openvoiceui 1.0.0

package/deploy/skill-runner/server.py

@@ -0,0 +1,269 @@
+"""
+skill-runner/server.py — Shared JamBot skill execution service
+
+Runs on jambot-shared Docker network at http://skill-runner:8900
+NOT exposed to the host or the internet — internal only.
+
+Endpoints:
+  GET  /health          — liveness check
+  POST /extract         — document text extraction (PDF, DOCX, XLSX, PPTX)
+  POST /analyze-csv     — pandas CSV summary + stats
+"""
+
+import logging
+import os
+import re
+import tempfile
+from pathlib import Path
+
+from flask import Flask, jsonify, request
+
+logging.basicConfig(level=logging.INFO, format='%(asctime)s %(levelname)s %(message)s')
+logger = logging.getLogger(__name__)
+
+app = Flask(__name__)
+
+# ---------------------------------------------------------------------------
+# Constants
+# ---------------------------------------------------------------------------
+
+MAX_FILE_BYTES = 25 * 1024 * 1024   # 25 MB — matches openvoiceui upload limit
+MAX_PREVIEW_CHARS = 6000
+
+ALLOWED_EXTRACT_EXTENSIONS = {
+    '.pdf', '.docx', '.xlsx', '.pptx',
+}
+
+ALLOWED_CSV_EXTENSIONS = {'.csv', '.tsv'}
+
+# Control characters: strip everything except \t \n \r
+_CTRL_RE = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]')
+
+
+# ---------------------------------------------------------------------------
+# Sanitization
+# ---------------------------------------------------------------------------
+
+def sanitize(text: str) -> str:
+    """Strip control chars, collapse blank lines, cap at MAX_PREVIEW_CHARS."""
+    text = _CTRL_RE.sub('', text)
+    text = re.sub(r'\n{4,}', '\n\n\n', text)
+    return text[:MAX_PREVIEW_CHARS].strip()
+
+
+# ---------------------------------------------------------------------------
+# Extractors
+# ---------------------------------------------------------------------------
+
+def extract_pdf(path: Path) -> tuple[str, dict]:
+    from pypdf import PdfReader
+    reader = PdfReader(str(path))
+    pages = []
+    for i, page in enumerate(reader.pages):
+        try:
+            pages.append(page.extract_text() or '')
+        except Exception:
+            pages.append(f'[Page {i + 1}: extraction failed]')
+    text = sanitize('\n\n'.join(pages))
+    return text, {'pages': len(reader.pages)}
+
+
+def extract_docx(path: Path) -> tuple[str, dict]:
+    from docx import Document
+    doc = Document(str(path))
+    parts = []
+    for para in doc.paragraphs:
+        t = para.text.strip()
+        if t:
+            parts.append(t)
+    for table in doc.tables:
+        for row in table.rows:
+            cells = [c.text.strip() for c in row.cells if c.text.strip()]
+            if cells:
+                parts.append(' | '.join(cells))
+    text = sanitize('\n'.join(parts))
+    return text, {'paragraphs': len(doc.paragraphs), 'tables': len(doc.tables)}
+
+
+def extract_xlsx(path: Path) -> tuple[str, dict]:
+    import openpyxl
+    wb = openpyxl.load_workbook(str(path), read_only=True, data_only=True)
+    parts = []
+    sheet_count = 0
+    try:
+        for sheet in wb.worksheets:
+            sheet_count += 1
+            parts.append(f'[Sheet: {sheet.title}]')
+            for row in sheet.iter_rows(values_only=True):
+                cells = [str(c) for c in row if c is not None and str(c).strip()]
+                if cells:
+                    parts.append('\t'.join(cells))
+    finally:
+        wb.close()
+    text = sanitize('\n'.join(parts))
+    return text, {'sheets': sheet_count}
+
+
+def extract_pptx(path: Path) -> tuple[str, dict]:
+    from pptx import Presentation
+    prs = Presentation(str(path))
+    parts = []
+    for i, slide in enumerate(prs.slides, 1):
+        slide_texts = []
+        for shape in slide.shapes:
+            if shape.has_text_frame:
+                for para in shape.text_frame.paragraphs:
+                    t = para.text.strip()
+                    if t:
+                        slide_texts.append(t)
+        if slide_texts:
+            parts.append(f'[Slide {i}]')
+            parts.extend(slide_texts)
+    text = sanitize('\n'.join(parts))
+    return text, {'slides': len(prs.slides)}
+
+
+# ---------------------------------------------------------------------------
+# Routes
+# ---------------------------------------------------------------------------
+
+@app.route('/health')
+def health():
+    return jsonify({'status': 'ok', 'service': 'skill-runner'})
+
+
