lobsterboard 0.5.0 → 0.5.2

package/dist/lobsterboard.css

@@ -1,4 +1,4 @@
-/* LobsterBoard v0.5.0 - Dashboard Styles */
+/* LobsterBoard v0.5.2 - Dashboard Styles */
 /* LobsterBoard Dashboard - Generated Styles */
 
 :root {

package/dist/lobsterboard.esm.js

@@ -1,5 +1,5 @@
 /*!
- * LobsterBoard v0.5.0
+ * LobsterBoard v0.5.2
  * Dashboard builder with customizable widgets
  * https://github.com/curbob/LobsterBoard
  * @license MIT

package/dist/lobsterboard.esm.min.js

@@ -1,5 +1,5 @@
 /*!
- * LobsterBoard v0.5.0
+ * LobsterBoard v0.5.2
  * Dashboard builder with customizable widgets
  * https://github.com/curbob/LobsterBoard
  * @license MIT

package/dist/lobsterboard.umd.js

@@ -1,5 +1,5 @@
 /*!
- * LobsterBoard v0.5.0
+ * LobsterBoard v0.5.2
  * Dashboard builder with customizable widgets
  * https://github.com/curbob/LobsterBoard
  * @license MIT

package/dist/lobsterboard.umd.min.js

@@ -1,5 +1,5 @@
 /*!
- * LobsterBoard v0.5.0
+ * LobsterBoard v0.5.2
  * Dashboard builder with customizable widgets
  * https://github.com/curbob/LobsterBoard
  * @license MIT

package/js/builder.js

@@ -652,7 +652,7 @@ async function loadServersList() {
       <div class="server-item" style="display:flex;align-items:center;justify-content:space-between;padding:8px 12px;background:var(--bg-tertiary);border-radius:6px;margin-bottom:8px;">
         <div>
           <strong style="font-size:13px;">${_escHtml(s.name)}</strong>
-          ${s.type === 'local' ? '<span style="color:#8b949e;font-size:11px;margin-left:8px;">(built-in)</span>' : `<span style="color:#8b949e;font-size:11px;margin-left:8px;">${_escHtml(s.url || '')}</span>`}
+          ${s.type === 'local' ? '<span style="color:#8b949e;font-size:11px;margin-left:8px;">(built-in)</span>' : `<span style="color:#8b949e;font-size:11px;margin-left:8px;">${_escHtml(s.url || '')} ${s.encrypted ? '🔐' : ''}</span>`}
         </div>
         <div style="display:flex;gap:6px;">
           ${s.type !== 'local' ? `
@@ -718,7 +718,8 @@ async function testServerConnection() {
     });
     if (res.ok) {
       const data = await res.json();
-      resultEl.innerHTML = `<span style="color:#3fb950;">✓ Connected to ${_escHtml(data.serverName || 'server')}</span>`;
+      const encStatus = data.encrypted ? ' 🔐' : ' ⚠️ unencrypted';
+      resultEl.innerHTML = `<span style="color:#3fb950;">✓ Connected to ${_escHtml(data.serverName || 'server')}${encStatus}</span>`;
     } else {
       resultEl.innerHTML = `<span style="color:#f85149;">HTTP ${res.status}</span>`;
     }
@@ -732,7 +733,8 @@ async function testServer(id) {
     const res = await fetch(`/api/servers/${id}/test`, { method: 'POST' });
     const data = await res.json();
     if (data.status === 'ok') {
-      alert(`✓ Connected to ${data.serverName || 'server'}`);
+      const encStatus = data.localEncryption ? '🔐 Encrypted' : '⚠️ Not encrypted';
+      alert(`✓ Connected to ${data.serverName || 'server'}\n${encStatus}`);
     } else {
       alert(`Connection failed: ${data.message || 'Unknown error'}`);
     }
@@ -1546,8 +1548,8 @@ function showProperties(widget) {
     document.getElementById('prop-endpoint').value = widget.properties.endpoint || '';
   }
 
