hyperclaw 4.0.1 → 5.0.0

package/dist/run-main.js

@@ -1,17 +1,22 @@
 const require_chunk = require('./chunk-jS-bbMI5.js');
-const require_paths = require('./paths-AIyBxIzm.js');
-const require_paths$1 = require('./paths-DPovhojT.js');
-require('./env-resolve-BzDlV2CS.js');
-const require_onboard = require('./onboard-DnegOHMh.js');
-require('./server-CCI1hv45.js');
-require('./theme-LUTKWUWd.js');
-const require_manager = require('./manager-DWQSp1oL.js');
-const require_manager$1 = require('./manager-C4ZdCiPx.js');
-const require_memory = require('./memory-DvsoY6nv.js');
-const require_loader = require('./loader-BR-QFJOm.js');
-const require_pairing = require('./pairing-tNnYsLWG.js');
-const require_security = require('./security-CVzgwvDN.js');
-const require_developer_keys = require('./developer-keys-BNo6wlFV.js');
+require('./paths-AIyBxIzm.js');
+require('./paths-DPovhojT.js');
+require('./env-resolve-CmGWhWXJ.js');
+const require_onboard = require('./onboard-BXNXCQp4.js');
+require('./server-Dh3JlBFB.js');
+const require_daemon = require('./daemon-Bg4GtCmc.js');
+require('./theme-DcxwcUgZ.js');
+const require_hub = require('./hub-D0XwdjM-.js');
+const require_manager = require('./manager-rgCsaWT1.js');
+const require_manager$1 = require('./manager-03ipO9R0.js');
+const require_memory = require('./memory-DsS_eFvJ.js');
+const require_loader = require('./loader-CnEdOyjT.js');
+const require_agents_routing = require('./agents-routing-ChHiZp36.js');
+const require_pairing = require('./pairing-6iM27aD8.js');
+const require_doctor = require('./doctor-BvCe8BBk.js');
+const require_health = require('./health-Ds2YlpTB.js');
+const require_security = require('./security-tpgqPWWH.js');
+const require_developer_keys = require('./developer-keys-DrrcUqFa.js');
 const commander = require_chunk.__toESM(require("commander"));
 const chalk = require_chunk.__toESM(require("chalk"));
 const inquirer = require_chunk.__toESM(require("inquirer"));
@@ -19,507 +24,14 @@ const ora = require_chunk.__toESM(require("ora"));
 const fs_extra = require_chunk.__toESM(require("fs-extra"));
 const path = require_chunk.__toESM(require("path"));
 const os = require_chunk.__toESM(require("os"));
+const crypto = require_chunk.__toESM(require("crypto"));
 const child_process = require_chunk.__toESM(require("child_process"));
 const util = require_chunk.__toESM(require("util"));
 const http = require_chunk.__toESM(require("http"));
-const https = require_chunk.__toESM(require("https"));
-const readline = require_chunk.__toESM(require("readline"));
-const tar = require_chunk.__toESM(require("tar"));
 const fs = require_chunk.__toESM(require("fs"));
+const readline = require_chunk.__toESM(require("readline"));
 const net = require_chunk.__toESM(require("net"));
 
-//#region src/skills/clawhub.ts
-require_paths$1.init_paths();
-const CLAWHUB_API = process.env.CLAWHUB_API_URL || "https://clawhub.com";
-const WORKSPACE_SKILLS$1 = path.default.join(require_paths.getHyperClawDir(), "workspace", "skills");
-async function searchSkills(query, category) {
-	const q = new URLSearchParams({ q: query });
-	if (category) q.set("category", category);
-	const url = `${CLAWHUB_API}/api/skills/search?${q}`;
-	try {
-		const body = await fetchJson(url);
-		return Array.isArray(body.skills) ? body.skills : Array.isArray(body) ? body : [];
-	} catch (e) {
-		return [];
-	}
-}
-async function installSkill(skillId, version) {
-	const ver = version ? `@${version}` : "";
-	const url = `${CLAWHUB_API}/api/skills/${encodeURIComponent(skillId)}/download${ver}`;
-	try {
-		const body = await fetchJson(url);
-		const tarballUrl = body.url || body.tarball;
-		if (!tarballUrl) throw new Error("No download URL in registry response");
-		await fs_extra.default.ensureDir(WORKSPACE_SKILLS$1);
-		const destDir = path.default.join(WORKSPACE_SKILLS$1, skillId);
-		await fs_extra.default.ensureDir(destDir);
-		if (body.content || body.skillMarkdown) {
-			const content = body.content || body.skillMarkdown;
-			await fs_extra.default.writeFile(path.default.join(destDir, "SKILL.md"), content, "utf8");
-			return destDir;
-		}
-		const tarballBuffer = await fetchBuffer(tarballUrl);
-		const extractDir = path.default.join(path.default.dirname(destDir), `.skill-extract-${skillId}-${Date.now()}`);
-		await fs_extra.default.ensureDir(extractDir);
-		try {
-			const tarPath = path.default.join(extractDir, "skill.tar.gz");
-			await fs_extra.default.writeFile(tarPath, tarballBuffer);
-			await tar.default.x({
-				file: tarPath,
-				cwd: extractDir
-			});
-			await fs_extra.default.remove(tarPath);
-			const entries = await fs_extra.default.readdir(extractDir);
-			let skillDir = extractDir;
-			const topSkill = path.default.join(extractDir, "SKILL.md");
-			if (!await fs_extra.default.pathExists(topSkill)) {
-				const sub = entries.find((e) => e !== "package.json" && !e.startsWith("."));
-				if (sub) {
-					const subPath = path.default.join(extractDir, sub);
-					if ((await fs_extra.default.stat(subPath)).isDirectory() && await fs_extra.default.pathExists(path.default.join(subPath, "SKILL.md"))) skillDir = subPath;
-				}
-			}
-			await fs_extra.default.copy(skillDir, destDir, { filter: (src) => !src.includes("node_modules") });
-			if (!await fs_extra.default.pathExists(path.default.join(destDir, "SKILL.md"))) throw new Error("Tarball did not contain SKILL.md");
-			return destDir;
-		} finally {
-			await fs_extra.default.remove(extractDir).catch(() => {});
-		}
-	} catch (e) {
-		if (e.message?.includes("ENOTFOUND") || e.code === "ENOTFOUND") throw new Error(`ClawHub registry unavailable. Install manually: mkdir -p ~/.hyperclaw/workspace/skills/${skillId} && add SKILL.md`);
-		throw e;
-	}
-}
-async function listInstalledFromClawHub() {
-	if (!await fs_extra.default.pathExists(WORKSPACE_SKILLS$1)) return [];
-	const dirs = await fs_extra.default.readdir(WORKSPACE_SKILLS$1);
-	const out = [];
-	for (const id of dirs) {
-		const p = path.default.join(WORKSPACE_SKILLS$1, id, "SKILL.md");
-		if (await fs_extra.default.pathExists(p)) out.push(id);
-	}
-	return out;
-}
-function fetchBuffer(url) {
-	return new Promise((resolve, reject) => {
-		const parsed = new URL(url);
-		const mod = parsed.protocol === "https:" ? https.default : http.default;
-		const req = mod.request({
-			hostname: parsed.hostname,
-			port: parsed.port || (parsed.protocol === "https:" ? 443 : 80),
-			path: parsed.pathname + parsed.search,
-			method: "GET",
-			headers: { "User-Agent": "HyperClaw/4.0.1" }
-		}, (res) => {
-			const chunks = [];
-			res.on("data", (c) => chunks.push(c));
-			res.on("end", () => resolve(Buffer.concat(chunks)));
-		});
-		req.on("error", reject);
-		req.setTimeout(3e4, () => {
-			req.destroy();
-			reject(new Error("Tarball download timeout"));
-		});
-		req.end();
-	});
-}
-function fetchJson(url) {
-	return new Promise((resolve, reject) => {
-		const parsed = new URL(url);
-		const req = https.default.request({
-			hostname: parsed.hostname,
-			port: 443,
-			path: parsed.pathname + parsed.search,
-			method: "GET",
-			headers: { "User-Agent": "HyperClaw/4.0.1" }
-		}, (res) => {
-			let data = "";
-			res.on("data", (c) => data += c);
-			res.on("end", () => {
-				try {
-					resolve(JSON.parse(data));
-				} catch {
-					reject(new Error("Invalid JSON from registry"));
-				}
-			});
-		});
-		req.on("error", reject);
-		req.setTimeout(15e3, () => {
-			req.destroy();
-			reject(new Error("Timeout"));
-		});
-		req.end();
-	});
-}
-
-//#endregion
-//#region src/plugins/hub.ts
-require_paths$1.init_paths();
-const SKILL_REGISTRY = [
-	{
-		id: "web-search",
-		name: "Web Search (Tavily)",
-		version: "2.1.0",
-		description: "Real-time web search via Tavily API. Powers research and news queries.",
-		author: "hyperclaw-team",
-		category: "utility",
-		downloads: 48200,
-		rating: 4.8,
-		risk: "clean",
-		requiresKeys: ["TAVILY_API_KEY"],
-		tags: [
-			"search",
-			"internet",
-			"tavily"
-		]
-	},
-	{
-		id: "calendar",
-		name: "Google Calendar",
-		version: "1.4.0",
-		description: "Read and create Google Calendar events via OAuth.",
-		author: "hyperclaw-team",
-		category: "productivity",
-		downloads: 32100,
-		rating: 4.6,
-		risk: "clean",
-		requiresKeys: ["GOOGLE_CALENDAR_CREDS"],
-		tags: [
-			"calendar",
-			"schedule",
-			"google"
-		],
-		npmPackage: "googleapis"
-	},
-	{
-		id: "github",
-		name: "GitHub Integration",
-		version: "1.2.0",
-		description: "Create issues, PRs, read repos. Requires GitHub PAT.",
-		author: "hyperclaw-team",
-		category: "integration",
-		downloads: 27800,
-		rating: 4.7,
-		risk: "clean",
-		requiresKeys: ["GITHUB_TOKEN"],
-		tags: [
-			"github",
-			"git",
-			"code"
-		],
-		npmPackage: "@octokit/rest"
-	},
-	{
-		id: "home-assistant",
-		name: "Home Assistant",
-		version: "1.5.0",
-		description: "Control smart home devices via Home Assistant REST API.",
-		author: "hyperclaw-team",
-		category: "automation",
-		downloads: 19400,
-		rating: 4.5,
-		risk: "clean",
-		requiresKeys: ["HA_URL", "HA_TOKEN"],
-		tags: [
-			"smart-home",
-			"iot",
-			"automation"
-		]
-	},
-	{
-		id: "code-executor",
-		name: "Code Executor (Sandbox)",
-		version: "3.0.1",
-		description: "Execute Python/JS/Bash code in a sandboxed Docker container.",
-		author: "hyperclaw-team",
-		category: "utility",
-		downloads: 41e3,
-		rating: 4.9,
-		risk: "clean",
-		tags: [
-			"code",
-			"sandbox",
-			"python",
-			"bash"
-		],
-		npmPackage: "dockerode"
-	},
-	{
-		id: "translator",
-		name: "Real-time Translator",
-		version: "2.0.0",
-		description: "DeepL + Google Translate integration for 90+ languages.",
-		author: "hyperclaw-team",
-		category: "utility",
-		downloads: 38500,
-		rating: 4.7,
-		risk: "clean",
-		requiresKeys: ["DEEPL_API_KEY"],
-		tags: [
-			"translate",
-			"language",
-			"deepl"
-		],
-		installed: true
-	},
-	{
-		id: "reminders",
-		name: "Smart Reminders",
-		version: "2.1.0",
-		description: "Natural language reminders with cron scheduling.",
-		author: "hyperclaw-team",
-		category: "productivity",
-		downloads: 29e3,
-		rating: 4.6,
-		risk: "clean",
-		tags: [
-			"reminders",
-			"cron",
-			"schedule"
-		],
-		installed: true
-	},
-	{
-		id: "weather",
-		name: "Weather Forecast",
-		version: "1.3.0",
-		description: "OpenWeatherMap integration. Current + 7-day forecast.",
-		author: "hyperclaw-team",
-		category: "utility",
-		downloads: 22100,
-		rating: 4.4,
-		risk: "clean",
-		requiresKeys: ["OPENWEATHER_API_KEY"],
-		tags: ["weather", "forecast"]
-	},
-	{
-		id: "stealth-browser",
-		name: "Stealth Browser",
-		version: "1.0.3",
-		description: "Headless browser with fingerprint evasion. Can bypass bot detection.",
-		author: "unknown-dev",
-		category: "utility",
-		downloads: 3200,
-		rating: 3.1,
-		risk: "suspicious",
-		riskReason: "Fingerprint evasion may violate ToS on some sites. VirusTotal: 2/72 engines flagged.",
-		tags: [
-			"browser",
-			"puppeteer",
-			"stealth"
-		],
-		npmPackage: "puppeteer-extra-plugin-stealth"
-	},
-	{
-		id: "db-reader",
-		name: "Database Reader",
-		version: "1.1.0",
-		description: "Read from PostgreSQL/MySQL/SQLite databases.",
-		author: "hyperclaw-team",
-		category: "integration",
-		downloads: 15600,
-		rating: 4.5,
-		risk: "clean",
-		requiresKeys: ["DATABASE_URL"],
-		tags: [
-			"database",
-			"sql",
-			"postgres"
-		],
-		npmPackage: "pg"
-	},
-	{
-		id: "keylogger-util",
-		name: "Input Monitor Pro",
-		version: "0.9.1",
-		description: "Monitors keyboard events for automation triggers.",
-		author: "shadowy-scripts",
-		category: "automation",
-		downloads: 890,
-		rating: 1.8,
-		risk: "dangerous",
-		riskReason: "Detected keylogging behavior. VirusTotal: 31/72 engines flagged as malware.",
-		tags: ["keyboard", "monitor"]
-	}
-];
-const WORKSPACE_SKILLS = () => path.default.join(require_paths.getHyperClawDir(), "workspace", "skills");
-var SkillHub = class {
-	installed = /* @__PURE__ */ new Set();
-	/** Sync installed set from workspace disk (persisted installs). */
-	async refreshInstalledFromDisk() {
-		const ids = await listInstalledFromClawHub();
-		this.installed = new Set(ids);
-	}
-	/** Persist bundled skill to workspace so it survives restarts and is loaded by skill-loader. */
-	async persistBundledSkill(skill) {
-		const destDir = path.default.join(WORKSPACE_SKILLS(), skill.id);
-		await fs_extra.default.ensureDir(destDir);
-		const skillPath = path.default.join(destDir, "SKILL.md");
-		const repoSkillPath = path.default.join(process.cwd(), "skills", skill.id, "SKILL.md");
-		const altRepoPath = path.default.join(__dirname, "..", "..", "skills", skill.id, "SKILL.md");
-		if (await fs_extra.default.pathExists(repoSkillPath)) await fs_extra.default.copy(repoSkillPath, skillPath);
-		else if (await fs_extra.default.pathExists(altRepoPath)) await fs_extra.default.copy(altRepoPath, skillPath);
-		else {
-			const content = `# ${skill.name}\n\n${skill.description}\n\n## Usage\n\nWhen the user needs ${skill.description.toLowerCase()}, use this skill.${skill.requiresKeys?.length ? `\n\nRequires: ${skill.requiresKeys.join(", ")}` : ""}\n`;
-			await fs_extra.default.writeFile(skillPath, content, "utf8");
-		}
-		this.installed.add(skill.id);
-	}
-	async showHub(hideSuspicious = false) {
-		await this.refreshInstalledFromDisk();
-		console.log(chalk.default.bold.cyan("\n╔═══════════════════════════════════════════╗"));
-		console.log(chalk.default.bold.cyan("║           🧩 HYPERCLAW SKILL HUB          ║"));
-		console.log(chalk.default.bold.cyan("╚═══════════════════════════════════════════╝\n"));
-		const skills = hideSuspicious ? SKILL_REGISTRY.filter((s) => s.risk === "clean") : SKILL_REGISTRY;
-		for (const skill of skills) this.printSkillCard(skill);
-	}
-	printSkillCard(skill) {
-		const riskBadge = {
-			"clean": chalk.default.green("✔ CLEAN"),
-			"suspicious": chalk.default.yellow("⚠ SUSPICIOUS"),
-			"dangerous": chalk.default.red("✖ DANGEROUS")
-		}[skill.risk];
-		const instBadge = this.installed.has(skill.id) ? chalk.default.green("[installed]") : chalk.default.gray("[available]");
-		const stars = "★".repeat(Math.round(skill.rating)) + "☆".repeat(5 - Math.round(skill.rating));
-		console.log(`  ${chalk.default.bold(skill.name)} ${chalk.default.gray(`v${skill.version}`)} ${instBadge}`);
-		console.log(`  ${chalk.default.gray(skill.description)}`);
-		console.log(`  ${riskBadge}  ${chalk.default.yellow(stars)} ${chalk.default.gray(`${(skill.downloads / 1e3).toFixed(1)}k downloads`)}`);
-		if (skill.riskReason) console.log(`  ${chalk.default.yellow("⚠")} ${chalk.default.yellow(skill.riskReason)}`);
-		if (skill.requiresKeys?.length) console.log(`  🔑 Requires: ${chalk.default.cyan(skill.requiresKeys.join(", "))}`);
-		console.log();
-	}
-	async install(skillId, force = false) {
-		const skill = SKILL_REGISTRY.find((s) => s.id === skillId);
-		if (!skill) {
-			console.log(chalk.default.red(`❌ Skill not found: ${skillId}`));
-			return;
-		}
-		if (skill.risk === "dangerous" && !force) {
-			console.log(chalk.default.red(`\n🚨 DANGEROUS SKILL BLOCKED: ${skill.name}`));
-			console.log(chalk.default.red(`   ${skill.riskReason}`));
-			console.log(chalk.default.gray("   Use --force to override (NOT RECOMMENDED)\n"));
-			return;
-		}
-		if (skill.risk === "suspicious" && !force) {
-			console.log(chalk.default.yellow(`\n⚠️  SUSPICIOUS SKILL: ${skill.name}`));
-			console.log(chalk.default.yellow(`   ${skill.riskReason}`));
-			console.log(chalk.default.gray("   Use --force to install anyway\n"));
-			return;
-		}
-		const spinner = (0, ora.default)(`Installing ${skill.name}...`).start();
-		if (skill.npmPackage) {
-			spinner.text = `Installing npm package: ${skill.npmPackage}`;
-			await new Promise((r) => setTimeout(r, 800));
-		}
-		await this.persistBundledSkill(skill);
-		spinner.succeed(`${skill.name} installed ✓`);
-		if (skill.requiresKeys?.length) {
-			console.log(chalk.default.yellow(`\n📋 Required API keys to activate:`));
-			skill.requiresKeys.forEach((k) => {
-				console.log(chalk.default.cyan(`   hyperclaw config set-key ${k}`));
-			});
-		}
-		console.log();
-	}
-	async scan(skillId) {
-		const skill = SKILL_REGISTRY.find((s) => s.id === skillId);
-		if (!skill) return;
-		const spinner = (0, ora.default)(`Scanning ${skill.name}...`).start();
-		const stages = [
-			"Checking manifest...",
-			"Scanning for malicious patterns...",
-			"Checking VirusTotal...",
-			"Verifying author..."