+@app.route('/extract', methods=['POST'])
+def extract():
+    """
+    Extract text from a document file.
+
+    Accepts: multipart/form-data with:
+      file     — the document bytes
+      filename — original filename (used to determine type; optional, falls back to file.filename)
+
+    Returns:
+      {text, type, chars, ...type-specific meta}
+    """
+    if 'file' not in request.files:
+        return jsonify({'error': 'No file provided'}), 400
+
+    f = request.files['file']
+    filename = request.form.get('filename') or f.filename or ''
+    ext = Path(filename).suffix.lower()
+
+    if ext not in ALLOWED_EXTRACT_EXTENSIONS:
+        return jsonify({'error': f'Unsupported extension for extraction: {ext}'}), 415
+
+    # Size check before writing to disk
+    f.stream.seek(0, 2)
+    size = f.stream.tell()
+    f.stream.seek(0)
+    if size > MAX_FILE_BYTES:
+        return jsonify({'error': 'File too large (25 MB max)'}), 413
+
+    # Write to a secure temp file
+    with tempfile.NamedTemporaryFile(suffix=ext, delete=False) as tmp:
+        tmp_path = Path(tmp.name)
+        f.save(tmp_path)
+
+    try:
+        if ext == '.pdf':
+            text, meta = extract_pdf(tmp_path)
+        elif ext == '.docx':
+            text, meta = extract_docx(tmp_path)
+        elif ext == '.xlsx':
+            text, meta = extract_xlsx(tmp_path)
+        elif ext == '.pptx':
+            text, meta = extract_pptx(tmp_path)
+        else:
+            return jsonify({'error': f'No extractor for {ext}'}), 415
+
+    except Exception as exc:
+        logger.exception('Extraction failed for %s', filename)
+        return jsonify({'error': f'Extraction failed: {exc}'}), 500
+    finally:
+        try:
+            tmp_path.unlink()
+        except Exception:
+            pass
+
+    logger.info('Extracted %s → %d chars (%s)', filename, len(text), ext)
+    return jsonify({'text': text, 'type': ext.lstrip('.'), 'chars': len(text), **meta})
+
+
+@app.route('/analyze-csv', methods=['POST'])
+def analyze_csv():
+    """
+    Run pandas summary analysis on a CSV/TSV file.
+
+    Accepts: multipart/form-data with:
+      file     — the CSV bytes
+      filename — original filename
+
+    Returns:
+      {summary, rows, columns, dtypes, missing}
+    """
+    if 'file' not in request.files:
+        return jsonify({'error': 'No file provided'}), 400
+
+    f = request.files['file']
+    filename = request.form.get('filename') or f.filename or ''
+    ext = Path(filename).suffix.lower()
+
+    if ext not in ALLOWED_CSV_EXTENSIONS:
+        return jsonify({'error': f'Unsupported extension: {ext}. Send .csv or .tsv'}), 415
+
+    f.stream.seek(0, 2)
+    size = f.stream.tell()
+    f.stream.seek(0)
+    if size > MAX_FILE_BYTES:
+        return jsonify({'error': 'File too large (25 MB max)'}), 413
+
+    with tempfile.NamedTemporaryFile(suffix=ext, delete=False) as tmp:
+        tmp_path = Path(tmp.name)
+        f.save(tmp_path)
+
+    try:
+        import pandas as pd
+        sep = '\t' if ext == '.tsv' else ','
+        df = pd.read_csv(tmp_path, sep=sep)
+
+        rows, cols = df.shape
+        dtypes = {col: str(dtype) for col, dtype in df.dtypes.items()}
+        missing = {col: int(df[col].isna().sum()) for col in df.columns if df[col].isna().any()}
+
+        # Build a readable text summary
+        desc = df.describe(include='all').to_string()
+        summary = sanitize(
+            f'Rows: {rows}, Columns: {cols}\n\nColumn types:\n'
+            + '\n'.join(f'  {c}: {t}' for c, t in dtypes.items())
+            + f'\n\nStats:\n{desc}'
+        )
+
+    except Exception as exc:
+        logger.exception('CSV analysis failed for %s', filename)
+        return jsonify({'error': f'Analysis failed: {exc}'}), 500
+    finally:
+        try:
+            tmp_path.unlink()
+        except Exception:
+            pass
+
+    logger.info('Analyzed CSV %s → %d rows × %d cols', filename, rows, cols)
+    return jsonify({
+        'summary': summary,
+        'rows': rows,
+        'columns': cols,
+        'dtypes': dtypes,
+        'missing': missing,
+    })
+
+
+# ---------------------------------------------------------------------------
+# Main
+# ---------------------------------------------------------------------------
+
+if __name__ == '__main__':
+    port = int(os.environ.get('PORT', 8900))
+    logger.info('skill-runner starting on port %d', port)
+    app.run(host='0.0.0.0', port=port, threaded=True)

