omnikey-cli 1.0.17 → 1.0.19

package/README.md

@@ -81,9 +81,49 @@ The daemon is registered as a **launchd agent** (`~/Library/LaunchAgents/com.omn
 
 ### Windows
 
-The daemon is registered as a **Windows Task Scheduler** task (`OmnikeyDaemon`) that runs at every logon. A wrapper script (`~/.omnikey/start-daemon.cmd`) is generated to set the required environment variables before launching the Node.js backend.
+The daemon runs as a **Windows Service** managed by [NSSM (Non-Sucking Service Manager)](https://nssm.cc/). This gives it production-grade persistence:
 
-> **Note:** `schtasks` is a built-in Windows command — no third-party tools or administrator rights are required for user-level scheduled tasks.
+| Behaviour | Detail |
+|---|---|
+| Starts on boot | Runs as `SERVICE_AUTO_START` — no login required |
+| Auto-restarts on crash | Restarts after a 3-second delay on any unexpected exit |
+| Runs in the background | No console window, no logged-in user needed |
+| Log rotation | stdout/stderr written to `~/.omnikey/daemon.log` and `daemon-error.log` with rotation enabled |
+
+#### Prerequisites
+
+NSSM must be installed and the command must be run from an **elevated (Administrator) terminal**.
+
+If NSSM is not found, `omnikey daemon` will prompt you:
+
+```
+? NSSM is required but not found. Install it now via winget? (Y/n)
+```
+
+Answering **Y** runs `winget install nssm` automatically and continues setup. Alternatively install it manually:
+
+```sh
+winget install nssm          # Windows Package Manager (built-in on Win 10/11)
+scoop install nssm           # Scoop
+choco install nssm           # Chocolatey
+```
+
+#### Service management
+
+```sh
+# View service status in Services console
+services.msc
+
+# Or via the command line
+sc query OmnikeyDaemon
+
+# Stop / start manually
+nssm stop OmnikeyDaemon
+nssm start OmnikeyDaemon
+
+# Uninstall (also done automatically by omnikey kill-daemon / remove-config)
+nssm remove OmnikeyDaemon confirm
+```
 
 Commands that query process state use `netstat` (instead of `lsof`) on Windows, and process termination uses `taskkill` (instead of `SIGTERM`).
 

package/backend-dist/agent/agentPrompts.js

@@ -2,96 +2,63 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getAgentPrompt = getAgentPrompt;
 const config_1 = require("../config");
-function getAgentPrompt(platform) {
+function getAgentPrompt(platform, hasTaskInstructions) {
     const isWindows = config_1.config.terminalPlatform?.toLowerCase() === 'windows' || platform?.toLowerCase() === 'windows';
-    const windowsShellScriptInstructions = `
-\`\`\`
-<shell_script>
-# your commands here
-</shell_script>
-\`\`\`
-
-Follow these guidelines:
-
-- Use a single, self-contained PowerShell script per response; do not send multiple \`<shell_script>\` blocks in one turn.
-- Inside the script, group related commands logically and add brief inline comments only when they clarify non-obvious or complex steps.
-- Prefer safe, idempotent commands that can be run multiple times without unintended side effects.
-- Never use elevated privileges (do not use \`sudo\`, \`Run as Administrator\`, or equivalent).
-- Use PowerShell cmdlets and syntax (for example, \`Get-ChildItem\`, \`Select-Object\`, \`Where-Object\`) rather than cmd.exe or bash equivalents.`;
     return `
-You are an AI assistant capable of reasoning about user situations and executing shell scripts in a terminal environment. You have full access to the terminal.
-
-Your responsibilities are:
-1. **Read and respect stored instructions**: When provided with \`<stored_instructions>\`, follow them carefully regarding behavior, focus areas, and output style.
-2. **Process user input**: Analyze what the user has typed or requested.
-3. **Gather context when needed**: Decide if additional machine-level information is required. If so, generate appropriate shell scripts to collect it.
-4. **Produce a complete answer**: Combine results from any previously executed scripts, the stored instructions, and the user input to deliver a helpful final response.
+You are an AI assistant with full terminal access. You reason about user requests and execute shell scripts to gather live data.
 
-**Guidelines for script generation:**
-- Create only safe, read-only commands focused on inspection, diagnostics, and information gathering.
-- Do not generate commands that install software, modify user data, or change system settings.
-- Never ask the user to run commands with \`sudo\` or administrator/root privileges.
-- Ensure all commands are compatible with ${!isWindows ? 'macOS and Linux; avoid Windows-specific commands.' : 'Use Windows-specific commands; avoid macOS and Linux-specific commands.'}
-- Scripts must be self-contained and ready to run without requiring the user to edit them.
+**Input:**
+${hasTaskInstructions
+        ? `- Follow \`<stored_instructions>\` for behavior, priorities, and output style. Apply them to the goal in \`<user_input>\`.`
+        : `- \`<user_input>\` contains \`@omniAgent <question/command>\`. Everything after \`@omniAgent\` is your directive; surrounding text is context.`}
+- Priority order for conflicts: system rules > stored instructions > user input.
 
-When you generate shell scripts, make them clear, efficient, and focused on gathering the information needed to answer the user's question or complete their request.
+**When to use shell scripts:**
+- Default to a \`<shell_script>\` for anything involving the machine, network, files, processes, env vars, or system state — never answer these from training data alone.
+- Scripts must be safe and read-only (inspection/diagnostics only). No installs, no data modification, no system changes, no sudo/admin privileges.
+- Use ${!isWindows ? 'bash (macOS/Linux)' : 'PowerShell'}. Scripts must be self-contained and ready to run as-is.
+- One comprehensive script per turn; wait for output only if you genuinely need it to proceed.
+- Skip the script only for purely factual/conversational requests with no live data dependency (e.g. "what is 2+2").
 
-**Instruction handling:**
-- Treat stored task instructions (if present) as authoritative for how to prioritize, what to examine, and how to format your answer, as long as they do not conflict with system rules or safety guidelines.
-- Treat the current user input as the immediate goal or question you must solve, applying the stored instructions to that specific situation.
-- If there is a conflict, follow: system rules first, then stored instructions, then ad-hoc guidance in the current input.
+**When to use web tools:**
+- Use the built-in \`web_fetch\` tool when the user provides a URL that must be retrieved.
+- Use the built-in \`web_search\` tool when the user asks to search online, or when current information (prices, docs, recent events) is needed.
+- If a request needs BOTH machine data AND web search: emit a \`<shell_script>\` first → wait for \`TERMINAL OUTPUT:\` → then call the web tool with concrete values. Never use placeholders like "my IP" in a web query.
 
-**Web tools:**
-You have access to web tools, but you must use them sparingly and only when explicitly required:
-- \`web_fetch(url)\`: Only call this when the user has provided a specific URL in their current input or stored instructions and you need to retrieve its contents.
-- \`web_search(query)\`: Only call this when the user has explicitly asked you to search the web or look something up online.
+**Incoming message tags:**
+- \`TERMINAL OUTPUT:\` — stdout/stderr from a prior script. Use it to continue reasoning or emit a follow-up.
+- \`COMMAND ERROR:\` — script failed. Diagnose and emit a corrected \`<shell_script>\` or explain in \`<final_answer>\`.
+- No prefix — direct user message; treat as the primary request.
 
