openclaw-node-harness 2.0.1 → 2.0.2

package/bin/mesh-join-token.js

@@ -43,6 +43,21 @@ const PROVIDER = getArg('--provider', 'claude');
 const EXPIRES = getArg('--expires', '48h');
 const REPO = getArg('--repo', 'https://github.com/moltyguibros-design/openclaw-node.git');
 const ONE_LINER = args.includes('--one-liner');
+const NO_SSH = args.includes('--no-ssh');
+
+// Read lead node's SSH public key (auto-discover from ~/.ssh/)
+function getLeadSSHPubkey() {
+  if (NO_SSH) return null;
+  const sshDir = path.join(os.homedir(), '.ssh');
+  const candidates = ['id_ed25519_openclaw.pub', 'id_ed25519.pub', 'id_rsa.pub', 'id_ecdsa.pub'];
+  for (const f of candidates) {
+    const p = path.join(sshDir, f);
+    if (fs.existsSync(p)) {
+      return fs.readFileSync(p, 'utf8').trim();
+    }
+  }
+  return null;
+}
 
 // ── Token secret ──────────────────────────────────────
 // Stored at ~/.openclaw/.mesh-secret. Created on first use.
@@ -81,8 +96,10 @@ function generateToken() {
   const secret = getOrCreateSecret();
   const expiresAt = parseExpiry(EXPIRES);
 
+  const sshPubkey = getLeadSSHPubkey();
+
   const payload = {
-    v: 2,                           // token version (v2: added repo field)
+    v: 3,                           // token version (v3: added ssh_pubkey)
     nats: NATS_URL,                 // NATS server URL
     role: ROLE,                     // node role
     provider: PROVIDER,             // default LLM provider
@@ -90,6 +107,7 @@ function generateToken() {
     lead: os.hostname(),            // lead node hostname (for reference)
     issued: Date.now(),             // issued timestamp
     expires: expiresAt,             // expiry timestamp
+    ...(sshPubkey && { ssh_pubkey: sshPubkey }), // lead node's SSH public key
   };
 
   // HMAC-SHA256 signature for integrity

package/bin/openclaw-node-init.js

@@ -1,32 +1,31 @@
 #!/usr/bin/env node
 
 /**
- * openclaw-node-init.js — One-click mesh node provisioner.
+ * openclaw-node-init.js — Zero-config mesh node provisioner.
  *
- * Takes a join token (from mesh-join-token.js) and bootstraps a fully
- * functional mesh worker node. Handles:
- *   1. Token validation (signature + expiry)
+ * Tailscale IS the trust layer. No tokens. No secrets. No lead interaction.
+ *
+ * What it does:
+ *   1. Scan Tailscale peers for NATS (port 4222)
  *   2. OS detection (macOS/Linux)
- *   3. Dependency checks (Node.js, git, nats-server optional)
+ *   3. Dependency checks (Node.js, git)
  *   4. Directory structure (~/.openclaw/)
- *   5. NATS configuration (from token)
- *   6. Mesh code installation (repo URL from token)
+ *   5. NATS configuration (auto-discovered)
+ *   6. Mesh code installation (git clone)
  *   7. Service installation (launchd/systemd)
  *   8. Health verification (service alive + NATS connectivity)
  *
  * Usage:
- *   MESH_JOIN_TOKEN=<token> node bin/openclaw-node-init.js
- *   node bin/openclaw-node-init.js --token <token>
- *   node bin/openclaw-node-init.js --token <token> --dry-run
- *   node bin/openclaw-node-init.js --token <token> --provider deepseek
- *
- * The token contains NATS URL, repo URL, role, and default provider.
- * API keys must be set separately in ~/.openclaw/openclaw.env after provisioning.
+ *   npx openclaw-node                                    # auto-discover everything
+ *   node bin/openclaw-node-init.js                        # same
+ *   node bin/openclaw-node-init.js --nats nats://x:4222   # explicit NATS URL
+ *   node bin/openclaw-node-init.js --provider deepseek    # set default LLM
+ *   node bin/openclaw-node-init.js --dry-run              # preview only
  */
 
 const { execSync, spawnSync } = require('child_process');
-const crypto = require('crypto');
 const fs = require('fs');
+const net = require('net');
 const os = require('os');
 const path = require('path');
 
