idlewatch 0.1.0

package/scripts/package-macos.sh

@@ -0,0 +1,228 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+DIST_DIR="$ROOT_DIR/dist"
+APP_DIR="$DIST_DIR/IdleWatch.app"
+CONTENTS_DIR="$APP_DIR/Contents"
+RESOURCES_DIR="$CONTENTS_DIR/Resources"
+MACOS_DIR="$CONTENTS_DIR/MacOS"
+VERSION="$(node -p "require('./package.json').version" 2>/dev/null || node -e "import('./package.json',{with:{type:'json'}}).then(m=>console.log(m.default.version))")"
+SOURCE_GIT_COMMIT="$(git -C "$ROOT_DIR" rev-parse HEAD 2>/dev/null || true)"
+SOURCE_GIT_DIRTY="false"
+SOURCE_GIT_DIRTY_KNOWN="false"
+if [[ -n "$SOURCE_GIT_COMMIT" ]]; then
+  if git -C "$ROOT_DIR" diff --quiet --ignore-submodules -- . && [[ -z "$(git -C "$ROOT_DIR" status --porcelain 2>/dev/null || true)" ]]; then
+    SOURCE_GIT_DIRTY_KNOWN="true"
+    SOURCE_GIT_DIRTY="false"
+  else
+    SOURCE_GIT_DIRTY_KNOWN="true"
+    SOURCE_GIT_DIRTY="true"
+  fi
+fi
+CODESIGN_IDENTITY="${MACOS_CODESIGN_IDENTITY:-}"
+REQUIRE_TRUSTED="${IDLEWATCH_REQUIRE_TRUSTED_DISTRIBUTION:-0}"
+NODE_RUNTIME_DIR="${IDLEWATCH_NODE_RUNTIME_DIR:-}"
+OPENCLAW_BIN_HINT="${IDLEWATCH_OPENCLAW_BIN:-${IDLEWATCH_OPENCLAW_BIN_HINT:-}}"
+ALLOW_UNSIGNED_TAG_RELEASE="${IDLEWATCH_ALLOW_UNSIGNED_TAG_RELEASE:-0}"
+SKIP_SOURCEMAP_VALIDATION="${IDLEWATCH_SKIP_SOURCEMAP_VALIDATION:-0}"
+
+if [[ "$REQUIRE_TRUSTED" != "1" && "${GITHUB_ACTIONS:-}" == "true" ]]; then
+  REF_NAME="${GITHUB_REF:-}"
+  REF_TYPE="${GITHUB_REF_TYPE:-}"
+  if [[ "$REF_TYPE" == "tag" || "$REF_NAME" == refs/tags/* ]]; then
+    if [[ "$ALLOW_UNSIGNED_TAG_RELEASE" != "1" ]]; then
+      REQUIRE_TRUSTED="1"
+      echo "Detected CI tag build; enforcing trusted distribution requirements (set IDLEWATCH_ALLOW_UNSIGNED_TAG_RELEASE=1 to bypass intentionally)."
+    fi
+  fi
+fi
+
+if [[ "$REQUIRE_TRUSTED" == "1" && -z "$CODESIGN_IDENTITY" ]]; then
+  echo "IDLEWATCH_REQUIRE_TRUSTED_DISTRIBUTION=1 requires MACOS_CODESIGN_IDENTITY to be set." >&2
+  exit 1
+fi
+
+rm -rf "$APP_DIR" "$DIST_DIR/dmg-root"
+mkdir -p "$RESOURCES_DIR" "$MACOS_DIR"
+
+pushd "$ROOT_DIR" >/dev/null
+TMP_PACK_INFO="$(mktemp)"
+npm pack --silent --json >"$TMP_PACK_INFO"
+PKG_TGZ="$(node -e 'const fs = require("fs"); const txt = fs.readFileSync(0, "utf8"); let data = null; try { data = JSON.parse(txt.trim()); } catch { process.exit(1) } const entry = Array.isArray(data) ? data[0] : data; const filename = entry && (entry.filename || entry.name); if (!filename) process.exit(1); process.stdout.write(String(filename));' <"$TMP_PACK_INFO")"
+rm -f "$TMP_PACK_INFO"
+cp "$PKG_TGZ" "$RESOURCES_DIR/"
+PAYLOAD_DIR="$RESOURCES_DIR/payload"
+rm -rf "$PAYLOAD_DIR"
+mkdir -p "$PAYLOAD_DIR"
+tar -xzf "$RESOURCES_DIR/$PKG_TGZ" -C "$PAYLOAD_DIR"
+rm -f "$PKG_TGZ"
+
+PAYLOAD_PKG_DIR="$PAYLOAD_DIR/package"
+if [[ ! -f "$PAYLOAD_PKG_DIR/package.json" ]]; then
+  echo "IdleWatch package payload missing package.json ($PAYLOAD_PKG_DIR/package.json)" >&2
+  exit 1
+fi
+
+# Ensure runtime dependencies are present inside the packaged payload so DMG installs
+# run without relying on workspace-level node_modules.
