notoken-core 1.8.0 → 1.8.1

package/dist/utils/openclawDiag.js

@@ -10,9 +10,11 @@
  *   6. What's the config state?
  *   7. Any errors in recent logs?
  */
-import { exec } from "node:child_process";
+import { exec, execSync } from "node:child_process";
 import { promisify } from "node:util";
+import { resolve } from "node:path";
 import { discoverInstallations } from "./entityResolver.js";
+import { getUserContext, findFreshestClaudeToken, detectUserMismatch, getAuthProfilesPath } from "./userContext.js";
 const execAsync = promisify(exec);
 const c = {
     reset: "\x1b[0m", bold: "\x1b[1m", dim: "\x1b[2m",
@@ -106,6 +108,382 @@ function getClaudeCredsPath() {
 function getOpenclawHome() {
     return `${userHome}${isWin ? "\\" : "/"}.openclaw`;
 }
+/**
+ * Check Claude CLI status and sync OAuth token to OpenClaw if needed.
+ * Full diagnostic:
+ *   1. Is Claude CLI installed?
+ *   2. Does Claude have a valid OAuth token?
+ *   3. Is OpenClaw's copy stale?
+ *   4. Sync if needed.
+ */
+/**
+ * Full OpenClaw auth refresh — uses expect for proper TTY flow,
+ * falls back to direct file write if expect unavailable.
+ *
+ * Flow:
+ *   1. Read fresh token from Claude CLI credentials
+ *   2. Try: expect → openclaw models auth paste-token --provider anthropic
+ *   3. Fallback: write directly to auth-profiles.json
+ *   4. Update lastGood pointer
+ */
+export function refreshOpenclawAuth() {
+    try {
+        const { existsSync: ef, readFileSync: rf, writeFileSync: wf } = require("node:fs");
+        // Get fresh token from Claude
+        const claudePath = getClaudeCredsPath();
+        if (!ef(claudePath))
+            return { success: false, method: "none", message: "Claude CLI not found" };
+        const claude = JSON.parse(rf(claudePath, "utf-8"));
+        const freshToken = claude?.claudeAiOauth?.accessToken;
+        const freshExpires = claude?.claudeAiOauth?.expiresAt;
+        if (!freshToken)
+            return { success: false, method: "none", message: "No Claude OAuth token" };
+        // Find Node 22 and openclaw binary
+        let node22 = "node";
+        const nvmPaths = ["/home/ino/.nvm/versions/node/v22.22.2/bin/node", "/home/ino/.nvm/versions/node/v22.22.1/bin/node"];
+        for (const p of nvmPaths) {
+            try {
+                if (require("node:fs").existsSync(p)) {
+                    node22 = p;
+                    break;
+                }
+            }
+            catch { }
+        }
+        if (node22 === "node") {
+            try {
+                const found = execSync("ls /home/ino/.nvm/versions/node/v22*/bin/node 2>/dev/null | tail -1", { encoding: "utf-8", timeout: 3000, stdio: "pipe" }).trim();
+                if (found)
+                    node22 = found;
+            }
+            catch { }
+        }
+        let ocBin = "openclaw";
+        try {
+            ocBin = execSync("readlink -f $(which openclaw) 2>/dev/null || which openclaw", { encoding: "utf-8", timeout: 3000, stdio: "pipe" }).trim();
+        }
+        catch { }
+        // Method 1: Try expect for proper OpenClaw registration
+        let expectAvailable = false;
+        try {
+            execSync("which expect 2>/dev/null", { stdio: "pipe" });
+            expectAvailable = true;
+        }
+        catch { }
+        if (expectAvailable) {
+            try {
+                const expectScript = `
+set timeout 15
+spawn ${node22} ${ocBin} models auth paste-token --provider anthropic
+expect "Paste token"
+send "${freshToken}\\r"
+expect eof
+`;
+                const result = execSync(`expect -c '${expectScript.replace(/'/g, "'\\''")}'`, {
+                    encoding: "utf-8", timeout: 20000, stdio: ["pipe", "pipe", "pipe"]
+                });
+                if (result.includes("Auth profile")) {
+                    return { success: true, method: "expect", message: "Token registered via OpenClaw auth (proper flow)" };
+                }
+            }
+            catch { /* fall through to direct write */ }
+        }
+        // Method 2: Direct write to auth-profiles.json
+        const authPath = `${getOpenclawHome()}/agents/main/agent/auth-profiles.json`;
