oneclaw 0.1.0 → 0.1.2

package/README.md

@@ -1,13 +1,13 @@
 # oneclaw
 
-`oneclaw` provisions and exports AI identity packs.
+`oneclaw` creates and applies identity packs for AI systems.
 
-Current first-class provisioning providers:
-- AgentMail (API-based inbox creation)
-- Telegram Bot (BotFather token + API verification)
-- Bitwarden (browser/account checkpoint + CLI verification + vault seeding)
+Current provider workflows:
+- AgentMail (API-first inbox creation)
+- Telegram (BotFather token + `getMe` verification)
+- Bitwarden (signup checkpoint + CLI login verification + vault item seeding)
 
-Current export/apply targets:
+Current targets:
 - `owpenbot`
 - `openclaw`
 - `nanoclaw`
@@ -19,36 +19,82 @@ npm install
 npm run build
 ```
 
-## Provision
+## Default mode: bootstrap TUI
+
+Running `oneclaw` with no command opens the OpenTUI bootstrap screen by default.
+
+You can also invoke it explicitly:
+
+```bash
+oneclaw bootstrap --profile default --pack founder
+```
+
+Use `--no-tui` for plain prompt mode.
+If OpenTUI runtime bindings are unavailable, oneclaw falls back to plain prompt mode automatically.
+If you see `.scm` runtime extension errors, run oneclaw with Bun (`bunx oneclaw`) or use `--no-tui`.
+
+### Demo autopilot mode
+
+Set `ONECLAW_DEMO=1` to run the full bootstrap flow in auto-fill mode.
+
+```bash
+ONECLAW_DEMO=1 oneclaw
+```
+
+In demo mode, oneclaw animates all fields as if typed, toggles bootstrap flags, and auto-saves into profile `demo` by default.
+
+## First-class config API
+
+```bash
+printf '%s' "$AGENTMAIL_API_KEY" | oneclaw config set agentmail.api_key --profile default --secret --stdin
+printf '%s' "$TELEGRAM_BOT_TOKEN" | oneclaw config set telegram.bot_token --profile default --secret --stdin
+oneclaw config set bitwarden.email "founder@example.com" --profile default
+printf '%s' "$BITWARDEN_PASSWORD" | oneclaw config set bitwarden.password --profile default --secret --stdin
+oneclaw config set bitwarden.signup_done true --profile default
+
+oneclaw config check --providers agentmail,telegram,bitwarden --profile default --verify --json
+```
+
+Other config commands:
+
+```bash
+oneclaw config get agentmail.api_key --profile default
+oneclaw config list --profile default
+oneclaw config unset telegram.bot_token --profile default
+```
+
+## Provision from config state
 
 ```bash
 oneclaw provision \
   --pack founder \
   --providers agentmail,telegram,bitwarden \
   --targets owpenbot,openclaw,nanoclaw \
-  --agentmail-api-key "$AGENTMAIL_API_KEY" \
-  --telegram-bot-token "$TELEGRAM_BOT_TOKEN" \
-  --bitwarden-email "founder@example.com" \
-  --bitwarden-password "$BITWARDEN_MASTER_PASSWORD" \
-  --bitwarden-skip-signup
+  --profile default \
+  --non-interactive \
+  --json
 ```
 
-If a provider needs manual action, provisioning pauses with a clear checkpoint and resume command.
+Flags override stored config values. If a provider still needs human action, oneclaw returns a blocked step with a resume command.
 
-## Export
+## Export / apply
 
 ```bash
 oneclaw export --pack founder --target owpenbot --out ./owpenbot.identity.json
 oneclaw export --pack founder --target openclaw --out ./openclaw.identity.json
 oneclaw export --pack founder --target nanoclaw --out ./nanoclaw.identity.env
+
+oneclaw apply --pack founder --target owpenbot --path ~/.openwork/owpenbot/owpenbot.json
 ```
 
-## Apply
+## Helper prompt for another setup AI
 
 ```bash
-oneclaw apply --pack founder --target owpenbot --path ~/.openwork/owpenbot/owpenbot.json
+oneclaw bootstrap-prompt
 ```
 
+This prints the setup-helper prompt you can hand to another AI to collect credentials and persist config state correctly.
+
 ## Validate and doctor
 
