hyperclaw 4.0.2 → 5.0.0

package/dist/run-main.js

@@ -1,20 +1,22 @@
 const require_chunk = require('./chunk-jS-bbMI5.js');
 require('./paths-AIyBxIzm.js');
 require('./paths-DPovhojT.js');
-require('./env-resolve-szSWl0UF.js');
-const require_onboard = require('./onboard-Bd_wsYdi.js');
-require('./server-BRlCEjyT.js');
-require('./theme-LUTKWUWd.js');
-const require_hub = require('./hub-FrPTA33j.js');
-const require_manager = require('./manager-Dm8nrMFx.js');
-const require_manager$1 = require('./manager-Cwzj7w5R.js');
-const require_memory = require('./memory-BVFGkxxK.js');
-const require_loader = require('./loader-CISCqBto.js');
-const require_agents_routing = require('./agents-routing-683Q2JGp.js');
-const require_pairing = require('./pairing-DU0_J28n.js');
-const require_doctor = require('./doctor-3oi89QIc.js');
-const require_security = require('./security-C-5URby1.js');
-const require_developer_keys = require('./developer-keys-JaJK3T27.js');
+require('./env-resolve-CmGWhWXJ.js');
+const require_onboard = require('./onboard-BXNXCQp4.js');
+require('./server-Dh3JlBFB.js');
+const require_daemon = require('./daemon-Bg4GtCmc.js');
+require('./theme-DcxwcUgZ.js');
+const require_hub = require('./hub-D0XwdjM-.js');
+const require_manager = require('./manager-rgCsaWT1.js');
+const require_manager$1 = require('./manager-03ipO9R0.js');
+const require_memory = require('./memory-DsS_eFvJ.js');
+const require_loader = require('./loader-CnEdOyjT.js');
+const require_agents_routing = require('./agents-routing-ChHiZp36.js');
+const require_pairing = require('./pairing-6iM27aD8.js');
+const require_doctor = require('./doctor-BvCe8BBk.js');
+const require_health = require('./health-Ds2YlpTB.js');
+const require_security = require('./security-tpgqPWWH.js');
+const require_developer_keys = require('./developer-keys-DrrcUqFa.js');
 const commander = require_chunk.__toESM(require("commander"));
 const chalk = require_chunk.__toESM(require("chalk"));
 const inquirer = require_chunk.__toESM(require("inquirer"));
@@ -22,10 +24,13 @@ const ora = require_chunk.__toESM(require("ora"));
 const fs_extra = require_chunk.__toESM(require("fs-extra"));
 const path = require_chunk.__toESM(require("path"));
 const os = require_chunk.__toESM(require("os"));
+const crypto = require_chunk.__toESM(require("crypto"));
 const child_process = require_chunk.__toESM(require("child_process"));
 const util = require_chunk.__toESM(require("util"));
+const http = require_chunk.__toESM(require("http"));
 const fs = require_chunk.__toESM(require("fs"));
 const readline = require_chunk.__toESM(require("readline"));
+const net = require_chunk.__toESM(require("net"));
 
 //#region src/cli/dashboard.ts
 var Dashboard = class {
@@ -59,7 +64,7 @@ var Dashboard = class {
 			return c(`║ `) + content + " ".repeat(pad) + c(`║`);
 		};
 		console.log(c(`╔${line}╗`));
-		console.log(c(`║`) + chalk.default.bold.hex("#06b6d4")(`${"🦅 HYPERCLAW v4.0.2 — GATEWAY DASHBOARD".padStart(45).padEnd(w)}`) + c(`║`));
+		console.log(c(`║`) + chalk.default.bold.hex("#06b6d4")(`${"🦅 HYPERCLAW v5.0.0 — GATEWAY DASHBOARD".padStart(45).padEnd(w)}`) + c(`║`));
 		console.log(c(`╠${line}╣`));
 		console.log(row(`${statusDot} Gateway  ${statusText}   ${chalk.default.gray("│")}  ws://localhost:${port}   ${chalk.default.gray("│")}  Agent: ${c(agent)}`));
 		console.log(row(`${c("◆")} Model     ${chalk.default.gray(model.slice(0, 30))}   ${chalk.default.gray("│")}  User: ${c(user)}`));
@@ -140,7 +145,7 @@ async function recordAudio(outFile, seconds) {
 async function transcribeWhisper(filePath, lang) {
 	const apiKey = process.env.OPENAI_API_KEY || process.env.ANTHROPIC_API_KEY;
 	if (!apiKey) throw new Error("No OPENAI_API_KEY set");
-	const FormData = (await Promise.resolve().then(() => require_chunk.__toDynamicImportESM()(require("./form_data-B_hIUrxU.js"))).catch(() => null))?.default;
+	const FormData = (await Promise.resolve().then(() => require_chunk.__toDynamicImportESM()(require("./form_data-Cz040rio.js"))).catch(() => null))?.default;
 	if (!FormData) throw new Error("form-data not installed");
 	const form = new FormData();
 	form.append("file", fs.createReadStream(filePath), {
@@ -284,6 +289,185 @@ var VoiceEngine = class {
 	}
 };
 
+//#endregion
+//#region src/infra/device-pairing.ts
+const DEVICES_DIR = path.default.join(os.default.homedir(), ".hyperclaw", "devices");
+const PENDING_FILE = path.default.join(DEVICES_DIR, "pending.json");
+const PAIRED_FILE = path.default.join(DEVICES_DIR, "paired.json");
+const PENDING_EXPIRY_MS = 10 * 60 * 1e3;
+const TOKEN_BYTES = 16;
+async function readPending() {
+	try {
+		const data = await fs_extra.default.readJson(PENDING_FILE);
+		return Array.isArray(data) ? data : [];
+	} catch {
+		return [];
+	}
+}
+async function writePending(entries) {
+	await fs_extra.default.ensureDir(DEVICES_DIR);
+	await fs_extra.default.writeJson(PENDING_FILE, entries, {
+		spaces: 2,
+		mode: 384
+	});
+}
+async function readPaired() {
+	try {
+		const data = await fs_extra.default.readJson(PAIRED_FILE);
+		return Array.isArray(data) ? data : [];
+	} catch {
+		return [];
+	}
+}
+async function writePaired(devices) {
+	await fs_extra.default.ensureDir(DEVICES_DIR);
+	await fs_extra.default.writeJson(PAIRED_FILE, devices, {
+		spaces: 2,
+		mode: 384
+	});
+}
+var DevicePairingStore = class {
+	/**
+	
+	* Creates a pending pairing request and returns:
+	
+	*   - requestId: show to user for approve/reject
+	
+	*   - setupCode: base64-encoded JSON {url, token} — send to device
+	
+	*/
+	async createRequest(gatewayUrl, opts) {
+		const now = Date.now();
+		const all = (await readPending()).filter((e) => new Date(e.expiresAt).getTime() > now);
+		const requestId = crypto.default.randomBytes(6).toString("hex");
+		const token = crypto.default.randomBytes(TOKEN_BYTES).toString("hex");
+		const expiresAt = new Date(now + PENDING_EXPIRY_MS).toISOString();
+		const entry = {
+			requestId,
+			token,
+			expiresAt,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+			...opts?.deviceName ? { deviceName: opts.deviceName } : {},
+			...opts?.platform ? { platform: opts.platform } : {}
+		};
+		all.push(entry);
+		await writePending(all);
+		const payload = {
+			url: gatewayUrl,
+			token
+		};
+		const setupCode = Buffer.from(JSON.stringify(payload)).toString("base64");
+		return {
+			requestId,
+			setupCode,
+			expiresAt
+		};
+	}
+	async listPending() {
+		const now = Date.now();
+		const all = await readPending();
+		return all.filter((e) => new Date(e.expiresAt).getTime() > now);
+	}
+	async listPaired() {
+		return readPaired();
+	}
+	async approve(requestId) {
+		const now = Date.now();
+		const pending = await readPending();
+		const idx = pending.findIndex((e) => e.requestId === requestId && new Date(e.expiresAt).getTime() > now);
+		if (idx === -1) return null;
+		const entry = pending[idx];
+		pending.splice(idx, 1);
+		await writePending(pending);
+		const deviceId = `device-${crypto.default.randomBytes(4).toString("hex")}`;
+		const longToken = crypto.default.randomBytes(32).toString("hex");
+		const device = {
+			deviceId,
+			requestId: entry.requestId,
+			token: longToken,
+			pairedAt: (/* @__PURE__ */ new Date()).toISOString(),
+			...entry.deviceName ? { deviceName: entry.deviceName } : {},
+			...entry.platform ? { platform: entry.platform } : {}
+		};
+		const paired = await readPaired();
+		paired.push(device);
+		await writePaired(paired);
+		return device;
+	}
+	async reject(requestId) {
+		const pending = await readPending();
+		const idx = pending.findIndex((e) => e.requestId === requestId);
+		if (idx === -1) return false;
+		pending.splice(idx, 1);
+		await writePending(pending);
+		return true;
+	}
+	async unpair(deviceId) {
+		const paired = await readPaired();
+		const idx = paired.findIndex((d) => d.deviceId === deviceId);
+		if (idx === -1) return false;
+		paired.splice(idx, 1);
+		await writePaired(paired);
+		return true;
+	}
+	async verifyToken(token) {
+		const now = Date.now();
+		const pending = await readPending();
+		const pendingMatch = pending.find((e) => e.token === token && new Date(e.expiresAt).getTime() > now);
+		if (pendingMatch) return this.approve(pendingMatch.requestId);
+		const paired = await readPaired();
+		return paired.find((d) => d.token === token) ?? null;
+	}
+	async touchDevice(deviceId) {
+		const paired = await readPaired();
+		const device = paired.find((d) => d.deviceId === deviceId);
+		if (device) {
+			device.lastSeenAt = (/* @__PURE__ */ new Date()).toISOString();
+			await writePaired(paired);
+		}
+	}
+	static parseSetupCode(setupCode) {
+		try {
+			const json = Buffer.from(setupCode, "base64").toString("utf8");
+			const parsed = JSON.parse(json);
+			if (typeof parsed.url === "string" && typeof parsed.token === "string") return parsed;
+			return null;
+		} catch {
+			return null;
+		}
+	}
+	async showCLI() {
+		const now = Date.now();
+		const pending = (await readPending()).filter((e) => new Date(e.expiresAt).getTime() > now);
+		const paired = await readPaired();
+		console.log(chalk.default.bold.cyan("\n  📱 DEVICE PAIRING\n"));
+		if (pending.length > 0) {
+			console.log(chalk.default.yellow("  Pending requests:\n"));
+			for (const e of pending) {
+				const expiresIn = Math.round((new Date(e.expiresAt).getTime() - now) / 6e4);
+				const name = e.deviceName ? chalk.default.white(` "${e.deviceName}"`) : "";
+				const plat = e.platform ? chalk.default.gray(` (${e.platform})`) : "";
+				console.log(`  ${chalk.default.yellow("○")} ${chalk.default.bold(e.requestId)}${name}${plat}  ${chalk.default.gray(`expires in ${expiresIn}m`)}`);
+			}
+			console.log();
+		}
+		if (paired.length > 0) {
+			console.log(chalk.default.green("  Paired devices:\n"));
+			for (const d of paired) {
+				const name = d.deviceName ? chalk.default.white(` "${d.deviceName}"`) : "";
+				const plat = d.platform ? chalk.default.gray(` (${d.platform})`) : "";
+				const seen = d.lastSeenAt ? chalk.default.gray(`  last seen: ${new Date(d.lastSeenAt).toLocaleDateString()}`) : "";
+				console.log(`  ${chalk.default.green("●")} ${chalk.default.bold(d.deviceId)}${name}${plat}  ${chalk.default.gray(`paired: ${new Date(d.pairedAt).toLocaleDateString()}`)}${seen}`);
+			}
+			console.log();
+		}
+		if (pending.length === 0 && paired.length === 0) {
+			console.log(chalk.default.gray("  No pending or paired devices."));
+			console.log(chalk.default.gray("  In Telegram, message your bot: /pair\n"));
+		}
+	}
+};
+
 //#endregion
 //#region src/commands/message-send.ts
 async function sendMessage(opts) {
@@ -345,17 +529,28 @@ const CHANNELS = [
 		platforms: ["all"],
 		tokenLabel: "Telegram Bot Token",
 		tokenHint: "Get from @BotFather → /newbot",
+		extraFields: [{
+			name: "dmPolicy",
+			label: "DM policy",
+			hint: "pairing (default) | allowlist | open | disabled",
+			required: false
+		}, {
+			name: "groupActivation",
+			label: "Group activation",
+			hint: "mention (default) | always",
+			required: false
+		}],
 		setupSteps: [
-			"1. Open Telegram and search for @BotFather (the official bot for creating bots).",
-			"2. Start a conversation with /start and type /newbot to create a new bot.",
-			"3. Give the bot a name (e.g. \"My HyperClaw Bot\") and a username ending in \"bot\" (e.g. my_hyperclaw_bot).",
-			"4. @BotFather will send you the Bot Token — a string starting with 7xxxxxx:AAH... Keep it secret!",
-			"5. Copy the token and paste it below.",
+			"1. Open Telegram → @BotFather → /newbot. Save the token.",
+			"2. Config: channels.telegram.botToken, dmPolicy (default: pairing), groups.",
+			"3. Start gateway, approve first DM: hyperclaw pairing approve telegram <CODE>",
+			"4. Add bot to groups; set groups[\"*\"].requireMention for mention gating.",
 			"",
-			"  🔗 t.me/BotFather"
+			"  🔗 docs/telegram.md — full setup"
 		],
 		status: "recommended",
-		npmPackage: "node-telegram-bot-api"
+		npmPackage: "node-telegram-bot-api",
+		notes: "DMs + groups. Pairing, allowlist, voice notes. Long polling default."
