openclaw-node-harness 2.0.1 → 2.0.3

package/bin/fleet-deploy.js

@@ -23,7 +23,7 @@ const os = require('os');
 
 const { NATS_URL, natsConnectOpts } = require('../lib/nats-resolve');
 const sc = StringCodec();
-const REPO_DIR = process.env.OPENCLAW_REPO_DIR || path.join(os.homedir(), 'openclaw-node');
+const REPO_DIR = process.env.OPENCLAW_REPO_DIR || path.join(os.homedir(), 'openclaw');
 const NODE_ID = process.env.OPENCLAW_NODE_ID ||
   os.hostname().toLowerCase().replace(/[^a-z0-9-]/g, '-');
 

package/bin/mesh-agent.js

@@ -117,7 +117,7 @@ function buildInitialPrompt(task) {
     parts.push('');
   }
 
-  if (task.success_criteria.length > 0) {
+  if (task.success_criteria && task.success_criteria.length > 0) {
     parts.push('## Success Criteria');
     for (const c of task.success_criteria) {
       parts.push(`- ${c}`);
@@ -132,7 +132,7 @@ function buildInitialPrompt(task) {
     parts.push('');
   }
 
-  if (task.scope.length > 0) {
+  if (task.scope && task.scope.length > 0) {
     parts.push('## Scope');
     parts.push('Only modify these files/paths:');
     for (const s of task.scope) {
@@ -192,7 +192,7 @@ function buildRetryPrompt(task, previousAttempts, attemptNumber) {
     parts.push('');
   }
 
-  if (task.scope.length > 0) {
+  if (task.scope && task.scope.length > 0) {
     parts.push('## Scope');
     for (const s of task.scope) {
       parts.push(`- ${s}`);

package/bin/mesh-deploy-listener.js

@@ -26,7 +26,7 @@ const os = require('os');
 const NODE_ID = process.env.OPENCLAW_NODE_ID ||
   os.hostname().toLowerCase().replace(/[^a-z0-9-]/g, '-');
 const REPO_DIR = process.env.OPENCLAW_REPO_DIR ||
-  path.join(os.homedir(), 'openclaw-node');
+  path.join(os.homedir(), 'openclaw');
 const DEPLOY_SCRIPT = path.join(REPO_DIR, 'bin', 'mesh-deploy.js');
 
 const { NATS_URL, natsConnectOpts } = require('../lib/nats-resolve');

package/bin/mesh-deploy.js

@@ -32,7 +32,7 @@
  *
  * ENVIRONMENT:
  *   OPENCLAW_DEPLOY_BRANCH   — git branch (default: main)
- *   OPENCLAW_REPO_DIR        — repo location (default: ~/openclaw-node)
+ *   OPENCLAW_REPO_DIR        — repo location (default: ~/openclaw)
  *   OPENCLAW_NATS            — NATS server URL (from env or openclaw.env)
  */
 
@@ -47,7 +47,7 @@ const crypto = require('crypto');
 const IS_MAC = os.platform() === 'darwin';
 const HOME = os.homedir();
 const DEPLOY_BRANCH = process.env.OPENCLAW_DEPLOY_BRANCH || 'main';
-const REPO_DIR = process.env.OPENCLAW_REPO_DIR || path.join(HOME, 'openclaw-node');
+const REPO_DIR = process.env.OPENCLAW_REPO_DIR || path.join(HOME, 'openclaw');
 
 // Standard directory layout
 const DIRS = {
@@ -884,7 +884,7 @@ async function main() {
 
     if (!fs.existsSync(REPO_DIR)) {
       fail(`Repo not found at ${REPO_DIR}`);
-      console.log(`  Clone it: git clone https://github.com/moltyguibros-design/openclaw-node.git ${REPO_DIR}`);
+      console.log(`  Clone it: git clone https://github.com/moltyguibros-design/openclaw-node.git "${REPO_DIR}"`);
       process.exit(1);
     }
 

package/bin/mesh-health-publisher.js

@@ -29,7 +29,7 @@ const HEALTH_BUCKET = "MESH_NODE_HEALTH";
 const KV_TTL_MS = 120_000; // entries expire after 2 minutes if node dies
 
 const REPO_DIR = process.env.OPENCLAW_REPO_DIR ||
-  path.join(os.homedir(), 'openclaw-node');
+  path.join(os.homedir(), 'openclaw');
 
 const sc = StringCodec();
 const IS_MAC = os.platform() === "darwin";

package/bin/mesh-join-token.js

@@ -43,6 +43,21 @@ const PROVIDER = getArg('--provider', 'claude');
 const EXPIRES = getArg('--expires', '48h');
 const REPO = getArg('--repo', 'https://github.com/moltyguibros-design/openclaw-node.git');
 const ONE_LINER = args.includes('--one-liner');
+const NO_SSH = args.includes('--no-ssh');
+
+// Read lead node's SSH public key (auto-discover from ~/.ssh/)
+function getLeadSSHPubkey() {
+  if (NO_SSH) return null;
+  const sshDir = path.join(os.homedir(), '.ssh');
+  const candidates = ['id_ed25519_openclaw.pub', 'id_ed25519.pub', 'id_rsa.pub', 'id_ecdsa.pub'];
+  for (const f of candidates) {
+    const p = path.join(sshDir, f);
+    if (fs.existsSync(p)) {
+      return fs.readFileSync(p, 'utf8').trim();
+    }
+  }
+  return null;
+}
 
 // ── Token secret ──────────────────────────────────────
 // Stored at ~/.openclaw/.mesh-secret. Created on first use.
@@ -81,8 +96,10 @@ function generateToken() {
   const secret = getOrCreateSecret();
   const expiresAt = parseExpiry(EXPIRES);
 
+  const sshPubkey = getLeadSSHPubkey();
+
   const payload = {
-    v: 2,                           // token version (v2: added repo field)
+    v: 3,                           // token version (v3: added ssh_pubkey)
     nats: NATS_URL,                 // NATS server URL
     role: ROLE,                     // node role
     provider: PROVIDER,             // default LLM provider
@@ -90,6 +107,7 @@ function generateToken() {
     lead: os.hostname(),            // lead node hostname (for reference)
     issued: Date.now(),             // issued timestamp
     expires: expiresAt,             // expiry timestamp
+    ...(sshPubkey && { ssh_pubkey: sshPubkey }), // lead node's SSH public key
   };
 
   // HMAC-SHA256 signature for integrity

package/bin/mesh.js

@@ -29,23 +29,44 @@ const path = require('path');
 const os = require('os');
 