 ```bash

package/dist/bootstrap/helper-prompt.d.ts

@@ -0,0 +1 @@
+export declare function helperPrompt(): string;

package/dist/bootstrap/helper-prompt.js

@@ -0,0 +1,88 @@
+export function helperPrompt() {
+    return `You are a Setup Helper AI. You are NOT oneclaw. You guide a human through credential bootstrap for oneclaw.
+
+Goal:
+Populate oneclaw config so this command succeeds in non-interactive mode:
+oneclaw provision --pack <PACK_ID> --providers agentmail,telegram,bitwarden --targets owpenbot,openclaw,nanoclaw --profile <PROFILE> --non-interactive --json
+
+Rules:
+1) Persist credentials immediately with oneclaw config commands.
+2) Secrets must be written with --stdin --secret.
+3) Verify each provider before moving on.
+4) If blocked by CAPTCHA/login/manual gate, pause and provide one explicit human action + resume command.
+5) Never print full secrets in logs; use masked previews.
+
+Default values:
+- PACK_ID=founder
+- PROFILE=default
+
+Required keys:
+- agentmail.api_key (secret)
+- telegram.bot_token (secret)
+- bitwarden.email (plain)
+- bitwarden.password (secret)
+- bitwarden.signup_done (plain bool)
+
+Execution steps:
+
+A) Preflight
+- Run: oneclaw config check --providers agentmail,telegram,bitwarden --profile "$PROFILE" --json
+
+B) AgentMail
+- Collect AGENTMAIL_API_KEY.
+- Persist:
+  printf '%s' "$AGENTMAIL_API_KEY" | oneclaw config set agentmail.api_key --profile "$PROFILE" --secret --stdin
+- Verify:
+  curl -fsS https://api.agentmail.to/v0/inboxes -H "Authorization: Bearer $AGENTMAIL_API_KEY" >/dev/null
+
+C) Telegram
+- Collect TELEGRAM_BOT_TOKEN from @BotFather.
+- Persist:
+  printf '%s' "$TELEGRAM_BOT_TOKEN" | oneclaw config set telegram.bot_token --profile "$PROFILE" --secret --stdin
+- Verify:
+  curl -fsS "https://api.telegram.org/bot\${TELEGRAM_BOT_TOKEN}/getMe" | jq -e '.ok == true and .result.username != null' >/dev/null
+
+D) Bitwarden
+- Collect BITWARDEN_EMAIL and BITWARDEN_PASSWORD.
+- Persist:
+  oneclaw config set bitwarden.email "$BITWARDEN_EMAIL" --profile "$PROFILE"
+  printf '%s' "$BITWARDEN_PASSWORD" | oneclaw config set bitwarden.password --profile "$PROFILE" --secret --stdin
+  oneclaw config set bitwarden.signup_done true --profile "$PROFILE"
+- Verify with bw CLI when available:
+  bw login "$BITWARDEN_EMAIL" "$BITWARDEN_PASSWORD" --raw >/dev/null
+
+E) Final checks
+- Run: oneclaw config check --providers agentmail,telegram,bitwarden --profile "$PROFILE" --json
+- Run:
+  oneclaw provision --pack "$PACK_ID" --providers agentmail,telegram,bitwarden --targets owpenbot,openclaw,nanoclaw --profile "$PROFILE" --non-interactive --json
+
+Expected final JSON contract:
+{
+  "status": "ready" | "blocked",
+  "pack_id": "<PACK_ID>",
+  "profile": "<PROFILE>",
+  "verified": {
+    "agentmail": true|false,
+    "telegram": true|false,
+    "bitwarden": true|false
+  },
+  "next_command": "<exact provision command>",
+  "masked": {
+    "agentmail.api_key": "sk_****",
+    "telegram.bot_token": "****",
+    "bitwarden.email": "u***@d***.com"
+  },
+  "blocker": {
+    "step": "<step id>",
+    "reason": "<why blocked>",
+    "human_action": "<single action>",
+    "resume_command": "<exact resume command>"
+  }
+}
+
+Notes:
+- Telegram bot creation has no official programmatic API; BotFather token retrieval is a manual checkpoint.
+- AgentMail account bootstrap may require UI once; inbox provisioning is API-first after key setup.
+`;
+}
+//# sourceMappingURL=helper-prompt.js.map