 	},
 	{
 		id: "discord",
@@ -367,23 +562,37 @@ const CHANNELS = [
 		tokenLabel: "Discord Bot Token",
 		tokenHint: "discord.com/developers/applications",
 		setupSteps: [
-			"1. Go to Discord Developer Portal: https://discord.com/developers/applications",
-			"2. Click \"New Application\", give it a name and create it.",
-			"3. Left menu: Bot → Add Bot.",
-			"4. Click \"Reset Token\" and copy the token (keep it secret!).",
-			"5. Settings → OAuth2 → General, copy the Application ID (Client ID).",
-			"6. Optional: To add the bot to a server, Bot → OAuth2 → URL Generator, scope: bot.",
+			"1. Discord Developer Portal → New Application → Bot → Reset Token.",
+			"2. Enable Message Content Intent (and Server Members if needed).",
+			"3. OAuth2 URL Generator: scope bot + applications.commands, permissions: View Channels, Send Messages, Read Message History.",
+			"4. Add bot to server, enable Developer Mode, copy Server ID and User ID.",
+			"5. Enable DMs from server members (right‑click server → Privacy Settings).",
+			"6. hyperclaw gateway → DM the bot → hyperclaw pairing approve discord <CODE>",
 			"",
-			"  🔗 discord.com/developers/applications"
+			"  🔗 docs/discord-setup.md — full setup guide"
+		],
+		extraFields: [
+			{
+				name: "listenGuildIds",
+				label: "Guild IDs to listen in",
+				hint: "[] = all. Add Server IDs to restrict.",
+				required: false
+			},
+			{
+				name: "requireMentionInGuild",
+				label: "Require @mention in guild",
+				hint: "true (default) | false",
+				required: false
+			},
+			{
+				name: "dmPolicy",
+				label: "DM policy",
+				hint: "\"pairing\" (default) | \"allowlist\" | \"open\" | \"none\"",
+				required: false
+			}
 		],
-		extraFields: [{
-			name: "clientId",
-			label: "Client ID (Application ID)",
-			hint: "From OAuth2 → General",
-			required: true
-		}],
 		status: "recommended",
-		npmPackage: "discord.js"
+		npmPackage: "ws"
 	},
 	{
 		id: "whatsapp",
@@ -392,18 +601,38 @@ const CHANNELS = [
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "WhatsApp Business API key",
+		tokenLabel: "Access Token",
 		tokenHint: "business.whatsapp.com",
+		extraFields: [
+			{
+				name: "phoneNumberId",
+				label: "Phone Number ID",
+				hint: "From Meta API Setup",
+				required: true
+			},
+			{
+				name: "verifyToken",
+				label: "Webhook verify token",
+				hint: "Any string for webhook verification",
+				required: false
+			},
+			{
+				name: "dmPolicy",
+				label: "DM policy",
+				hint: "pairing (default) | allowlist | open | disabled",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Go to Meta for Developers: https://developers.facebook.com/",
-			"2. My Apps → Create App → Business type.",
-			"3. Add product: WhatsApp → Get started.",
-			"4. WhatsApp → API Setup: copy the Temporary access token or create a permanent one.",
-			"5. You also need a Phone Number ID and WhatsApp Business Account ID.",
+			"1. Meta for Developers → Create App → Business → Add WhatsApp.",
+			"2. API Setup: copy Phone Number ID and Access Token.",
+			"3. Webhook: https://<host>/webhook/whatsapp, subscribe to messages.",
+			"4. Start gateway. Approve DMs: hyperclaw pairing approve whatsapp <CODE>",
 			"",
-			"  🔗 developers.facebook.com — business.whatsapp.com"
+			"  🔗 docs/whatsapp.md — full setup"
 		],
 		status: "available",
+		notes: "Meta Business API. Webhook required.",
 		npmPackage: void 0
 	},
 	{
@@ -413,42 +642,87 @@ const CHANNELS = [
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
+		extraFields: [{
+			name: "dmPolicy",
+			label: "DM policy",
+			hint: "pairing (default) | allowlist | open | disabled",
+			required: false
+		}],
 		setupSteps: [
-			"1. No Meta Business API needed — uses WhatsApp Web.",
-			"2. Make sure you have installed: npm install @whiskeysockets/baileys",
-			"3. Start the gateway. On first connection a QR code will appear.",
-			"4. Scan the QR with your phone (WhatsApp → Linked Devices → Link a device).",
-			"5. After connecting, the session is saved — no QR needed again.",
+			"1. No Meta API — uses WhatsApp Web. Install: npm install @whiskeysockets/baileys",
+			"2. hyperclaw channels add whatsapp-baileys, then hyperclaw gateway",
+			"3. Scan QR (WhatsApp → Linked Devices → Link a device)",
+			"4. Approve first DM: hyperclaw pairing approve whatsapp-baileys <CODE>",
 			"",
-			"  📖 docs: github.com/WhiskeySockets/Baileys"
+			"  🔗 docs/whatsapp.md — full setup"
 		],
 		status: "available",
-		notes: "WhatsApp Web via Baileys — no Meta Business. Scan QR on first run.",
+		notes: "WhatsApp Web via Baileys. No Meta Business. Pairing, voice notes.",
 		npmPackage: "@whiskeysockets/baileys"
 	},
 	{
 		id: "slack",
 		name: "Slack",
 		emoji: "💼",
-		requiresGateway: false,
+		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
 		tokenLabel: "Slack Bot Token (xoxb-...)",
-		extraFields: [{
-			name: "signingSecret",
-			label: "Signing Secret",
-			required: true
-		}],
+		extraFields: [
+			{
+				name: "appToken",
+				label: "App Token (xapp-...)",
+				hint: "Required for Socket Mode (default) — connections:write scope",
+				required: false
+			},
+			{
+				name: "signingSecret",
+				label: "Signing Secret",
+				hint: "Required for HTTP Events API mode only",
+				required: false
+			},
+			{
+				name: "mode",
+				label: "Connection mode",
+				hint: "socket (default) | http",
+				required: false
+			},
+			{
+				name: "userToken",
+				label: "User Token (xoxp-...)",
+				hint: "Optional — for read operations",
+				required: false
+			},
+			{
+				name: "ackReaction",
+				label: "Ack reaction emoji",
+				hint: "Shortcode without colons, e.g. eyes",
+				required: false
+			},
+			{
+				name: "typingReaction",
+				label: "Typing reaction emoji",
+				hint: "Shortcode, e.g. hourglass_flowing_sand",
+				required: false
+			}
+		],
 		setupSteps: [
 			"1. Go to api.slack.com/apps → Create New App → From scratch.",
-			"2. Give it a name and choose a workspace.",
-			"3. OAuth & Permissions: Add Bot Token Scopes (chat:write, users:read, im:read, im:history, etc.).",
-			"4. Install App to workspace — copy the \"Bot User OAuth Token\" (starts with xoxb-).",
-			"5. Basic Information → App Credentials → Signing Secret — copy it.",
+			"2. Socket Mode (default — no public URL needed):",
+			"   a. Settings → Socket Mode → Enable Socket Mode.",
+			"   b. Settings → Basic Information → App-Level Tokens → Generate Token (connections:write) → copy xapp-...",
+			"   c. OAuth & Permissions: add bot scopes (chat:write, im:read, im:history, channels:history, etc.).",
+			"   d. Install App → copy Bot Token (xoxb-...).",
+			"3. HTTP mode (alternative):",
+			"   a. Event Subscriptions → Request URL: https://<host>/webhook/slack.",
+			"   b. Basic Information → Signing Secret — copy it.",
+			"4. Subscribe to bot events: app_mention, message.im, message.channels, message.groups, message.mpim, reaction_added.",
+			"5. App Home → Messages Tab → Enable.",
 			"",
 			"  🔗 api.slack.com/apps"
 		],
-		status: "available",
+		status: "recommended",
+		notes: "Socket Mode (default) requires appToken. HTTP mode requires signingSecret. Supports DMs, channels, threads, reactions, streaming.",
 		npmPackage: "@slack/bolt"
 	},
 	{
@@ -458,38 +732,160 @@ const CHANNELS = [
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["linux", "darwin"],
-		tokenLabel: "Signal phone number",
-		tokenHint: "Requires signal-cli installed",
+		tokenLabel: "Bot phone number (E.164)",
+		tokenHint: "e.g. +15551234567 — use a dedicated bot number",
 		setupSteps: [
 			"1. Install signal-cli: https://github.com/AsamK/signal-cli",
-			"2. Register number: signal-cli -a +1XXXXXXXXX register",
-			"3. Verify electronically (if available) or via SMS code.",
-			"4. Enter your phone number here (e.g. +1XXXXXXXXX).",
 			"",
-			"  🔗 github.com/AsamK/signal-cli"
+			"  Path A — Link existing Signal account (QR):",
+			"    signal-cli link -n \"HyperClaw\"  then scan in Signal.",
+			"",
+			"  Path B — Register dedicated bot number (SMS):",
+			"    signal-cli -a +<BOT_NUMBER> register",
+			"    signal-cli -a +<BOT_NUMBER> register --captcha '<URL>'  (if captcha required)",
+			"    signal-cli -a +<BOT_NUMBER> verify <CODE>",
+			"",
+			"2. Set account: \"+<BOT_NUMBER>\" in config.",
+			"3. autoStart=true (default) spawns daemon automatically.",
+			"   Or run daemon yourself and set httpUrl: \"http://127.0.0.1:8080\".",
+			"",
+			"  Access control:",
+			"    dmPolicy=pairing (default) — senders get pairing code (expires 1h)",
+			"    groupPolicy=allowlist (default) — only groupAllowFrom senders trigger bot",
+			"",
+			"  Chunking: textChunkLimit=4000, chunkMode=length|newline",
+			"  Reactions: actions.reactions=true, reactionLevel=off|ack|minimal|extensive",
+			"",
+			"  🔗 github.com/AsamK/signal-cli",
+			"  🔗 github.com/AsamK/signal-cli/wiki/Registration-with-captcha"
+		],
+		extraFields: [
+			{
+				name: "account",
+				label: "Bot number (E.164)",
+				hint: "+15551234567",
+				required: true
+			},
+			{
+				name: "cliPath",
+				label: "signal-cli path",
+				hint: "signal-cli (if on PATH)",
+				required: false
+			},
+			{
+				name: "httpUrl",
+				label: "Daemon URL (external)",
+				hint: "http://127.0.0.1:8080 — skips autoStart",
+				required: false
+			},
+			{
+				name: "httpPort",
+				label: "Daemon port",
+				hint: "8080 (default)",
+				required: false
+			},
+			{
+				name: "autoStart",
+				label: "Auto-spawn daemon",
+				hint: "true (default) / false",
+				required: false
+			},
+			{
+				name: "startupTimeoutMs",
+				label: "Startup timeout (ms)",
+				hint: "15000 default, max 120000",
+				required: false
+			},
+			{
+				name: "dmPolicy",
+				label: "DM policy",
+				hint: "\"pairing\" (default) | \"allowlist\" | \"open\" | \"disabled\"",
+				required: false
+			},
+			{
+				name: "groupPolicy",
+				label: "Group policy",
+				hint: "\"allowlist\" (default) | \"open\" | \"disabled\"",
+				required: false
+			},
+			{
+				name: "textChunkLimit",
+				label: "Text chunk limit (chars)",
+				hint: "4000 default",
+				required: false
+			},
+			{
+				name: "chunkMode",
+				label: "Chunk mode",
+				hint: "\"length\" (default) | \"newline\"",
+				required: false
+			}
 		],
 		status: "available",
-		notes: "Requires signal-cli to be installed and registered"
+		notes: "signal-cli HTTP daemon + SSE events. DMs, groups, typing, reactions, chunking, multi-account."
 	},
 	{
 		id: "imessage",
-		name: "iMessage",
+		name: "iMessage (BlueBubbles)",
 		emoji: "💬",
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["darwin"],
+		tokenLabel: "BlueBubbles server URL",
+		extraFields: [{
+			name: "password",
+			label: "BlueBubbles password",
+			hint: "Set in BlueBubbles server settings",
+			required: true
+		}, {
+			name: "dmPolicy",
+			label: "DM policy",
+			hint: "pairing (default) | allowlist | open | disabled",
+			required: false
+		}],
 		setupSteps: [
-			"1. macOS only. You need BlueBubbles (bluebubbles.app) or Beeper bridge.",
-			"2. BlueBubbles: install on Mac, check server URL and API key.",
-			"3. Or Beeper: connect to iMessage via Beeper desktop app.",
-			"4. Set server URL and token in the channel configuration.",
+			"1. macOS only. Install BlueBubbles server: bluebubbles.app",
+			"2. BlueBubbles → Settings: enable web API, set password, note Server URL.",
+			"3. Add channel (imessage or bluebubbles), enter serverUrl + password.",
+			"4. hyperclaw gateway → hyperclaw pairing approve bluebubbles <CODE>",
 			"",
-			"  🔗 bluebubbles.app — beeper.com"
+			"  🔗 docs/bluebubbles.md — bluebubbles.app"
 		],
-		status: os.default.platform() === "darwin" ? "available" : "unavailable",
-		notes: "macOS only — uses BlueBubbles or Beeper bridge",
+		status: os.default.platform() === "darwin" ? "recommended" : "unavailable",
+		notes: "BlueBubbles server on Mac. DMs, pairing. Groups planned.",
 		npmPackage: "bluebubbles-api"
 	},
+	{
+		id: "imessage-native",
+		name: "iMessage (imsg CLI — legacy)",
+		emoji: "💬",
+		requiresGateway: true,
+		supportsDM: true,
+		platforms: ["darwin"],
+		extraFields: [{
+			name: "cliPath",
+			label: "imsg binary path",
+			hint: "Default: imsg (must be in PATH)",
+			required: false
+		}, {
+			name: "dbPath",
+			label: "Messages DB path",
+			hint: "Default: ~/Library/Messages/chat.db",
+			required: false
+		}],
+		setupSteps: [
+			"1. macOS only. Install imsg: brew install steipete/tap/imsg",
+			"2. Verify: imsg rpc --help",
+			"3. Grant Full Disk Access + Automation to Terminal/Node (one-time: imsg chats --limit 1).",
+			"4. No token needed — imsg runs locally via JSON-RPC on stdio.",
+			"5. (Optional) Set cliPath if imsg is not in PATH.",
+			"",
+			"  ⚠️  Legacy integration — for new setups use iMessage (BlueBubbles)",
+			"  🔗 github.com/steipete/imsg"
+		],
+		status: os.default.platform() === "darwin" ? "available" : "unavailable",
+		notes: "Legacy — gateway spawns imsg rpc over JSON-RPC stdio. For new setups prefer BlueBubbles."
+	},
 	{
 		id: "matrix",
 		name: "Matrix",
@@ -497,26 +893,84 @@ const CHANNELS = [
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: void 0,
-		extraFields: [{
-			name: "homeserver",
-			label: "Homeserver URL",
-			hint: "e.g. https://matrix.org",
-			required: true
-		}, {
-			name: "accessToken",
-			label: "Access Token",
-			required: true
-		}],
+		tokenLabel: "Access Token (syt_...)",
+		tokenHint: "Or set userId + password instead",
+		extraFields: [
+			{
+				name: "homeserver",
+				label: "Homeserver URL",
+				hint: "e.g. https://matrix.example.org",
+				required: true
+			},
+			{
+				name: "accessToken",
+				label: "Access Token (syt_...)",
+				hint: "Preferred; userId auto-fetched via /whoami",
+				required: false
+			},
+			{
+				name: "userId",
+				label: "Matrix User ID",
+				hint: "@bot:example.org — required only for password login",
+				required: false
+			},
+			{
+				name: "password",
+				label: "Password (alternative to token)",
+				hint: "Token cached to credentials file on first login",
+				required: false
+			},
+			{
+				name: "deviceName",
+				label: "Device display name",
+				hint: "Shown in Matrix clients",
+				required: false
+			},
+			{
+				name: "encryption",
+				label: "Enable E2EE",
+				hint: "true | false — requires crypto native module",
+				required: false
+			},
+			{
+				name: "threadReplies",
+				label: "Thread replies",
+				hint: "off | inbound (default) | always",
+				required: false
+			},
+			{
+				name: "textChunkLimit",
+				label: "Text chunk limit (chars)",
+				hint: "Default: 16000",
+				required: false
+			},
+			{
+				name: "mediaMaxMb",
+				label: "Media size limit (MB)",
+				hint: "Default: 10",
+				required: false
+			},
+			{
+				name: "autoJoin",
+				label: "Auto-join invites",
+				hint: "always (default) | allowlist | off",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Create a bot account on matrix.org or another homeserver.",
-			"2. Access token: Element/SchildiChat → Settings → Help & About → Access Token.",
-			"3. Or via API: POST /_matrix/client/r0/login with type=m.login.password.",
-			"4. Homeserver URL: https://matrix.org or your server URL.",
+			"1. Create a Matrix bot account on any homeserver (matrix.org has free accounts).",
+			"2. Get an access token via the login API:",
+			"     curl -X POST https://<homeserver>/_matrix/client/v3/login \\",
+			"       -H \"Content-Type: application/json\" \\",
+			"       -d '{\"type\":\"m.login.password\",\"identifier\":{\"type\":\"m.id.user\",\"user\":\"<username>\"},\"password\":\"<password>\"}'",
+			"   Or set userId + password — HyperClaw will call the login API and cache the token.",
+			"3. Invite the bot account to a room or DM it from any Matrix client (Element, Beeper, etc.).",
+			"4. For Beeper, enable E2EE: set encryption: true and verify the device in Element.",
 			"",
-			"  🔗 matrix.org — element.io"
+			"  🔗 matrix.org/ecosystem/hosting/ — element.io"
 		],
 		status: "available",
+		notes: "Supports DMs, rooms, threads, media, reactions, polls, location, E2EE, multi-account.",
 		npmPackage: "matrix-js-sdk"
 	},
 	{
@@ -530,25 +984,81 @@ const CHANNELS = [
 		extraFields: [
 			{
 				name: "server",
-				label: "Server",
+				label: "Server (IRC_HOST)",
 				hint: "e.g. irc.libera.chat",
 				required: true
 			},
+			{
+				name: "port",
+				label: "Port (IRC_PORT)",
+				hint: "Default: 6697 (TLS) or 6667",
+				required: false
+			},
+			{
+				name: "tls",
+				label: "TLS (IRC_TLS)",
+				hint: "true / false — default: false",
+				required: false
+			},
 			{
 				name: "nick",
-				label: "Nickname",
+				label: "Nickname (IRC_NICK)",
 				required: true
 			},
+			{
+				name: "username",
+				label: "Username / ident (IRC_USERNAME)",
+				required: false
+			},
+			{
+				name: "realname",
+				label: "Real name (IRC_REALNAME)",
+				required: false
+			},
+			{
+				name: "password",
+				label: "Server password (IRC_PASSWORD)",
+				hint: "Not NickServ — leave blank if none",
+				required: false
+			},
 			{
 				name: "channels",
-				label: "Default channels (#room)",
+				label: "Channels to join (IRC_CHANNELS)",
+				hint: "#room1,#room2",
+				required: false
+			},
+			{
+				name: "nickservPassword",
+				label: "NickServ password (IRC_NICKSERV_PASSWORD)",
+				hint: "Identify after connect",
+				required: false
+			},
+			{
+				name: "groupPolicy",
+				label: "Group policy",
+				hint: "\"allowlist\" (default) or \"open\"",
+				required: false
+			},
+			{
+				name: "dmPolicy",
+				label: "DM policy",
+				hint: "\"pairing\" (default) | \"allowlist\" | \"open\"",
 				required: false
 			}
 		],
 		setupSteps: [
 			"1. Choose an IRC server (e.g. irc.libera.chat, irc.oftc.net).",
-			"2. You need a nickname for the bot and optionally a channel to join.",
-			"3. Some servers require authentication before /join.",
+			"2. Set a nickname for the bot and the channels it should join.",
+			"3. Enable TLS (recommended): set port 6697 and tls: true.",
+			"4. If your nick is registered, set nickservPassword to auto-identify.",
+			"5. Access control defaults: groupPolicy=allowlist (bot only replies in",
+			"   configured groups), dmPolicy=pairing (new DMs need pairing approval).",
+			"6. To allow everyone in a channel without mention, set per-channel:",
+			"   groups[\"#mychan\"].requireMention = false, allowFrom = [\"*\"].",
+			"",
+			"  Env vars: IRC_HOST IRC_PORT IRC_TLS IRC_NICK IRC_USERNAME",
+			"            IRC_REALNAME IRC_PASSWORD IRC_CHANNELS",
+			"            IRC_NICKSERV_PASSWORD IRC_NICKSERV_REGISTER_EMAIL",
 			"",
 			"  🔗 libera.chat — oftc.net"
 		],
@@ -562,31 +1072,71 @@ const CHANNELS = [
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "Personal Access Token (or Bot token)",
-		tokenHint: "Account Settings > Security > Personal Access Tokens",
+		tokenLabel: "Bot Token (MATTERMOST_BOT_TOKEN)",
+		tokenHint: "System Console → Integrations → Bot Accounts → Add Bot Account",
 		setupSteps: [
-			"1. In Mattermost: Profile → Account Settings → Security → Personal Access Tokens.",
-			"2. Create token — copy it (not shown again).",
-			"3. Integrations → Outgoing Webhooks → Add outgoing webhook.",
-			"4. Note the webhook URL and Trigger Word. The webhook token is needed for verification.",
-			"5. Webhook URL for gateway: https://<gateway>/webhook/mattermost",
+			"1. Create a Bot Account: System Console → Integrations → Bot Accounts → Add Bot Account.",
+			"2. Copy the bot token shown after creation (not shown again).",
+			"3. Note your Mattermost base URL (e.g. https://chat.example.com).",
+			"4. The connector uses WebSocket events — no outgoing webhook needed.",
+			"5. For slash commands: set commands.native=true and expose callbackUrl.",
+			"6. For buttons: add capabilities: [\"inlineButtons\"] and set interactions.callbackBaseUrl.",
+			"",
+			"  Env vars: MATTERMOST_BOT_TOKEN  MATTERMOST_URL",
 			"",
-			"  🔗 docs.mattermost.com"
+			"  Chat modes:",
+			"    oncall (default) — reply only when @mentioned",
+			"    onmessage        — reply to every channel message",
+			"    onchar           — reply when message starts with a prefix (e.g. \">\", \"!\")",
+			"",
+			"  Access control:",
+			"    dmPolicy=pairing (default) | allowlist | open | none",
+			"    groupPolicy=allowlist (default) | open",
+			"    groupAllowFrom=[userId1, ...] — sender gate for channels",
+			"",
+			"  🔗 docs.mattermost.com — mattermost.com"
+		],
+		extraFields: [
+			{
+				name: "baseUrl",
+				label: "Base URL (MATTERMOST_URL)",
+				hint: "https://chat.example.com",
+				required: true
+			},
+			{
+				name: "chatmode",
+				label: "Chat mode",
+				hint: "\"oncall\" (default) | \"onmessage\" | \"onchar\"",
+				required: false
+			},
+			{
+				name: "oncharPrefixes",
+				label: "onchar prefixes",
+				hint: ">, ! (comma-separated, for chatmode=onchar)",
+				required: false
+			},
+			{
+				name: "dmPolicy",
+				label: "DM policy",
+				hint: "\"pairing\" (default) | \"open\" | \"allowlist\" | \"none\"",
+				required: false
+			},
+			{
+				name: "groupPolicy",
+				label: "Group policy",
+				hint: "\"allowlist\" (default) | \"open\"",
+				required: false
+			},
+			{
+				name: "capabilities",
+				label: "Capabilities",
+				hint: "\"inlineButtons\" — comma-separated",
+				required: false
+			}
 		],
-		extraFields: [{
-			name: "serverUrl",
-			label: "Server URL",
-			hint: "https://mattermost.example.com",
-			required: true
-		}, {
-			name: "webhookToken",
-			label: "Outgoing Webhook Token",
-			hint: "From Integrations > Outgoing Webhook",
-			required: true
-		}],
 		status: "available",
-		notes: "Requires Outgoing Webhook + PAT. Webhook URL: /webhook/mattermost",
-		npmPackage: "@mattermost/client"
+		notes: "WebSocket + REST. Supports DMs, channels, buttons, reactions, slash commands, multi-account.",
+		npmPackage: "ws"
 	},
 	{
 		id: "googlechat",
@@ -609,18 +1159,27 @@ const CHANNELS = [
 		id: "msteams",
 		name: "Microsoft Teams",
 		emoji: "🟣",
-		requiresGateway: false,
-		supportsDM: false,
+		requiresGateway: true,
+		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "Teams incoming webhook URL",
+		tokenLabel: "App ID (Azure Bot)",
+		extraFields: [{
+			name: "appPassword",
+			label: "App Password (client secret)",
+			hint: "From Azure Bot → Manage → Certificates & secrets",
+			required: true
+		}],
 		setupSteps: [
-			"1. In Teams: Channel → Connectors → Incoming Webhook → Configure.",
-			"2. Give it a name and copy the Webhook URL.",
-			"3. Paste the URL below.",
+			"1. Create an Azure Bot: portal.azure.com → Create a resource → Azure Bot",
+			"2. Type of App: Single Tenant. Create new Microsoft App ID.",
+			"3. Configuration → copy App ID. Manage → Certificates & secrets → New client secret → copy Value (appPassword).",
+			"4. Channels → Microsoft Teams → Configure. Set Messaging endpoint: https://<your-host>/webhook/msteams",
+			"5. Build a Teams app manifest with botId = App ID. Upload to Teams.",
 			"",
-			"  🔗 docs.microsoft.com/microsoftteams/platform/webhooks-and-connectors"
+			"  🔗 docs/msteams.md — full setup guide"
 		],
-		status: "available"
+		status: "available",
+		notes: "Bot Framework. Text + DM. Channel/group files require Graph + SharePoint."