-		];
-		for (const stage of stages) {
-			spinner.text = stage;
-			await new Promise((r) => setTimeout(r, 600));
-		}
-		const result = {
-			"clean": chalk.default.green("✅ All green — safe to install"),
-			"suspicious": chalk.default.yellow("⚠️  Suspicious patterns detected — proceed with caution"),
-			"dangerous": chalk.default.red("🚨 Malicious patterns detected — do NOT install")
-		}[skill.risk];
-		spinner.stop();
-		console.log(`\n🔬 Scan results for ${chalk.default.bold(skill.name)}:`);
-		console.log(`   ${result}`);
-		if (skill.riskReason) console.log(chalk.default.gray(`   Detail: ${skill.riskReason}`));
-		console.log();
-	}
-	async checkEligibility() {
-		const spinner = (0, ora.default)("Checking system eligibility...").start();
-		await new Promise((r) => setTimeout(r, 1e3));
-		spinner.succeed("Eligibility check complete");
-		console.log(chalk.default.green("\n✅ All installed skills are eligible on this system\n"));
-	}
-	async getInstalled() {
-		await this.refreshInstalledFromDisk();
-		const ids = this.installed;
-		const fromRegistry = SKILL_REGISTRY.filter((s) => ids.has(s.id));
-		const fromWorkspace = (await listInstalledFromClawHub()).filter((id) => !SKILL_REGISTRY.some((s) => s.id === id));
-		return [...fromRegistry, ...fromWorkspace.map((id) => ({
-			id,
-			name: id,
-			version: "0",
-			description: "",
-			author: "",
-			category: "utility",
-			downloads: 0,
-			rating: 0,
-			risk: "clean",
-			tags: []
-		}))];
-	}
-	/** ClawHub integration: search remote registry, fallback to bundled when remote unavailable */
-	async searchClawHub(query, category) {
-		let remote = await searchSkills(query, category);
-		if (remote.length === 0) {
-			const q = (query || "").toLowerCase();
-			const filtered = SKILL_REGISTRY.filter((s) => !q || s.id.includes(q) || s.name.toLowerCase().includes(q) || s.tags.some((t) => t.includes(q))).filter((s) => !category || s.category === category);
-			remote = filtered.map((s) => ({
-				id: s.id,
-				name: s.name,
-				author: s.author,
-				description: s.description,
-				rating: s.rating,
-				downloads: s.downloads,
-				version: s.version,
-				categories: [s.category]
-			}));
-		}
-		return remote;
-	}
-	/** ClawHub integration: install from remote registry */
-	async installFromClawHub(skillId, version) {
-		return installSkill(skillId, version);
-	}
-	/** ClawHub marketplace UX: unified browse (bundled + remote) */
-	async showMarketplace(opts) {
-		await this.refreshInstalledFromDisk();
-		const installedClawHub = await listInstalledFromClawHub();
-		const bundled = (opts?.hideSuspicious ? SKILL_REGISTRY.filter((s) => s.risk === "clean") : SKILL_REGISTRY).filter((s) => !opts?.category || s.category === opts.category);
-		console.log(chalk.default.bold.cyan("\n╔══════════════════════════════════════════════════════════╗"));
-		console.log(chalk.default.bold.cyan("║           🧩 CLAWHUB MARKETPLACE                         ║"));
-		console.log(chalk.default.bold.cyan("╚══════════════════════════════════════════════════════════╝\n"));
-		if (installedClawHub.length > 0) {
-			console.log(chalk.default.bold.green("  Installed (ClawHub):"));
-			installedClawHub.forEach((id) => console.log(chalk.default.gray(`    • ${id}`)));
-			console.log();
-		}
-		console.log(chalk.default.bold("  Bundled skills:"));
-		for (const skill of bundled) {
-			const inst = this.installed.has(skill.id) || installedClawHub.includes(skill.id);
-			const badge = inst ? chalk.default.green("✓ installed") : chalk.default.cyan("hyperclaw skill install " + skill.id);
-			const risk = skill.risk === "clean" ? "" : chalk.default.yellow(` [${skill.risk}]`);
-			console.log(`    ${chalk.default.bold(skill.name)} ${chalk.default.gray(`v${skill.version}`)} ${badge}${risk}`);
-			console.log(chalk.default.gray(`      ${skill.description}`));
-		}
-		console.log(chalk.default.gray("\n  Search remote: hyperclaw skill search <query>"));
-		console.log(chalk.default.gray("  Install:       hyperclaw skill install <id>\n"));
-	}
-};
-
-//#endregion
 //#region src/cli/dashboard.ts
 var Dashboard = class {
 	async launch(live) {
@@ -533,7 +45,7 @@ var Dashboard = class {
 	async drawDashboard() {
 		const cfg = await new require_onboard.ConfigStore().load();
 		const gm = new require_onboard.GatewayManager();
-		const hub = new SkillHub();
+		const hub = new require_hub.SkillHub();
 		const installed = await hub.getInstalled();
 		const port = cfg?.gateway?.port || 1515;
 		const agent = cfg?.identity?.agentName || "Hyper";
@@ -552,7 +64,7 @@ var Dashboard = class {
 			return c(`║ `) + content + " ".repeat(pad) + c(`║`);
 		};
 		console.log(c(`╔${line}╗`));
-		console.log(c(`║`) + chalk.default.bold.hex("#06b6d4")(`${"🦅 HYPERCLAW v4.0.1 — GATEWAY DASHBOARD".padStart(45).padEnd(w)}`) + c(`║`));
+		console.log(c(`║`) + chalk.default.bold.hex("#06b6d4")(`${"🦅 HYPERCLAW v5.0.0 — GATEWAY DASHBOARD".padStart(45).padEnd(w)}`) + c(`║`));
 		console.log(c(`╠${line}╣`));
 		console.log(row(`${statusDot} Gateway  ${statusText}   ${chalk.default.gray("│")}  ws://localhost:${port}   ${chalk.default.gray("│")}  Agent: ${c(agent)}`));
 		console.log(row(`${c("◆")} Model     ${chalk.default.gray(model.slice(0, 30))}   ${chalk.default.gray("│")}  User: ${c(user)}`));
@@ -633,7 +145,7 @@ async function recordAudio(outFile, seconds) {
 async function transcribeWhisper(filePath, lang) {
 	const apiKey = process.env.OPENAI_API_KEY || process.env.ANTHROPIC_API_KEY;
 	if (!apiKey) throw new Error("No OPENAI_API_KEY set");
-	const FormData = (await Promise.resolve().then(() => require_chunk.__toDynamicImportESM()(require("./form_data-fpopMWNo.js"))).catch(() => null))?.default;
+	const FormData = (await Promise.resolve().then(() => require_chunk.__toDynamicImportESM()(require("./form_data-Cz040rio.js"))).catch(() => null))?.default;
 	if (!FormData) throw new Error("form-data not installed");
 	const form = new FormData();
 	form.append("file", fs.createReadStream(filePath), {
@@ -778,281 +290,183 @@ var VoiceEngine = class {
 };
 
 //#endregion
-//#region src/routing/agents-routing.ts
-var AgentRouter = class {
-	stateFile;
-	agents = [];
-	constructor() {
-		this.stateFile = path.default.join(os.default.homedir(), ".hyperclaw", "agents.json");
-		this.load();
-	}
-	load() {
-		try {
-			this.agents = fs_extra.default.readJsonSync(this.stateFile);
-		} catch {
-			this.agents = [{
-				workspace: path.default.join(os.default.homedir(), ".hyperclaw", "workspace"),
-				name: "default",
-				model: void 0,
-				bindings: []
-			}];
-		}
+//#region src/infra/device-pairing.ts
+const DEVICES_DIR = path.default.join(os.default.homedir(), ".hyperclaw", "devices");
+const PENDING_FILE = path.default.join(DEVICES_DIR, "pending.json");
+const PAIRED_FILE = path.default.join(DEVICES_DIR, "paired.json");
+const PENDING_EXPIRY_MS = 10 * 60 * 1e3;
+const TOKEN_BYTES = 16;
+async function readPending() {
+	try {
+		const data = await fs_extra.default.readJson(PENDING_FILE);
+		return Array.isArray(data) ? data : [];
+	} catch {
+		return [];
 	}
-	save() {
-		fs_extra.default.ensureDirSync(path.default.dirname(this.stateFile));
-		fs_extra.default.writeJsonSync(this.stateFile, this.agents, { spaces: 2 });
+}
+async function writePending(entries) {
+	await fs_extra.default.ensureDir(DEVICES_DIR);
+	await fs_extra.default.writeJson(PENDING_FILE, entries, {
+		spaces: 2,
+		mode: 384
+	});
+}
+async function readPaired() {
+	try {
+		const data = await fs_extra.default.readJson(PAIRED_FILE);
+		return Array.isArray(data) ? data : [];
+	} catch {
+		return [];
 	}
-	listBindings() {
-		console.log(chalk.default.bold.cyan("\n  🦅 AGENT BINDINGS\n"));
-		if (this.agents.length === 0) {
-			console.log(chalk.default.gray("  No agents configured."));
-			return;
-		}
-		for (const agent of this.agents) {
-			console.log(`  ${chalk.default.bold(agent.name)}  ${chalk.default.gray(agent.workspace)}`);
-			if (agent.bindings.length === 0) console.log(`    ${chalk.default.gray("No channel bindings — receives from all channels")}`);
-			else for (const b of agent.bindings) {
-				const acct = b.accountId ? chalk.default.gray(`@${b.accountId}`) : chalk.default.gray("(all accounts)");
-				const role = b.role === "primary" ? chalk.default.green("[primary]") : chalk.default.gray("[secondary]");
-				console.log(`    ${chalk.default.cyan(b.channelId)} ${acct} ${role}`);
-			}
-			console.log();
-		}
+}
+async function writePaired(devices) {
+	await fs_extra.default.ensureDir(DEVICES_DIR);
+	await fs_extra.default.writeJson(PAIRED_FILE, devices, {
+		spaces: 2,
+		mode: 384
+	});
+}
+var DevicePairingStore = class {
+	/**
+	
+	* Creates a pending pairing request and returns:
+	
+	*   - requestId: show to user for approve/reject
+	
+	*   - setupCode: base64-encoded JSON {url, token} — send to device
+	
+	*/
+	async createRequest(gatewayUrl, opts) {
+		const now = Date.now();
+		const all = (await readPending()).filter((e) => new Date(e.expiresAt).getTime() > now);
+		const requestId = crypto.default.randomBytes(6).toString("hex");
+		const token = crypto.default.randomBytes(TOKEN_BYTES).toString("hex");
+		const expiresAt = new Date(now + PENDING_EXPIRY_MS).toISOString();
+		const entry = {
+			requestId,
+			token,
+			expiresAt,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+			...opts?.deviceName ? { deviceName: opts.deviceName } : {},
+			...opts?.platform ? { platform: opts.platform } : {}
+		};
+		all.push(entry);
+		await writePending(all);
+		const payload = {
+			url: gatewayUrl,
+			token
+		};
+		const setupCode = Buffer.from(JSON.stringify(payload)).toString("base64");
+		return {
+			requestId,
+			setupCode,
+			expiresAt
+		};
 	}
-	async bind() {
-		console.log(chalk.default.cyan("\n  Bind a channel to an agent workspace\n"));
-		const { channel, workspace, role } = await inquirer.default.prompt([
-			{
-				type: "input",
-				name: "channel",
-				message: "Channel ID (e.g. telegram, discord, slack):",
-				validate: (v) => v.trim().length > 0 || "Required"
-			},
-			{
-				type: "input",
-				name: "workspace",
-				message: "Agent workspace (directory or name):",
-				default: "default"
-			},
-			{
-				type: "list",
-				name: "role",
-				message: "Binding role:",
-				choices: [{
-					name: "primary — routes all traffic from this channel",
-					value: "primary"
-				}, {
-					name: "secondary — fallback if primary is busy",
-					value: "secondary"
-				}]
-			}
-		]);
-		let agent = this.agents.find((a) => a.name === workspace || a.workspace === workspace);
-		if (!agent) {
-			agent = {
-				workspace,
-				name: workspace,
-				bindings: []
-			};
-			this.agents.push(agent);
-		}
-		agent.bindings.push({
-			channelId: channel,
-			agentWorkspace: agent.workspace,
-			role,
-			createdAt: (/* @__PURE__ */ new Date()).toISOString()
-		});
-		this.save();
-		console.log(chalk.default.green(`\n  ✔  Bound ${channel} → ${workspace} (${role})\n`));
-	}
-	async unbind() {
-		const allBindings = [];
-		for (const agent of this.agents) for (const b of agent.bindings) allBindings.push({
-			agent: agent.name,
-			channel: b.channelId
-		});
-		if (allBindings.length === 0) {
-			console.log(chalk.default.gray("\n  No bindings to remove.\n"));
-			return;
-		}
-		const { toRemove } = await inquirer.default.prompt([{
-			type: "checkbox",
-			name: "toRemove",
-			message: "Select bindings to remove:",
-			choices: allBindings.map((b) => ({
-				name: `${b.channel} → ${b.agent}`,
-				value: b
-			}))
-		}]);
-		for (const { agent: agentName, channel } of toRemove) {
-			const agent = this.agents.find((a) => a.name === agentName);
-			if (agent) agent.bindings = agent.bindings.filter((b) => b.channelId !== channel);
+	async listPending() {
+		const now = Date.now();
+		const all = await readPending();
+		return all.filter((e) => new Date(e.expiresAt).getTime() > now);
+	}
+	async listPaired() {
+		return readPaired();
+	}
+	async approve(requestId) {
+		const now = Date.now();
+		const pending = await readPending();
+		const idx = pending.findIndex((e) => e.requestId === requestId && new Date(e.expiresAt).getTime() > now);
+		if (idx === -1) return null;
+		const entry = pending[idx];
+		pending.splice(idx, 1);
+		await writePending(pending);
+		const deviceId = `device-${crypto.default.randomBytes(4).toString("hex")}`;
+		const longToken = crypto.default.randomBytes(32).toString("hex");
+		const device = {
+			deviceId,
+			requestId: entry.requestId,
+			token: longToken,
+			pairedAt: (/* @__PURE__ */ new Date()).toISOString(),
+			...entry.deviceName ? { deviceName: entry.deviceName } : {},
+			...entry.platform ? { platform: entry.platform } : {}
+		};
+		const paired = await readPaired();
+		paired.push(device);
+		await writePaired(paired);
+		return device;
+	}
+	async reject(requestId) {
+		const pending = await readPending();
+		const idx = pending.findIndex((e) => e.requestId === requestId);
+		if (idx === -1) return false;
+		pending.splice(idx, 1);
+		await writePending(pending);
+		return true;
+	}
+	async unpair(deviceId) {
+		const paired = await readPaired();
+		const idx = paired.findIndex((d) => d.deviceId === deviceId);
+		if (idx === -1) return false;
+		paired.splice(idx, 1);
+		await writePaired(paired);
+		return true;
+	}
+	async verifyToken(token) {
+		const now = Date.now();
+		const pending = await readPending();
+		const pendingMatch = pending.find((e) => e.token === token && new Date(e.expiresAt).getTime() > now);
+		if (pendingMatch) return this.approve(pendingMatch.requestId);
+		const paired = await readPaired();
+		return paired.find((d) => d.token === token) ?? null;
+	}
+	async touchDevice(deviceId) {
+		const paired = await readPaired();
+		const device = paired.find((d) => d.deviceId === deviceId);
+		if (device) {
+			device.lastSeenAt = (/* @__PURE__ */ new Date()).toISOString();
+			await writePaired(paired);
 		}
-		this.save();
-		console.log(chalk.default.green(`\n  ✔  Removed ${toRemove.length} binding(s)\n`));
 	}
-};
-
-//#endregion
-//#region src/commands/doctor.ts
-async function isPortOpen(port) {
-	return new Promise((resolve) => {
-		const s = new net.default.Socket();
-		s.setTimeout(500);
-		s.on("connect", () => {
-			s.destroy();
-			resolve(true);
-		});
-		s.on("error", () => resolve(false));
-		s.on("timeout", () => resolve(false));
+	static parseSetupCode(setupCode) {
 		try {
-			s.connect(port, "127.0.0.1");
+			const json = Buffer.from(setupCode, "base64").toString("utf8");
+			const parsed = JSON.parse(json);
+			if (typeof parsed.url === "string" && typeof parsed.token === "string") return parsed;
+			return null;
 		} catch {
-			resolve(false);
+			return null;
 		}
-	});
-}
-async function runDoctor(fix = false) {
-	const spinner = (0, ora.default)("Running health checks...").start();
-	await new Promise((r) => setTimeout(r, 800));
-	spinner.stop();
-	const configDir = path.default.join(os.default.homedir(), ".hyperclaw");
-	const configFile = path.default.join(configDir, "config.json");
-	const agentsFile = path.default.join(configDir, "AGENTS.md");
-	const authFile = path.default.join(configDir, "auth.json");
-	const pairingFile = path.default.join(configDir, "pairing-store.json");
-	let cfg = null;
-	try {
-		cfg = fs_extra.default.readJsonSync(configFile);
-	} catch {}
-	const issues = [];
-	if (!cfg) issues.push({
-		id: "no-config",
-		severity: "error",
-		title: "No configuration found",
-		detail: "Run: hyperclaw init",
-		fixable: false
-	});
-	else {
-		const hasToken = !!cfg.gateway?.authToken;
-		issues.push({
-			id: "gateway-token",
-			severity: hasToken ? "ok" : "warn",
-			title: hasToken ? "Gateway auth token set" : "Gateway auth token missing",
-			detail: hasToken ? "Token is configured" : "Set a strong token in gateway config",
-			fixable: !hasToken,
-			fix: async () => {
-				const crypto = await import("crypto");
-				cfg.gateway = cfg.gateway || {};
-				cfg.gateway.authToken = crypto.randomBytes(32).toString("hex");
-				fs_extra.default.writeJsonSync(configFile, cfg, { spaces: 2 });
-				console.log(chalk.default.green("  ✔  Generated and saved gateway auth token"));
+	}
+	async showCLI() {
+		const now = Date.now();
+		const pending = (await readPending()).filter((e) => new Date(e.expiresAt).getTime() > now);
+		const paired = await readPaired();
+		console.log(chalk.default.bold.cyan("\n  📱 DEVICE PAIRING\n"));
+		if (pending.length > 0) {
+			console.log(chalk.default.yellow("  Pending requests:\n"));
+			for (const e of pending) {
+				const expiresIn = Math.round((new Date(e.expiresAt).getTime() - now) / 6e4);
+				const name = e.deviceName ? chalk.default.white(` "${e.deviceName}"`) : "";
+				const plat = e.platform ? chalk.default.gray(` (${e.platform})`) : "";
+				console.log(`  ${chalk.default.yellow("○")} ${chalk.default.bold(e.requestId)}${name}${plat}  ${chalk.default.gray(`expires in ${expiresIn}m`)}`);
 			}
-		});
-		const channels = cfg.channels || [];
-		const channelConfigs = cfg.channelConfigs || {};
-		for (const ch of channels) {
-			const dmPolicy = channelConfigs[ch]?.dmPolicy?.policy;
-			if (dmPolicy === "open") issues.push({
-				id: `dm-open-${ch}`,
-				severity: "warn",
-				title: `DM policy is "open" on ${ch}`,
-				detail: `Anyone can DM your agent on ${ch}. Consider using "pairing" or "allowlist".`,
-				fixable: false
-			});
-			if (dmPolicy === "allowlist") {
-				const allowFrom = channelConfigs[ch]?.dmPolicy?.allowFrom || [];
-				if (allowFrom.length === 0) issues.push({
-					id: `dm-empty-allowlist-${ch}`,
-					severity: "error",
-					title: `Empty allowlist on ${ch} — DMs will be silently dropped`,
-					detail: `channel.${ch}.dmPolicy.allowFrom is empty. Add users or change policy.`,
-					fixable: true,
-					fix: async () => {
-						try {
-							const pairingEntries = fs_extra.default.readJsonSync(pairingFile);
-							const approved = pairingEntries.filter((e) => e.channelId === ch && e.status === "approved" && e.userId);
-							if (approved.length > 0) {
-								channelConfigs[ch].dmPolicy.allowFrom = approved.map((e) => e.userId);
-								cfg.channelConfigs = channelConfigs;
-								fs_extra.default.writeJsonSync(configFile, cfg, { spaces: 2 });
-								console.log(chalk.default.green(`  ✔  Restored ${approved.length} user(s) from pairing store to ${ch} allowlist`));
-							}
-						} catch {}
-					}
-				});
+			console.log();
+		}
+		if (paired.length > 0) {
+			console.log(chalk.default.green("  Paired devices:\n"));
+			for (const d of paired) {
+				const name = d.deviceName ? chalk.default.white(` "${d.deviceName}"`) : "";
+				const plat = d.platform ? chalk.default.gray(` (${d.platform})`) : "";
+				const seen = d.lastSeenAt ? chalk.default.gray(`  last seen: ${new Date(d.lastSeenAt).toLocaleDateString()}`) : "";
+				console.log(`  ${chalk.default.green("●")} ${chalk.default.bold(d.deviceId)}${name}${plat}  ${chalk.default.gray(`paired: ${new Date(d.pairedAt).toLocaleDateString()}`)}${seen}`);
 			}
+			console.log();
 		}
-		const hasApiKey = !!cfg.provider?.apiKey;
-		const isLocal = cfg.provider?.providerId === "local";
-		if (!hasApiKey && !isLocal) issues.push({
-			id: "no-api-key",
-			severity: "error",
-			title: "No AI provider API key configured",
-			detail: "Run: hyperclaw config set-key",
-			fixable: false
-		});
-		else issues.push({
-			id: "api-key",
-			severity: "ok",
-			title: "AI provider key configured",
-			detail: `Provider: ${cfg.provider?.providerId}`,
-			fixable: false
-		});
-		issues.push({
-			id: "agents-md",
-			severity: await fs_extra.default.pathExists(agentsFile) ? "ok" : "warn",
-			title: await fs_extra.default.pathExists(agentsFile) ? "AGENTS.md exists" : "AGENTS.md missing",
-			detail: await fs_extra.default.pathExists(agentsFile) ? agentsFile : "Run: hyperclaw memory init to generate",
-			fixable: false
-		});
-		const port = cfg.gateway?.port || 1515;
-		const running = await isPortOpen(port);
-		issues.push({
-			id: "gateway-running",
-			severity: running ? "ok" : "warn",
-			title: running ? `Gateway running on port ${port}` : `Gateway not running on port ${port}`,
-			detail: running ? `ws://127.0.0.1:${port}` : "Run: hyperclaw daemon start",
-			fixable: false
-		});
-		if (await fs_extra.default.pathExists(authFile)) {
-			const stat = await fs_extra.default.stat(authFile);
-			const unsafe = (stat.mode & 63) !== 0;
-			issues.push({
-				id: "auth-permissions",
-				severity: unsafe ? "warn" : "ok",
-				title: unsafe ? "Auth store has unsafe permissions" : "Auth store permissions OK",
-				detail: unsafe ? `chmod 600 ${authFile}` : `Mode: 600`,
-				fixable: unsafe,
-				fix: async () => {
-					await fs_extra.default.chmod(authFile, 384);
-					console.log(chalk.default.green(`  ✔  Fixed permissions on ${authFile}`));
-				}
-			});
+		if (pending.length === 0 && paired.length === 0) {
+			console.log(chalk.default.gray("  No pending or paired devices."));
+			console.log(chalk.default.gray("  In Telegram, message your bot: /pair\n"));
 		}
 	}
-	console.log(chalk.default.bold.cyan("\n  🩺 HYPERCLAW DOCTOR\n"));
-	let errorCount = 0, warnCount = 0;
-	for (const issue of issues) {
-		const icon = {
-			error: chalk.default.red("✖"),
-			warn: chalk.default.yellow("⚠"),
-			ok: chalk.default.green("✔")
-		}[issue.severity];
-		console.log(`  ${icon} ${chalk.default.white(issue.title)}`);
-		console.log(`     ${chalk.default.gray(issue.detail)}`);
-		if (issue.fixable && fix && issue.fix) await issue.fix();
-		else if (issue.fixable && !fix) console.log(chalk.default.gray("     Run with --fix to auto-repair"));
-		if (issue.severity === "error") errorCount++;
-		if (issue.severity === "warn") warnCount++;
-		console.log();
-	}
-	const total = issues.length;
-	const okCount = total - errorCount - warnCount;
-	console.log(`  ${chalk.default.bold("Summary:")} ${chalk.default.green(`${okCount} ok`)}  ${chalk.default.yellow(`${warnCount} warnings`)}  ${chalk.default.red(`${errorCount} errors`)}`);
-	if (errorCount > 0 || warnCount > 0) console.log(chalk.default.gray("\n  Run: hyperclaw doctor --fix   to auto-repair fixable issues\n"));
-	else console.log(chalk.default.green("\n  ✔  All checks passed!\n"));
-}
+};
 
 //#endregion
 //#region src/commands/message-send.ts
@@ -1115,17 +529,28 @@ const CHANNELS = [
 		platforms: ["all"],
 		tokenLabel: "Telegram Bot Token",
 		tokenHint: "Get from @BotFather → /newbot",
+		extraFields: [{
+			name: "dmPolicy",
+			label: "DM policy",
+			hint: "pairing (default) | allowlist | open | disabled",
+			required: false
+		}, {
+			name: "groupActivation",
+			label: "Group activation",
+			hint: "mention (default) | always",
+			required: false
+		}],
 		setupSteps: [
-			"1. Open Telegram and search for @BotFather (the official bot for creating bots).",
-			"2. Start a conversation with /start and type /newbot to create a new bot.",
-			"3. Give the bot a name (e.g. \"My HyperClaw Bot\") and a username ending in \"bot\" (e.g. my_hyperclaw_bot).",
-			"4. @BotFather will send you the Bot Token — a string starting with 7xxxxxx:AAH... Keep it secret!",
-			"5. Copy the token and paste it below.",
+			"1. Open Telegram → @BotFather → /newbot. Save the token.",
+			"2. Config: channels.telegram.botToken, dmPolicy (default: pairing), groups.",
+			"3. Start gateway, approve first DM: hyperclaw pairing approve telegram <CODE>",
+			"4. Add bot to groups; set groups[\"*\"].requireMention for mention gating.",
 			"",
-			"  🔗 t.me/BotFather"
+			"  🔗 docs/telegram.md — full setup"
 		],
 		status: "recommended",
-		npmPackage: "node-telegram-bot-api"
+		npmPackage: "node-telegram-bot-api",
+		notes: "DMs + groups. Pairing, allowlist, voice notes. Long polling default."