-Do NOT use web tools proactively. Do NOT call them to look up documentation, error references, or general information you could infer from the machine output or your own knowledge. Your primary workflow is to generate shell scripts, wait for the terminal output, and reason from that output. Only reach for web tools when there is a clear, explicit instruction or a URL provided by the user.
+**Response format — every response must be exactly one of:**
+1. \`<shell_script>...</shell_script>\` — to run commands.
+2. A \`web_search\` or \`web_fetch\` tool call — to fetch web context (use native tool calling, not XML tags).
+3. \`<final_answer>...</final_answer>\` — when done.
 
-**User message tags:**
-User messages may be prefixed with special tags that indicate their origin:
-- \`TERMINAL OUTPUT:\` — the content is stdout/stderr returned from a previously requested \`<shell_script>\`. Parse it as machine output and use it to continue your reasoning toward a \`<final_answer>\` or a follow-up \`<shell_script>\`.
-- \`COMMAND ERROR:\` — the shell script failed or the terminal returned a non-zero exit code. Treat the content as error output: diagnose the failure, then either emit a corrected \`<shell_script>\` or explain the issue in a \`<final_answer>\`.
-- No prefix — the content is a direct message from the user; treat it as the primary request or question to address.
+No plain text, reasoning, or other tags outside these blocks. Never wrap in additional XML/JSON.
 
-**Interaction rules:**
-- When you need to execute ANY shell command, respond with a single \`<shell_script>\` block that contains the FULL script to run.
-- Within that script, include all steps needed to carry out the current diagnostic or information-gathering task as completely as possible (for example, collect all relevant logs, inspect all relevant services, perform all necessary checks), rather than issuing minimal or placeholder commands.
-- Prefer one comprehensive script over multiple small scripts; only wait for another round of output if you genuinely need the previous results to decide on the next actions.
-- If further machine-level investigation is unnecessary, skip the shell script and respond directly with a \`<final_answer>\`.
-- Every response MUST be exactly one of:
-  - A single \`<shell_script>...</shell_script>\` block, and nothing else; or
-  - A single \`<final_answer>...</final_answer>\` block, and nothing else.
-- Never send plain text or explanation outside of these tags. If you are not emitting a \`<shell_script>\`, you MUST emit a \`<final_answer>\`.
-- When you are completely finished and ready to present the result back to the user, respond with a single \`<final_answer>\` block.
-- Do NOT include reasoning, commentary, or any other tags outside of \`<shell_script>...</shell_script>\` or \`<final_answer>...</final_answer>\`.
-- Never wrap your entire response in other XML or JSON structures.
-
-**Shell script block structure:**
-Always emit exactly this structure when you want to run commands: ${!isWindows
-        ? `
-\`\`\`bash
+**Shell script structure:**
+${!isWindows
+        ? `\`\`\`bash
 <shell_script>
 #!/usr/bin/env bash
 set -euo pipefail
-# your commands here
+# commands here
 </shell_script>
-\`\`\`
-
-- Use a single, self-contained script per turn; do not send multiple \`<shell_script>\` blocks in one response.
-- Inside the script, group related commands logically and add brief inline comments ONLY when they clarify non-obvious steps.
-- Prefer safe, idempotent commands. Never ask for sudo.`
-        : windowsShellScriptInstructions}
-
-**Final answer block structure:**
-When you have gathered enough information and completed the requested work, respond once with:
+\`\`\``
+        : `\`\`\`
+<shell_script>
+# PowerShell commands here
+# Use cmdlets (Get-ChildItem, Select-Object, etc.), not cmd.exe/bash equivalents
+# No Run as Administrator
+</shell_script>
+\`\`\``}
 
+**Final answer structure:**
 \`\`\`
 <final_answer>
-...user-facing result here (clear summary, key findings, concrete recommendations or next steps, formatted according to any stored instructions)...
+...summary, key findings, and next steps formatted per stored instructions...
 </final_answer>
 \`\`\`
-
-- Do not emit any text before or after the \`<final_answer>\` block; the entire response must be inside the \`<final_answer>\` tags.
   `;
 }

