nodeclaw 0.1.0-alpha.1

package/dist/cli.js

@@ -0,0 +1,1754 @@
+#!/usr/bin/env node
+import {
+  PROTOCOL_VERSION,
+  VERSION
+} from "./chunk-F5XQ5PZF.js";
+
+// src/cli.ts
+import { Command } from "commander";
+
+// src/pairing/pair.ts
+import os2 from "os";
+
+// src/crypto/identity.ts
+import crypto from "crypto";
+import fs from "fs";
+import path from "path";
+var ED25519_SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex");
+function base64UrlEncode(buf) {
+  return buf.toString("base64").replaceAll("+", "-").replaceAll("/", "_").replace(/=+$/g, "");
+}
+function derivePublicKeyRaw(publicKeyPem) {
+  const key = crypto.createPublicKey(publicKeyPem);
+  const spki = key.export({ type: "spki", format: "der" });
+  if (spki.length === ED25519_SPKI_PREFIX.length + 32 && spki.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)) {
+    return spki.subarray(ED25519_SPKI_PREFIX.length);
+  }
+  return spki;
+}
+function fingerprintPublicKey(publicKeyPem) {
+  const raw = derivePublicKeyRaw(publicKeyPem);
+  return crypto.createHash("sha256").update(raw).digest("hex");
+}
+function generateIdentity() {
+  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
+  const publicKeyPem = publicKey.export({ type: "spki", format: "pem" }).toString();
+  const privateKeyPem = privateKey.export({ type: "pkcs8", format: "pem" }).toString();
+  const deviceId = fingerprintPublicKey(publicKeyPem);
+  return { deviceId, publicKeyPem, privateKeyPem };
+}
+function loadOrCreateIdentity(filePath) {
+  try {
+    if (fs.existsSync(filePath)) {
+      const raw = fs.readFileSync(filePath, "utf8");
+      const parsed = JSON.parse(raw);
+      if (parsed?.version === 1 && typeof parsed.deviceId === "string" && typeof parsed.publicKeyPem === "string" && typeof parsed.privateKeyPem === "string") {
+        const derivedId = fingerprintPublicKey(parsed.publicKeyPem);
+        if (derivedId && derivedId !== parsed.deviceId) {
+          const updated = { ...parsed, deviceId: derivedId };
+          fs.writeFileSync(filePath, `${JSON.stringify(updated, null, 2)}
+`, { mode: 384 });
+          return { deviceId: derivedId, publicKeyPem: parsed.publicKeyPem, privateKeyPem: parsed.privateKeyPem };
+        }
+        return { deviceId: parsed.deviceId, publicKeyPem: parsed.publicKeyPem, privateKeyPem: parsed.privateKeyPem };
+      }
+    }
+  } catch {
+  }
+  const identity = generateIdentity();
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  const stored = {
+    version: 1,
+    deviceId: identity.deviceId,
+    publicKeyPem: identity.publicKeyPem,
+    privateKeyPem: identity.privateKeyPem,
+    createdAtMs: Date.now()
+  };
+  fs.writeFileSync(filePath, `${JSON.stringify(stored, null, 2)}
+`, { mode: 384 });
+  return identity;
+}
+function signDevicePayload(privateKeyPem, payload) {
+  const key = crypto.createPrivateKey(privateKeyPem);
+  const sig = crypto.sign(null, Buffer.from(payload, "utf8"), key);
+  return base64UrlEncode(sig);
+}
+function publicKeyRawBase64Url(publicKeyPem) {
+  return base64UrlEncode(derivePublicKeyRaw(publicKeyPem));
+}
+
+// src/crypto/device-auth.ts
+function normalizeMetadataForAuth(value) {
+  if (typeof value !== "string") {
+    return "";
+  }
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return "";
+  }
+  return trimmed.replace(
+    /[A-Z]/g,
+    (ch) => String.fromCharCode(ch.charCodeAt(0) + 32)
+  );
+}
+function buildDeviceAuthPayloadV3(params) {
+  const scopes = params.scopes.join(",");
+  const token = params.token ?? "";
+  const platform = normalizeMetadataForAuth(params.platform);
+  const deviceFamily = normalizeMetadataForAuth(params.deviceFamily);
+  return [
+    "v3",
+    params.deviceId,
+    params.clientId,
+    params.clientMode,
+    params.role,
+    scopes,
+    String(params.signedAtMs),
+    token,
+    params.nonce,
+    platform,
+    deviceFamily
+  ].join("|");
+}
+
+// src/crypto/token-store.ts
+import fs2 from "fs";
+import path2 from "path";
+function readStore(filePath) {
+  try {
+    if (!fs2.existsSync(filePath)) {
+      return null;
+    }
+    const raw = fs2.readFileSync(filePath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed?.version !== 1 || typeof parsed.deviceId !== "string" || !parsed.tokens || typeof parsed.tokens !== "object") {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function writeStore(filePath, store) {
+  fs2.mkdirSync(path2.dirname(filePath), { recursive: true });
+  fs2.writeFileSync(filePath, `${JSON.stringify(store, null, 2)}
+`, {
+    mode: 384
+  });
+}
+function loadDeviceAuthToken(filePath, deviceId, role) {
+  const store = readStore(filePath);
+  if (!store || store.deviceId !== deviceId) {
+    return null;
+  }
+  const entry = store.tokens[role];
+  if (!entry || typeof entry.token !== "string") {
+    return null;
+  }
+  return entry;
+}
+function storeDeviceAuthToken(filePath, deviceId, role, token, scopes = []) {
+  let store = readStore(filePath);
+  if (!store || store.deviceId !== deviceId) {
+    store = { version: 1, deviceId, tokens: {} };
+  }
+  const entry = {
+    token,
+    scopes,
+    issuedAtMs: Date.now()
+  };
+  store.tokens[role] = entry;
+  writeStore(filePath, store);
+  return entry;
+}
+function clearDeviceAuthToken(filePath, deviceId, role) {
+  const store = readStore(filePath);
+  if (!store || store.deviceId !== deviceId) {
+    return;
+  }
+  delete store.tokens[role];
+  writeStore(filePath, store);
+}
+
+// src/config/schema.ts
+import { z } from "zod";
+var GatewayConfigSchema = z.object({
+  url: z.string().url().default("ws://127.0.0.1:18789"),
+  tlsVerify: z.boolean().default(true)
+});
+var DeviceConfigSchema = z.object({
+  name: z.string().default(""),
+  workdir: z.string().default("")
+});
+var ExecConfigSchema = z.object({
+  blockedCommands: z.array(z.string()).default([]),
+  timeoutMs: z.number().int().min(0).default(6e4),
+  maxConcurrent: z.number().int().min(1).default(3)
+});
+var LogConfigSchema = z.object({
+  level: z.enum(["debug", "info", "warn", "error"]).default("info"),
+  path: z.string().optional()
+});
+var NodeClawConfigSchema = z.object({
+  gateway: GatewayConfigSchema.default({}),
+  device: DeviceConfigSchema.default({}),