 	},
 	{
 		id: "discord",
@@ -1137,23 +562,37 @@ const CHANNELS = [
 		tokenLabel: "Discord Bot Token",
 		tokenHint: "discord.com/developers/applications",
 		setupSteps: [
-			"1. Go to Discord Developer Portal: https://discord.com/developers/applications",
-			"2. Click \"New Application\", give it a name and create it.",
-			"3. Left menu: Bot → Add Bot.",
-			"4. Click \"Reset Token\" and copy the token (keep it secret!).",
-			"5. Settings → OAuth2 → General, copy the Application ID (Client ID).",
-			"6. Optional: To add the bot to a server, Bot → OAuth2 → URL Generator, scope: bot.",
+			"1. Discord Developer Portal → New Application → Bot → Reset Token.",
+			"2. Enable Message Content Intent (and Server Members if needed).",
+			"3. OAuth2 URL Generator: scope bot + applications.commands, permissions: View Channels, Send Messages, Read Message History.",
+			"4. Add bot to server, enable Developer Mode, copy Server ID and User ID.",
+			"5. Enable DMs from server members (right‑click server → Privacy Settings).",
+			"6. hyperclaw gateway → DM the bot → hyperclaw pairing approve discord <CODE>",
 			"",
-			"  🔗 discord.com/developers/applications"
+			"  🔗 docs/discord-setup.md — full setup guide"
+		],
+		extraFields: [
+			{
+				name: "listenGuildIds",
+				label: "Guild IDs to listen in",
+				hint: "[] = all. Add Server IDs to restrict.",
+				required: false
+			},
+			{
+				name: "requireMentionInGuild",
+				label: "Require @mention in guild",
+				hint: "true (default) | false",
+				required: false
+			},
+			{
+				name: "dmPolicy",
+				label: "DM policy",
+				hint: "\"pairing\" (default) | \"allowlist\" | \"open\" | \"none\"",
+				required: false
+			}
 		],
-		extraFields: [{
-			name: "clientId",
-			label: "Client ID (Application ID)",
-			hint: "From OAuth2 → General",
-			required: true
-		}],
 		status: "recommended",
-		npmPackage: "discord.js"
+		npmPackage: "ws"
 	},
 	{
 		id: "whatsapp",
@@ -1162,18 +601,38 @@ const CHANNELS = [
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "WhatsApp Business API key",
+		tokenLabel: "Access Token",
 		tokenHint: "business.whatsapp.com",
+		extraFields: [
+			{
+				name: "phoneNumberId",
+				label: "Phone Number ID",
+				hint: "From Meta API Setup",
+				required: true
+			},
+			{
+				name: "verifyToken",
+				label: "Webhook verify token",
+				hint: "Any string for webhook verification",
+				required: false
+			},
+			{
+				name: "dmPolicy",
+				label: "DM policy",
+				hint: "pairing (default) | allowlist | open | disabled",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Go to Meta for Developers: https://developers.facebook.com/",
-			"2. My Apps → Create App → Business type.",
-			"3. Add product: WhatsApp → Get started.",
-			"4. WhatsApp → API Setup: copy the Temporary access token or create a permanent one.",
-			"5. You also need a Phone Number ID and WhatsApp Business Account ID.",
+			"1. Meta for Developers → Create App → Business → Add WhatsApp.",
+			"2. API Setup: copy Phone Number ID and Access Token.",
+			"3. Webhook: https://<host>/webhook/whatsapp, subscribe to messages.",
+			"4. Start gateway. Approve DMs: hyperclaw pairing approve whatsapp <CODE>",
 			"",
-			"  🔗 developers.facebook.com — business.whatsapp.com"
+			"  🔗 docs/whatsapp.md — full setup"
 		],
 		status: "available",
+		notes: "Meta Business API. Webhook required.",
 		npmPackage: void 0
 	},
 	{
@@ -1183,42 +642,87 @@ const CHANNELS = [
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
+		extraFields: [{
+			name: "dmPolicy",
+			label: "DM policy",
+			hint: "pairing (default) | allowlist | open | disabled",
+			required: false
+		}],
 		setupSteps: [
-			"1. No Meta Business API needed — uses WhatsApp Web.",
-			"2. Make sure you have installed: npm install @whiskeysockets/baileys",
-			"3. Start the gateway. On first connection a QR code will appear.",
-			"4. Scan the QR with your phone (WhatsApp → Linked Devices → Link a device).",
-			"5. After connecting, the session is saved — no QR needed again.",
+			"1. No Meta API — uses WhatsApp Web. Install: npm install @whiskeysockets/baileys",
+			"2. hyperclaw channels add whatsapp-baileys, then hyperclaw gateway",
+			"3. Scan QR (WhatsApp → Linked Devices → Link a device)",
+			"4. Approve first DM: hyperclaw pairing approve whatsapp-baileys <CODE>",
 			"",
-			"  📖 docs: github.com/WhiskeySockets/Baileys"
+			"  🔗 docs/whatsapp.md — full setup"
 		],
 		status: "available",
-		notes: "WhatsApp Web via Baileys — no Meta Business. Scan QR on first run.",
+		notes: "WhatsApp Web via Baileys. No Meta Business. Pairing, voice notes.",
 		npmPackage: "@whiskeysockets/baileys"
 	},
 	{
 		id: "slack",
 		name: "Slack",
 		emoji: "💼",
-		requiresGateway: false,
+		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
 		tokenLabel: "Slack Bot Token (xoxb-...)",
-		extraFields: [{
-			name: "signingSecret",
-			label: "Signing Secret",
-			required: true
-		}],
+		extraFields: [
+			{
+				name: "appToken",
+				label: "App Token (xapp-...)",
+				hint: "Required for Socket Mode (default) — connections:write scope",
+				required: false
+			},
+			{
+				name: "signingSecret",
+				label: "Signing Secret",
+				hint: "Required for HTTP Events API mode only",
+				required: false
+			},
+			{
+				name: "mode",
+				label: "Connection mode",
+				hint: "socket (default) | http",
+				required: false
+			},
+			{
+				name: "userToken",
+				label: "User Token (xoxp-...)",
+				hint: "Optional — for read operations",
+				required: false
+			},
+			{
+				name: "ackReaction",
+				label: "Ack reaction emoji",
+				hint: "Shortcode without colons, e.g. eyes",
+				required: false
+			},
+			{
+				name: "typingReaction",
+				label: "Typing reaction emoji",
+				hint: "Shortcode, e.g. hourglass_flowing_sand",
+				required: false
+			}
+		],
 		setupSteps: [
 			"1. Go to api.slack.com/apps → Create New App → From scratch.",
-			"2. Give it a name and choose a workspace.",
-			"3. OAuth & Permissions: Add Bot Token Scopes (chat:write, users:read, im:read, im:history, etc.).",
-			"4. Install App to workspace — copy the \"Bot User OAuth Token\" (starts with xoxb-).",
-			"5. Basic Information → App Credentials → Signing Secret — copy it.",
+			"2. Socket Mode (default — no public URL needed):",
+			"   a. Settings → Socket Mode → Enable Socket Mode.",
+			"   b. Settings → Basic Information → App-Level Tokens → Generate Token (connections:write) → copy xapp-...",
+			"   c. OAuth & Permissions: add bot scopes (chat:write, im:read, im:history, channels:history, etc.).",
+			"   d. Install App → copy Bot Token (xoxb-...).",
+			"3. HTTP mode (alternative):",
+			"   a. Event Subscriptions → Request URL: https://<host>/webhook/slack.",
+			"   b. Basic Information → Signing Secret — copy it.",
+			"4. Subscribe to bot events: app_mention, message.im, message.channels, message.groups, message.mpim, reaction_added.",
+			"5. App Home → Messages Tab → Enable.",
 			"",
 			"  🔗 api.slack.com/apps"
 		],
-		status: "available",
+		status: "recommended",
+		notes: "Socket Mode (default) requires appToken. HTTP mode requires signingSecret. Supports DMs, channels, threads, reactions, streaming.",
 		npmPackage: "@slack/bolt"
 	},
 	{
@@ -1228,38 +732,160 @@ const CHANNELS = [
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["linux", "darwin"],
-		tokenLabel: "Signal phone number",
-		tokenHint: "Requires signal-cli installed",
+		tokenLabel: "Bot phone number (E.164)",
+		tokenHint: "e.g. +15551234567 — use a dedicated bot number",
 		setupSteps: [
 			"1. Install signal-cli: https://github.com/AsamK/signal-cli",
-			"2. Register number: signal-cli -a +1XXXXXXXXX register",
-			"3. Verify electronically (if available) or via SMS code.",
-			"4. Enter your phone number here (e.g. +1XXXXXXXXX).",
 			"",
-			"  🔗 github.com/AsamK/signal-cli"
+			"  Path A — Link existing Signal account (QR):",
+			"    signal-cli link -n \"HyperClaw\"  then scan in Signal.",
+			"",
+			"  Path B — Register dedicated bot number (SMS):",
+			"    signal-cli -a +<BOT_NUMBER> register",
+			"    signal-cli -a +<BOT_NUMBER> register --captcha '<URL>'  (if captcha required)",
+			"    signal-cli -a +<BOT_NUMBER> verify <CODE>",
+			"",
+			"2. Set account: \"+<BOT_NUMBER>\" in config.",
+			"3. autoStart=true (default) spawns daemon automatically.",
+			"   Or run daemon yourself and set httpUrl: \"http://127.0.0.1:8080\".",
+			"",
+			"  Access control:",
+			"    dmPolicy=pairing (default) — senders get pairing code (expires 1h)",
+			"    groupPolicy=allowlist (default) — only groupAllowFrom senders trigger bot",
+			"",
+			"  Chunking: textChunkLimit=4000, chunkMode=length|newline",
+			"  Reactions: actions.reactions=true, reactionLevel=off|ack|minimal|extensive",
+			"",
+			"  🔗 github.com/AsamK/signal-cli",
+			"  🔗 github.com/AsamK/signal-cli/wiki/Registration-with-captcha"
+		],
+		extraFields: [
+			{
+				name: "account",
+				label: "Bot number (E.164)",
+				hint: "+15551234567",
+				required: true
+			},
+			{
+				name: "cliPath",
+				label: "signal-cli path",
+				hint: "signal-cli (if on PATH)",
+				required: false
+			},
+			{
+				name: "httpUrl",
+				label: "Daemon URL (external)",
+				hint: "http://127.0.0.1:8080 — skips autoStart",
+				required: false
+			},
+			{
+				name: "httpPort",
+				label: "Daemon port",
+				hint: "8080 (default)",
+				required: false
+			},
+			{
+				name: "autoStart",
+				label: "Auto-spawn daemon",
+				hint: "true (default) / false",
+				required: false
+			},
+			{
+				name: "startupTimeoutMs",
+				label: "Startup timeout (ms)",
+				hint: "15000 default, max 120000",
+				required: false
+			},
+			{
+				name: "dmPolicy",
+				label: "DM policy",
+				hint: "\"pairing\" (default) | \"allowlist\" | \"open\" | \"disabled\"",
+				required: false
+			},
+			{
+				name: "groupPolicy",
+				label: "Group policy",
+				hint: "\"allowlist\" (default) | \"open\" | \"disabled\"",
+				required: false
+			},
+			{
+				name: "textChunkLimit",
+				label: "Text chunk limit (chars)",
+				hint: "4000 default",
+				required: false
+			},
+			{
+				name: "chunkMode",
+				label: "Chunk mode",
+				hint: "\"length\" (default) | \"newline\"",
+				required: false
+			}
 		],
 		status: "available",
-		notes: "Requires signal-cli to be installed and registered"
+		notes: "signal-cli HTTP daemon + SSE events. DMs, groups, typing, reactions, chunking, multi-account."
 	},
 	{
 		id: "imessage",
-		name: "iMessage",
+		name: "iMessage (BlueBubbles)",
 		emoji: "💬",
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["darwin"],
+		tokenLabel: "BlueBubbles server URL",
+		extraFields: [{
+			name: "password",
+			label: "BlueBubbles password",
+			hint: "Set in BlueBubbles server settings",
+			required: true
+		}, {
+			name: "dmPolicy",
+			label: "DM policy",
+			hint: "pairing (default) | allowlist | open | disabled",
+			required: false
+		}],
 		setupSteps: [
-			"1. macOS only. You need BlueBubbles (bluebubbles.app) or Beeper bridge.",
-			"2. BlueBubbles: install on Mac, check server URL and API key.",
-			"3. Or Beeper: connect to iMessage via Beeper desktop app.",
-			"4. Set server URL and token in the channel configuration.",
+			"1. macOS only. Install BlueBubbles server: bluebubbles.app",
+			"2. BlueBubbles → Settings: enable web API, set password, note Server URL.",
+			"3. Add channel (imessage or bluebubbles), enter serverUrl + password.",
+			"4. hyperclaw gateway → hyperclaw pairing approve bluebubbles <CODE>",
 			"",
-			"  🔗 bluebubbles.app — beeper.com"
+			"  🔗 docs/bluebubbles.md — bluebubbles.app"
 		],
-		status: os.default.platform() === "darwin" ? "available" : "unavailable",
-		notes: "macOS only — uses BlueBubbles or Beeper bridge",
+		status: os.default.platform() === "darwin" ? "recommended" : "unavailable",
+		notes: "BlueBubbles server on Mac. DMs, pairing. Groups planned.",
 		npmPackage: "bluebubbles-api"
 	},
+	{
+		id: "imessage-native",
+		name: "iMessage (imsg CLI — legacy)",
+		emoji: "💬",
+		requiresGateway: true,
+		supportsDM: true,
+		platforms: ["darwin"],
+		extraFields: [{
+			name: "cliPath",
+			label: "imsg binary path",
+			hint: "Default: imsg (must be in PATH)",
+			required: false
+		}, {
+			name: "dbPath",
+			label: "Messages DB path",
+			hint: "Default: ~/Library/Messages/chat.db",
+			required: false
+		}],
+		setupSteps: [
+			"1. macOS only. Install imsg: brew install steipete/tap/imsg",
+			"2. Verify: imsg rpc --help",
+			"3. Grant Full Disk Access + Automation to Terminal/Node (one-time: imsg chats --limit 1).",
+			"4. No token needed — imsg runs locally via JSON-RPC on stdio.",
+			"5. (Optional) Set cliPath if imsg is not in PATH.",
+			"",
+			"  ⚠️  Legacy integration — for new setups use iMessage (BlueBubbles)",
+			"  🔗 github.com/steipete/imsg"
+		],
+		status: os.default.platform() === "darwin" ? "available" : "unavailable",
+		notes: "Legacy — gateway spawns imsg rpc over JSON-RPC stdio. For new setups prefer BlueBubbles."
+	},
 	{
 		id: "matrix",
 		name: "Matrix",
@@ -1267,26 +893,84 @@ const CHANNELS = [
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: void 0,
-		extraFields: [{
-			name: "homeserver",
-			label: "Homeserver URL",
-			hint: "e.g. https://matrix.org",
-			required: true
-		}, {
-			name: "accessToken",
-			label: "Access Token",
-			required: true
-		}],
+		tokenLabel: "Access Token (syt_...)",
+		tokenHint: "Or set userId + password instead",
+		extraFields: [
+			{
+				name: "homeserver",
+				label: "Homeserver URL",
+				hint: "e.g. https://matrix.example.org",
+				required: true
+			},
+			{
+				name: "accessToken",
+				label: "Access Token (syt_...)",
+				hint: "Preferred; userId auto-fetched via /whoami",
+				required: false
+			},
+			{
+				name: "userId",
+				label: "Matrix User ID",
+				hint: "@bot:example.org — required only for password login",
+				required: false
+			},
+			{
+				name: "password",
+				label: "Password (alternative to token)",
+				hint: "Token cached to credentials file on first login",
+				required: false
+			},
+			{
+				name: "deviceName",
+				label: "Device display name",
+				hint: "Shown in Matrix clients",
+				required: false
+			},
+			{
+				name: "encryption",
+				label: "Enable E2EE",
+				hint: "true | false — requires crypto native module",
+				required: false
+			},
+			{
+				name: "threadReplies",
+				label: "Thread replies",
+				hint: "off | inbound (default) | always",
+				required: false
+			},
+			{
+				name: "textChunkLimit",
+				label: "Text chunk limit (chars)",
+				hint: "Default: 16000",
+				required: false
+			},
+			{
+				name: "mediaMaxMb",
+				label: "Media size limit (MB)",
+				hint: "Default: 10",
+				required: false
+			},
+			{
+				name: "autoJoin",
+				label: "Auto-join invites",
+				hint: "always (default) | allowlist | off",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Create a bot account on matrix.org or another homeserver.",
-			"2. Access token: Element/SchildiChat → Settings → Help & About → Access Token.",
-			"3. Or via API: POST /_matrix/client/r0/login with type=m.login.password.",
-			"4. Homeserver URL: https://matrix.org or your server URL.",
+			"1. Create a Matrix bot account on any homeserver (matrix.org has free accounts).",
+			"2. Get an access token via the login API:",
+			"     curl -X POST https://<homeserver>/_matrix/client/v3/login \\",
+			"       -H \"Content-Type: application/json\" \\",
+			"       -d '{\"type\":\"m.login.password\",\"identifier\":{\"type\":\"m.id.user\",\"user\":\"<username>\"},\"password\":\"<password>\"}'",
+			"   Or set userId + password — HyperClaw will call the login API and cache the token.",
+			"3. Invite the bot account to a room or DM it from any Matrix client (Element, Beeper, etc.).",
+			"4. For Beeper, enable E2EE: set encryption: true and verify the device in Element.",
 			"",
-			"  🔗 matrix.org — element.io"
+			"  🔗 matrix.org/ecosystem/hosting/ — element.io"
 		],
 		status: "available",
+		notes: "Supports DMs, rooms, threads, media, reactions, polls, location, E2EE, multi-account.",
 		npmPackage: "matrix-js-sdk"
 	},
 	{
@@ -1300,25 +984,81 @@ const CHANNELS = [
 		extraFields: [
 			{
 				name: "server",
-				label: "Server",
+				label: "Server (IRC_HOST)",
 				hint: "e.g. irc.libera.chat",
 				required: true
 			},
+			{
+				name: "port",
+				label: "Port (IRC_PORT)",
+				hint: "Default: 6697 (TLS) or 6667",
+				required: false
+			},
+			{
+				name: "tls",
+				label: "TLS (IRC_TLS)",
+				hint: "true / false — default: false",
+				required: false
+			},
 			{
 				name: "nick",
-				label: "Nickname",
+				label: "Nickname (IRC_NICK)",
 				required: true
 			},
+			{
+				name: "username",
+				label: "Username / ident (IRC_USERNAME)",
+				required: false
+			},
+			{
+				name: "realname",
+				label: "Real name (IRC_REALNAME)",
+				required: false
+			},
+			{
+				name: "password",
+				label: "Server password (IRC_PASSWORD)",
+				hint: "Not NickServ — leave blank if none",
+				required: false
+			},
 			{
 				name: "channels",
-				label: "Default channels (#room)",
+				label: "Channels to join (IRC_CHANNELS)",
+				hint: "#room1,#room2",
+				required: false
+			},
+			{
+				name: "nickservPassword",
+				label: "NickServ password (IRC_NICKSERV_PASSWORD)",
+				hint: "Identify after connect",
+				required: false
+			},
+			{
+				name: "groupPolicy",
+				label: "Group policy",
+				hint: "\"allowlist\" (default) or \"open\"",
+				required: false
+			},
+			{
+				name: "dmPolicy",
+				label: "DM policy",
+				hint: "\"pairing\" (default) | \"allowlist\" | \"open\"",
 				required: false
 			}
 		],
 		setupSteps: [
 			"1. Choose an IRC server (e.g. irc.libera.chat, irc.oftc.net).",
-			"2. You need a nickname for the bot and optionally a channel to join.",
-			"3. Some servers require authentication before /join.",
+			"2. Set a nickname for the bot and the channels it should join.",
+			"3. Enable TLS (recommended): set port 6697 and tls: true.",
+			"4. If your nick is registered, set nickservPassword to auto-identify.",
+			"5. Access control defaults: groupPolicy=allowlist (bot only replies in",
+			"   configured groups), dmPolicy=pairing (new DMs need pairing approval).",
+			"6. To allow everyone in a channel without mention, set per-channel:",
+			"   groups[\"#mychan\"].requireMention = false, allowFrom = [\"*\"].",
+			"",
+			"  Env vars: IRC_HOST IRC_PORT IRC_TLS IRC_NICK IRC_USERNAME",
+			"            IRC_REALNAME IRC_PASSWORD IRC_CHANNELS",
+			"            IRC_NICKSERV_PASSWORD IRC_NICKSERV_REGISTER_EMAIL",
 			"",
 			"  🔗 libera.chat — oftc.net"
 		],
@@ -1332,31 +1072,71 @@ const CHANNELS = [
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "Personal Access Token (or Bot token)",
-		tokenHint: "Account Settings > Security > Personal Access Tokens",
+		tokenLabel: "Bot Token (MATTERMOST_BOT_TOKEN)",
+		tokenHint: "System Console → Integrations → Bot Accounts → Add Bot Account",
 		setupSteps: [
-			"1. In Mattermost: Profile → Account Settings → Security → Personal Access Tokens.",
-			"2. Create token — copy it (not shown again).",
-			"3. Integrations → Outgoing Webhooks → Add outgoing webhook.",
-			"4. Note the webhook URL and Trigger Word. The webhook token is needed for verification.",
-			"5. Webhook URL for gateway: https://<gateway>/webhook/mattermost",
+			"1. Create a Bot Account: System Console → Integrations → Bot Accounts → Add Bot Account.",
+			"2. Copy the bot token shown after creation (not shown again).",
+			"3. Note your Mattermost base URL (e.g. https://chat.example.com).",
+			"4. The connector uses WebSocket events — no outgoing webhook needed.",
+			"5. For slash commands: set commands.native=true and expose callbackUrl.",
+			"6. For buttons: add capabilities: [\"inlineButtons\"] and set interactions.callbackBaseUrl.",
+			"",
+			"  Env vars: MATTERMOST_BOT_TOKEN  MATTERMOST_URL",
 			"",
-			"  🔗 docs.mattermost.com"
+			"  Chat modes:",
+			"    oncall (default) — reply only when @mentioned",
+			"    onmessage        — reply to every channel message",
+			"    onchar           — reply when message starts with a prefix (e.g. \">\", \"!\")",
+			"",
+			"  Access control:",
+			"    dmPolicy=pairing (default) | allowlist | open | none",
+			"    groupPolicy=allowlist (default) | open",
+			"    groupAllowFrom=[userId1, ...] — sender gate for channels",
+			"",
+			"  🔗 docs.mattermost.com — mattermost.com"
+		],
+		extraFields: [
+			{
+				name: "baseUrl",
+				label: "Base URL (MATTERMOST_URL)",
+				hint: "https://chat.example.com",
+				required: true
+			},
+			{
+				name: "chatmode",
+				label: "Chat mode",
+				hint: "\"oncall\" (default) | \"onmessage\" | \"onchar\"",
+				required: false
+			},
+			{
+				name: "oncharPrefixes",
+				label: "onchar prefixes",
+				hint: ">, ! (comma-separated, for chatmode=onchar)",
+				required: false
+			},
+			{
+				name: "dmPolicy",
+				label: "DM policy",
+				hint: "\"pairing\" (default) | \"open\" | \"allowlist\" | \"none\"",
+				required: false
+			},
+			{
+				name: "groupPolicy",
+				label: "Group policy",
+				hint: "\"allowlist\" (default) | \"open\"",
+				required: false
+			},
+			{
+				name: "capabilities",
+				label: "Capabilities",
+				hint: "\"inlineButtons\" — comma-separated",
+				required: false
+			}
 		],
-		extraFields: [{
-			name: "serverUrl",
-			label: "Server URL",
-			hint: "https://mattermost.example.com",
-			required: true
-		}, {
-			name: "webhookToken",
-			label: "Outgoing Webhook Token",
-			hint: "From Integrations > Outgoing Webhook",
-			required: true
-		}],
 		status: "available",
-		notes: "Requires Outgoing Webhook + PAT. Webhook URL: /webhook/mattermost",
-		npmPackage: "@mattermost/client"
+		notes: "WebSocket + REST. Supports DMs, channels, buttons, reactions, slash commands, multi-account.",
+		npmPackage: "ws"
 	},
 	{
 		id: "googlechat",
@@ -1379,18 +1159,27 @@ const CHANNELS = [
 		id: "msteams",
 		name: "Microsoft Teams",
 		emoji: "🟣",
-		requiresGateway: false,
-		supportsDM: false,
+		requiresGateway: true,
+		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "Teams incoming webhook URL",
+		tokenLabel: "App ID (Azure Bot)",
+		extraFields: [{
+			name: "appPassword",
+			label: "App Password (client secret)",
+			hint: "From Azure Bot → Manage → Certificates & secrets",
+			required: true
+		}],
 		setupSteps: [
-			"1. In Teams: Channel → Connectors → Incoming Webhook → Configure.",
-			"2. Give it a name and copy the Webhook URL.",
-			"3. Paste the URL below.",
+			"1. Create an Azure Bot: portal.azure.com → Create a resource → Azure Bot",
+			"2. Type of App: Single Tenant. Create new Microsoft App ID.",
+			"3. Configuration → copy App ID. Manage → Certificates & secrets → New client secret → copy Value (appPassword).",
+			"4. Channels → Microsoft Teams → Configure. Set Messaging endpoint: https://<your-host>/webhook/msteams",
+			"5. Build a Teams app manifest with botId = App ID. Upload to Teams.",
 			"",
-			"  🔗 docs.microsoft.com/microsoftteams/platform/webhooks-and-connectors"
+			"  🔗 docs/msteams.md — full setup guide"
 		],
-		status: "available"
+		status: "available",
+		notes: "Bot Framework. Text + DM. Channel/group files require Graph + SharePoint."