package/dist/bootstrap/helper-prompt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helper-prompt.js","sourceRoot":"","sources":["../../src/bootstrap/helper-prompt.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,YAAY;IAC1B,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAoFR,CAAC;AACF,CAAC"}

package/dist/cli.js

@@ -4,11 +4,15 @@ import path from "node:path";
 import process from "node:process";
 import { Command } from "commander";
 import { applyPack, exportPackToTarget, writeExport } from "./adapters/index.js";
+import { helperPrompt } from "./bootstrap/helper-prompt.js";
 import { runDoctor } from "./core/doctor.js";
+import { checkConfig, getConfigValue, getRequiredConfigKeys, listConfig, setConfigValue, unsetConfigValue, } from "./core/config.js";
 import { appendProvisioningRun, ensurePack, loadPack, savePack } from "./core/packs.js";
+import { resolveProvisionOptions } from "./core/provision-options.js";
 import { clearRunState, createRunState, loadRunState, saveRunState } from "./core/run-state.js";
 import { isTargetId, validatePack } from "./core/schema.js";
 import { TARGETS } from "./core/types.js";
+import { verifyAgentmailApiKey, verifyBitwardenCredentials, verifyTelegramBotToken, } from "./core/verifiers.js";
 import { getWorkflow, isProviderId, PROVIDERS } from "./providers/index.js";
 import { runProviderWorkflow } from "./core/workflow.js";
 function parseCsv(input) {
@@ -38,6 +42,16 @@ function parseProviders(raw) {
     }
     return list;
 }
+function isDemoModeEnabled() {
+    const raw = process.env.ONECLAW_DEMO?.trim().toLowerCase();
+    if (!raw)
+        return false;
+    return ["1", "true", "yes", "on"].includes(raw);
+}
+function profileFrom(opts, fallback = "default") {
+    const raw = typeof opts.profile === "string" ? opts.profile.trim() : "";
+    return raw || fallback;
+}
 async function askInteractive(prompt) {
     if (!process.stdin.isTTY || !process.stdout.isTTY)
         return undefined;
@@ -51,6 +65,14 @@ async function askInteractive(prompt) {
         rl.close();
     }
 }
+async function readStdinTrimmed() {
+    const chunks = [];
+    for await (const chunk of process.stdin) {
+        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk)));
+    }
+    const text = Buffer.concat(chunks).toString("utf8").trim();
+    return text || undefined;
+}
 function asLog(run) {
     const steps = Object.entries(run.providers)
         .flatMap(([provider, state]) => state.steps.map((step) => ({
@@ -86,17 +108,319 @@ function printValue(value, asJson) {
     }
     process.stdout.write(`${JSON.stringify(value, null, 2)}\n`);
 }
+async function runProvision(input) {
+    const resolved = resolveProvisionOptions({
+        profile: input.profile,
+        options: input.options,
+        useConfig: input.useConfig,
+    });
+    let pack = ensurePack(input.packId, input.targets);
+    let run = loadRunState(input.packId) || createRunState(input.packId);
+    for (const provider of input.providers) {
+        const workflow = getWorkflow(provider);
+        const result = await runProviderWorkflow({
+            workflow,
+            run,
+            pack,
+            options: {
+                ...resolved,
+            },
+            nonInteractive: input.nonInteractive,
+            ask: askInteractive,
+            log: (message) => {
+                if (!input.asJson)
+                    process.stderr.write(`${message}\n`);
+            },
+        });
+        saveRunState(run);
+        pack = savePack(pack);
+        if (result.status === "blocked") {
+            return {
+                status: "blocked",
+                provider,
+                step: result.blockedStepId,
+                reason: result.blockedReason,
+                resumeCommand: `oneclaw provision --pack ${input.packId} --providers ${input.providers.join(",")}`,
+            };
+        }
+    }
+    const runLog = asLog(run);
+    pack = appendProvisioningRun(pack, runLog);
+    clearRunState(input.packId);
+    return {
+        status: "ok",