+        if (!ef(authPath))
+            return { success: false, method: "none", message: "OpenClaw auth file not found" };
+        const auth = JSON.parse(rf(authPath, "utf-8"));
+        if (!auth.profiles)
+            auth.profiles = {};
+        auth.profiles["anthropic:claude-oauth"] = {
+            type: "oauth",
+            provider: "anthropic",
+            access: freshToken,
+            expires: freshExpires,
+        };
+        if (!auth.lastGood)
+            auth.lastGood = {};
+        auth.lastGood.anthropic = "anthropic:claude-oauth";
+        wf(authPath, JSON.stringify(auth, null, 2));
+        return { success: true, method: "direct", message: "Token written directly to auth profiles" };
+    }
+    catch (err) {
+        return { success: false, method: "error", message: err.message };
+    }
+}
+/**
+ * Sync Codex (OpenAI) OAuth token to OpenClaw.
+ * Reads from ~/.codex/auth.json
+ */
+/**
+ * Parse `openclaw models` output to understand current configuration.
+ */
+export function parseOpenclawModels(output) {
+    const result = {
+        defaultModel: null,
+        configuredModels: [],
+        providers: [],
+        errors: [],
+    };
+    // Parse default model
+    const defaultMatch = output.match(/Default\s*:\s*(\S+)/);
+    if (defaultMatch)
+        result.defaultModel = defaultMatch[1];
+    // Parse configured models
+    const modelsMatch = output.match(/Configured models\s*\(\d+\):\s*(.+)/);
+    if (modelsMatch) {
+        result.configuredModels = modelsMatch[1].split(",").map(s => s.trim().replace(/"/g, "")).filter(Boolean);
+    }
+    // Parse providers with auth
+    const providerLines = output.split("\n").filter(l => l.match(/^- \w+\s+effective=/));
+    for (const line of providerLines) {
+        const nameMatch = line.match(/^- (\S+)/);
+        const hasOAuth = line.includes("OAuth") || line.includes("oauth=1");
+        const hasToken = line.includes("token=1") || line.includes("token:");
+        const isMissing = line.includes("missing:missing");
+        result.providers.push({
+            name: nameMatch?.[1] ?? "unknown",
+            status: isMissing ? "missing" : "configured",
+            hasAuth: hasOAuth || hasToken,
+        });
+    }
+    // Parse errors
+    const errorLines = output.split("\n").filter(l => l.includes("Token refresh failed") || l.includes("error") || l.includes("Missing auth"));
+    result.errors = errorLines.map(l => l.trim());
+    return result;
+}
+/**
+ * Parse `openclaw status --deep` for health and channel details.
+ */
+export function parseOpenclawDeepStatus(output) {
+    const result = {
+        health: [],
+        channels: [],
+        sessions: [],
+    };
+    // Parse Health table
+    const healthRows = output.match(/│\s*(\w+)\s*│\s*(reachable|OK|error|timeout|unreachable)\s*│\s*(.+?)│/g);
+    if (healthRows) {
+        for (const row of healthRows) {
+            const m = row.match(/│\s*(\w+)\s*│\s*(\w+)\s*│\s*(.+?)│/);
+            if (m && m[1] !== "Item")
+                result.health.push({ item: m[1], status: m[2], detail: m[3].trim() });
+        }
+    }
+    // Parse Channels table
+    const chanRows = output.match(/│\s*(\w+)\s*│\s*(ON|OFF)\s*│\s*(OK|error|warn|off)\s*│\s*(.+?)│/g);
+    if (chanRows) {
+        for (const row of chanRows) {
+            const m = row.match(/│\s*(\w+)\s*│\s*(ON|OFF)\s*│\s*(\w+)\s*│\s*(.+?)│/);
+            if (m && m[1] !== "Channel")
+                result.channels.push({ channel: m[1], enabled: m[2] === "ON", state: m[3], detail: m[4].trim() });
+        }
+    }
+    // Parse Sessions table
+    const sessRows = output.match(/│\s*agent:\S+\s*│\s*\w+\s*│\s*\S+\s+ago\s*│\s*\S+\s*│\s*.+?│/g);
+    if (sessRows) {
+        for (const row of sessRows) {
+            const m = row.match(/│\s*(\S+)\s*│\s*(\w+)\s*│\s*(\S+\s+ago)\s*│\s*(\S+)\s*│\s*(.+?)│/);
+            if (m)
+                result.sessions.push({ key: m[1], kind: m[2], age: m[3], model: m[4], tokens: m[5].trim() });
+        }
+    }
+    return result;
+}
+/**
+ * Parse `openclaw status` output to understand gateway and system state.