 	},
 	{
 		id: "nostr",
@@ -1420,24 +1209,61 @@ const CHANNELS = [
 		id: "line",
 		name: "LINE",
 		emoji: "🟩",
-		requiresGateway: false,
+		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
 		tokenLabel: "LINE Channel access token",
-		extraFields: [{
-			name: "secret",
-			label: "Channel Secret",
-			required: true
-		}],
+		extraFields: [
+			{
+				name: "channelSecret",
+				label: "Channel Secret",
+				hint: "From LINE Developers Console → Basic settings",
+				required: true
+			},
+			{
+				name: "tokenFile",
+				label: "Token file path (optional)",
+				hint: "Alternative to pasting token directly",
+				required: false
+			},
+			{
+				name: "secretFile",
+				label: "Secret file path (optional)",
+				hint: "Alternative to pasting secret directly",
+				required: false
+			},
+			{
+				name: "webhookPath",
+				label: "Webhook path",
+				hint: "Default: /line/webhook",
+				required: false
+			},
+			{
+				name: "mediaMaxMb",
+				label: "Media download limit (MB)",
+				hint: "Default: 10",
+				required: false
+			},
+			{
+				name: "groupPolicy",
+				label: "Group policy",
+				hint: "open | allowlist | disabled (default: allowlist)",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Go to developers.line.biz → Console → Create provider & channel.",
-			"2. Messaging API channel → Configure Basic settings.",
-			"3. Channel access token: Issue or Regenerate — copy it.",
-			"4. Channel secret: from Basic settings — copy it.",
+			"1. Go to developers.line.biz → Console → Create provider & Messaging API channel.",
+			"2. Channel access token: Issue or Regenerate — copy it.",
+			"3. Channel secret: from Basic settings — copy it.",
+			"4. Enable \"Use webhook\" in Messaging API settings.",
+			"5. Set webhook URL (HTTPS required):",
+			"     https://<gateway-host>/line/webhook",
+			"6. Paste token + secret below.",
 			"",
 			"  🔗 developers.line.biz"
 		],
 		status: "available",
+		notes: "Webhook receiver. Supports DMs, groups, media, Flex messages, quick replies, locations.",
 		npmPackage: "@line/bot-sdk"
 	},
 	{
@@ -1465,27 +1291,68 @@ const CHANNELS = [
 	{
 		id: "synology-chat",
 		name: "Synology Chat",
-		emoji: "💬",
+		emoji: "💬",
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "Incoming Webhook URL",
-		tokenHint: "Synology Chat incoming webhook URL",
-		extraFields: [{
-			name: "outgoingToken",
-			label: "Outgoing Webhook Token",
-			hint: "Optional verification token",
-			required: false
-		}],
+		tokenLabel: "Outgoing Webhook Token (SYNOLOGY_CHAT_TOKEN)",
+		tokenHint: "From Synology Chat Integrations Outgoing Webhook",
+		extraFields: [
+			{
+				name: "incomingUrl",
+				label: "Incoming Webhook URL (SYNOLOGY_CHAT_INCOMING_URL)",
+				hint: "From Synology Chat Integrations Incoming Webhook",
+				required: true
+			},
+			{
+				name: "webhookPath",
+				label: "Gateway inbound path",
+				hint: "/webhook/synology (default)",
+				required: false
+			},
+			{
+				name: "dmPolicy",
+				label: "DM policy",
+				hint: "\"allowlist\" (default) | \"open\" | \"pairing\" | \"disabled\"",
+				required: false
+			},
+			{
+				name: "allowedUserIds",
+				label: "Allowed user IDs (SYNOLOGY_ALLOWED_USER_IDS)",
+				hint: "Numeric Synology Chat user IDs, comma-separated",
+				required: false
+			},
+			{
+				name: "rateLimitPerMinute",
+				label: "Rate limit per sender/min (SYNOLOGY_RATE_LIMIT)",
+				hint: "30 (default)",
+				required: false
+			},
+			{
+				name: "allowInsecureSsl",
+				label: "Allow insecure SSL",
+				hint: "false (default) — true only for self-signed NAS certs",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Synology Chat → Integration → Incoming Webhook: create a webhook and copy the URL.",
-			"2. If you want inbound bot events, create an Outgoing Webhook pointing to /webhook/synology-chat.",
-			"3. Paste the incoming webhook URL below.",
+			"1. Synology Chat Integrations Incoming Webhook Create copy URL.",
+			"2. Synology Chat Integrations Outgoing Webhook Create:",
+			"     Outgoing URL: https://<gateway>/webhook/synology",
+			"     Copy the generated token.",
+			"3. Set token + incomingUrl in config (or env vars).",
+			"4. dmPolicy=allowlist requires at least one allowedUserId.",
+			"",
+			"  Env vars: SYNOLOGY_CHAT_TOKEN  SYNOLOGY_CHAT_INCOMING_URL",
+			"            SYNOLOGY_ALLOWED_USER_IDS  SYNOLOGY_RATE_LIMIT  OPENCLAW_BOT_NAME",
+			"",
+			"  Multi-account: channels.synology-chat.accounts.{ default, alerts }",
+			"  Targets: <numericId>, synology-chat:<id>, user:<id>",
 			"",
 			"  🔗 kb.synology.com"
 		],
 		status: "available",
-		notes: "Webhook bridge for Synology Chat rooms / bot automation."
+		notes: "Gateway webhooks. Token verify, rate limiting, multi-account, allowInsecureSsl."
 	},
 	{
 		id: "twitch",
@@ -1496,61 +1363,84 @@ const CHANNELS = [
 		platforms: ["all"],
 		tokenLabel: "OAuth Token (oauth:...)",
 		tokenHint: "Generate a Twitch chat token for your bot account",
-		extraFields: [{
-			name: "username",
-			label: "Bot Username",
-			required: true
-		}, {
-			name: "channels",
-			label: "Channels (#name or comma-separated)",
-			required: true
-		}],
+		extraFields: [
+			{
+				name: "username",
+				label: "Bot username",
+				required: true
+			},
+			{
+				name: "channels",
+				label: "Channels (comma-separated)",
+				hint: "vevisk,secondchannel",
+				required: true
+			},
+			{
+				name: "commandPrefix",
+				label: "Command prefix",
+				hint: "! (default)",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Create or use a Twitch bot account.",
-			"2. Generate an IRC OAuth token for Twitch chat (format: oauth:...).",
-			"3. Add one or more channels the bot should join.",
+			"1. Create Twitch bot account. Generate OAuth: twitchapps.com/tmi",
+			"2. Config: username, oauthToken, channels (required).",
+			"3. Add allowFrom (recommended) to restrict who can trigger.",
+			"4. Public chat: prefix required (default !). Whispers: no prefix.",
 			"",
-			"  🔗 dev.twitch.tv"
+			"  🔗 docs/twitch.md — dev.twitch.tv"
 		],
 		status: "available",
-		notes: "Twitch IRC chat integration for streams / channel chat."
+		notes: "IRC over WebSocket. Channel chat + whispers. Pairing, allowlist, modsBypass."
 	},
 	{
 		id: "tlon",
-		name: "Tlon",
-		emoji: "🔵",
+		name: "Tlon (Urbit Groups)",
+		emoji: "🌊",
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "API Key",
-		tokenHint: "Token for your Tlon API / bot gateway",
+		tokenLabel: "Login Code",
+		tokenHint: "Ship login code from Landscape → Settings → Access key (e.g. lidlut-tabwed-pillex-ridrup)",
 		extraFields: [
 			{
-				name: "apiBaseUrl",
-				label: "API Base URL",
-				hint: "e.g. https://tlon.example.com",
+				name: "ship",
+				label: "Ship Name",
+				hint: "e.g. ~sampel-palnet",
+				required: true
+			},
+			{
+				name: "url",
+				label: "Ship URL",
+				hint: "e.g. https://sampel-palnet.tlon.network or http://localhost:8080",
 				required: true
 			},
 			{
-				name: "channelId",
-				label: "Default Channel ID",
+				name: "ownerShip",
+				label: "Owner Ship",
+				hint: "Your personal ship — always authorized, receives approval notifications",
 				required: false
 			},
 			{
-				name: "webhookSecret",
-				label: "Webhook Secret",
+				name: "allowPrivateNetwork",
+				label: "Allow Private Network",
+				hint: "Enable for localhost/LAN ships (SSRF opt-in)",
 				required: false
 			}
 		],
 		setupSteps: [
-			"1. Point Tlon events to /webhook/tlon on your HyperClaw gateway.",
-			"2. Use the API base URL and API key for outbound sends.",
-			"3. Optionally set a default channel ID and webhook secret.",
+			"1. Install plugin: hyperclaw plugins install @hyperclaw/extension-tlon",
+			"2. Get your ship login code from Landscape (Settings → System → Access key).",
+			"3. Configure channels.tlon with ship name, URL, and login code.",
+			"4. Optionally set ownerShip to receive approval notifications.",
+			"5. Restart gateway: hyperclaw gateway restart",
+			"6. DM the bot ship in Tlon or mention it in a group channel.",
 			"",
-			"  🔗 Tlon bot gateway / integration endpoint"
+			"  Plugin required — connects via Urbit Eyre HTTP API + SSE stream.",
+			"  See: docs/tlon.md"
 		],
 		status: "available",
-		notes: "Generic Tlon bridge via webhook ingress + outbound API send."
+		notes: "Urbit Eyre HTTP API + SSE. DMs, groups, reactions, owner approval, auto-discovery. Plugin: @hyperclaw/extension-tlon"
 	},
 	{
 		id: "instagram",
@@ -1684,46 +1574,136 @@ const CHANNELS = [
 		status: "available"
 	},
 	{
-		id: "nextcloud",
+		id: "nextcloud-talk",
 		name: "Nextcloud Talk",
 		emoji: "☁️",
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "Nextcloud URL",
-		extraFields: [{
-			name: "username",
-			label: "Username",
-			required: true
-		}, {
-			name: "password",
-			label: "App Password",
-			required: true
-		}],
+		tokenLabel: "Nextcloud instance URL",
+		tokenHint: "e.g. https://cloud.example.com",
+		extraFields: [
+			{
+				name: "botSecret",
+				label: "Bot shared secret",
+				hint: "From: occ talk:bot:install",
+				required: true
+			},
+			{
+				name: "botSecretFile",
+				label: "Bot secret file path (optional)",
+				hint: "Alternative to inline secret",
+				required: false
+			},
+			{
+				name: "apiUser",
+				label: "API username (optional)",
+				hint: "For DM detection + fallback send via OCS API",
+				required: false
+			},
+			{
+				name: "apiPassword",
+				label: "API/app password (optional)",
+				hint: "Nextcloud app password for apiUser",
+				required: false
+			},
+			{
+				name: "webhookPort",
+				label: "Webhook listener port",
+				hint: "Default: 8788",
+				required: false
+			},
+			{
+				name: "webhookPath",
+				label: "Webhook path",
+				hint: "Default: /nextcloud-talk-webhook",
+				required: false
+			},
+			{
+				name: "webhookPublicUrl",
+				label: "Webhook public URL",
+				hint: "If behind a proxy — set this in occ talk:bot:install",
+				required: false
+			},
+			{
+				name: "groupPolicy",
+				label: "Room policy",
+				hint: "allowlist (default) | open | disabled",
+				required: false
+			},
+			{
+				name: "textChunkLimit",
+				label: "Text chunk limit (chars)",
+				hint: "Default: 32000",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Create App Password: Nextcloud → Profile → Security → App passwords.",
-			"2. You need the Nextcloud URL, username and App Password.",
+			"1. On your Nextcloud server, create the bot:",
+			"     ./occ talk:bot:install \"HyperClaw\" \"<shared-secret>\" \"<webhook-url>\" --feature reaction",
+			"   Replace <webhook-url> with your gateway URL, e.g. https://yourhost/nextcloud-talk-webhook",
+			"2. Enable the bot in the target room settings (room → ⋯ → Bots).",
+			"3. Enter the Nextcloud URL (token field) and the shared secret below.",
+			"4. (Optional) Add apiUser + app password to enable DM detection via OCS API.",
 			"",
-			"  🔗 nextcloud.com"
+			"  🔗 nextcloud.com — docs.nextcloud.com/server/latest/admin_manual/talk_bots.html"
 		],
-		status: "available"
+		status: "available",
+		notes: "Webhook bot. Supports DMs (with apiUser), rooms, reactions. No media uploads."
 	},
 	{
 		id: "zalo",
 		name: "Zalo",
 		emoji: "🔵",
-		requiresGateway: false,
+		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "Zalo OA Access Token",
+		tokenLabel: "Zalo Bot Token (12345689:abc-xyz)",
+		tokenHint: "From bot.zaloplatforms.com",
+		extraFields: [
+			{
+				name: "tokenFile",
+				label: "Token file path (optional)",
+				hint: "Alternative to inline token",
+				required: false
+			},
+			{
+				name: "groupPolicy",
+				label: "Group policy",
+				hint: "allowlist (default) | open | disabled",
+				required: false
+			},
+			{
+				name: "webhookUrl",
+				label: "Webhook URL (optional)",
+				hint: "HTTPS required — leave blank for long-polling",
+				required: false
+			},
+			{
+				name: "webhookSecret",
+				label: "Webhook secret (optional)",
+				hint: "8-256 chars — required if webhookUrl is set",
+				required: false
+			},
+			{
+				name: "mediaMaxMb",
+				label: "Media size limit (MB)",
+				hint: "Default: 5",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Zalo Official Account (OA): developers.zalo.me → My Apps.",
-			"2. Create an app and connect it to your OA.",
-			"3. Access Token from Zalo API (OAuth flow or test token for development).",
+			"1. Go to https://bot.zaloplatforms.com and sign in.",
+			"2. Create a new bot and configure its settings.",
+			"3. Copy the bot token (format: 12345689:abc-xyz).",
+			"4. Paste the token below.",
+			"5. (Optional) Set webhookUrl for webhook mode (HTTPS required).",
+			"   Leave blank to use long-polling (no public URL needed).",
 			"",
-			"  🔗 developers.zalo.me"
+			"  🔗 bot.zaloplatforms.com"
 		],
-		status: "available"
+		status: "available",
+		notes: "Experimental. DMs supported; groups with allowlist policy. Long-polling by default."
 	},
 	{
 		id: "web",
@@ -1812,18 +1792,24 @@ const ZALO_PERSONAL = {
 	requiresGateway: true,
 	supportsDM: true,
 	platforms: ["all"],
-	tokenLabel: "Zalo Personal cookie token",
-	tokenHint: "Extract from browser",
+	tokenLabel: "Cookie (from chat.zalo.me)",
+	tokenHint: "DevTools → Application → Cookies",
+	extraFields: [{
+		name: "dmPolicy",
+		label: "DM policy",
+		hint: "pairing (default) | allowlist | open | disabled",
+		required: false
+	}],
 	setupSteps: [
-		"1. Unofficial API — uses browser cookies. May break with Zalo updates.",
-		"2. Open Zalo Web in browser, Developer Tools → Application → Cookies.",
-		"3. Look for the token/cookie Zalo uses for auth.",
-		"4. See docs/channels/zalo-personal.md for details.",
+		"1. ⚠️ Experimental — unofficial. Account ban risk. Use at your own risk.",
+		"2. Open chat.zalo.me, log in. DevTools → Application → Cookies → copy.",
+		"3. Add channel, set cookie (or ZALO_PERSONAL_COOKIE env).",
+		"4. hyperclaw gateway → hyperclaw pairing approve zalo-personal <CODE>",
 		"",
-		"  ⚠️  Unofficial — use at your own risk"
+		"  🔗 docs/zalo-personal.md — full setup"
 	],
 	status: "available",
-	notes: "Uses unofficial Zalo personal API — may break on Zalo app updates"
+	notes: "Zalo Web cookie auth. DMs only. No groups. Text chunked ~2000 chars."
 };
 CHANNELS.push(ZALO_PERSONAL);
 
@@ -1955,6 +1941,180 @@ async function getConfiguredChannels() {
 		return [];
 	}
 }
+/**
+* hyperclaw channels login [channel]
+* Shortcut for first-time login flows (QR pairing, bot tokens, OAuth).
+* Delegates to channelsAdd with a login-oriented preamble.
+*/
+async function channelsLogin(channelId) {
+	console.log(chalk.default.bold.cyan("\n  🔑 Channel Login\n"));
+	console.log(chalk.default.gray("  This wizard will guide you through first-time login for a channel.\n"));
+	console.log(chalk.default.gray("  WhatsApp → QR code scan"));
+	console.log(chalk.default.gray("  Telegram → bot token (from @BotFather)"));
+	console.log(chalk.default.gray("  Discord  → bot token (from Discord Developer Portal)"));
+	console.log(chalk.default.gray("  Slack    → bot + app tokens"));
+	console.log(chalk.default.gray("  Signal   → phone number + signal-cli daemon\n"));
+	await channelsAdd(channelId);
+}
+function httpProbe(url, ms = 1200) {
+	return new Promise((resolve) => {
+		const req = http.default.get(url, { timeout: ms }, (res) => {
+			res.resume();
+			resolve((res.statusCode ?? 0) < 500);
+		});
+		req.on("error", () => resolve(false));
+		req.on("timeout", () => {
+			req.destroy();
+			resolve(false);
+		});
+	});
+}
+/** Attempt a lightweight connectivity probe for a channel. */
+async function probeChannel(channelId, channelCfg) {
+	switch (channelId) {
+		case "telegram": {
+			const token = channelCfg?.token || process.env.TELEGRAM_BOT_TOKEN;
+			if (!token) return {
+				status: "skipped",
+				detail: "no token"
+			};
+			const ok = await httpProbe(`https://api.telegram.org/bot${token}/getMe`);
+			return ok ? {
+				status: "connected",
+				detail: "api.telegram.org ok"
+			} : {
+				status: "unreachable",
+				detail: "api.telegram.org unreachable"
+			};
+		}
+		case "discord": {
+			const ok = await httpProbe("https://discord.com/api/v10/gateway");
+			return ok ? {
+				status: "connected",
+				detail: "discord.com/api ok"
+			} : {
+				status: "unreachable",
+				detail: "discord.com unreachable"
+			};
+		}
+		case "signal": {
+			const daemonUrl = channelCfg?.daemonUrl || "http://127.0.0.1:8080";
+			const ok = await httpProbe(`${daemonUrl}/v1/about`);
+			return ok ? {
+				status: "connected",
+				detail: `signal-cli at ${daemonUrl}`
+			} : {
+				status: "unreachable",
+				detail: `signal-cli not reachable at ${daemonUrl}`
+			};
+		}
+		case "mattermost": {
+			const baseUrl = channelCfg?.baseUrl;
+			if (!baseUrl) return {
+				status: "skipped",
+				detail: "no baseUrl"
+			};
+			const ok = await httpProbe(`${baseUrl}/api/v4/system/ping`);
+			return ok ? {
+				status: "connected",
+				detail: "system/ping ok"
+			} : {
+				status: "unreachable",
+				detail: "server unreachable"
+			};
+		}
+		case "matrix": {
+			const homeserver = channelCfg?.homeserver;
+			if (!homeserver) return {
+				status: "skipped",
+				detail: "no homeserver"
+			};
+			const ok = await httpProbe(`${homeserver}/_matrix/client/versions`);
+			return ok ? {
+				status: "connected",
+				detail: "matrix client ok"
+			} : {
+				status: "unreachable",
+				detail: "homeserver unreachable"
+			};
+		}
+		case "slack": {
+			const ok = await httpProbe("https://slack.com/api/api.test");
+			return ok ? {
+				status: "connected",
+				detail: "slack.com/api ok"
+			} : {
+				status: "unreachable",
+				detail: "slack.com unreachable"
+			};
+		}
+		default: return {
+			status: "skipped",
+			detail: "probe not implemented"
+		};
+	}
+}
+/**
+* hyperclaw channels status [--probe]
+* Show all configured channels with their status.
+* --probe attempts a real connectivity check for each.