@@ -40,11 +39,10 @@ function getArg(flag, defaultVal) {
   return idx >= 0 && args[idx + 1] ? args[idx + 1] : defaultVal;
 }
 
-const TOKEN_RAW = getArg('--token', null) || process.env.MESH_JOIN_TOKEN;
-const PROVIDER_OVERRIDE = getArg('--provider', null);
-
-// Default repo URL — used when token is v1 (no repo field)
-const DEFAULT_REPO = 'https://github.com/moltyguibros-design/openclaw-node.git';
+const NATS_OVERRIDE = getArg('--nats', null);
+const PROVIDER_OVERRIDE = getArg('--provider', 'claude');
+const REPO = getArg('--repo', 'https://github.com/moltyguibros-design/openclaw-node.git');
+const SSH_PUBKEY = getArg('--ssh-key', null);
 
 // ── Logging ───────────────────────────────────────────
 
@@ -61,39 +59,91 @@ function warn(msg){ console.log(`${YELLOW}  ⚠${RESET} ${msg}`); }
 function fail(msg){ console.error(`${RED}  ✗${RESET} ${msg}`); }
 function step(n, msg) { console.log(`\n${BOLD}[${n}]${RESET} ${msg}`); }
 
-// ── Token Parsing ─────────────────────────────────────
+// ── TCP Port Probe (pure Node, no nc dependency) ────
+
+function probePort(ip, port) {
+  return new Promise((resolve) => {
+    const sock = new net.Socket();
+    sock.setTimeout(2000);
+    sock.on('connect', () => { sock.destroy(); resolve(true); });
+    sock.on('error', () => resolve(false));
+    sock.on('timeout', () => { sock.destroy(); resolve(false); });
+    sock.connect(port, ip);
+  });
+}
 
-function parseToken(raw) {
-  if (!raw) {
-    fail('No join token provided. Use --token <token> or set MESH_JOIN_TOKEN env var.');
-    fail('Generate a token on the lead node: node bin/mesh-join-token.js');
-    process.exit(1);
+// ── Tailscale NATS Discovery ─────────────────────────
+
+async function discoverNats() {
+  if (NATS_OVERRIDE) {
+    ok(`Using explicit NATS URL: ${NATS_OVERRIDE}`);
+    return NATS_OVERRIDE;
   }
 
+  // Check existing config first
+  const envPath = path.join(os.homedir(), '.openclaw', 'openclaw.env');
+  if (fs.existsSync(envPath)) {
+    const content = fs.readFileSync(envPath, 'utf8');
+    const match = content.match(/^\s*OPENCLAW_NATS\s*=\s*(.+)/m);
+    if (match) {
+      const existing = match[1].trim();
+      ok(`Found existing NATS config: ${existing}`);
+      return existing;
+    }
+  }
+
+  // Scan Tailscale peers
+  log('Scanning Tailscale network for NATS...');
+
+  let tsStatus;
   try {
-    const decoded = JSON.parse(Buffer.from(raw, 'base64url').toString('utf8'));
-    return { payload: decoded.p, signature: decoded.s };
+    tsStatus = JSON.parse(execSync('tailscale status --json', { encoding: 'utf8', timeout: 10000 }));
   } catch (e) {
-    fail(`Invalid token format: ${e.message}`);
+    fail('Tailscale not available or not connected.');
+    fail('Install Tailscale and join your network, or use --nats nats://host:4222');
     process.exit(1);
   }
-}
 