 	},
 	{
 		id: "nostr",
@@ -650,24 +1209,61 @@ const CHANNELS = [
 		id: "line",
 		name: "LINE",
 		emoji: "🟩",
-		requiresGateway: false,
+		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
 		tokenLabel: "LINE Channel access token",
-		extraFields: [{
-			name: "secret",
-			label: "Channel Secret",
-			required: true
-		}],
+		extraFields: [
+			{
+				name: "channelSecret",
+				label: "Channel Secret",
+				hint: "From LINE Developers Console → Basic settings",
+				required: true
+			},
+			{
+				name: "tokenFile",
+				label: "Token file path (optional)",
+				hint: "Alternative to pasting token directly",
+				required: false
+			},
+			{
+				name: "secretFile",
+				label: "Secret file path (optional)",
+				hint: "Alternative to pasting secret directly",
+				required: false
+			},
+			{
+				name: "webhookPath",
+				label: "Webhook path",
+				hint: "Default: /line/webhook",
+				required: false
+			},
+			{
+				name: "mediaMaxMb",
+				label: "Media download limit (MB)",
+				hint: "Default: 10",
+				required: false
+			},
+			{
+				name: "groupPolicy",
+				label: "Group policy",
+				hint: "open | allowlist | disabled (default: allowlist)",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Go to developers.line.biz → Console → Create provider & channel.",
-			"2. Messaging API channel → Configure Basic settings.",
-			"3. Channel access token: Issue or Regenerate — copy it.",
-			"4. Channel secret: from Basic settings — copy it.",
+			"1. Go to developers.line.biz → Console → Create provider & Messaging API channel.",
+			"2. Channel access token: Issue or Regenerate — copy it.",
+			"3. Channel secret: from Basic settings — copy it.",
+			"4. Enable \"Use webhook\" in Messaging API settings.",
+			"5. Set webhook URL (HTTPS required):",
+			"     https://<gateway-host>/line/webhook",
+			"6. Paste token + secret below.",
 			"",
 			"  🔗 developers.line.biz"
 		],
 		status: "available",
+		notes: "Webhook receiver. Supports DMs, groups, media, Flex messages, quick replies, locations.",
 		npmPackage: "@line/bot-sdk"
 	},
 	{
@@ -695,27 +1291,68 @@ const CHANNELS = [
 	{
 		id: "synology-chat",
 		name: "Synology Chat",
-		emoji: "💬",
+		emoji: "💬",
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "Incoming Webhook URL",
-		tokenHint: "Synology Chat incoming webhook URL",
-		extraFields: [{
-			name: "outgoingToken",
-			label: "Outgoing Webhook Token",
-			hint: "Optional verification token",
-			required: false
-		}],
+		tokenLabel: "Outgoing Webhook Token (SYNOLOGY_CHAT_TOKEN)",
+		tokenHint: "From Synology Chat Integrations Outgoing Webhook",
+		extraFields: [
+			{
+				name: "incomingUrl",
+				label: "Incoming Webhook URL (SYNOLOGY_CHAT_INCOMING_URL)",
+				hint: "From Synology Chat Integrations Incoming Webhook",
+				required: true
+			},
+			{
+				name: "webhookPath",
+				label: "Gateway inbound path",
+				hint: "/webhook/synology (default)",
+				required: false
+			},
+			{
+				name: "dmPolicy",
+				label: "DM policy",
+				hint: "\"allowlist\" (default) | \"open\" | \"pairing\" | \"disabled\"",
+				required: false
+			},
+			{
+				name: "allowedUserIds",
+				label: "Allowed user IDs (SYNOLOGY_ALLOWED_USER_IDS)",
+				hint: "Numeric Synology Chat user IDs, comma-separated",
+				required: false
+			},
+			{
+				name: "rateLimitPerMinute",
+				label: "Rate limit per sender/min (SYNOLOGY_RATE_LIMIT)",
+				hint: "30 (default)",
+				required: false
+			},
+			{
+				name: "allowInsecureSsl",
+				label: "Allow insecure SSL",
+				hint: "false (default) — true only for self-signed NAS certs",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Synology Chat → Integration → Incoming Webhook: create a webhook and copy the URL.",
-			"2. If you want inbound bot events, create an Outgoing Webhook pointing to /webhook/synology-chat.",
-			"3. Paste the incoming webhook URL below.",
+			"1. Synology Chat Integrations Incoming Webhook Create copy URL.",
+			"2. Synology Chat Integrations Outgoing Webhook Create:",
+			"     Outgoing URL: https://<gateway>/webhook/synology",
+			"     Copy the generated token.",
+			"3. Set token + incomingUrl in config (or env vars).",
+			"4. dmPolicy=allowlist requires at least one allowedUserId.",
+			"",
+			"  Env vars: SYNOLOGY_CHAT_TOKEN  SYNOLOGY_CHAT_INCOMING_URL",
+			"            SYNOLOGY_ALLOWED_USER_IDS  SYNOLOGY_RATE_LIMIT  OPENCLAW_BOT_NAME",
+			"",
+			"  Multi-account: channels.synology-chat.accounts.{ default, alerts }",
+			"  Targets: <numericId>, synology-chat:<id>, user:<id>",
 			"",
 			"  🔗 kb.synology.com"
 		],
 		status: "available",
-		notes: "Webhook bridge for Synology Chat rooms / bot automation."
+		notes: "Gateway webhooks. Token verify, rate limiting, multi-account, allowInsecureSsl."
 	},
 	{
 		id: "twitch",
@@ -726,61 +1363,84 @@ const CHANNELS = [
 		platforms: ["all"],
 		tokenLabel: "OAuth Token (oauth:...)",
 		tokenHint: "Generate a Twitch chat token for your bot account",
-		extraFields: [{
-			name: "username",
-			label: "Bot Username",
-			required: true
-		}, {
-			name: "channels",
-			label: "Channels (#name or comma-separated)",
-			required: true
-		}],
+		extraFields: [
+			{
+				name: "username",
+				label: "Bot username",
+				required: true
+			},
+			{
+				name: "channels",
+				label: "Channels (comma-separated)",
+				hint: "vevisk,secondchannel",
+				required: true
+			},
+			{
+				name: "commandPrefix",
+				label: "Command prefix",
+				hint: "! (default)",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Create or use a Twitch bot account.",
-			"2. Generate an IRC OAuth token for Twitch chat (format: oauth:...).",
-			"3. Add one or more channels the bot should join.",
+			"1. Create Twitch bot account. Generate OAuth: twitchapps.com/tmi",
+			"2. Config: username, oauthToken, channels (required).",
+			"3. Add allowFrom (recommended) to restrict who can trigger.",
+			"4. Public chat: prefix required (default !). Whispers: no prefix.",
 			"",
-			"  🔗 dev.twitch.tv"
+			"  🔗 docs/twitch.md — dev.twitch.tv"
 		],
 		status: "available",
-		notes: "Twitch IRC chat integration for streams / channel chat."
+		notes: "IRC over WebSocket. Channel chat + whispers. Pairing, allowlist, modsBypass."
 	},
 	{
 		id: "tlon",
-		name: "Tlon",
-		emoji: "🔵",
+		name: "Tlon (Urbit Groups)",
+		emoji: "🌊",
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "API Key",
-		tokenHint: "Token for your Tlon API / bot gateway",
+		tokenLabel: "Login Code",
+		tokenHint: "Ship login code from Landscape → Settings → Access key (e.g. lidlut-tabwed-pillex-ridrup)",
 		extraFields: [
 			{
-				name: "apiBaseUrl",
-				label: "API Base URL",
-				hint: "e.g. https://tlon.example.com",
+				name: "ship",
+				label: "Ship Name",
+				hint: "e.g. ~sampel-palnet",
 				required: true
 			},
 			{
-				name: "channelId",
-				label: "Default Channel ID",
+				name: "url",
+				label: "Ship URL",
+				hint: "e.g. https://sampel-palnet.tlon.network or http://localhost:8080",
+				required: true
+			},
+			{
+				name: "ownerShip",
+				label: "Owner Ship",
+				hint: "Your personal ship — always authorized, receives approval notifications",
 				required: false
 			},
 			{
-				name: "webhookSecret",
-				label: "Webhook Secret",
+				name: "allowPrivateNetwork",
+				label: "Allow Private Network",
+				hint: "Enable for localhost/LAN ships (SSRF opt-in)",
 				required: false
 			}
 		],
 		setupSteps: [
-			"1. Point Tlon events to /webhook/tlon on your HyperClaw gateway.",
-			"2. Use the API base URL and API key for outbound sends.",
-			"3. Optionally set a default channel ID and webhook secret.",
+			"1. Install plugin: hyperclaw plugins install @hyperclaw/extension-tlon",
+			"2. Get your ship login code from Landscape (Settings → System → Access key).",
+			"3. Configure channels.tlon with ship name, URL, and login code.",
+			"4. Optionally set ownerShip to receive approval notifications.",
+			"5. Restart gateway: hyperclaw gateway restart",
+			"6. DM the bot ship in Tlon or mention it in a group channel.",
 			"",
-			"  🔗 Tlon bot gateway / integration endpoint"
+			"  Plugin required — connects via Urbit Eyre HTTP API + SSE stream.",
+			"  See: docs/tlon.md"
 		],
 		status: "available",
-		notes: "Generic Tlon bridge via webhook ingress + outbound API send."
+		notes: "Urbit Eyre HTTP API + SSE. DMs, groups, reactions, owner approval, auto-discovery. Plugin: @hyperclaw/extension-tlon"
 	},
 	{
 		id: "instagram",
@@ -914,46 +1574,136 @@ const CHANNELS = [
 		status: "available"
 	},
 	{
-		id: "nextcloud",
+		id: "nextcloud-talk",
 		name: "Nextcloud Talk",
 		emoji: "☁️",
 		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "Nextcloud URL",
-		extraFields: [{
-			name: "username",
-			label: "Username",
-			required: true
-		}, {
-			name: "password",
-			label: "App Password",
-			required: true
-		}],
+		tokenLabel: "Nextcloud instance URL",
+		tokenHint: "e.g. https://cloud.example.com",
+		extraFields: [
+			{
+				name: "botSecret",
+				label: "Bot shared secret",
+				hint: "From: occ talk:bot:install",
+				required: true
+			},
+			{
+				name: "botSecretFile",
+				label: "Bot secret file path (optional)",
+				hint: "Alternative to inline secret",
+				required: false
+			},
+			{
+				name: "apiUser",
+				label: "API username (optional)",
+				hint: "For DM detection + fallback send via OCS API",
+				required: false
+			},
+			{
+				name: "apiPassword",
+				label: "API/app password (optional)",
+				hint: "Nextcloud app password for apiUser",
+				required: false
+			},
+			{
+				name: "webhookPort",
+				label: "Webhook listener port",
+				hint: "Default: 8788",
+				required: false
+			},
+			{
+				name: "webhookPath",
+				label: "Webhook path",
+				hint: "Default: /nextcloud-talk-webhook",
+				required: false
+			},
+			{
+				name: "webhookPublicUrl",
+				label: "Webhook public URL",
+				hint: "If behind a proxy — set this in occ talk:bot:install",
+				required: false
+			},
+			{
+				name: "groupPolicy",
+				label: "Room policy",
+				hint: "allowlist (default) | open | disabled",
+				required: false
+			},
+			{
+				name: "textChunkLimit",
+				label: "Text chunk limit (chars)",
+				hint: "Default: 32000",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Create App Password: Nextcloud → Profile → Security → App passwords.",
-			"2. You need the Nextcloud URL, username and App Password.",
+			"1. On your Nextcloud server, create the bot:",
+			"     ./occ talk:bot:install \"HyperClaw\" \"<shared-secret>\" \"<webhook-url>\" --feature reaction",
+			"   Replace <webhook-url> with your gateway URL, e.g. https://yourhost/nextcloud-talk-webhook",
+			"2. Enable the bot in the target room settings (room → ⋯ → Bots).",
+			"3. Enter the Nextcloud URL (token field) and the shared secret below.",
+			"4. (Optional) Add apiUser + app password to enable DM detection via OCS API.",
 			"",
-			"  🔗 nextcloud.com"
+			"  🔗 nextcloud.com — docs.nextcloud.com/server/latest/admin_manual/talk_bots.html"
 		],
-		status: "available"
+		status: "available",
+		notes: "Webhook bot. Supports DMs (with apiUser), rooms, reactions. No media uploads."
 	},
 	{
 		id: "zalo",
 		name: "Zalo",
 		emoji: "🔵",
-		requiresGateway: false,
+		requiresGateway: true,
 		supportsDM: true,
 		platforms: ["all"],
-		tokenLabel: "Zalo OA Access Token",
+		tokenLabel: "Zalo Bot Token (12345689:abc-xyz)",
+		tokenHint: "From bot.zaloplatforms.com",
+		extraFields: [
+			{
+				name: "tokenFile",
+				label: "Token file path (optional)",
+				hint: "Alternative to inline token",
+				required: false
+			},
+			{
+				name: "groupPolicy",
+				label: "Group policy",
+				hint: "allowlist (default) | open | disabled",
+				required: false
+			},
+			{
+				name: "webhookUrl",
+				label: "Webhook URL (optional)",
+				hint: "HTTPS required — leave blank for long-polling",
+				required: false
+			},
+			{
+				name: "webhookSecret",
+				label: "Webhook secret (optional)",
+				hint: "8-256 chars — required if webhookUrl is set",
+				required: false
+			},
+			{
+				name: "mediaMaxMb",
+				label: "Media size limit (MB)",
+				hint: "Default: 5",
+				required: false
+			}
+		],
 		setupSteps: [
-			"1. Zalo Official Account (OA): developers.zalo.me → My Apps.",
-			"2. Create an app and connect it to your OA.",
-			"3. Access Token from Zalo API (OAuth flow or test token for development).",
+			"1. Go to https://bot.zaloplatforms.com and sign in.",
+			"2. Create a new bot and configure its settings.",
+			"3. Copy the bot token (format: 12345689:abc-xyz).",
+			"4. Paste the token below.",
+			"5. (Optional) Set webhookUrl for webhook mode (HTTPS required).",
+			"   Leave blank to use long-polling (no public URL needed).",
 			"",
-			"  🔗 developers.zalo.me"
+			"  🔗 bot.zaloplatforms.com"
 		],
-		status: "available"
+		status: "available",
+		notes: "Experimental. DMs supported; groups with allowlist policy. Long-polling by default."
 	},
 	{
 		id: "web",
@@ -1042,18 +1792,24 @@ const ZALO_PERSONAL = {
 	requiresGateway: true,
 	supportsDM: true,
 	platforms: ["all"],
-	tokenLabel: "Zalo Personal cookie token",
-	tokenHint: "Extract from browser",
+	tokenLabel: "Cookie (from chat.zalo.me)",
+	tokenHint: "DevTools → Application → Cookies",
+	extraFields: [{
+		name: "dmPolicy",
+		label: "DM policy",
+		hint: "pairing (default) | allowlist | open | disabled",
+		required: false
+	}],
 	setupSteps: [
-		"1. Unofficial API — uses browser cookies. May break with Zalo updates.",
-		"2. Open Zalo Web in browser, Developer Tools → Application → Cookies.",
-		"3. Look for the token/cookie Zalo uses for auth.",
-		"4. See docs/channels/zalo-personal.md for details.",
+		"1. ⚠️ Experimental — unofficial. Account ban risk. Use at your own risk.",
+		"2. Open chat.zalo.me, log in. DevTools → Application → Cookies → copy.",
+		"3. Add channel, set cookie (or ZALO_PERSONAL_COOKIE env).",
+		"4. hyperclaw gateway → hyperclaw pairing approve zalo-personal <CODE>",
 		"",
-		"  ⚠️  Unofficial — use at your own risk"
+		"  🔗 docs/zalo-personal.md — full setup"
 	],
 	status: "available",
-	notes: "Uses unofficial Zalo personal API — may break on Zalo app updates"
+	notes: "Zalo Web cookie auth. DMs only. No groups. Text chunked ~2000 chars."