+ */
+export function parseOpenclawStatus(output) {
+    const result = {
+        dashboard: null,
+        gateway: { status: "unknown", url: null, reachable: false, latency: null },
+        agents: { count: 0, lastActive: null },
+        sessions: { count: 0, defaultModel: null, contextSize: null },
+        update: { available: false, version: null },
+        security: { critical: 0, warn: 0, info: 0, issues: [] },
+        services: { gateway: "unknown", node: "unknown" },
+    };
+    // Dashboard URL
+    const dashMatch = output.match(/Dashboard\s*│\s*(https?:\/\/\S+)/);
+    if (dashMatch)
+        result.dashboard = dashMatch[1].trim();
+    // Gateway
+    const gwMatch = output.match(/Gateway\s*│\s*(.+?)│/s);
+    if (gwMatch) {
+        const gwText = gwMatch[1];
+        result.gateway.status = gwText.includes("reachable") ? "running" : "unknown";
+        const urlMatch = gwText.match(/(wss?:\/\/\S+)/);
+        if (urlMatch)
+            result.gateway.url = urlMatch[1];
+        result.gateway.reachable = gwText.includes("reachable");
+        const latMatch = gwText.match(/reachable\s+(\d+ms)/);
+        if (latMatch)
+            result.gateway.latency = latMatch[1];
+    }
+    // Gateway/Node services
+    const gwSvcMatch = output.match(/Gateway service\s*│\s*(.+?)│/);
+    if (gwSvcMatch)
+        result.services.gateway = gwSvcMatch[1].trim();
+    const nodeSvcMatch = output.match(/Node service\s*│\s*(.+?)│/);
+    if (nodeSvcMatch)
+        result.services.node = nodeSvcMatch[1].trim();
+    // Agents
+    const agentMatch = output.match(/Agents\s*│\s*(\d+)/);
+    if (agentMatch)
+        result.agents.count = parseInt(agentMatch[1]);
+    const activeMatch = output.match(/active\s+(\S+\s+ago)/);
+    if (activeMatch)
+        result.agents.lastActive = activeMatch[1];
+    // Sessions
+    const sessMatch = output.match(/Sessions\s*│\s*(\d+)\s+active.*?default\s+(\S+)\s+\((\S+)\s+ctx\)/);
+    if (sessMatch) {
+        result.sessions.count = parseInt(sessMatch[1]);
+        result.sessions.defaultModel = sessMatch[2];
+        result.sessions.contextSize = sessMatch[3];
+    }
+    // Update
+    const updateMatch = output.match(/Update\s*│\s*(.+?)│/);
+    if (updateMatch) {
+        result.update.available = updateMatch[1].includes("available");
+        const verMatch = updateMatch[1].match(/(\d{4}\.\d+\.\d+)/);
+        if (verMatch)
+            result.update.version = verMatch[1];
+    }
+    // Security
+    const secMatch = output.match(/Summary:\s*(\d+)\s*critical.*?(\d+)\s*warn.*?(\d+)\s*info/);
+    if (secMatch) {
+        result.security.critical = parseInt(secMatch[1]);
+        result.security.warn = parseInt(secMatch[2]);
+        result.security.info = parseInt(secMatch[3]);
+    }
+    const critLines = output.match(/CRITICAL\s+.+/g);
+    if (critLines)
+        result.security.issues = critLines.map(l => l.trim());
+    return result;
+}
+function syncCodexToken() {
+    try {
+        const ctx = getUserContext();
+        const { existsSync: ef, readFileSync: rf, writeFileSync: wf } = require("node:fs");