package/deploy/supertonic/Dockerfile

@@ -0,0 +1,22 @@
+FROM python:3.12-slim
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends libsndfile1 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN pip install --no-cache-dir supertonic==1.1.2 fastapi uvicorn soundfile numpy
+
+RUN useradd -r -m appuser
+
+WORKDIR /app
+COPY server.py .
+RUN chown -R appuser:appuser /app
+
+USER appuser
+
+# Pre-download models as appuser so the cache path matches runtime
+RUN python3 -c "from supertonic import TTS; tts = TTS(auto_download=True)"
+
+EXPOSE 8765
+
+CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "8765"]

package/deploy/supertonic/server.py

@@ -0,0 +1,79 @@
+"""Supertonic TTS microservice — thin FastAPI wrapper around `supertonic`."""
+
+import logging
+from contextlib import asynccontextmanager
+from io import BytesIO
+
+import numpy as np
+import soundfile as sf
+from fastapi import FastAPI, HTTPException
+from fastapi.responses import Response
+from pydantic import BaseModel, Field
+from supertonic import TTS
+
+logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
+logger = logging.getLogger("supertonic-service")
+
+VOICES = ["M1", "M2", "M3", "M4", "M5", "F1", "F2", "F3", "F4", "F5"]
+LANGUAGES = ["en", "ko", "es", "pt", "fr"]
+
+# Pre-loaded voice styles keyed by name
+_styles: dict = {}
+_tts: TTS | None = None
+
+
+@asynccontextmanager
+async def lifespan(_app: FastAPI):
+    """Load TTS engine and all voice styles once at startup."""
+    global _tts
+    logger.info("Loading Supertonic TTS engine …")
+    _tts = TTS(auto_download=True)
+    for voice in VOICES:
+        logger.info("Loading voice style %s …", voice)
+        _styles[voice] = _tts.get_voice_style(voice)
+    logger.info("All %d voices loaded — ready to serve.", len(_styles))
+    yield
+
+
+app = FastAPI(title="Supertonic TTS", lifespan=lifespan)
+
+
+class TTSRequest(BaseModel):
+    text: str
+    voice: str = "F3"
+    speed: float = Field(default=1.05, gt=0, le=2)
+    steps: int = Field(default=40, ge=1, le=100)
+    lang: str = "en"
+    silence_duration: float = Field(default=0.1, ge=0.0, le=2.0)
+
+
+@app.get("/health")
+async def health():
+    return {"status": "ok"}
+
+
+@app.post("/tts")
+async def tts(req: TTSRequest):
+    if req.voice not in _styles:
+        raise HTTPException(400, f"Unknown voice '{req.voice}'. Available: {VOICES}")
+    if req.lang not in LANGUAGES:
+        raise HTTPException(400, f"Unsupported lang '{req.lang}'. Available: {LANGUAGES}")
+    if not req.text.strip():
+        raise HTTPException(400, "Text cannot be empty")
+
+    try:
+        wav, duration = _tts(
+            text=req.text,
+            lang=req.lang,
+            voice_style=_styles[req.voice],
+            speed=req.speed,
+            total_steps=req.steps,
+            silence_duration=req.silence_duration,
+        )
+        audio = wav[0, : int(_tts.sample_rate * duration[0].item())]
+        buf = BytesIO()
+        sf.write(buf, audio, _tts.sample_rate, format="WAV")
+        return Response(content=buf.getvalue(), media_type="audio/wav")
+    except Exception as exc:
+        logger.exception("TTS generation failed")
+        raise HTTPException(500, str(exc))