 };
 CHANNELS.push(ZALO_PERSONAL);
 
@@ -1185,6 +1941,180 @@ async function getConfiguredChannels() {
 		return [];
 	}
 }
+/**
+* hyperclaw channels login [channel]
+* Shortcut for first-time login flows (QR pairing, bot tokens, OAuth).
+* Delegates to channelsAdd with a login-oriented preamble.
+*/
+async function channelsLogin(channelId) {
+	console.log(chalk.default.bold.cyan("\n  🔑 Channel Login\n"));
+	console.log(chalk.default.gray("  This wizard will guide you through first-time login for a channel.\n"));
+	console.log(chalk.default.gray("  WhatsApp → QR code scan"));
+	console.log(chalk.default.gray("  Telegram → bot token (from @BotFather)"));
+	console.log(chalk.default.gray("  Discord  → bot token (from Discord Developer Portal)"));
+	console.log(chalk.default.gray("  Slack    → bot + app tokens"));
+	console.log(chalk.default.gray("  Signal   → phone number + signal-cli daemon\n"));
+	await channelsAdd(channelId);
+}
+function httpProbe(url, ms = 1200) {
+	return new Promise((resolve) => {
+		const req = http.default.get(url, { timeout: ms }, (res) => {
+			res.resume();
+			resolve((res.statusCode ?? 0) < 500);
+		});
+		req.on("error", () => resolve(false));
+		req.on("timeout", () => {
+			req.destroy();
+			resolve(false);
+		});
+	});
+}
+/** Attempt a lightweight connectivity probe for a channel. */
+async function probeChannel(channelId, channelCfg) {
+	switch (channelId) {
+		case "telegram": {
+			const token = channelCfg?.token || process.env.TELEGRAM_BOT_TOKEN;
+			if (!token) return {
+				status: "skipped",
+				detail: "no token"
+			};
+			const ok = await httpProbe(`https://api.telegram.org/bot${token}/getMe`);
+			return ok ? {
+				status: "connected",
+				detail: "api.telegram.org ok"
+			} : {
+				status: "unreachable",
+				detail: "api.telegram.org unreachable"
+			};
+		}
+		case "discord": {
+			const ok = await httpProbe("https://discord.com/api/v10/gateway");
+			return ok ? {
+				status: "connected",
+				detail: "discord.com/api ok"
+			} : {
+				status: "unreachable",
+				detail: "discord.com unreachable"
+			};
+		}
+		case "signal": {
+			const daemonUrl = channelCfg?.daemonUrl || "http://127.0.0.1:8080";
+			const ok = await httpProbe(`${daemonUrl}/v1/about`);
+			return ok ? {
+				status: "connected",
+				detail: `signal-cli at ${daemonUrl}`
+			} : {
+				status: "unreachable",
+				detail: `signal-cli not reachable at ${daemonUrl}`
+			};
+		}
+		case "mattermost": {
+			const baseUrl = channelCfg?.baseUrl;
+			if (!baseUrl) return {
+				status: "skipped",
+				detail: "no baseUrl"
+			};
+			const ok = await httpProbe(`${baseUrl}/api/v4/system/ping`);
+			return ok ? {
+				status: "connected",
+				detail: "system/ping ok"
+			} : {
+				status: "unreachable",
+				detail: "server unreachable"
+			};
+		}
+		case "matrix": {
+			const homeserver = channelCfg?.homeserver;
+			if (!homeserver) return {
+				status: "skipped",
+				detail: "no homeserver"
+			};
+			const ok = await httpProbe(`${homeserver}/_matrix/client/versions`);
+			return ok ? {
+				status: "connected",
+				detail: "matrix client ok"
+			} : {
+				status: "unreachable",
+				detail: "homeserver unreachable"
+			};
+		}
+		case "slack": {
+			const ok = await httpProbe("https://slack.com/api/api.test");
+			return ok ? {
+				status: "connected",
+				detail: "slack.com/api ok"
+			} : {
+				status: "unreachable",
+				detail: "slack.com unreachable"
+			};
+		}
+		default: return {
+			status: "skipped",
+			detail: "probe not implemented"
+		};
+	}
+}
+/**
+* hyperclaw channels status [--probe]
+* Show all configured channels with their status.
+* --probe attempts a real connectivity check for each.
+*/
+async function channelsStatus(opts = {}) {
+	const configFile = path.default.join(os.default.homedir(), ".hyperclaw", "config.json");
+	let cfg = {};
+	try {
+		cfg = fs_extra.default.readJsonSync(configFile);
+	} catch {}
+	const configured = cfg.channels || [];
+	console.log(chalk.default.bold.cyan("\n  📡 CHANNEL STATUS\n"));
+	if (configured.length === 0) {
+		console.log(chalk.default.gray("  No channels configured.\n"));
+		console.log(chalk.default.gray("  Add a channel: hyperclaw channels add\n"));
+		return;
+	}
+	const spinner = opts.probe ? (0, ora.default)("Probing channels...").start() : null;
+	const results = [];
+	for (const id of configured) {
+		const ch = getChannel(id);
+		if (!ch) continue;
+		const channelCfg = cfg.channelConfigs?.[id];
+		const dmPolicy = channelCfg?.dmPolicy?.policy ?? channelCfg?.dmPolicy;
+		const r = {
+			id,
+			name: ch.name,
+			emoji: ch.emoji,
+			configured: true,
+			dmPolicy
+		};
+		if (opts.probe) {
+			const { status, detail } = await probeChannel(id, channelCfg);
+			r.probe = status;
+			r.probeDetail = detail;
+		}
+		results.push(r);
+	}
+	if (spinner) spinner.stop();
+	const allIds = CHANNELS.map((c) => c.id);
+	const unconfigured = allIds.filter((id) => !configured.includes(id));
+	for (const r of results) {
+		const probeStr = opts.probe ? r.probe === "connected" ? chalk.default.green(" ✔ connected") : r.probe === "unreachable" ? chalk.default.red(" ✖ unreachable") : chalk.default.gray(" — skipped") : "";
+		const dm = r.dmPolicy ? chalk.default.gray(` dm:${r.dmPolicy}`) : "";
+		console.log(`  ${chalk.default.green("●")} ${r.emoji} ${r.name.padEnd(18)}${dm}${probeStr}`);
+		if (opts.probe && r.probeDetail) console.log(`     ${chalk.default.gray(r.probeDetail)}`);
+	}
+	if (unconfigured.length > 0) console.log(chalk.default.gray(`\n  ○ ${unconfigured.length} unconfigured channel(s) — add with: hyperclaw channels add`));
+	console.log();
+	if (opts.probe) {
+		const unreachable = results.filter((r) => r.probe === "unreachable");
+		if (unreachable.length > 0) {
+			console.log(chalk.default.yellow(`  ⚠  ${unreachable.length} channel(s) unreachable:`));
+			for (const r of unreachable) console.log(chalk.default.gray(`     ${r.id}: ${r.probeDetail}`));
+			console.log();
+			console.log(chalk.default.gray("  Troubleshoot: hyperclaw doctor"));
+			console.log(chalk.default.gray("  Logs:         hyperclaw logs --follow\n"));
+		} else console.log(chalk.default.green("  ✔  All probed channels reachable\n"));
+	}
+}
 
 //#endregion
 //#region src/infra/update-channels.ts
@@ -1496,22 +2426,68 @@ var init_queue = require_chunk.__esm({ "src/delivery/queue.ts"() {
 //#endregion
 //#region src/cli/run-main.ts
 const program = new commander.Command();
-program.name("hyperclaw").description("⚡ HyperClaw — AI Gateway Platform. The Lobster Evolution 🦅").version("4.0.2");
+program.name("hyperclaw").description("⚡ HyperClaw — AI Gateway Platform. The Lobster Evolution 🦅").version("5.0.0").option("--profile <name>", "Use an isolated gateway profile. Auto-scopes HYPERCLAW_STATE_DIR and HYPERCLAW_CONFIG_PATH. Required for multi-gateway setups (rescue bot, staging, etc.). Example: hyperclaw --profile rescue gateway --port 19001").hook("preAction", (thisCommand) => {
+	const profile = thisCommand.opts().profile;
+	if (profile) {
+		const os$8 = require("os");
+		const path$7 = require("path");
+		const home = os$8.homedir();
+		if (!process.env.HYPERCLAW_STATE_DIR) process.env.HYPERCLAW_STATE_DIR = path$7.join(home, `.hyperclaw-${profile}`);
+		if (!process.env.HYPERCLAW_CONFIG_PATH) process.env.HYPERCLAW_CONFIG_PATH = path$7.join(process.env.HYPERCLAW_STATE_DIR, "hyperclaw.json");
+	}
+});
 program.command("init").description("Initialize HyperClaw with interactive wizard").option("-a, --auto-config", "Auto-configure with defaults").option("-d, --daemon", "Install as system daemon").option("-s, --start-now", "Start gateway after setup").action(async (opts) => {
 	await new require_onboard.Banner().showNeonBanner(false);
 	await new require_onboard.HyperClawWizard().run(opts);
 	process.exit(0);
 });
-program.command("onboard").description("Full onboarding wizard — preferred setup path").option("--install-daemon", "Auto-install system daemon (starts on boot, grants full PC access)").option("--quick", "Use QuickStart mode (skip advanced options)").action(async (opts) => {
+program.command("onboard").description("Full onboarding wizard — preferred setup path").option("--install-daemon", "Auto-install system daemon (starts on boot, grants full PC access)").option("--quick", "Use QuickStart mode (skip advanced options)").option("--reset", "Reset config before running wizard (sends to trash, not deleted)").option("--reset-scope <scope>", "What to reset: config | config+creds | full", "config").option("--non-interactive", "Run in non-interactive mode (use flags for all options)").option("--json", "Output result as JSON (use with --non-interactive)").option("--anthropic-api-key <key>", "Anthropic API key (non-interactive)").option("--openai-api-key <key>", "OpenAI API key (non-interactive)").option("--gateway-port <port>", "Gateway port (non-interactive)", "18789").option("--gateway-bind <bind>", "Gateway bind: loopback | all (non-interactive)", "loopback").option("--daemon-runtime <runtime>", "Daemon runtime: node | bun (non-interactive)", "node").option("--skip-skills", "Skip skills setup (non-interactive)").option("--skip-search", "Skip web search setup (non-interactive)").action(async (opts) => {
 	await new require_onboard.Banner().showNeonBanner(false);
+	if (opts.reset) {
+		const fs$7 = require("fs-extra");
+		const path$7 = require("path");
+		const os$8 = require("os");
+		const hcDir = path$7.join(os$8.homedir(), ".hyperclaw");
+		const scope = opts.resetScope ?? "config";
+		const filesToRemove = [path$7.join(hcDir, "hyperclaw.json")];
+		if (scope === "config+creds" || scope === "full") {
+			filesToRemove.push(path$7.join(hcDir, "credentials"));
+			filesToRemove.push(path$7.join(hcDir, "sessions"));
+		}
+		if (scope === "full") filesToRemove.push(path$7.join(hcDir, "workspace"));
+		const chalk$11 = require("chalk");
+		console.log(chalk$11.yellow(`\n  ⚠  Reset scope: ${chalk$11.bold(scope)}\n`));
+		console.log(chalk$11.gray("  Files to remove:"));
+		filesToRemove.forEach((f) => console.log(chalk$11.gray(`    • ${f}`)));
+		const inquirer$2 = require("inquirer");
+		const { confirmReset } = await inquirer$2.prompt([{
+			type: "confirm",
+			name: "confirmReset",
+			message: "Confirm reset? (files will be moved to trash/backup, not permanently deleted)",
+			default: false
+		}]);
+		if (confirmReset) {
+			const backupDir = path$7.join(hcDir, `backup-${Date.now()}`);
+			await fs$7.ensureDir(backupDir);
+			for (const f of filesToRemove) if (await fs$7.pathExists(f)) {
+				const dest = path$7.join(backupDir, path$7.basename(f));
+				await fs$7.move(f, dest);
+				console.log(chalk$11.gray(`  ✓ Moved ${path$7.basename(f)} → backup/`));
+			}
+			console.log(chalk$11.green("\n  ✔  Reset complete. Starting fresh...\n"));
+		} else {
+			console.log(chalk$11.gray("\n  Reset cancelled.\n"));
+			process.exit(0);
+		}
+	}
 	if (opts.installDaemon) {
-		const chalk$10 = require("chalk");
-		console.log(chalk$10.yellow("\n  ⚠  --install-daemon mode\n"));
-		console.log(chalk$10.gray("  The daemon will run as a background system service and will have:\n"));
-		console.log(chalk$10.white("    • Full shell / command execution on this machine"));
-		console.log(chalk$10.white("    • File system read & write access"));
-		console.log(chalk$10.white("    • Network access (gateway WebSocket)"));
-		console.log(chalk$10.white("    • Auto-start on every system boot\n"));
+		const chalk$11 = require("chalk");
+		console.log(chalk$11.yellow("\n  ⚠  --install-daemon mode\n"));
+		console.log(chalk$11.gray("  The daemon will run as a background system service and will have:\n"));
+		console.log(chalk$11.white("    • Full shell / command execution on this machine"));
+		console.log(chalk$11.white("    • File system read & write access"));
+		console.log(chalk$11.white("    • Network access (gateway WebSocket)"));
+		console.log(chalk$11.white("    • Auto-start on every system boot\n"));
 		const inquirer$2 = require("inquirer");
 		const { confirmed } = await inquirer$2.prompt([{
 			type: "confirm",
@@ -1520,14 +2496,23 @@ program.command("onboard").description("Full onboarding wizard — preferred set
 			default: false
 		}]);
 		if (!confirmed) {
-			console.log(chalk$10.gray("\n  Cancelled. Run without --install-daemon to choose during setup.\n"));
+			console.log(chalk$11.gray("\n  Cancelled. Run without --install-daemon to choose during setup.\n"));
 			process.exit(0);
 		}
 	}
 	await new require_onboard.HyperClawWizard().run({
 		...opts,
 		wizard: true,
-		installDaemon: opts.installDaemon ?? false
+		installDaemon: opts.installDaemon ?? false,
+		nonInteractive: opts.nonInteractive ?? false,
+		jsonOutput: opts.json ?? false,
+		skipSkills: opts.skipSkills ?? false,
+		skipSearch: opts.skipSearch ?? false,
+		daemonRuntime: opts.daemonRuntime ?? "node",
+		gatewayPort: opts.gatewayPort ? parseInt(opts.gatewayPort) : void 0,
+		gatewayBind: opts.gatewayBind ?? "loopback",
+		anthropicApiKey: opts.anthropicApiKey,
+		openaiApiKey: opts.openaiApiKey
 	});
 	process.exit(0);
 });
@@ -1552,18 +2537,18 @@ gatewayCmd.command("status").description("Show gateway status").action(async ()
 	process.exit(0);
 });
 gatewayCmd.command("start").description("Start the gateway service").option("-p, --port <port>", "Override port").action(async (opts) => {
-	await new require_onboard.DaemonManager().start();
+	await new require_daemon.DaemonManager().start();
 });
 gatewayCmd.command("stop").description("Stop the gateway service").action(async () => {
-	await new require_onboard.DaemonManager().stop();
+	await new require_daemon.DaemonManager().stop();
 	process.exit(0);
 });
 gatewayCmd.command("restart").description("Restart the gateway service").action(async () => {
-	const dm = new require_onboard.DaemonManager();
+	const dm = new require_daemon.DaemonManager();
 	await dm.restart();
 });
 program.command("daemon").description("Manage HyperClaw system service (alias: gateway)").argument("<action>", "start|stop|restart|status|logs|install|uninstall").action(async (action) => {
-	const dm = new require_onboard.DaemonManager();
+	const dm = new require_daemon.DaemonManager();
 	if (action === "start") await new require_onboard.Banner().showNeonBanner(true);
 	await dm.handle(action);
 	if (action === "start" || action === "restart") return;
@@ -1571,20 +2556,20 @@ program.command("daemon").description("Manage HyperClaw system service (alias: g
 });
 const sandboxCmd = program.command("sandbox").description("Debug sandbox and tool policy");
 sandboxCmd.command("explain").description("Show effective sandbox mode, tool policy, and allowed tools").option("--json", "Output as JSON").action(async (opts) => {
-	const chalk$10 = require("chalk");
-	const fs$6 = require("fs-extra");
-	const path$6 = require("path");
-	const os$7 = require("os");
+	const chalk$11 = require("chalk");
+	const fs$7 = require("fs-extra");
+	const path$7 = require("path");
+	const os$8 = require("os");
 	const { getConfigPath } = await Promise.resolve().then(() => require("./paths-D-QecARF.js"));
 	const cfgPath = getConfigPath();
 	let cfg = {};
 	try {
-		cfg = await fs$6.readJson(cfgPath);
+		cfg = await fs$7.readJson(cfgPath);
 	} catch {}
 	const sandboxMode = cfg?.agents?.defaults?.sandbox?.mode ?? "non-main";
 	const toolsCfg = cfg?.tools ?? {};
-	const { describeToolPolicy, applyToolPolicy } = await Promise.resolve().then(() => require("./tool-policy-DNvNRnve.js"));
-	const { getBuiltinTools, getSessionsTools, getPCAccessTools, getBrowserTools, getExtractionTools, getWebsiteWatchTools, getVisionTools } = await Promise.resolve().then(() => require("./src-BEVLgaF1.js"));
+	const { describeToolPolicy, applyToolPolicy } = await Promise.resolve().then(() => require("./tool-policy-CNT-mF2Z.js"));
+	const { getBuiltinTools, getSessionsTools, getPCAccessTools, getBrowserTools, getExtractionTools, getWebsiteWatchTools, getVisionTools } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	const allTools = [
 		...getBuiltinTools(),
 		...getSessionsTools(() => null),
@@ -1612,15 +2597,15 @@ sandboxCmd.command("explain").description("Show effective sandbox mode, tool pol
 		}, null, 2));
 		process.exit(0);
 	}
-	console.log(chalk$10.bold.hex("#06b6d4")("\n  🔒 SANDBOX EXPLAIN\n"));
+	console.log(chalk$11.bold.hex("#06b6d4")("\n  🔒 SANDBOX EXPLAIN\n"));
 	console.log(`  Sandbox mode:  ${sandboxMode} (non-main sessions get restricted pcTools)`);
 	console.log(`  Tool profile:  ${policy.profile}`);
 	console.log(`  Policy source: ${policy.source}`);
 	if (policy.allow?.length) console.log(`  Allow:         ${policy.allow.join(", ")}`);
 	if (policy.deny?.length) console.log(`  Deny:          ${policy.deny.join(", ")}`);