+        packId: input.packId,
+        providers: input.providers,
+        targets: pack.targets,
+        accounts: Object.keys(pack.accounts),
+    };
+}
+function initialDraft(profile, runProvisionByDefault) {
+    const agentmail = getConfigValue({ profile, key: "agentmail.api_key", reveal: true })?.value || "";
+    const telegram = getConfigValue({ profile, key: "telegram.bot_token", reveal: true })?.value || "";
+    const bwEmail = getConfigValue({ profile, key: "bitwarden.email", reveal: true })?.value || "";
+    const bwPassword = getConfigValue({ profile, key: "bitwarden.password", reveal: true })?.value || "";
+    const signup = (getConfigValue({ profile, key: "bitwarden.signup_done", reveal: true })?.value || "").toLowerCase();
+    return {
+        agentmailApiKey: agentmail,
+        telegramBotToken: telegram,
+        bitwardenEmail: bwEmail,
+        bitwardenPassword: bwPassword,
+        bitwardenSignupDone: ["1", "true", "yes", "on"].includes(signup),
+        runProvision: runProvisionByDefault,
+    };
+}
+async function collectBootstrapDraft(input) {
+    const initial = initialDraft(input.profile, input.runProvisionByDefault);
+    if (input.demoMode && (!input.useTui || !process.stdin.isTTY || !process.stdout.isTTY)) {
+        return {
+            cancelled: false,
+            draft: {
+                agentmailApiKey: "am_demo_sk_live_8f3m2q1z4",
+                telegramBotToken: "7312459901:AAH_demo_token_x8c4",
+                bitwardenEmail: "founder+demo@oneclaw.dev",
+                bitwardenPassword: "Oneclaw!Demo!2026",
+                bitwardenSignupDone: true,
+                runProvision: true,
+            },
+        };
+    }
+    if (input.useTui && process.stdin.isTTY && process.stdout.isTTY) {
+        try {
+            const tui = await import("./tui/bootstrap.js");
+            return tui.startBootstrapTui({
+                profile: input.profile,
+                packId: input.packId,
+                initial,
+                demo: input.demoMode,
+            });
+        }
+        catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            const hint = detail.includes("ERR_UNKNOWN_FILE_EXTENSION") || detail.includes(".scm")
+                ? " (OpenTUI runtime assets require Bun in this environment)"
+                : "";
+            process.stderr.write(`OpenTUI unavailable, falling back to prompt mode: ${detail}${hint}\n`);
+        }
+    }
+    const ask = async (label, fallback) => {
+        const answer = await askInteractive(`${label}${fallback ? ` [${fallback}]` : ""}: `);
+        return answer || fallback;
+    };
+    const signupDefault = initial.bitwardenSignupDone ? "true" : "false";
+    const runDefault = initial.runProvision ? "true" : "false";
+    return {
+        cancelled: false,
+        draft: {
+            agentmailApiKey: await ask("AgentMail API key", initial.agentmailApiKey),
+            telegramBotToken: await ask("Telegram bot token", initial.telegramBotToken),
+            bitwardenEmail: await ask("Bitwarden email", initial.bitwardenEmail),
+            bitwardenPassword: await ask("Bitwarden password", initial.bitwardenPassword),
+            bitwardenSignupDone: ["1", "true", "yes", "on"].includes((await ask("Bitwarden signup done (true/false)", signupDefault)).toLowerCase()),
+            runProvision: ["1", "true", "yes", "on"].includes((await ask("Run provision after save (true/false)", runDefault)).toLowerCase()),
+        },
+    };
+}
+function persistBootstrapDraft(profile, draft) {
+    setConfigValue({ profile, key: "agentmail.api_key", value: draft.agentmailApiKey, secret: true });
+    setConfigValue({ profile, key: "telegram.bot_token", value: draft.telegramBotToken, secret: true });
+    setConfigValue({ profile, key: "bitwarden.email", value: draft.bitwardenEmail });
+    setConfigValue({ profile, key: "bitwarden.password", value: draft.bitwardenPassword, secret: true });
+    setConfigValue({ profile, key: "bitwarden.signup_done", value: draft.bitwardenSignupDone ? "true" : "false" });