+  exec: ExecConfigSchema.default({}),
+  log: LogConfigSchema.default({})
+});
+
+// src/config/paths.ts
+import path3 from "path";
+import os from "os";
+function resolveBaseDir(env = process.env) {
+  if (env.NODECLAW_HOME) {
+    return env.NODECLAW_HOME;
+  }
+  return path3.join(os.homedir(), ".nodeclaw");
+}
+function resolveConfigPath(env) {
+  return path3.join(resolveBaseDir(env), "config.json");
+}
+function resolveIdentityPath(env) {
+  return path3.join(resolveBaseDir(env), "identity", "device.json");
+}
+function resolveTokenStorePath(env) {
+  return path3.join(resolveBaseDir(env), "identity", "device-auth.json");
+}
+
+// src/config/loader.ts
+import fs3 from "fs";
+import path4 from "path";
+function loadConfig(env) {
+  const configPath = resolveConfigPath(env);
+  try {
+    if (fs3.existsSync(configPath)) {
+      const raw = fs3.readFileSync(configPath, "utf8");
+      const parsed = JSON.parse(raw);
+      return NodeClawConfigSchema.parse(parsed);
+    }
+  } catch {
+  }
+  return NodeClawConfigSchema.parse({});
+}
+
+// src/client/gateway-client.ts
+import { randomUUID } from "crypto";
+import { WebSocket } from "ws";
+
+// src/protocol/constants.ts
+var PROTOCOL_VERSION2 = 3;
+var CLIENT_NAME = "nodeclaw";
+var CLIENT_MODES = {
+  NODE: "node",
+  BACKEND: "backend",
+  PROBE: "probe"
+};
+
+// src/protocol/guards.ts
+function isEventFrame(msg) {
+  return typeof msg === "object" && msg !== null && msg.type === "event" && typeof msg.event === "string";
+}
+function isResponseFrame(msg) {
+  return typeof msg === "object" && msg !== null && msg.type === "res" && typeof msg.id === "string" && typeof msg.ok === "boolean";
+}
+function coerceNodeInvokePayload(payload) {
+  if (typeof payload !== "object" || payload === null) {
+    return null;
+  }
+  const obj = payload;
+  if (typeof obj.id !== "string" || typeof obj.command !== "string") {
+    return null;
+  }
+  return {
+    id: obj.id,
+    nodeId: typeof obj.nodeId === "string" ? obj.nodeId : "",
+    command: obj.command,
+    paramsJSON: typeof obj.paramsJSON === "string" ? obj.paramsJSON : void 0,
+    timeoutMs: typeof obj.timeoutMs === "number" ? obj.timeoutMs : void 0,
+    idempotencyKey: typeof obj.idempotencyKey === "string" ? obj.idempotencyKey : void 0
+  };
+}
+
+// src/client/gateway-client.ts
+var DEFAULT_CONNECT_TIMEOUT_MS = 2e3;
+var DEFAULT_REQUEST_TIMEOUT_MS = 3e4;
+var MAX_BACKOFF_MS = 3e4;
+var FORCE_STOP_GRACE_MS = 250;
+var GatewayClient = class {
+  ws = null;
+  opts;
+  pending = /* @__PURE__ */ new Map();
+  backoffMs = 1e3;
+  closed = false;
+  connectNonce = null;
+  connectSent = false;
+  connectTimer = null;
+  lastTick = null;
+  tickIntervalMs = 3e4;
+  tickTimer = null;
+  reconnectTimer = null;
+  requestTimeoutMs;
+  connectedAtMs = null;
+  reconnectCount = 0;
+  constructor(opts) {
+    this.opts = opts;
+    this.requestTimeoutMs = typeof opts.requestTimeoutMs === "number" ? Math.max(1, opts.requestTimeoutMs) : DEFAULT_REQUEST_TIMEOUT_MS;
+  }
+  start() {
+    if (this.closed) {
+      return;
+    }
+    const url = this.opts.url;
+    const ws = new WebSocket(url, {
+      maxPayload: 25 * 1024 * 1024,
+      rejectUnauthorized: this.opts.tlsVerify !== false
+    });
+    this.ws = ws;
+    ws.on("open", () => {
+      this.queueConnect();
+    });
+    ws.on("message", (data) => {
+      const raw = typeof data === "string" ? data : Buffer.isBuffer(data) ? data.toString("utf8") : Buffer.from(data).toString("utf8");
+      this.handleMessage(raw);
+    });
+    ws.on("close", (code, reason) => {
+      const reasonText = typeof reason === "string" ? reason : Buffer.isBuffer(reason) ? reason.toString("utf8") : "";
+      if (this.ws === ws) {
+        this.ws = null;
+      }
+      this.flushPendingErrors(
+        new Error(`gateway closed (${code}): ${reasonText}`)
+      );
+      this.scheduleReconnect();
+      this.opts.onClose?.(code, reasonText);
+    });
+    ws.on("error", (err) => {
+      if (!this.connectSent) {
+        this.opts.onConnectError?.(
+          err instanceof Error ? err : new Error(String(err))
+        );
+      }
+    });
+  }
+  stop() {
+    this.closed = true;
+    if (this.tickTimer) {
+      clearInterval(this.tickTimer);
+      this.tickTimer = null;
+    }
+    if (this.connectTimer) {
+      clearTimeout(this.connectTimer);
+      this.connectTimer = null;
+    }
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+    const ws = this.ws;
+    this.ws = null;
+    if (ws) {
+      ws.close();
+      setTimeout(() => {
+        try {
+          ws.terminate();
+        } catch {
+        }
+      }, FORCE_STOP_GRACE_MS).unref();
+    }
+    this.flushPendingErrors(new Error("gateway client stopped"));
+  }
+  async stopAndWait(timeoutMs = 1e3) {
+    this.stop();
+    await new Promise((resolve) => {
+      const timer = setTimeout(resolve, Math.min(timeoutMs, FORCE_STOP_GRACE_MS + 100));
+      timer.unref();
+    });
+  }
+  async request(method, params, opts) {
+    if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
+      throw new Error("gateway not connected");
+    }
+    const id = randomUUID();
+    const frame = { type: "req", id, method, params };
+    this.ws.send(JSON.stringify(frame));
+    const timeoutMs = opts?.timeoutMs ?? this.requestTimeoutMs;
+    return new Promise((resolve, reject) => {
+      const timeout = setTimeout(() => {
+        this.pending.delete(id);
+        reject(new Error(`request ${method} timed out after ${timeoutMs}ms`));
+      }, timeoutMs);
+      this.pending.set(id, {
+        resolve,
+        reject,
+        timeout
+      });
+    });
+  }
+  isConnected() {
+    return this.ws !== null && this.ws.readyState === WebSocket.OPEN && this.connectSent;
+  }
+  getHealth() {
+    return {
+      connected: this.isConnected(),
+      connectedAtMs: this.connectedAtMs,
+      lastTickMs: this.lastTick,
+      reconnectCount: this.reconnectCount,
+      tickIntervalMs: this.tickIntervalMs
+    };
+  }
+  queueConnect() {
+    this.connectNonce = null;
+    this.connectSent = false;
+    const connectTimeoutMs = this.opts.connectTimeoutMs ?? DEFAULT_CONNECT_TIMEOUT_MS;
+    if (this.connectTimer) {
+      clearTimeout(this.connectTimer);