 	console.log(`  Tools:         ${filtered.length} / ${allTools.length} allowed`);
-	console.log(chalk$10.gray("\n  Allowed: " + filtered.map((t) => t.name).join(", ")));
-	console.log(chalk$10.gray("\n  Elevated: " + ((cfg?.tools?.elevated)?.enabled ? "enabled" : "disabled")));
+	console.log(chalk$11.gray("\n  Allowed: " + filtered.map((t) => t.name).join(", ")));
+	console.log(chalk$11.gray("\n  Elevated: " + ((cfg?.tools?.elevated)?.enabled ? "enabled" : "disabled")));
 	console.log();
 	process.exit(0);
 });
@@ -1637,6 +2622,14 @@ channelsCmd.command("remove <channel>").description("Remove a channel").action(a
 	await channelsRemove(channel);
 	process.exit(0);
 });
+channelsCmd.command("login [channel]").description("First-time login / QR pairing for a channel").action(async (channel) => {
+	await channelsLogin(channel);
+	process.exit(0);
+});
+channelsCmd.command("status").description("Show channel status (use --probe to test connectivity)").option("--probe", "Probe each channel for real connectivity").action(async (opts) => {
+	await channelsStatus({ probe: !!opts.probe });
+	process.exit(0);
+});
 const hooksCmd = program.command("hooks").description("Hook management");
 hooksCmd.command("list").description("List all hooks").option("--eligible", "Show only eligible hooks").action((opts) => {
 	new require_loader.HookLoader().list(opts.eligible);
@@ -1672,12 +2665,67 @@ agentsCmd.command("unbind").description("Remove channel ↔ agent bindings").act
 	process.exit(0);
 });
 const pairingCmd = program.command("pairing").description("DM pairing codes");
-pairingCmd.command("list").description("List pending and approved pairing codes").action(() => {
-	new require_pairing.PairingStore().showList();
+pairingCmd.command("list [channel]").description("List pending DM pairing requests (optionally filter by channel)").action(async (channel) => {
+	await new require_pairing.GlobalPairingManager().showList(channel);
 	process.exit(0);
 });
-pairingCmd.command("approve <channel> <code>").description("Approve a pairing code and add user to allowlist").action((channel, code) => {
-	new require_pairing.PairingStore().cliApprove(channel, code);
+pairingCmd.command("approve <channel> <code>").description("Approve a pairing code and add sender to channel allowlist").option("--account <id>", "Account ID for multi-account channels", "default").action(async (channel, code, opts) => {
+	await new require_pairing.GlobalPairingManager().cliApprove(channel, code, opts.account);
+	process.exit(0);
+});
+const devicesCmd = program.command("devices").description("Node/device pairing (iOS, Android, macOS, headless)");
+devicesCmd.command("list").description("List pending and paired devices").action(async () => {
+	await new DevicePairingStore().showCLI();
+	process.exit(0);
+});
+devicesCmd.command("pair").description("Create a new device pairing request and print setup code").option("-u, --gateway-url <url>", "Gateway WebSocket URL", "ws://localhost:18789").option("-n, --name <name>", "Device name (optional)").option("-p, --platform <platform>", "Platform hint: ios|android|macos|headless (optional)").action(async (opts) => {
+	const store = new DevicePairingStore();
+	const result = await store.createRequest(opts.gatewayUrl, {
+		deviceName: opts.name,
+		platform: opts.platform
+	});
+	console.log(chalk.default.bold.cyan("\n  📱 DEVICE PAIR REQUEST\n"));
+	console.log(`  Request ID:  ${chalk.default.bold(result.requestId)}`);
+	console.log(`  Expires:     ${chalk.default.gray(new Date(result.expiresAt).toLocaleTimeString())}`);
+	console.log();
+	console.log(chalk.default.yellow("  Setup code (send to device or paste in app):"));
+	console.log(chalk.default.bold(`\n  ${result.setupCode}\n`));
+	console.log(chalk.default.gray("  Approve:  hyperclaw devices approve " + result.requestId));
+	console.log(chalk.default.gray("  Reject:   hyperclaw devices reject " + result.requestId));
+	console.log(chalk.default.gray("\n  Telegram: message your bot with /pair for guided flow.\n"));
+	process.exit(0);
+});
+devicesCmd.command("approve <requestId>").description("Approve a pending device pairing request").action(async (requestId) => {
+	const store = new DevicePairingStore();
+	const device = await store.approve(requestId);
+	if (device) {
+		console.log(chalk.default.green(`\n  ✔  Device approved: ${chalk.default.bold(device.deviceId)}`));
+		if (device.deviceName) console.log(chalk.default.gray(`     Name: ${device.deviceName}`));
+		console.log(chalk.default.gray(`     Paired at: ${device.pairedAt}\n`));
+	} else {
+		console.log(chalk.default.red(`\n  ✖  Request not found or expired: ${requestId}\n`));
+		process.exit(1);
+	}
+	process.exit(0);
+});
+devicesCmd.command("reject <requestId>").description("Reject a pending device pairing request").action(async (requestId) => {
+	const store = new DevicePairingStore();
+	const ok = await store.reject(requestId);
+	if (ok) console.log(chalk.default.green(`\n  ✔  Request rejected: ${requestId}\n`));
+	else {
+		console.log(chalk.default.red(`\n  ✖  Request not found: ${requestId}\n`));
+		process.exit(1);
+	}
+	process.exit(0);
+});
+devicesCmd.command("unpair <deviceId>").description("Remove a paired device").action(async (deviceId) => {
+	const store = new DevicePairingStore();
+	const ok = await store.unpair(deviceId);
+	if (ok) console.log(chalk.default.green(`\n  ✔  Device unpaired: ${deviceId}\n`));
+	else {
+		console.log(chalk.default.red(`\n  ✖  Device not found: ${deviceId}\n`));
+		process.exit(1);
+	}
 	process.exit(0);
 });
 const msgCmd = program.command("message").description("Send messages");
@@ -1741,13 +2789,13 @@ skillCmd.command("install <id>").description("Install skill from ClawHub (or bun
 	process.exit(0);
 });
 program.command("menu-bar").description("Launch macOS menu bar companion (Electron tray app)").action(async () => {
-	const path$6 = await import("path");
+	const path$7 = await import("path");
 	const { spawn } = await import("child_process");
-	const fs$6 = await import("fs-extra");
-	const root = path$6.join(process.cwd(), "apps", "macos");
-	const altRoot = path$6.join(__dirname, "..", "..", "apps", "macos");
-	const macosDir = await fs$6.pathExists(root) ? root : await fs$6.pathExists(altRoot) ? altRoot : null;
-	if (!macosDir || !await fs$6.pathExists(path$6.join(macosDir, "package.json"))) {
+	const fs$7 = await import("fs-extra");
+	const root = path$7.join(process.cwd(), "apps", "macos");
+	const altRoot = path$7.join(__dirname, "..", "..", "apps", "macos");
+	const macosDir = await fs$7.pathExists(root) ? root : await fs$7.pathExists(altRoot) ? altRoot : null;
+	if (!macosDir || !await fs$7.pathExists(path$7.join(macosDir, "package.json"))) {
 		console.log(chalk.default.gray("\n  macOS menu bar app not found."));
 		console.log(chalk.default.gray("  Run from HyperClaw repo root, or: cd apps/macos && npm start\n"));
 		process.exit(1);
@@ -1774,8 +2822,15 @@ program.command("update").description("Update HyperClaw").option("-c, --channel
 	await performUpdate(effective.channel, installKind);
 	process.exit(0);
 });
-program.command("doctor").description("Health check — surfaces misconfigs and risky DM policies").option("--fix", "Auto-repair fixable issues").action(async (opts) => {
-	await require_doctor.runDoctor(opts.fix);
+program.command("doctor").description("Health check — surfaces misconfigs, risky DM policies, and repairs").option("--fix", "Auto-repair fixable issues").option("--repair", "Apply recommended repairs (same as --fix)").option("--force", "Apply aggressive repairs (use with --repair)").option("-y, --yes", "Accept defaults without prompting").option("--non-interactive", "Skip prompts; only run safe migrations").option("--deep", "Scan system services for extra gateway installs").action(async (opts) => {
+	await require_doctor.runDoctor(opts.fix || opts.repair, {
+		fix: opts.fix,
+		repair: opts.repair,
+		force: opts.force,
+		yes: opts.yes,
+		nonInteractive: opts.nonInteractive,
+		deep: opts.deep
+	});
 	process.exit(0);
 });
 const memCmd = program.command("memory").description("Agent memory management");
@@ -1857,7 +2912,7 @@ cfgCmd.command("set-service-key <serviceId> [apiKey]").description("Set API key
 cfgCmd.command("schema").description("Show configuration schema").action(() => {
 	console.log(chalk.default.bold.hex("#06b6d4")("\n  Config schema: ~/.hyperclaw/config.json\n"));
 	const schema = {
-		version: "string (e.g. \"4.0.2\")",
+		version: "string (e.g. \"5.0.0\")",
 		workspaceName: "string",
 		provider: {
 			providerId: "string",
@@ -1950,17 +3005,17 @@ program.command("deploy").description("Deploy gateway to cloud (Fly.io or Render
 program.command("voice-call").description("Start voice call session — terminal mode, talks to gateway").option("-u, --gateway-url <url>", "Gateway URL", "http://localhost:18789").action(async (opts) => {
 	const axios = (await import("axios")).default;
 	const readline$2 = await import("readline");
-	const chalk$10 = require("chalk");
+	const chalk$11 = require("chalk");
 	const url = opts.gatewayUrl || "http://localhost:18789";
-	console.log(chalk$10.bold.cyan("\n  🎙️  HYPERCLAW VOICE CALL\n"));
-	console.log(chalk$10.gray(`  Gateway: ${url}`));
-	console.log(chalk$10.gray("  Type a message and press Enter. Ctrl+C to exit.\n"));
+	console.log(chalk$11.bold.cyan("\n  🎙️  HYPERCLAW VOICE CALL\n"));
+	console.log(chalk$11.gray(`  Gateway: ${url}`));
+	console.log(chalk$11.gray("  Type a message and press Enter. Ctrl+C to exit.\n"));
 	const rl = readline$2.createInterface({
 		input: process.stdin,
 		output: process.stdout
 	});
 	const ask = () => {
-		rl.question(chalk$10.cyan("  You: "), async (input) => {
+		rl.question(chalk$11.cyan("  You: "), async (input) => {
 			if (!input?.trim()) {
 				ask();
 				return;
@@ -1970,9 +3025,9 @@ program.command("voice-call").description("Start voice call session — terminal
 					message: input.trim(),
 					thinking: "none"
 				}, { timeout: 6e4 });
-				console.log(chalk$10.green(`  🦅 Agent: ${(res.data?.response || "").slice(0, 500)}\n`));
+				console.log(chalk$11.green(`  🦅 Agent: ${(res.data?.response || "").slice(0, 500)}\n`));
 			} catch (e) {
-				console.log(chalk$10.red(`  Error: ${e.response?.data?.error || e.message}\n`));
+				console.log(chalk$11.red(`  Error: ${e.response?.data?.error || e.message}\n`));
 			}
 			ask();
 		});
@@ -1992,13 +3047,102 @@ program.command("dashboard").description("Launch live terminal dashboard").optio
 	await new Dashboard().launch(opts.live);
 	if (!opts.live) process.exit(0);
 });
-program.command("status").description("System overview").action(async () => {
+program.command("status").description("System overview").option("--all", "Full local diagnosis (read-only)").option("--deep", "Also probe the running gateway").action(async (opts) => {
 	await new require_onboard.Banner().showStatus();
+	if (opts.all || opts.deep) {
+		const fs$7 = await import("fs-extra");
+		const { getConfigPath } = await Promise.resolve().then(() => require("./paths-D-QecARF.js"));
+		const t = (await Promise.resolve().then(() => require("./theme-cx0fkgWC.js"))).getTheme(false);
+		const configPath = getConfigPath();
+		console.log(t.bold("\n  ─── Deep status ───\n"));
+		try {
+			const cfg = await fs$7.readJson(configPath);
+			console.log(t.muted("  Config: ") + (cfg ? t.success("loaded") : t.error("missing")));
+			console.log(t.muted("  Channels: ") + JSON.stringify(cfg?.gateway?.enabledChannels || cfg?.channels || []));
+		} catch {
+			console.log(t.muted("  Config: ") + t.error("unreadable"));
+		}
+		if (opts.deep) {
+			const http$2 = await import("http");
+			const { resolveGatewayUrl } = await Promise.resolve().then(() => require("./health-B-asI__D.js"));
+			const cfg = await new require_manager.ConfigManager().load();
+			const { gatewayUrl } = resolveGatewayUrl(cfg);
+			const u = new URL(gatewayUrl);
+			const optsReq = {
+				hostname: u.hostname,
+				port: u.port || (u.protocol === "https:" ? 443 : 80),
+				path: "/api/status",
+				method: "GET",
+				timeout: 3e3
+			};
+			if (u.protocol === "https:") {
+				const https = await import("https");
+				await new Promise((resolve) => {
+					const req = https.request(`${gatewayUrl}/api/status`, { timeout: 3e3 }, (res) => {
+						let d = "";
+						res.on("data", (c) => d += c);
+						res.on("end", () => {
+							try {
+								const j = JSON.parse(d);
+								console.log(t.muted("  Gateway: ") + t.success("reachable") + ` (sessions: ${j.sessions ?? "-"}, uptime: ${j.uptime ?? "-"})`);
+							} catch {
+								console.log(t.muted("  Gateway: ") + t.error("unreachable or invalid response"));
+							}
+							resolve();
+						});
+					});
+					req.on("error", () => {
+						console.log(t.muted("  Gateway: ") + t.error("unreachable"));
+						resolve();
+					});
+					req.on("timeout", () => {
+						req.destroy();
+						console.log(t.muted("  Gateway: ") + t.error("timeout"));
+						resolve();
+					});
+					req.end();
+				});
+			} else await new Promise((resolve) => {
+				const req = http$2.request(optsReq, (res) => {
+					let d = "";
+					res.on("data", (c) => d += c);
+					res.on("end", () => {
+						try {
+							const j = JSON.parse(d);
+							console.log(t.muted("  Gateway: ") + t.success("reachable") + ` (sessions: ${j.sessions ?? "-"}, uptime: ${j.uptime ?? "-"})`);
+						} catch {
+							console.log(t.muted("  Gateway: ") + t.error("unreachable or invalid response"));
+						}
+						resolve();
+					});
+				});
+				req.on("error", () => {
+					console.log(t.muted("  Gateway: ") + t.error("unreachable"));
+					resolve();
+				});
+				req.on("timeout", () => {
+					req.destroy();
+					console.log(t.muted("  Gateway: ") + t.error("timeout"));
+					resolve();
+				});
+				req.end();
+			});
+		}
+		console.log();
+	}
 	process.exit(0);
 });
+program.command("health").description("Quick gateway health probe (Runtime, RPC probe, channel count)").option("--json", "Output raw JSON").option("-v, --verbose", "Show state dir, config path, and env overrides").action(async (opts) => {
+	const result = await require_health.runHealth({
+		json: opts.json,
+		verbose: opts.verbose
+	});
+	if (!result.allOk) process.exitCode = 1;
+	process.exit(process.exitCode ?? 0);
+});
 const themeCmd = program.command("theme").description("Switch CLI color theme");
 themeCmd.command("list").description("List available themes").action(async () => {
-	const { allThemes, getThemeName } = await Promise.resolve().then(() => require("./theme-Iefa3L63.js"));
+	const { allThemes, getThemeName } = await Promise.resolve().then(() => require("./theme-cx0fkgWC.js"));
 	const current = getThemeName();
 	console.log(chalk.default.bold.hex("#06b6d4")("\n  🎨 AVAILABLE THEMES\n"));
 	for (const { name, label } of allThemes()) {
@@ -2010,7 +3154,7 @@ themeCmd.command("list").description("List available themes").action(async () =>
 	process.exit(0);
 });
 themeCmd.command("set <theme>").description("Set theme: dark | grey | white").action(async (name) => {
-	const { setThemeName, allThemes } = await Promise.resolve().then(() => require("./theme-Iefa3L63.js"));
+	const { setThemeName, allThemes } = await Promise.resolve().then(() => require("./theme-cx0fkgWC.js"));
 	const valid = allThemes().map((t) => t.name);
 	if (!valid.includes(name)) {
 		console.log(chalk.default.red(`\n  ✖  Unknown theme: "${name}". Use: ${valid.join(" | ")}\n`));
@@ -2022,7 +3166,7 @@ themeCmd.command("set <theme>").description("Set theme: dark | grey | white").ac
 	process.exit(0);
 });
 themeCmd.command("preview").description("Preview all themes side-by-side").action(async () => {
-	const { allThemes, getTheme, setThemeName, getThemeName } = await Promise.resolve().then(() => require("./theme-Iefa3L63.js"));
+	const { allThemes, getTheme, setThemeName, getThemeName } = await Promise.resolve().then(() => require("./theme-cx0fkgWC.js"));
 	const current = getThemeName();
 	console.log(chalk.default.bold("\n  🎨 THEME PREVIEW\n"));
 	for (const { name, label } of allThemes()) {
@@ -2039,45 +3183,49 @@ themeCmd.command("preview").description("Preview all themes side-by-side").actio
 });
 const secretsCmd = program.command("secrets").description("External secrets management");
 secretsCmd.command("audit").description("Audit all required secrets").option("--required-by <ids>", "Filter by skill/provider IDs (comma-separated)").action(async (opts) => {
-	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-DgyF52mg.js"));
+	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-FCgF1plu.js"));
 	const filter = opts.requiredBy?.split(",");
 	await new SecretsManager().audit(filter);