package/backend-dist/agent/agentServer.js

@@ -49,6 +49,82 @@ const featureRoutes_1 = require("../featureRoutes");
 const authMiddleware_1 = require("../authMiddleware");
 const web_search_provider_1 = require("../web-search-provider");
 const ai_client_1 = require("../ai-client");
+async function runToolLoop(initialResult, session, sessionId, send, log, tools, onUsage) {
+    const MAX_TOOL_ITERATIONS = 10;
+    let toolIterations = 0;
+    let result = initialResult;
+    while (result.finish_reason === 'tool_calls' && toolIterations < MAX_TOOL_ITERATIONS) {
+        toolIterations++;
+        const toolCalls = result.tool_calls ?? [];
+        // If the model claims tool_calls but sent none, treat it as a normal text
+        // response — pushing an assistant message with no following tool results
+        // would leave the history ending with an assistant turn, causing a 400.
+        if (!toolCalls.length)
+            break;
+        session.history.push(result.assistantMessage);
+        log.info('Agent executing tool calls', {
+            sessionId,
+            turn: session.turns,
+            toolIteration: toolIterations,
+            tools: toolCalls.map((tc) => tc.name),
+        });
+        const toolResults = await Promise.all(toolCalls.map(async (tc) => {
+            const args = tc.arguments;
+            // Notify the frontend that a web tool call is about to execute.
+            const webCallContent = tc.name === 'web_search'
+                ? `Searching the web for: "${args.query ?? ''}"`
+                : `Fetching URL: ${args.url ?? ''}`;
+            send({
+                session_id: sessionId,
+                sender: 'agent',
+                content: webCallContent,
+                is_terminal_output: false,
+                is_error: false,
+                is_web_call: true,
+            });
+            const toolResult = await (0, web_search_provider_1.executeTool)(tc.name, args, log);
+            log.info('Tool call completed', {
+                sessionId,
+                tool: tc.name,
+                resultLength: toolResult.length,
+            });
+            return { id: tc.id, name: tc.name, result: toolResult };
+        }));
+        for (const { id, name, result: toolResult } of toolResults) {
+            session.history.push({
+                role: 'tool',
+                tool_call_id: id,
+                tool_name: name,
+                content: toolResult,
+            });
+        }
+        // Call the AI again with the tool results in history to get the next response.
+        result = await ai_client_1.aiClient.complete(aiModel, session.history, {
+            tools: tools.length ? tools : undefined,
+            temperature: 0.2,
+        });
+        await onUsage(result);
+    }
+    // If we exhausted the iteration cap and the model still wants to call tools,
+    // force a final text response by calling again without tools.
+    if (result.finish_reason === 'tool_calls') {
+        log.warn('Tool loop hit MAX_TOOL_ITERATIONS; forcing final conclusion', { sessionId });
+        session.history.push(result.assistantMessage);
+        session.history.push({
+            role: 'user',
+            content: 'You have reached the maximum number of tool calls. Based on all the information gathered so far, provide a single, final, concise answer. Do not call any more tools.',
+        });
+        result = await ai_client_1.aiClient.complete(aiModel, session.history, {
+            tools: undefined,
+            temperature: 0.2,
+        });
+        await onUsage(result);
+    }
+    log.info('Finished reasoning and tool calls: ', {
+        reason: result.finish_reason,
+    });
+    return result;
+}
 function buildAvailableTools() {
     // web_search is always available — DuckDuckGo is used as free fallback
     return [web_search_provider_1.WEB_FETCH_TOOL, web_search_provider_1.WEB_SEARCH_TOOL];
@@ -64,14 +140,19 @@ async function getOrCreateSession(sessionId, subscription, platform, log) {
             subscriptionId: existing.subscription.id,
             turns: existing.turns,
         });
-        return existing;
+        return {
+            sessionState: existing,
+            hasStoredPrompt: existing.history
+                .filter((h) => h.role === 'user')
+                .some((h) => h.content.includes('<stored_instructions>')),
+        };
     }
-    const systemPrompt = (0, agentPrompts_1.getAgentPrompt)(platform);
     // use these instructions as user instructions
     const prompt = await (0, featureRoutes_1.getPromptForCommand)(log, 'task', subscription).catch((err) => {
         log.error('Failed to get system prompt for new agent session', { error: err });
         return '';
     });
+    const systemPrompt = (0, agentPrompts_1.getAgentPrompt)(platform, !!prompt);
     const entry = {
         subscription,
         history: [
@@ -102,7 +183,10 @@ ${prompt}
         subscriptionId: subscription.id,
         hasCustomPrompt: Boolean(prompt),
     });
-    return entry;
+    return {
+        sessionState: entry,
+        hasStoredPrompt: !!prompt,
+    };
 }
 async function authenticateFromAuthHeader(authHeader, log) {
     if (config_1.config.isSelfHosted) {
@@ -169,8 +253,11 @@ async function authenticateFromAuthHeader(authHeader, log) {
         return null;
     }
 }
+function createUserContent(content, hasStoredPrompt) {
+    return hasStoredPrompt ? content.replace(/@omniAgent/g, '').trim() : content;
+}
 async function runAgentTurn(sessionId, subscription, clientMessage, send, log) {
-    const session = await getOrCreateSession(sessionId, subscription, clientMessage.platform, log);
+    const { sessionState: session, hasStoredPrompt } = await getOrCreateSession(sessionId, subscription, clientMessage.platform, log);
     // Count this call as one agent iteration.
     session.turns += 1;
     log.info('Starting agent turn', {
@@ -204,10 +291,15 @@ async function runAgentTurn(sessionId, subscription, clientMessage, send, log) {
         rawContentLength: (clientMessage.content || '').length,
         userContentLength: userContent.length,
     });
-    session.history.push({
-        role: 'user',
-        content: userContent,
-    });
+    const isAssistance = isTerminalOutput || isErrorFlag;
+    if (!clientMessage?.is_web_call) {
+        session.history.push({
+            role: 'user',
+            content: isAssistance
+                ? userContent
+                : `<user_input>${createUserContent(userContent, hasStoredPrompt)}</user_input>`,
+        });
+    }
     // On the final turn we omit tools so the model is forced to emit a
     // plain text <final_answer> rather than issuing another tool call.
     const isFinalTurn = session.turns >= MAX_TURNS;
@@ -249,88 +341,8 @@ async function runAgentTurn(sessionId, subscription, clientMessage, send, log) {
             temperature: 0.2,
         });
         await recordUsage(result);
-        // Tool-call loop: execute any requested tools and feed results back
-        // until the model emits a non-tool-call response (or we hit the limit).
-        const MAX_TOOL_ITERATIONS = 10;
-        let toolIterations = 0;
-        while (result.finish_reason === 'tool_calls' && toolIterations < MAX_TOOL_ITERATIONS) {
-            toolIterations++;
-            const toolCalls = result.tool_calls ?? [];
-            // If the model claims tool_calls but sent none, treat it as a normal text
-            // response — pushing an assistant message with no following tool results
-            // would leave the history ending with an assistant turn, causing a 400.
-            if (!toolCalls.length)
-                break;
-            session.history.push(result.assistantMessage);
-            log.info('Agent executing tool calls', {
-                sessionId,
-                turn: session.turns,
-                toolIteration: toolIterations,
-                tools: toolCalls.map((tc) => tc.name),
-            });