+(
+  cd "$PAYLOAD_PKG_DIR"
+
+  # Prefer lockfile-based install when available for reproducible dependency snapshots.
+  if [[ -f "$ROOT_DIR/package-lock.json" ]]; then
+    cp "$ROOT_DIR/package-lock.json" package-lock.json
+  fi
+
+  if [[ -f package-lock.json ]]; then
+    npm ci --omit=dev --ignore-scripts --no-audit --no-fund --silent
+  else
+    npm install --omit=dev --ignore-scripts --no-audit --no-fund --silent
+  fi
+)
+
+if [[ "$SKIP_SOURCEMAP_VALIDATION" != "1" ]]; then
+  node "$ROOT_DIR/scripts/validate-packaged-sourcemaps.mjs" "$PAYLOAD_PKG_DIR"
+fi
+
+if [[ -n "$NODE_RUNTIME_DIR" ]]; then
+  RUNTIME_NODE_BIN="$NODE_RUNTIME_DIR/bin/node"
+  if [[ ! -x "$RUNTIME_NODE_BIN" ]]; then
+    echo "IDLEWATCH_NODE_RUNTIME_DIR must contain an executable bin/node (missing: $RUNTIME_NODE_BIN)" >&2
+    exit 1
+  fi
+
+  RUNTIME_DEST_DIR="$RESOURCES_DIR/runtime/node"
+  rm -rf "$RUNTIME_DEST_DIR"
+  mkdir -p "$(dirname "$RUNTIME_DEST_DIR")"
+  # Copy essential runtime directories with symlink dereference so packaged runtime is portable even if host runtime is a symlink.
+  # This avoids pulling in nonessential completion/doc symlink trees that can create copy noise.
+  for runtimeDir in bin lib include; do
+    if [[ -d "$NODE_RUNTIME_DIR/$runtimeDir" ]]; then
+      mkdir -p "$RUNTIME_DEST_DIR/$runtimeDir"
+      cp -R -L "$NODE_RUNTIME_DIR/$runtimeDir/" "$RUNTIME_DEST_DIR/$runtimeDir/"
+    fi
+  done
+fi
+NODE_RUNTIME_BUNDLED=false
+SIGNED_ARTIFACT=false
+if [[ -n "$NODE_RUNTIME_DIR" ]]; then
+  NODE_RUNTIME_BUNDLED=true
+fi
+if [[ -n "$CODESIGN_IDENTITY" ]]; then
+  SIGNED_ARTIFACT=true
+fi
+
+cat > "$RESOURCES_DIR/packaging-metadata.json" <<METADATA
+{
+  "name": "idlewatch-agent",
+  "version": "${VERSION}",
+  "builtAt": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+  "platform": "darwin",
+  "bundleName": "IdleWatch.app",
+  "nodeRuntimeBundled": ${NODE_RUNTIME_BUNDLED},
+  "nodeRuntimeSource": "${NODE_RUNTIME_DIR:-}",
+  "signed": ${SIGNED_ARTIFACT},
+  "codesignIdentity": "${CODESIGN_IDENTITY:-}",
+  "openclawBinHint": "${OPENCLAW_BIN_HINT:-}",
+  "launcher": "Contents/MacOS/IdleWatch",
+  "payloadTarball": "${PKG_TGZ}",
+  "payloadNode": "$(node -v 2>/dev/null || echo unknown)",
+  "sourceGitCommit": "${SOURCE_GIT_COMMIT}",
+  "sourceGitDirty": ${SOURCE_GIT_DIRTY},
+  "sourceGitDirtyKnown": ${SOURCE_GIT_DIRTY_KNOWN}
+}
+METADATA
+
+cat > "$CONTENTS_DIR/Info.plist" <<PLIST
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>CFBundleName</key><string>IdleWatch</string>
+  <key>CFBundleDisplayName</key><string>IdleWatch</string>
+  <key>CFBundleIdentifier</key><string>com.idlewatch.agent</string>
+  <key>CFBundleVersion</key><string>${VERSION}</string>