-  // Show server dropdown for system widgets
-  const systemWidgets = ['uptime-monitor', 'docker-containers', 'disk-usage', 'network-speed', 'cpu-memory'];
+  // Show server dropdown for system/remote widgets
+  const systemWidgets = ['uptime-monitor', 'docker-containers', 'disk-usage', 'network-speed', 'cpu-memory', 'ai-usage', 'openclaw-release', 'auth-status', 'cron-jobs', 'system-log', 'session-count', 'activity-list'];
   const serverGroup = document.getElementById('prop-server-group');
   if (serverGroup && systemWidgets.includes(widget.type)) {
     serverGroup.style.display = 'block';

package/js/widgets.js

@@ -446,6 +446,7 @@ const WIDGETS = {
     apiKeyName: 'OPENCLAW_API',
     properties: {
       title: 'Auth Type',
+      server: 'local',
       endpoint: '/api/status',
       refreshInterval: 30
     },
@@ -465,15 +466,25 @@ const WIDGETS = {
         </div>
       </div>`,
     generateJs: (props) => `
-      // Auth Status Widget: ${props.id}
+      // Auth Status Widget: ${props.id} — ${props.server === 'local' ? 'local' : 'remote: ' + props.server}
       async function update_${props.id.replace(/-/g, '_')}() {
+        const serverId = '${props.server || 'local'}';
+        const dot = document.getElementById('${props.id}-dot');
+        const val = document.getElementById('${props.id}-value');
         try {
-          const res = await fetch('/api/auth');
-          const data = await res.json();
-          const dot = document.getElementById('${props.id}-dot');
-          const val = document.getElementById('${props.id}-value');
-          if (data.status === 'ok') {
-            const isMonthly = data.mode === 'Monthly';
+          let authData;
+          if (serverId === 'local') {
+            const res = await fetch('/api/auth');
+            authData = await res.json();
+          } else {
+            const res = await fetch('/api/servers/' + serverId + '/stats');
+            const data = await res.json();
+            if (data.error) throw new Error(data.error);
+            if (!data.openclaw?.auth) throw new Error('Auth data not available');
+            authData = { status: 'ok', mode: data.openclaw.auth.mode };
+          }
+          if (authData.status === 'ok' || authData.mode) {
+            const isMonthly = authData.mode === 'Monthly';
             val.textContent = isMonthly ? 'Max' : 'API';
             dot.className = 'kpi-indicator ' + (isMonthly ? 'green' : 'yellow');
           } else {
@@ -481,7 +492,7 @@ const WIDGETS = {
           }
         } catch (e) {
           console.error('Auth status widget error:', e);
-          document.getElementById('${props.id}-value').textContent = '—';
+          val.textContent = '—';
         }
       }
       update_${props.id.replace(/-/g, '_')}();
@@ -632,6 +643,7 @@ const WIDGETS = {
     hasApiKey: false,
     properties: {
       title: 'OpenClaw',
+      server: 'local',
       openclawUrl: '',
       refreshInterval: 3600
     },
@@ -658,21 +670,38 @@ const WIDGETS = {
       </div>`,
     generateJs: (props) => `
       async function update_${props.id.replace(/-/g, '_')}() {
+        const serverId = '${props.server || 'local'}';
         const currentEl = document.getElementById('${props.id}-current');
         const arrowEl = document.getElementById('${props.id}-arrow');
         const latestEl = document.getElementById('${props.id}-latest');
         const statusEl = document.getElementById('${props.id}-status');
         
         try {
-          const res = await fetch('/api/releases');
-          const data = await res.json();
-          if (data.status !== 'ok') throw new Error(data.message);
+          let cur, lat;
+          
+          if (serverId === 'local') {
+            // Local: fetch from /api/releases
+            const res = await fetch('/api/releases');
+            const data = await res.json();
+            if (data.status !== 'ok') throw new Error(data.message);
+            cur = (data.current || '').replace(/^v/, '');
+            lat = (data.latest || '').replace(/^v/, '');
+          } else {
+            // Remote: fetch from server stats and get openclaw.version
+            const res = await fetch('/api/servers/' + serverId + '/stats');
+            const data = await res.json();
+            if (data.error) throw new Error(data.error);
+            if (!data.openclaw) throw new Error('OpenClaw not installed on remote');
+            cur = (data.openclaw.version || '').replace(/^v/, '');
+            // Fetch latest from GitHub
+            const ghRes = await fetch('https://api.github.com/repos/openclaw/openclaw/releases/latest');
+            const ghData = await ghRes.json();
+            lat = (ghData.tag_name || '').replace(/^v/, '');
+          }
           