 // ─── Config ──────────────────────────────────────────
-// NATS URL resolved via shared lib (env var → openclaw.env → .mesh-config → localhost fallback)
-const { NATS_URL, natsConnectOpts } = require('../lib/nats-resolve');
+// ── NATS URL resolution: env var → ~/.openclaw/openclaw.env → fallback IP ──
+const NATS_FALLBACK = 'nats://100.91.131.61:4222';
+function resolveNatsUrl() {
+  if (process.env.OPENCLAW_NATS) return process.env.OPENCLAW_NATS;
+  try {
+    const envFile = path.join(os.homedir(), '.openclaw', 'openclaw.env');
+    if (fs.existsSync(envFile)) {
+      const content = fs.readFileSync(envFile, 'utf8');
+      const match = content.match(/^\s*OPENCLAW_NATS\s*=\s*(.+)/m);
+      if (match && match[1].trim()) return match[1].trim();
+    }
+  } catch {}
+  return NATS_FALLBACK;
+}
+const NATS_URL = resolveNatsUrl();
 const SHARED_DIR = path.join(os.homedir(), 'openclaw', 'shared');
 const LOCAL_NODE = os.hostname().toLowerCase().replace(/[^a-z0-9-]/g, '-');
 const sc = StringCodec();
 
 // ─── Known nodes (for --node shortcuts) ──────────────
-// Load from ~/.openclaw/mesh-aliases.json if it exists, otherwise empty.
-let NODE_ALIASES = {};
-try {
-  const aliasFile = path.join(os.homedir(), '.openclaw', 'mesh-aliases.json');
-  if (fs.existsSync(aliasFile)) {
-    NODE_ALIASES = JSON.parse(fs.readFileSync(aliasFile, 'utf8'));
-  }
-} catch {
-  // File missing or malformed — proceed with no aliases
+const NODE_ALIASES_DEFAULTS = {
+  'ubuntu': 'calos-vmware-virtual-platform',
+  'linux': 'calos-vmware-virtual-platform',
+  'mac': 'moltymacs-virtual-machine-local',
+  'macos': 'moltymacs-virtual-machine-local',
+};
+
+function loadNodeAliases() {
+  const aliasPath = path.join(os.homedir(), '.openclaw', 'mesh-aliases.json');
+  try {
+    if (fs.existsSync(aliasPath)) {
+      const custom = JSON.parse(fs.readFileSync(aliasPath, 'utf8'));
+      return { ...NODE_ALIASES_DEFAULTS, ...custom };
+    }
+  } catch {}
+  return NODE_ALIASES_DEFAULTS;
 }
+const NODE_ALIASES = loadNodeAliases();
 
 /**
  * Resolve a node name — accepts aliases, full IDs, or "self"/"local"
@@ -98,7 +119,7 @@ function checkExecSafety(command) {
  */
 async function natsConnect() {
   try {
-    return await connect(natsConnectOpts({ timeout: 5000 }));
+    return await connect({ servers: NATS_URL, timeout: 5000 });
   } catch (err) {
     console.error(`Error: Cannot connect to NATS at ${NATS_URL}`);
     console.error(`Is the NATS server running? Is Tailscale connected?`);
@@ -140,21 +161,15 @@ async function collectHeartbeats(nc, waitMs = 3000) {
     uptime: os.uptime(),
   };
 
-  // Force-unsubscribe after deadline to prevent hanging if no messages arrive
-  const timer = setTimeout(() => sub.unsubscribe(), waitMs);
-
   // Listen for heartbeats for a few seconds
   const deadline = Date.now() + waitMs;
   for await (const msg of sub) {
-    try {
-      const s = JSON.parse(sc.decode(msg.data));
-      if (s.node !== LOCAL_NODE) {
-        nodes[s.node] = s;
-      }
-    } catch {}
+    const s = JSON.parse(sc.decode(msg.data));
+    if (s.node !== LOCAL_NODE) {
+      nodes[s.node] = s;
+    }
     if (Date.now() >= deadline) break;
   }
-  clearTimeout(timer);
   sub.unsubscribe();
   return nodes;
 }
@@ -575,6 +590,119 @@ async function cmdRepair(args) {
   }
 }
 