+        const codexPath = resolve(ctx.loginHomeDir, ".codex", "auth.json");
+        const authPath = getAuthProfilesPath();
+        if (!ef(codexPath)) {
+            let codexInstalled = "";
+            try {
+                codexInstalled = execSync("which codex 2>/dev/null || where codex 2>nul", { encoding: "utf-8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"] }).trim();
+            }
+            catch { }
+            if (!codexInstalled)
+                return { status: "no_claude", message: "Codex CLI not installed. Install: npm install -g @openai/codex" };
+            return { status: "no_claude_token", message: "Codex CLI installed but no auth file. Run: codex" };
+        }
+        const codex = JSON.parse(rf(codexPath, "utf-8"));
+        const freshToken = codex?.tokens?.access_token;
+        const refreshToken = codex?.tokens?.refresh_token;
+        const freshExpires = (codex?.tokens?.expires_at ?? 0) * 1000; // Codex uses seconds, we use ms
+        const accountId = codex?.tokens?.account_id;
+        if (!freshToken && !refreshToken)
+            return { status: "no_claude_token", message: "Codex has no tokens. Run: codex (to authenticate)" };
+        if (!ef(authPath))
+            return { status: "no_openclaw_auth", message: "OpenClaw auth file not found" };
+        const auth = JSON.parse(rf(authPath, "utf-8"));
+        const ocProfile = auth?.profiles?.["openai-codex:default"];
+        if (!ocProfile) {
+            // Create profile
+            if (!auth.profiles)
+                auth.profiles = {};
+            auth.profiles["openai-codex:default"] = { type: "oauth", provider: "openai-codex", access: freshToken, refresh: refreshToken, expires: freshExpires, accountId };
+            if (!auth.lastGood)
+                auth.lastGood = {};
+            auth.lastGood["openai-codex"] = "openai-codex:default";
+            wf(authPath, JSON.stringify(auth, null, 2));
+            return { status: "synced", message: "Created OpenClaw Codex auth profile from Codex CLI" };
+        }
+        // Check if stale
+        const ocExpires = ocProfile.expires ?? 0;
+        const now = Date.now();
+        if (ocExpires - now > 3600000) {
+            return { status: "already_fresh", message: `Codex token fresh (${((ocExpires - now) / 3600000).toFixed(1)}h remaining)` };
+        }
+        // Sync — update access token and refresh token
+        if (freshToken)
+            ocProfile.access = freshToken;
+        if (refreshToken)
+            ocProfile.refresh = refreshToken;
+        ocProfile.expires = freshExpires;
+        if (accountId)
+            ocProfile.accountId = accountId;
+        wf(authPath, JSON.stringify(auth, null, 2));
+        return { status: "synced", message: "Codex token synced from ~/.codex/auth.json" };
+    }
+    catch (err) {
+        return { status: "error", message: `Codex sync error: ${err.message}` };
+    }
+}
+function syncClaudeToken() {
+    try {
+        const ctx = getUserContext();
+        const { existsSync: ef, readFileSync: rf, writeFileSync: wf } = require("node:fs");
+        // 1. Find freshest Claude token across all users (root, ino, etc.)