-          const cur = (data.current || '').replace(/^v/, '');
-          const lat = (data.latest || '').replace(/^v/, '');
           // Strip -N suffixes for comparison (e.g. 2026.2.22-2 matches 2026.2.22)
-          const curBase = cur.replace(/-\d+$/, '');
-          const latBase = lat.replace(/-\d+$/, '');
+          const curBase = cur.replace(/-\\d+$/, '');
+          const latBase = lat.replace(/-\\d+$/, '');
           const isUpToDate = cur === lat || curBase === latBase || cur.startsWith(latBase + '-');
           
           if (!cur || cur === 'unknown') {
@@ -695,7 +724,7 @@ const WIDGETS = {
           }
         } catch (e) {
           currentEl.textContent = '—';
-          statusEl.textContent = 'Error';
+          statusEl.textContent = e.message || 'Error';
           console.error('OpenClaw Release widget error:', e);
         }
       }
@@ -840,6 +869,7 @@ const WIDGETS = {
     apiKeyName: 'OPENCLAW_API',
     properties: {
       title: 'Today',
+      server: 'local',
       endpoint: '/api/today',
       maxItems: 10,
       refreshInterval: 60
@@ -863,13 +893,22 @@ const WIDGETS = {
         </div>
       </div>`,
     generateJs: (props) => `
-      // Activity List Widget: ${props.id} (Today style)
+      // Activity List Widget: ${props.id} — ${props.server === 'local' ? 'local' : 'remote: ' + props.server}
       async function update_${props.id.replace(/-/g, '_')}() {
+        const serverId = '${props.server || 'local'}';
+        const list = document.getElementById('${props.id}-list');
+        const badge = document.getElementById('${props.id}-badge');
         try {
-          const res = await fetch('${props.endpoint || '/api/today'}');
-          const data = await res.json();
-          const list = document.getElementById('${props.id}-list');
-          const badge = document.getElementById('${props.id}-badge');
+          let data;
+          if (serverId === 'local') {
+            const res = await fetch('${props.endpoint || '/api/today'}');
+            data = await res.json();
+          } else {
+            const res = await fetch('/api/servers/' + serverId + '/stats');
+            const stats = await res.json();
+            if (stats.error) throw new Error(stats.error);
+            data = stats.openclaw?.today || { date: new Date().toISOString().split('T')[0], activities: [] };
+          }
 