+*/
+async function channelsStatus(opts = {}) {
+	const configFile = path.default.join(os.default.homedir(), ".hyperclaw", "config.json");
+	let cfg = {};
+	try {
+		cfg = fs_extra.default.readJsonSync(configFile);
+	} catch {}
+	const configured = cfg.channels || [];
+	console.log(chalk.default.bold.cyan("\n  📡 CHANNEL STATUS\n"));
+	if (configured.length === 0) {
+		console.log(chalk.default.gray("  No channels configured.\n"));
+		console.log(chalk.default.gray("  Add a channel: hyperclaw channels add\n"));
+		return;
+	}
+	const spinner = opts.probe ? (0, ora.default)("Probing channels...").start() : null;
+	const results = [];
+	for (const id of configured) {
+		const ch = getChannel(id);
+		if (!ch) continue;
+		const channelCfg = cfg.channelConfigs?.[id];
+		const dmPolicy = channelCfg?.dmPolicy?.policy ?? channelCfg?.dmPolicy;
+		const r = {
+			id,
+			name: ch.name,
+			emoji: ch.emoji,
+			configured: true,
+			dmPolicy
+		};
+		if (opts.probe) {
+			const { status, detail } = await probeChannel(id, channelCfg);
+			r.probe = status;
+			r.probeDetail = detail;
+		}
+		results.push(r);
+	}
+	if (spinner) spinner.stop();
+	const allIds = CHANNELS.map((c) => c.id);
+	const unconfigured = allIds.filter((id) => !configured.includes(id));
+	for (const r of results) {
+		const probeStr = opts.probe ? r.probe === "connected" ? chalk.default.green(" ✔ connected") : r.probe === "unreachable" ? chalk.default.red(" ✖ unreachable") : chalk.default.gray(" — skipped") : "";
+		const dm = r.dmPolicy ? chalk.default.gray(` dm:${r.dmPolicy}`) : "";
+		console.log(`  ${chalk.default.green("●")} ${r.emoji} ${r.name.padEnd(18)}${dm}${probeStr}`);
+		if (opts.probe && r.probeDetail) console.log(`     ${chalk.default.gray(r.probeDetail)}`);
+	}
+	if (unconfigured.length > 0) console.log(chalk.default.gray(`\n  ○ ${unconfigured.length} unconfigured channel(s) — add with: hyperclaw channels add`));
+	console.log();
+	if (opts.probe) {
+		const unreachable = results.filter((r) => r.probe === "unreachable");
+		if (unreachable.length > 0) {
+			console.log(chalk.default.yellow(`  ⚠  ${unreachable.length} channel(s) unreachable:`));
+			for (const r of unreachable) console.log(chalk.default.gray(`     ${r.id}: ${r.probeDetail}`));
+			console.log();
+			console.log(chalk.default.gray("  Troubleshoot: hyperclaw doctor"));
+			console.log(chalk.default.gray("  Logs:         hyperclaw logs --follow\n"));
+		} else console.log(chalk.default.green("  ✔  All probed channels reachable\n"));
+	}
+}
 
 //#endregion
 //#region src/infra/update-channels.ts
@@ -2266,38 +2426,93 @@ var init_queue = require_chunk.__esm({ "src/delivery/queue.ts"() {
 //#endregion
 //#region src/cli/run-main.ts
 const program = new commander.Command();
-program.name("hyperclaw").description("⚡ HyperClaw — AI Gateway Platform. The Lobster Evolution 🦅").version("4.0.1");
+program.name("hyperclaw").description("⚡ HyperClaw — AI Gateway Platform. The Lobster Evolution 🦅").version("5.0.0").option("--profile <name>", "Use an isolated gateway profile. Auto-scopes HYPERCLAW_STATE_DIR and HYPERCLAW_CONFIG_PATH. Required for multi-gateway setups (rescue bot, staging, etc.). Example: hyperclaw --profile rescue gateway --port 19001").hook("preAction", (thisCommand) => {
+	const profile = thisCommand.opts().profile;
+	if (profile) {
+		const os$8 = require("os");
+		const path$7 = require("path");
+		const home = os$8.homedir();
+		if (!process.env.HYPERCLAW_STATE_DIR) process.env.HYPERCLAW_STATE_DIR = path$7.join(home, `.hyperclaw-${profile}`);
+		if (!process.env.HYPERCLAW_CONFIG_PATH) process.env.HYPERCLAW_CONFIG_PATH = path$7.join(process.env.HYPERCLAW_STATE_DIR, "hyperclaw.json");
+	}
+});
 program.command("init").description("Initialize HyperClaw with interactive wizard").option("-a, --auto-config", "Auto-configure with defaults").option("-d, --daemon", "Install as system daemon").option("-s, --start-now", "Start gateway after setup").action(async (opts) => {
 	await new require_onboard.Banner().showNeonBanner(false);
 	await new require_onboard.HyperClawWizard().run(opts);
 	process.exit(0);
 });
-program.command("onboard").description("Full onboarding wizard — preferred setup path").option("--install-daemon", "Auto-install system daemon (starts on boot, grants full PC access)").option("--quick", "Use QuickStart mode (skip advanced options)").action(async (opts) => {
+program.command("onboard").description("Full onboarding wizard — preferred setup path").option("--install-daemon", "Auto-install system daemon (starts on boot, grants full PC access)").option("--quick", "Use QuickStart mode (skip advanced options)").option("--reset", "Reset config before running wizard (sends to trash, not deleted)").option("--reset-scope <scope>", "What to reset: config | config+creds | full", "config").option("--non-interactive", "Run in non-interactive mode (use flags for all options)").option("--json", "Output result as JSON (use with --non-interactive)").option("--anthropic-api-key <key>", "Anthropic API key (non-interactive)").option("--openai-api-key <key>", "OpenAI API key (non-interactive)").option("--gateway-port <port>", "Gateway port (non-interactive)", "18789").option("--gateway-bind <bind>", "Gateway bind: loopback | all (non-interactive)", "loopback").option("--daemon-runtime <runtime>", "Daemon runtime: node | bun (non-interactive)", "node").option("--skip-skills", "Skip skills setup (non-interactive)").option("--skip-search", "Skip web search setup (non-interactive)").action(async (opts) => {
 	await new require_onboard.Banner().showNeonBanner(false);
+	if (opts.reset) {
+		const fs$7 = require("fs-extra");
+		const path$7 = require("path");
+		const os$8 = require("os");
+		const hcDir = path$7.join(os$8.homedir(), ".hyperclaw");
+		const scope = opts.resetScope ?? "config";
+		const filesToRemove = [path$7.join(hcDir, "hyperclaw.json")];
+		if (scope === "config+creds" || scope === "full") {
+			filesToRemove.push(path$7.join(hcDir, "credentials"));
+			filesToRemove.push(path$7.join(hcDir, "sessions"));
+		}
+		if (scope === "full") filesToRemove.push(path$7.join(hcDir, "workspace"));
+		const chalk$11 = require("chalk");
+		console.log(chalk$11.yellow(`\n  ⚠  Reset scope: ${chalk$11.bold(scope)}\n`));
+		console.log(chalk$11.gray("  Files to remove:"));
+		filesToRemove.forEach((f) => console.log(chalk$11.gray(`    • ${f}`)));
+		const inquirer$2 = require("inquirer");
+		const { confirmReset } = await inquirer$2.prompt([{
+			type: "confirm",
+			name: "confirmReset",
+			message: "Confirm reset? (files will be moved to trash/backup, not permanently deleted)",
+			default: false
+		}]);
+		if (confirmReset) {
+			const backupDir = path$7.join(hcDir, `backup-${Date.now()}`);
+			await fs$7.ensureDir(backupDir);
+			for (const f of filesToRemove) if (await fs$7.pathExists(f)) {
+				const dest = path$7.join(backupDir, path$7.basename(f));
+				await fs$7.move(f, dest);
+				console.log(chalk$11.gray(`  ✓ Moved ${path$7.basename(f)} → backup/`));
+			}
+			console.log(chalk$11.green("\n  ✔  Reset complete. Starting fresh...\n"));
+		} else {
+			console.log(chalk$11.gray("\n  Reset cancelled.\n"));
+			process.exit(0);
+		}
+	}
 	if (opts.installDaemon) {
-		const chalk$13 = require("chalk");
-		console.log(chalk$13.yellow("\n  ⚠  --install-daemon mode\n"));
-		console.log(chalk$13.gray("  The daemon will run as a background system service and will have:\n"));
-		console.log(chalk$13.white("    • Full shell / command execution on this machine"));
-		console.log(chalk$13.white("    • File system read & write access"));
-		console.log(chalk$13.white("    • Network access (gateway WebSocket)"));
-		console.log(chalk$13.white("    • Auto-start on every system boot\n"));
-		const inquirer$3 = require("inquirer");
-		const { confirmed } = await inquirer$3.prompt([{
+		const chalk$11 = require("chalk");
+		console.log(chalk$11.yellow("\n  ⚠  --install-daemon mode\n"));
+		console.log(chalk$11.gray("  The daemon will run as a background system service and will have:\n"));
+		console.log(chalk$11.white("    • Full shell / command execution on this machine"));
+		console.log(chalk$11.white("    • File system read & write access"));
+		console.log(chalk$11.white("    • Network access (gateway WebSocket)"));
+		console.log(chalk$11.white("    • Auto-start on every system boot\n"));
+		const inquirer$2 = require("inquirer");
+		const { confirmed } = await inquirer$2.prompt([{
 			type: "confirm",
 			name: "confirmed",
 			message: "I understand and want to continue with full PC access:",
 			default: false
 		}]);
 		if (!confirmed) {
-			console.log(chalk$13.gray("\n  Cancelled. Run without --install-daemon to choose during setup.\n"));
+			console.log(chalk$11.gray("\n  Cancelled. Run without --install-daemon to choose during setup.\n"));
 			process.exit(0);
 		}
 	}
 	await new require_onboard.HyperClawWizard().run({
 		...opts,
 		wizard: true,
-		installDaemon: opts.installDaemon ?? false
+		installDaemon: opts.installDaemon ?? false,
+		nonInteractive: opts.nonInteractive ?? false,
+		jsonOutput: opts.json ?? false,
+		skipSkills: opts.skipSkills ?? false,
+		skipSearch: opts.skipSearch ?? false,
+		daemonRuntime: opts.daemonRuntime ?? "node",
+		gatewayPort: opts.gatewayPort ? parseInt(opts.gatewayPort) : void 0,
+		gatewayBind: opts.gatewayBind ?? "loopback",
+		anthropicApiKey: opts.anthropicApiKey,
+		openaiApiKey: opts.openaiApiKey
 	});
 	process.exit(0);
 });
@@ -2322,18 +2537,18 @@ gatewayCmd.command("status").description("Show gateway status").action(async ()
 	process.exit(0);
 });
 gatewayCmd.command("start").description("Start the gateway service").option("-p, --port <port>", "Override port").action(async (opts) => {
-	await new require_onboard.DaemonManager().start();
+	await new require_daemon.DaemonManager().start();
 });
 gatewayCmd.command("stop").description("Stop the gateway service").action(async () => {
-	await new require_onboard.DaemonManager().stop();
+	await new require_daemon.DaemonManager().stop();
 	process.exit(0);
 });
 gatewayCmd.command("restart").description("Restart the gateway service").action(async () => {
-	const dm = new require_onboard.DaemonManager();
+	const dm = new require_daemon.DaemonManager();
 	await dm.restart();
 });
-program.command("daemon").description("Manage HyperClaw system service (alias: gateway)").argument("<action>", "start|stop|restart|status|logs").action(async (action) => {
-	const dm = new require_onboard.DaemonManager();
+program.command("daemon").description("Manage HyperClaw system service (alias: gateway)").argument("<action>", "start|stop|restart|status|logs|install|uninstall").action(async (action) => {
+	const dm = new require_daemon.DaemonManager();
 	if (action === "start") await new require_onboard.Banner().showNeonBanner(true);
 	await dm.handle(action);
 	if (action === "start" || action === "restart") return;
@@ -2341,20 +2556,20 @@ program.command("daemon").description("Manage HyperClaw system service (alias: g
 });
 const sandboxCmd = program.command("sandbox").description("Debug sandbox and tool policy");
 sandboxCmd.command("explain").description("Show effective sandbox mode, tool policy, and allowed tools").option("--json", "Output as JSON").action(async (opts) => {
-	const chalk$13 = require("chalk");
-	const fs$10 = require("fs-extra");
-	const path$10 = require("path");
-	const os$9 = require("os");
+	const chalk$11 = require("chalk");
+	const fs$7 = require("fs-extra");
+	const path$7 = require("path");
+	const os$8 = require("os");
 	const { getConfigPath } = await Promise.resolve().then(() => require("./paths-D-QecARF.js"));
 	const cfgPath = getConfigPath();
 	let cfg = {};
 	try {
-		cfg = await fs$10.readJson(cfgPath);
+		cfg = await fs$7.readJson(cfgPath);
 	} catch {}
 	const sandboxMode = cfg?.agents?.defaults?.sandbox?.mode ?? "non-main";
 	const toolsCfg = cfg?.tools ?? {};
-	const { describeToolPolicy, applyToolPolicy } = await Promise.resolve().then(() => require("./tool-policy-CFF-d5fs.js"));
-	const { getBuiltinTools, getSessionsTools, getPCAccessTools, getBrowserTools, getExtractionTools, getWebsiteWatchTools, getVisionTools } = await Promise.resolve().then(() => require("./src-BptR-54a.js"));
+	const { describeToolPolicy, applyToolPolicy } = await Promise.resolve().then(() => require("./tool-policy-CNT-mF2Z.js"));
+	const { getBuiltinTools, getSessionsTools, getPCAccessTools, getBrowserTools, getExtractionTools, getWebsiteWatchTools, getVisionTools } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	const allTools = [
 		...getBuiltinTools(),
 		...getSessionsTools(() => null),
@@ -2382,15 +2597,15 @@ sandboxCmd.command("explain").description("Show effective sandbox mode, tool pol
 		}, null, 2));
 		process.exit(0);
 	}
-	console.log(chalk$13.bold.hex("#06b6d4")("\n  🔒 SANDBOX EXPLAIN\n"));
+	console.log(chalk$11.bold.hex("#06b6d4")("\n  🔒 SANDBOX EXPLAIN\n"));
 	console.log(`  Sandbox mode:  ${sandboxMode} (non-main sessions get restricted pcTools)`);
 	console.log(`  Tool profile:  ${policy.profile}`);
 	console.log(`  Policy source: ${policy.source}`);
 	if (policy.allow?.length) console.log(`  Allow:         ${policy.allow.join(", ")}`);
 	if (policy.deny?.length) console.log(`  Deny:          ${policy.deny.join(", ")}`);
 	console.log(`  Tools:         ${filtered.length} / ${allTools.length} allowed`);
-	console.log(chalk$13.gray("\n  Allowed: " + filtered.map((t) => t.name).join(", ")));
-	console.log(chalk$13.gray("\n  Elevated: " + ((cfg?.tools?.elevated)?.enabled ? "enabled" : "disabled")));
+	console.log(chalk$11.gray("\n  Allowed: " + filtered.map((t) => t.name).join(", ")));
+	console.log(chalk$11.gray("\n  Elevated: " + ((cfg?.tools?.elevated)?.enabled ? "enabled" : "disabled")));
 	console.log();
 	process.exit(0);
 });
@@ -2407,6 +2622,14 @@ channelsCmd.command("remove <channel>").description("Remove a channel").action(a
 	await channelsRemove(channel);
 	process.exit(0);
 });
+channelsCmd.command("login [channel]").description("First-time login / QR pairing for a channel").action(async (channel) => {
+	await channelsLogin(channel);
+	process.exit(0);
+});
+channelsCmd.command("status").description("Show channel status (use --probe to test connectivity)").option("--probe", "Probe each channel for real connectivity").action(async (opts) => {
+	await channelsStatus({ probe: !!opts.probe });
+	process.exit(0);
+});
 const hooksCmd = program.command("hooks").description("Hook management");
 hooksCmd.command("list").description("List all hooks").option("--eligible", "Show only eligible hooks").action((opts) => {
 	new require_loader.HookLoader().list(opts.eligible);
@@ -2430,24 +2653,79 @@ hooksCmd.command("install <pack>").description("Install a hook pack").action(asy
 });
 const agentsCmd = program.command("agents").description("Multi-agent routing");
 agentsCmd.command("bindings").description("List agent ↔ channel bindings").action(() => {
-	new AgentRouter().listBindings();
+	new require_agents_routing.AgentRouter().listBindings();
 	process.exit(0);
 });
 agentsCmd.command("bind").description("Bind a channel to an agent workspace").action(async () => {
-	await new AgentRouter().bind();
+	await new require_agents_routing.AgentRouter().bind();
 	process.exit(0);
 });
 agentsCmd.command("unbind").description("Remove channel ↔ agent bindings").action(async () => {
-	await new AgentRouter().unbind();
+	await new require_agents_routing.AgentRouter().unbind();
 	process.exit(0);
 });
 const pairingCmd = program.command("pairing").description("DM pairing codes");
-pairingCmd.command("list").description("List pending and approved pairing codes").action(() => {
-	new require_pairing.PairingStore().showList();
+pairingCmd.command("list [channel]").description("List pending DM pairing requests (optionally filter by channel)").action(async (channel) => {
+	await new require_pairing.GlobalPairingManager().showList(channel);
+	process.exit(0);
+});
+pairingCmd.command("approve <channel> <code>").description("Approve a pairing code and add sender to channel allowlist").option("--account <id>", "Account ID for multi-account channels", "default").action(async (channel, code, opts) => {
+	await new require_pairing.GlobalPairingManager().cliApprove(channel, code, opts.account);
+	process.exit(0);
+});
+const devicesCmd = program.command("devices").description("Node/device pairing (iOS, Android, macOS, headless)");
+devicesCmd.command("list").description("List pending and paired devices").action(async () => {
+	await new DevicePairingStore().showCLI();
+	process.exit(0);
+});
+devicesCmd.command("pair").description("Create a new device pairing request and print setup code").option("-u, --gateway-url <url>", "Gateway WebSocket URL", "ws://localhost:18789").option("-n, --name <name>", "Device name (optional)").option("-p, --platform <platform>", "Platform hint: ios|android|macos|headless (optional)").action(async (opts) => {
+	const store = new DevicePairingStore();
+	const result = await store.createRequest(opts.gatewayUrl, {
+		deviceName: opts.name,
+		platform: opts.platform
+	});
+	console.log(chalk.default.bold.cyan("\n  📱 DEVICE PAIR REQUEST\n"));
+	console.log(`  Request ID:  ${chalk.default.bold(result.requestId)}`);
+	console.log(`  Expires:     ${chalk.default.gray(new Date(result.expiresAt).toLocaleTimeString())}`);
+	console.log();
+	console.log(chalk.default.yellow("  Setup code (send to device or paste in app):"));
+	console.log(chalk.default.bold(`\n  ${result.setupCode}\n`));
+	console.log(chalk.default.gray("  Approve:  hyperclaw devices approve " + result.requestId));
+	console.log(chalk.default.gray("  Reject:   hyperclaw devices reject " + result.requestId));
+	console.log(chalk.default.gray("\n  Telegram: message your bot with /pair for guided flow.\n"));
+	process.exit(0);
+});
+devicesCmd.command("approve <requestId>").description("Approve a pending device pairing request").action(async (requestId) => {
+	const store = new DevicePairingStore();
+	const device = await store.approve(requestId);
+	if (device) {
+		console.log(chalk.default.green(`\n  ✔  Device approved: ${chalk.default.bold(device.deviceId)}`));
+		if (device.deviceName) console.log(chalk.default.gray(`     Name: ${device.deviceName}`));
+		console.log(chalk.default.gray(`     Paired at: ${device.pairedAt}\n`));
+	} else {
+		console.log(chalk.default.red(`\n  ✖  Request not found or expired: ${requestId}\n`));
+		process.exit(1);
+	}
+	process.exit(0);
+});
+devicesCmd.command("reject <requestId>").description("Reject a pending device pairing request").action(async (requestId) => {
+	const store = new DevicePairingStore();
+	const ok = await store.reject(requestId);
+	if (ok) console.log(chalk.default.green(`\n  ✔  Request rejected: ${requestId}\n`));
+	else {
+		console.log(chalk.default.red(`\n  ✖  Request not found: ${requestId}\n`));
+		process.exit(1);
+	}
 	process.exit(0);
 });
-pairingCmd.command("approve <channel> <code>").description("Approve a pairing code and add user to allowlist").action((channel, code) => {
-	new require_pairing.PairingStore().cliApprove(channel, code);
+devicesCmd.command("unpair <deviceId>").description("Remove a paired device").action(async (deviceId) => {
+	const store = new DevicePairingStore();
+	const ok = await store.unpair(deviceId);
+	if (ok) console.log(chalk.default.green(`\n  ✔  Device unpaired: ${deviceId}\n`));
+	else {
+		console.log(chalk.default.red(`\n  ✖  Device not found: ${deviceId}\n`));
+		process.exit(1);
+	}
 	process.exit(0);
 });
 const msgCmd = program.command("message").description("Send messages");
@@ -2456,7 +2734,7 @@ msgCmd.command("send").description("Send a message via a configured channel").op
 	process.exit(0);
 });
 program.command("hub").description("Skill hub — browse marketplace, install, scan skills").option("-i, --install <id>", "Install skill").option("-s, --scan <id>", "Security scan a skill").option("-m, --marketplace", "ClawHub-style marketplace view (installed + bundled)").option("--force", "Force install (bypass risk block)").option("--hide-suspicious", "Hide suspicious/dangerous skills").action(async (opts) => {
-	const hub = new SkillHub();
+	const hub = new require_hub.SkillHub();
 	if (opts.scan) await hub.scan(opts.scan);
 	else if (opts.install) await hub.install(opts.install, opts.force);
 	else if (opts.marketplace) await hub.showMarketplace({ hideSuspicious: opts.hideSuspicious });
@@ -2465,7 +2743,7 @@ program.command("hub").description("Skill hub — browse marketplace, install, s
 });
 const skillCmd = program.command("skill").description("ClawHub — search and install skills from registry");
 skillCmd.command("search [query]").description("Search ClawHub for skills").option("-c, --category <cat>", "Filter by category").action(async (query, opts) => {
-	const hub = new SkillHub();
+	const hub = new require_hub.SkillHub();
 	const q = query || "";
 	const skills = await hub.searchClawHub(q, opts.category);
 	if (skills.length === 0) {
@@ -2483,11 +2761,11 @@ skillCmd.command("search [query]").description("Search ClawHub for skills").opti
 	process.exit(0);
 });
 skillCmd.command("list").description("List installed skills (bundled + ClawHub)").action(async () => {
-	const hub = new SkillHub();
+	const hub = new require_hub.SkillHub();
 	const installed = await hub.getInstalled();
 	console.log(chalk.default.bold.hex("#06b6d4")("\n  Installed skills:\n"));
 	for (const s of installed) {
-		const src = SKILL_REGISTRY.some((r) => r.id === s.id) ? "" : " (ClawHub)";
+		const src = require_hub.SKILL_REGISTRY.some((r) => r.id === s.id) ? "" : " (ClawHub)";
 		console.log(`  ${chalk.default.hex("#06b6d4")("✓")} ${s.name} ${chalk.default.gray(`(${s.id})${src}`)}`);
 	}