+        const freshest = findFreshestClaudeToken();
+        if (!freshest) {
+            let claudeInstalled = "";
+            try {
+                claudeInstalled = execSync("which claude 2>/dev/null || where claude 2>nul", { encoding: "utf-8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"] }).trim();
+            }
+            catch { }
+            if (!claudeInstalled)
+                return { status: "no_claude", message: "Claude CLI not installed" };
+            return { status: "no_claude_token", message: `Claude CLI installed but no valid token found (checked root + ${ctx.loginUser})` };
+        }
+        const freshToken = freshest.token;
+        const freshExpires = freshest.expires;
+        // 2. Validate token
+        const now = Date.now();
+        const claudeHoursLeft = (freshExpires - now) / 3600000;
+        if (claudeHoursLeft <= 0) {
+            return { status: "no_claude_token", message: `Claude token expired ${Math.abs(claudeHoursLeft).toFixed(1)}h ago (source: ${freshest.source}). Run: claude`, claudeExpires: freshExpires };
+        }
+        // 3. Check OpenClaw's auth file — use user-aware path
+        const authPath = getAuthProfilesPath();
+        if (!ef(authPath)) {
+            return { status: "no_openclaw_auth", message: "OpenClaw auth not configured. Run: diagnose openclaw", claudeExpires: freshExpires };
+        }
+        const auth = JSON.parse(rf(authPath, "utf-8"));
+        // Check both profile names — openclaw uses "anthropic:claude-oauth" or "anthropic:manual"
+        const ocProfile = auth?.profiles?.["anthropic:claude-oauth"] ?? auth?.profiles?.["anthropic:manual"];
+        if (!ocProfile) {
+            // No anthropic profile at all — create one
+            if (!auth.profiles)
+                auth.profiles = {};
+            auth.profiles["anthropic:claude-oauth"] = { type: "oauth", provider: "anthropic", access: freshToken, expires: freshExpires };
+            if (!auth.lastGood)
+                auth.lastGood = {};
+            auth.lastGood.anthropic = "anthropic:claude-oauth";
+            wf(authPath, JSON.stringify(auth, null, 2));
+            return { status: "synced", message: `Created OpenClaw auth profile with Claude token (${claudeHoursLeft.toFixed(1)}h remaining)`, claudeExpires: freshExpires };
+        }
+        // 4. Check if OpenClaw's copy is stale
+        const ocExpires = ocProfile.expires ?? 0;
+        const ocHoursLeft = (ocExpires - now) / 3600000;
+        if (ocHoursLeft > 1) {
+            return { status: "already_fresh", message: `OpenClaw token is fresh (${ocHoursLeft.toFixed(1)}h remaining)`, claudeExpires: freshExpires, openclawExpires: ocExpires };
+        }
+        // 5. Sync fresh token
+        ocProfile.access = freshToken;
+        ocProfile.expires = freshExpires;
+        wf(authPath, JSON.stringify(auth, null, 2));
+        return {
+            status: "synced",
+            message: `Token refreshed — was ${ocHoursLeft > 0 ? `expiring in ${ocHoursLeft.toFixed(1)}h` : `expired ${Math.abs(ocHoursLeft).toFixed(1)}h ago`}, now good for ${claudeHoursLeft.toFixed(1)}h`,
+            claudeExpires: freshExpires,
+            openclawExpires: freshExpires,
+        };
+    }
+    catch (err) {
+        return { status: "error", message: `Token sync error: ${err.message}` };
+    }
+}
 /**
  * Quick connectivity check — escalates from simplest to most thorough.
  * Used for "can you talk to openclaw?" / "is openclaw reachable?"