 	process.exit(0);
 });
 secretsCmd.command("set <KEY=value>").description("Set a secret in .env file").action(async (kv) => {
-	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-DgyF52mg.js"));
+	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-FCgF1plu.js"));
 	await new SecretsManager().set(kv);
 	process.exit(0);
 });
 secretsCmd.command("apply").description("Write secrets from .env to shell config (~/.bashrc, ~/.zshrc)").action(async () => {
-	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-DgyF52mg.js"));
+	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-FCgF1plu.js"));
 	await new SecretsManager().apply();
 	process.exit(0);
 });
 secretsCmd.command("reload").description("Reload secrets into running gateway").action(async () => {
-	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-DgyF52mg.js"));
+	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-FCgF1plu.js"));
 	await new SecretsManager().reload();
 	process.exit(0);
 });
 secretsCmd.command("remove <key>").description("Remove a secret from .env").action(async (key) => {
-	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-DgyF52mg.js"));
+	const { SecretsManager } = await Promise.resolve().then(() => require("./manager-FCgF1plu.js"));
 	await new SecretsManager().remove(key);
 	process.exit(0);
 });
 secretsCmd.command("credentials").description("List provider credential files (credentials/*.json)").action(async () => {
-	const { CredentialsStore } = await Promise.resolve().then(() => require("./credentials-store-BvnMPJwi.js"));
+	const { CredentialsStore } = await Promise.resolve().then(() => require("./credentials-store-C6ir0Dae.js"));
 	await new CredentialsStore().showList();
 	process.exit(0);
 });
 const securityCmd = program.command("security").description("Security tools");
-securityCmd.command("audit").description("Security audit — file permissions, DM policies, embedded secrets").option("--deep", "Full deep scan including token entropy and installed skill risks").action(async (opts) => {
-	const { runSecurityAudit } = await Promise.resolve().then(() => require("./audit-BYxPlnTQ.js"));
-	await runSecurityAudit(opts.deep);
+securityCmd.command("audit").description("Security audit — file permissions, DM policies, embedded secrets").option("--deep", "Full deep scan including token entropy and installed skill risks").option("--fix", "Auto-fix safe findings (file permissions etc.)").option("--json", "Machine-readable JSON output").action(async (opts) => {
+	const { runSecurityAudit } = await Promise.resolve().then(() => require("./audit-BaIiyWFu.js"));
+	await runSecurityAudit({
+		deep: opts.deep,
+		fix: opts.fix,
+		json: opts.json
+	});
 	process.exit(0);
 });
 const agentRunCmd = program.command("agent").description("Run agent with thinking control");
 agentRunCmd.requiredOption("-m, --message <text>", "Message to send to the agent").option("--thinking <level>", "Thinking level: high|medium|low|none", "none").option("--model <model>", "Override model").option("--session <id>", "Session/thread ID").option("--multi-step", "Decompose into steps and run each (sequential)").option("--parallel", "Run sub-agents in parallel for independent subtasks").option("--verbose", "Show thinking blocks and request details").option("--workspace <dir>", "Override workspace directory").action(async (opts) => {
-	const { runAgent } = await Promise.resolve().then(() => require("./src-BEVLgaF1.js"));
+	const { runAgent } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await runAgent({
 		message: opts.message,
 		thinking: opts.thinking,
@@ -2093,7 +3241,7 @@ agentRunCmd.requiredOption("-m, --message <text>", "Message to send to the agent
 });
 const threadsCmd = program.command("threads").description("ACP thread-bound agent sessions");
 threadsCmd.command("list").description("List agent threads").option("--channel <id>", "Filter by channel").option("--active", "Show only active threads").action(async (opts) => {
-	const { ACPThreadManager } = await Promise.resolve().then(() => require("./src-BEVLgaF1.js"));
+	const { ACPThreadManager } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	const mgr = new ACPThreadManager();
 	const threads = await mgr.list({
 		channelId: opts.channel,
@@ -2103,33 +3251,33 @@ threadsCmd.command("list").description("List agent threads").option("--channel <
 	process.exit(0);
 });
 threadsCmd.command("terminate <id>").description("Terminate a thread").action(async (id) => {
-	const { ACPThreadManager } = await Promise.resolve().then(() => require("./src-BEVLgaF1.js"));
+	const { ACPThreadManager } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await new ACPThreadManager().terminate(id);
 	console.log(require("chalk").green(`\n  ✔  Thread terminated: ${id}\n`));
 	process.exit(0);
 });
 const canvasCmd = program.command("canvas").description("Live AI-driven UI canvas");
 canvasCmd.command("show").description("Show current canvas components").action(async () => {
-	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-pqlDRKbH.js"));
+	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-BVQrd0_g.js"));
 	await new CanvasRenderer().show();
 	process.exit(0);
 });
 canvasCmd.command("add <type> <title>").description("Add a canvas component (type: chart|table|form|markdown|image|custom)").action(async (type, title) => {
-	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-pqlDRKbH.js"));
+	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-BVQrd0_g.js"));
 	await new CanvasRenderer().addComponent(type, title);
 	process.exit(0);
 });
 canvasCmd.command("clear").description("Clear all canvas components").action(async () => {
-	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-pqlDRKbH.js"));
+	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-BVQrd0_g.js"));
 	await new CanvasRenderer().clear();
 	process.exit(0);
 });
 canvasCmd.command("export").description("Export canvas as HTML file").action(async () => {
-	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-pqlDRKbH.js"));
-	const fs$6 = require("fs-extra");
+	const { CanvasRenderer } = await Promise.resolve().then(() => require("./renderer-BVQrd0_g.js"));
+	const fs$7 = require("fs-extra");
 	const html = await new CanvasRenderer().exportHtml();
 	const outFile = require("path").join(require("os").homedir(), ".hyperclaw", "canvas", "export.html");
-	await fs$6.writeFile(outFile, html);
+	await fs$7.writeFile(outFile, html);
 	console.log(require("chalk").green(`\n  ✔  Canvas exported to ${outFile}\n`));
 	process.exit(0);
 });
@@ -2146,167 +3294,167 @@ deliveryCmd.command("retry <id>").description("Retry a dead-lettered delivery it
 });
 const mcpCmd = program.command("mcp").description("MCP (Model Context Protocol) server management");
 mcpCmd.command("list").action(async () => {
-	const { mcpList } = await Promise.resolve().then(() => require("./mcp-B_9Ber63.js"));
+	const { mcpList } = await Promise.resolve().then(() => require("./mcp-CfoSU4Uz.js"));
 	await mcpList();
 	process.exit(0);
 });
 mcpCmd.command("add").action(async () => {
-	const { mcpAdd } = await Promise.resolve().then(() => require("./mcp-B_9Ber63.js"));
+	const { mcpAdd } = await Promise.resolve().then(() => require("./mcp-CfoSU4Uz.js"));
 	await mcpAdd();
 	process.exit(0);
 });
 mcpCmd.command("remove <id>").action(async (id) => {
-	const { mcpRemove } = await Promise.resolve().then(() => require("./mcp-B_9Ber63.js"));
+	const { mcpRemove } = await Promise.resolve().then(() => require("./mcp-CfoSU4Uz.js"));
 	await mcpRemove(id);
 	process.exit(0);
 });
 mcpCmd.command("probe [id]").action(async (id) => {
-	const { mcpProbe } = await Promise.resolve().then(() => require("./mcp-B_9Ber63.js"));
+	const { mcpProbe } = await Promise.resolve().then(() => require("./mcp-CfoSU4Uz.js"));
 	await mcpProbe(id);
 	process.exit(0);
 });
 const nodeCmd = program.command("node").description("HyperClaw node management (local, remote, android)");
 nodeCmd.command("list").action(async () => {
-	const { nodeList } = await Promise.resolve().then(() => require("./node-pwL6O_KX.js"));
+	const { nodeList } = await Promise.resolve().then(() => require("./node-Dw2Gi-cP.js"));
 	await nodeList();
 	process.exit(0);
 });
 nodeCmd.command("add").action(async () => {
-	const { nodeAdd } = await Promise.resolve().then(() => require("./node-pwL6O_KX.js"));
+	const { nodeAdd } = await Promise.resolve().then(() => require("./node-Dw2Gi-cP.js"));
 	await nodeAdd();
 	process.exit(0);
 });
 nodeCmd.command("probe [id]").action(async (id) => {
-	const { nodeProbe } = await Promise.resolve().then(() => require("./node-pwL6O_KX.js"));
+	const { nodeProbe } = await Promise.resolve().then(() => require("./node-Dw2Gi-cP.js"));
 	await nodeProbe(id);
 	process.exit(0);
 });
 nodeCmd.command("remove <id>").action(async (id) => {
-	const { nodeRemove } = await Promise.resolve().then(() => require("./node-pwL6O_KX.js"));
+	const { nodeRemove } = await Promise.resolve().then(() => require("./node-Dw2Gi-cP.js"));
 	await nodeRemove(id);
 	process.exit(0);
 });
 const arCmd = program.command("auto-reply").description("Auto-reply rule engine");
 arCmd.command("list").action(async () => {
-	const { AutoReplyEngine } = await Promise.resolve().then(() => require("./rules-BooT_qFP.js"));
+	const { AutoReplyEngine } = await Promise.resolve().then(() => require("./rules-BE4GV6cV.js"));
 	const e = new AutoReplyEngine();
 	await e.load();
 	e.showList();
 	process.exit(0);
 });
 arCmd.command("toggle <id>").action(async (id) => {
-	const { AutoReplyEngine } = await Promise.resolve().then(() => require("./rules-BooT_qFP.js"));
+	const { AutoReplyEngine } = await Promise.resolve().then(() => require("./rules-BE4GV6cV.js"));
 	const e = new AutoReplyEngine();
 	await e.toggle(id);
 	process.exit(0);
 });
 arCmd.command("remove <id>").action(async (id) => {
-	const { AutoReplyEngine } = await Promise.resolve().then(() => require("./rules-BooT_qFP.js"));
+	const { AutoReplyEngine } = await Promise.resolve().then(() => require("./rules-BE4GV6cV.js"));
 	const e = new AutoReplyEngine();
 	await e.remove(id);
 	process.exit(0);
 });
 const gmailCmd = program.command("gmail").description("Gmail Pub/Sub real-time notifications");
 gmailCmd.command("watch-setup").description("Register Gmail watch for push notifications. Requires: hyperclaw auth oauth google-gmail").requiredOption("-t, --topic <name>", "Pub/Sub topic (e.g. projects/myproject/topics/gmail-push)").option("-l, --labels <ids>", "Label IDs to watch (comma-separated)", "INBOX").action(async (opts) => {
-	const chalk$10 = require("chalk");
+	const chalk$11 = require("chalk");
 	try {
-		const { setupGmailWatch } = await Promise.resolve().then(() => require("./gmail-watch-setup-Czt8rXaX.js"));
+		const { setupGmailWatch } = await Promise.resolve().then(() => require("./gmail-watch-setup-Du7DVV7S.js"));
 		const labelIds = opts.labels.split(",").map((s) => s.trim()).filter(Boolean);
 		const result = await setupGmailWatch({
 			topicName: opts.topic,
 			labelIds
 		});
-		console.log(chalk$10.hex("#06b6d4")("\n  ✔  Gmail watch registered"));
-		console.log(chalk$10.gray(`     historyId: ${result.historyId}`));
-		console.log(chalk$10.gray(`     expiration: ${new Date(parseInt(result.expiration, 10)).toISOString()}`));
-		console.log(chalk$10.gray("\n  Push endpoint: https://<your-server>/webhook/gmail-pubsub"));
-		console.log(chalk$10.gray("  Ensure email channel is enabled and gateway is publicly accessible.\n"));
+		console.log(chalk$11.hex("#06b6d4")("\n  ✔  Gmail watch registered"));
+		console.log(chalk$11.gray(`     historyId: ${result.historyId}`));
+		console.log(chalk$11.gray(`     expiration: ${new Date(parseInt(result.expiration, 10)).toISOString()}`));
+		console.log(chalk$11.gray("\n  Push endpoint: https://<your-server>/webhook/gmail-pubsub"));
+		console.log(chalk$11.gray("  Ensure email channel is enabled and gateway is publicly accessible.\n"));
 	} catch (e) {
-		console.error(chalk$10.red("\n  ✖  " + e.message + "\n"));
+		console.error(chalk$11.red("\n  ✖  " + e.message + "\n"));
 		process.exit(1);
 	}
 	process.exit(0);
 });
 const cronCmd = program.command("cron").description("Scheduled tasks (cron → agent prompt)");
 cronCmd.command("list").action(async () => {
-	const chalk$10 = require("chalk");
-	const { loadCronTasks } = await Promise.resolve().then(() => require("./cron-tasks-BvDFNyiE.js"));
+	const chalk$11 = require("chalk");
+	const { loadCronTasks } = await Promise.resolve().then(() => require("./cron-tasks-Bli7Kzd2.js"));
 	const tasks = await loadCronTasks();
-	console.log(chalk$10.bold.cyan("\n  ⏰ CRON TASKS\n"));
+	console.log(chalk$11.bold.cyan("\n  ⏰ CRON TASKS\n"));
 	if (tasks.length === 0) {
-		console.log(chalk$10.gray("  No tasks. Add: hyperclaw cron add \"0 9 * * 1-5\" \"Check calendar\"\n"));
+		console.log(chalk$11.gray("  No tasks. Add: hyperclaw cron add \"0 9 * * 1-5\" \"Check calendar\"\n"));
 		process.exit(0);
 		return;
 	}
 	for (const t of tasks) {
-		const dot = t.enabled ? chalk$10.green("●") : chalk$10.gray("○");
-		console.log(`  ${dot} ${chalk$10.white(t.name || t.id)}`);
-		console.log(`     ${chalk$10.gray("Schedule:")} ${t.schedule}`);
-		console.log(`     ${chalk$10.gray("Prompt:")} ${t.prompt.slice(0, 60)}${t.prompt.length > 60 ? "..." : ""}`);
-		if (t.lastRunAt) console.log(`     ${chalk$10.gray("Last run:")} ${t.lastRunAt}`);
+		const dot = t.enabled ? chalk$11.green("●") : chalk$11.gray("○");
+		console.log(`  ${dot} ${chalk$11.white(t.name || t.id)}`);
+		console.log(`     ${chalk$11.gray("Schedule:")} ${t.schedule}`);
+		console.log(`     ${chalk$11.gray("Prompt:")} ${t.prompt.slice(0, 60)}${t.prompt.length > 60 ? "..." : ""}`);
+		if (t.lastRunAt) console.log(`     ${chalk$11.gray("Last run:")} ${t.lastRunAt}`);
 		console.log();
 	}
 	process.exit(0);
 });
 cronCmd.command("add").arguments("<schedule> <prompt>").option("-n, --name <name>", "Task name").action(async (schedule, prompt, opts) => {
-	const chalk$10 = require("chalk");
-	const { loadCronTasks, addCronTask, saveCronTasks } = await Promise.resolve().then(() => require("./cron-tasks-BvDFNyiE.js"));
+	const chalk$11 = require("chalk");
+	const { loadCronTasks, addCronTask, saveCronTasks } = await Promise.resolve().then(() => require("./cron-tasks-Bli7Kzd2.js"));
 	await loadCronTasks();
 	addCronTask(schedule, prompt, opts.name);
 	await saveCronTasks();
-	console.log(chalk$10.green(`\n  ✔  Cron task added: ${schedule} → "${prompt.slice(0, 40)}..."\n`));
-	console.log(chalk$10.gray("  Restart gateway to apply.\n"));
+	console.log(chalk$11.green(`\n  ✔  Cron task added: ${schedule} → "${prompt.slice(0, 40)}..."\n`));
+	console.log(chalk$11.gray("  Restart gateway to apply.\n"));
 	process.exit(0);
 });
 cronCmd.command("remove <id>").action(async (id) => {
-	const chalk$10 = require("chalk");
-	const { loadCronTasks, removeCronTask, saveCronTasks } = await Promise.resolve().then(() => require("./cron-tasks-BvDFNyiE.js"));
+	const chalk$11 = require("chalk");
+	const { loadCronTasks, removeCronTask, saveCronTasks } = await Promise.resolve().then(() => require("./cron-tasks-Bli7Kzd2.js"));
 	await loadCronTasks();
 	if (removeCronTask(id)) {
 		await saveCronTasks();
-		console.log(chalk$10.green(`\n  ✔  Task removed\n`));
-	} else console.log(chalk$10.red(`\n  ✖  Task not found: ${id}\n`));
+		console.log(chalk$11.green(`\n  ✔  Task removed\n`));
+	} else console.log(chalk$11.red(`\n  ✖  Task not found: ${id}\n`));
 	process.exit(0);
 });
 program.command("nodes").description("List connected mobile nodes (iOS/Android Connect tab)").action(async () => {
-	const chalk$10 = require("chalk");
-	const http = await import("http");
-	const fs$6 = await import("fs-extra");
-	const path$6 = await import("path");
-	const os$7 = await import("os");
+	const chalk$11 = require("chalk");
+	const http$2 = await import("http");
+	const fs$7 = await import("fs-extra");
+	const path$7 = await import("path");
+	const os$8 = await import("os");
 	let port = 18789;
 	try {
-		const cfg = await fs$6.readJson(path$6.join(os$7.homedir(), ".hyperclaw", "hyperclaw.json"));
+		const cfg = await fs$7.readJson(path$7.join(os$8.homedir(), ".hyperclaw", "hyperclaw.json"));
 		port = cfg?.gateway?.port ?? 18789;
 	} catch {}
 	return new Promise((resolve, reject) => {
-		const req = http.get(`http://127.0.0.1:${port}/api/nodes`, (res) => {
+		const req = http$2.get(`http://127.0.0.1:${port}/api/nodes`, (res) => {
 			let data = "";
 			res.on("data", (c) => data += c);
 			res.on("end", () => {
 				try {
 					const j = JSON.parse(data);
 					const nodes = j.nodes || [];
-					console.log(chalk$10.bold.cyan("\n  📱 CONNECTED NODES\n"));