+  <key>CFBundleShortVersionString</key><string>${VERSION}</string>
+  <key>CFBundleExecutable</key><string>IdleWatch</string>
+  <key>LSMinimumSystemVersion</key><string>13.0</string>
+</dict>
+</plist>
+PLIST
+
+cat > "$MACOS_DIR/IdleWatch" <<'SH'
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+RESOURCES_DIR="$(cd "$SCRIPT_DIR/../Resources" && pwd)"
+NODE_BIN="${IDLEWATCH_NODE_BIN:-}"
+if [[ -z "$NODE_BIN" ]]; then
+  BUNDLED_NODE_BIN="$RESOURCES_DIR/runtime/node/bin/node"
+  if [[ -x "$BUNDLED_NODE_BIN" ]]; then
+    NODE_BIN="$BUNDLED_NODE_BIN"
+  else
+    NODE_BIN="$(command -v node || true)"
+  fi
+fi
+
+if [[ -z "$NODE_BIN" || ! -x "$NODE_BIN" ]]; then
+  echo "IdleWatch requires Node.js 20+ (node binary not found). Install Node.js or set IDLEWATCH_NODE_BIN and retry." >&2
+  exit 1
+fi
+
+NODE_MAJOR="$($NODE_BIN -p "process.versions.node.split('.')[0]" 2>/dev/null || echo "")"
+if [[ -z "$NODE_MAJOR" || "$NODE_MAJOR" -lt 20 ]]; then
+  NODE_VERSION="$($NODE_BIN -v 2>/dev/null || echo "unknown")"
+  echo "IdleWatch requires Node.js 20+ (found $NODE_VERSION at $NODE_BIN). Upgrade Node.js or set IDLEWATCH_NODE_BIN to a compatible runtime." >&2
+  exit 1
+fi
+
+# Backward-compatible OpenClaw launcher hint precedence:
+# 1) IDLEWATCH_OPENCLAW_BIN  (runtime override)
+# 2) IDLEWATCH_OPENCLAW_BIN_HINT (legacy launcher hint)
+# 3) packaging metadata fallback (build-time hint)
+OPENCLAW_BIN_HINT="${IDLEWATCH_OPENCLAW_BIN:-${IDLEWATCH_OPENCLAW_BIN_HINT:-}}"
+if [[ -z "$OPENCLAW_BIN_HINT" && -f "$RESOURCES_DIR/packaging-metadata.json" ]]; then
+  OPENCLAW_BIN_HINT="$($NODE_BIN -e 'const fs = require("fs"); const filePath = process.argv[1]; try { const data = JSON.parse(fs.readFileSync(filePath, "utf8")); const hint = data && data.openclawBinHint ? data.openclawBinHint : ""; if (hint) process.stdout.write(String(hint)); } catch (_) {}' "$RESOURCES_DIR/packaging-metadata.json")"
+fi
+
+if [[ -n "$OPENCLAW_BIN_HINT" && -x "$OPENCLAW_BIN_HINT" ]]; then
+  export IDLEWATCH_OPENCLAW_BIN="$OPENCLAW_BIN_HINT"
+elif [[ -n "$OPENCLAW_BIN_HINT" ]]; then
+  echo "Warning: packaged OpenClaw binary hint is not executable at: $OPENCLAW_BIN_HINT" >&2
+fi
+
+PAYLOAD_BIN="$RESOURCES_DIR/payload/package/bin/idlewatch-agent.js"
+if [[ ! -f "$PAYLOAD_BIN" ]]; then
+  echo "IdleWatch package payload missing ($PAYLOAD_BIN)" >&2
+  exit 1
+fi
+
+exec "$NODE_BIN" "$PAYLOAD_BIN" "$@"
+SH
+chmod +x "$MACOS_DIR/IdleWatch"
+
+if [[ -n "$CODESIGN_IDENTITY" ]]; then
+  echo "Codesigning IdleWatch.app with identity: $CODESIGN_IDENTITY"
+  codesign --deep --force --options runtime --sign "$CODESIGN_IDENTITY" "$APP_DIR"
+  codesign --verify --deep --strict "$APP_DIR"
+else
+  echo "MACOS_CODESIGN_IDENTITY not set; leaving app unsigned."