 	if (installed.length === 0) console.log(chalk.default.gray("  No skills installed. Run: hyperclaw hub or hyperclaw skill search <query>\n"));
@@ -2495,14 +2773,14 @@ skillCmd.command("list").description("List installed skills (bundled + ClawHub)"
 	process.exit(0);
 });
 skillCmd.command("install <id>").description("Install skill from ClawHub (or bundled when registry unavailable)").option("-v, --version <ver>", "Pin version (e.g. 2.0.0)").option("--force", "Force install (bypass risk block for bundled)").action(async (id, opts) => {
-	const hub = new SkillHub();
-	const ora$6 = (await import("ora")).default;
-	const s = ora$6(`Installing ${id}...`).start();
+	const hub = new require_hub.SkillHub();
+	const ora$4 = (await import("ora")).default;
+	const s = ora$4(`Installing ${id}...`).start();
 	try {
 		const dest = await hub.installFromClawHub(id, opts.version);
 		s.succeed(`Installed to ${dest}`);
 	} catch (e) {
-		const match = SKILL_REGISTRY.find((x) => x.id === id);
+		const match = require_hub.SKILL_REGISTRY.find((x) => x.id === id);
 		if (match) {
 			await hub.install(id, !!opts?.force);
 			s.succeed(`Installed bundled skill: ${match.name}`);
@@ -2511,13 +2789,13 @@ skillCmd.command("install <id>").description("Install skill from ClawHub (or bun
 	process.exit(0);
 });
 program.command("menu-bar").description("Launch macOS menu bar companion (Electron tray app)").action(async () => {
-	const path$10 = await import("path");
+	const path$7 = await import("path");
 	const { spawn } = await import("child_process");
-	const fs$10 = await import("fs-extra");
-	const root = path$10.join(process.cwd(), "apps", "macos");
-	const altRoot = path$10.join(__dirname, "..", "..", "apps", "macos");
-	const macosDir = await fs$10.pathExists(root) ? root : await fs$10.pathExists(altRoot) ? altRoot : null;
-	if (!macosDir || !await fs$10.pathExists(path$10.join(macosDir, "package.json"))) {
+	const fs$7 = await import("fs-extra");
+	const root = path$7.join(process.cwd(), "apps", "macos");
+	const altRoot = path$7.join(__dirname, "..", "..", "apps", "macos");
+	const macosDir = await fs$7.pathExists(root) ? root : await fs$7.pathExists(altRoot) ? altRoot : null;
+	if (!macosDir || !await fs$7.pathExists(path$7.join(macosDir, "package.json"))) {
 		console.log(chalk.default.gray("\n  macOS menu bar app not found."));
 		console.log(chalk.default.gray("  Run from HyperClaw repo root, or: cd apps/macos && npm start\n"));
 		process.exit(1);
@@ -2544,8 +2822,15 @@ program.command("update").description("Update HyperClaw").option("-c, --channel
 	await performUpdate(effective.channel, installKind);
 	process.exit(0);
 });
-program.command("doctor").description("Health check — surfaces misconfigs and risky DM policies").option("--fix", "Auto-repair fixable issues").action(async (opts) => {
-	await runDoctor(opts.fix);
+program.command("doctor").description("Health check — surfaces misconfigs, risky DM policies, and repairs").option("--fix", "Auto-repair fixable issues").option("--repair", "Apply recommended repairs (same as --fix)").option("--force", "Apply aggressive repairs (use with --repair)").option("-y, --yes", "Accept defaults without prompting").option("--non-interactive", "Skip prompts; only run safe migrations").option("--deep", "Scan system services for extra gateway installs").action(async (opts) => {
+	await require_doctor.runDoctor(opts.fix || opts.repair, {
+		fix: opts.fix,
+		repair: opts.repair,
+		force: opts.force,
+		yes: opts.yes,
+		nonInteractive: opts.nonInteractive,
+		deep: opts.deep
+	});
 	process.exit(0);
 });
 const memCmd = program.command("memory").description("Agent memory management");
@@ -2591,12 +2876,12 @@ cfgCmd.command("set-key <KEY=value>").description("Set an API key or config valu
 	process.exit(0);
 });
 cfgCmd.command("set-service-key <serviceId> [apiKey]").description("Set API key for a service (hackerone, bugcrowd, synack, or custom). Prompts if apiKey omitted.").action(async (serviceId, apiKey) => {
-	const inquirer$3 = (await import("inquirer")).default;
+	const inquirer$2 = (await import("inquirer")).default;
 	const config = new require_manager.ConfigManager();
 	const cfg = await config.load();
 	let key = apiKey;
 	if (!key || key.trim().length === 0) {
-		const r = await inquirer$3.prompt([{
+		const r = await inquirer$2.prompt([{
 			type: "password",
 			name: "k",
 			message: `API key for ${serviceId}:`,
@@ -2627,7 +2912,7 @@ cfgCmd.command("set-service-key <serviceId> [apiKey]").description("Set API key
 cfgCmd.command("schema").description("Show configuration schema").action(() => {
 	console.log(chalk.default.bold.hex("#06b6d4")("\n  Config schema: ~/.hyperclaw/config.json\n"));
 	const schema = {
-		version: "string (e.g. \"4.0.1\")",
+		version: "string (e.g. \"5.0.0\")",
 		workspaceName: "string",
 		provider: {
 			providerId: "string",
@@ -2720,17 +3005,17 @@ program.command("deploy").description("Deploy gateway to cloud (Fly.io or Render
 program.command("voice-call").description("Start voice call session — terminal mode, talks to gateway").option("-u, --gateway-url <url>", "Gateway URL", "http://localhost:18789").action(async (opts) => {
 	const axios = (await import("axios")).default;
 	const readline$2 = await import("readline");
-	const chalk$13 = require("chalk");
+	const chalk$11 = require("chalk");
 	const url = opts.gatewayUrl || "http://localhost:18789";
-	console.log(chalk$13.bold.cyan("\n  🎙️  HYPERCLAW VOICE CALL\n"));
-	console.log(chalk$13.gray(`  Gateway: ${url}`));
-	console.log(chalk$13.gray("  Type a message and press Enter. Ctrl+C to exit.\n"));
+	console.log(chalk$11.bold.cyan("\n  🎙️  HYPERCLAW VOICE CALL\n"));
+	console.log(chalk$11.gray(`  Gateway: ${url}`));
+	console.log(chalk$11.gray("  Type a message and press Enter. Ctrl+C to exit.\n"));
 	const rl = readline$2.createInterface({
 		input: process.stdin,
 		output: process.stdout
 	});
 	const ask = () => {
-		rl.question(chalk$13.cyan("  You: "), async (input) => {
+		rl.question(chalk$11.cyan("  You: "), async (input) => {
 			if (!input?.trim()) {
 				ask();
 				return;
@@ -2740,9 +3025,9 @@ program.command("voice-call").description("Start voice call session — terminal
 					message: input.trim(),
 					thinking: "none"
 				}, { timeout: 6e4 });
-				console.log(chalk$13.green(`  🦅 Agent: ${(res.data?.response || "").slice(0, 500)}\n`));
+				console.log(chalk$11.green(`  🦅 Agent: ${(res.data?.response || "").slice(0, 500)}\n`));
 			} catch (e) {
-				console.log(chalk$13.red(`  Error: ${e.response?.data?.error || e.message}\n`));
+				console.log(chalk$11.red(`  Error: ${e.response?.data?.error || e.message}\n`));
 			}
 			ask();
 		});
@@ -2762,13 +3047,102 @@ program.command("dashboard").description("Launch live terminal dashboard").optio
 	await new Dashboard().launch(opts.live);
 	if (!opts.live) process.exit(0);
 });
-program.command("status").description("System overview").action(async () => {
+program.command("status").description("System overview").option("--all", "Full local diagnosis (read-only)").option("--deep", "Also probe the running gateway").action(async (opts) => {
 	await new require_onboard.Banner().showStatus();
+	if (opts.all || opts.deep) {
+		const fs$7 = await import("fs-extra");
+		const { getConfigPath } = await Promise.resolve().then(() => require("./paths-D-QecARF.js"));
+		const t = (await Promise.resolve().then(() => require("./theme-cx0fkgWC.js"))).getTheme(false);
+		const configPath = getConfigPath();
+		console.log(t.bold("\n  ─── Deep status ───\n"));
+		try {
+			const cfg = await fs$7.readJson(configPath);
+			console.log(t.muted("  Config: ") + (cfg ? t.success("loaded") : t.error("missing")));
+			console.log(t.muted("  Channels: ") + JSON.stringify(cfg?.gateway?.enabledChannels || cfg?.channels || []));
+		} catch {
+			console.log(t.muted("  Config: ") + t.error("unreadable"));
+		}
+		if (opts.deep) {
+			const http$2 = await import("http");
+			const { resolveGatewayUrl } = await Promise.resolve().then(() => require("./health-B-asI__D.js"));
+			const cfg = await new require_manager.ConfigManager().load();
+			const { gatewayUrl } = resolveGatewayUrl(cfg);
+			const u = new URL(gatewayUrl);
+			const optsReq = {
+				hostname: u.hostname,
+				port: u.port || (u.protocol === "https:" ? 443 : 80),
+				path: "/api/status",
+				method: "GET",
+				timeout: 3e3
+			};
+			if (u.protocol === "https:") {
+				const https = await import("https");
+				await new Promise((resolve) => {
+					const req = https.request(`${gatewayUrl}/api/status`, { timeout: 3e3 }, (res) => {
+						let d = "";
+						res.on("data", (c) => d += c);
+						res.on("end", () => {
+							try {
+								const j = JSON.parse(d);
+								console.log(t.muted("  Gateway: ") + t.success("reachable") + ` (sessions: ${j.sessions ?? "-"}, uptime: ${j.uptime ?? "-"})`);
+							} catch {
+								console.log(t.muted("  Gateway: ") + t.error("unreachable or invalid response"));
+							}
+							resolve();
+						});
+					});
+					req.on("error", () => {
+						console.log(t.muted("  Gateway: ") + t.error("unreachable"));
+						resolve();
+					});
+					req.on("timeout", () => {
+						req.destroy();
+						console.log(t.muted("  Gateway: ") + t.error("timeout"));
+						resolve();
+					});
+					req.end();
+				});
+			} else await new Promise((resolve) => {
+				const req = http$2.request(optsReq, (res) => {
+					let d = "";
+					res.on("data", (c) => d += c);
+					res.on("end", () => {
+						try {
+							const j = JSON.parse(d);
+							console.log(t.muted("  Gateway: ") + t.success("reachable") + ` (sessions: ${j.sessions ?? "-"}, uptime: ${j.uptime ?? "-"})`);
+						} catch {
+							console.log(t.muted("  Gateway: ") + t.error("unreachable or invalid response"));
+						}
+						resolve();
+					});
+				});
+				req.on("error", () => {
+					console.log(t.muted("  Gateway: ") + t.error("unreachable"));
+					resolve();
+				});
+				req.on("timeout", () => {
+					req.destroy();
+					console.log(t.muted("  Gateway: ") + t.error("timeout"));
+					resolve();
+				});
+				req.end();
+			});
+		}
+		console.log();
+	}
 	process.exit(0);
 });
+program.command("health").description("Quick gateway health probe (Runtime, RPC probe, channel count)").option("--json", "Output raw JSON").option("-v, --verbose", "Show state dir, config path, and env overrides").action(async (opts) => {
+	const result = await require_health.runHealth({
+		json: opts.json,
+		verbose: opts.verbose
+	});
+	if (!result.allOk) process.exitCode = 1;
+	process.exit(process.exitCode ?? 0);
+});
 const themeCmd = program.command("theme").description("Switch CLI color theme");
 themeCmd.command("list").description("List available themes").action(async () => {
-	const { allThemes, getThemeName } = await Promise.resolve().then(() => require("./theme-Iefa3L63.js"));
+	const { allThemes, getThemeName } = await Promise.resolve().then(() => require("./theme-cx0fkgWC.js"));
 	const current = getThemeName();
 	console.log(chalk.default.bold.hex("#06b6d4")("\n  🎨 AVAILABLE THEMES\n"));
 	for (const { name, label } of allThemes()) {
@@ -2780,7 +3154,7 @@ themeCmd.command("list").description("List available themes").action(async () =>
 	process.exit(0);
 });
 themeCmd.command("set <theme>").description("Set theme: dark | grey | white").action(async (name) => {
-	const { setThemeName, allThemes } = await Promise.resolve().then(() => require("./theme-Iefa3L63.js"));
+	const { setThemeName, allThemes } = await Promise.resolve().then(() => require("./theme-cx0fkgWC.js"));
 	const valid = allThemes().map((t) => t.name);
 	if (!valid.includes(name)) {
 		console.log(chalk.default.red(`\n  ✖  Unknown theme: "${name}". Use: ${valid.join(" | ")}\n`));
@@ -2792,7 +3166,7 @@ themeCmd.command("set <theme>").description("Set theme: dark | grey | white").ac
 	process.exit(0);
 });
 themeCmd.command("preview").description("Preview all themes side-by-side").action(async () => {
-	const { allThemes, getTheme, setThemeName, getThemeName } = await Promise.resolve().then(() => require("./theme-Iefa3L63.js"));
+	const { allThemes, getTheme, setThemeName, getThemeName } = await Promise.resolve().then(() => require("./theme-cx0fkgWC.js"));
 	const current = getThemeName();
 	console.log(chalk.default.bold("\n  🎨 THEME PREVIEW\n"));
 	for (const { name, label } of allThemes()) {
@@ -2809,45 +3183,49 @@ themeCmd.command("preview").description("Preview all themes side-by-side").actio
 });
 const secretsCmd = program.command("secrets").description("External secrets management");
 secretsCmd.command("audit").description("Audit all required secrets").option("--required-by <ids>", "Filter by skill/provider IDs (comma-separated)").action(async (opts) => {
-	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-DOWs9lLX.js"));
+	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-FCgF1plu.js"));
 	const filter = opts.requiredBy?.split(",");
 	await new SecretsManager().audit(filter);
 	process.exit(0);
 });
 secretsCmd.command("set <KEY=value>").description("Set a secret in .env file").action(async (kv) => {
-	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-DOWs9lLX.js"));
+	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-FCgF1plu.js"));
 	await new SecretsManager().set(kv);
 	process.exit(0);
 });
 secretsCmd.command("apply").description("Write secrets from .env to shell config (~/.bashrc, ~/.zshrc)").action(async () => {
-	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-DOWs9lLX.js"));
+	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-FCgF1plu.js"));
 	await new SecretsManager().apply();
 	process.exit(0);
 });
 secretsCmd.command("reload").description("Reload secrets into running gateway").action(async () => {
-	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-DOWs9lLX.js"));
+	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-FCgF1plu.js"));
 	await new SecretsManager().reload();
 	process.exit(0);
 });
 secretsCmd.command("remove <key>").description("Remove a secret from .env").action(async (key) => {
-	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-DOWs9lLX.js"));
+	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-FCgF1plu.js"));
 	await new SecretsManager().remove(key);
 	process.exit(0);
 });
 secretsCmd.command("credentials").description("List provider credential files (credentials/*.json)").action(async () => {
-	const { CredentialsStore } = await Promise.resolve().then(() => require("./credentials-store-B3anVuZD.js"));
+	const { CredentialsStore } = await Promise.resolve().then(() => require("./credentials-store-C6ir0Dae.js"));
 	await new CredentialsStore().showList();
 	process.exit(0);
 });
 const securityCmd = program.command("security").description("Security tools");
-securityCmd.command("audit").description("Security audit — file permissions, DM policies, embedded secrets").option("--deep", "Full deep scan including token entropy and installed skill risks").action(async (opts) => {
-	const { runSecurityAudit } = await Promise.resolve().then(() => require("./audit-BTLzQBk-.js"));
-	await runSecurityAudit(opts.deep);
+securityCmd.command("audit").description("Security audit — file permissions, DM policies, embedded secrets").option("--deep", "Full deep scan including token entropy and installed skill risks").option("--fix", "Auto-fix safe findings (file permissions etc.)").option("--json", "Machine-readable JSON output").action(async (opts) => {
+	const { runSecurityAudit } = await Promise.resolve().then(() => require("./audit-BaIiyWFu.js"));
+	await runSecurityAudit({
+		deep: opts.deep,
+		fix: opts.fix,
+		json: opts.json
+	});
 	process.exit(0);
 });
 const agentRunCmd = program.command("agent").description("Run agent with thinking control");
 agentRunCmd.requiredOption("-m, --message <text>", "Message to send to the agent").option("--thinking <level>", "Thinking level: high|medium|low|none", "none").option("--model <model>", "Override model").option("--session <id>", "Session/thread ID").option("--multi-step", "Decompose into steps and run each (sequential)").option("--parallel", "Run sub-agents in parallel for independent subtasks").option("--verbose", "Show thinking blocks and request details").option("--workspace <dir>", "Override workspace directory").action(async (opts) => {
-	const { runAgent } = await Promise.resolve().then(() => require("./src-BptR-54a.js"));
+	const { runAgent } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await runAgent({
 		message: opts.message,
 		thinking: opts.thinking,
@@ -2863,7 +3241,7 @@ agentRunCmd.requiredOption("-m, --message <text>", "Message to send to the agent
 });
 const threadsCmd = program.command("threads").description("ACP thread-bound agent sessions");
 threadsCmd.command("list").description("List agent threads").option("--channel <id>", "Filter by channel").option("--active", "Show only active threads").action(async (opts) => {
-	const { ACPThreadManager } = await Promise.resolve().then(() => require("./src-BptR-54a.js"));
+	const { ACPThreadManager } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	const mgr = new ACPThreadManager();
 	const threads = await mgr.list({
 		channelId: opts.channel,
@@ -2873,33 +3251,33 @@ threadsCmd.command("list").description("List agent threads").option("--channel <
 	process.exit(0);
 });
 threadsCmd.command("terminate <id>").description("Terminate a thread").action(async (id) => {
-	const { ACPThreadManager } = await Promise.resolve().then(() => require("./src-BptR-54a.js"));
+	const { ACPThreadManager } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await new ACPThreadManager().terminate(id);
 	console.log(require("chalk").green(`\n  ✔  Thread terminated: ${id}\n`));
 	process.exit(0);
 });
 const canvasCmd = program.command("canvas").description("Live AI-driven UI canvas");
 canvasCmd.command("show").description("Show current canvas components").action(async () => {
-	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-CN8ePGog.js"));
+	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-BVQrd0_g.js"));
 	await new CanvasRenderer().show();
 	process.exit(0);
 });
 canvasCmd.command("add <type> <title>").description("Add a canvas component (type: chart|table|form|markdown|image|custom)").action(async (type, title) => {
-	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-CN8ePGog.js"));
+	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-BVQrd0_g.js"));
 	await new CanvasRenderer().addComponent(type, title);
 	process.exit(0);
 });
 canvasCmd.command("clear").description("Clear all canvas components").action(async () => {
-	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-CN8ePGog.js"));
+	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-BVQrd0_g.js"));
 	await new CanvasRenderer().clear();
 	process.exit(0);
 });
 canvasCmd.command("export").description("Export canvas as HTML file").action(async () => {
-	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-CN8ePGog.js"));
-	const fs$10 = require("fs-extra");
+	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-BVQrd0_g.js"));
+	const fs$7 = require("fs-extra");
 	const html = await new CanvasRenderer().exportHtml();
 	const outFile = require("path").join(require("os").homedir(), ".hyperclaw", "canvas", "export.html");
-	await fs$10.writeFile(outFile, html);
+	await fs$7.writeFile(outFile, html);
 	console.log(require("chalk").green(`\n  ✔  Canvas exported to ${outFile}\n`));
 	process.exit(0);
 });
@@ -2916,137 +3294,137 @@ deliveryCmd.command("retry <id>").description("Retry a dead-lettered delivery it
 });
 const mcpCmd = program.command("mcp").description("MCP (Model Context Protocol) server management");
 mcpCmd.command("list").action(async () => {
-	const { mcpList } = await Promise.resolve().then(() => require("./mcp-D0qVYL4A.js"));
+	const { mcpList } = await Promise.resolve().then(() => require("./mcp-CfoSU4Uz.js"));
 	await mcpList();
 	process.exit(0);
 });
 mcpCmd.command("add").action(async () => {
-	const { mcpAdd } = await Promise.resolve().then(() => require("./mcp-D0qVYL4A.js"));
+	const { mcpAdd } = await Promise.resolve().then(() => require("./mcp-CfoSU4Uz.js"));
 	await mcpAdd();
 	process.exit(0);
 });
 mcpCmd.command("remove <id>").action(async (id) => {
-	const { mcpRemove } = await Promise.resolve().then(() => require("./mcp-D0qVYL4A.js"));
+	const { mcpRemove } = await Promise.resolve().then(() => require("./mcp-CfoSU4Uz.js"));
 	await mcpRemove(id);
 	process.exit(0);
 });
 mcpCmd.command("probe [id]").action(async (id) => {
-	const { mcpProbe } = await Promise.resolve().then(() => require("./mcp-D0qVYL4A.js"));
+	const { mcpProbe } = await Promise.resolve().then(() => require("./mcp-CfoSU4Uz.js"));
 	await mcpProbe(id);
 	process.exit(0);
 });
 const nodeCmd = program.command("node").description("HyperClaw node management (local, remote, android)");
 nodeCmd.command("list").action(async () => {
-	const { nodeList } = await Promise.resolve().then(() => require("./node-CHBOeMvu.js"));
+	const { nodeList } = await Promise.resolve().then(() => require("./node-Dw2Gi-cP.js"));
 	await nodeList();
 	process.exit(0);
 });
 nodeCmd.command("add").action(async () => {
-	const { nodeAdd } = await Promise.resolve().then(() => require("./node-CHBOeMvu.js"));
+	const { nodeAdd } = await Promise.resolve().then(() => require("./node-Dw2Gi-cP.js"));
 	await nodeAdd();
 	process.exit(0);
 });
 nodeCmd.command("probe [id]").action(async (id) => {
-	const { nodeProbe } = await Promise.resolve().then(() => require("./node-CHBOeMvu.js"));
+	const { nodeProbe } = await Promise.resolve().then(() => require("./node-Dw2Gi-cP.js"));
 	await nodeProbe(id);
 	process.exit(0);
 });
 nodeCmd.command("remove <id>").action(async (id) => {
-	const { nodeRemove } = await Promise.resolve().then(() => require("./node-CHBOeMvu.js"));