@@ -121,6 +499,101 @@ export async function quickConnectivityCheck(runRemote) {
     const run = runRemote ?? ((cmd) => runCmd(cmd));
     const lines = [];
     lines.push(`\n${c.bold}${c.cyan}── OpenClaw Connectivity Check ──${c.reset}\n`);
+    // Show user context
+    const ctx = getUserContext();
+    const mismatch = detectUserMismatch();
+    lines.push(`  ${c.dim}User: ${ctx.effectiveUser}${ctx.effectiveUser !== ctx.loginUser ? ` (login: ${ctx.loginUser})` : ""} | Config: ${ctx.openclawHome}${c.reset}`);
+    if (mismatch.mismatch)
+        lines.push(`  ${c.yellow}⚠${c.reset} ${mismatch.message}`);
+    // Parse openclaw models to understand current configuration
+    try {
+        const _tryExec = (cmd) => { try {
+            return execSync(cmd, { encoding: "utf-8", timeout: 5000, stdio: "pipe" }).trim();
+        }
+        catch {
+            return "";
+        } };
+        const _node22 = _tryExec("ls /home/ino/.nvm/versions/node/v22*/bin/node 2>/dev/null | tail -1") || "node";
+        const _ocBin = _tryExec(`ls ${_node22.replace('/bin/node', '/lib/node_modules/openclaw/openclaw.mjs')} 2>/dev/null`) || _tryExec("readlink -f $(which openclaw) 2>/dev/null") || "openclaw";
+        const [modelsOutput, statusOutput] = await Promise.all([
+            run(`${_node22} ${_ocBin} models 2>&1`),
+            run(`${_node22} ${_ocBin} status 2>&1`).catch(() => ""),
+        ]);
+        const ocStatus = parseOpenclawModels(modelsOutput);
+        if (ocStatus.defaultModel)
+            lines.push(`  ${c.bold}Model:${c.reset} ${ocStatus.defaultModel}`);
+        if (ocStatus.providers.length > 0) {
+            for (const p of ocStatus.providers) {
+                const icon = p.hasAuth ? `${c.green}✓` : `${c.yellow}○`;
+                lines.push(`  ${icon}${c.reset} ${p.name}: ${p.status}${p.hasAuth ? "" : " (no auth)"}`);
+            }
+        }
+        if (ocStatus.errors.length > 0) {
+            for (const err of ocStatus.errors.slice(0, 3)) {
+                lines.push(`  ${c.red}✗${c.reset} ${err}`);
+            }
+        }
+        // Parse status output for gateway/session/security info
+        if (statusOutput) {
+            const st = parseOpenclawStatus(statusOutput);
+            if (st.dashboard)
+                lines.push(`  ${c.bold}Dashboard:${c.reset} ${st.dashboard}`);
+            if (st.gateway.reachable) {
+                lines.push(`  ${c.green}✓${c.reset} Gateway: ${st.gateway.url ?? "running"} ${st.gateway.latency ? `(${st.gateway.latency})` : ""}`);
+            }
+            if (st.sessions.defaultModel) {
+                lines.push(`  ${c.bold}Session:${c.reset} ${st.sessions.defaultModel} (${st.sessions.contextSize ?? "?"} ctx)`);
+            }
+            if (st.agents.lastActive) {
+                lines.push(`  ${c.dim}Last active: ${st.agents.lastActive}${c.reset}`);
+            }
+            if (st.update.available) {
+                lines.push(`  ${c.yellow}⬆${c.reset} Update available: ${st.update.version}`);
+            }
+            if (st.security.critical > 0) {
+                lines.push(`  ${c.red}⚠${c.reset} Security: ${st.security.critical} critical, ${st.security.warn} warnings`);
+                for (const issue of st.security.issues.slice(0, 2)) {
+                    lines.push(`    ${c.dim}${issue.substring(0, 80)}${c.reset}`);
+                }
+            }
+        }
+        lines.push("");
+    }
+    catch { /* openclaw CLI not available */ }
+    // Auto-sync Claude OAuth token — prevents "unauthorized" errors
+    const tokenSync = syncClaudeToken();
+    if (tokenSync.status === "synced") {
+        lines.push(`  ${c.green}✓${c.reset} ${tokenSync.message}`);
+    }
+    else if (tokenSync.status === "already_fresh") {
+        // Silent — all good
+    }
+    else if (tokenSync.status === "no_claude") {
+        lines.push(`  ${c.yellow}⚠${c.reset} ${tokenSync.message}`);
+    }
+    else if (tokenSync.status === "no_claude_token") {
+        // Claude exists but token expired — try to refresh by running claude briefly
+        let refreshed = "";
+        try {
+            refreshed = execSync("claude --version 2>/dev/null", { encoding: "utf-8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"] }).trim();