+/**
+ * mesh deploy [--force] [--component <name>] [--node <name>] — trigger fleet deploy.
+ *
+ * Publishes mesh.deploy.trigger to NATS. All nodes with mesh-deploy-listener
+ * will pull from git and self-deploy. Polls MESH_DEPLOY_RESULTS for status.
+ */
+async function cmdDeploy(args) {
+  const { execSync } = require('child_process');
+  const repoDir = process.env.OPENCLAW_REPO_DIR || path.join(os.homedir(), 'openclaw');
+  const force = args.includes('--force');
+
+  // Parse --component flags
+  const components = [];
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === '--component' && args[i + 1]) {
+      components.push(args[i + 1]);
+      i++;
+    }
+  }
+
+  // Parse --node flags (target specific nodes, default: all)
+  const targetNodes = [];
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === '--node' && args[i + 1]) {
+      targetNodes.push(resolveNode(args[i + 1]));
+      i++;
+    }
+  }
+
+  // Get current SHA and branch
+  let sha, branch;
+  try {
+    sha = execSync('git rev-parse --short HEAD', { cwd: repoDir, encoding: 'utf8' }).trim();
+    branch = execSync('git rev-parse --abbrev-ref HEAD', { cwd: repoDir, encoding: 'utf8' }).trim();
+  } catch {
+    console.error(`Error: Cannot read git state from ${repoDir}`);
+    process.exit(1);
+  }
+
+  console.log(`Deploying ${sha} (${branch})${force ? ' [FORCE]' : ''}`);
+  if (components.length > 0) console.log(`  Components: ${components.join(', ')}`);
+  if (targetNodes.length > 0) console.log(`  Targets: ${targetNodes.join(', ')}`);
+  else console.log('  Targets: all nodes');
+
+  const nc = await natsConnect();
+
+  const trigger = {
+    sha,
+    branch,
+    components: components.length > 0 ? components : ['all'],
+    nodes: targetNodes.length > 0 ? targetNodes : ['all'],
+    force,
+    initiator: LOCAL_NODE,
+    timestamp: new Date().toISOString(),
+  };
+
+  // Write "latest" marker so offline nodes can catch up
+  try {
+    const js = nc.jetstream();
+    const resultsKv = await js.views.kv('MESH_DEPLOY_RESULTS', { history: 5, ttl: 7 * 24 * 60 * 60 * 1000 });
+    await resultsKv.put('latest', sc.encode(JSON.stringify({ sha, branch })));
+  } catch {}
+
+  // Publish trigger
+  nc.publish('mesh.deploy.trigger', sc.encode(JSON.stringify(trigger)));
+  await nc.flush();
+  console.log('Deploy trigger sent.\n');
+
+  // Poll for results (15s timeout)
+  console.log('Waiting for node responses...');
+  const deadline = Date.now() + 15000;
+  const seen = new Set();
+
+  try {
+    const js = nc.jetstream();
+    const resultsKv = await js.views.kv('MESH_DEPLOY_RESULTS');
+
+    while (Date.now() < deadline) {
+      const allAliasNodes = [...new Set(Object.values(NODE_ALIASES))];
+      const checkNodes = targetNodes.length > 0 ? targetNodes : allAliasNodes;
+
+      for (const nodeId of checkNodes) {
+        if (seen.has(nodeId)) continue;
+        const key = `${sha}-${nodeId}`;
+        try {
+          const entry = await resultsKv.get(key);
+          if (entry && entry.value) {
+            const result = JSON.parse(sc.decode(entry.value));
+            if (result.status === 'success' || result.status === 'failed' || result.status === 'skipped') {
+              const icon = result.status === 'success' ? '\x1b[32m✓\x1b[0m' : result.status === 'skipped' ? '\x1b[33m-\x1b[0m' : '\x1b[31m✗\x1b[0m';
+              console.log(`  ${icon} ${nodeId}: ${result.status} (${result.durationSeconds || 0}s)`);
+              if (result.errors && result.errors.length > 0) {
+                for (const e of result.errors) console.log(`    Error: ${e}`);
+              }
+              seen.add(nodeId);
+            }
+          }
+        } catch {}
+      }
+
+      if (seen.size >= checkNodes.length) break;
+      await new Promise(r => setTimeout(r, 2000));
+    }
+  } catch {}
+
+  if (seen.size === 0) {
+    console.log('  (no responses yet — nodes may still be deploying)');
+  }
+
+  console.log('');
+  await nc.close();
+}
+
 /**
  * mesh help — show usage.
  */
@@ -602,6 +730,10 @@ function cmdHelp() {
     '  mesh health --json                      Health check (JSON output)',
     '  mesh repair                             Self-repair this node',
     '  mesh repair --all                       Self-repair ALL nodes',
+    '  mesh deploy                             Deploy to all nodes',
+    '  mesh deploy --force                     Force deploy (even if up to date)',
+    '  mesh deploy --component <name>          Deploy specific component',
+    '  mesh deploy --node <name>               Deploy to specific node',
     '',
     'NODE ALIASES:',
     '  ubuntu, linux   = Ubuntu VM (calos-vmware-virtual-platform)',
@@ -632,6 +764,7 @@ async function main() {
     case 'tasks':     return cmdTasks(args);
     case 'health':    return cmdHealth(args);
     case 'repair':    return cmdRepair(args);
+    case 'deploy':    return cmdDeploy(args);
     case 'help':
     case '--help':
     case '-h':        return cmdHelp();

package/bin/openclaw-node-init.js

@@ -1,32 +1,31 @@
 #!/usr/bin/env node
 
 /**
- * openclaw-node-init.js — One-click mesh node provisioner.
+ * openclaw-node-init.js — Zero-config mesh node provisioner.
  *
- * Takes a join token (from mesh-join-token.js) and bootstraps a fully
- * functional mesh worker node. Handles:
- *   1. Token validation (signature + expiry)
+ * Tailscale IS the trust layer. No tokens. No secrets. No lead interaction.
+ *
+ * What it does:
+ *   1. Scan Tailscale peers for NATS (port 4222)
  *   2. OS detection (macOS/Linux)
- *   3. Dependency checks (Node.js, git, nats-server optional)
+ *   3. Dependency checks (Node.js, git)
  *   4. Directory structure (~/.openclaw/)
- *   5. NATS configuration (from token)
- *   6. Mesh code installation (repo URL from token)
+ *   5. NATS configuration (auto-discovered)
+ *   6. Mesh code installation (git clone)
  *   7. Service installation (launchd/systemd)
  *   8. Health verification (service alive + NATS connectivity)
  *
  * Usage:
- *   MESH_JOIN_TOKEN=<token> node bin/openclaw-node-init.js
- *   node bin/openclaw-node-init.js --token <token>
- *   node bin/openclaw-node-init.js --token <token> --dry-run
- *   node bin/openclaw-node-init.js --token <token> --provider deepseek
- *
- * The token contains NATS URL, repo URL, role, and default provider.
- * API keys must be set separately in ~/.openclaw/openclaw.env after provisioning.
+ *   npx openclaw-node                                    # auto-discover everything
+ *   node bin/openclaw-node-init.js                        # same
+ *   node bin/openclaw-node-init.js --nats nats://x:4222   # explicit NATS URL
+ *   node bin/openclaw-node-init.js --provider deepseek    # set default LLM
+ *   node bin/openclaw-node-init.js --dry-run              # preview only
  */
 
 const { execSync, spawnSync } = require('child_process');
-const crypto = require('crypto');
 const fs = require('fs');
+const net = require('net');
 const os = require('os');
 const path = require('path');
 
@@ -40,11 +39,10 @@ function getArg(flag, defaultVal) {
   return idx >= 0 && args[idx + 1] ? args[idx + 1] : defaultVal;
 }
 
-const TOKEN_RAW = getArg('--token', null) || process.env.MESH_JOIN_TOKEN;
-const PROVIDER_OVERRIDE = getArg('--provider', null);
-
-// Default repo URL — used when token is v1 (no repo field)
-const DEFAULT_REPO = 'https://github.com/moltyguibros-design/openclaw-node.git';
+const NATS_OVERRIDE = getArg('--nats', null);
+const PROVIDER_OVERRIDE = getArg('--provider', 'claude');
+const REPO = getArg('--repo', 'https://github.com/moltyguibros-design/openclaw-node.git');
+const SSH_PUBKEY = getArg('--ssh-key', null);
 
 // ── Logging ───────────────────────────────────────────
 
@@ -61,39 +59,91 @@ function warn(msg){ console.log(`${YELLOW}  ⚠${RESET} ${msg}`); }
 function fail(msg){ console.error(`${RED}  ✗${RESET} ${msg}`); }
 function step(n, msg) { console.log(`\n${BOLD}[${n}]${RESET} ${msg}`); }
 