-            const toolResults = await Promise.all(toolCalls.map(async (tc) => {
-                const args = tc.arguments;
-                // Notify the frontend that a web tool call is about to execute.
-                const webCallContent = tc.name === 'web_search'
-                    ? `Searching the web for: "${args.query ?? ''}"`
-                    : `Fetching URL: ${args.url ?? ''}`;
-                send({
-                    session_id: sessionId,
-                    sender: 'agent',
-                    content: webCallContent,
-                    is_terminal_output: false,
-                    is_error: false,
-                    is_web_call: true,
-                });
-                const toolResult = await (0, web_search_provider_1.executeTool)(tc.name, args, log);
-                log.info('Tool call completed', {
-                    sessionId,
-                    tool: tc.name,
-                    resultLength: toolResult.length,
-                });
-                return { id: tc.id, name: tc.name, result: toolResult };
-            }));
-            for (const { id, name, result: toolResult } of toolResults) {
-                session.history.push({
-                    role: 'tool',
-                    tool_call_id: id,
-                    tool_name: name,
-                    content: toolResult,
-                });
-            }
-            result = await ai_client_1.aiClient.complete(aiModel, session.history, {
-                tools: tools?.length ? tools : undefined,
-                temperature: 0.2,
-            });
-            await recordUsage(result);
-        }
-        log.info('Finished reasoning and tool calls: ', {
-            reason: result.finish_reason,
-        });
-        const content = result.content.trim();
-        // If the tool loop was exhausted while the model still wants more tool calls,
-        // the last result has empty content. Force one final no-tools call so the model
-        // must synthesize a text answer from everything gathered so far.
-        if (result.finish_reason === 'tool_calls' || !content) {
-            log.warn('Tool iteration limit reached with pending tool calls; forcing final text response', {
-                sessionId,
-                turn: session.turns,
-            });
-            // Do NOT push result.assistantMessage here — it contains tool_use blocks that
-            // require corresponding tool_result blocks (Anthropic API constraint). Since we
-            // are not executing those tool calls, just inject a plain user nudge so the model
-            // synthesizes a text answer from the history already accumulated.
-            session.history.push({
-                role: 'user',
-                content: 'You have reached the maximum number of tool calls. Based on all information gathered so far, please provide your best answer now.',
-            });
-            result = await ai_client_1.aiClient.complete(aiModel, session.history, {
-                tools: undefined,
-                temperature: 0.2,
-            });
-            await recordUsage(result);
-        }
-        if (!content) {
+        let content = result.content.trim();
+        if (!content && result.finish_reason !== 'tool_calls') {
             log.warn('Agent LLM returned empty content; sending generic error to client.');
             const errorMessage = 'The agent returned an empty response. Please try again.';
             sendFinalAnswer(send, sessionId, errorMessage, true);
@@ -339,6 +351,23 @@ async function runAgentTurn(sessionId, subscription, clientMessage, send, log) {
             sessionMessages.delete(sessionId);
             return;
         }
+        // If the model requested web tool calls, execute them and get a follow-up
+        // response before deciding what to send to the client.
+        if (!isFinalTurn && result.finish_reason === 'tool_calls') {
+            log.info('Running web tool calls to gather information', {
+                sessionId,
+                subscriptionId: subscription.id,
+                turn: session.turns,
+            });
+            result = await runToolLoop(result, session, sessionId, send, log, buildAvailableTools(), recordUsage);
+            content = result.content.trim();
+            if (!content) {
+                log.warn('Agent returned empty content after tool loop; sending generic error.');
+                sendFinalAnswer(send, sessionId, 'The agent returned an empty response. Please try again.', true);
+                sessionMessages.delete(sessionId);
+                return;
+            }
+        }
         // Ensure that a proper <final_answer> block is produced for the
         // desktop clients once we reach the final turn. If the model did
         // not emit either a <shell_script> or <final_answer> tag on the
@@ -347,50 +376,40 @@ async function runAgentTurn(sessionId, subscription, clientMessage, send, log) {
         // waiting and paste the result.
         const hasShellScriptTag = content.includes('<shell_script>');
         const hasFinalAnswerTag = content.includes('<final_answer>');
-        log.info('Agent LLM raw response summary', {
-            sessionId,
-            turn: session.turns,
-            rawContentLength: content.length,
-            hasShellScriptTag,
-            hasFinalAnswerTag,
-        });
-        const normalizedContent = !hasShellScriptTag && !hasFinalAnswerTag && session.turns >= MAX_TURNS
-            ? `<final_answer>\n${content}\n</final_answer>`
-            : content;
-        log.info('Agent LLM normalized response summary', {
-            sessionId,
-            turn: session.turns,
-            normalizedContentLength: normalizedContent.length,
-        });
-        // Record assistant message back into history for future turns.
-        session.history.push({
-            role: 'assistant',
-            content: normalizedContent,
-        });
-        send({
-            session_id: sessionId,
-            sender: 'agent',
-            content: normalizedContent,
-            is_terminal_output: false,
-            is_error: false,
-        });
-        // After the MAX_TURNS iteration or if a final answer tag is present, treat this as the final answer
-        // and clear the session from memory while marking it completed.
-        if (session.turns >= MAX_TURNS || hasFinalAnswerTag) {
+        if (hasShellScriptTag && !isFinalTurn) {
+            log.info('Completed agent turn. Sending back scripts, waiting for results.', {
+                sessionId,
+                subscriptionId: subscription.id,
+                turn: session.turns,
+                responseLength: result.content.length,
+            });
+            session.history.push({
+                role: 'assistant',
+                content,
+            });
+            send({
+                session_id: sessionId,
+                sender: 'agent',
+                content,
+                is_terminal_output: false,
+                is_error: false,
+            });
+            return;
+        }
+        if (isFinalTurn || hasFinalAnswerTag) {
             log.info('Finalizing agent session after max turns or final answer tag', {
                 sessionId,
                 subscriptionId: subscription.id,
                 turns: session.turns,
                 hasFinalAnswerTag,
             });
+            send({
+                session_id: sessionId,
+                sender: 'agent',
+                content: hasFinalAnswerTag ? content : `<final_answer>\n${content}\n</final_answer>`,
+            });
             sessionMessages.delete(sessionId);
         }
-        log.info('Completed agent turn', {
-            sessionId,
-            subscriptionId: subscription.id,
-            turn: session.turns,
-            responseLength: normalizedContent.length,
-        });
     }
     catch (err) {
         log.error('Agent LLM call failed', { error: err });