+        }
+        catch { }
+        if (refreshed) {
+            const retry = syncClaudeToken();
+            if (retry.status === "synced")
+                lines.push(`  ${c.green}✓${c.reset} ${retry.message}`);
+        }
+    }
+    // Auto-sync Codex (OpenAI) token too
+    const codexSync = syncCodexToken();
+    if (codexSync.status === "synced") {
+        lines.push(`  ${c.green}✓${c.reset} ${codexSync.message}`);
+    }
+    else if (codexSync.status !== "already_fresh" && codexSync.status !== "no_claude") {
+        // Only warn if codex is installed but has issues
+        if (codexSync.status === "no_claude_token")
+            lines.push(`  ${c.yellow}⚠${c.reset} ${codexSync.message}`);
+    }
     // Auto-discover and register all OpenClaw installations as entities
     try {
         await discoverInstallations("openclaw");
@@ -704,6 +1177,33 @@ export async function diagnoseOpenclaw(isRemote, runRemote) {
     const steps = [];
     const lines = [];
     lines.push(`\n${c.bold}${c.cyan}── OpenClaw Diagnostics ──${c.reset}\n`);
+    // Auto-sync Claude OAuth token
+    const diagTokenSync = syncClaudeToken();
+    if (diagTokenSync.status === "synced") {
+        steps.push({ name: "OAuth token", status: "pass", detail: diagTokenSync.message });
+        lines.push(`  ${c.green}✓${c.reset} ${diagTokenSync.message}`);
+    }
+    else if (diagTokenSync.status === "already_fresh") {
+        steps.push({ name: "OAuth token", status: "pass", detail: diagTokenSync.message });
+    }
+    else if (diagTokenSync.status === "no_claude") {
+        steps.push({ name: "OAuth token", status: "warn", detail: diagTokenSync.message });
+    }
+    else if (diagTokenSync.status === "no_claude_token") {
+        // Try to auto-refresh by running claude briefly
+        try {
+            execSync("claude --version 2>/dev/null", { timeout: 5000, stdio: "pipe" });
+        }
+        catch { }
+        const retry = syncClaudeToken();
+        if (retry.status === "synced") {
+            steps.push({ name: "OAuth token", status: "pass", detail: retry.message });
+            lines.push(`  ${c.green}✓${c.reset} ${retry.message}`);
+        }
+        else {
+            steps.push({ name: "OAuth token", status: "warn", detail: diagTokenSync.message });
+        }
+    }
     // ── Environment detection ──
     if (isWin) {
         steps.push({ name: "Environment", status: "pass", detail: "Windows" });

package/dist/utils/openclawLogParser.d.ts

@@ -0,0 +1,65 @@
+/**
+ * OpenClaw Log Parser — understand what's happening from openclaw logs.
+ *
+ * Parses JSON log lines from `openclaw logs --json` and extracts
+ * meaningful events for diagnostics, monitoring, and troubleshooting.
+ */
+export interface LogEntry {
+    type: "log" | "meta";
+    time: string;
+    level: "info" | "warn" | "error" | "debug";
+    subsystem?: string;
+    message: string;
+}
+export interface LogAnalysis {
+    /** Total log entries analyzed */
+    totalEntries: number;
+    /** Time range of logs */
+    timeRange: {
+        start: string;
+        end: string;
+    } | null;
+    /** Key events extracted */
+    events: Array<{
+        time: string;
+        type: string;
+        message: string;
+        severity: "info" | "warn" | "error";
+    }>;
+    /** Discord connection status */
+    discord: {
+        connected: boolean;
+        botName: string | null;
+        lastEvent: string | null;
+        rateLimited: boolean;
+        error4014: boolean;
+    };
+    /** Gateway health */
+    gateway: {
+        started: boolean;
+        listening: boolean;
+        port: number | null;
+        model: string | null;
+    };
+    /** Auth issues */
+    auth: {
+        errors: string[];
+        refreshFailed: boolean;
+        tokenExpired: boolean;
+    };
+    /** Errors and warnings */
+    errors: string[];
+    warnings: string[];
+}
+/**
+ * Parse a single JSON log line.
+ */
+export declare function parseLogLine(line: string): LogEntry | null;
+/**
+ * Analyze a batch of log lines and extract meaningful events.
+ */
+export declare function analyzeLogs(logText: string): LogAnalysis;
+/**
+ * Format log analysis for display.
+ */
+export declare function formatLogAnalysis(analysis: LogAnalysis): string;