-// ── Token Parsing ─────────────────────────────────────
+// ── TCP Port Probe (pure Node, no nc dependency) ────
+
+function probePort(ip, port) {
+  return new Promise((resolve) => {
+    const sock = new net.Socket();
+    sock.setTimeout(2000);
+    sock.on('connect', () => { sock.destroy(); resolve(true); });
+    sock.on('error', () => resolve(false));
+    sock.on('timeout', () => { sock.destroy(); resolve(false); });
+    sock.connect(port, ip);
+  });
+}
 
-function parseToken(raw) {
-  if (!raw) {
-    fail('No join token provided. Use --token <token> or set MESH_JOIN_TOKEN env var.');
-    fail('Generate a token on the lead node: node bin/mesh-join-token.js');
-    process.exit(1);
+// ── Tailscale NATS Discovery ─────────────────────────
+
+async function discoverNats() {
+  if (NATS_OVERRIDE) {
+    ok(`Using explicit NATS URL: ${NATS_OVERRIDE}`);
+    return NATS_OVERRIDE;
+  }
+
+  // Check existing config first
+  const envPath = path.join(os.homedir(), '.openclaw', 'openclaw.env');
+  if (fs.existsSync(envPath)) {
+    const content = fs.readFileSync(envPath, 'utf8');
+    const match = content.match(/^\s*OPENCLAW_NATS\s*=\s*(.+)/m);
+    if (match) {
+      const existing = match[1].trim();
+      ok(`Found existing NATS config: ${existing}`);
+      return existing;
+    }
   }
 
+  // Scan Tailscale peers
+  log('Scanning Tailscale network for NATS...');
+
+  let tsStatus;
   try {
-    const decoded = JSON.parse(Buffer.from(raw, 'base64url').toString('utf8'));
-    return { payload: decoded.p, signature: decoded.s };
+    tsStatus = JSON.parse(execSync('tailscale status --json', { encoding: 'utf8', timeout: 10000 }));
   } catch (e) {
-    fail(`Invalid token format: ${e.message}`);
+    fail('Tailscale not available or not connected.');
+    fail('Install Tailscale and join your network, or use --nats nats://host:4222');
     process.exit(1);
   }
-}
 
-function validateToken(payload) {
-  // Accept v1 (no repo) and v2 (with repo)
-  if (payload.v !== 1 && payload.v !== 2) {
-    fail(`Unsupported token version: ${payload.v}. This provisioner supports v1 and v2.`);
-    process.exit(1);
+  // Collect all peer IPs (including self)
+  const candidates = [];
+
+  // Add self
+  if (tsStatus.Self && tsStatus.Self.TailscaleIPs) {
+    for (const ip of tsStatus.Self.TailscaleIPs) {
+      if (ip.includes('.')) candidates.push(ip); // IPv4 only
+    }
   }
-  if (payload.expires && Date.now() > payload.expires) {
-    fail(`Token expired at ${new Date(payload.expires).toISOString()}`);
-    fail('Generate a new token on the lead node: node bin/mesh-join-token.js');
-    process.exit(1);
+
+  // Add peers
+  if (tsStatus.Peer) {
+    for (const [, peer] of Object.entries(tsStatus.Peer)) {
+      if (peer.TailscaleIPs) {
+        for (const ip of peer.TailscaleIPs) {
+          if (ip.includes('.')) candidates.push(ip); // IPv4 only
+        }
+      }
+    }
   }
-  if (!payload.nats) {
-    fail('Token missing NATS URL');
+
+  if (candidates.length === 0) {
+    fail('No Tailscale peers found. Is Tailscale connected?');
+    fail('Run: tailscale up');
     process.exit(1);
   }
+
+  log(`Found ${candidates.length} Tailscale IPs. Probing port 4222...`);
+
+  for (const ip of candidates) {
+    if (await probePort(ip, 4222)) {
+      const natsUrl = `nats://${ip}:4222`;
+      ok(`NATS found at ${natsUrl}`);
+      return natsUrl;
+    }
+  }
+
+  fail('No NATS server found on any Tailscale peer (port 4222).');
+  fail('Ensure NATS is running on your lead node, or use --nats nats://host:4222');
+  process.exit(1);
 }
 
 // ── OS Detection ──────────────────────────────────────
@@ -130,11 +180,10 @@ function getNodeVersion() {
   }
 }
 
-function checkDependencies(osInfo) {
+function checkDependencies() {
   const deps = [];
   const missing = [];
 
-  // Node.js 18+
   const nodeInfo = getNodeVersion();
   if (nodeInfo && nodeInfo.major >= 18) {
     deps.push({ name: 'Node.js', status: 'ok', detail: nodeInfo.version });
@@ -146,7 +195,6 @@ function checkDependencies(osInfo) {
     missing.push('node');
   }
 
-  // Git
   if (checkCommand('git')) {
     const v = execSync('git --version', { encoding: 'utf8' }).trim();
     deps.push({ name: 'Git', status: 'ok', detail: v });
@@ -155,11 +203,11 @@ function checkDependencies(osInfo) {
     missing.push('git');
   }
 
-  // Tailscale (optional but recommended)
   if (checkCommand('tailscale')) {
     deps.push({ name: 'Tailscale', status: 'ok', detail: 'installed' });
   } else {
-    deps.push({ name: 'Tailscale', status: 'optional', detail: 'not installed (recommended for secure mesh)' });
+    deps.push({ name: 'Tailscale', status: 'missing', detail: 'required for mesh discovery' });
+    if (!NATS_OVERRIDE) missing.push('tailscale');
   }
 
   return { deps, missing };
@@ -186,7 +234,6 @@ function installMissing(missing, osInfo) {
       spawnSync('brew', ['install', pkg], { stdio: 'inherit' });
     }
   } else {
-    // Linux — try apt, then yum, then dnf
     const pm = checkCommand('apt-get') ? 'apt-get'
              : checkCommand('yum') ? 'yum'
              : checkCommand('dnf') ? 'dnf'
@@ -199,7 +246,6 @@ function installMissing(missing, osInfo) {
 
     for (const dep of missing) {
       if (dep === 'node') {
-        // Use NodeSource for recent Node.js
         log('  Installing Node.js 22.x via NodeSource...');
         try {
           execSync('curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -', { stdio: 'inherit' });
@@ -208,6 +254,15 @@ function installMissing(missing, osInfo) {
           fail(`Node.js installation failed: ${e.message}`);
           process.exit(1);
         }
+      } else if (dep === 'tailscale') {
+        log('  Installing Tailscale...');
+        try {
+          execSync('curl -fsSL https://tailscale.com/install.sh | sh', { stdio: 'inherit' });
+        } catch (e) {
+          fail(`Tailscale installation failed: ${e.message}`);
+          fail('Install manually: https://tailscale.com/download');
+          process.exit(1);
+        }
       } else {
         log(`  sudo ${pm} install -y ${dep}`);
         spawnSync('sudo', [pm, 'install', '-y', dep], { stdio: 'inherit' });
@@ -243,6 +298,46 @@ function setupDirectories() {
   }
 }
 