+					console.log(chalk$11.bold.cyan("\n  📱 CONNECTED NODES\n"));
 					if (nodes.length === 0) {
-						console.log(chalk$10.gray("  No mobile nodes. Open iOS/Android app → Connect tab → pair with gateway."));
-						console.log(chalk$10.gray(`  Gateway: ws://localhost:${port}\n`));
+						console.log(chalk$11.gray("  No mobile nodes. Open iOS/Android app → Connect tab → pair with gateway."));
+						console.log(chalk$11.gray(`  Gateway: ws://localhost:${port}\n`));
 					} else {
 						for (const n of nodes) {
-							console.log(`  ${chalk$10.green("●")} ${n.nodeId} ${chalk$10.gray(`(${n.platform || "?"})`)}`);
-							console.log(`    ${chalk$10.gray("Device:")} ${n.deviceName || "—"}`);
-							console.log(`    ${chalk$10.gray("Capabilities:")} ${Object.entries(n.capabilities || {}).filter(([, v]) => v).map(([k]) => k).join(", ") || "—"}`);
+							console.log(`  ${chalk$11.green("●")} ${n.nodeId} ${chalk$11.gray(`(${n.platform || "?"})`)}`);
+							console.log(`    ${chalk$11.gray("Device:")} ${n.deviceName || "—"}`);
+							console.log(`    ${chalk$11.gray("Capabilities:")} ${Object.entries(n.capabilities || {}).filter(([, v]) => v).map(([k]) => k).join(", ") || "—"}`);
 						}
 						console.log();
 					}
 				} catch {
-					console.log(chalk$10.red("  Could not reach gateway. Start with: hyperclaw daemon start\n"));
+					console.log(chalk$11.red("  Could not reach gateway. Start with: hyperclaw daemon start\n"));
 				}
 				resolve();
 			});
 		});
 		req.on("error", () => {
-			console.log(chalk$10.red("  Gateway offline. Start with: hyperclaw daemon start\n"));
+			console.log(chalk$11.red("  Gateway offline. Start with: hyperclaw daemon start\n"));
 			resolve();
 		});
 		req.setTimeout(3e3, () => {
@@ -2317,20 +3465,20 @@ program.command("nodes").description("List connected mobile nodes (iOS/Android C
 });
 const whCmd = program.command("webhooks").description("Webhook endpoint management");
 whCmd.command("list").action(async () => {
-	const { WebhookManager } = await Promise.resolve().then(() => require("./manager-DSGhn5i3.js"));
+	const { WebhookManager } = await Promise.resolve().then(() => require("./manager-BpDfbDjg.js"));
 	const m = new WebhookManager();
 	await m.load();
 	m.showList();
 	process.exit(0);
 });
 whCmd.command("remove <id>").action(async (id) => {
-	const { WebhookManager } = await Promise.resolve().then(() => require("./manager-DSGhn5i3.js"));
+	const { WebhookManager } = await Promise.resolve().then(() => require("./manager-BpDfbDjg.js"));
 	const m = new WebhookManager();
 	await m.remove(id);
 	process.exit(0);
 });
 whCmd.command("toggle <id>").action(async (id) => {
-	const { WebhookManager } = await Promise.resolve().then(() => require("./manager-DSGhn5i3.js"));
+	const { WebhookManager } = await Promise.resolve().then(() => require("./manager-BpDfbDjg.js"));
 	const m = new WebhookManager();
 	await m.toggle(id);
 	process.exit(0);
@@ -2339,7 +3487,7 @@ const logsCmd = program.command("logs").description("View gateway logs");
 logsCmd.option("-n, --lines <n>", "Number of lines to show", "50");
 logsCmd.option("-f, --follow", "Stream logs in real time");
 logsCmd.action(async (opts) => {
-	const { tailLog, streamLog } = await Promise.resolve().then(() => require("./logger-8tEtAd3y.js"));
+	const { tailLog, streamLog } = await Promise.resolve().then(() => require("./logger-ybOp7VOC.js"));
 	if (opts.follow) await streamLog();
 	else {
 		await tailLog(parseInt(opts.lines));
@@ -2347,7 +3495,7 @@ logsCmd.action(async (opts) => {
 	}
 });
 program.command("gateway:serve").description("Start the gateway server in the foreground (used by daemon)").action(async () => {
-	const { startGateway } = await Promise.resolve().then(() => require("./server-DU9POoWc.js"));
+	const { startGateway } = await Promise.resolve().then(() => require("./server-D4wVHiX9.js"));
 	await startGateway();
 	process.on("SIGINT", () => process.exit(0));
 	process.on("SIGTERM", () => process.exit(0));
@@ -2355,15 +3503,15 @@ program.command("gateway:serve").description("Start the gateway server in the fo
 });
 const gatewayCfgCmd = gatewayCmd.command("config").description("Configure gateway settings");
 gatewayCfgCmd.option("--set-token <token>", "Set gateway auth token").option("--regenerate-token", "Generate a new random token").option("--set-port <port>", "Set gateway port").option("--set-bind <addr>", "Set gateway bind address").action(async (opts) => {
-	const chalk$10 = require("chalk");
-	const fs$6 = require("fs-extra");
-	const path$6 = require("path");
-	const os$7 = require("os");
-	const crypto = require("crypto");
-	const cfgFile = path$6.join(os$7.homedir(), ".hyperclaw", "hyperclaw.json");
+	const chalk$11 = require("chalk");
+	const fs$7 = require("fs-extra");
+	const path$7 = require("path");
+	const os$8 = require("os");
+	const crypto$2 = require("crypto");
+	const cfgFile = path$7.join(os$8.homedir(), ".hyperclaw", "hyperclaw.json");
 	let cfg = {};
 	try {
-		cfg = await fs$6.readJson(cfgFile);
+		cfg = await fs$7.readJson(cfgFile);
 	} catch {}
 	if (!cfg.gateway) cfg.gateway = {
 		port: 18789,
@@ -2374,48 +3522,48 @@ gatewayCfgCmd.option("--set-token <token>", "Set gateway auth token").option("--
 		hooks: true
 	};
 	if (opts.regenerateToken) {
-		cfg.gateway.authToken = crypto.randomBytes(32).toString("hex");
-		console.log(chalk$10.hex("#06b6d4")("\n  ✔  New gateway token generated"));
-		console.log(chalk$10.gray(`  Token: ${cfg.gateway.authToken}`));
+		cfg.gateway.authToken = crypto$2.randomBytes(32).toString("hex");
+		console.log(chalk$11.hex("#06b6d4")("\n  ✔  New gateway token generated"));
+		console.log(chalk$11.gray(`  Token: ${cfg.gateway.authToken}`));
 	}
 	if (opts.setToken) {
 		cfg.gateway.authToken = opts.setToken;
-		console.log(chalk$10.hex("#06b6d4")(`\n  ✔  Gateway token set`));
+		console.log(chalk$11.hex("#06b6d4")(`\n  ✔  Gateway token set`));
 	}
 	if (opts.setPort) {
 		cfg.gateway.port = parseInt(opts.setPort);
-		console.log(chalk$10.hex("#06b6d4")(`\n  ✔  Port set to ${cfg.gateway.port}`));
+		console.log(chalk$11.hex("#06b6d4")(`\n  ✔  Port set to ${cfg.gateway.port}`));
 	}
 	if (opts.setBind) {
 		cfg.gateway.bind = opts.setBind;
-		console.log(chalk$10.hex("#06b6d4")(`\n  ✔  Bind set to ${cfg.gateway.bind}`));
+		console.log(chalk$11.hex("#06b6d4")(`\n  ✔  Bind set to ${cfg.gateway.bind}`));
 	}
-	await fs$6.ensureDir(path$6.dirname(cfgFile));
-	await fs$6.writeJson(cfgFile, cfg, { spaces: 2 });
-	await fs$6.chmod(cfgFile, 384);
-	console.log(chalk$10.gray(`  Saved to ${cfgFile}\n`));
+	await fs$7.ensureDir(path$7.dirname(cfgFile));
+	await fs$7.writeJson(cfgFile, cfg, { spaces: 2 });
+	await fs$7.chmod(cfgFile, 384);
+	console.log(chalk$11.gray(`  Saved to ${cfgFile}\n`));
 	process.exit(0);
 });
 const authCmd = program.command("auth").description("OAuth and provider credentials");
 authCmd.command("add <service_id>").description("Add API key for a service (any provider we do not ship). Stored in credentials/ and .env.").option("--key <api_key>", "API key (prompts if omitted)").option("--base-url <url>", "Base URL (optional, e.g. https://api.example.com)").option("--env-var <name>", "Env var name (default: <SERVICE_ID>_API_KEY)").action(async (serviceId, opts) => {
-	const chalk$10 = require("chalk");
+	const chalk$11 = require("chalk");
 	const inquirer$2 = require("inquirer");
-	const { CredentialsStore } = await Promise.resolve().then(() => require("./credentials-store-BvnMPJwi.js"));
+	const { CredentialsStore } = await Promise.resolve().then(() => require("./credentials-store-C6ir0Dae.js"));
 	const { getHyperClawDir, getEnvFilePath } = await Promise.resolve().then(() => require("./paths-D-QecARF.js"));
-	const { getApiKeyGuide, GENERIC_API_KEY_STEPS } = await Promise.resolve().then(() => require("./api-keys-guide-Dq5Obbp4.js"));
-	const fs$6 = await import("fs-extra");
-	const path$6 = await import("path");
+	const { getApiKeyGuide, GENERIC_API_KEY_STEPS } = await Promise.resolve().then(() => require("./api-keys-guide-BCcOl0Q7.js"));
+	const fs$7 = await import("fs-extra");
+	const path$7 = await import("path");
 	const guide = getApiKeyGuide(serviceId);
 	const steps = guide?.setupSteps ?? GENERIC_API_KEY_STEPS;
-	console.log(chalk$10.bold.hex("#06b6d4")(`\n  🔑 Add API key: ${guide?.name ?? serviceId}\n`));
-	console.log(chalk$10.bold("  Steps:\n"));
-	for (const step of steps) if (step.startsWith("  🔗")) console.log(chalk$10.hex("#06b6d4")(step));
-	else if (step.startsWith("  💡")) console.log(chalk$10.gray(step));
-	else console.log(chalk$10.gray(`  ${step}`));
+	console.log(chalk$11.bold.hex("#06b6d4")(`\n  🔑 Add API key: ${guide?.name ?? serviceId}\n`));
+	console.log(chalk$11.bold("  Steps:\n"));
+	for (const step of steps) if (step.startsWith("  🔗")) console.log(chalk$11.hex("#06b6d4")(step));
+	else if (step.startsWith("  💡")) console.log(chalk$11.gray(step));
+	else console.log(chalk$11.gray(`  ${step}`));
 	console.log();
 	const safeId = serviceId.replace(/[^a-zA-Z0-9_-]/g, "_").toLowerCase();
 	if (!safeId) {
-		console.log(chalk$10.red("\n  ✖  Invalid service ID\n"));
+		console.log(chalk$11.red("\n  ✖  Invalid service ID\n"));
 		process.exit(1);
 	}
 	let apiKey = opts.key || process.env[`${safeId.toUpperCase().replace(/-/g, "_")}_API_KEY`];
@@ -2437,44 +3585,44 @@ authCmd.command("add <service_id>").description("Add API key for a service (any
 	});
 	const envVar = opts.envVar || `${safeId.toUpperCase().replace(/-/g, "_")}_API_KEY`;
 	const envPath = getEnvFilePath();
-	await fs$6.ensureDir(path$6.dirname(envPath));
+	await fs$7.ensureDir(path$7.dirname(envPath));
 	let envContent = "";
-	if (await fs$6.pathExists(envPath)) envContent = await fs$6.readFile(envPath, "utf8");
+	if (await fs$7.pathExists(envPath)) envContent = await fs$7.readFile(envPath, "utf8");
 	const envLine = `${envVar}=${apiKey}`;
 	const re = new RegExp(`^${envVar}=.*$`, "m");
 	if (re.test(envContent)) envContent = envContent.replace(re, envLine);
 	else envContent = envContent.trimEnd() + (envContent ? "\n" : "") + envLine + "\n";
-	await fs$6.writeFile(envPath, envContent, { mode: 384 });
-	console.log(chalk$10.hex("#06b6d4")(`\n  ✔  Added: ${safeId}`));
-	console.log(chalk$10.gray(`     Credentials: ~/.hyperclaw/credentials/${safeId}.json`));
-	console.log(chalk$10.gray(`     Env: ${envVar} (in .env — use in skills via process.env.${envVar.replace(/-/g, "_")})`));
-	console.log(chalk$10.gray("\n  Run: hyperclaw secrets apply   to add to shell"));
-	console.log(chalk$10.gray("  Run: hyperclaw secrets reload  to inject into running gateway\n"));
+	await fs$7.writeFile(envPath, envContent, { mode: 384 });
+	console.log(chalk$11.hex("#06b6d4")(`\n  ✔  Added: ${safeId}`));
+	console.log(chalk$11.gray(`     Credentials: ~/.hyperclaw/credentials/${safeId}.json`));
+	console.log(chalk$11.gray(`     Env: ${envVar} (in .env — use in skills via process.env.${envVar.replace(/-/g, "_")})`));
+	console.log(chalk$11.gray("\n  Run: hyperclaw secrets apply   to add to shell"));
+	console.log(chalk$11.gray("  Run: hyperclaw secrets reload  to inject into running gateway\n"));
 	process.exit(0);
 });
 authCmd.command("remove <service_id>").description("Remove API key for a service from credentials and .env").action(async (serviceId) => {
-	const chalk$10 = require("chalk");
-	const { CredentialsStore } = await Promise.resolve().then(() => require("./credentials-store-BvnMPJwi.js"));
+	const chalk$11 = require("chalk");
+	const { CredentialsStore } = await Promise.resolve().then(() => require("./credentials-store-C6ir0Dae.js"));
 	const { getHyperClawDir, getEnvFilePath } = await Promise.resolve().then(() => require("./paths-D-QecARF.js"));
-	const fs$6 = await import("fs-extra");
+	const fs$7 = await import("fs-extra");
 	const safeId = serviceId.replace(/[^a-zA-Z0-9_-]/g, "_").toLowerCase();
 	const creds = new CredentialsStore(getHyperClawDir());
 	await creds.remove(safeId);
 	const envVar = `${safeId.toUpperCase().replace(/-/g, "_")}_API_KEY`;
 	const envPath = getEnvFilePath();
-	if (await fs$6.pathExists(envPath)) {
-		let c = await fs$6.readFile(envPath, "utf8");
+	if (await fs$7.pathExists(envPath)) {
+		let c = await fs$7.readFile(envPath, "utf8");
 		c = c.replace(new RegExp(`^${envVar}=.*\n?`, "gm"), "");
-		await fs$6.writeFile(envPath, c);
+		await fs$7.writeFile(envPath, c);
 	}
-	console.log(chalk$10.hex("#06b6d4")(`\n  ✔  Removed: ${safeId}\n`));
+	console.log(chalk$11.hex("#06b6d4")(`\n  ✔  Removed: ${safeId}\n`));
 	process.exit(0);
 });
 authCmd.command("oauth <provider>").description("Run full OAuth flow. Providers: google, google-gmail (Gmail Pub/Sub), microsoft").option("--client-id <id>", "OAuth client ID (or GOOGLE_OAUTH_CLIENT_ID)").option("--client-secret <secret>", "OAuth client secret (optional for PKCE)").action(async (provider, opts) => {
-	const chalk$10 = require("chalk");
+	const chalk$11 = require("chalk");
 	const ora$4 = (await import("ora")).default;
 	try {
-		const { runOAuthFlow } = await Promise.resolve().then(() => require("./oauth-flow-CpWlgvNB.js"));
+		const { runOAuthFlow } = await Promise.resolve().then(() => require("./oauth-flow-DQPvMHRH.js"));
 		const spinner = ora$4("Starting OAuth flow...").start();
 		spinner.text = "Opening browser — complete the consent and return here.";
 		const tokens = await runOAuthFlow(provider, {
@@ -2482,7 +3630,7 @@ authCmd.command("oauth <provider>").description("Run full OAuth flow. Providers:
 			clientSecret: opts.clientSecret
 		});
 		spinner.stop();
-		const { writeOAuthToken } = await Promise.resolve().then(() => require("./oauth-provider-BZb6qOw5.js"));
+		const { writeOAuthToken } = await Promise.resolve().then(() => require("./oauth-provider-Uo4Nib_c.js"));
 		const now = Math.floor(Date.now() / 1e3);
 		const expires_at = tokens.expires_in ? now + tokens.expires_in : void 0;
 		const tokenUrl = provider === "google" || provider === "google-gmail" ? "https://oauth2.googleapis.com/token" : provider === "microsoft" ? "https://login.microsoftonline.com/common/oauth2/v2.0/token" : void 0;
@@ -2492,19 +3640,19 @@ authCmd.command("oauth <provider>").description("Run full OAuth flow. Providers:
 			expires_at,
 			token_url: tokenUrl
 		});
-		console.log(chalk$10.hex("#06b6d4")(`\n  ✔  OAuth tokens saved for: ${provider}`));
-		console.log(chalk$10.gray("  Set in hyperclaw.json: \"provider\": { \"authType\": \"oauth\", \"providerId\": \"" + provider + "\" }\n"));
+		console.log(chalk$11.hex("#06b6d4")(`\n  ✔  OAuth tokens saved for: ${provider}`));
+		console.log(chalk$11.gray("  Set in hyperclaw.json: \"provider\": { \"authType\": \"oauth\", \"providerId\": \"" + provider + "\" }\n"));
 	} catch (e) {
-		console.error(chalk$10.red("\n  ✖  OAuth failed: " + e.message + "\n"));
+		console.error(chalk$11.red("\n  ✖  OAuth failed: " + e.message + "\n"));
 		process.exit(1);
 	}
 	process.exit(0);
 });
 authCmd.command("setup-token <provider>").description("Save setup token (Anthropic Claude Pro/Max). Run: claude setup-token, paste result here.").action(async (provider) => {
-	const chalk$10 = require("chalk");
+	const chalk$11 = require("chalk");
 	const inquirer$2 = await import("inquirer");
 	if (provider !== "anthropic") {
-		console.log(chalk$10.yellow(`\n  Provider "${provider}" may not support setup-token. Use "hyperclaw auth add" for API keys.\n`));
+		console.log(chalk$11.yellow(`\n  Provider "${provider}" may not support setup-token. Use "hyperclaw auth add" for API keys.\n`));
 		process.exit(1);
 	}
 	const { token } = await inquirer$2.default.prompt([{
@@ -2514,24 +3662,24 @@ authCmd.command("setup-token <provider>").description("Save setup token (Anthrop
 		mask: "●"
 	}]);
 	if (!token?.trim()) {
-		console.log(chalk$10.red("\n  ✖  No token provided.\n"));
+		console.log(chalk$11.red("\n  ✖  No token provided.\n"));
 		process.exit(1);
 	}
-	const { writeOAuthToken } = await Promise.resolve().then(() => require("./oauth-provider-BZb6qOw5.js"));
+	const { writeOAuthToken } = await Promise.resolve().then(() => require("./oauth-provider-Uo4Nib_c.js"));
 	await writeOAuthToken("anthropic-setup", {
 		access_token: token.trim(),
 		token_url: "https://api.anthropic.com"
 	});
-	console.log(chalk$10.hex("#06b6d4")("\n  ✔  Anthropic setup token saved to ~/.hyperclaw/oauth-anthropic-setup.json"));
-	console.log(chalk$10.gray("  Use providerId: anthropic with authType: oauth and oauthTokenPath for Claude Pro/Max.\n"));
+	console.log(chalk$11.hex("#06b6d4")("\n  ✔  Anthropic setup token saved to ~/.hyperclaw/oauth-anthropic-setup.json"));
+	console.log(chalk$11.gray("  Use providerId: anthropic with authType: oauth and oauthTokenPath for Claude Pro/Max.\n"));
 	process.exit(0);
 });