-function validateToken(payload) {
-  // Accept v1 (no repo) and v2 (with repo)
-  if (payload.v !== 1 && payload.v !== 2) {
-    fail(`Unsupported token version: ${payload.v}. This provisioner supports v1 and v2.`);
-    process.exit(1);
+  // Collect all peer IPs (including self)
+  const candidates = [];
+
+  // Add self
+  if (tsStatus.Self && tsStatus.Self.TailscaleIPs) {
+    for (const ip of tsStatus.Self.TailscaleIPs) {
+      if (ip.includes('.')) candidates.push(ip); // IPv4 only
+    }
   }
-  if (payload.expires && Date.now() > payload.expires) {
-    fail(`Token expired at ${new Date(payload.expires).toISOString()}`);
-    fail('Generate a new token on the lead node: node bin/mesh-join-token.js');
-    process.exit(1);
+
+  // Add peers
+  if (tsStatus.Peer) {
+    for (const [, peer] of Object.entries(tsStatus.Peer)) {
+      if (peer.TailscaleIPs) {
+        for (const ip of peer.TailscaleIPs) {
+          if (ip.includes('.')) candidates.push(ip); // IPv4 only
+        }
+      }
+    }
   }
-  if (!payload.nats) {
-    fail('Token missing NATS URL');
+
+  if (candidates.length === 0) {
+    fail('No Tailscale peers found. Is Tailscale connected?');
+    fail('Run: tailscale up');
     process.exit(1);
   }
+
+  log(`Found ${candidates.length} Tailscale IPs. Probing port 4222...`);
+
+  for (const ip of candidates) {
+    if (await probePort(ip, 4222)) {
+      const natsUrl = `nats://${ip}:4222`;
+      ok(`NATS found at ${natsUrl}`);
+      return natsUrl;
+    }
+  }
+
+  fail('No NATS server found on any Tailscale peer (port 4222).');
+  fail('Ensure NATS is running on your lead node, or use --nats nats://host:4222');
+  process.exit(1);
 }
 
 // ── OS Detection ──────────────────────────────────────
@@ -130,11 +180,10 @@ function getNodeVersion() {
   }
 }
 
-function checkDependencies(osInfo) {
+function checkDependencies() {
   const deps = [];
   const missing = [];
 
-  // Node.js 18+
   const nodeInfo = getNodeVersion();
   if (nodeInfo && nodeInfo.major >= 18) {
     deps.push({ name: 'Node.js', status: 'ok', detail: nodeInfo.version });
@@ -146,7 +195,6 @@ function checkDependencies(osInfo) {
     missing.push('node');
   }
 
-  // Git
   if (checkCommand('git')) {
     const v = execSync('git --version', { encoding: 'utf8' }).trim();
     deps.push({ name: 'Git', status: 'ok', detail: v });
@@ -155,11 +203,11 @@ function checkDependencies(osInfo) {
     missing.push('git');
   }
 
-  // Tailscale (optional but recommended)
   if (checkCommand('tailscale')) {
     deps.push({ name: 'Tailscale', status: 'ok', detail: 'installed' });
   } else {
-    deps.push({ name: 'Tailscale', status: 'optional', detail: 'not installed (recommended for secure mesh)' });
+    deps.push({ name: 'Tailscale', status: 'missing', detail: 'required for mesh discovery' });
+    if (!NATS_OVERRIDE) missing.push('tailscale');
   }
 
   return { deps, missing };
@@ -186,7 +234,6 @@ function installMissing(missing, osInfo) {
       spawnSync('brew', ['install', pkg], { stdio: 'inherit' });
     }
   } else {
-    // Linux — try apt, then yum, then dnf
     const pm = checkCommand('apt-get') ? 'apt-get'
              : checkCommand('yum') ? 'yum'
              : checkCommand('dnf') ? 'dnf'
@@ -199,7 +246,6 @@ function installMissing(missing, osInfo) {
 
     for (const dep of missing) {
       if (dep === 'node') {
-        // Use NodeSource for recent Node.js
         log('  Installing Node.js 22.x via NodeSource...');
         try {
           execSync('curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -', { stdio: 'inherit' });
@@ -208,6 +254,15 @@ function installMissing(missing, osInfo) {
           fail(`Node.js installation failed: ${e.message}`);
           process.exit(1);
         }
+      } else if (dep === 'tailscale') {
+        log('  Installing Tailscale...');
+        try {
+          execSync('curl -fsSL https://tailscale.com/install.sh | sh', { stdio: 'inherit' });
+        } catch (e) {
+          fail(`Tailscale installation failed: ${e.message}`);
+          fail('Install manually: https://tailscale.com/download');
+          process.exit(1);
+        }
       } else {
         log(`  sudo ${pm} install -y ${dep}`);
         spawnSync('sudo', [pm, 'install', '-y', dep], { stdio: 'inherit' });
@@ -243,6 +298,46 @@ function setupDirectories() {
   }
 }
 
