no channelApi or gatewaySend)`);
+      return;
+    }
+    if (this.notifyTargets.length === 0) {
+      this.log(`sendNotifications: skipped (no targets)`);
       return;
     }
     this.log(`sendNotifications: sending to ${this.notifyTargets.length} targets`);
@@ -553,31 +651,40 @@ export class PeerApprovalManager extends EventEmitter<PeerApprovalEvents> {
 
     for (const target of this.notifyTargets) {
       try {
-        const channelObj = this.channelApi[target.channel];
-
-        // Convention: sendMessage{Channel} e.g. sendMessageTelegram
-        const capitalize = (s: string) => s.charAt(0).toUpperCase() + s.slice(1);
-        const methodName = `sendMessage${capitalize(target.channel)}`;
-        const sendFn = channelObj?.[methodName];
-
-        if (typeof sendFn === "function") {
-          // Direct channel API (built-in channels like telegram)
-          const opts: Record<string, unknown> = {
-            accountId: target.accountId,
-            messageThreadId: target.threadId,
-          };
-          if (mode === "required") {
-            opts.buttons = [
-              [
-                { text: "\u2705 Approve", callback_data: approveCmd },
-                { text: "\u274c Deny", callback_data: denyCmd },
-              ],
-            ];
+        let sent = false;
+
+        // Try direct channel API first (built-in channels like telegram)
+        if (this.channelApi) {
+          const channelObj = this.channelApi[target.channel];
+          const capitalize = (s: string) => s.charAt(0).toUpperCase() + s.slice(1);
+          const methodName = `sendMessage${capitalize(target.channel)}`;
+          const sendFn = channelObj?.[methodName];
+
+          if (typeof sendFn === "function") {
+            try {
+              const opts: Record<string, unknown> = {
+                accountId: target.accountId,
+                messageThreadId: target.threadId,
+              };
+              if (mode === "required") {
+                opts.buttons = [
+                  [
+                    { text: "\u2705 Approve", callback_data: approveCmd },
+                    { text: "\u274c Deny", callback_data: denyCmd },
+                  ],
+                ];
+              }
+              await sendFn(target.to, message, opts);
+              this.log(`sendNotifications: sent to ${target.channel}/${target.to} via channelApi`);
+              sent = true;
+            } catch (apiErr) {
+              this.log(`sendNotifications: channelApi failed for ${target.channel}/${target.to}: ${apiErr}, trying gatewaySend`);
+            }
           }
-          await sendFn(target.to, message, opts);
-          this.log(`sendNotifications: sent to ${target.channel}/${target.to} via channelApi`);
-        } else if (this.gatewaySend) {
-          // Fallback: gateway send method (works for all channels including plugins like feishu)
+        }
+
+        // Fallback: gateway send (works for all channels, more reliable)
+        if (!sent && this.gatewaySend) {
           await this.gatewaySend({
             to: target.to,
             message: mode === "required"
@@ -588,8 +695,11 @@ export class PeerApprovalManager extends EventEmitter<PeerApprovalEvents> {
             threadId: target.threadId != null ? String(target.threadId) : undefined,
           });
           this.log(`sendNotifications: sent to ${target.channel}/${target.to} via gatewaySend`);
-        } else {
-          this.log(`sendNotifications: no channelApi or gatewaySend for "${target.channel}"`);
+          sent = true;
+        }
+
+        if (!sent) {
+          this.log(`sendNotifications: no send method available for "${target.channel}"`);
         }
       } catch (err) {
         this.log(`sendNotifications: failed for ${target.channel}/${target.to}: ${err}`);
@@ -619,6 +729,11 @@ export class PeerApprovalManager extends EventEmitter<PeerApprovalEvents> {
   }
 
   destroy() {
+    // Clean up sentinel polling timers
+    for (const timer of this.sentinelTimers) {
+      clearInterval(timer);
+    }
+    this.sentinelTimers.clear();
     // Reject all pending approvals
     for (const pending of this.pending.values()) {
       pending.resolve("deny");

package/src/peer-manager.ts

@@ -59,6 +59,8 @@ export class PeerManager extends EventEmitter<PeerManagerEvents> {
   /** Map from ws WebSocket to remote IP (for audit logging on close). */
   private inboundIps = new Map<WsWebSocket, string>();
   private gossipDebounceTimer: ReturnType<typeof setTimeout> | null = null;
+  /** Latest connection per nodeId awaiting peer approval (updated on reconnect). */
+  private pendingApprovalConns = new Map<string, { conn: Connection; caps: NodeCapabilities }>();
   /** Persistent X25519 identity key pair (TOFU). See identity.ts for security model. */
   private identityKeyPair: KeyPair;
   private e2eeOptions: ConnectionE2eeOptions;
@@ -280,12 +282,26 @@ export class PeerManager extends EventEmitter<PeerManagerEvents> {
 