package/backend-dist/index.js

@@ -64,8 +64,8 @@ app.get('/macos/appcast', (req, res) => {
     const appcastUrl = `${baseUrl}/macos/appcast`;
     // These should match the values embedded into the macOS app
     // Info.plist in macOS/build_release_dmg.sh.
-    const bundleVersion = '14';
-    const shortVersion = '1.0.13';
+    const bundleVersion = '16';
+    const shortVersion = '1.0.15';
     const xml = `<?xml version="1.0" encoding="utf-8"?>
 <rss version="2.0"
      xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle"
@@ -93,7 +93,7 @@ app.get('/macos/appcast', (req, res) => {
 // ── Windows distribution endpoints ───────────────────────────────────────────
 // These should match the values in windows/OmniKey.Windows.csproj
 // <Version> and windows/build_release_zip.ps1 $APP_VERSION.
-const WIN_VERSION = '1.2';
+const WIN_VERSION = '1.3';
 const WIN_ZIP_FILENAME = 'OmniKeyAI-windows-win-x64.zip';
 const WIN_ZIP_PATH = path_1.default.join(process.cwd(), 'windows', WIN_ZIP_FILENAME);
 // Serves the pre-built ZIP produced by windows/build_release_zip.ps1.

package/dist/daemon.js

@@ -4,18 +4,18 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.startDaemon = startDaemon;
-const child_process_1 = require("child_process");
 const path_1 = __importDefault(require("path"));
 const fs_1 = __importDefault(require("fs"));
-const child_process_2 = require("child_process");
+const child_process_1 = require("child_process");
+const inquirer_1 = __importDefault(require("inquirer"));
 const utils_1 = require("./utils");
 /**
  * Start the Omnikey API backend as a daemon on the specified port.
  * On macOS: creates and registers a launchd agent for persistence.
- * On Windows: creates a wrapper script and registers a Windows Task Scheduler task.
+ * On Windows: installs an NSSM Windows service for boot-time persistence.
  * @param port The port to run the backend on
  */
-function startDaemon(port = 7071) {
+async function startDaemon(port = 7071) {
     const backendPath = path_1.default.resolve(__dirname, '../backend-dist/index.js');
     const configDir = (0, utils_1.getConfigDir)();
     const configPath = (0, utils_1.getConfigPath)();
@@ -33,7 +33,7 @@ function startDaemon(port = 7071) {
     const logPath = path_1.default.join(configDir, 'daemon.log');
     const errorLogPath = path_1.default.join(configDir, 'daemon-error.log');
     if (utils_1.isWindows) {
-        startDaemonWindows({
+        await startDaemonWindows({
             port,
             configDir,
             configVars,
@@ -47,105 +47,108 @@ function startDaemon(port = 7071) {
         startDaemonMacOS({ port, configDir, configVars, nodePath, backendPath, logPath, errorLogPath });
     }
 }
-function startDaemonWindows(opts) {
-    const { port, configDir, configVars, nodePath, backendPath, logPath, errorLogPath } = opts;
-    // Write a wrapper .cmd script that sets env vars and launches the backend
-    const wrapperPath = path_1.default.join(configDir, 'start-daemon.cmd');
-    const envSetLines = Object.entries({ ...configVars, OMNIKEY_PORT: String(port) })
-        .map(([k, v]) => `set "${k}=${v}"`)
-        .join('\r\n');
-    const wrapperContent = [
-        '@echo off',
-        envSetLines,
-        `"${nodePath}" "${backendPath}" >> "${logPath}" 2>> "${errorLogPath}"`,
-        '',
-    ].join('\r\n');
+function resolveNssm() {
     try {
-        fs_1.default.mkdirSync(configDir, { recursive: true });
-        fs_1.default.writeFileSync(wrapperPath, wrapperContent, 'utf-8');
-    }
-    catch (e) {
-        console.error('Failed to write start-daemon.cmd:', e);
-        return;
+        return (0, child_process_1.execSync)('where nssm', { stdio: 'pipe' }).toString().trim().split('\n')[0].trim();
     }
-    // Register with Windows Task Scheduler so the daemon persists across reboots.
-    // Use XML-based registration to avoid cmd.exe quoting issues with paths containing spaces.
-    const taskName = 'OmnikeyDaemon';
-    const username = process.env.USERNAME || process.env.USER || '';
-    // Escape characters that are special in XML
-    const xmlEscape = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
-    const taskXml = `<?xml version="1.0" encoding="UTF-16"?>
-<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
-  <RegistrationInfo>
-    <Description>Omnikey API Backend Daemon</Description>
-  </RegistrationInfo>
-  <Triggers>
-    <LogonTrigger>
-      <Enabled>true</Enabled>
-      <UserId>${xmlEscape(username)}</UserId>
-    </LogonTrigger>
-  </Triggers>
-  <Principals>
-    <Principal id="Author">
-      <UserId>${xmlEscape(username)}</UserId>
-      <LogonType>InteractiveToken</LogonType>
-      <RunLevel>LeastPrivilege</RunLevel>
-    </Principal>
-  </Principals>
-  <Settings>
-    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
-    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
-    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
-    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
-    <Hidden>true</Hidden>
-  </Settings>
-  <Actions Context="Author">
-    <Exec>
-      <Command>cmd.exe</Command>
-      <Arguments>/c &quot;${xmlEscape(wrapperPath)}&quot;</Arguments>
-      <WorkingDirectory>${xmlEscape(configDir)}</WorkingDirectory>
-    </Exec>
-  </Actions>
-</Task>`;
-    const taskXmlPath = path_1.default.join(configDir, 'task.xml');
-    try {
-        // Task Scheduler XML must be UTF-16 LE encoded
-        fs_1.default.writeFileSync(taskXmlPath, '\ufeff' + taskXml, 'utf16le');
+    catch {
+        return null;
     }
-    catch (e) {
-        console.error('Failed to write task XML:', e);
-        return;
+}
+async function startDaemonWindows(opts) {
+    const { port, configDir, configVars, nodePath, backendPath, logPath, errorLogPath } = opts;
+    const serviceName = 'OmnikeyDaemon';
+    let nssmPath = resolveNssm();
+    if (!nssmPath) {
+        const { install } = await inquirer_1.default.prompt([
+            {
+                type: 'confirm',
+                name: 'install',
+                message: 'NSSM is required but not found. Install it now via winget?',
+                default: true,
+            },
+        ]);
+        if (!install) {
+            console.log('Aborted. Install NSSM manually and re-run in an elevated (Administrator) terminal.');
+            return;
+        }
+        console.log('Installing NSSM via winget...');
+        try {
+            (0, child_process_1.execSync)('winget install nssm --accept-package-agreements --accept-source-agreements', {
+                stdio: 'inherit',
+            });
+        }
+        catch (e) {
+            console.error('winget install failed:', e?.message ?? e);
+            console.log('Try manually: scoop install nssm  or  choco install nssm');
+            return;
+        }
+        // winget updates the machine PATH in the registry but the current process
+        // won't see it — spawn a fresh cmd to resolve the new location.
+        try {
+            nssmPath = (0, child_process_1.execSync)('cmd /c where nssm', { stdio: 'pipe' })
+                .toString().trim().split('\n')[0].trim();
+        }
+        catch {
+            nssmPath = null;
+        }
+        if (!nssmPath) {
+            console.log('NSSM installed successfully.');
+            console.log('Please open a new elevated (Administrator) terminal and re-run this command.');
+            return;
+        }
     }
+    (0, utils_1.initLogFiles)(logPath, errorLogPath);
+    // Remove any existing service (stop first, then remove)
     try {
-        // Delete existing task silently before creating a fresh one
-        (0, child_process_2.execSync)(`schtasks /delete /tn "${taskName}" /f`, { stdio: 'pipe' });
+        (0, child_process_1.execFileSync)(nssmPath, ['stop', serviceName], { stdio: 'pipe' });
     }
-    catch {
-        // Task may not exist — that's fine
+    catch { /* not running */ }
+    try {
+        (0, child_process_1.execFileSync)(nssmPath, ['remove', serviceName, 'confirm'], { stdio: 'pipe' });
     }
+    catch { /* didn't exist */ }
+    // NSSM services run as LocalSystem; pass USERPROFILE so the backend's
+    // getHomeDir() resolves to the correct user config directory.
+    const env = {
+        ...configVars,
+        OMNIKEY_PORT: String(port),
+        USERPROFILE: process.env.USERPROFILE || configDir.replace(/[/\\]\.omnikey$/, ''),
+        HOME: process.env.USERPROFILE || configDir.replace(/[/\\]\.omnikey$/, ''),
+    };
     try {
-        (0, child_process_2.execSync)(`schtasks /create /tn "${taskName}" /xml "${taskXmlPath}" /f`, { stdio: 'pipe' });
-        console.log(`Windows Task Scheduler task created: ${taskName}`);
-        console.log('Omnikey daemon will auto-start on next logon.');
+        // Install: nssm install <name> <application> [args...]
+        (0, child_process_1.execFileSync)(nssmPath, ['install', serviceName, nodePath, backendPath], { stdio: 'pipe' });
+        (0, child_process_1.execFileSync)(nssmPath, ['set', serviceName, 'AppDirectory', configDir], { stdio: 'pipe' });
+        // Pass all env vars in a single call (replaces the entire AppEnvironmentExtra key)
+        const envEntries = Object.entries(env).map(([k, v]) => `${k}=${v}`);
+        (0, child_process_1.execFileSync)(nssmPath, ['set', serviceName, 'AppEnvironmentExtra', ...envEntries], { stdio: 'pipe' });
+        (0, child_process_1.execFileSync)(nssmPath, ['set', serviceName, 'AppStdout', logPath], { stdio: 'pipe' });
+        (0, child_process_1.execFileSync)(nssmPath, ['set', serviceName, 'AppStderr', errorLogPath], { stdio: 'pipe' });
+        (0, child_process_1.execFileSync)(nssmPath, ['set', serviceName, 'AppRotateFiles', '1'], { stdio: 'pipe' });
+        // Restart automatically after a 3-second delay on any exit
+        (0, child_process_1.execFileSync)(nssmPath, ['set', serviceName, 'AppExit', 'Default', 'Restart'], { stdio: 'pipe' });
+        (0, child_process_1.execFileSync)(nssmPath, ['set', serviceName, 'AppRestartDelay', '3000'], { stdio: 'pipe' });
+        // Start automatically at boot (no login required)
+        (0, child_process_1.execFileSync)(nssmPath, ['set', serviceName, 'Start', 'SERVICE_AUTO_START'], { stdio: 'pipe' });
+        (0, child_process_1.execFileSync)(nssmPath, ['set', serviceName, 'DisplayName', 'Omnikey API Backend'], { stdio: 'pipe' });
+        (0, child_process_1.execFileSync)(nssmPath, ['set', serviceName, 'Description', 'Omnikey API Backend Daemon'], { stdio: 'pipe' });
+        (0, child_process_1.execFileSync)(nssmPath, ['start', serviceName], { stdio: 'pipe' });
+        console.log(`NSSM service installed and started: ${serviceName}`);
+        console.log('Omnikey daemon runs on boot, without login, and auto-restarts on crash.');
+        console.log(`Logs: ${logPath}`);
+        console.log(`      ${errorLogPath}`);
     }
     catch (e) {
-        console.error('Failed to create Windows Task Scheduler task:', e);
-    }
-    finally {
-        try {
-            fs_1.default.rmSync(taskXmlPath);
+        const msg = e?.stderr?.toString() || e?.message || String(e);
+        if (msg.toLowerCase().includes('access') || msg.toLowerCase().includes('privilege')) {
+            console.error('Failed to install NSSM service: administrator privileges are required.');
+            console.error('Re-run this command in an elevated (Administrator) terminal.');
+        }
+        else {
+            console.error('Failed to install NSSM service:', msg);
         }
-        catch { /* ignore */ }
     }
-    // Also start the backend immediately for the current session
-    const { out, err } = (0, utils_1.initLogFiles)(logPath, errorLogPath);
-    const child = (0, child_process_1.spawn)(nodePath, [backendPath], {
-        env: { ...configVars, OMNIKEY_PORT: String(port) },
-        detached: true,
-        stdio: ['ignore', out, err],
-    });
-    child.unref();
-    console.log(`Omnikey API backend started as a daemon on port ${port}. PID: ${child.pid}`);
 }
 function startDaemonMacOS(opts) {
     const { port, configDir, configVars, nodePath, backendPath, logPath, errorLogPath } = opts;
@@ -188,8 +191,8 @@ function startDaemonMacOS(opts) {
         fs_1.default.mkdirSync(launchAgentsDir, { recursive: true });
         fs_1.default.writeFileSync(plistPath, plistContent, 'utf-8');
         (0, utils_1.initLogFiles)(logPath, errorLogPath);
-        (0, child_process_2.execSync)(`launchctl unload "${plistPath}" || true`);
-        (0, child_process_2.execSync)(`launchctl load "${plistPath}"`);
+        (0, child_process_1.execSync)(`launchctl unload "${plistPath}" || true`);
+        (0, child_process_1.execSync)(`launchctl load "${plistPath}"`);
         console.log(`Launch agent created and loaded: ${plistPath}`);
         console.log('Omnikey daemon will auto-restart and persist across reboots.');
         // launchd starts the process via RunAtLoad — no manual spawn needed here.