+fi
+
+mkdir -p "$DIST_DIR/dmg-root"
+cp -R "$APP_DIR" "$DIST_DIR/dmg-root/"
+ln -s /Applications "$DIST_DIR/dmg-root/Applications"
+
+cat <<'EOF'
+Mac app scaffold package complete.
+Next steps:
+  1) Test: ./dist/IdleWatch.app/Contents/MacOS/IdleWatch --dry-run
+  2) Build DMG: ./scripts/build-dmg.sh
+  3) Optional bundle runtime for node-less targets: export IDLEWATCH_NODE_RUNTIME_DIR="/path/to/node-runtime"
+  4) Optional signing: export MACOS_CODESIGN_IDENTITY="Developer ID Application: ..." then rerun package-macos
+  5) Optional notarize+staple DMG: set MACOS_NOTARY_PROFILE and rerun build-dmg
+  6) Enforce trusted artifacts: export IDLEWATCH_REQUIRE_TRUSTED_DISTRIBUTION=1
+EOF
+
+popd >/dev/null

package/scripts/uninstall-macos-launch-agent.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+PLIST_LABEL="${IDLEWATCH_LAUNCH_AGENT_LABEL:-com.idlewatch.agent}"
+PLIST_ROOT="${IDLEWATCH_LAUNCH_AGENT_PLIST_ROOT:-$HOME/Library/LaunchAgents}"
+PLIST_PATH="$PLIST_ROOT/$PLIST_LABEL.plist"
+
+if ! command -v launchctl >/dev/null 2>&1; then
+  echo "launchctl not available; this script must be run on macOS." >&2
+  exit 1
+fi
+
+if [[ -z "${PLIST_LABEL}" ]]; then
+  echo "IDLEWATCH_LAUNCH_AGENT_LABEL is required" >&2
+  exit 1
+fi
+
+USER_GUID="$(id -u)"
+PLIST_ID="gui/$USER_GUID/$PLIST_LABEL"
+
+if launchctl print "$PLIST_ID" >/dev/null 2>&1; then
+  launchctl bootout "$PLIST_ID" || true
+fi
+
+if [[ -f "$PLIST_PATH" ]]; then
+  rm -f "$PLIST_PATH"
+fi
+
+echo "Uninstalled LaunchAgent: $PLIST_ID"
+echo "Removed plist: $PLIST_PATH"

package/scripts/validate-all.sh

@@ -0,0 +1,142 @@
+#!/usr/bin/env bash
+# validate-all.sh — Run all IdleWatch validators in one pass.