+// ── SSH Key Provisioning ─────────────────────────────
+
+function provisionSSHKey(pubkey) {
+  if (!pubkey) return;
+
+  const sshDir = path.join(os.homedir(), '.ssh');
+  const authKeysPath = path.join(sshDir, 'authorized_keys');
+
+  if (DRY_RUN) {
+    warn(`[DRY RUN] Would add SSH key to ${authKeysPath}`);
+    return;
+  }
+
+  if (!fs.existsSync(sshDir)) {
+    fs.mkdirSync(sshDir, { mode: 0o700 });
+    ok(`Created ${sshDir}`);
+  } else {
+    try { fs.chmodSync(sshDir, 0o700); } catch { /* best effort */ }
+  }
+
+  let existing = '';
+  if (fs.existsSync(authKeysPath)) {
+    existing = fs.readFileSync(authKeysPath, 'utf8');
+    const keyParts = pubkey.trim().split(/\s+/);
+    const keyFingerprint = keyParts.length >= 2 ? `${keyParts[0]} ${keyParts[1]}` : pubkey.trim();
+    if (existing.includes(keyFingerprint)) {
+      ok('SSH key already authorized');
+      return;
+    }
+  }
+
+  const entry = existing.endsWith('\n') || existing === ''
+    ? `${pubkey.trim()}\n`
+    : `\n${pubkey.trim()}\n`;
+  fs.appendFileSync(authKeysPath, entry, { mode: 0o600 });
+  try { fs.chmodSync(authKeysPath, 0o600); } catch { /* best effort */ }
+
+  ok('SSH key added to authorized_keys');
+}
+
 // ── NATS Configuration ───────────────────────────────
 
 function configureNats(natsUrl) {
@@ -256,7 +351,6 @@ function configureNats(natsUrl) {
   let content = '';
   if (fs.existsSync(envPath)) {
     content = fs.readFileSync(envPath, 'utf8');
-    // Update existing OPENCLAW_NATS line or append
     if (content.match(/^\s*OPENCLAW_NATS\s*=/m)) {
       content = content.replace(/^\s*OPENCLAW_NATS\s*=.*/m, `OPENCLAW_NATS=${natsUrl}`);
     } else {
@@ -276,12 +370,12 @@ function installMeshCode(repoUrl) {
   const meshDir = path.join(os.homedir(), 'openclaw');
 
   if (fs.existsSync(path.join(meshDir, 'package.json'))) {
-    ok(`Mesh code already installed at ${meshDir}`);
-    // npm install to ensure deps are current
+    ok(`Mesh code exists at ${meshDir}`);
     if (!DRY_RUN) {
-      log('  Updating dependencies...');
+      log('  Pulling latest + installing deps...');
+      spawnSync('git', ['pull', '--ff-only'], { cwd: meshDir, stdio: 'pipe' });
       spawnSync('npm', ['install', '--production'], { cwd: meshDir, stdio: 'pipe' });
-      ok('Dependencies updated');
+      ok('Updated');
     }
     return meshDir;
   }
@@ -293,15 +387,11 @@ function installMeshCode(repoUrl) {
 
   log(`Cloning mesh code from ${repoUrl}...`);
   try {
-    execSync(
-      `git clone "${repoUrl}" "${meshDir}"`,
-      { stdio: 'inherit', timeout: 60000 }
-    );
+    execSync(`git clone "${repoUrl}" "${meshDir}"`, { stdio: 'inherit', timeout: 60000 });
     spawnSync('npm', ['install', '--production'], { cwd: meshDir, stdio: 'pipe' });
     ok('Mesh code installed');
   } catch (e) {
     fail(`Failed to clone mesh code: ${e.message}`);
-    fail(`Repo URL: ${repoUrl}`);
     process.exit(1);
   }
 
@@ -312,7 +402,7 @@ function installMeshCode(repoUrl) {
 
 function installService(osInfo, meshDir, config) {
   const nodeId = os.hostname().toLowerCase().replace(/[^a-z0-9-]/g, '-');
-  const nodeBin = process.execPath; // path to current node binary
+  const nodeBin = process.execPath;
   const provider = config.provider;
 
   if (osInfo.serviceType === 'launchd') {
@@ -370,15 +460,60 @@ function installLaunchdService(meshDir, nodeBin, nodeId, provider, natsUrl) {
     return;
   }
 
+  // Deploy listener plist
+  const deployPlistPath = path.join(plistDir, 'ai.openclaw.deploy-listener.plist');
+  const deployPlist = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>ai.openclaw.deploy-listener</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>${nodeBin}</string>
+    <string>${meshDir}/bin/mesh-deploy-listener.js</string>
+  </array>
+  <key>KeepAlive</key>
+  <true/>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>StandardOutPath</key>
+  <string>${os.homedir()}/.openclaw/workspace/.tmp/mesh-deploy-listener.log</string>
+  <key>StandardErrorPath</key>
+  <string>${os.homedir()}/.openclaw/workspace/.tmp/mesh-deploy-listener.err</string>
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>OPENCLAW_NATS</key>
+    <string>${natsUrl}</string>
+    <key>OPENCLAW_NODE_ID</key>
+    <string>${nodeId}</string>
+    <key>OPENCLAW_NODE_ROLE</key>
+    <string>worker</string>
+    <key>OPENCLAW_REPO_DIR</key>
+    <string>${meshDir}</string>
+    <key>PATH</key>
+    <string>/usr/local/bin:/usr/bin:/bin:/opt/homebrew/bin:${os.homedir()}/.npm-global/bin</string>
+    <key>NODE_PATH</key>
+    <string>${meshDir}/node_modules:${meshDir}/lib</string>
+  </dict>
+  <key>ThrottleInterval</key>
+  <integer>30</integer>
+</dict>
+</plist>`;
+
   fs.mkdirSync(plistDir, { recursive: true });
   fs.writeFileSync(plistPath, plist);
-  ok(`Launchd service written: ${plistPath}`);
+  ok(`Mesh agent service written: ${plistPath}`);
+  fs.writeFileSync(deployPlistPath, deployPlist);
+  ok(`Deploy listener service written: ${deployPlistPath}`);
 