+    }
+    this.connectTimer = setTimeout(() => {
+      if (this.connectSent || this.ws?.readyState !== WebSocket.OPEN) {
+        return;
+      }
+      this.opts.onConnectError?.(new Error("gateway connect challenge timeout"));
+      this.ws?.close(1008, "connect challenge timeout");
+    }, connectTimeoutMs);
+  }
+  sendConnect() {
+    if (this.connectSent) {
+      return;
+    }
+    const nonce = this.connectNonce?.trim() ?? "";
+    if (!nonce) {
+      this.opts.onConnectError?.(new Error("gateway connect challenge missing nonce"));
+      this.ws?.close(1008, "connect challenge missing nonce");
+      return;
+    }
+    this.connectSent = true;
+    if (this.connectTimer) {
+      clearTimeout(this.connectTimer);
+      this.connectTimer = null;
+    }
+    const role = this.opts.role ?? "node";
+    const scopes = this.opts.scopes ?? ["node.invoke"];
+    const platform = this.opts.platform ?? process.platform;
+    const signedAtMs = Date.now();
+    const device = (() => {
+      if (!this.opts.deviceIdentity) {
+        return void 0;
+      }
+      const payload = buildDeviceAuthPayloadV3({
+        deviceId: this.opts.deviceIdentity.deviceId,
+        clientId: this.opts.clientName ?? CLIENT_NAME,
+        clientMode: this.opts.mode ?? CLIENT_MODES.NODE,
+        role,
+        scopes,
+        signedAtMs,
+        token: this.opts.token ?? this.opts.deviceToken ?? null,
+        nonce,
+        platform,
+        deviceFamily: this.opts.deviceFamily
+      });
+      const signature = signDevicePayload(
+        this.opts.deviceIdentity.privateKeyPem,
+        payload
+      );
+      return {
+        id: this.opts.deviceIdentity.deviceId,
+        publicKey: publicKeyRawBase64Url(this.opts.deviceIdentity.publicKeyPem),
+        signature,
+        signedAt: signedAtMs,
+        nonce
+      };
+    })();
+    const auth = this.opts.token || this.opts.deviceToken ? {
+      token: this.opts.token,
+      deviceToken: this.opts.deviceToken
+    } : void 0;
+    const params = {
+      minProtocol: PROTOCOL_VERSION2,
+      maxProtocol: PROTOCOL_VERSION2,
+      client: {
+        id: this.opts.clientName ?? CLIENT_NAME,
+        displayName: this.opts.clientDisplayName,
+        version: this.opts.clientVersion ?? VERSION,
+        platform,
+        deviceFamily: this.opts.deviceFamily,
+        mode: this.opts.mode ?? CLIENT_MODES.NODE,
+        instanceId: this.opts.instanceId
+      },
+      caps: this.opts.caps ?? [],
+      commands: this.opts.commands,
+      permissions: this.opts.permissions,
+      pathEnv: this.opts.pathEnv,
+      auth,
+      role,
+      scopes,
+      device
+    };
+    void this.request("connect", params).then((helloOk) => {
+      this.backoffMs = 1e3;
+      this.connectedAtMs = Date.now();
+      this.tickIntervalMs = typeof helloOk.policy?.tickIntervalMs === "number" ? helloOk.policy.tickIntervalMs : 3e4;
+      this.lastTick = Date.now();
+      this.startTickWatch();
+      this.opts.onHelloOk?.(helloOk);
+    }).catch((err) => {
+      this.opts.onConnectError?.(
+        err instanceof Error ? err : new Error(String(err))
+      );
+      this.ws?.close(1008, "connect failed");
+    });
+  }
+  handleMessage(raw) {
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      return;
+    }
+    if (isEventFrame(parsed)) {
+      this.lastTick = Date.now();
+      if (parsed.event === "connect.challenge") {
+        const payload = parsed.payload;
+        const nonce = payload && typeof payload.nonce === "string" ? payload.nonce : null;
+        if (!nonce || nonce.trim().length === 0) {
+          this.opts.onConnectError?.(
+            new Error("gateway connect challenge missing nonce")
+          );
+          this.ws?.close(1008, "connect challenge missing nonce");
+          return;
+        }
+        this.connectNonce = nonce.trim();
+        this.sendConnect();
+        return;
+      }
+      if (parsed.event === "tick") {
+        this.lastTick = Date.now();
+      }
+      this.opts.onEvent?.(parsed);
+      return;
+    }
+    if (isResponseFrame(parsed)) {
+      this.lastTick = Date.now();
+      const pending = this.pending.get(parsed.id);
+      if (!pending) {
+        return;
+      }
+      this.pending.delete(parsed.id);
+      if (pending.timeout) {
+        clearTimeout(pending.timeout);
+      }
+      if (parsed.ok) {
+        pending.resolve(parsed.payload);
+      } else {
+        pending.reject(
+          new Error(
+            parsed.error?.message ?? `request failed: ${parsed.error?.code ?? "unknown"}`
+          )
+        );
+      }
+    }
+  }
+  scheduleReconnect() {
+    if (this.closed) {
+      return;
+    }
+    this.connectedAtMs = null;
+    this.reconnectCount++;
+    if (this.tickTimer) {
+      clearInterval(this.tickTimer);
+      this.tickTimer = null;
+    }
+    const delay = this.backoffMs;
+    this.backoffMs = Math.min(this.backoffMs * 2, MAX_BACKOFF_MS);
+    this.reconnectTimer = setTimeout(() => this.start(), delay);
+    this.reconnectTimer.unref();
+  }
+  flushPendingErrors(err) {
+    for (const [, p] of this.pending) {
+      if (p.timeout) {
+        clearTimeout(p.timeout);
+      }
+      p.reject(err);
+    }
+    this.pending.clear();
+  }
+  startTickWatch() {
+    if (this.tickTimer) {
+      clearInterval(this.tickTimer);
+    }
+    const interval = Math.max(this.tickIntervalMs, 1e3);
+    this.tickTimer = setInterval(() => {
+      if (this.closed || !this.lastTick) {
+        return;
+      }
+      const gap = Date.now() - this.lastTick;
+      if (gap > this.tickIntervalMs * 2) {
+        this.ws?.close(4e3, "tick timeout");
+      }
+    }, interval);
+    this.tickTimer.unref();
+  }
+};
+
+// src/pairing/pair.ts
+async function pairWithGateway(opts) {
+  const identityPath = resolveIdentityPath(opts.env);
+  const tokenStorePath = resolveTokenStorePath(opts.env);
+  const identity = loadOrCreateIdentity(identityPath);
+  const role = "node";
+  const existingToken = loadDeviceAuthToken(tokenStorePath, identity.deviceId, role);
+  if (existingToken) {
+    return {
+      deviceId: identity.deviceId,
+      paired: true,
+      message: "Already paired with gateway."