package/dist/index.js

@@ -25,9 +25,9 @@ program
     .command('daemon')
     .description('Start the Omnikey API backend as a daemon on a specified port')
     .option('--port <port>', 'Port to run the backend on', '7071')
-    .action((options) => {
+    .action(async (options) => {
     const port = Number(options.port) || 7071;
-    (0, daemon_1.startDaemon)(port);
+    await (0, daemon_1.startDaemon)(port);
 });
 program
     .command('kill-daemon')
@@ -74,9 +74,9 @@ program
     .command('restart-daemon')
     .description('Restart the Omnikey API backend daemon')
     .option('--port <port>', 'Port to run the backend on', '7071')
-    .action((options) => {
+    .action(async (options) => {
     (0, killDaemon_1.killDaemon)();
     const port = Number(options.port) || 7071;
-    (0, daemon_1.startDaemon)(port);
+    await (0, daemon_1.startDaemon)(port);
 });
 program.parseAsync(process.argv);

package/dist/removeConfig.js

@@ -29,29 +29,47 @@ function killLaunchdAgent() {
     }
 }
 function killWindowsTask() {
-    const taskName = 'OmnikeyDaemon';
+    const serviceName = 'OmnikeyDaemon';
+    // Try NSSM first (current implementation)
+    let nssmPath = null;
     try {
-        (0, child_process_1.execSync)(`schtasks /end /tn "${taskName}"`, { stdio: 'pipe' });
+        nssmPath = (0, child_process_1.execSync)('where nssm', { stdio: 'pipe' }).toString().trim().split('\n')[0].trim();
     }
-    catch {
-        // Task may not be running — that's fine
-    }
-    try {
-        (0, child_process_1.execSync)(`schtasks /delete /tn "${taskName}" /f`, { stdio: 'pipe' });
-        console.log(`Removed Windows Task Scheduler task: ${taskName}`);
+    catch { /* NSSM not installed */ }
+    if (nssmPath) {
+        try {
+            (0, child_process_1.execFileSync)(nssmPath, ['stop', serviceName], { stdio: 'pipe' });
+        }
+        catch { /* not running */ }
+        try {
+            (0, child_process_1.execFileSync)(nssmPath, ['remove', serviceName, 'confirm'], { stdio: 'pipe' });
+            console.log(`Removed NSSM service: ${serviceName}`);
+        }
+        catch {
+            console.log(`NSSM service does not exist: ${serviceName}`);
+        }
     }
-    catch {
-        console.log(`Windows Task Scheduler task does not exist: ${taskName}`);
+    else {
+        // Fallback: remove legacy Task Scheduler task from previous installs
+        try {
+            (0, child_process_1.execSync)(`schtasks /end /tn "${serviceName}"`, { stdio: 'pipe' });
+        }
+        catch { /* not running */ }
+        try {
+            (0, child_process_1.execSync)(`schtasks /delete /tn "${serviceName}" /f`, { stdio: 'pipe' });
+            console.log(`Removed Windows Task Scheduler task: ${serviceName}`);
+        }
+        catch {
+            console.log(`Windows Task Scheduler task does not exist: ${serviceName}`);
+        }
     }
-    // Also remove the wrapper script
+    // Remove legacy wrapper script if present
     const wrapperPath = path_1.default.join((0, utils_1.getConfigDir)(), 'start-daemon.cmd');
     if (fs_1.default.existsSync(wrapperPath)) {
         try {
             fs_1.default.rmSync(wrapperPath);
         }
-        catch {
-            // Ignore
-        }
+        catch { /* ignore */ }
     }
 }
 /**

package/package.json

@@ -4,7 +4,7 @@
     "access": "public",
     "registry": "https://registry.npmjs.org/"
   },
-  "version": "1.0.17",
+  "version": "1.0.19",
   "description": "CLI for onboarding users to Omnikey AI and configuring OPENAI_API_KEY. Use Yarn for install/build.",
   "engines": {
     "node": ">=14.0.0",