+# Usage: ./scripts/validate-all.sh [--skip-packaging]
+#
+# Exit codes:
+#   0  All validators passed
+#   1  One or more validators failed (summary printed at end)
+set -uo pipefail
+
+SKIP_PACKAGING=0
+for arg in "$@"; do
+  case "$arg" in
+    --skip-packaging) SKIP_PACKAGING=1 ;;
+  esac
+done
+
+IS_MACOS=0
+if [[ "$(uname -s)" == "Darwin" ]]; then
+  IS_MACOS=1
+fi
+
+PASS=0
+FAIL=0
+SKIP=0
+FAILED_NAMES=()
+
+run_validator() {
+  local name="$1"
+  shift
+  printf "%55s " "$name"
+  if "$@" >/dev/null 2>&1; then
+    echo "✅ pass"
+    PASS=$((PASS + 1))
+  else
+    echo "❌ FAIL"
+    FAIL=$((FAIL + 1))
+    FAILED_NAMES+=("$name")
+  fi
+}
+
+skip_validator() {
+  local name="$1"
+  local reason=${2:--skip-packaging}
+  printf "%55s ⏭ skip (%s)\n" "$name" "$reason"
+  SKIP=$((SKIP + 1))
+}
+
+can_run_trusted_prereqs() {
+  [[ "$IS_MACOS" -eq 1 ]] || return 1
+  [[ -n "${MACOS_CODESIGN_IDENTITY:-}" ]] || return 1
+  [[ -n "${MACOS_NOTARY_PROFILE:-}" ]] || return 1
+  return 0
+}
+
+has_service_account_path() {
+  local candidate="$1"
+  [[ -n "$candidate" ]] && [[ -f "$candidate" ]]
+}
+
+can_run_firebase_write_once() {
+  [[ -n "${FIREBASE_PROJECT_ID:-}" ]] || return 1
+  if has_service_account_path "${FIREBASE_SERVICE_ACCOUNT_FILE:-}"; then
+    return 0
+  fi
+  [[ -n "${FIREBASE_SERVICE_ACCOUNT_JSON:-}" ]] || \
+    [[ -n "${FIREBASE_SERVICE_ACCOUNT_B64:-}" ]] || \
+    [[ -n "${FIRESTORE_EMULATOR_HOST:-}" ]] || \
+    return 1
+
+  return 0
+}
+
+echo "=== IdleWatch full validation sweep ==="
+echo ""
+
+# --- Core ---
+run_validator "validate:bin"                         npm run validate:bin --silent
+run_validator "test:unit"                            npm run test:unit --silent
+run_validator "smoke:help"                           npm run smoke:help --silent
+run_validator "smoke:dry-run"                        npm run smoke:dry-run --silent
+run_validator "smoke:once"                           npm run smoke:once --silent
+run_validator "validate:dry-run-schema"              npm run validate:dry-run-schema --silent
+run_validator "validate:usage-freshness-e2e"         npm run validate:usage-freshness-e2e --silent
+run_validator "validate:usage-alert-rate-e2e"        npm run validate:usage-alert-rate-e2e --silent
+run_validator "validate:openclaw-release-gates" npm run validate:openclaw-release-gates --silent
+
+if can_run_trusted_prereqs; then
+  run_validator "validate:trusted-prereqs"            npm run validate:trusted-prereqs --silent
+else
+  if [[ "$IS_MACOS" -ne 1 ]]; then
+    skip_validator "validate:trusted-prereqs" "non-macOS host"
+  elif [[ -z "${MACOS_CODESIGN_IDENTITY:-}" || -z "${MACOS_NOTARY_PROFILE:-}" ]]; then
+    skip_validator "validate:trusted-prereqs" "missing MACOS_CODESIGN_IDENTITY/MACOS_NOTARY_PROFILE"
+  else
+    skip_validator "validate:trusted-prereqs" "trusted tooling unavailable"
+  fi
+fi
+
+if can_run_firebase_write_once; then
+  run_validator "validate:firebase-write-required-once" npm run validate:firebase-write-required-once --silent