+}
+async function verifyFromConfig(profile) {
+    const agentmailKey = getConfigValue({ profile, key: "agentmail.api_key", reveal: true })?.value || "";
+    const telegramToken = getConfigValue({ profile, key: "telegram.bot_token", reveal: true })?.value || "";
+    const bitwardenEmail = getConfigValue({ profile, key: "bitwarden.email", reveal: true })?.value || "";
+    const bitwardenPassword = getConfigValue({ profile, key: "bitwarden.password", reveal: true })?.value || "";
+    const checks = {
+        agentmail: agentmailKey
+            ? await verifyAgentmailApiKey(agentmailKey)
+            : { ok: false, detail: "Missing agentmail.api_key" },
+        telegram: telegramToken
+            ? await verifyTelegramBotToken(telegramToken)
+            : { ok: false, detail: "Missing telegram.bot_token" },
+        bitwarden: bitwardenEmail && bitwardenPassword
+            ? verifyBitwardenCredentials(bitwardenEmail, bitwardenPassword)
+            : { ok: false, detail: "Missing bitwarden.email or bitwarden.password" },
+    };
+    return checks;
+}
 const program = new Command();
 program
     .name("oneclaw")
     .description("Identity pack CLI for AI assistants")
-    .version("0.1.0");
+    .version("0.1.0")
+    .showHelpAfterError();
+program
+    .command("bootstrap")
+    .description("Collect bootstrap credentials and persist config state")
+    .option("--profile <profile>", "Config profile", "default")
+    .option("--pack <packId>", "Default pack for follow-up provision", "founder")
+    .option("--run-provision", "Run provision after saving state")
+    .option("--providers <providers>", `Comma-separated providers (${PROVIDERS.join(",")})`, "agentmail,telegram,bitwarden")
+    .option("--targets <targets>", `Comma-separated targets (${TARGETS.join(",")})`, TARGETS.join(","))
+    .option("--no-tui", "Disable OpenTUI mode")
+    .option("--json", "Output json")
+    .action(async (opts) => {
+    const demoMode = isDemoModeEnabled();
+    const requestedProfile = profileFrom(opts);
+    const profile = demoMode && requestedProfile === "default" ? "demo" : requestedProfile;
+    const packId = (typeof opts.pack === "string" && opts.pack.trim()) || "founder";
+    const providers = parseProviders(opts.providers);
+    const targets = parseTargets(opts.targets);
+    const asJson = Boolean(opts.json);
+    const runProvisionAfterSave = Boolean(opts.runProvision);
+    const collected = await collectBootstrapDraft({
+        profile,
+        packId,
+        useTui: opts.tui !== false,
+        runProvisionByDefault: runProvisionAfterSave,
+        demoMode,
+    });
+    if (collected.cancelled) {
+        printValue({ status: "cancelled", profile }, asJson);
+        return;
+    }
+    persistBootstrapDraft(profile, collected.draft);
+    const check = checkConfig({ profile, providers, reveal: false });
+    const verification = await verifyFromConfig(profile);
+    const verified = {
+        agentmail: verification.agentmail.ok,
+        telegram: verification.telegram.ok,
+        bitwarden: verification.bitwarden.ok,
+    };
+    let provisionResult = undefined;
+    const shouldRunProvision = collected.draft.runProvision || runProvisionAfterSave;
+    if (shouldRunProvision && check.ready && Object.values(verified).every(Boolean)) {
+        provisionResult = await runProvision({
+            packId,
+            providers,
+            targets,
+            options: {
+                profile,
+            },
+            profile,
+            useConfig: true,
+            nonInteractive: true,
+            asJson,
+        });
+    }
+    printValue({
+        status: "ok",
+        profile,
+        packId,
+        required: getRequiredConfigKeys(providers).map((item) => item.key),
+        demoMode,
+        check,
+        verification,
+        provision: provisionResult,
+    }, asJson);
+});
+program
+    .command("bootstrap-prompt")
+    .description("Print helper prompt for another setup AI")
+    .option("--json", "Output json")
+    .action((opts) => {