+	const { nodeRemove } = await Promise.resolve().then(() => require("./node-Dw2Gi-cP.js"));
 	await nodeRemove(id);
 	process.exit(0);
 });
 const arCmd = program.command("auto-reply").description("Auto-reply rule engine");
 arCmd.command("list").action(async () => {
-	const { AutoReplyEngine } = await Promise.resolve().then(() => require("./rules-Dp4iYVQ4.js"));
+	const { AutoReplyEngine } = await Promise.resolve().then(() => require("./rules-BE4GV6cV.js"));
 	const e = new AutoReplyEngine();
 	await e.load();
 	e.showList();
 	process.exit(0);
 });
 arCmd.command("toggle <id>").action(async (id) => {
-	const { AutoReplyEngine } = await Promise.resolve().then(() => require("./rules-Dp4iYVQ4.js"));
+	const { AutoReplyEngine } = await Promise.resolve().then(() => require("./rules-BE4GV6cV.js"));
 	const e = new AutoReplyEngine();
 	await e.toggle(id);
 	process.exit(0);
 });
 arCmd.command("remove <id>").action(async (id) => {
-	const { AutoReplyEngine } = await Promise.resolve().then(() => require("./rules-Dp4iYVQ4.js"));
+	const { AutoReplyEngine } = await Promise.resolve().then(() => require("./rules-BE4GV6cV.js"));
 	const e = new AutoReplyEngine();
 	await e.remove(id);
 	process.exit(0);
 });
 const gmailCmd = program.command("gmail").description("Gmail Pub/Sub real-time notifications");
 gmailCmd.command("watch-setup").description("Register Gmail watch for push notifications. Requires: hyperclaw auth oauth google-gmail").requiredOption("-t, --topic <name>", "Pub/Sub topic (e.g. projects/myproject/topics/gmail-push)").option("-l, --labels <ids>", "Label IDs to watch (comma-separated)", "INBOX").action(async (opts) => {
-	const chalk$13 = require("chalk");
+	const chalk$11 = require("chalk");
 	try {
-		const { setupGmailWatch } = await Promise.resolve().then(() => require("./gmail-watch-setup-C6_zNpp1.js"));
+		const { setupGmailWatch } = await Promise.resolve().then(() => require("./gmail-watch-setup-Du7DVV7S.js"));
 		const labelIds = opts.labels.split(",").map((s) => s.trim()).filter(Boolean);
 		const result = await setupGmailWatch({
 			topicName: opts.topic,
 			labelIds
 		});
-		console.log(chalk$13.hex("#06b6d4")("\n  ✔  Gmail watch registered"));
-		console.log(chalk$13.gray(`     historyId: ${result.historyId}`));
-		console.log(chalk$13.gray(`     expiration: ${new Date(parseInt(result.expiration, 10)).toISOString()}`));
-		console.log(chalk$13.gray("\n  Push endpoint: https://<your-server>/webhook/gmail-pubsub"));
-		console.log(chalk$13.gray("  Ensure email channel is enabled and gateway is publicly accessible.\n"));
+		console.log(chalk$11.hex("#06b6d4")("\n  ✔  Gmail watch registered"));
+		console.log(chalk$11.gray(`     historyId: ${result.historyId}`));
+		console.log(chalk$11.gray(`     expiration: ${new Date(parseInt(result.expiration, 10)).toISOString()}`));
+		console.log(chalk$11.gray("\n  Push endpoint: https://<your-server>/webhook/gmail-pubsub"));
+		console.log(chalk$11.gray("  Ensure email channel is enabled and gateway is publicly accessible.\n"));
 	} catch (e) {
-		console.error(chalk$13.red("\n  ✖  " + e.message + "\n"));
+		console.error(chalk$11.red("\n  ✖  " + e.message + "\n"));
 		process.exit(1);
 	}
 	process.exit(0);
 });
 const cronCmd = program.command("cron").description("Scheduled tasks (cron → agent prompt)");
 cronCmd.command("list").action(async () => {
-	const chalk$13 = require("chalk");
-	const { loadCronTasks } = await Promise.resolve().then(() => require("./cron-tasks-Bl9yuyCa.js"));
+	const chalk$11 = require("chalk");
+	const { loadCronTasks } = await Promise.resolve().then(() => require("./cron-tasks-Bli7Kzd2.js"));
 	const tasks = await loadCronTasks();
-	console.log(chalk$13.bold.cyan("\n  ⏰ CRON TASKS\n"));
+	console.log(chalk$11.bold.cyan("\n  ⏰ CRON TASKS\n"));
 	if (tasks.length === 0) {
-		console.log(chalk$13.gray("  No tasks. Add: hyperclaw cron add \"0 9 * * 1-5\" \"Check calendar\"\n"));
+		console.log(chalk$11.gray("  No tasks. Add: hyperclaw cron add \"0 9 * * 1-5\" \"Check calendar\"\n"));
 		process.exit(0);
 		return;
 	}
 	for (const t of tasks) {
-		const dot = t.enabled ? chalk$13.green("●") : chalk$13.gray("○");
-		console.log(`  ${dot} ${chalk$13.white(t.name || t.id)}`);
-		console.log(`     ${chalk$13.gray("Schedule:")} ${t.schedule}`);
-		console.log(`     ${chalk$13.gray("Prompt:")} ${t.prompt.slice(0, 60)}${t.prompt.length > 60 ? "..." : ""}`);
-		if (t.lastRunAt) console.log(`     ${chalk$13.gray("Last run:")} ${t.lastRunAt}`);
+		const dot = t.enabled ? chalk$11.green("●") : chalk$11.gray("○");
+		console.log(`  ${dot} ${chalk$11.white(t.name || t.id)}`);
+		console.log(`     ${chalk$11.gray("Schedule:")} ${t.schedule}`);
+		console.log(`     ${chalk$11.gray("Prompt:")} ${t.prompt.slice(0, 60)}${t.prompt.length > 60 ? "..." : ""}`);
+		if (t.lastRunAt) console.log(`     ${chalk$11.gray("Last run:")} ${t.lastRunAt}`);
 		console.log();
 	}
 	process.exit(0);
 });
 cronCmd.command("add").arguments("<schedule> <prompt>").option("-n, --name <name>", "Task name").action(async (schedule, prompt, opts) => {
-	const chalk$13 = require("chalk");
-	const { loadCronTasks, addCronTask, saveCronTasks } = await Promise.resolve().then(() => require("./cron-tasks-Bl9yuyCa.js"));
+	const chalk$11 = require("chalk");
+	const { loadCronTasks, addCronTask, saveCronTasks } = await Promise.resolve().then(() => require("./cron-tasks-Bli7Kzd2.js"));
 	await loadCronTasks();
 	addCronTask(schedule, prompt, opts.name);
 	await saveCronTasks();
-	console.log(chalk$13.green(`\n  ✔  Cron task added: ${schedule} → "${prompt.slice(0, 40)}..."\n`));
-	console.log(chalk$13.gray("  Restart gateway to apply.\n"));
+	console.log(chalk$11.green(`\n  ✔  Cron task added: ${schedule} → "${prompt.slice(0, 40)}..."\n`));
+	console.log(chalk$11.gray("  Restart gateway to apply.\n"));
 	process.exit(0);
 });
 cronCmd.command("remove <id>").action(async (id) => {
-	const chalk$13 = require("chalk");
-	const { loadCronTasks, removeCronTask, saveCronTasks } = await Promise.resolve().then(() => require("./cron-tasks-Bl9yuyCa.js"));
+	const chalk$11 = require("chalk");
+	const { loadCronTasks, removeCronTask, saveCronTasks } = await Promise.resolve().then(() => require("./cron-tasks-Bli7Kzd2.js"));
 	await loadCronTasks();
 	if (removeCronTask(id)) {
 		await saveCronTasks();
-		console.log(chalk$13.green(`\n  ✔  Task removed\n`));
-	} else console.log(chalk$13.red(`\n  ✖  Task not found: ${id}\n`));
+		console.log(chalk$11.green(`\n  ✔  Task removed\n`));
+	} else console.log(chalk$11.red(`\n  ✖  Task not found: ${id}\n`));
 	process.exit(0);
 });
 program.command("nodes").description("List connected mobile nodes (iOS/Android Connect tab)").action(async () => {
-	const chalk$13 = require("chalk");
+	const chalk$11 = require("chalk");
 	const http$2 = await import("http");
-	const fs$10 = await import("fs-extra");
-	const path$10 = await import("path");
-	const os$9 = await import("os");
+	const fs$7 = await import("fs-extra");
+	const path$7 = await import("path");
+	const os$8 = await import("os");
 	let port = 18789;
 	try {
-		const cfg = await fs$10.readJson(path$10.join(os$9.homedir(), ".hyperclaw", "hyperclaw.json"));
+		const cfg = await fs$7.readJson(path$7.join(os$8.homedir(), ".hyperclaw", "hyperclaw.json"));
 		port = cfg?.gateway?.port ?? 18789;
 	} catch {}
 	return new Promise((resolve, reject) => {
@@ -3057,26 +3435,26 @@ program.command("nodes").description("List connected mobile nodes (iOS/Android C
 				try {
 					const j = JSON.parse(data);
 					const nodes = j.nodes || [];
-					console.log(chalk$13.bold.cyan("\n  📱 CONNECTED NODES\n"));
+					console.log(chalk$11.bold.cyan("\n  📱 CONNECTED NODES\n"));
 					if (nodes.length === 0) {
-						console.log(chalk$13.gray("  No mobile nodes. Open iOS/Android app → Connect tab → pair with gateway."));
-						console.log(chalk$13.gray(`  Gateway: ws://localhost:${port}\n`));
+						console.log(chalk$11.gray("  No mobile nodes. Open iOS/Android app → Connect tab → pair with gateway."));
+						console.log(chalk$11.gray(`  Gateway: ws://localhost:${port}\n`));
 					} else {
 						for (const n of nodes) {
-							console.log(`  ${chalk$13.green("●")} ${n.nodeId} ${chalk$13.gray(`(${n.platform || "?"})`)}`);
-							console.log(`    ${chalk$13.gray("Device:")} ${n.deviceName || "—"}`);
-							console.log(`    ${chalk$13.gray("Capabilities:")} ${Object.entries(n.capabilities || {}).filter(([, v]) => v).map(([k]) => k).join(", ") || "—"}`);
+							console.log(`  ${chalk$11.green("●")} ${n.nodeId} ${chalk$11.gray(`(${n.platform || "?"})`)}`);
+							console.log(`    ${chalk$11.gray("Device:")} ${n.deviceName || "—"}`);
+							console.log(`    ${chalk$11.gray("Capabilities:")} ${Object.entries(n.capabilities || {}).filter(([, v]) => v).map(([k]) => k).join(", ") || "—"}`);
 						}
 						console.log();
 					}
 				} catch {
-					console.log(chalk$13.red("  Could not reach gateway. Start with: hyperclaw daemon start\n"));
+					console.log(chalk$11.red("  Could not reach gateway. Start with: hyperclaw daemon start\n"));
 				}
 				resolve();
 			});
 		});
 		req.on("error", () => {
-			console.log(chalk$13.red("  Gateway offline. Start with: hyperclaw daemon start\n"));
+			console.log(chalk$11.red("  Gateway offline. Start with: hyperclaw daemon start\n"));
 			resolve();
 		});
 		req.setTimeout(3e3, () => {
@@ -3087,20 +3465,20 @@ program.command("nodes").description("List connected mobile nodes (iOS/Android C
 });
 const whCmd = program.command("webhooks").description("Webhook endpoint management");
 whCmd.command("list").action(async () => {
-	const { WebhookManager } = await Promise.resolve().then(() => require("./manager-DyEeuP9g.js"));
+	const { WebhookManager } = await Promise.resolve().then(() => require("./manager-BpDfbDjg.js"));
 	const m = new WebhookManager();
 	await m.load();
 	m.showList();
 	process.exit(0);
 });
 whCmd.command("remove <id>").action(async (id) => {
-	const { WebhookManager } = await Promise.resolve().then(() => require("./manager-DyEeuP9g.js"));
+	const { WebhookManager } = await Promise.resolve().then(() => require("./manager-BpDfbDjg.js"));
 	const m = new WebhookManager();
 	await m.remove(id);
 	process.exit(0);
 });
 whCmd.command("toggle <id>").action(async (id) => {
-	const { WebhookManager } = await Promise.resolve().then(() => require("./manager-DyEeuP9g.js"));
+	const { WebhookManager } = await Promise.resolve().then(() => require("./manager-BpDfbDjg.js"));
 	const m = new WebhookManager();
 	await m.toggle(id);
 	process.exit(0);
@@ -3109,7 +3487,7 @@ const logsCmd = program.command("logs").description("View gateway logs");
 logsCmd.option("-n, --lines <n>", "Number of lines to show", "50");
 logsCmd.option("-f, --follow", "Stream logs in real time");
 logsCmd.action(async (opts) => {
-	const { tailLog, streamLog } = await Promise.resolve().then(() => require("./logger-CWyS7qAp.js"));
+	const { tailLog, streamLog } = await Promise.resolve().then(() => require("./logger-ybOp7VOC.js"));
 	if (opts.follow) await streamLog();
 	else {
 		await tailLog(parseInt(opts.lines));
@@ -3117,7 +3495,7 @@ logsCmd.action(async (opts) => {
 	}
 });
 program.command("gateway:serve").description("Start the gateway server in the foreground (used by daemon)").action(async () => {
-	const { startGateway } = await Promise.resolve().then(() => require("./server-RBqwE_GN.js"));
+	const { startGateway } = await Promise.resolve().then(() => require("./server-D4wVHiX9.js"));
 	await startGateway();
 	process.on("SIGINT", () => process.exit(0));
 	process.on("SIGTERM", () => process.exit(0));
@@ -3125,15 +3503,15 @@ program.command("gateway:serve").description("Start the gateway server in the fo
 });
 const gatewayCfgCmd = gatewayCmd.command("config").description("Configure gateway settings");
 gatewayCfgCmd.option("--set-token <token>", "Set gateway auth token").option("--regenerate-token", "Generate a new random token").option("--set-port <port>", "Set gateway port").option("--set-bind <addr>", "Set gateway bind address").action(async (opts) => {
-	const chalk$13 = require("chalk");
-	const fs$10 = require("fs-extra");
-	const path$10 = require("path");
-	const os$9 = require("os");
-	const crypto = require("crypto");
-	const cfgFile = path$10.join(os$9.homedir(), ".hyperclaw", "hyperclaw.json");
+	const chalk$11 = require("chalk");
+	const fs$7 = require("fs-extra");
+	const path$7 = require("path");
+	const os$8 = require("os");
+	const crypto$2 = require("crypto");
+	const cfgFile = path$7.join(os$8.homedir(), ".hyperclaw", "hyperclaw.json");
 	let cfg = {};
 	try {
-		cfg = await fs$10.readJson(cfgFile);
+		cfg = await fs$7.readJson(cfgFile);
 	} catch {}
 	if (!cfg.gateway) cfg.gateway = {
 		port: 18789,
@@ -3144,53 +3522,53 @@ gatewayCfgCmd.option("--set-token <token>", "Set gateway auth token").option("--
 		hooks: true
 	};
 	if (opts.regenerateToken) {
-		cfg.gateway.authToken = crypto.randomBytes(32).toString("hex");
-		console.log(chalk$13.hex("#06b6d4")("\n  ✔  New gateway token generated"));
-		console.log(chalk$13.gray(`  Token: ${cfg.gateway.authToken}`));
+		cfg.gateway.authToken = crypto$2.randomBytes(32).toString("hex");
+		console.log(chalk$11.hex("#06b6d4")("\n  ✔  New gateway token generated"));
+		console.log(chalk$11.gray(`  Token: ${cfg.gateway.authToken}`));
 	}
 	if (opts.setToken) {
 		cfg.gateway.authToken = opts.setToken;
-		console.log(chalk$13.hex("#06b6d4")(`\n  ✔  Gateway token set`));
+		console.log(chalk$11.hex("#06b6d4")(`\n  ✔  Gateway token set`));
 	}
 	if (opts.setPort) {
 		cfg.gateway.port = parseInt(opts.setPort);
-		console.log(chalk$13.hex("#06b6d4")(`\n  ✔  Port set to ${cfg.gateway.port}`));
+		console.log(chalk$11.hex("#06b6d4")(`\n  ✔  Port set to ${cfg.gateway.port}`));
 	}
 	if (opts.setBind) {
 		cfg.gateway.bind = opts.setBind;
-		console.log(chalk$13.hex("#06b6d4")(`\n  ✔  Bind set to ${cfg.gateway.bind}`));
+		console.log(chalk$11.hex("#06b6d4")(`\n  ✔  Bind set to ${cfg.gateway.bind}`));
 	}
-	await fs$10.ensureDir(path$10.dirname(cfgFile));
-	await fs$10.writeJson(cfgFile, cfg, { spaces: 2 });
-	await fs$10.chmod(cfgFile, 384);
-	console.log(chalk$13.gray(`  Saved to ${cfgFile}\n`));
+	await fs$7.ensureDir(path$7.dirname(cfgFile));
+	await fs$7.writeJson(cfgFile, cfg, { spaces: 2 });
+	await fs$7.chmod(cfgFile, 384);
+	console.log(chalk$11.gray(`  Saved to ${cfgFile}\n`));
 	process.exit(0);
 });
 const authCmd = program.command("auth").description("OAuth and provider credentials");
 authCmd.command("add <service_id>").description("Add API key for a service (any provider we do not ship). Stored in credentials/ and .env.").option("--key <api_key>", "API key (prompts if omitted)").option("--base-url <url>", "Base URL (optional, e.g. https://api.example.com)").option("--env-var <name>", "Env var name (default: <SERVICE_ID>_API_KEY)").action(async (serviceId, opts) => {
-	const chalk$13 = require("chalk");
-	const inquirer$3 = require("inquirer");
-	const { CredentialsStore } = await Promise.resolve().then(() => require("./credentials-store-B3anVuZD.js"));
-	const { getHyperClawDir: getHyperClawDir$1, getEnvFilePath } = await Promise.resolve().then(() => require("./paths-D-QecARF.js"));
-	const { getApiKeyGuide, GENERIC_API_KEY_STEPS } = await Promise.resolve().then(() => require("./api-keys-guide-Bzig1R5W.js"));
-	const fs$10 = await import("fs-extra");
-	const path$10 = await import("path");
+	const chalk$11 = require("chalk");
+	const inquirer$2 = require("inquirer");
+	const { CredentialsStore } = await Promise.resolve().then(() => require("./credentials-store-C6ir0Dae.js"));
+	const { getHyperClawDir, getEnvFilePath } = await Promise.resolve().then(() => require("./paths-D-QecARF.js"));
+	const { getApiKeyGuide, GENERIC_API_KEY_STEPS } = await Promise.resolve().then(() => require("./api-keys-guide-BCcOl0Q7.js"));
+	const fs$7 = await import("fs-extra");
+	const path$7 = await import("path");
 	const guide = getApiKeyGuide(serviceId);
 	const steps = guide?.setupSteps ?? GENERIC_API_KEY_STEPS;
-	console.log(chalk$13.bold.hex("#06b6d4")(`\n  🔑 Add API key: ${guide?.name ?? serviceId}\n`));
-	console.log(chalk$13.bold("  Steps:\n"));
-	for (const step of steps) if (step.startsWith("  🔗")) console.log(chalk$13.hex("#06b6d4")(step));
-	else if (step.startsWith("  💡")) console.log(chalk$13.gray(step));
-	else console.log(chalk$13.gray(`  ${step}`));
+	console.log(chalk$11.bold.hex("#06b6d4")(`\n  🔑 Add API key: ${guide?.name ?? serviceId}\n`));
+	console.log(chalk$11.bold("  Steps:\n"));
+	for (const step of steps) if (step.startsWith("  🔗")) console.log(chalk$11.hex("#06b6d4")(step));
+	else if (step.startsWith("  💡")) console.log(chalk$11.gray(step));
+	else console.log(chalk$11.gray(`  ${step}`));
 	console.log();
 	const safeId = serviceId.replace(/[^a-zA-Z0-9_-]/g, "_").toLowerCase();
 	if (!safeId) {
-		console.log(chalk$13.red("\n  ✖  Invalid service ID\n"));
+		console.log(chalk$11.red("\n  ✖  Invalid service ID\n"));
 		process.exit(1);
 	}
 	let apiKey = opts.key || process.env[`${safeId.toUpperCase().replace(/-/g, "_")}_API_KEY`];
 	if (!apiKey) {
-		const { key } = await inquirer$3.prompt([{
+		const { key } = await inquirer$2.prompt([{
 			type: "password",
 			name: "key",
 			message: `API key for ${serviceId}:`,
@@ -3199,7 +3577,7 @@ authCmd.command("add <service_id>").description("Add API key for a service (any
 		}]);
 		apiKey = key.trim();
 	}
-	const creds = new CredentialsStore(getHyperClawDir$1());
+	const creds = new CredentialsStore(getHyperClawDir());
 	await creds.set(safeId, {
 		apiKey,
 		...opts.baseUrl ? { baseUrl: opts.baseUrl } : {},
@@ -3207,52 +3585,52 @@ authCmd.command("add <service_id>").description("Add API key for a service (any
 	});
 	const envVar = opts.envVar || `${safeId.toUpperCase().replace(/-/g, "_")}_API_KEY`;
 	const envPath = getEnvFilePath();
-	await fs$10.ensureDir(path$10.dirname(envPath));
+	await fs$7.ensureDir(path$7.dirname(envPath));
 	let envContent = "";
-	if (await fs$10.pathExists(envPath)) envContent = await fs$10.readFile(envPath, "utf8");
+	if (await fs$7.pathExists(envPath)) envContent = await fs$7.readFile(envPath, "utf8");
 	const envLine = `${envVar}=${apiKey}`;
 	const re = new RegExp(`^${envVar}=.*$`, "m");
 	if (re.test(envContent)) envContent = envContent.replace(re, envLine);
 	else envContent = envContent.trimEnd() + (envContent ? "\n" : "") + envLine + "\n";
-	await fs$10.writeFile(envPath, envContent, { mode: 384 });
-	console.log(chalk$13.hex("#06b6d4")(`\n  ✔  Added: ${safeId}`));
-	console.log(chalk$13.gray(`     Credentials: ~/.hyperclaw/credentials/${safeId}.json`));
-	console.log(chalk$13.gray(`     Env: ${envVar} (in .env — use in skills via process.env.${envVar.replace(/-/g, "_")})`));
-	console.log(chalk$13.gray("\n  Run: hyperclaw secrets apply   to add to shell"));
-	console.log(chalk$13.gray("  Run: hyperclaw secrets reload  to inject into running gateway\n"));
+	await fs$7.writeFile(envPath, envContent, { mode: 384 });
+	console.log(chalk$11.hex("#06b6d4")(`\n  ✔  Added: ${safeId}`));
+	console.log(chalk$11.gray(`     Credentials: ~/.hyperclaw/credentials/${safeId}.json`));
+	console.log(chalk$11.gray(`     Env: ${envVar} (in .env — use in skills via process.env.${envVar.replace(/-/g, "_")})`));
+	console.log(chalk$11.gray("\n  Run: hyperclaw secrets apply   to add to shell"));
+	console.log(chalk$11.gray("  Run: hyperclaw secrets reload  to inject into running gateway\n"));
 	process.exit(0);
 });
 authCmd.command("remove <service_id>").description("Remove API key for a service from credentials and .env").action(async (serviceId) => {
-	const chalk$13 = require("chalk");
-	const { CredentialsStore } = await Promise.resolve().then(() => require("./credentials-store-B3anVuZD.js"));
-	const { getHyperClawDir: getHyperClawDir$1, getEnvFilePath } = await Promise.resolve().then(() => require("./paths-D-QecARF.js"));
-	const fs$10 = await import("fs-extra");
+	const chalk$11 = require("chalk");
+	const { CredentialsStore } = await Promise.resolve().then(() => require("./credentials-store-C6ir0Dae.js"));
+	const { getHyperClawDir, getEnvFilePath } = await Promise.resolve().then(() => require("./paths-D-QecARF.js"));
+	const fs$7 = await import("fs-extra");
 	const safeId = serviceId.replace(/[^a-zA-Z0-9_-]/g, "_").toLowerCase();
-	const creds = new CredentialsStore(getHyperClawDir$1());
+	const creds = new CredentialsStore(getHyperClawDir());
 	await creds.remove(safeId);
 	const envVar = `${safeId.toUpperCase().replace(/-/g, "_")}_API_KEY`;
 	const envPath = getEnvFilePath();
-	if (await fs$10.pathExists(envPath)) {
-		let c = await fs$10.readFile(envPath, "utf8");
+	if (await fs$7.pathExists(envPath)) {
+		let c = await fs$7.readFile(envPath, "utf8");
 		c = c.replace(new RegExp(`^${envVar}=.*\n?`, "gm"), "");
-		await fs$10.writeFile(envPath, c);
+		await fs$7.writeFile(envPath, c);
 	}
-	console.log(chalk$13.hex("#06b6d4")(`\n  ✔  Removed: ${safeId}\n`));
+	console.log(chalk$11.hex("#06b6d4")(`\n  ✔  Removed: ${safeId}\n`));
 	process.exit(0);
 });
 authCmd.command("oauth <provider>").description("Run full OAuth flow. Providers: google, google-gmail (Gmail Pub/Sub), microsoft").option("--client-id <id>", "OAuth client ID (or GOOGLE_OAUTH_CLIENT_ID)").option("--client-secret <secret>", "OAuth client secret (optional for PKCE)").action(async (provider, opts) => {
-	const chalk$13 = require("chalk");
-	const ora$6 = (await import("ora")).default;
+	const chalk$11 = require("chalk");
+	const ora$4 = (await import("ora")).default;
 	try {
-		const { runOAuthFlow } = await Promise.resolve().then(() => require("./oauth-flow-HdvMxKmZ.js"));
-		const spinner = ora$6("Starting OAuth flow...").start();