           if (data.date && badge) {
             const d = new Date(data.date + 'T12:00:00');
@@ -892,7 +931,10 @@ const WIDGETS = {
               '<div style="flex-shrink:0;font-size:0.85em;color:#8b949e;margin-left:8px;">' + _esc(icon) + ' ' + source + '</div>' +
             '</div>';
           }).join('');
-        } catch (e) { console.error('Today widget error:', e); }
+        } catch (e) { 
+          console.error('Today widget error:', e);
+          list.innerHTML = '<div style="padding:8px;color:#f85149;font-size:calc(12px * var(--font-scale,1));">Error: ' + _esc(e.message) + '</div>';
+        }
       }
       update_${props.id.replace(/-/g, '_')}();
       setInterval(update_${props.id.replace(/-/g, '_')}, ${(props.refreshInterval || 60) * 1000});
@@ -910,6 +952,7 @@ const WIDGETS = {
     hasApiKey: false,
     properties: {
       title: 'AI Usage',
+      server: 'local',
       providers: 'all',
       hideUnauthenticated: true,
       showPlan: true,
@@ -931,15 +974,34 @@ const WIDGETS = {
         </div>
       </div>`,
     generateJs: (props) => `
-      // AI Usage Widget: ${props.id}
+      // AI Usage Widget: ${props.id} — ${props.server === 'local' ? 'local' : 'remote: ' + props.server}
       async function update_${props.id.replace(/-/g, '_')}() {
         const content = document.getElementById('${props.id}-content');
         const badge = document.getElementById('${props.id}-badge');
         try {
+          const serverId = '${props.server || 'local'}';
           const providers = '${props.providers || 'all'}';
-          const url = providers === 'all' ? '/api/ai-usage' : '/api/ai-usage/' + providers;
-          const res = await fetch(url);
-          const json = await res.json();
+          let json;
+          
+          if (serverId === 'local') {
+            // Local: fetch from /api/ai-usage
+            const url = providers === 'all' ? '/api/ai-usage' : '/api/ai-usage/' + providers;
+            const res = await fetch(url);
+            json = await res.json();
+          } else {
+            // Remote: fetch from server stats endpoint
+            const res = await fetch('/api/servers/' + serverId + '/stats');
+            const data = await res.json();
+            if (data.error) {
+              json = { status: 'error', message: data.error };
+            } else if (data.aiUsage && data.aiUsage.providers) {
+              json = { status: 'ok', providers: data.aiUsage.providers };
+            } else if (data.aiUsage === undefined) {
+              json = { status: 'error', message: 'AI usage not enabled on remote agent (enableAiUsage: false)' };
+            } else {
+              json = { status: 'error', message: 'No AI providers found on remote server' };
+            }
+          }
           