   // ── Outbound connections (standard WebSocket) ──────────────────
   private connectToPeer(peer: PeerConfig) {
-    if (this.stopped) return;
+    if (this.stopped) {
+      debug("peer", `connectToPeer(${peer.nodeId}): skipped (stopped)`);
+      return;
+    }
+
+    const attempt = this.reconnectAttempts.get(peer.nodeId) ?? 0;
+    debug("peer", `connectToPeer(${peer.nodeId}): attempt=${attempt} url=${peer.url}`);
 
     // Use a common WS subprotocol for traffic disguise
-    const ws = new WebSocket(peer.url, ["graphql-transport-ws"]);
+    let ws: WebSocket;
+    try {
+      ws = new WebSocket(peer.url, ["graphql-transport-ws"]);
+    } catch (err) {
+      debug("peer", `connectToPeer(${peer.nodeId}): WebSocket constructor threw: ${err}`);
+      this.scheduleReconnect(peer);
+      return;
+    }
 
     ws.addEventListener("open", () => {
+      debug("peer", `connectToPeer(${peer.nodeId}): ws open`);
       const conn = new Connection(
         ws,
         "outbound",
@@ -297,6 +313,7 @@ export class PeerManager extends EventEmitter<PeerManagerEvents> {
       conn.bindWebSocket(ws);
 
       conn.on("authenticated", (caps) => {
+        debug("peer", `connectToPeer(${peer.nodeId}): authenticated`);
         this.reconnectAttempts.delete(peer.nodeId);
         this.onPeerAuthenticated(conn, caps);
       });
@@ -314,17 +331,27 @@ export class PeerManager extends EventEmitter<PeerManagerEvents> {
       }
     };
 
-    ws.addEventListener("error", tryReconnect);
-    ws.addEventListener("close", tryReconnect);
+    ws.addEventListener("error", (ev) => {
+      debug("peer", `connectToPeer(${peer.nodeId}): ws error: ${(ev as ErrorEvent).message ?? "unknown"}`);
+      tryReconnect();
+    });
+    ws.addEventListener("close", (ev) => {
+      debug("peer", `connectToPeer(${peer.nodeId}): ws close code=${ev.code} reason=${ev.reason}`);
+      tryReconnect();
+    });
   }
 
   private scheduleReconnect(peer: PeerConfig) {
-    if (this.stopped) return;
+    if (this.stopped) {
+      debug("peer", `scheduleReconnect(${peer.nodeId}): skipped (stopped)`);
+      return;
+    }
     if (this.reconnectTimers.has(peer.nodeId)) return;
 
     const attempt = this.reconnectAttempts.get(peer.nodeId) ?? 0;
     const delay = Math.min(RECONNECT_BASE * 2 ** attempt, RECONNECT_MAX);
     this.reconnectAttempts.set(peer.nodeId, attempt + 1);
+    debug("peer", `scheduleReconnect(${peer.nodeId}): attempt=${attempt} delay=${delay}ms`);
 