 authCmd.command("oauth-set <provider>").description("Save OAuth tokens manually (access_token, refresh_token, etc.) to ~/.hyperclaw/oauth-<provider>.json").option("--token <access_token>", "Access token").option("--refresh <refresh_token>", "Refresh token (optional)").option("--expires-in <seconds>", "Token lifetime in seconds (optional)").option("--token-url <url>", "Refresh endpoint URL (optional)").action(async (provider, opts) => {
-	const chalk$10 = require("chalk");
-	const { writeOAuthToken } = await Promise.resolve().then(() => require("./oauth-provider-BZb6qOw5.js"));
+	const chalk$11 = require("chalk");
+	const { writeOAuthToken } = await Promise.resolve().then(() => require("./oauth-provider-Uo4Nib_c.js"));
 	const access_token = opts.token || process.env.OAUTH_ACCESS_TOKEN;
 	if (!access_token) {
-		console.log(chalk$10.red("\n  ✖  Provide --token <access_token> or set OAUTH_ACCESS_TOKEN\n"));
+		console.log(chalk$11.red("\n  ✖  Provide --token <access_token> or set OAUTH_ACCESS_TOKEN\n"));
 		process.exit(1);
 	}
 	const expires_at = opts.expiresIn ? Math.floor(Date.now() / 1e3) + parseInt(opts.expiresIn, 10) : void 0;
@@ -2541,22 +3689,22 @@ authCmd.command("oauth-set <provider>").description("Save OAuth tokens manually
 		expires_at,
 		token_url: opts.tokenUrl || void 0
 	});
-	console.log(chalk$10.hex("#06b6d4")(`\n  ✔  OAuth tokens saved for provider: ${provider}`));
-	console.log(chalk$10.gray("  Set in hyperclaw.json: \"provider\": { \"authType\": \"oauth\", \"providerId\": \"" + provider + "\" }\n"));
+	console.log(chalk$11.hex("#06b6d4")(`\n  ✔  OAuth tokens saved for provider: ${provider}`));
+	console.log(chalk$11.gray("  Set in hyperclaw.json: \"provider\": { \"authType\": \"oauth\", \"providerId\": \"" + provider + "\" }\n"));
 	process.exit(0);
 });
 const workspaceCmd = program.command("workspace").description("Manage agent workspace files");
 workspaceCmd.command("init [dir]").description("Initialize workspace files (SOUL.md, USER.md, TOOLS.md, HEARTBEAT.md, BOOTSTRAP.md) in a directory").action(async (dir) => {
-	const chalk$10 = require("chalk");
-	const fs$6 = require("fs-extra");
-	const path$6 = require("path");
-	const os$7 = require("os");
-	const targetDir = dir || path$6.join(os$7.homedir(), ".hyperclaw");
+	const chalk$11 = require("chalk");
+	const fs$7 = require("fs-extra");
+	const path$7 = require("path");
+	const os$8 = require("os");
+	const targetDir = dir || path$7.join(os$8.homedir(), ".hyperclaw");
 	let cfg = {};
 	try {
-		cfg = await fs$6.readJson(path$6.join(os$7.homedir(), ".hyperclaw", "hyperclaw.json"));
+		cfg = await fs$7.readJson(path$7.join(os$8.homedir(), ".hyperclaw", "hyperclaw.json"));
 	} catch {}
-	const { initWorkspaceFiles } = await Promise.resolve().then(() => require("./memory-BI1kPkAN.js"));
+	const { initWorkspaceFiles } = await Promise.resolve().then(() => require("./memory-BlHL7JCO.js"));
 	await initWorkspaceFiles({
 		agentName: cfg.identity?.agentName || "Hyper",
 		personality: cfg.identity?.personality || "helpful and concise",
@@ -2564,17 +3712,17 @@ workspaceCmd.command("init [dir]").description("Initialize workspace files (SOUL
 		userName: cfg.identity?.userName || "User",
 		rules: cfg.identity?.rules ?? []
 	}, targetDir);
-	console.log(chalk$10.hex("#06b6d4")(`\n  ✔  Workspace files initialized in ${targetDir}`));
-	console.log(chalk$10.gray("  Files: SOUL.md  USER.md  TOOLS.md  HEARTBEAT.md  BOOTSTRAP.md\n"));
+	console.log(chalk$11.hex("#06b6d4")(`\n  ✔  Workspace files initialized in ${targetDir}`));
+	console.log(chalk$11.gray("  Files: SOUL.md  USER.md  TOOLS.md  HEARTBEAT.md  BOOTSTRAP.md\n"));
 	process.exit(0);
 });
 workspaceCmd.command("show [dir]").description("Show workspace files summary").action(async (dir) => {
-	const chalk$10 = require("chalk");
-	const fs$6 = require("fs-extra");
-	const path$6 = require("path");
-	const os$7 = require("os");
-	const targetDir = dir || path$6.join(os$7.homedir(), ".hyperclaw");
-	console.log(chalk$10.bold.hex("#06b6d4")("\n  📁 WORKSPACE\n"));
+	const chalk$11 = require("chalk");
+	const fs$7 = require("fs-extra");
+	const path$7 = require("path");
+	const os$8 = require("os");
+	const targetDir = dir || path$7.join(os$8.homedir(), ".hyperclaw");
+	console.log(chalk$11.bold.hex("#06b6d4")("\n  📁 WORKSPACE\n"));
 	for (const fname of [
 		"SOUL.md",
 		"USER.md",
@@ -2584,27 +3732,27 @@ workspaceCmd.command("show [dir]").description("Show workspace files summary").a
 		"AGENTS.md",
 		"MEMORY.md"
 	]) {
-		const fpath = path$6.join(targetDir, fname);
-		const exists = await fs$6.pathExists(fpath);
-		const size = exists ? (await fs$6.stat(fpath)).size : 0;
-		const dot = exists ? chalk$10.hex("#06b6d4")("✔") : chalk$10.gray("○");
-		console.log(`  ${dot} ${fname.padEnd(14)} ${exists ? chalk$10.gray(`${size} bytes`) : chalk$10.gray("(missing)")}`);
+		const fpath = path$7.join(targetDir, fname);
+		const exists = await fs$7.pathExists(fpath);
+		const size = exists ? (await fs$7.stat(fpath)).size : 0;
+		const dot = exists ? chalk$11.hex("#06b6d4")("✔") : chalk$11.gray("○");
+		console.log(`  ${dot} ${fname.padEnd(14)} ${exists ? chalk$11.gray(`${size} bytes`) : chalk$11.gray("(missing)")}`);
 	}
 	console.log();
 	process.exit(0);
 });
 const botCmd = program.command("bot").description("HyperClaw Bot — companion bot for remote gateway control");
 botCmd.command("status").action(async () => {
-	const { showBotStatus } = await Promise.resolve().then(() => require("./hyperclawbot-D9KCtc4P.js"));
+	const { showBotStatus } = await Promise.resolve().then(() => require("./hyperclawbot-zvczQgKx.js"));
 	await showBotStatus();
 	process.exit(0);
 });
 botCmd.command("setup").description("Configure HyperClaw Bot (Telegram token, allowed users)").action(async () => {
 	const inquirer$2 = require("inquirer");
-	const { saveBotConfig } = await Promise.resolve().then(() => require("./hyperclawbot-D9KCtc4P.js"));
-	const chalk$10 = require("chalk");
-	console.log(chalk$10.bold.hex("#06b6d4")("\n  🦅 HYPERCLAW BOT SETUP\n"));
-	console.log(chalk$10.gray("  Create a bot at t.me/BotFather, then paste the token below.\n"));
+	const { saveBotConfig } = await Promise.resolve().then(() => require("./hyperclawbot-zvczQgKx.js"));
+	const chalk$11 = require("chalk");
+	console.log(chalk$11.bold.hex("#06b6d4")("\n  🦅 HYPERCLAW BOT SETUP\n"));
+	console.log(chalk$11.gray("  Create a bot at t.me/BotFather, then paste the token below.\n"));
 	const { platform } = await inquirer$2.prompt([{
 		type: "list",
 		name: "platform",
@@ -2638,20 +3786,20 @@ botCmd.command("setup").description("Configure HyperClaw Bot (Telegram token, al
 		createdAt: (/* @__PURE__ */ new Date()).toISOString()
 	};
 	await saveBotConfig(cfg);
-	console.log(chalk$10.hex("#06b6d4")("\n  ✔  HyperClaw Bot configured"));
+	console.log(chalk$11.hex("#06b6d4")("\n  ✔  HyperClaw Bot configured"));
 	if (platform === "discord") try {
 		require.resolve("discord.js");
 	} catch {
-		console.log(chalk$10.yellow("  ⚠  For Discord: run: npm install discord.js"));
+		console.log(chalk$11.yellow("  ⚠  For Discord: run: npm install discord.js"));
 	}
-	console.log(chalk$10.gray("  Start with: hyperclaw bot start\n"));
+	console.log(chalk$11.gray("  Start with: hyperclaw bot start\n"));
 	process.exit(0);
 });
 botCmd.command("start").description("Start HyperClaw Bot (foreground or background)").option("--background", "Run bot in background (use hyperclaw bot stop to stop)").action(async (opts) => {
 	const { spawn } = await import("child_process");
-	const path$6 = await import("path");
+	const path$7 = await import("path");
 	if (opts?.background) {
-		const entry = process.argv[1] || path$6.join(__dirname, "run-main.js");
+		const entry = process.argv[1] || path$7.join(__dirname, "run-main.js");
 		const child = spawn(process.execPath, [
 			entry,
 			"bot",
@@ -2663,14 +3811,14 @@ botCmd.command("start").description("Start HyperClaw Bot (foreground or backgrou
 			cwd: process.cwd()
 		});
 		child.unref();
-		const { writeBotPid } = await Promise.resolve().then(() => require("./hyperclawbot-D9KCtc4P.js"));
+		const { writeBotPid } = await Promise.resolve().then(() => require("./hyperclawbot-zvczQgKx.js"));
 		await writeBotPid(child.pid);
 		console.log(require("chalk").green(`\n  ✔  HyperClaw Bot started in background (PID ${child.pid})`));
 		console.log(require("chalk").gray("  Stop with: hyperclaw bot stop\n"));
 		process.exit(0);
 		return;
 	}
-	const { loadBotConfig, TelegramHyperClawBot, DiscordHyperClawBot } = await Promise.resolve().then(() => require("./hyperclawbot-D9KCtc4P.js"));
+	const { loadBotConfig, TelegramHyperClawBot, DiscordHyperClawBot } = await Promise.resolve().then(() => require("./hyperclawbot-zvczQgKx.js"));
 	const cfg = await loadBotConfig();
 	if (!cfg) {
 		console.log(require("chalk").red("\n  ✖  HyperClaw Bot not configured. Run: hyperclaw bot setup\n"));
@@ -2696,42 +3844,42 @@ botCmd.command("start").description("Start HyperClaw Bot (foreground or backgrou
 	}
 });
 botCmd.command("stop").description("Stop HyperClaw Bot (when running in background)").action(async () => {
-	const chalk$10 = require("chalk");
-	const { stopBotProcess } = await Promise.resolve().then(() => require("./hyperclawbot-D9KCtc4P.js"));
+	const chalk$11 = require("chalk");
+	const { stopBotProcess } = await Promise.resolve().then(() => require("./hyperclawbot-zvczQgKx.js"));
 	const stopped = await stopBotProcess();
-	if (stopped) console.log(chalk$10.green("\n  ✔  HyperClaw Bot stopped\n"));
-	else console.log(chalk$10.gray("\n  Bot not running in background (no PID file). Use Ctrl+C to stop foreground bot.\n"));
+	if (stopped) console.log(chalk$11.green("\n  ✔  HyperClaw Bot stopped\n"));
+	else console.log(chalk$11.gray("\n  Bot not running in background (no PID file). Use Ctrl+C to stop foreground bot.\n"));
 	process.exit(stopped ? 0 : 0);
 });
 memCmd.command("search <query>").description("Search MEMORY.md").action(async (query) => {
-	const { searchMemory } = await Promise.resolve().then(() => require("./src-BEVLgaF1.js"));
+	const { searchMemory } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await searchMemory(query);
 	process.exit(0);
 });
 memCmd.command("auto-show").description("Show auto-extracted memories from MEMORY.md").action(async () => {
-	const { showMemory } = await Promise.resolve().then(() => require("./src-BEVLgaF1.js"));
+	const { showMemory } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await showMemory();
 	process.exit(0);
 });
 memCmd.command("clear").description("Clear all auto-extracted memories").action(async () => {
-	const { clearMemory } = await Promise.resolve().then(() => require("./src-BEVLgaF1.js"));
+	const { clearMemory } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await clearMemory();
 	process.exit(0);
 });
 memCmd.command("save <text>").description("Manually save a fact to MEMORY.md").action(async (text) => {
-	const { saveMemoryDirect } = await Promise.resolve().then(() => require("./src-BEVLgaF1.js"));
+	const { saveMemoryDirect } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await saveMemoryDirect(text);
 	console.log(chalk.default.hex("#06b6d4")(`  ✅ Saved: ${text}\n`));
 	process.exit(0);
 });
 const pcCmd = program.command("pc").description("PC access — give the AI access to your computer");
 pcCmd.command("status").description("Show PC access status and config").action(async () => {
-	const { showPCAccessStatus } = await Promise.resolve().then(() => require("./src-BEVLgaF1.js"));
+	const { showPCAccessStatus } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await showPCAccessStatus();
 	process.exit(0);
 });
 pcCmd.command("enable").description("Enable PC access for the AI").option("--level <level>", "Access level: read-only | sandboxed | full", "full").option("--paths <paths>", "Comma-separated allowed paths (sandboxed mode)").action(async (opts) => {
-	const { savePCAccessConfig } = await Promise.resolve().then(() => require("./src-BEVLgaF1.js"));
+	const { savePCAccessConfig } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	const level = opts.level;
 	const allowed = [
 		"read-only",
@@ -2758,7 +3906,7 @@ pcCmd.command("enable").description("Enable PC access for the AI").option("--lev
 	process.exit(0);
 });
 pcCmd.command("disable").description("Disable PC access").action(async () => {
-	const { savePCAccessConfig } = await Promise.resolve().then(() => require("./src-BEVLgaF1.js"));
+	const { savePCAccessConfig } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	await savePCAccessConfig({ enabled: false });
 	console.log(chalk.default.hex("#06b6d4")("\n  ✅ PC access disabled\n"));
 	process.exit(0);
@@ -2782,7 +3930,7 @@ pcCmd.command("log").description("Show PC access audit log").option("-n, --lines
 	process.exit(0);
 });
 pcCmd.command("run <command>").description("Run a shell command via PC access (must be enabled)").action(async (command) => {
-	const { loadPCAccessConfig, getPCAccessTools } = await Promise.resolve().then(() => require("./src-BEVLgaF1.js"));
+	const { loadPCAccessConfig, getPCAccessTools } = await Promise.resolve().then(() => require("./src-BxPHKO5x.js"));
 	const cfg = await loadPCAccessConfig();
 	if (!cfg.enabled) {
 		console.log(chalk.default.red("\n  ✖  PC access disabled. Run: hyperclaw pc enable\n"));
@@ -2798,9 +3946,9 @@ pcCmd.command("run <command>").description("Run a shell command via PC access (m
 function checkForUpdate() {
 	const { execFile: execFile$1 } = require("child_process");
 	const { readFileSync } = require("fs");
-	const path$6 = require("path");
+	const path$7 = require("path");
 	try {
-		const pkgPath = path$6.resolve(__dirname, "../../package.json");
+		const pkgPath = path$7.resolve(__dirname, "../../package.json");
 		const current = JSON.parse(readFileSync(pkgPath, "utf8")).version;
 		execFile$1("npm", [
 			"view",
@@ -2822,15 +3970,31 @@ function checkForUpdate() {
 		});
 	} catch {}
 }
+program.command("setup").description("Setup wizard — alias for `hyperclaw onboard`").option("--install-daemon", "Auto-install system daemon").option("--reset", "Reset config before running wizard").option("--non-interactive", "Non-interactive mode").option("--json", "Output result as JSON (use with --non-interactive)").option("--anthropic-api-key <key>", "Anthropic API key (non-interactive)").option("--openai-api-key <key>", "OpenAI API key (non-interactive)").option("--gateway-port <port>", "Gateway port (non-interactive)", "18789").option("--gateway-bind <bind>", "Gateway bind: loopback | all", "loopback").action(async (opts) => {
+	await new require_onboard.Banner().showNeonBanner(false);
+	const wizardOpts = {
+		wizard: true,
+		installDaemon: opts.installDaemon ?? false,
+		reset: opts.reset ?? false,
+		nonInteractive: opts.nonInteractive ?? false,
+		jsonOutput: opts.json ?? false,
+		gatewayPort: opts.gatewayPort ? parseInt(opts.gatewayPort) : void 0,
+		gatewayBind: opts.gatewayBind ?? "loopback",
+		anthropicApiKey: opts.anthropicApiKey,
+		openaiApiKey: opts.openaiApiKey
+	};
+	await new require_onboard.HyperClawWizard().run(wizardOpts);
+	process.exit(0);
+});
 checkForUpdate();
 if (process.argv.length === 2) (async () => {
-	const { ConfigManager: ConfigManager$1 } = await Promise.resolve().then(() => require("./manager-DLmZI-9R.js"));
+	const { ConfigManager: ConfigManager$1 } = await Promise.resolve().then(() => require("./manager-CrVDn6eN.js"));
 	const cfg = await new ConfigManager$1().load().catch(() => null);
 	if (cfg?.provider?.apiKey || cfg?.provider?.providerId) {
 		await new require_onboard.Banner().showNeonBanner(false);
-		const { getTheme } = await Promise.resolve().then(() => require("./theme-Iefa3L63.js"));
+		const { getTheme } = await Promise.resolve().then(() => require("./theme-cx0fkgWC.js"));
 		const t = getTheme(false);
-		const chalk$10 = require("chalk");
+		const chalk$11 = require("chalk");
 		console.log(t.bold("  Quick actions:\n"));
 		console.log(`  ${t.c("hyperclaw onboard")}                    — re-run setup wizard`);
 		console.log(`  ${t.c("hyperclaw onboard --install-daemon")}   — wizard + daemon (full PC access)`);
@@ -2842,7 +4006,7 @@ if (process.argv.length === 2) (async () => {
 		console.log(`  ${t.c("hyperclaw --help")}                     — all commands\n`);
 	} else {
 		await new require_onboard.Banner().showNeonBanner(false);
-		const { HyperClawWizard: HyperClawWizard$1 } = await Promise.resolve().then(() => require("./onboard-aTwlQs-4.js"));
+		const { HyperClawWizard: HyperClawWizard$1 } = await Promise.resolve().then(() => require("./onboard-0WoDxbv_.js"));
 		await new HyperClawWizard$1().run({ wizard: true });
 	}
 	process.exit(0);