           if (json.status !== 'ok') {
             content.innerHTML = '<div style="color:#f85149;font-size:12px;">' + _esc(json.message || 'Error') + '</div>';
@@ -1430,6 +1492,7 @@ const WIDGETS = {
     hasApiKey: false,
     properties: {
       title: 'Cron',
+      server: 'local',
       endpoint: '/api/cron',
       columns: 1,
       refreshInterval: 30
@@ -1451,14 +1514,24 @@ const WIDGETS = {
         </div>
       </div>`,
     generateJs: (props) => `
-      // Cron Jobs Widget: ${props.id}
+      // Cron Jobs Widget: ${props.id} — ${props.server === 'local' ? 'local' : 'remote: ' + props.server}
       async function update_${props.id.replace(/-/g, '_')}() {
+        const serverId = '${props.server || 'local'}';
+        const list = document.getElementById('${props.id}-list');
+        const badge = document.getElementById('${props.id}-badge');
         try {
-          const res = await fetch('${props.endpoint || '/api/cron'}');
-          const json = await res.json();
-          const jobs = json.jobs || [];
-          const list = document.getElementById('${props.id}-list');
-          const badge = document.getElementById('${props.id}-badge');
+          let jobs;
+          if (serverId === 'local') {
+            const res = await fetch('${props.endpoint || '/api/cron'}');
+            const json = await res.json();
+            jobs = json.jobs || [];
+          } else {
+            const res = await fetch('/api/servers/' + serverId + '/stats');
+            const data = await res.json();
+            if (data.error) throw new Error(data.error);
+            if (!data.openclaw?.cron) throw new Error('Cron data not available');
+            jobs = data.openclaw.cron.jobs || [];
+          }
           if (!jobs.length) {
             list.innerHTML = '<div class="cron-item"><span class="cron-name" style="opacity:0.5;">No cron jobs found</span></div>';
             badge.textContent = '0';
@@ -1486,7 +1559,7 @@ const WIDGETS = {
           badge.textContent = jobs.length + ' jobs';
         } catch (e) {
           console.error('Cron jobs widget error:', e);
-          document.getElementById('${props.id}-list').innerHTML = '<div class="cron-item"><span class="cron-name">Error loading</span></div>';
+          list.innerHTML = '<div class="cron-item"><span class="cron-name">Error: ' + _esc(e.message) + '</span></div>';
         }
       }
       update_${props.id.replace(/-/g, '_')}();
@@ -1505,6 +1578,7 @@ const WIDGETS = {
     hasApiKey: false,
     properties: {
       title: 'System Log',
+      server: 'local',
       endpoint: '/api/system-log',
       maxLines: 50,
       refreshInterval: 10
@@ -1537,20 +1611,29 @@ const WIDGETS = {
         if (level === 'OK') return 'ok';
         return 'info';
       }
+      // System Log Widget: ${props.id} — ${props.server === 'local' ? 'local' : 'remote: ' + props.server}
       async function update_${props.id.replace(/-/g, '_')}() {
+        const serverId = '${props.server || 'local'}';
         try {
-          const res = await fetch('${props.endpoint || '/api/system-log'}?max=${props.maxLines || 50}');
-          const json = await res.json();
-          // Handle both new format (json.entries) and old format (json.lines)
-          let entries = json.entries || [];
-          if (!entries.length && json.lines && json.lines.length) {
-            entries = json.lines.map(line => {
-              let level = 'INFO';
-              if (/\\b(error|fatal)\\b/i.test(line)) level = 'ERROR';
-              else if (/\\bwarn/i.test(line)) level = 'WARN';
-              else if (/\\b(ok|success|ready|started)\\b/i.test(line)) level = 'OK';
-              return { time: new Date().toISOString(), level, category: 'system', message: line };
-            });
+          let entries = [];
+          if (serverId === 'local') {
+            const res = await fetch('${props.endpoint || '/api/system-log'}?max=${props.maxLines || 50}');
+            const json = await res.json();
+            entries = json.entries || [];
+            if (!entries.length && json.lines && json.lines.length) {
+              entries = json.lines.map(line => {
+                let level = 'INFO';
+                if (/\\b(error|fatal)\\b/i.test(line)) level = 'ERROR';
+                else if (/\\bwarn/i.test(line)) level = 'WARN';
+                else if (/\\b(ok|success|ready|started)\\b/i.test(line)) level = 'OK';
+                return { time: new Date().toISOString(), level, category: 'system', message: line };
+              });
+            }
+          } else {
+            const res = await fetch('/api/servers/' + serverId + '/stats');
+            const data = await res.json();
+            if (data.error) throw new Error(data.error);
+            entries = data.openclaw?.systemLog?.entries || [];
           }
           const log = document.getElementById('${props.id}-log');
           const badge = document.getElementById('${props.id}-badge');
@@ -2115,6 +2198,7 @@ const WIDGETS = {
     apiKeyName: 'OPENCLAW_API',
     properties: {
       title: 'Sessions',
+      server: 'local',
       endpoint: '/api/sessions',
       refreshInterval: 30
     },
@@ -2133,13 +2217,23 @@ const WIDGETS = {
         </div>
       </div>`,
     generateJs: (props) => `
-      // Session Count Widget: ${props.id}
+      // Session Count Widget: ${props.id} — ${props.server === 'local' ? 'local' : 'remote: ' + props.server}
       async function update_${props.id.replace(/-/g, '_')}() {
+        const serverId = '${props.server || 'local'}';
         try {
-          const res = await fetch('${props.endpoint || '/api/sessions'}');
-          const json = await res.json();
-          const data = json.data || json;
-          document.getElementById('${props.id}-count').textContent = data.active || data.length || 0;
+          let count;
+          if (serverId === 'local') {
+            const res = await fetch('${props.endpoint || '/api/sessions'}');
+            const json = await res.json();
+            const data = json.data || json;
+            count = data.active || data.length || 0;
+          } else {
+            const res = await fetch('/api/servers/' + serverId + '/stats');
+            const data = await res.json();
+            if (data.error) throw new Error(data.error);
+            count = data.openclaw?.sessions?.active || data.openclaw?.sessions?.recent24h || 0;
+          }
+          document.getElementById('${props.id}-count').textContent = count;
         } catch (e) {
           document.getElementById('${props.id}-count').textContent = '—';
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lobsterboard",
-  "version": "0.5.0",
+  "version": "0.5.2",
   "description": "Self-hosted drag-and-drop dashboard builder with 50 widgets, template gallery, and custom pages. Works standalone or with OpenClaw.",
   "keywords": [
     "dashboard",