+		const { runOAuthFlow } = await Promise.resolve().then(() => require("./oauth-flow-DQPvMHRH.js"));
+		const spinner = ora$4("Starting OAuth flow...").start();
 		spinner.text = "Opening browser — complete the consent and return here.";
 		const tokens = await runOAuthFlow(provider, {
 			clientId: opts.clientId,
 			clientSecret: opts.clientSecret
 		});
 		spinner.stop();
-		const { writeOAuthToken } = await Promise.resolve().then(() => require("./oauth-provider-DfEgSucI.js"));
+		const { writeOAuthToken } = await Promise.resolve().then(() => require("./oauth-provider-Uo4Nib_c.js"));
 		const now = Math.floor(Date.now() / 1e3);
 		const expires_at = tokens.expires_in ? now + tokens.expires_in : void 0;
 		const tokenUrl = provider === "google" || provider === "google-gmail" ? "https://oauth2.googleapis.com/token" : provider === "microsoft" ? "https://login.microsoftonline.com/common/oauth2/v2.0/token" : void 0;
@@ -3262,46 +3640,46 @@ authCmd.command("oauth <provider>").description("Run full OAuth flow. Providers:
 			expires_at,
 			token_url: tokenUrl
 		});
-		console.log(chalk$13.hex("#06b6d4")(`\n  ✔  OAuth tokens saved for: ${provider}`));
-		console.log(chalk$13.gray("  Set in hyperclaw.json: \"provider\": { \"authType\": \"oauth\", \"providerId\": \"" + provider + "\" }\n"));
+		console.log(chalk$11.hex("#06b6d4")(`\n  ✔  OAuth tokens saved for: ${provider}`));
+		console.log(chalk$11.gray("  Set in hyperclaw.json: \"provider\": { \"authType\": \"oauth\", \"providerId\": \"" + provider + "\" }\n"));
 	} catch (e) {
-		console.error(chalk$13.red("\n  ✖  OAuth failed: " + e.message + "\n"));
+		console.error(chalk$11.red("\n  ✖  OAuth failed: " + e.message + "\n"));
 		process.exit(1);
 	}
 	process.exit(0);
 });
 authCmd.command("setup-token <provider>").description("Save setup token (Anthropic Claude Pro/Max). Run: claude setup-token, paste result here.").action(async (provider) => {
-	const chalk$13 = require("chalk");
-	const inquirer$3 = await import("inquirer");
+	const chalk$11 = require("chalk");
+	const inquirer$2 = await import("inquirer");
 	if (provider !== "anthropic") {
-		console.log(chalk$13.yellow(`\n  Provider "${provider}" may not support setup-token. Use "hyperclaw auth add" for API keys.\n`));
+		console.log(chalk$11.yellow(`\n  Provider "${provider}" may not support setup-token. Use "hyperclaw auth add" for API keys.\n`));
 		process.exit(1);
 	}
-	const { token } = await inquirer$3.default.prompt([{
+	const { token } = await inquirer$2.default.prompt([{
 		type: "password",
 		name: "token",
 		message: "Paste setup token from `claude setup-token`:",
 		mask: "●"
 	}]);
 	if (!token?.trim()) {
-		console.log(chalk$13.red("\n  ✖  No token provided.\n"));
+		console.log(chalk$11.red("\n  ✖  No token provided.\n"));
 		process.exit(1);
 	}
-	const { writeOAuthToken } = await Promise.resolve().then(() => require("./oauth-provider-DfEgSucI.js"));
+	const { writeOAuthToken } = await Promise.resolve().then(() => require("./oauth-provider-Uo4Nib_c.js"));
 	await writeOAuthToken("anthropic-setup", {
 		access_token: token.trim(),
 		token_url: "https://api.anthropic.com"
 	});
-	console.log(chalk$13.hex("#06b6d4")("\n  ✔  Anthropic setup token saved to ~/.hyperclaw/oauth-anthropic-setup.json"));
-	console.log(chalk$13.gray("  Use providerId: anthropic with authType: oauth and oauthTokenPath for Claude Pro/Max.\n"));
+	console.log(chalk$11.hex("#06b6d4")("\n  ✔  Anthropic setup token saved to ~/.hyperclaw/oauth-anthropic-setup.json"));
+	console.log(chalk$11.gray("  Use providerId: anthropic with authType: oauth and oauthTokenPath for Claude Pro/Max.\n"));
 	process.exit(0);
 });
 authCmd.command("oauth-set <provider>").description("Save OAuth tokens manually (access_token, refresh_token, etc.) to ~/.hyperclaw/oauth-<provider>.json").option("--token <access_token>", "Access token").option("--refresh <refresh_token>", "Refresh token (optional)").option("--expires-in <seconds>", "Token lifetime in seconds (optional)").option("--token-url <url>", "Refresh endpoint URL (optional)").action(async (provider, opts) => {
-	const chalk$13 = require("chalk");
-	const { writeOAuthToken } = await Promise.resolve().then(() => require("./oauth-provider-DfEgSucI.js"));
+	const chalk$11 = require("chalk");
+	const { writeOAuthToken } = await Promise.resolve().then(() => require("./oauth-provider-Uo4Nib_c.js"));
 	const access_token = opts.token || process.env.OAUTH_ACCESS_TOKEN;
 	if (!access_token) {
-		console.log(chalk$13.red("\n  ✖  Provide --token <access_token> or set OAUTH_ACCESS_TOKEN\n"));
+		console.log(chalk$11.red("\n  ✖  Provide --token <access_token> or set OAUTH_ACCESS_TOKEN\n"));
 		process.exit(1);
 	}
 	const expires_at = opts.expiresIn ? Math.floor(Date.now() / 1e3) + parseInt(opts.expiresIn, 10) : void 0;
@@ -3311,22 +3689,22 @@ authCmd.command("oauth-set <provider>").description("Save OAuth tokens manually
 		expires_at,
 		token_url: opts.tokenUrl || void 0
 	});
-	console.log(chalk$13.hex("#06b6d4")(`\n  ✔  OAuth tokens saved for provider: ${provider}`));
-	console.log(chalk$13.gray("  Set in hyperclaw.json: \"provider\": { \"authType\": \"oauth\", \"providerId\": \"" + provider + "\" }\n"));
+	console.log(chalk$11.hex("#06b6d4")(`\n  ✔  OAuth tokens saved for provider: ${provider}`));
+	console.log(chalk$11.gray("  Set in hyperclaw.json: \"provider\": { \"authType\": \"oauth\", \"providerId\": \"" + provider + "\" }\n"));
 	process.exit(0);
 });
 const workspaceCmd = program.command("workspace").description("Manage agent workspace files");
 workspaceCmd.command("init [dir]").description("Initialize workspace files (SOUL.md, USER.md, TOOLS.md, HEARTBEAT.md, BOOTSTRAP.md) in a directory").action(async (dir) => {
-	const chalk$13 = require("chalk");
-	const fs$10 = require("fs-extra");
-	const path$10 = require("path");
-	const os$9 = require("os");
-	const targetDir = dir || path$10.join(os$9.homedir(), ".hyperclaw");
+	const chalk$11 = require("chalk");
+	const fs$7 = require("fs-extra");
+	const path$7 = require("path");
+	const os$8 = require("os");
+	const targetDir = dir || path$7.join(os$8.homedir(), ".hyperclaw");
 	let cfg = {};
 	try {
-		cfg = await fs$10.readJson(path$10.join(os$9.homedir(), ".hyperclaw", "hyperclaw.json"));
+		cfg = await fs$7.readJson(path$7.join(os$8.homedir(), ".hyperclaw", "hyperclaw.json"));
 	} catch {}
-	const { initWorkspaceFiles } = await Promise.resolve().then(() => require("./memory-DIZLpg-p.js"));
+	const { initWorkspaceFiles } = await Promise.resolve().then(() => require("./memory-BlHL7JCO.js"));
 	await initWorkspaceFiles({
 		agentName: cfg.identity?.agentName || "Hyper",
 		personality: cfg.identity?.personality || "helpful and concise",
@@ -3334,17 +3712,17 @@ workspaceCmd.command("init [dir]").description("Initialize workspace files (SOUL
 		userName: cfg.identity?.userName || "User",
 		rules: cfg.identity?.rules ?? []
 	}, targetDir);
-	console.log(chalk$13.hex("#06b6d4")(`\n  ✔  Workspace files initialized in ${targetDir}`));
-	console.log(chalk$13.gray("  Files: SOUL.md  USER.md  TOOLS.md  HEARTBEAT.md  BOOTSTRAP.md\n"));
+	console.log(chalk$11.hex("#06b6d4")(`\n  ✔  Workspace files initialized in ${targetDir}`));
+	console.log(chalk$11.gray("  Files: SOUL.md  USER.md  TOOLS.md  HEARTBEAT.md  BOOTSTRAP.md\n"));
 	process.exit(0);
 });
 workspaceCmd.command("show [dir]").description("Show workspace files summary").action(async (dir) => {
-	const chalk$13 = require("chalk");
-	const fs$10 = require("fs-extra");
-	const path$10 = require("path");
-	const os$9 = require("os");
-	const targetDir = dir || path$10.join(os$9.homedir(), ".hyperclaw");
-	console.log(chalk$13.bold.hex("#06b6d4")("\n  📁 WORKSPACE\n"));
+	const chalk$11 = require("chalk");
+	const fs$7 = require("fs-extra");
+	const path$7 = require("path");
+	const os$8 = require("os");
+	const targetDir = dir || path$7.join(os$8.homedir(), ".hyperclaw");
+	console.log(chalk$11.bold.hex("#06b6d4")("\n  📁 WORKSPACE\n"));
 	for (const fname of [
 		"SOUL.md",
 		"USER.md",
@@ -3354,45 +3732,45 @@ workspaceCmd.command("show [dir]").description("Show workspace files summary").a
 		"AGENTS.md",
 		"MEMORY.md"
 	]) {
-		const fpath = path$10.join(targetDir, fname);
-		const exists = await fs$10.pathExists(fpath);
-		const size = exists ? (await fs$10.stat(fpath)).size : 0;
-		const dot = exists ? chalk$13.hex("#06b6d4")("✔") : chalk$13.gray("○");
-		console.log(`  ${dot} ${fname.padEnd(14)} ${exists ? chalk$13.gray(`${size} bytes`) : chalk$13.gray("(missing)")}`);
+		const fpath = path$7.join(targetDir, fname);
+		const exists = await fs$7.pathExists(fpath);
+		const size = exists ? (await fs$7.stat(fpath)).size : 0;
+		const dot = exists ? chalk$11.hex("#06b6d4")("✔") : chalk$11.gray("○");
+		console.log(`  ${dot} ${fname.padEnd(14)} ${exists ? chalk$11.gray(`${size} bytes`) : chalk$11.gray("(missing)")}`);
 	}
 	console.log();
 	process.exit(0);
 });
 const botCmd = program.command("bot").description("HyperClaw Bot — companion bot for remote gateway control");
 botCmd.command("status").action(async () => {
-	const { showBotStatus } = await Promise.resolve().then(() => require("./hyperclawbot-DfMGowZC.js"));
+	const { showBotStatus } = await Promise.resolve().then(() => require("./hyperclawbot-zvczQgKx.js"));
 	await showBotStatus();
 	process.exit(0);
 });
 botCmd.command("setup").description("Configure HyperClaw Bot (Telegram token, allowed users)").action(async () => {
-	const inquirer$3 = require("inquirer");
-	const { saveBotConfig } = await Promise.resolve().then(() => require("./hyperclawbot-DfMGowZC.js"));
-	const chalk$13 = require("chalk");
-	console.log(chalk$13.bold.hex("#06b6d4")("\n  🦅 HYPERCLAW BOT SETUP\n"));
-	console.log(chalk$13.gray("  Create a bot at t.me/BotFather, then paste the token below.\n"));
-	const { platform } = await inquirer$3.prompt([{
+	const inquirer$2 = require("inquirer");
+	const { saveBotConfig } = await Promise.resolve().then(() => require("./hyperclawbot-zvczQgKx.js"));
+	const chalk$11 = require("chalk");
+	console.log(chalk$11.bold.hex("#06b6d4")("\n  🦅 HYPERCLAW BOT SETUP\n"));
+	console.log(chalk$11.gray("  Create a bot at t.me/BotFather, then paste the token below.\n"));
+	const { platform } = await inquirer$2.prompt([{
 		type: "list",
 		name: "platform",
 		message: "Platform:",
 		choices: ["telegram", "discord"]
 	}]);
-	const { token } = await inquirer$3.prompt([{
+	const { token } = await inquirer$2.prompt([{
 		type: "input",
 		name: "token",
 		message: platform === "telegram" ? "Bot token (from @BotFather):" : "Discord bot token:",
 		validate: (v) => v.trim().length > 10 || "Required"
 	}]);
-	const { userIds } = await inquirer$3.prompt([{
+	const { userIds } = await inquirer$2.prompt([{
 		type: "input",
 		name: "userIds",
 		message: "Allowed user IDs (comma-separated, leave empty for unrestricted):"
 	}]);
-	const { gatewayUrl } = await inquirer$3.prompt([{
+	const { gatewayUrl } = await inquirer$2.prompt([{
 		type: "input",
 		name: "gatewayUrl",
 		message: "Gateway URL:",
@@ -3408,20 +3786,20 @@ botCmd.command("setup").description("Configure HyperClaw Bot (Telegram token, al
 		createdAt: (/* @__PURE__ */ new Date()).toISOString()
 	};
 	await saveBotConfig(cfg);
-	console.log(chalk$13.hex("#06b6d4")("\n  ✔  HyperClaw Bot configured"));
+	console.log(chalk$11.hex("#06b6d4")("\n  ✔  HyperClaw Bot configured"));
 	if (platform === "discord") try {
 		require.resolve("discord.js");
 	} catch {
-		console.log(chalk$13.yellow("  ⚠  For Discord: run: npm install discord.js"));
+		console.log(chalk$11.yellow("  ⚠  For Discord: run: npm install discord.js"));
 	}
-	console.log(chalk$13.gray("  Start with: hyperclaw bot start\n"));
+	console.log(chalk$11.gray("  Start with: hyperclaw bot start\n"));
 	process.exit(0);
 });
 botCmd.command("start").description("Start HyperClaw Bot (foreground or background)").option("--background", "Run bot in background (use hyperclaw bot stop to stop)").action(async (opts) => {
 	const { spawn } = await import("child_process");
-	const path$10 = await import("path");
+	const path$7 = await import("path");
 	if (opts?.background) {
-		const entry = process.argv[1] || path$10.join(__dirname, "run-main.js");
+		const entry = process.argv[1] || path$7.join(__dirname, "run-main.js");
 		const child = spawn(process.execPath, [
 			entry,
 			"bot",
@@ -3433,14 +3811,14 @@ botCmd.command("start").description("Start HyperClaw Bot (foreground or backgrou
 			cwd: process.cwd()
 		});
 		child.unref();
-		const { writeBotPid } = await Promise.resolve().then(() => require("./hyperclawbot-DfMGowZC.js"));
+		const { writeBotPid } = await Promise.resolve().then(() => require("./hyperclawbot-zvczQgKx.js"));
 		await writeBotPid(child.pid);
 		console.log(require("chalk").green(`\n  ✔  HyperClaw Bot started in background (PID ${child.pid})`));
 		console.log(require("chalk").gray("  Stop with: hyperclaw bot stop\n"));
 		process.exit(0);
 		return;
 	}
-	const { loadBotConfig, TelegramHyperClawBot, DiscordHyperClawBot } = await Promise.resolve().then(() => require("./hyperclawbot-DfMGowZC.js"));
+	const { loadBotConfig, TelegramHyperClawBot, DiscordHyperClawBot } = await Promise.resolve().then(() => require("./hyperclawbot-zvczQgKx.js"));
 	const cfg = await loadBotConfig();
 	if (!cfg) {
 		console.log(require("chalk").red("\n  ✖  HyperClaw Bot not configured. Run: hyperclaw bot setup\n"));
@@ -3466,42 +3844,42 @@ botCmd.command("start").description("Start HyperClaw Bot (foreground or backgrou
 	}
 });
 botCmd.command("stop").description("Stop HyperClaw Bot (when running in background)").action(async () => {
-	const chalk$13 = require("chalk");
-	const { stopBotProcess } = await Promise.resolve().then(() => require("./hyperclawbot-DfMGowZC.js"));
+	const chalk$11 = require("chalk");
+	const { stopBotProcess } = await Promise.resolve().then(() => require("./hyperclawbot-zvczQgKx.js"));
 	const stopped = await stopBotProcess();
-	if (stopped) console.log(chalk$13.green("\n  ✔  HyperClaw Bot stopped\n"));
-	else console.log(chalk$13.gray("\n  Bot not running in background (no PID file). Use Ctrl+C to stop foreground bot.\n"));
+	if (stopped) console.log(chalk$11.green("\n  ✔  HyperClaw Bot stopped\n"));
+	else console.log(chalk$11.gray("\n  Bot not running in background (no PID file). Use Ctrl+C to stop foreground bot.\n"));
 	process.exit(stopped ? 0 : 0);
 });
 memCmd.command("search <query>").description("Search MEMORY.md").action(async (query) => {
-	const { searchMemory } = await Promise.resolve().then(() => require("./src-BptR-54a.js"));
+	const { searchMemory } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await searchMemory(query);
 	process.exit(0);
 });
 memCmd.command("auto-show").description("Show auto-extracted memories from MEMORY.md").action(async () => {
-	const { showMemory } = await Promise.resolve().then(() => require("./src-BptR-54a.js"));
+	const { showMemory } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await showMemory();
 	process.exit(0);
 });
 memCmd.command("clear").description("Clear all auto-extracted memories").action(async () => {
-	const { clearMemory } = await Promise.resolve().then(() => require("./src-BptR-54a.js"));
+	const { clearMemory } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await clearMemory();
 	process.exit(0);
 });
 memCmd.command("save <text>").description("Manually save a fact to MEMORY.md").action(async (text) => {
-	const { saveMemoryDirect } = await Promise.resolve().then(() => require("./src-BptR-54a.js"));
+	const { saveMemoryDirect } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await saveMemoryDirect(text);
 	console.log(chalk.default.hex("#06b6d4")(`  ✅ Saved: ${text}\n`));
 	process.exit(0);
 });
 const pcCmd = program.command("pc").description("PC access — give the AI access to your computer");
 pcCmd.command("status").description("Show PC access status and config").action(async () => {
-	const { showPCAccessStatus } = await Promise.resolve().then(() => require("./src-BptR-54a.js"));
+	const { showPCAccessStatus } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await showPCAccessStatus();
 	process.exit(0);
 });
 pcCmd.command("enable").description("Enable PC access for the AI").option("--level <level>", "Access level: read-only | sandboxed | full", "full").option("--paths <paths>", "Comma-separated allowed paths (sandboxed mode)").action(async (opts) => {
-	const { savePCAccessConfig } = await Promise.resolve().then(() => require("./src-BptR-54a.js"));
+	const { savePCAccessConfig } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	const level = opts.level;
 	const allowed = [
 		"read-only",
@@ -3528,7 +3906,7 @@ pcCmd.command("enable").description("Enable PC access for the AI").option("--lev
 	process.exit(0);
 });
 pcCmd.command("disable").description("Disable PC access").action(async () => {
-	const { savePCAccessConfig } = await Promise.resolve().then(() => require("./src-BptR-54a.js"));
+	const { savePCAccessConfig } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await savePCAccessConfig({ enabled: false });
 	console.log(chalk.default.hex("#06b6d4")("\n  ✅ PC access disabled\n"));
 	process.exit(0);
@@ -3552,7 +3930,7 @@ pcCmd.command("log").description("Show PC access audit log").option("-n, --lines
 	process.exit(0);
 });
 pcCmd.command("run <command>").description("Run a shell command via PC access (must be enabled)").action(async (command) => {
-	const { loadPCAccessConfig, getPCAccessTools } = await Promise.resolve().then(() => require("./src-BptR-54a.js"));
+	const { loadPCAccessConfig, getPCAccessTools } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	const cfg = await loadPCAccessConfig();
 	if (!cfg.enabled) {
 		console.log(chalk.default.red("\n  ✖  PC access disabled. Run: hyperclaw pc enable\n"));
@@ -3565,14 +3943,58 @@ pcCmd.command("run <command>").description("Run a shell command via PC access (m
 	console.log(result);
 	process.exit(0);
 });
+function checkForUpdate() {
+	const { execFile: execFile$1 } = require("child_process");
+	const { readFileSync } = require("fs");
+	const path$7 = require("path");
+	try {
+		const pkgPath = path$7.resolve(__dirname, "../../package.json");
+		const current = JSON.parse(readFileSync(pkgPath, "utf8")).version;
+		execFile$1("npm", [
+			"view",
+			"hyperclaw",
+			"version",
+			"--json"
+		], { timeout: 5e3 }, (_err, stdout) => {
+			if (_err || !stdout) return;
+			try {
+				const latest = JSON.parse(stdout.trim());
+				if (latest && latest !== current) {
+					const semver = (v) => v.split(".").map(Number);
+					const [lMaj, lMin, lPat] = semver(latest);
+					const [cMaj, cMin, cPat] = semver(current);
+					const isNewer = lMaj > cMaj || lMaj === cMaj && lMin > cMin || lMaj === cMaj && lMin === cMin && lPat > cPat;
+					if (isNewer) process.stdout.write(chalk.default.yellow(`\n  ⬆  Update available: ${chalk.default.dim(current)} → ${chalk.default.green(latest)}\n`) + chalk.default.gray(`     npm install -g hyperclaw@latest\n\n`));
+				}
+			} catch {}
+		});
+	} catch {}
+}
+program.command("setup").description("Setup wizard — alias for `hyperclaw onboard`").option("--install-daemon", "Auto-install system daemon").option("--reset", "Reset config before running wizard").option("--non-interactive", "Non-interactive mode").option("--json", "Output result as JSON (use with --non-interactive)").option("--anthropic-api-key <key>", "Anthropic API key (non-interactive)").option("--openai-api-key <key>", "OpenAI API key (non-interactive)").option("--gateway-port <port>", "Gateway port (non-interactive)", "18789").option("--gateway-bind <bind>", "Gateway bind: loopback | all", "loopback").action(async (opts) => {
+	await new require_onboard.Banner().showNeonBanner(false);
+	const wizardOpts = {
+		wizard: true,
+		installDaemon: opts.installDaemon ?? false,
+		reset: opts.reset ?? false,
+		nonInteractive: opts.nonInteractive ?? false,
+		jsonOutput: opts.json ?? false,
+		gatewayPort: opts.gatewayPort ? parseInt(opts.gatewayPort) : void 0,
+		gatewayBind: opts.gatewayBind ?? "loopback",
+		anthropicApiKey: opts.anthropicApiKey,
+		openaiApiKey: opts.openaiApiKey
+	};
+	await new require_onboard.HyperClawWizard().run(wizardOpts);
+	process.exit(0);
+});
+checkForUpdate();
 if (process.argv.length === 2) (async () => {
-	const { ConfigManager: ConfigManager$1 } = await Promise.resolve().then(() => require("./manager-BX2lIsmk.js"));
+	const { ConfigManager: ConfigManager$1 } = await Promise.resolve().then(() => require("./manager-CrVDn6eN.js"));
 	const cfg = await new ConfigManager$1().load().catch(() => null);
 	if (cfg?.provider?.apiKey || cfg?.provider?.providerId) {
 		await new require_onboard.Banner().showNeonBanner(false);
-		const { getTheme } = await Promise.resolve().then(() => require("./theme-Iefa3L63.js"));
+		const { getTheme } = await Promise.resolve().then(() => require("./theme-cx0fkgWC.js"));
 		const t = getTheme(false);
-		const chalk$13 = require("chalk");
+		const chalk$11 = require("chalk");
 		console.log(t.bold("  Quick actions:\n"));
 		console.log(`  ${t.c("hyperclaw onboard")}                    — re-run setup wizard`);
 		console.log(`  ${t.c("hyperclaw onboard --install-daemon")}   — wizard + daemon (full PC access)`);
@@ -3584,7 +4006,7 @@ if (process.argv.length === 2) (async () => {
 		console.log(`  ${t.c("hyperclaw --help")}                     — all commands\n`);
 	} else {
 		await new require_onboard.Banner().showNeonBanner(false);
-		const { HyperClawWizard: HyperClawWizard$1 } = await Promise.resolve().then(() => require("./onboard-3q20ZyHj.js"));
+		const { HyperClawWizard: HyperClawWizard$1 } = await Promise.resolve().then(() => require("./onboard-0WoDxbv_.js"));
 		await new HyperClawWizard$1().run({ wizard: true });
 	}
 	process.exit(0);