+    };
+  }
+  return new Promise((resolve, reject) => {
+    let pairRequestSent = false;
+    let timeoutTimer = null;
+    const client = new GatewayClient({
+      url: opts.gatewayUrl,
+      deviceIdentity: identity,
+      role,
+      scopes: ["node.invoke"],
+      caps: ["system"],
+      commands: ["system.run", "system.run.prepare", "system.which"],
+      clientDisplayName: opts.deviceName || os2.hostname(),
+      platform: process.platform,
+      mode: "node",
+      onHelloOk: (hello) => {
+        if (hello.auth?.deviceToken) {
+          storeDeviceAuthToken(
+            tokenStorePath,
+            identity.deviceId,
+            role,
+            hello.auth.deviceToken,
+            hello.auth.scopes
+          );
+          cleanup();
+          resolve({
+            deviceId: identity.deviceId,
+            paired: true,
+            message: "Paired successfully!"
+          });
+          return;
+        }
+        if (!pairRequestSent) {
+          pairRequestSent = true;
+          const params = {
+            nodeId: identity.deviceId,
+            displayName: opts.deviceName || os2.hostname(),
+            platform: process.platform,
+            version: VERSION,
+            caps: ["system"],
+            commands: ["system.run", "system.run.prepare", "system.which"]
+          };
+          void client.request("node.pair.request", params).then(() => {
+            console.log(
+              `Pairing request sent. Waiting for approval on the gateway...
+Run "openclaw nodes approve" on your gateway to approve this device.`
+            );
+          }).catch((err) => {
+            cleanup();
+            reject(new Error(`Pair request failed: ${String(err)}`));
+          });
+        }
+      },
+      onConnectError: (err) => {
+        if (!pairRequestSent) {
+        }
+      },
+      onClose: () => {
+      }
+    });
+    const cleanup = () => {
+      if (timeoutTimer) {
+        clearTimeout(timeoutTimer);
+        timeoutTimer = null;
+      }
+      client.stop();
+    };
+    timeoutTimer = setTimeout(() => {
+      cleanup();
+      reject(new Error("Pairing timed out after 5 minutes. Try again."));
+    }, 5 * 60 * 1e3);
+    client.start();
+  });
+}
+
+// src/cli/pair.ts
+function registerPairCommand(program2) {
+  program2.command("pair").description("Pair this device with an OpenClaw gateway").argument("<gateway-url>", "WebSocket URL of the gateway (e.g. wss://host:18789)").option("-n, --name <name>", "Display name for this device").action(async (gatewayUrl, opts) => {
+    try {
+      const result = await pairWithGateway({
+        gatewayUrl,
+        deviceName: opts.name
+      });
+      console.log(result.message);
+      console.log(`Device ID: ${result.deviceId}`);
+      process.exit(0);
+    } catch (err) {
+      console.error(`Pairing failed: ${err instanceof Error ? err.message : String(err)}`);
+      process.exit(1);
+    }
+  });
+}
+
+// src/runtime/router.ts
+var CommandRouter = class {
+  handlers = /* @__PURE__ */ new Map();
+  register(command, handler) {
+    this.handlers.set(command, handler);
+  }
+  async dispatch(payload, client) {
+    const handler = this.handlers.get(payload.command);
+    if (handler) {
+      await handler(payload, client);
+      return;
+    }
+    const result = {
+      id: payload.id,
+      nodeId: payload.nodeId,
+      ok: false,
+      error: {
+        code: "UNKNOWN_COMMAND",
+        message: `Unknown command: ${payload.command}`
+      }
+    };
+    await client.request("node.invoke.result", result);
+  }
+};
+
+// src/runtime/node-runtime.ts
+import os3 from "os";
+async function startNode(opts = {}) {
+  const config = opts.config ?? loadConfig(opts.env);
+  const identityPath = resolveIdentityPath(opts.env);
+  const tokenStorePath = resolveTokenStorePath(opts.env);
+  const identity = loadOrCreateIdentity(identityPath);
+  const role = "node";
+  const storedAuth = loadDeviceAuthToken(
+    tokenStorePath,
+    identity.deviceId,
+    role
+  );
+  if (!storedAuth) {
+    throw new Error(
+      "Not paired with a gateway. Run 'nodeclaw pair <gateway-url>' first."
+    );
+  }
+  const router = opts.router ?? new CommandRouter();
+  const client = new GatewayClient({
+    url: config.gateway.url,
+    deviceIdentity: identity,
+    deviceToken: storedAuth.token,
+    role,
+    scopes: ["node.invoke"],
+    caps: ["system"],
+    commands: [
+      "system.run",
+      "system.run.prepare",
+      "system.which",
+      "system.execApprovals.get",
+      "system.execApprovals.set"
+    ],
+    clientDisplayName: config.device.name || os3.hostname(),
+    clientVersion: VERSION,
+    platform: process.platform,
+    mode: "node",
+    tlsVerify: config.gateway.tlsVerify,
+    onHelloOk: (hello) => {
+      console.log(
+        `Connected to gateway (protocol ${hello.protocol ?? "?"}, connId: ${hello.server?.connId ?? "?"})`
+      );
+    },
+    onEvent: (evt) => {
+      if (evt.event === "node.invoke.request") {
+        const invokePayload = coerceNodeInvokePayload(evt.payload);
+        if (invokePayload) {
+          void router.dispatch(invokePayload, client).catch((err) => {
+            console.error(
+              `Handler error for ${invokePayload.command}: ${String(err)}`
+            );
+          });
+        }
+      }
+    },
+    onConnectError: (err) => {
+      console.error(`Connection error: ${err.message}`);
+    },
+    onClose: (code, reason) => {
+      if (code !== 1e3) {
+        console.log(`Disconnected (${code}): ${reason || "unknown"}`);
+      }
+    }
+  });
+  client.start();
+  return {
+    client,
+    router,
+    stop: () => client.stop()
+  };
+}
+
+// src/handlers/system-run.ts
+import { spawn } from "child_process";
+import { randomUUID as randomUUID2 } from "crypto";
+import path5 from "path";
+
+// src/handlers/node-events.ts
+var EVENT_OUTPUT_MAX = 2e4;
+function tailOutput(output, max) {
+  if (output.length <= max) return output;
+  return output.slice(-max);
+}
+async function emitNodeEvent(client, event, payload) {
+  const params = {
+    event,
+    payloadJSON: JSON.stringify(payload)
+  };
+  try {
+    await client.request("node.event", params);
+  } catch {
+  }
+}
+async function emitExecStarted(client, opts) {
+  await emitNodeEvent(client, "exec.started", {
+    sessionKey: opts.sessionKey,
+    runId: opts.runId,
+    host: "node",
+    command: opts.command,
+    suppressNotifyOnExit: opts.suppressNotifyOnExit
+  });
+}
+async function emitExecFinished(client, opts) {
+  await emitNodeEvent(client, "exec.finished", {
+    sessionKey: opts.sessionKey,
+    runId: opts.runId,
+    host: "node",
+    command: opts.command,
+    exitCode: opts.exitCode,
+    timedOut: opts.timedOut,
+    success: opts.success,