package/docker-compose.pinokio.yml

@@ -0,0 +1,11 @@
+# Pinokio local install override
+# - Swaps openclaw-data volume for local dir (pre-configured openclaw.json + auth-profiles)
+# - Injects .env into both containers so API keys are available
+# - dangerouslyDisableDeviceAuth is set in openclaw.json so no device pairing needed
+services:
+  openclaw:
+    env_file:
+      - .env
+    volumes:
+      - ./openclaw-data:/root/.openclaw
+      - canvas-pages:/root/.openclaw/workspace/canvas-pages

package/docker-compose.yml

@@ -0,0 +1,59 @@
+services:
+  openclaw:
+    build:
+      context: deploy/openclaw
+      args:
+        OPENCLAW_VERSION: ${OPENCLAW_VERSION:-2026.3.13}
+        CODING_CLI: ${CODING_CLI:-none}
+    volumes:
+      - openclaw-data:/root/.openclaw
+      - canvas-pages:/root/.openclaw/workspace/canvas-pages
+    ports:
+      - "18791:18791"
+      - "${PORT:-5001}:${PORT:-5001}"
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "node", "-e", "const h=require('http');h.get('http://localhost:18791',r=>{process.exit(r.statusCode<500?0:1)}).on('error',()=>process.exit(1))"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+
+  supertonic:
+    build: deploy/supertonic
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "python3", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8765/health')"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 120s
+
+  openvoiceui:
+    build: .
+    network_mode: "service:openclaw"
+    env_file:
+      - .env
+    environment:
+      - CLAWDBOT_GATEWAY_URL=ws://127.0.0.1:18791
+      - SUPERTONIC_API_URL=http://supertonic:8765
+    volumes:
+      - openvoiceui-runtime:/app/runtime
+      - canvas-pages:/app/runtime/canvas-pages
+    depends_on:
+      openclaw:
+        condition: service_healthy
+      supertonic:
+        condition: service_healthy
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "python3", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:5001/health/ready', timeout=5)"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+
+volumes:
+  openclaw-data:
+  openvoiceui-runtime:
+  canvas-pages:

package/greetings.json

@@ -0,0 +1,25 @@
+{
+  "version": 1,
+  "updated_at": "",
+  "updated_by": "system",
+  "notes": "Default greeting library. Edit or extend via /api/greetings/add. Categories: generic (all users) and contextual (face-recognized users).",
+  "next_greeting": null,
+  "last_context": null,
+  "greetings": {
+    "generic": {
+      "standard": [
+        "Hello! How can I help you today?",
+        "Hey there! What can I do for you?",
+        "Hi! What's on your mind?",
+        "Good to see you. What do you need?",
+        "Hello! Ready when you are.",
+        "Hey! What can I help you with?",
+        "Hi there! Ask me anything.",
+        "What can I do for you today?",
+        "Hey, what's up? How can I help?",
+        "Hello! What would you like to talk about?"
+      ]
+    },
+    "contextual": []
+  }
+}