+// ── SSH Key Provisioning ─────────────────────────────
+
+function provisionSSHKey(pubkey) {
+  if (!pubkey) return;
+
+  const sshDir = path.join(os.homedir(), '.ssh');
+  const authKeysPath = path.join(sshDir, 'authorized_keys');
+
+  if (DRY_RUN) {
+    warn(`[DRY RUN] Would add SSH key to ${authKeysPath}`);
+    return;
+  }
+
+  if (!fs.existsSync(sshDir)) {
+    fs.mkdirSync(sshDir, { mode: 0o700 });
+    ok(`Created ${sshDir}`);
+  } else {
+    try { fs.chmodSync(sshDir, 0o700); } catch { /* best effort */ }
+  }
+
+  let existing = '';
+  if (fs.existsSync(authKeysPath)) {
+    existing = fs.readFileSync(authKeysPath, 'utf8');
+    const keyParts = pubkey.trim().split(/\s+/);
+    const keyFingerprint = keyParts.length >= 2 ? `${keyParts[0]} ${keyParts[1]}` : pubkey.trim();
+    if (existing.includes(keyFingerprint)) {
+      ok('SSH key already authorized');
+      return;
+    }
+  }
+
+  const entry = existing.endsWith('\n') || existing === ''
+    ? `${pubkey.trim()}\n`
+    : `\n${pubkey.trim()}\n`;
+  fs.appendFileSync(authKeysPath, entry, { mode: 0o600 });
+  try { fs.chmodSync(authKeysPath, 0o600); } catch { /* best effort */ }
+
+  ok('SSH key added to authorized_keys');
+}
+
 // ── NATS Configuration ───────────────────────────────
 
 function configureNats(natsUrl) {
@@ -256,7 +351,6 @@ function configureNats(natsUrl) {
   let content = '';
   if (fs.existsSync(envPath)) {
     content = fs.readFileSync(envPath, 'utf8');
-    // Update existing OPENCLAW_NATS line or append
     if (content.match(/^\s*OPENCLAW_NATS\s*=/m)) {
       content = content.replace(/^\s*OPENCLAW_NATS\s*=.*/m, `OPENCLAW_NATS=${natsUrl}`);
     } else {
@@ -276,12 +370,12 @@ function installMeshCode(repoUrl) {
   const meshDir = path.join(os.homedir(), 'openclaw');
 
   if (fs.existsSync(path.join(meshDir, 'package.json'))) {
-    ok(`Mesh code already installed at ${meshDir}`);
-    // npm install to ensure deps are current
+    ok(`Mesh code exists at ${meshDir}`);
     if (!DRY_RUN) {
-      log('  Updating dependencies...');
+      log('  Pulling latest + installing deps...');
+      spawnSync('git', ['pull', '--ff-only'], { cwd: meshDir, stdio: 'pipe' });
       spawnSync('npm', ['install', '--production'], { cwd: meshDir, stdio: 'pipe' });
-      ok('Dependencies updated');
+      ok('Updated');
     }
     return meshDir;
   }
@@ -293,15 +387,11 @@ function installMeshCode(repoUrl) {
 
   log(`Cloning mesh code from ${repoUrl}...`);
   try {
-    execSync(
-      `git clone "${repoUrl}" "${meshDir}"`,
-      { stdio: 'inherit', timeout: 60000 }
-    );
+    execSync(`git clone "${repoUrl}" "${meshDir}"`, { stdio: 'inherit', timeout: 60000 });
     spawnSync('npm', ['install', '--production'], { cwd: meshDir, stdio: 'pipe' });
     ok('Mesh code installed');
   } catch (e) {
     fail(`Failed to clone mesh code: ${e.message}`);
-    fail(`Repo URL: ${repoUrl}`);
     process.exit(1);
   }
 
@@ -312,7 +402,7 @@ function installMeshCode(repoUrl) {
 
 function installService(osInfo, meshDir, config) {
   const nodeId = os.hostname().toLowerCase().replace(/[^a-z0-9-]/g, '-');
-  const nodeBin = process.execPath; // path to current node binary
+  const nodeBin = process.execPath;
   const provider = config.provider;
 
   if (osInfo.serviceType === 'launchd') {
@@ -374,7 +464,6 @@ function installLaunchdService(meshDir, nodeBin, nodeId, provider, natsUrl) {
   fs.writeFileSync(plistPath, plist);
   ok(`Launchd service written: ${plistPath}`);
 