package/server.cjs

@@ -11,6 +11,47 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 const si = require('systeminformation');
+const crypto = require('crypto');
+
+// ─────────────────────────────────────────────
+// ECDH Crypto utilities for encrypted agent communication
+// ─────────────────────────────────────────────
+const ECDH_CURVE = 'prime256v1';
+const AES_ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+
+function generateEcdhKeyPair() {
+  const ecdh = crypto.createECDH(ECDH_CURVE);
+  ecdh.generateKeys();
+  return {
+    publicKey: ecdh.getPublicKey('base64'),
+    privateKey: ecdh.getPrivateKey('base64'),
+  };
+}
+
+function deriveSharedSecret(privateKeyBase64, theirPublicKeyBase64) {
+  const ecdh = crypto.createECDH(ECDH_CURVE);
+  ecdh.setPrivateKey(Buffer.from(privateKeyBase64, 'base64'));
+  const sharedPoint = ecdh.computeSecret(Buffer.from(theirPublicKeyBase64, 'base64'));
+  return crypto.createHash('sha256').update(sharedPoint).digest();
+}
+
+function decryptPayload(encryptedBase64, keyBuffer) {
+  const packed = Buffer.from(encryptedBase64, 'base64');
+  const iv = packed.subarray(0, IV_LENGTH);
+  const authTag = packed.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);
+  const ciphertext = packed.subarray(IV_LENGTH + AUTH_TAG_LENGTH);
+  
+  const decipher = crypto.createDecipheriv(AES_ALGORITHM, keyBuffer, iv, { authTagLength: AUTH_TAG_LENGTH });
+  decipher.setAuthTag(authTag);
+  
+  const decrypted = Buffer.concat([
+    decipher.update(ciphertext),
+    decipher.final(),
+  ]);
+  return JSON.parse(decrypted.toString('utf8'));
+}
 
 const PORT = process.env.PORT || 8080;
 const HOST = process.env.HOST || '127.0.0.1';
@@ -300,7 +341,6 @@ const SECRETS_FILE = path.join(__dirname, 'secrets.json');
 // ─────────────────────────────────────────────
 // Server-side Session Authentication
 // ─────────────────────────────────────────────
-const crypto = require('crypto');
 