-  // Load the service
   try {
     execSync(`launchctl unload "${plistPath}" 2>/dev/null || true`, { stdio: 'pipe' });
     execSync(`launchctl load "${plistPath}"`, { stdio: 'pipe' });
-    ok('Service loaded and started');
+    ok('Mesh agent loaded and started');
+    execSync(`launchctl unload "${deployPlistPath}" 2>/dev/null || true`, { stdio: 'pipe' });
+    execSync(`launchctl load "${deployPlistPath}"`, { stdio: 'pipe' });
+    ok('Deploy listener loaded and started');
   } catch (e) {
     warn(`Service load warning: ${e.message}`);
   }
@@ -403,6 +538,7 @@ Environment=MESH_NODE_ID=${nodeId}
 Environment=MESH_LLM_PROVIDER=${provider}
 Environment=MESH_WORKSPACE=${os.homedir()}/.openclaw/workspace
 Environment=NODE_PATH=${meshDir}/node_modules:${meshDir}/lib
+Environment=PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:${os.homedir()}/.local/bin:${os.homedir()}/.npm-global/bin
 WorkingDirectory=${meshDir}
 
 [Install]
@@ -418,33 +554,56 @@ WantedBy=default.target
   fs.writeFileSync(servicePath, service);
   ok(`Systemd service written: ${servicePath}`);
 
-  // Enable and start
+  // Deploy listener service
+  const deployServicePath = path.join(serviceDir, 'openclaw-deploy-listener.service');
+  const deployService = `[Unit]
+Description=OpenClaw Deploy Listener
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=${nodeBin} ${meshDir}/bin/mesh-deploy-listener.js
+Restart=always
+RestartSec=30
+Environment=OPENCLAW_NATS=${natsUrl}
+Environment=OPENCLAW_NODE_ID=${nodeId}
+Environment=OPENCLAW_NODE_ROLE=worker
+Environment=OPENCLAW_REPO_DIR=${meshDir}
+Environment=NODE_PATH=${meshDir}/node_modules:${meshDir}/lib
+Environment=PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:${os.homedir()}/.local/bin:${os.homedir()}/.npm-global/bin
+WorkingDirectory=${meshDir}
+
+[Install]
+WantedBy=default.target
+`;
+  fs.writeFileSync(deployServicePath, deployService);
+  ok(`Deploy listener service written: ${deployServicePath}`);
+
   try {
     execSync('systemctl --user daemon-reload', { stdio: 'pipe' });
     execSync('systemctl --user enable openclaw-mesh-agent', { stdio: 'pipe' });
     execSync('systemctl --user start openclaw-mesh-agent', { stdio: 'pipe' });
-    ok('Service enabled and started');
+    ok('Mesh agent enabled and started');
+    execSync('systemctl --user enable openclaw-deploy-listener', { stdio: 'pipe' });
+    execSync('systemctl --user start openclaw-deploy-listener', { stdio: 'pipe' });
+    ok('Deploy listener enabled and started');
   } catch (e) {
     warn(`Service start warning: ${e.message}`);
     warn('Try manually: systemctl --user start openclaw-mesh-agent');
   }
 
-  // Enable lingering — requires either sudo or polkit permission.
-  // Without linger, the service dies when the user logs out.
   const username = os.userInfo().username;
   try {
-    // Try without sudo first (works if polkit allows it)
     execSync(`loginctl enable-linger ${username}`, { stdio: 'pipe', timeout: 5000 });
     ok(`Linger enabled for ${username} (service survives logout)`);
   } catch {
     try {
-      // Try with sudo
       execSync(`sudo loginctl enable-linger ${username}`, { stdio: 'pipe', timeout: 5000 });
-      ok(`Linger enabled for ${username} via sudo (service survives logout)`);
-    } catch (e2) {
-      warn(`Could not enable linger for ${username}: ${e2.message}`);
-      warn('Without linger, the mesh-agent service will stop when you log out.');
-      warn(`Fix manually: sudo loginctl enable-linger ${username}`);
+      ok(`Linger enabled for ${username} via sudo`);
+    } catch {
+      warn(`Could not enable linger. Service stops on logout.`);
+      warn(`Fix: sudo loginctl enable-linger ${username}`);
     }
   }
 }
@@ -458,19 +617,15 @@ function verifyServiceRunning(osInfo) {
   }
 
   log('Waiting 8s for service to stabilize...');
-
-  // Wait for the service to either stabilize or crash
-  const waitMs = 8000;
   const start = Date.now();
-  while (Date.now() - start < waitMs) {
-    spawnSync('sleep', ['1']); // cross-platform 1s sleep
+  while (Date.now() - start < 8000) {
+    spawnSync('sleep', ['1']);
   }
 
   if (osInfo.serviceType === 'launchd') {
     try {
       const out = execSync('launchctl list | grep mesh-agent', { encoding: 'utf8', stdio: 'pipe' }).trim();
       if (out) {
-        // launchctl list format: PID\tStatus\tLabel
         const parts = out.split(/\s+/);
         const pid = parts[0];
         const exitStatus = parts[1];
@@ -488,7 +643,6 @@ function verifyServiceRunning(osInfo) {
       return false;
     }
   } else {
-    // systemd
     try {
       const result = spawnSync('systemctl', ['--user', 'is-active', 'openclaw-mesh-agent'], { encoding: 'utf8', stdio: 'pipe' });
       const status = (result.stdout || '').trim();
@@ -519,13 +673,11 @@ async function verifyNatsHealth(natsUrl, nodeId) {
   }
 
   try {
-    // Dynamic require — nats module should be installed by now
     const nats = require('nats');
     const nc = await nats.connect({ servers: natsUrl, timeout: 10000 });
 
     ok(`NATS connected: ${nc.getServer()}`);
 
-    // Publish a health announcement
     const sc = nats.StringCodec();
     nc.publish(`mesh.health.${nodeId}`, sc.encode(JSON.stringify({
       node_id: nodeId,
@@ -535,73 +687,109 @@ async function verifyNatsHealth(natsUrl, nodeId) {
       arch: os.arch(),
       timestamp: new Date().toISOString(),
     })));
-
     ok('Health announcement published');
 