-  // Load the service
   try {
     execSync(`launchctl unload "${plistPath}" 2>/dev/null || true`, { stdio: 'pipe' });
     execSync(`launchctl load "${plistPath}"`, { stdio: 'pipe' });
@@ -403,6 +492,7 @@ Environment=MESH_NODE_ID=${nodeId}
 Environment=MESH_LLM_PROVIDER=${provider}
 Environment=MESH_WORKSPACE=${os.homedir()}/.openclaw/workspace
 Environment=NODE_PATH=${meshDir}/node_modules:${meshDir}/lib
+Environment=PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:${os.homedir()}/.local/bin:${os.homedir()}/.npm-global/bin
 WorkingDirectory=${meshDir}
 
 [Install]
@@ -418,7 +508,6 @@ WantedBy=default.target
   fs.writeFileSync(servicePath, service);
   ok(`Systemd service written: ${servicePath}`);
 
-  // Enable and start
   try {
     execSync('systemctl --user daemon-reload', { stdio: 'pipe' });
     execSync('systemctl --user enable openclaw-mesh-agent', { stdio: 'pipe' });
@@ -429,22 +518,17 @@ WantedBy=default.target
     warn('Try manually: systemctl --user start openclaw-mesh-agent');
   }
 
-  // Enable lingering — requires either sudo or polkit permission.
-  // Without linger, the service dies when the user logs out.
   const username = os.userInfo().username;
   try {
-    // Try without sudo first (works if polkit allows it)
     execSync(`loginctl enable-linger ${username}`, { stdio: 'pipe', timeout: 5000 });
     ok(`Linger enabled for ${username} (service survives logout)`);
   } catch {
     try {
-      // Try with sudo
       execSync(`sudo loginctl enable-linger ${username}`, { stdio: 'pipe', timeout: 5000 });
-      ok(`Linger enabled for ${username} via sudo (service survives logout)`);
-    } catch (e2) {
-      warn(`Could not enable linger for ${username}: ${e2.message}`);
-      warn('Without linger, the mesh-agent service will stop when you log out.');
-      warn(`Fix manually: sudo loginctl enable-linger ${username}`);
+      ok(`Linger enabled for ${username} via sudo`);
+    } catch {
+      warn(`Could not enable linger. Service stops on logout.`);
+      warn(`Fix: sudo loginctl enable-linger ${username}`);
     }
   }
 }
@@ -458,19 +542,15 @@ function verifyServiceRunning(osInfo) {
   }
 
   log('Waiting 8s for service to stabilize...');
-
-  // Wait for the service to either stabilize or crash
-  const waitMs = 8000;
   const start = Date.now();
-  while (Date.now() - start < waitMs) {
-    spawnSync('sleep', ['1']); // cross-platform 1s sleep
+  while (Date.now() - start < 8000) {
+    spawnSync('sleep', ['1']);
   }
 
   if (osInfo.serviceType === 'launchd') {
     try {
       const out = execSync('launchctl list | grep mesh-agent', { encoding: 'utf8', stdio: 'pipe' }).trim();
       if (out) {
-        // launchctl list format: PID\tStatus\tLabel
         const parts = out.split(/\s+/);
         const pid = parts[0];
         const exitStatus = parts[1];
@@ -488,7 +568,6 @@ function verifyServiceRunning(osInfo) {
       return false;
     }
   } else {
-    // systemd
     try {
       const result = spawnSync('systemctl', ['--user', 'is-active', 'openclaw-mesh-agent'], { encoding: 'utf8', stdio: 'pipe' });
       const status = (result.stdout || '').trim();
@@ -519,13 +598,11 @@ async function verifyNatsHealth(natsUrl, nodeId) {
   }
 
   try {
-    // Dynamic require — nats module should be installed by now
     const nats = require('nats');
     const nc = await nats.connect({ servers: natsUrl, timeout: 10000 });
 
     ok(`NATS connected: ${nc.getServer()}`);
 
-    // Publish a health announcement
     const sc = nats.StringCodec();
     nc.publish(`mesh.health.${nodeId}`, sc.encode(JSON.stringify({
       node_id: nodeId,
@@ -535,27 +612,20 @@ async function verifyNatsHealth(natsUrl, nodeId) {
       arch: os.arch(),
       timestamp: new Date().toISOString(),
     })));
-
     ok('Health announcement published');
 