+else
+  skip_validator "validate:firebase-write-required-once" "missing FIREBASE write credentials"
+fi
+
+# --- Packaging ---
+if [[ "$SKIP_PACKAGING" -eq 1 ]]; then
+  skip_validator "package:macos"
+  skip_validator "validate:packaged-metadata"
+  skip_validator "validate:packaged-bundled-runtime"
+  skip_validator "validate:packaged-bundled-runtime:reuse-artifact"
+  skip_validator "validate:packaged-dry-run-schema:reuse-artifact"
+  skip_validator "validate:packaged-openclaw-robustness:reuse-artifact"
+  skip_validator "validate:dmg-install"
+  skip_validator "validate:dmg-checksum"
+elif [[ "$IS_MACOS" -ne 1 ]]; then
+  skip_validator "package:macos" "non-macOS host"
+  skip_validator "validate:packaged-metadata" "non-macOS host"
+  skip_validator "validate:packaged-bundled-runtime" "non-macOS host"
+  skip_validator "validate:packaged-bundled-runtime:reuse-artifact" "non-macOS host"
+  skip_validator "validate:packaged-dry-run-schema:reuse-artifact" "non-macOS host"
+  skip_validator "validate:packaged-openclaw-robustness:reuse-artifact" "non-macOS host"
+  skip_validator "validate:dmg-install" "non-macOS host"
+  skip_validator "validate:dmg-checksum" "non-macOS host"
+else
+  run_validator "validate:packaged-bundled-runtime"            npm run validate:packaged-bundled-runtime --silent
+  run_validator "validate:packaged-metadata"                   npm run validate:packaged-metadata --silent
+  run_validator "validate:packaged-dry-run-schema:reuse-artifact"  npm run validate:packaged-dry-run-schema:reuse-artifact --silent
+  run_validator "validate:packaged-openclaw-robustness:reuse-artifact" npm run validate:packaged-openclaw-robustness:reuse-artifact --silent
+  run_validator "validate:dmg-install"                         npm run validate:dmg-install --silent
+  run_validator "validate:dmg-checksum"                        npm run validate:dmg-checksum --silent
+fi
+
+echo ""
+echo "=== Summary: $PASS pass, $FAIL fail, $SKIP skip ==="
+if [[ ${#FAILED_NAMES[@]} -gt 0 ]]; then
+  echo "Failed:"
+  for n in "${FAILED_NAMES[@]}"; do
+    echo "  - $n"
+  done
+  exit 1
+fi
+exit 0

package/scripts/validate-bin.mjs

@@ -0,0 +1,25 @@
+import fs from 'fs'
+import path from 'path'
+
+const pkgPath = new URL('../package.json', import.meta.url)
+const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'))
+
+if (!pkg.bin || typeof pkg.bin !== 'object') {
+  console.error('package.json is missing a valid "bin" object')
+  process.exit(1)
+}
+
+let errors = 0
+for (const [name, rel] of Object.entries(pkg.bin)) {
+  const abs = path.resolve(path.dirname(pkgPath.pathname), rel)
+  if (!fs.existsSync(abs)) {
+    console.error(`bin entry "${name}" points to missing file: ${rel}`)
+    errors++
+  }
+}
+
+if (errors > 0) {
+  process.exit(1)
+}
+
+console.log(`Validated ${Object.keys(pkg.bin).length} bin entries.`)

package/scripts/validate-dmg-checksum.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+DIST_DIR="$ROOT_DIR/dist"
+
+DMG_PATH="${1:-}"
+if [[ -z "$DMG_PATH" ]]; then