+    output: opts.output ? tailOutput(opts.output, EVENT_OUTPUT_MAX) : void 0,
+    suppressNotifyOnExit: opts.suppressNotifyOnExit
+  });
+}
+async function emitExecDenied(client, opts) {
+  await emitNodeEvent(client, "exec.denied", {
+    sessionKey: opts.sessionKey,
+    runId: opts.runId,
+    host: "node",
+    command: opts.command,
+    reason: opts.reason,
+    suppressNotifyOnExit: opts.suppressNotifyOnExit
+  });
+}
+
+// src/handlers/system-run.ts
+var OUTPUT_CAP = 2e5;
+var activeCount = 0;
+function parseRunParams(paramsJSON) {
+  if (!paramsJSON) {
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(paramsJSON);
+    if (typeof parsed !== "object" || parsed === null) {
+      return null;
+    }
+    const obj = parsed;
+    let command = null;
+    if (Array.isArray(obj.command)) {
+      command = obj.command.filter((s) => typeof s === "string");
+    } else if (typeof obj.command === "string" && obj.command.trim()) {
+      command = [obj.command];
+    } else if (typeof obj.rawCommand === "string" && obj.rawCommand.trim()) {
+      command = ["sh", "-c", obj.rawCommand];
+    }
+    if (!command || command.length === 0) {
+      return null;
+    }
+    return {
+      command,
+      cwd: typeof obj.cwd === "string" ? obj.cwd : void 0,
+      env: typeof obj.env === "object" && obj.env !== null ? obj.env : void 0,
+      timeoutMs: typeof obj.timeoutMs === "number" ? obj.timeoutMs : void 0,
+      sessionKey: typeof obj.sessionKey === "string" ? obj.sessionKey : void 0,
+      runId: typeof obj.runId === "string" ? obj.runId : void 0,
+      suppressNotifyOnExit: typeof obj.suppressNotifyOnExit === "boolean" ? obj.suppressNotifyOnExit : void 0
+    };
+  } catch {
+    return null;
+  }
+}
+function isPathWithinWorkdir(testPath, workdir) {
+  if (!workdir) {
+    return true;
+  }
+  const resolved = path5.resolve(testPath);
+  const resolvedWorkdir = path5.resolve(workdir);
+  return resolved === resolvedWorkdir || resolved.startsWith(resolvedWorkdir + path5.sep);
+}
+function isBlockedCommand(command, blockedCommands) {
+  if (blockedCommands.length === 0) {
+    return false;
+  }
+  const cmdStr = command.join(" ");
+  return blockedCommands.some(
+    (blocked) => cmdStr === blocked || cmdStr.startsWith(blocked + " ")
+  );
+}
+function runCommand(params, execConfig) {
+  return new Promise((resolve) => {
+    const timeoutMs = params.timeoutMs ?? execConfig.timeoutMs;
+    const [bin, ...args] = params.command;
+    const cwd = params.cwd || void 0;
+    const env = params.env ? { ...process.env, ...params.env } : void 0;
+    const proc = spawn(bin, args, {
+      cwd,
+      env,
+      stdio: ["ignore", "pipe", "pipe"],
+      windowsHide: true
+    });
+    let stdout = "";
+    let stderr = "";
+    let truncated = false;
+    let timedOut = false;
+    let totalOutput = 0;
+    const appendOutput = (target, chunk) => {
+      const remaining = OUTPUT_CAP - totalOutput;
+      if (remaining <= 0) {
+        truncated = true;
+        return;
+      }
+      const text = chunk.toString("utf8");
+      const toAppend = text.length > remaining ? text.slice(0, remaining) : text;
+      totalOutput += toAppend.length;
+      if (target === "stdout") {
+        stdout += toAppend;
+      } else {
+        stderr += toAppend;
+      }
+      if (totalOutput >= OUTPUT_CAP) {
+        truncated = true;
+      }
+    };
+    proc.stdout.on("data", (chunk) => appendOutput("stdout", chunk));
+    proc.stderr.on("data", (chunk) => appendOutput("stderr", chunk));
+    let timeoutTimer = null;
+    if (timeoutMs > 0) {
+      timeoutTimer = setTimeout(() => {
+        timedOut = true;
+        try {
+          proc.kill("SIGKILL");
+        } catch {
+        }
+      }, timeoutMs);
+    }
+    proc.on("close", (code) => {
+      if (timeoutTimer) {
+        clearTimeout(timeoutTimer);
+      }
+      resolve({
+        exitCode: code,
+        stdout,
+        stderr,
+        timedOut,
+        truncated
+      });
+    });
+    proc.on("error", (err) => {
+      if (timeoutTimer) {
+        clearTimeout(timeoutTimer);
+      }
+      resolve({
+        exitCode: null,
+        stdout,
+        stderr: stderr + (stderr ? "\n" : "") + err.message,
+        timedOut: false,
+        truncated
+      });
+    });
+  });
+}
+function createSystemRunHandler(execConfig, workdir) {
+  return async (payload, client) => {
+    const sendResult = async (result) => {
+      await client.request("node.invoke.result", result);
+    };
+    const params = parseRunParams(payload.paramsJSON);
+    if (!params) {
+      await sendResult({
+        id: payload.id,
+        nodeId: payload.nodeId,
+        ok: false,
+        error: { code: "INVALID_PARAMS", message: "Invalid system.run params" }
+      });
+      return;
+    }
+    const commandText = params.command.join(" ");
+    const sessionKey = params.sessionKey ?? "";
+    const runId = params.runId ?? randomUUID2();
+    const suppressNotifyOnExit = params.suppressNotifyOnExit;
+    if (isBlockedCommand(params.command, execConfig.blockedCommands)) {
+      void emitExecDenied(client, {
+        sessionKey,
+        runId,
+        command: commandText,
+        reason: "allowlist-miss",
+        suppressNotifyOnExit
+      });
+      await sendResult({
+        id: payload.id,
+        nodeId: payload.nodeId,
+        ok: false,
+        error: { code: "BLOCKED", message: "Command is blocked by policy" }
+      });
+      return;
+    }
+    if (params.cwd && !isPathWithinWorkdir(params.cwd, workdir)) {
+      void emitExecDenied(client, {
+        sessionKey,
+        runId,
+        command: commandText,
+        reason: "security=deny",
+        suppressNotifyOnExit
+      });
+      await sendResult({
+        id: payload.id,
+        nodeId: payload.nodeId,
+        ok: false,
+        error: {
+          code: "WORKDIR_VIOLATION",
+          message: `Working directory ${params.cwd} is outside allowed workdir ${workdir}`
+        }
+      });
+      return;
+    }
+    if (activeCount >= execConfig.maxConcurrent) {
+      await sendResult({
+        id: payload.id,
+        nodeId: payload.nodeId,
+        ok: false,
+        error: {
+          code: "RESOURCE_EXHAUSTED",
+          message: `Max concurrent executions (${execConfig.maxConcurrent}) reached`
+        }
+      });
+      return;
+    }
+    activeCount++;
+    void emitExecStarted(client, {
+      sessionKey,
+      runId,
+      command: commandText,
+      suppressNotifyOnExit
+    });
+    try {
+      const result = await runCommand(params, execConfig);
+      void emitExecFinished(client, {
+        sessionKey,
+        runId,
+        command: commandText,
+        exitCode: result.exitCode,
+        timedOut: result.timedOut,
+        success: result.exitCode === 0 && !result.timedOut,
+        output: result.stdout + result.stderr,