-    // Try to reach the task daemon
     try {
       const msg = await nc.request('mesh.tasks.list', sc.encode(JSON.stringify({ status: 'queued' })), { timeout: 5000 });
       const resp = JSON.parse(sc.decode(msg.data));
-      if (resp.ok) {
-        ok(`Task daemon reachable — ${resp.data.length} queued task(s)`);
-      } else {
-        warn(`Task daemon responded with error: ${resp.error}`);
-      }
+      if (resp.ok) ok(`Task daemon reachable — ${resp.data.length} queued task(s)`);
     } catch {
-      warn('Task daemon not reachable (may not be running yet — this is OK for worker-only nodes)');
+      warn('Task daemon not reachable (OK for worker-only nodes)');
     }
 
     await nc.drain();
     return true;
   } catch (e) {
     fail(`NATS connection failed: ${e.message}`);
-    fail('Check that the NATS server is running and the node has network access');
     return false;
   }
 }
@@ -564,44 +634,22 @@ async function verifyNatsHealth(natsUrl, nodeId) {
 
 async function main() {
   console.log(`\n${BOLD}${CYAN}╔══════════════════════════════════════╗${RESET}`);
-  console.log(`${BOLD}${CYAN}║   OpenClaw Mesh Node Provisioner     ║${RESET}`);
+  console.log(`${BOLD}${CYAN}║   OpenClaw Mesh — Join Network       ║${RESET}`);
   console.log(`${BOLD}${CYAN}╚══════════════════════════════════════╝${RESET}\n`);
 
   if (DRY_RUN) warn('DRY RUN MODE — no changes will be made\n');
 
-  // ── Step 1: Parse and validate token ──
-  step(1, 'Validating join token...');
-  const { payload } = parseToken(TOKEN_RAW);
-  validateToken(payload);
-  ok(`Token valid (v${payload.v}, role: ${payload.role}, provider: ${payload.provider}, lead: ${payload.lead})`);
-  ok(`Expires: ${new Date(payload.expires).toISOString()}`);
-
-  // Extract config from token (with defaults for v1 tokens)
-  const repoUrl = payload.repo || DEFAULT_REPO;
-  const config = {
-    nats: payload.nats,
-    role: payload.role,
-    provider: PROVIDER_OVERRIDE || payload.provider,
-    repo: repoUrl,
-  };
-
-  if (payload.repo) {
-    ok(`Repo: ${repoUrl}`);
-  } else {
-    warn(`Token v1 (no repo field) — using default: ${DEFAULT_REPO}`);
-  }
-
-  // ── Step 2: Detect OS ──
-  step(2, 'Detecting environment...');
+  // ── Step 1: Detect OS ──
+  step(1, 'Detecting environment...');
   const osInfo = detectOS();
   const nodeId = os.hostname().toLowerCase().replace(/[^a-z0-9-]/g, '-');
   ok(`OS: ${osInfo.os} (${osInfo.arch})`);
   ok(`Node ID: ${nodeId}`);
   ok(`Service type: ${osInfo.serviceType}`);
 
-  // ── Step 3: Check dependencies ──
-  step(3, 'Checking dependencies...');
-  const { deps, missing } = checkDependencies(osInfo);
+  // ── Step 2: Check & install dependencies (including Tailscale) ──
+  step(2, 'Checking dependencies...');
+  const { deps, missing } = checkDependencies();
   for (const d of deps) {
     if (d.status === 'ok') ok(`${d.name}: ${d.detail}`);
     else if (d.status === 'optional') warn(`${d.name}: ${d.detail}`);
@@ -609,14 +657,30 @@ async function main() {
   }
 
   if (missing.length > 0) {
-    step('3b', 'Installing missing dependencies...');
+    step('2b', 'Installing missing dependencies...');
     installMissing(missing, osInfo);
   }
 
+  // ── Step 3: Discover NATS via Tailscale ──
+  step(3, 'Discovering NATS server...');
+  const natsUrl = await discoverNats();
+
+  const config = {
+    nats: natsUrl,
+    provider: PROVIDER_OVERRIDE,
+    repo: REPO,
+  };
+
   // ── Step 4: Create directory structure ──
   step(4, 'Setting up directories...');
   setupDirectories();
 