     const timer = setTimeout(() => {
       this.reconnectTimers.delete(peer.nodeId);
@@ -360,8 +387,23 @@ export class PeerManager extends EventEmitter<PeerManagerEvents> {
         return;
       }
       if (check === "pending") {
+        // If already waiting for approval for this nodeId (remote side
+        // reconnected after auth timeout), just update the connection ref
+        // so the existing .then() handler acts on the latest connection.
+        // Do NOT call requestApproval again — that would register duplicate
+        // .then() handlers that all call completePeerJoin.
+        if (this.pendingApprovalConns.has(nodeId)) {
+          debug("approval", `reusing pending approval for ${nodeId}, updating conn ref`);
+          this.pendingApprovalConns.set(nodeId, { conn, caps });
+          if (this.config.peerApproval?.mode === "required") {
+            conn.on("close", () => this.onPeerDisconnected(conn));
+          }
+          return;
+        }
+
         // In notify mode, requestApproval auto-approves and sends notification.
         // In required mode, it waits for explicit approval.
+        this.pendingApprovalConns.set(nodeId, { conn, caps });
         this.approvalManager.requestApproval(
           nodeId,
           caps,
@@ -372,12 +414,16 @@ export class PeerManager extends EventEmitter<PeerManagerEvents> {
           peerPublicKey,
           ip,
         ).then((decision) => {
-          if (decision === "approve" && conn.isOpen) {
-            conn.completeAuth();
-            this.completePeerJoin(conn, caps);
-          } else if (conn.isOpen) {
+          const latest = this.pendingApprovalConns.get(nodeId);
+          this.pendingApprovalConns.delete(nodeId);
+          const activeConn = latest?.conn ?? conn;
+          const activeCaps = latest?.caps ?? caps;
+          if (decision === "approve" && activeConn.isOpen) {
+            activeConn.completeAuth();
+            this.completePeerJoin(activeConn, activeCaps);
+          } else if (activeConn.isOpen) {
             if (ip) this.approvalManager.recordIpDeny(ip);
-            conn.close(
+            activeConn.close(
               decision === "timeout" ? 4004 : 4005,
               decision === "timeout" ? "approval timeout" : "approval denied",
             );

package/src/tools/cluster-peers.ts

@@ -14,7 +14,9 @@ export function createClusterPeersTool(): AnyAgentTool {
     async execute() {
       try {
         const runtime = getClusterRuntime();
-        const allEntries = runtime.peerManager.router.getAllPeers();
+        const localNodeId = runtime.config.nodeId;
+        const allEntries = runtime.peerManager.router.getAllPeers()
+          .filter((e) => e.nodeId !== localNodeId && e.nodeId !== `${localNodeId}:sentinel`);
 
         // Separate sentinel peers from normal peers
         const sentinelSet = new Set<string>();
@@ -34,6 +36,8 @@ export function createClusterPeersTool(): AnyAgentTool {
             const sentinelStatus = sentinelEntry
               ? runtime.peerManager.router.getPeerStatus(sentinelEntry)
               : undefined;
+            const sentinelOnline = sentinelStatus === "direct" || sentinelStatus === "relay";
+            const effectiveStatus = status === "unreachable" && sentinelOnline ? "sentinel-only" : status;
 
             return {
               nodeId: entry.nodeId,
@@ -45,11 +49,10 @@ export function createClusterPeersTool(): AnyAgentTool {
               models: entry.models.map((m) => m.id),
               tags: entry.tags,
               tools: entry.toolProxy?.enabled ? (entry.toolProxy.allow ?? []) : [],
-              status,
+              status: effectiveStatus,
               latencyMs: entry.latencyMs,
-              // Sentinel info merged into the same row
               ...(hasSentinel ? {
-                sentinel: sentinelStatus === "direct" || sentinelStatus === "relay" ? "online" : "offline",
+                sentinel: sentinelOnline ? "online" : "offline",
               } : {}),
             };
           });
@@ -61,15 +64,16 @@ export function createClusterPeersTool(): AnyAgentTool {
           if (peers.some((p) => p.nodeId === mainNodeId)) continue;
           // Main node is gone, only sentinel remains
           const sentinelStatus = runtime.peerManager.router.getPeerStatus(entry);
+          const sentinelOnline = sentinelStatus === "direct" || sentinelStatus === "relay";
           peers.push({
             nodeId: mainNodeId,
             agents: [],
             models: [],
             tags: entry.tags.filter((t) => t !== "sentinel"),
             tools: [],
-            status: "unreachable",
+            status: sentinelOnline ? "sentinel-only" : "unreachable",
             latencyMs: entry.latencyMs,
-            sentinel: sentinelStatus === "direct" || sentinelStatus === "relay" ? "online" : "offline",
+            sentinel: sentinelOnline ? "online" : "offline",
           } as (typeof peers)[number]);
         }