 const DASHBOARD_PASSWORD = process.env.DASHBOARD_PASSWORD || null;
 const SESSION_TTL_MS = (parseInt(process.env.SESSION_TTL_HOURS) || 24) * 60 * 60 * 1000;
@@ -1839,10 +1879,11 @@ const server = http.createServer(async (req, res) => {
   // GET /api/servers - List all servers
   if (req.method === 'GET' && pathname === '/api/servers') {
     const servers = loadServers();
-    // Mask API keys for security
+    // Mask API keys and secrets for security
     const masked = servers.map(s => ({
       ...s,
-      apiKey: s.apiKey ? s.apiKey.slice(0, 10) + '...' : undefined
+      apiKey: s.apiKey ? s.apiKey.slice(0, 10) + '...' : undefined,
+      sharedSecret: s.sharedSecret ? '🔐' : undefined, // Just indicate presence
     }));
     sendJson(res, 200, { servers: masked });
     return;
@@ -1852,7 +1893,7 @@ const server = http.createServer(async (req, res) => {
   if (req.method === 'POST' && pathname === '/api/servers') {
     let body = '';
     req.on('data', c => body += c);
-    req.on('end', () => {
+    req.on('end', async () => {
       try {
         const { name, url, apiKey } = JSON.parse(body);
         if (!name || !url || !apiKey) {
@@ -1863,9 +1904,58 @@ const server = http.createServer(async (req, res) => {
         if (servers.find(s => s.id === id)) {
           return sendJson(res, 400, { error: 'Server with this name already exists' });
         }
-        servers.push({ id, name, url, apiKey, type: 'remote' });
+        
+        // Generate ECDH key pair for encrypted communication
+        const keyPair = generateEcdhKeyPair();
+        
+        // Perform handshake with agent
+        let sharedSecret = null;
+        let encrypted = false;
+        try {
+          const handshakeRes = await fetch(url + '/handshake', {
+            method: 'POST',
+            headers: { 
+              'X-API-Key': apiKey,
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({ 
+              clientId: id, 
+              publicKey: keyPair.publicKey,
+            }),
+            signal: AbortSignal.timeout(10000),
+          });
+          
+          if (handshakeRes.ok) {
+            const handshakeData = await handshakeRes.json();
+            if (handshakeData.publicKey) {
+              sharedSecret = deriveSharedSecret(keyPair.privateKey, handshakeData.publicKey);
+              encrypted = true;
+              console.log(`🔐 Encrypted connection established with server: ${name}`);
+            }
+          }
+        } catch (e) {
+          // Handshake failed - agent may not support encryption, continue without it
+          console.log(`⚠️ Handshake failed for ${name}, using unencrypted: ${e.message}`);
+        }
+        
+        const serverEntry = { 
+          id, 
+          name, 
+          url, 
+          apiKey, 
+          type: 'remote',
+          encrypted,
+        };
+        
+        // Store shared secret (base64 encoded) if encryption is enabled
+        if (sharedSecret) {
+          serverEntry.sharedSecret = sharedSecret.toString('base64');
+          serverEntry.clientId = id;
+        }
+        
+        servers.push(serverEntry);
         saveServers(servers);
-        sendJson(res, 200, { status: 'success', id });
+        sendJson(res, 200, { status: 'success', id, encrypted });
       } catch (e) {
         sendJson(res, 400, { error: e.message });
       }
@@ -1924,11 +2014,72 @@ const server = http.createServer(async (req, res) => {
       signal: AbortSignal.timeout(5000),
     })
       .then(r => r.json())
-      .then(data => sendJson(res, 200, { status: 'ok', serverName: data.serverName }))
+      .then(data => sendJson(res, 200, { 
+        status: 'ok', 
+        serverName: data.serverName,
+        agentEncryption: data.encrypted || false,
+        localEncryption: server.encrypted || false,
+      }))
       .catch(e => sendJson(res, 200, { status: 'error', message: e.message }));
     return;
   }
 