+  // ── Step 4b: Provision SSH key (if provided) ──
+  if (SSH_PUBKEY) {
+    step('4b', 'Provisioning SSH key...');
+    provisionSSHKey(SSH_PUBKEY);
+  }
+
   // ── Step 5: Configure NATS ──
   step(5, 'Configuring NATS connection...');
   configureNats(config.nats);
@@ -629,7 +693,7 @@ async function main() {
   step(7, `Installing ${osInfo.serviceType} service...`);
   installService(osInfo, meshDir, config);
 
-  // ── Step 8: Verify health (service + NATS) ──
+  // ── Step 8: Verify health ──
   step(8, 'Verifying health...');
   const serviceAlive = verifyServiceRunning(osInfo);
   const natsHealthy = await verifyNatsHealth(config.nats, nodeId);
@@ -646,8 +710,7 @@ async function main() {
     console.log(`${BOLD}${RED}  Service failed to start.${RESET}`);
     console.log(`${RED}  Provisioning complete but agent is not running.${RESET}`);
   } else {
-    console.log(`${BOLD}${YELLOW}  Node provisioned but health check failed.${RESET}`);
-    console.log(`${YELLOW}  The service is installed and will retry automatically.${RESET}`);
+    console.log(`${BOLD}${YELLOW}  Provisioned with warnings.${RESET}`);
   }
   console.log(`${BOLD}${GREEN}═══════════════════════════════════════${RESET}\n`);
 
@@ -661,10 +724,6 @@ async function main() {
     console.log(`  2. Check service: launchctl list | grep mesh-agent`);
     console.log(`  3. View logs: tail -f ~/.openclaw/workspace/.tmp/mesh-agent.log`);
   }
-  console.log(`  4. Submit a test task from lead: node bin/mesh.js submit --title "hello" --provider shell`);
-  if (!serviceAlive) {
-    console.log(`\n  ${RED}IMPORTANT: Fix the service error above before proceeding.${RESET}`);
-  }
   console.log('');
 }
 

package/cli.js

@@ -3,10 +3,8 @@
 /**
  * openclaw-node CLI — entry point for `npx openclaw-node-harness`
  *
- * Flow:
- *   1. Resolve install.sh relative to this package
- *   2. Spawn install.sh with forwarded CLI args
- *   3. Forward exit code
+ * Spawns bin/openclaw-node-init.js directly (no shell wrapper).
+ * Forwards CLI args and exit code.
  */
 
 const { spawnSync } = require('child_process');
@@ -15,19 +13,19 @@ const fs = require('fs');
 
 // ── Package paths ──
 const PKG_ROOT = __dirname;
-const INSTALL_SCRIPT = path.join(PKG_ROOT, 'install.sh');
+const INIT_SCRIPT = path.join(PKG_ROOT, 'bin', 'openclaw-node-init.js');
 
 // ── Sanity checks ──
-if (!fs.existsSync(INSTALL_SCRIPT)) {
-  console.error('ERROR: install.sh not found at', INSTALL_SCRIPT);
-  console.error('Package may be corrupted. Reinstall with: npx openclaw-node-harness');
+if (!fs.existsSync(INIT_SCRIPT)) {
+  console.error('ERROR: bin/openclaw-node-init.js not found at', INIT_SCRIPT);
+  console.error('Package may be corrupted. Reinstall with: npx openclaw-node-harness@latest');
   process.exit(1);
 }
 
-// ── Forward CLI args to install.sh ──
+// ── Forward CLI args to init script ──
 const userArgs = process.argv.slice(2);
 
-const result = spawnSync('bash', [INSTALL_SCRIPT, ...userArgs], {
+const result = spawnSync(process.execPath, [INIT_SCRIPT, ...userArgs], {
   stdio: 'inherit',
   env: { ...process.env },
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-node-harness",
-  "version": "2.0.1",
+  "version": "2.0.2",
   "description": "One-command installer for the OpenClaw node layer — identity, skills, souls, daemon, and Mission Control.",
   "bin": {
     "openclaw-node": "./cli.js"
@@ -41,5 +41,8 @@
   },
   "engines": {
     "node": ">=18"
+  },
+  "dependencies": {
+    "nats": "^2.28.2"
   }
 }