+    const prompt = helperPrompt();
+    printValue(opts.json ? { prompt } : prompt, Boolean(opts.json));
+});
+const configCommand = program.command("config").description("Manage persisted oneclaw config state");
+configCommand
+    .command("set")
+    .description("Set a config key")
+    .argument("<key>")
+    .argument("[value]")
+    .option("--profile <profile>", "Config profile", "default")
+    .option("--secret", "Store as secret")
+    .option("--stdin", "Read value from stdin")
+    .option("--json", "Output json")
+    .action(async (key, value, opts) => {
+    const profile = profileFrom(opts);
+    const fromStdin = Boolean(opts.stdin) ? await readStdinTrimmed() : undefined;
+    const fromArg = value?.trim();
+    const fromPrompt = fromStdin || fromArg ? undefined : await askInteractive(`${key}: `);
+    const finalValue = fromStdin || fromArg || fromPrompt;
+    if (!finalValue) {
+        throw new Error(`No value provided for ${key}. Use [value], --stdin, or interactive input.`);
+    }
+    const result = setConfigValue({
+        profile,
+        key,
+        value: finalValue,
+        secret: Boolean(opts.secret),
+    });
+    printValue(result, Boolean(opts.json));
+});
+configCommand
+    .command("get")
+    .description("Get a config key")
+    .argument("<key>")
+    .option("--profile <profile>", "Config profile", "default")
+    .option("--reveal", "Reveal secret values")
+    .option("--json", "Output json")
+    .action((key, opts) => {
+    const profile = profileFrom(opts);
+    const result = getConfigValue({ profile, key, reveal: Boolean(opts.reveal) });
+    if (!result) {
+        printValue({ profile, key, found: false }, Boolean(opts.json));
+        process.exitCode = 1;
+        return;
+    }
+    printValue({ ...result, found: true }, Boolean(opts.json));
+});
+configCommand
+    .command("list")
+    .description("List stored config keys")
+    .option("--profile <profile>", "Config profile", "default")
+    .option("--reveal", "Reveal secret values")
+    .option("--json", "Output json")
+    .action((opts) => {
+    const profile = profileFrom(opts);
+    const result = listConfig({ profile, reveal: Boolean(opts.reveal) });
+    printValue(result, Boolean(opts.json));
+});
+configCommand
+    .command("unset")
+    .description("Remove a config key")
+    .argument("<key>")
+    .option("--profile <profile>", "Config profile", "default")
+    .option("--json", "Output json")
+    .action((key, opts) => {
+    const profile = profileFrom(opts);
+    const result = unsetConfigValue({ profile, key });
+    printValue(result, Boolean(opts.json));
+});
+configCommand
+    .command("check")
+    .description("Check required config for providers")
+    .option("--providers <providers>", `Comma-separated providers (${PROVIDERS.join(",")})`, "agentmail,telegram,bitwarden")
+    .option("--profile <profile>", "Config profile", "default")
+    .option("--verify", "Run provider verification checks")
+    .option("--json", "Output json")
+    .action(async (opts) => {
+    const profile = profileFrom(opts);
+    const providers = parseProviders(opts.providers);
+    const check = checkConfig({ profile, providers, reveal: false });
+    if (!opts.verify) {
+        printValue(check, Boolean(opts.json));
+        return;
+    }
+    const verification = await verifyFromConfig(profile);
+    printValue({
+        ...check,
+        verification,
+        verified: Object.fromEntries(Object.entries(verification).map(([provider, result]) => [provider, result.ok])),
+    }, Boolean(opts.json));
+});
 program
     .command("provision")
     .description("Provision identities and update the pack")
     .requiredOption("--pack <packId>", "Identity pack id")
     .option("--providers <providers>", `Comma-separated providers (${PROVIDERS.join(",")})`)
     .option("--targets <targets>", `Comma-separated targets (${TARGETS.join(",")})`)
+    .option("--profile <profile>", "Config profile", "default")
+    .option("--no-config", "Disable config profile lookup")