+        suppressNotifyOnExit
+      });
+      await sendResult({
+        id: payload.id,
+        nodeId: payload.nodeId,
+        ok: true,
+        payloadJSON: JSON.stringify({
+          exitCode: result.exitCode,
+          stdout: result.stdout,
+          stderr: result.stderr,
+          timedOut: result.timedOut,
+          truncated: result.truncated
+        })
+      });
+    } catch (err) {
+      await sendResult({
+        id: payload.id,
+        nodeId: payload.nodeId,
+        ok: false,
+        error: {
+          code: "EXEC_ERROR",
+          message: err instanceof Error ? err.message : String(err)
+        }
+      });
+    } finally {
+      activeCount--;
+    }
+  };
+}
+
+// src/handlers/system-run-prepare.ts
+import path6 from "path";
+import crypto2 from "crypto";
+import fs4 from "fs";
+function resolveCommandArgv(params) {
+  if (Array.isArray(params.command)) {
+    const argv = params.command.filter(
+      (s) => typeof s === "string"
+    );
+    return argv.length > 0 ? argv : null;
+  }
+  if (typeof params.command === "string" && params.command.trim()) {
+    return [params.command.trim()];
+  }
+  if (typeof params.rawCommand === "string" && params.rawCommand.trim()) {
+    return ["sh", "-c", params.rawCommand.trim()];
+  }
+  return null;
+}
+function resolveMutableFileOperand(argv) {
+  for (let i = 1; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg.startsWith("-")) continue;
+    try {
+      const resolved = path6.resolve(arg);
+      if (fs4.existsSync(resolved) && fs4.statSync(resolved).isFile()) {
+        const content = fs4.readFileSync(resolved);
+        const sha256 = crypto2.createHash("sha256").update(content).digest("hex");
+        return { argvIndex: i, path: resolved, sha256 };
+      }
+    } catch {
+    }
+  }
+  return null;
+}
+async function systemRunPrepareHandler(payload, client) {
+  let params = {};
+  if (payload.paramsJSON) {
+    try {
+      params = JSON.parse(payload.paramsJSON);
+    } catch {
+      await client.request("node.invoke.result", {
+        id: payload.id,
+        nodeId: payload.nodeId,
+        ok: false,
+        error: { code: "INVALID_PARAMS", message: "Invalid params" }
+      });
+      return;
+    }
+  }
+  const argv = resolveCommandArgv(params);
+  if (!argv) {
+    await client.request("node.invoke.result", {
+      id: payload.id,
+      nodeId: payload.nodeId,
+      ok: false,
+      error: { code: "INVALID_PARAMS", message: "No command provided" }
+    });
+    return;
+  }
+  const cwd = typeof params.cwd === "string" && params.cwd.trim() ? path6.resolve(params.cwd.trim()) : null;
+  const agentId = typeof params.agentId === "string" ? params.agentId : null;
+  const sessionKey = typeof params.sessionKey === "string" ? params.sessionKey : null;
+  const plan = {
+    argv,
+    cwd,
+    commandText: argv.join(" "),
+    commandPreview: argv.length > 3 ? argv.slice(0, 3).join(" ") + "..." : null,
+    agentId,
+    sessionKey,
+    mutableFileOperand: resolveMutableFileOperand(argv)
+  };
+  const result = {
+    id: payload.id,
+    nodeId: payload.nodeId,
+    ok: true,
+    payloadJSON: JSON.stringify({ plan })
+  };
+  await client.request("node.invoke.result", result);
+}
+
+// src/handlers/system-info.ts
+import os4 from "os";
+import fs5 from "fs";
+function getSystemInfo(workdir) {
+  const cpus = os4.cpus();
+  const totalMem = os4.totalmem();
+  const freeMem = os4.freemem();
+  const info = {
+    cpu: {
+      model: cpus.length > 0 ? cpus[0].model : "unknown",
+      cores: cpus.length
+    },
+    memory: {
+      totalBytes: totalMem,
+      freeBytes: freeMem,
+      usedBytes: totalMem - freeMem
+    },
+    uptime: os4.uptime(),
+    platform: process.platform,
+    arch: process.arch,
+    hostname: os4.hostname(),
+    nodeVersion: process.version
+  };
+  const statfsPath = workdir || "/";
+  try {
+    const stats = fs5.statfsSync(statfsPath);
+    info.disk = {
+      totalBytes: stats.blocks * stats.bsize,
+      freeBytes: stats.bavail * stats.bsize,
+      usedBytes: (stats.blocks - stats.bavail) * stats.bsize
+    };
+  } catch {
+  }
+  return info;
+}
+async function systemInfoHandler(payload, client, workdir) {
+  const info = getSystemInfo(workdir);
+  const result = {
+    id: payload.id,
+    nodeId: payload.nodeId,
+    ok: true,
+    payloadJSON: JSON.stringify(info)
+  };
+  await client.request("node.invoke.result", result);
+}
+
+// src/handlers/system-which.ts
+import { execFileSync } from "child_process";
+function whichBin(bin) {
+  try {
+    const result = execFileSync("which", [bin], {
+      encoding: "utf8",
+      timeout: 5e3,
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    return result.trim() || null;
+  } catch {
+    return null;
+  }
+}
+function resolveWhich(bins) {
+  const result = {};
+  for (const bin of bins) {
+    result[bin] = whichBin(bin);
+  }
+  return result;
+}
+async function systemWhichHandler(payload, client) {
+  let bins = [];
+  if (payload.paramsJSON) {
+    try {
+      const parsed = JSON.parse(payload.paramsJSON);
+      if (Array.isArray(parsed.bins)) {
+        bins = parsed.bins.filter((b) => typeof b === "string");
+      }
+    } catch {
+    }
+  }
+  const resolved = resolveWhich(bins);
+  const result = {
+    id: payload.id,
+    nodeId: payload.nodeId,
+    ok: true,
+    payloadJSON: JSON.stringify({ bins: resolved })
+  };
+  await client.request("node.invoke.result", result);
+}
+
+// src/handlers/exec-approvals.ts
+import crypto3 from "crypto";
+import fs6 from "fs";
+import path7 from "path";
+function resolveExecApprovalsPath(env) {
+  return path7.join(resolveBaseDir(env), "exec-approvals.json");
+}
+function hashRaw(raw) {
+  return crypto3.createHash("sha256").update(raw ?? "").digest("hex");
+}
+function loadExecApprovalsFile(filePath) {
+  try {
+    if (fs6.existsSync(filePath)) {
+      const raw = fs6.readFileSync(filePath, "utf8");
+      const parsed = JSON.parse(raw);
+      if (parsed?.version === 1) {
+        return { path: filePath, exists: true, raw, file: parsed, hash: hashRaw(raw) };
+      }
+    }
+  } catch {
+  }
+  const defaultFile = { version: 1 };
+  return { path: filePath, exists: false, raw: null, file: defaultFile, hash: hashRaw(null) };
+}
+function saveExecApprovalsFile(filePath, file) {
+  fs6.mkdirSync(path7.dirname(filePath), { recursive: true });
+  const raw = JSON.stringify(file, null, 2) + "\n";
+  fs6.writeFileSync(filePath, raw, { mode: 384 });
+  return { path: filePath, exists: true, raw, file, hash: hashRaw(raw) };
+}
+function createExecApprovalsGetHandler(env) {
+  return async (payload, client) => {
+    const filePath = resolveExecApprovalsPath(env);
+    const snapshot = loadExecApprovalsFile(filePath);
+    const result = {
+      id: payload.id,