+  DMG_PATH="$(ls -1 "$DIST_DIR"/IdleWatch-*.dmg 2>/dev/null | sort | tail -n 1 || true)"
+fi
+
+if [[ -z "$DMG_PATH" || ! -f "$DMG_PATH" ]]; then
+  echo "No DMG found to validate. Run package:dmg or pass path: ./scripts/validate-dmg-checksum.sh <path>" >&2
+  exit 1
+fi
+
+CHECKSUM_PATH="${DMG_PATH}.sha256"
+if [[ ! -f "$CHECKSUM_PATH" ]]; then
+  echo "Missing checksum file: $CHECKSUM_PATH" >&2
+  exit 1
+fi
+
+if ! command -v shasum >/dev/null 2>&1; then
+  echo "shasum command unavailable; cannot validate checksum." >&2
+  exit 1
+fi
+
+EXPECTED=$(cut -d' ' -f1 < "$CHECKSUM_PATH")
+ACTUAL=$(shasum -a 256 "$DMG_PATH" | cut -d' ' -f1)
+if [[ "$ACTUAL" != "$EXPECTED" ]]; then
+  echo "Checksum mismatch for $DMG_PATH" >&2
+  echo "Expected: $EXPECTED" >&2
+  echo "Actual:   $ACTUAL" >&2
+  exit 1
+fi
+
+echo "DMG checksum OK: $DMG_PATH"

package/scripts/validate-dmg-install.sh

@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+set -euo pipefail
+set -o pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+DIST_DIR="$ROOT_DIR/dist"
+
+INPUT_DMG="${1:-}"
+if [[ -z "$INPUT_DMG" ]]; then
+  INPUT_DMG="$(ls -t "$DIST_DIR"/IdleWatch-*.dmg 2>/dev/null | head -n1 || true)"
+fi
+
+if [[ -z "$INPUT_DMG" || ! -f "$INPUT_DMG" ]]; then
+  echo "No DMG found. Build one first (npm run package:dmg) or pass a DMG path." >&2
+  exit 1
+fi
+
+MOUNT_POINT=""
+DEV_ENTRY=""
+TMP_APPS="$(mktemp -d -t idlewatch-apps.XXXXXX)"
+IDLEWATCH_DRY_RUN_TIMEOUT_MS="${IDLEWATCH_DRY_RUN_TIMEOUT_MS:-90000}"
+IDLEWATCH_OPENCLAW_PROBE_TIMEOUT_MS="${IDLEWATCH_OPENCLAW_PROBE_TIMEOUT_MS:-4000}"
+DRY_RUN_TIMEOUT_RETRY_BONUS_MS="${DRY_RUN_TIMEOUT_RETRY_BONUS_MS:-10000}"
+DRY_RUN_TIMEOUT_MAX_ATTEMPTS="${DRY_RUN_TIMEOUT_MAX_ATTEMPTS:-3}"
+DRY_RUN_TIMEOUT_BACKOFF_MS="${DRY_RUN_TIMEOUT_BACKOFF_MS:-2000}"
+IDLEWATCH_DMG_ATTACH_TIMEOUT_MS="${IDLEWATCH_DMG_ATTACH_TIMEOUT_MS:-30000}"
+IDLEWATCH_DMG_DETACH_TIMEOUT_MS="${IDLEWATCH_DMG_DETACH_TIMEOUT_MS:-8000}"
+
+TOOL_TIMEOUT="$(command -v timeout || command -v gtimeout || true)"
+TOOL_TIMEOUT_OPTS=()
+if [[ -n "$TOOL_TIMEOUT" ]]; then
+  if "$TOOL_TIMEOUT" --help 2>&1 | grep -q -- '--signal'; then
+    TOOL_TIMEOUT_OPTS=(--foreground --signal=SIGINT)
+  fi
+fi
+
+ms_to_seconds() {
+  awk -v ms="$1" 'BEGIN { if (ms <= 0) { print 1; exit }; printf "%d", (ms + 999) / 1000 }'
+}
+
+run_with_timeout_ms() {
+  local timeout_ms="$1"
+  shift
+
+  if [[ -n "$TOOL_TIMEOUT" ]]; then
+    local timeout_s
+    timeout_s="$(ms_to_seconds "$timeout_ms")"
+    "$TOOL_TIMEOUT" "${TOOL_TIMEOUT_OPTS[@]}" "${timeout_s}s" "$@"
+    return $?
+  fi
+
+  "$@"
+}
+
+cleanup() {
+  if [[ -n "$DEV_ENTRY" ]]; then
+    if [[ -n "$TOOL_TIMEOUT" ]]; then
+      run_with_timeout_ms "$IDLEWATCH_DMG_DETACH_TIMEOUT_MS" hdiutil detach "$DEV_ENTRY" -quiet || true
+    else
+      hdiutil detach "$DEV_ENTRY" -quiet || true
+    fi
+  fi
+  rm -rf "$TMP_APPS"
+}
+trap cleanup EXIT
+
+ATTACH_OUTPUT="$(run_with_timeout_ms "$IDLEWATCH_DMG_ATTACH_TIMEOUT_MS" hdiutil attach "$INPUT_DMG" -nobrowse -readonly)"