     .option("--non-interactive", "Fail instead of prompting")
     .option("--json", "Output json")
     .option("--agentmail-api-key <value>")
@@ -118,64 +442,23 @@ program
     const packId = String(opts.pack);
     const providers = parseProviders(opts.providers);
     const targets = parseTargets(opts.targets);
+    const profile = profileFrom(opts);
     const nonInteractive = Boolean(opts.nonInteractive);
     const asJson = Boolean(opts.json);
-    let pack = ensurePack(packId, targets);
-    let run = loadRunState(packId) || createRunState(packId);
-    for (const provider of providers) {
-        const workflow = getWorkflow(provider);
-        const result = await runProviderWorkflow({
-            workflow,
-            run,
-            pack,
-            options: {
-                agentmailApiKey: opts.agentmailApiKey,
-                agentmailUsername: opts.agentmailUsername,
-                agentmailDomain: opts.agentmailDomain,
-                agentmailDisplayName: opts.agentmailDisplayName,
-                agentmailInboxId: opts.agentmailInboxId,
-                agentmailWebhookSecret: opts.agentmailWebhookSecret,
-                forceAgentmailCreate: opts.forceAgentmailCreate,
-                telegramBotToken: opts.telegramBotToken,
-                telegramBotUsername: opts.telegramBotUsername,
-                telegramIdentityId: opts.telegramIdentityId,
-                bitwardenEmail: opts.bitwardenEmail,
-                bitwardenPassword: opts.bitwardenPassword,
-                bitwardenVault: opts.bitwardenVault,
-                bitwardenSkipSignup: opts.bitwardenSkipSignup,
-                bitwardenAlreadyCreated: opts.bitwardenAlreadyCreated,
-            },
-            nonInteractive,
-            ask: askInteractive,
-            log: (message) => {
-                if (!asJson)
-                    process.stderr.write(`${message}\n`);
-            },
-        });
-        saveRunState(run);
-        pack = savePack(pack);
-        if (result.status === "blocked") {
-            printValue({
-                status: "blocked",
-                provider,
-                step: result.blockedStepId,
-                reason: result.blockedReason,
-                resumeCommand: `oneclaw provision --pack ${packId} --providers ${providers.join(",")}`,
-            }, asJson);
-            process.exitCode = 2;
-            return;
-        }
-    }
-    const runLog = asLog(run);
-    pack = appendProvisioningRun(pack, runLog);
-    clearRunState(packId);
-    printValue({
-        status: "ok",
+    const result = await runProvision({
         packId,
         providers,
-        targets: pack.targets,
-        accounts: Object.keys(pack.accounts),
-    }, asJson);
+        targets,
+        options: opts,
+        profile,
+        useConfig: opts.config !== false,
+        nonInteractive,
+        asJson,
+    });
+    if (result.status === "blocked") {
+        process.exitCode = 2;
+    }
+    printValue(result, asJson);
 });
 program
     .command("export")
@@ -260,6 +543,30 @@ program
     const pack = loadPack(String(opts.pack));
     process.stdout.write(exportPackToTarget(pack, target));
 });
+program.action(async () => {
+    if (!process.stdin.isTTY || !process.stdout.isTTY) {
+        program.outputHelp();
+        return;
+    }
+    const demoMode = isDemoModeEnabled();
+    const profile = demoMode ? "demo" : "default";
+    const result = await collectBootstrapDraft({
+        profile,
+        packId: "founder",
+        useTui: true,
+        runProvisionByDefault: false,
+        demoMode,
+    });
+    if (result.cancelled)
+        return;
+    persistBootstrapDraft(profile, result.draft);
+    printValue({
+        status: "ok",
+        profile,
+        demoMode,
+        message: "Bootstrap values saved. Run oneclaw config check --verify --json next.",
+    }, false);
+});
 program.parseAsync(process.argv).catch((error) => {
     const message = error instanceof Error ? error.message : String(error);
     process.stderr.write(`${message}\n`);