+      nodeId: payload.nodeId,
+      ok: true,
+      payloadJSON: JSON.stringify(snapshot)
+    };
+    await client.request("node.invoke.result", result);
+  };
+}
+function createExecApprovalsSetHandler(env) {
+  return async (payload, client) => {
+    const filePath = resolveExecApprovalsPath(env);
+    let params = {};
+    if (payload.paramsJSON) {
+      try {
+        params = JSON.parse(payload.paramsJSON);
+      } catch {
+        await client.request("node.invoke.result", {
+          id: payload.id,
+          nodeId: payload.nodeId,
+          ok: false,
+          error: { code: "INVALID_PARAMS", message: "Invalid params" }
+        });
+        return;
+      }
+    }
+    if (params.baseHash) {
+      const current = loadExecApprovalsFile(filePath);
+      if (current.hash !== params.baseHash) {
+        await client.request("node.invoke.result", {
+          id: payload.id,
+          nodeId: payload.nodeId,
+          ok: false,
+          error: {
+            code: "HASH_MISMATCH",
+            message: "Exec approvals file was modified concurrently"
+          }
+        });
+        return;
+      }
+    }
+    const file = params.file ?? { version: 1 };
+    const snapshot = saveExecApprovalsFile(filePath, file);
+    const result = {
+      id: payload.id,
+      nodeId: payload.nodeId,
+      ok: true,
+      payloadJSON: JSON.stringify(snapshot)
+    };
+    await client.request("node.invoke.result", result);
+  };
+}
+
+// src/handlers/index.ts
+function registerAllHandlers(router, env) {
+  const config = loadConfig(env);
+  const workdir = config.device.workdir;
+  router.register(
+    "system.run",
+    createSystemRunHandler(config.exec, workdir)
+  );
+  router.register("system.run.prepare", systemRunPrepareHandler);
+  router.register(
+    "system.info",
+    (payload, client) => systemInfoHandler(payload, client, workdir)
+  );
+  router.register("system.which", systemWhichHandler);
+  router.register(
+    "system.execApprovals.get",
+    createExecApprovalsGetHandler(env)
+  );
+  router.register(
+    "system.execApprovals.set",
+    createExecApprovalsSetHandler(env)
+  );
+}
+
+// src/cli/start.ts
+function registerStartCommand(program2) {
+  program2.command("start").description("Start the node daemon (foreground)").action(async () => {
+    try {
+      const { router, stop } = await startNode();
+      registerAllHandlers(router);
+      console.log("NodeClaw running. Press Ctrl+C to stop.");
+      const shutdown = () => {
+        console.log("\nShutting down...");
+        stop();
+        process.exit(0);
+      };
+      process.on("SIGINT", shutdown);
+      process.on("SIGTERM", shutdown);
+      await new Promise(() => {
+      });
+    } catch (err) {
+      console.error(
+        err instanceof Error ? err.message : String(err)
+      );
+      process.exit(1);
+    }
+  });
+}
+
+// src/cli/status.ts
+function registerStatusCommand(program2) {
+  program2.command("status").description("Show connection and pairing status").action(() => {
+    const config = loadConfig();
+    const identityPath = resolveIdentityPath();
+    const tokenStorePath = resolveTokenStorePath();
+    let identity;
+    try {
+      identity = loadOrCreateIdentity(identityPath);
+    } catch {
+      console.log("Device identity: not initialized");
+      return;
+    }
+    const token = loadDeviceAuthToken(
+      tokenStorePath,
+      identity.deviceId,
+      "node"
+    );
+    console.log(`Gateway URL:  ${config.gateway.url}`);
+    console.log(`Device name:  ${config.device.name || "(default)"}`);
+    console.log(`Device ID:    ${identity.deviceId}`);
+    console.log(`Paired:       ${token ? "yes" : "no"}`);
+    if (config.device.workdir) {
+      console.log(`Workdir:      ${config.device.workdir}`);
+    }
+  });
+}
+
+// src/cli/unpair.ts
+import fs7 from "fs";
+function registerUnpairCommand(program2) {
+  program2.command("unpair").description("Remove pairing token and disconnect").option("--full", "Also delete device identity (generates new ID on next pair)").action((opts) => {
+    const identityPath = resolveIdentityPath();
+    const tokenStorePath = resolveTokenStorePath();
+    try {
+      const identity = loadOrCreateIdentity(identityPath);
+      clearDeviceAuthToken(tokenStorePath, identity.deviceId, "node");
+      console.log("Pairing token removed.");
+    } catch {
+      console.log("No pairing token found.");
+    }
+    if (opts.full) {
+      try {
+        if (fs7.existsSync(identityPath)) {
+          fs7.unlinkSync(identityPath);
+          console.log("Device identity deleted.");
+        }
+      } catch (err) {
+        console.error(
+          `Failed to delete identity: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+  });
+}
+
+// src/cli/version.ts
+function registerVersionCommand(program2) {
+  program2.command("info").description("Show version and protocol information").action(() => {
+    console.log(`NodeClaw v${VERSION}`);
+    console.log(`Protocol:     ${PROTOCOL_VERSION}`);
+    console.log(`Node.js:      ${process.version}`);
+    console.log(`Platform:     ${process.platform}`);
+    console.log(`Arch:         ${process.arch}`);
+  });
+}
+
+// src/cli/doctor.ts
+import fs8 from "fs";
+function runChecks() {
+  const checks = [];
+  const nodeVersion = parseInt(process.version.slice(1), 10);
+  checks.push({
+    name: "Node.js version",
+    status: nodeVersion >= 20 ? "ok" : "fail",
+    detail: `${process.version} ${nodeVersion >= 20 ? "(>= 20)" : "(requires >= 20)"}`
+  });
+  const baseDir = resolveBaseDir();
+  checks.push({
+    name: "Config directory",
+    status: fs8.existsSync(baseDir) ? "ok" : "warn",
+    detail: baseDir
+  });
+  const configPath = resolveConfigPath();
+  if (fs8.existsSync(configPath)) {
+    try {
+      loadConfig();
+      checks.push({ name: "Config file", status: "ok", detail: configPath });
+    } catch {
+      checks.push({
+        name: "Config file",
+        status: "fail",
+        detail: `${configPath} (invalid)`
+      });
+    }
+  } else {
+    checks.push({
+      name: "Config file",
+      status: "warn",
+      detail: `${configPath} (not found, using defaults)`
+    });
+  }
+  const identityPath = resolveIdentityPath();
+  if (fs8.existsSync(identityPath)) {
+    try {
+      const identity = loadOrCreateIdentity(identityPath);
+      checks.push({
+        name: "Device identity",
+        status: "ok",
+        detail: `${identity.deviceId.slice(0, 16)}...`
+      });
+    } catch {
+      checks.push({
+        name: "Device identity",
+        status: "fail",
+        detail: `${identityPath} (corrupt)`
+      });
+    }
+  } else {
+    checks.push({
+      name: "Device identity",
+      status: "warn",
+      detail: "Not initialized (will be created on first pair)"
+    });