package/src/daemon.ts

@@ -1,7 +1,7 @@
-import { spawn } from 'child_process';
 import path from 'path';
 import fs from 'fs';
-import { execSync } from 'child_process';
+import { execSync, execFileSync } from 'child_process';
+import inquirer from 'inquirer';
 import {
   isWindows,
   getHomeDir,
@@ -14,10 +14,10 @@ import {
 /**
  * Start the Omnikey API backend as a daemon on the specified port.
  * On macOS: creates and registers a launchd agent for persistence.
- * On Windows: creates a wrapper script and registers a Windows Task Scheduler task.
+ * On Windows: installs an NSSM Windows service for boot-time persistence.
  * @param port The port to run the backend on
  */
-export function startDaemon(port: number = 7071) {
+export async function startDaemon(port: number = 7071) {
   const backendPath = path.resolve(__dirname, '../backend-dist/index.js');
 
   const configDir = getConfigDir();
@@ -38,7 +38,7 @@ export function startDaemon(port: number = 7071) {
   const errorLogPath = path.join(configDir, 'daemon-error.log');
 
   if (isWindows) {
-    startDaemonWindows({
+    await startDaemonWindows({
       port,
       configDir,
       configVars,
@@ -62,102 +62,115 @@ interface DaemonOptions {
   errorLogPath: string;
 }
 
-function startDaemonWindows(opts: DaemonOptions) {
+function resolveNssm(): string | null {
+  try {
+    return execSync('where nssm', { stdio: 'pipe' }).toString().trim().split('\n')[0].trim();
+  } catch {
+    return null;
+  }
+}
+
+async function startDaemonWindows(opts: DaemonOptions) {
   const { port, configDir, configVars, nodePath, backendPath, logPath, errorLogPath } = opts;
+  const serviceName = 'OmnikeyDaemon';
 
-  // Write a wrapper .cmd script that sets env vars and launches the backend
-  const wrapperPath = path.join(configDir, 'start-daemon.cmd');
-  const envSetLines = Object.entries({ ...configVars, OMNIKEY_PORT: String(port) })
-    .map(([k, v]) => `set "${k}=${v}"`)
-    .join('\r\n');
-  const wrapperContent = [
-    '@echo off',
-    envSetLines,
-    `"${nodePath}" "${backendPath}" >> "${logPath}" 2>> "${errorLogPath}"`,
-    '',
-  ].join('\r\n');
+  let nssmPath = resolveNssm();
+  if (!nssmPath) {
+    const { install } = await inquirer.prompt<{ install: boolean }>([
+      {
+        type: 'confirm',
+        name: 'install',
+        message: 'NSSM is required but not found. Install it now via winget?',
+        default: true,
+      },
+    ]);
 
-  try {
-    fs.mkdirSync(configDir, { recursive: true });
-    fs.writeFileSync(wrapperPath, wrapperContent, 'utf-8');
-  } catch (e) {
-    console.error('Failed to write start-daemon.cmd:', e);
-    return;
-  }
+    if (!install) {
+      console.log('Aborted. Install NSSM manually and re-run in an elevated (Administrator) terminal.');
+      return;
+    }
 
-  // Register with Windows Task Scheduler so the daemon persists across reboots.
-  // Use XML-based registration to avoid cmd.exe quoting issues with paths containing spaces.
-  const taskName = 'OmnikeyDaemon';
-  const username = process.env.USERNAME || process.env.USER || '';
-  // Escape characters that are special in XML
-  const xmlEscape = (s: string) =>
-    s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
-  const taskXml = `<?xml version="1.0" encoding="UTF-16"?>
-<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
-  <RegistrationInfo>
-    <Description>Omnikey API Backend Daemon</Description>
-  </RegistrationInfo>
-  <Triggers>
-    <LogonTrigger>
-      <Enabled>true</Enabled>
-      <UserId>${xmlEscape(username)}</UserId>
-    </LogonTrigger>
-  </Triggers>
-  <Principals>
-    <Principal id="Author">
-      <UserId>${xmlEscape(username)}</UserId>
-      <LogonType>InteractiveToken</LogonType>
-      <RunLevel>LeastPrivilege</RunLevel>
-    </Principal>
-  </Principals>
-  <Settings>
-    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
-    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
-    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
-    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
-    <Hidden>true</Hidden>
-  </Settings>
-  <Actions Context="Author">
-    <Exec>
-      <Command>cmd.exe</Command>
-      <Arguments>/c &quot;${xmlEscape(wrapperPath)}&quot;</Arguments>
-      <WorkingDirectory>${xmlEscape(configDir)}</WorkingDirectory>
-    </Exec>
-  </Actions>
-</Task>`;
-  const taskXmlPath = path.join(configDir, 'task.xml');
-  try {
-    // Task Scheduler XML must be UTF-16 LE encoded
-    fs.writeFileSync(taskXmlPath, '\ufeff' + taskXml, 'utf16le');
-  } catch (e) {
-    console.error('Failed to write task XML:', e);
-    return;
-  }
-  try {
-    // Delete existing task silently before creating a fresh one
-    execSync(`schtasks /delete /tn "${taskName}" /f`, { stdio: 'pipe' });
-  } catch {
-    // Task may not exist — that's fine
+    console.log('Installing NSSM via winget...');
+    try {
+      execSync('winget install nssm --accept-package-agreements --accept-source-agreements', {
+        stdio: 'inherit',
+      });
+    } catch (e) {
+      console.error('winget install failed:', (e as any)?.message ?? e);
+      console.log('Try manually: scoop install nssm  or  choco install nssm');
+      return;
+    }
+
+    // winget updates the machine PATH in the registry but the current process
+    // won't see it — spawn a fresh cmd to resolve the new location.
+    try {
+      nssmPath = execSync('cmd /c where nssm', { stdio: 'pipe' })
+        .toString().trim().split('\n')[0].trim();
+    } catch {
+      nssmPath = null;
+    }
+
+    if (!nssmPath) {
+      console.log('NSSM installed successfully.');
+      console.log('Please open a new elevated (Administrator) terminal and re-run this command.');
+      return;
+    }
   }
+
+  initLogFiles(logPath, errorLogPath);
+
+  // Remove any existing service (stop first, then remove)
+  try { execFileSync(nssmPath, ['stop', serviceName], { stdio: 'pipe' }); } catch { /* not running */ }
+  try { execFileSync(nssmPath, ['remove', serviceName, 'confirm'], { stdio: 'pipe' }); } catch { /* didn't exist */ }
+
+  // NSSM services run as LocalSystem; pass USERPROFILE so the backend's
+  // getHomeDir() resolves to the correct user config directory.
+  const env: Record<string, string> = {
+    ...configVars,
+    OMNIKEY_PORT: String(port),
+    USERPROFILE: process.env.USERPROFILE || configDir.replace(/[/\\]\.omnikey$/, ''),
+    HOME: process.env.USERPROFILE || configDir.replace(/[/\\]\.omnikey$/, ''),
+  };
+
   try {
-    execSync(`schtasks /create /tn "${taskName}" /xml "${taskXmlPath}" /f`, { stdio: 'pipe' });
-    console.log(`Windows Task Scheduler task created: ${taskName}`);
-    console.log('Omnikey daemon will auto-start on next logon.');
-  } catch (e) {
-    console.error('Failed to create Windows Task Scheduler task:', e);
-  } finally {
-    try { fs.rmSync(taskXmlPath); } catch { /* ignore */ }
-  }
+    // Install: nssm install <name> <application> [args...]
+    execFileSync(nssmPath, ['install', serviceName, nodePath, backendPath], { stdio: 'pipe' });
+
+    execFileSync(nssmPath, ['set', serviceName, 'AppDirectory', configDir], { stdio: 'pipe' });
 