-    // Try to reach the task daemon
     try {
       const msg = await nc.request('mesh.tasks.list', sc.encode(JSON.stringify({ status: 'queued' })), { timeout: 5000 });
       const resp = JSON.parse(sc.decode(msg.data));
-      if (resp.ok) {
-        ok(`Task daemon reachable — ${resp.data.length} queued task(s)`);
-      } else {
-        warn(`Task daemon responded with error: ${resp.error}`);
-      }
+      if (resp.ok) ok(`Task daemon reachable — ${resp.data.length} queued task(s)`);
     } catch {
-      warn('Task daemon not reachable (may not be running yet — this is OK for worker-only nodes)');
+      warn('Task daemon not reachable (OK for worker-only nodes)');
     }
 
     await nc.drain();
     return true;
   } catch (e) {
     fail(`NATS connection failed: ${e.message}`);
-    fail('Check that the NATS server is running and the node has network access');
     return false;
   }
 }
 
+// ── Mesh Topology Discovery ──────────────────────────
+
+async function discoverTopology(natsUrl, localNodeId) {
+  log('Discovering mesh topology...');
+
+  if (DRY_RUN) {
+    warn('[DRY RUN] Would query MESH_NODE_HEALTH and write mesh-aliases.json');
+    return;
+  }
+
+  try {
+    const nats = require('nats');
+    const nc = await nats.connect({ servers: natsUrl, timeout: 10000 });
+    const sc = nats.StringCodec();
+    const js = nc.jetstream();
+
+    const aliases = {};
+
+    // Query MESH_NODE_HEALTH for all known nodes
+    try {
+      const kv = await js.views.kv('MESH_NODE_HEALTH');
+      const keys = await kv.keys();
+      for await (const key of keys) {
+        const entry = await kv.get(key);
+        if (entry && entry.value) {
+          const health = JSON.parse(sc.decode(entry.value));
+          const nodeId = health.nodeId || key;
+          // Create short alias from node ID (strip common suffixes)
+          const short = nodeId
+            .replace(/-virtual-machine.*$/i, '')
+            .replace(/-vmware.*$/i, '')
+            .replace(/-local$/, '');
+          aliases[short] = nodeId;
+          if (health.role === 'lead') aliases['lead'] = nodeId;
+          ok(`Peer: ${nodeId} (${health.role || 'worker'}, ${health.tailscaleIp || 'unknown'})`);
+        }
+      }
+    } catch {
+      warn('MESH_NODE_HEALTH bucket not available — skipping topology');
+    }
+
+    // Also add self
+    const selfShort = localNodeId
+      .replace(/-virtual-machine.*$/i, '')
+      .replace(/-vmware.*$/i, '')
+      .replace(/-local$/, '');
+    aliases[selfShort] = localNodeId;
+    aliases['self'] = localNodeId;
+
+    await nc.drain();
+
+    if (Object.keys(aliases).length > 1) {
+      const aliasPath = path.join(os.homedir(), '.openclaw', 'mesh-aliases.json');
+      fs.writeFileSync(aliasPath, JSON.stringify(aliases, null, 2) + '\n', { mode: 0o644 });
+      ok(`Mesh aliases written: ${aliasPath} (${Object.keys(aliases).length} entries)`);
+    } else {
+      warn('No peers found in MESH_NODE_HEALTH — mesh-aliases.json will only have self');
+      const aliasPath = path.join(os.homedir(), '.openclaw', 'mesh-aliases.json');
+      fs.writeFileSync(aliasPath, JSON.stringify(aliases, null, 2) + '\n', { mode: 0o644 });
+    }
+  } catch (e) {
+    warn(`Topology discovery failed: ${e.message} (non-fatal)`);
+  }
+}
+
 // ── Main ──────────────────────────────────────────────
 
 async function main() {
   console.log(`\n${BOLD}${CYAN}╔══════════════════════════════════════╗${RESET}`);
-  console.log(`${BOLD}${CYAN}║   OpenClaw Mesh Node Provisioner     ║${RESET}`);
+  console.log(`${BOLD}${CYAN}║   OpenClaw Mesh — Join Network       ║${RESET}`);
   console.log(`${BOLD}${CYAN}╚══════════════════════════════════════╝${RESET}\n`);
 
   if (DRY_RUN) warn('DRY RUN MODE — no changes will be made\n');
 
-  // ── Step 1: Parse and validate token ──
-  step(1, 'Validating join token...');
-  const { payload } = parseToken(TOKEN_RAW);
-  validateToken(payload);
-  ok(`Token valid (v${payload.v}, role: ${payload.role}, provider: ${payload.provider}, lead: ${payload.lead})`);
-  ok(`Expires: ${new Date(payload.expires).toISOString()}`);
-
-  // Extract config from token (with defaults for v1 tokens)
-  const repoUrl = payload.repo || DEFAULT_REPO;
-  const config = {
-    nats: payload.nats,
-    role: payload.role,
-    provider: PROVIDER_OVERRIDE || payload.provider,
-    repo: repoUrl,
-  };
-
-  if (payload.repo) {
-    ok(`Repo: ${repoUrl}`);
-  } else {
-    warn(`Token v1 (no repo field) — using default: ${DEFAULT_REPO}`);
-  }
-
-  // ── Step 2: Detect OS ──
-  step(2, 'Detecting environment...');
+  // ── Step 1: Detect OS ──
+  step(1, 'Detecting environment...');
   const osInfo = detectOS();
   const nodeId = os.hostname().toLowerCase().replace(/[^a-z0-9-]/g, '-');
   ok(`OS: ${osInfo.os} (${osInfo.arch})`);
   ok(`Node ID: ${nodeId}`);
   ok(`Service type: ${osInfo.serviceType}`);
 
-  // ── Step 3: Check dependencies ──
-  step(3, 'Checking dependencies...');
-  const { deps, missing } = checkDependencies(osInfo);
+  // ── Step 2: Check & install dependencies (including Tailscale) ──
+  step(2, 'Checking dependencies...');
+  const { deps, missing } = checkDependencies();
   for (const d of deps) {
     if (d.status === 'ok') ok(`${d.name}: ${d.detail}`);
     else if (d.status === 'optional') warn(`${d.name}: ${d.detail}`);
@@ -609,14 +797,30 @@ async function main() {
   }
 
   if (missing.length > 0) {
-    step('3b', 'Installing missing dependencies...');
+    step('2b', 'Installing missing dependencies...');
     installMissing(missing, osInfo);
   }
 
+  // ── Step 3: Discover NATS via Tailscale ──
+  step(3, 'Discovering NATS server...');
+  const natsUrl = await discoverNats();
+
+  const config = {
+    nats: natsUrl,
+    provider: PROVIDER_OVERRIDE,
+    repo: REPO,
+  };
+
   // ── Step 4: Create directory structure ──
   step(4, 'Setting up directories...');
   setupDirectories();
 