+  }
+  const tokenStorePath = resolveTokenStorePath();
+  try {
+    const identity = loadOrCreateIdentity(identityPath);
+    const token = loadDeviceAuthToken(
+      tokenStorePath,
+      identity.deviceId,
+      "node"
+    );
+    checks.push({
+      name: "Pairing token",
+      status: token ? "ok" : "warn",
+      detail: token ? "Stored" : "Not paired"
+    });
+  } catch {
+    checks.push({
+      name: "Pairing token",
+      status: "warn",
+      detail: "Cannot check (no identity)"
+    });
+  }
+  const config = loadConfig();
+  checks.push({
+    name: "Gateway URL",
+    status: config.gateway.url ? "ok" : "fail",
+    detail: config.gateway.url || "(not configured)"
+  });
+  if (config.device.workdir) {
+    const exists = fs8.existsSync(config.device.workdir);
+    checks.push({
+      name: "Workdir",
+      status: exists ? "ok" : "fail",
+      detail: `${config.device.workdir} ${exists ? "" : "(not found)"}`
+    });
+  } else {
+    checks.push({
+      name: "Workdir",
+      status: "warn",
+      detail: "Not configured (exec allowed anywhere)"
+    });
+  }
+  return checks;
+}
+function registerDoctorCommand(program2) {
+  program2.command("doctor").description("Check configuration, connectivity, and service status").action(() => {
+    const checks = runChecks();
+    let hasFailures = false;
+    for (const check of checks) {
+      const icon = check.status === "ok" ? "[OK]  " : check.status === "warn" ? "[WARN]" : "[FAIL]";
+      if (check.status === "fail") {
+        hasFailures = true;
+      }
+      console.log(`${icon} ${check.name}: ${check.detail}`);
+    }
+    if (hasFailures) {
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/cli/install-service.ts
+import fs9 from "fs";
+import path8 from "path";
+import os7 from "os";
+
+// src/service/systemd.ts
+import os5 from "os";
+import { execFileSync as execFileSync2 } from "child_process";
+function resolveNodeClawPath() {
+  try {
+    return execFileSync2("which", ["nodeclaw"], {
+      encoding: "utf8",
+      timeout: 5e3
+    }).trim();
+  } catch {
+    return "/usr/local/bin/nodeclaw";
+  }
+}
+function generateSystemdUnit(opts = {}) {
+  const execPath = opts.execPath || resolveNodeClawPath();
+  const user = opts.user || os5.userInfo().username;
+  const workdir = opts.workdir || os5.homedir();
+  return `[Unit]
+Description=NodeClaw - OpenClaw Node Client
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=${execPath} start
+Restart=always
+RestartSec=5
+User=${user}
+WorkingDirectory=${workdir}
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+`;
+}
+
+// src/service/launchd.ts
+import os6 from "os";
+import { execFileSync as execFileSync3 } from "child_process";
+function resolveNodeClawPath2() {
+  try {
+    return execFileSync3("which", ["nodeclaw"], {
+      encoding: "utf8",
+      timeout: 5e3
+    }).trim();
+  } catch {
+    return "/usr/local/bin/nodeclaw";
+  }
+}
+function generateLaunchdPlist(opts = {}) {
+  const execPath = opts.execPath || resolveNodeClawPath2();
+  const workdir = opts.workdir || os6.homedir();
+  const label = opts.label || "ai.nodeclaw";
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${label}</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>${execPath}</string>
+    <string>start</string>
+  </array>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>KeepAlive</key>
+  <true/>
+  <key>WorkingDirectory</key>
+  <string>${workdir}</string>
+  <key>StandardOutPath</key>
+  <string>/tmp/nodeclaw.stdout.log</string>
+  <key>StandardErrorPath</key>
+  <string>/tmp/nodeclaw.stderr.log</string>
+</dict>
+</plist>
+`;
+}
+
+// src/cli/install-service.ts
+function registerInstallServiceCommand(program2) {
+  program2.command("install-service").description("Install systemd (Linux) or launchd (macOS) service").option("--dry-run", "Print the service file without writing").action((opts) => {
+    const config = loadConfig();
+    const platform = process.platform;
+    const workdir = config.device.workdir || os7.homedir();
+    if (platform === "linux") {
+      const unit = generateSystemdUnit({ workdir });
+      if (opts.dryRun) {
+        console.log(unit);
+        return;
+      }
+      const unitPath = path8.join(
+        os7.homedir(),
+        ".config",
+        "systemd",
+        "user",
+        "nodeclaw.service"
+      );
+      fs9.mkdirSync(path8.dirname(unitPath), { recursive: true });
+      fs9.writeFileSync(unitPath, unit);
+      console.log(`Service file written to ${unitPath}`);
+      console.log("To enable: systemctl --user enable --now nodeclaw");
+    } else if (platform === "darwin") {
+      const plist = generateLaunchdPlist({ workdir });
+      if (opts.dryRun) {
+        console.log(plist);
+        return;
+      }
+      const plistPath = path8.join(
+        os7.homedir(),
+        "Library",
+        "LaunchAgents",
+        "ai.nodeclaw.plist"
+      );
+      fs9.mkdirSync(path8.dirname(plistPath), { recursive: true });
+      fs9.writeFileSync(plistPath, plist);
+      console.log(`Plist written to ${plistPath}`);
+      console.log("To load: launchctl load " + plistPath);
+    } else {
+      console.error(`Service installation not supported on ${platform}`);
+      process.exit(1);
+    }
+  });
+  program2.command("uninstall-service").description("Remove installed service").action(() => {
+    const platform = process.platform;
+    if (platform === "linux") {
+      const unitPath = path8.join(
+        os7.homedir(),
+        ".config",
+        "systemd",
+        "user",
+        "nodeclaw.service"
+      );
+      if (fs9.existsSync(unitPath)) {
+        fs9.unlinkSync(unitPath);
+        console.log("Service file removed.");
+        console.log("Run: systemctl --user daemon-reload");
+      } else {
+        console.log("Service file not found.");
+      }
+    } else if (platform === "darwin") {
+      const plistPath = path8.join(
+        os7.homedir(),
+        "Library",
+        "LaunchAgents",
+        "ai.nodeclaw.plist"
+      );
+      if (fs9.existsSync(plistPath)) {
+        fs9.unlinkSync(plistPath);
+        console.log("Plist removed.");
+        console.log("Run: launchctl unload " + plistPath);
+      } else {
+        console.log("Plist not found.");
+      }
+    } else {
+      console.error(`Service uninstall not supported on ${platform}`);
+      process.exit(1);
+    }
+  });
+}
+
+// src/cli.ts
+var program = new Command();
+program.name("nodeclaw").description("Minimal OpenClaw node protocol client").version(VERSION);
+registerPairCommand(program);
+registerStartCommand(program);
+registerStatusCommand(program);
+registerUnpairCommand(program);
+registerVersionCommand(program);
+registerDoctorCommand(program);
+registerInstallServiceCommand(program);
+program.parse();
+//# sourceMappingURL=cli.js.map