-  // Also start the backend immediately for the current session
-  const { out, err } = initLogFiles(logPath, errorLogPath);
-  const child = spawn(nodePath, [backendPath], {
-    env: { ...configVars, OMNIKEY_PORT: String(port) },
-    detached: true,
-    stdio: ['ignore', out, err],
-  });
-  child.unref();
-  console.log(`Omnikey API backend started as a daemon on port ${port}. PID: ${child.pid}`);
+    // Pass all env vars in a single call (replaces the entire AppEnvironmentExtra key)
+    const envEntries = Object.entries(env).map(([k, v]) => `${k}=${v}`);
+    execFileSync(nssmPath, ['set', serviceName, 'AppEnvironmentExtra', ...envEntries], { stdio: 'pipe' });
+
+    execFileSync(nssmPath, ['set', serviceName, 'AppStdout', logPath], { stdio: 'pipe' });
+    execFileSync(nssmPath, ['set', serviceName, 'AppStderr', errorLogPath], { stdio: 'pipe' });
+    execFileSync(nssmPath, ['set', serviceName, 'AppRotateFiles', '1'], { stdio: 'pipe' });
+
+    // Restart automatically after a 3-second delay on any exit
+    execFileSync(nssmPath, ['set', serviceName, 'AppExit', 'Default', 'Restart'], { stdio: 'pipe' });
+    execFileSync(nssmPath, ['set', serviceName, 'AppRestartDelay', '3000'], { stdio: 'pipe' });
+
+    // Start automatically at boot (no login required)
+    execFileSync(nssmPath, ['set', serviceName, 'Start', 'SERVICE_AUTO_START'], { stdio: 'pipe' });
+
+    execFileSync(nssmPath, ['set', serviceName, 'DisplayName', 'Omnikey API Backend'], { stdio: 'pipe' });
+    execFileSync(nssmPath, ['set', serviceName, 'Description', 'Omnikey API Backend Daemon'], { stdio: 'pipe' });
+
+    execFileSync(nssmPath, ['start', serviceName], { stdio: 'pipe' });
+
+    console.log(`NSSM service installed and started: ${serviceName}`);
+    console.log('Omnikey daemon runs on boot, without login, and auto-restarts on crash.');
+    console.log(`Logs: ${logPath}`);
+    console.log(`      ${errorLogPath}`);
+  } catch (e: any) {
+    const msg: string = e?.stderr?.toString() || e?.message || String(e);
+    if (msg.toLowerCase().includes('access') || msg.toLowerCase().includes('privilege')) {
+      console.error('Failed to install NSSM service: administrator privileges are required.');
+      console.error('Re-run this command in an elevated (Administrator) terminal.');
+    } else {
+      console.error('Failed to install NSSM service:', msg);
+    }
+  }
 }
 
 function startDaemonMacOS(opts: DaemonOptions) {

package/src/index.ts

@@ -28,9 +28,9 @@ program
   .command('daemon')
   .description('Start the Omnikey API backend as a daemon on a specified port')
   .option('--port <port>', 'Port to run the backend on', '7071')
-  .action((options) => {
+  .action(async (options) => {
     const port = Number(options.port) || 7071;
-    startDaemon(port);
+    await startDaemon(port);
   });
 
 program
@@ -84,10 +84,10 @@ program
   .command('restart-daemon')
   .description('Restart the Omnikey API backend daemon')
   .option('--port <port>', 'Port to run the backend on', '7071')
-  .action((options) => {
+  .action(async (options) => {
     killDaemon();
     const port = Number(options.port) || 7071;
-    startDaemon(port);
+    await startDaemon(port);
   });
 
 program.parseAsync(process.argv);

package/src/removeConfig.ts

@@ -1,6 +1,6 @@
 import fs from 'fs';
 import path from 'path';
-import { execSync } from 'child_process';
+import { execSync, execFileSync } from 'child_process';
 import { isWindows, getHomeDir, getConfigDir, readConfig } from './utils';
 
 export function killLaunchdAgent() {
@@ -20,28 +20,38 @@ export function killLaunchdAgent() {
 }
 
 export function killWindowsTask() {
-  const taskName = 'OmnikeyDaemon';
-  try {
-    execSync(`schtasks /end /tn "${taskName}"`, { stdio: 'pipe' });
-  } catch {
-    // Task may not be running — that's fine
-  }
+  const serviceName = 'OmnikeyDaemon';
+
+  // Try NSSM first (current implementation)
+  let nssmPath: string | null = null;
   try {
-    execSync(`schtasks /delete /tn "${taskName}" /f`, { stdio: 'pipe' });
-    console.log(`Removed Windows Task Scheduler task: ${taskName}`);
-  } catch {
-    console.log(`Windows Task Scheduler task does not exist: ${taskName}`);
-  }
+    nssmPath = execSync('where nssm', { stdio: 'pipe' }).toString().trim().split('\n')[0].trim();
+  } catch { /* NSSM not installed */ }
 
-  // Also remove the wrapper script
-  const wrapperPath = path.join(getConfigDir(), 'start-daemon.cmd');
-  if (fs.existsSync(wrapperPath)) {
+  if (nssmPath) {
+    try { execFileSync(nssmPath, ['stop', serviceName], { stdio: 'pipe' }); } catch { /* not running */ }
+    try {
+      execFileSync(nssmPath, ['remove', serviceName, 'confirm'], { stdio: 'pipe' });
+      console.log(`Removed NSSM service: ${serviceName}`);
+    } catch {
+      console.log(`NSSM service does not exist: ${serviceName}`);
+    }
+  } else {
+    // Fallback: remove legacy Task Scheduler task from previous installs
+    try { execSync(`schtasks /end /tn "${serviceName}"`, { stdio: 'pipe' }); } catch { /* not running */ }
     try {
-      fs.rmSync(wrapperPath);
+      execSync(`schtasks /delete /tn "${serviceName}" /f`, { stdio: 'pipe' });
+      console.log(`Removed Windows Task Scheduler task: ${serviceName}`);
     } catch {
-      // Ignore
+      console.log(`Windows Task Scheduler task does not exist: ${serviceName}`);
     }
   }
+
+  // Remove legacy wrapper script if present
+  const wrapperPath = path.join(getConfigDir(), 'start-daemon.cmd');
+  if (fs.existsSync(wrapperPath)) {
+    try { fs.rmSync(wrapperPath); } catch { /* ignore */ }
+  }
 }
 
 /**