+  // ── Step 4b: Provision SSH key (if provided) ──
+  if (SSH_PUBKEY) {
+    step('4b', 'Provisioning SSH key...');
+    provisionSSHKey(SSH_PUBKEY);
+  }
+
   // ── Step 5: Configure NATS ──
   step(5, 'Configuring NATS connection...');
   configureNats(config.nats);
@@ -629,12 +833,16 @@ async function main() {
   step(7, `Installing ${osInfo.serviceType} service...`);
   installService(osInfo, meshDir, config);
 
-  // ── Step 8: Verify health (service + NATS) ──
+  // ── Step 8: Verify health ──
   step(8, 'Verifying health...');
   const serviceAlive = verifyServiceRunning(osInfo);
   const natsHealthy = await verifyNatsHealth(config.nats, nodeId);
   const healthy = serviceAlive && natsHealthy;
 
+  // ── Step 9: Discover mesh topology ──
+  step(9, 'Discovering mesh topology...');
+  await discoverTopology(config.nats, nodeId);
+
   // ── Done ──
   console.log(`\n${BOLD}${GREEN}═══════════════════════════════════════${RESET}`);
   if (healthy) {
@@ -646,8 +854,7 @@ async function main() {
     console.log(`${BOLD}${RED}  Service failed to start.${RESET}`);
     console.log(`${RED}  Provisioning complete but agent is not running.${RESET}`);
   } else {
-    console.log(`${BOLD}${YELLOW}  Node provisioned but health check failed.${RESET}`);
-    console.log(`${YELLOW}  The service is installed and will retry automatically.${RESET}`);
+    console.log(`${BOLD}${YELLOW}  Provisioned with warnings.${RESET}`);
   }
   console.log(`${BOLD}${GREEN}═══════════════════════════════════════${RESET}\n`);
 
@@ -661,10 +868,6 @@ async function main() {
     console.log(`  2. Check service: launchctl list | grep mesh-agent`);
     console.log(`  3. View logs: tail -f ~/.openclaw/workspace/.tmp/mesh-agent.log`);
   }
-  console.log(`  4. Submit a test task from lead: node bin/mesh.js submit --title "hello" --provider shell`);
-  if (!serviceAlive) {
-    console.log(`\n  ${RED}IMPORTANT: Fix the service error above before proceeding.${RESET}`);
-  }
   console.log('');
 }
 

package/cli.js

@@ -3,10 +3,8 @@
 /**
  * openclaw-node CLI — entry point for `npx openclaw-node-harness`
  *
- * Flow:
- *   1. Resolve install.sh relative to this package
- *   2. Spawn install.sh with forwarded CLI args
- *   3. Forward exit code
+ * Spawns bin/openclaw-node-init.js directly (no shell wrapper).
+ * Forwards CLI args and exit code.
  */
 
 const { spawnSync } = require('child_process');
@@ -15,19 +13,19 @@ const fs = require('fs');
 
 // ── Package paths ──
 const PKG_ROOT = __dirname;
-const INSTALL_SCRIPT = path.join(PKG_ROOT, 'install.sh');
+const INIT_SCRIPT = path.join(PKG_ROOT, 'bin', 'openclaw-node-init.js');
 
 // ── Sanity checks ──
-if (!fs.existsSync(INSTALL_SCRIPT)) {
-  console.error('ERROR: install.sh not found at', INSTALL_SCRIPT);
-  console.error('Package may be corrupted. Reinstall with: npx openclaw-node-harness');
+if (!fs.existsSync(INIT_SCRIPT)) {
+  console.error('ERROR: bin/openclaw-node-init.js not found at', INIT_SCRIPT);
+  console.error('Package may be corrupted. Reinstall with: npx openclaw-node-harness@latest');
   process.exit(1);
 }
 
-// ── Forward CLI args to install.sh ──
+// ── Forward CLI args to init script ──
 const userArgs = process.argv.slice(2);
 
-const result = spawnSync('bash', [INSTALL_SCRIPT, ...userArgs], {
+const result = spawnSync(process.execPath, [INIT_SCRIPT, ...userArgs], {
   stdio: 'inherit',
   env: { ...process.env },
 });

package/lib/mesh-tasks.js

@@ -140,15 +140,15 @@ class TaskStore {
       // Apply filters
       if (filter.status && task.status !== filter.status) continue;
       if (filter.owner && task.owner !== filter.owner) continue;
-      if (filter.tag && !task.tags.includes(filter.tag)) continue;
+      if (filter.tag && (!task.tags || !task.tags.includes(filter.tag))) continue;
 
       tasks.push(task);
     }
 
     // Sort by priority (higher first), then created_at (older first)
     tasks.sort((a, b) => {
-      if (b.priority !== a.priority) return b.priority - a.priority;
-      return new Date(a.created_at) - new Date(b.created_at);
+      if ((b.priority || 0) !== (a.priority || 0)) return (b.priority || 0) - (a.priority || 0);
+      return (new Date(a.created_at || 0)) - (new Date(b.created_at || 0));
     });
 
     return tasks;
@@ -169,7 +169,7 @@ class TaskStore {
       if (task.exclude_nodes && task.exclude_nodes.includes(nodeId)) continue;
 
       // Respect dependencies
-      if (task.depends_on.length > 0) {
+      if (task.depends_on && task.depends_on.length > 0) {
         const depsReady = await this._checkDeps(task.depends_on);
         if (!depsReady) continue;
       }
@@ -192,9 +192,8 @@ class TaskStore {
     task.status = TASK_STATUS.CLAIMED;
     task.owner = nodeId;
     task.claimed_at = new Date().toISOString();
-    task.budget_deadline = new Date(
-      Date.now() + task.budget_minutes * 60 * 1000
-    ).toISOString();
+    const budgetMs = (task.budget_minutes || 30) * 60 * 1000;
+    task.budget_deadline = new Date(Date.now() + budgetMs).toISOString();
 
     await this.put(task);
     return task;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-node-harness",
-  "version": "2.0.1",
+  "version": "2.0.3",
   "description": "One-command installer for the OpenClaw node layer — identity, skills, souls, daemon, and Mission Control.",
   "bin": {
     "openclaw-node": "./cli.js"
@@ -41,5 +41,8 @@
   },
   "engines": {
     "node": ">=18"
+  },
+  "dependencies": {
+    "nats": "^2.28.2"
   }
 }