+  // POST /api/servers/:id/handshake - Re-establish encryption with a server
+  if (req.method === 'POST' && pathname.match(/^\/api\/servers\/[^/]+\/handshake$/)) {
+    const id = pathname.split('/')[3];
+    const servers = loadServers();
+    const serverIdx = servers.findIndex(s => s.id === id);
+    if (serverIdx === -1) return sendJson(res, 404, { error: 'Server not found' });
+    const server = servers[serverIdx];
+    if (server.type === 'local') {
+      return sendJson(res, 400, { error: 'Local server does not need handshake' });
+    }
+
+    (async () => {
+      try {
+        // Generate new key pair
+        const keyPair = generateEcdhKeyPair();
+        
+        const handshakeRes = await fetch(server.url + '/handshake', {
+          method: 'POST',
+          headers: { 
+            'X-API-Key': server.apiKey,
+            'Content-Type': 'application/json',
+          },
+          body: JSON.stringify({ 
+            clientId: id, 
+            publicKey: keyPair.publicKey,
+          }),
+          signal: AbortSignal.timeout(10000),
+        });
+        
+        if (!handshakeRes.ok) {
+          const err = await handshakeRes.json().catch(() => ({ error: 'HTTP ' + handshakeRes.status }));
+          return sendJson(res, 500, { error: err.error || 'Handshake failed' });
+        }
+        
+        const handshakeData = await handshakeRes.json();
+        if (!handshakeData.publicKey) {
+          return sendJson(res, 500, { error: 'Agent did not return public key' });
+        }
+        
+        const sharedSecret = deriveSharedSecret(keyPair.privateKey, handshakeData.publicKey);
+        
+        // Update server config
+        servers[serverIdx].encrypted = true;
+        servers[serverIdx].sharedSecret = sharedSecret.toString('base64');
+        servers[serverIdx].clientId = id;
+        saveServers(servers);
+        
+        console.log(`🔐 Re-established encrypted connection with server: ${server.name}`);
+        sendJson(res, 200, { status: 'ok', encrypted: true });
+      } catch (e) {
+        sendJson(res, 500, { error: e.message });
+      }
+    })();
+    return;
+  }
+
   // GET /api/servers/:id/stats - Fetch stats from a remote server
   if (req.method === 'GET' && pathname.match(/^\/api\/servers\/[^/]+\/stats$/)) {
     const id = pathname.split('/')[3];
@@ -1938,16 +2089,40 @@ const server = http.createServer(async (req, res) => {
     if (server.type === 'local') {
       return sendJson(res, 400, { error: 'Use /api/stats/stream for local' });
     }
+    
+    // Build headers - include client ID if we have encryption set up
+    const headers = { 'X-API-Key': server.apiKey };
+    if (server.encrypted && server.clientId) {
+      headers['X-Client-ID'] = server.clientId;
+    }
+    
     // Fetch from remote agent
     fetch(server.url + '/stats', {
-      headers: { 'X-API-Key': server.apiKey },
+      headers,
       signal: AbortSignal.timeout(10000),
     })
       .then(r => {
         if (!r.ok) throw new Error('HTTP ' + r.status);
         return r.json();
       })
-      .then(data => sendJson(res, 200, data))
+      .then(data => {
+        // Decrypt if response is encrypted
+        if (data.encrypted && server.sharedSecret) {
+          try {
+            const keyBuffer = Buffer.from(server.sharedSecret, 'base64');
+            const decrypted = decryptPayload(data.encrypted, keyBuffer);
+            decrypted._remote = true;
+            decrypted._encrypted = true;
+            return sendJson(res, 200, decrypted);
+          } catch (e) {
+            console.error('Decryption failed:', e.message);
+            return sendJson(res, 500, { error: 'Decryption failed: ' + e.message });
+          }
+        }
+        // Plain response (backward compatible)
+        data._remote = true;
+        sendJson(res, 200, data);
+      })
       .catch(e => sendJson(res, 500, { error: e.message }));
     return;
   }
@@ -2439,20 +2614,26 @@ const server = http.createServer(async (req, res) => {
       try {
         let currentVersion = 'unknown';
         try {
-          // Use process.execPath to find the node binary's lib directory
-          const nodeDir = path.dirname(path.dirname(process.execPath)); // e.g. /Users/x/.nvm/versions/node/v24.13.0
-          const candidates = [
-            path.join(nodeDir, 'lib/node_modules/openclaw/package.json'),
-            path.join(os.homedir(), '.nvm/versions/node', process.version, 'lib/node_modules/openclaw/package.json'),
-            '/usr/local/lib/node_modules/openclaw/package.json'
-          ];
-          for (const cand of candidates) {
-            try {
-              currentVersion = JSON.parse(fs.readFileSync(cand, 'utf8')).version;
-              break;
-            } catch (_) {}
-          }
-        } catch (_) {}
+          // Run openclaw --version to get the actual running version
+          const { execSync } = require('child_process');
+          currentVersion = execSync('openclaw --version 2>/dev/null', { encoding: 'utf8', timeout: 5000 }).trim();
+        } catch (_) {
+          // Fallback: try reading from package.json
+          try {
+            const nodeDir = path.dirname(path.dirname(process.execPath));
+            const candidates = [
+              path.join(nodeDir, 'lib/node_modules/openclaw/package.json'),
+              path.join(os.homedir(), '.nvm/versions/node', process.version, 'lib/node_modules/openclaw/package.json'),
+              '/usr/local/lib/node_modules/openclaw/package.json'
+            ];
+            for (const cand of candidates) {
+              try {
+                currentVersion = JSON.parse(fs.readFileSync(cand, 'utf8')).version;
+                break;
+              } catch (_) {}
+            }
+          } catch (_) {}
+        }
 
         const ghRes = await fetch('https://api.github.com/repos/openclaw/openclaw/releases/latest');
         const ghData = await ghRes.json();