+DEV_ENTRY="$(echo "$ATTACH_OUTPUT" | awk '/Apple_HFS|Apple_APFS/ {print $1; exit}')"
+MOUNT_POINT="$(echo "$ATTACH_OUTPUT" | awk '/\/Volumes\// {sub(/^.*\t/, ""); print; exit}')"
+
+if [[ -z "$DEV_ENTRY" || -z "$MOUNT_POINT" ]]; then
+  echo "Failed to parse mounted DMG device or mount point." >&2
+  echo "$ATTACH_OUTPUT" >&2
+  exit 1
+fi
+
+APP_PATH="$MOUNT_POINT/IdleWatch.app"
+if [[ ! -d "$APP_PATH" ]]; then
+  echo "Mounted DMG does not contain IdleWatch.app at expected path: $APP_PATH" >&2
+  exit 1
+fi
+
+if ! IDLEWATCH_ARTIFACT_DIR="$APP_PATH" node "$ROOT_DIR/scripts/validate-packaged-artifact.mjs"; then
+  echo "Mounted DMG artifact metadata/compatibility preflight failed." >&2
+  exit 1
+fi
+
+ditto "$APP_PATH" "$TMP_APPS/IdleWatch.app"
+INSTALLED_LAUNCHER="$TMP_APPS/IdleWatch.app/Contents/MacOS/IdleWatch"
+
+if [[ ! -x "$INSTALLED_LAUNCHER" ]]; then
+  echo "Installed launcher missing or not executable: $INSTALLED_LAUNCHER" >&2
+  exit 1
+fi
+
+run_dmg_dry_run() {
+  local openclaw_usage=${1:-auto}
+  local timeout_ms=${2}
+  local attempt=$3
+  local attempt_log="$TMP_APPS/dry-run-${openclaw_usage}-attempt-${attempt}.log"
+
+  if ! env \
+    IDLEWATCH_DRY_RUN_TIMEOUT_MS="$timeout_ms" \
+    IDLEWATCH_OPENCLAW_PROBE_TIMEOUT_MS="$IDLEWATCH_OPENCLAW_PROBE_TIMEOUT_MS" \
+    IDLEWATCH_OPENCLAW_USAGE="$openclaw_usage" \
+    node "$ROOT_DIR/scripts/validate-dry-run-schema.mjs" "$INSTALLED_LAUNCHER" --dry-run --once >"$attempt_log" 2>&1; then
+    echo "Attempt ${attempt} failed for IDLEWATCH_OPENCLAW_USAGE=${openclaw_usage}. Last output:" >&2
+    tail -n 60 "$attempt_log" >&2 || true
+    return 1
+  fi
+
+  cat "$attempt_log" >&2
+  return 0
+}
+
+run_dmg_dry_run_with_retries() {
+  local openclaw_usage=$1
+  local attempt=1
+  local timeout_ms="$IDLEWATCH_DRY_RUN_TIMEOUT_MS"
+
+  while (( attempt <= DRY_RUN_TIMEOUT_MAX_ATTEMPTS )); do
+    local sleep_ms=0
+    echo "Attempt ${attempt}/${DRY_RUN_TIMEOUT_MAX_ATTEMPTS}: validating DMG-installed launcher dry-run with IDLEWATCH_OPENCLAW_USAGE=${openclaw_usage} timeout=${timeout_ms}ms" >&2
+    if run_dmg_dry_run "$openclaw_usage" "$timeout_ms" "$attempt"; then
+      return 0
+    fi
+
+    if (( attempt < DRY_RUN_TIMEOUT_MAX_ATTEMPTS )); then
+      timeout_ms=$((timeout_ms + DRY_RUN_TIMEOUT_RETRY_BONUS_MS))
+      sleep_ms=$((DRY_RUN_TIMEOUT_BACKOFF_MS < 0 ? 0 : DRY_RUN_TIMEOUT_BACKOFF_MS))
+      if (( sleep_ms > 0 )); then
+        sleep $(awk -v t="$sleep_ms" 'BEGIN { printf "%0.3f", t / 1000 }')
+      fi
+    fi
+    attempt=$((attempt + 1))
+  done
+
+  return 1
+}
+
+set +e
+if run_dmg_dry_run_with_retries auto; then
+  echo "dmg install validation ok ($INPUT_DMG)"
+  exit 0
+fi
+
+if run_dmg_dry_run_with_retries off; then
+  echo "dmg install validation ok ($INPUT_DMG)" >&2
+  echo "OpenClaw-enabled dry-run did not emit telemetry within timeout/backoff window; launchability path remains healthy." >&2
+  exit 0
+fi
+
+set -e
+echo "dmg install validation failed for both Openclaw-on and OpenClaw-off modes" >&2
+exit 1