package/index.html

@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
+    <title>OpenVoiceUI</title>
+
+    <!-- Favicon -->
+    <link rel="icon" type="image/svg+xml" href="/static/favicon.svg">
+    <link rel="icon" type="image/png" sizes="32x32" href="/static/icons/favicon-32.png">
+
+    <!-- PWA -->
+    <link rel="manifest" href="/manifest.json">
+    <meta name="theme-color" content="#060610">
+    <meta name="mobile-web-app-capable" content="yes">
+    <!-- iOS PWA (Safari "Add to Home Screen") -->
+    <meta name="apple-mobile-web-app-capable" content="yes">
+    <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
+    <meta name="apple-mobile-web-app-title" content="OpenVoiceUI">
+    <link rel="apple-touch-icon" href="/static/icons/apple-touch-icon.png">
+
+    <!-- iOS Safari Audio Fix — must run before any AudioContext usage -->
+    <script>(function(){var A=window.AudioContext||window.webkitAudioContext;if(!A)return;window.audioContext=new A();var u=false;function f(){if(u)return;var b=window.audioContext.createBuffer(1,1,22050),s=window.audioContext.createBufferSource();s.buffer=b;s.connect(window.audioContext.destination);(s.start||s.noteOn).call(s,0);window.audioContext.resume().then(function(){u=true;}).catch(function(){});}['touchstart','touchend','click','keydown'].forEach(function(e){document.addEventListener(e,f,{passive:true});});window.isAudioUnlocked=function(){return u;};}());
+    // Register PWA service worker
+    if('serviceWorker' in navigator){navigator.serviceWorker.register('/sw.js',{scope:'/'}).then(function(r){console.log('[SW] registered:',r.scope);}).catch(function(e){console.warn('[SW] registration failed:',e);});}
+    </script>
+
+    <!-- Styles -->
+    <link rel="stylesheet" href="src/styles/theme-dark.css?v=3">
+    <link rel="stylesheet" href="src/styles/face.css?v=10">
+    <link rel="stylesheet" href="src/styles/base.css?v=11">
+    <link rel="stylesheet" href="src/ui/settings/SettingsPanel.css?v=3">
+
+    <!-- Mobile overrides — inlined to bypass any CSS file caching -->
+    <style>
+        @media (max-width: 500px) {
+            .eye-cap-top { top: -13px; }
+        }
+    </style>
+
+    <!-- UI modules (global scripts — must load before app module) -->
+    <script src="src/ui/themes/ThemeManager.js?v=2"></script>
+    <script src="src/ui/face/FaceRenderer.js?v=2"></script>
+    <script src="src/face/HaloSmokeFace.js?v=2"></script>
+    <script src="src/ui/face/FacePicker.js?v=2"></script>
+    <script src="src/ui/settings/SettingsPanel.js?v=2"></script>
+
+    <!-- Clerk Authentication (optional — set CLERK_PUBLISHABLE_KEY in .env) -->
+    <script>
+        // Only load Clerk if a key is injected by the server
+        if (window.AGENT_CONFIG?.clerkPublishableKey) {
+            const s = document.createElement('script');
+            s.async = true;
+            s.crossOrigin = 'anonymous';
+            s.dataset.clerkPublishableKey = window.AGENT_CONFIG.clerkPublishableKey;
+            s.src = 'https://cdn.jsdelivr.net/npm/@clerk/clerk-js@5/dist/clerk.browser.js';
+            document.head.appendChild(s);
+        }
+    </script>
+</head>
+<body>
+    <!-- App entry point: injects DOM shell + initializes all modules -->
+    <script type="module" src="src/app.js?v=19"></script>
+</body>
+</html>

package/inject-device-identity.js

@@ -0,0 +1,142 @@
+#!/usr/bin/env node
+// inject-device-identity.js — Sync device identity between OpenVoiceUI and OpenClaw.
+//
+// Called by start.js AFTER containers are up but BEFORE the user opens the browser.
+//
+// Handles two scenarios:
+//   1. Fresh install (no identity in volume): inject pre-paired identity
+//   2. Reinstall (old identity in volume): read it, update paired.json to match
+//
+// Windows compatibility:
+//   - MSYS_NO_PATHCONV=1 prevents Git Bash from mangling /container/paths
+//   - docker cp avoids single-quote issues with cmd.exe
+//   - No sh -c with single quotes (Windows doesn't support them)
+
+const { execSync } = require("child_process");
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+const COMPOSE = "docker compose -f docker-compose.yml -f docker-compose.pinokio.yml";
+const IDENTITY_FILE = "openclaw-data/pre-paired-device.json";
+const PAIRED_FILE = "openclaw-data/devices/paired.json";
+const CONTAINER_PATH = "/app/runtime/uploads/.device-identity.json";
+
+// MSYS_NO_PATHCONV=1 prevents Git Bash on Windows from converting
+// /app/runtime/... to E:/pinokio/bin/.../app/runtime/...
+const EXEC_ENV = Object.assign({}, process.env, { MSYS_NO_PATHCONV: "1" });
+
+function exec(cmd, opts) {
+  return execSync(cmd, Object.assign(
+    { encoding: "utf8", timeout: 15000, stdio: ["pipe", "pipe", "pipe"], env: EXEC_ENV },
+    opts || {}
+  )).trim();
+}
+
+function writePairedJson(deviceId, publicKeyPem) {
+  // Derive base64url public key from PEM
+  var pubPemLines = publicKeyPem.split("\n").filter(function(l) {
+    return !l.startsWith("---") && l.trim();
+  });
+  var derBuf = Buffer.from(pubPemLines.join(""), "base64");
+  // Ed25519 SPKI DER = 12 byte header + 32 byte raw key
+  var rawPub = derBuf.slice(-32);
+  var pubB64url = rawPub.toString("base64url");
+
+  var nowMs = Date.now();
+  var pairingToken = crypto.randomBytes(32).toString("hex");
+  var paired = {};
+  paired[deviceId] = {
+    deviceId: deviceId,
+    publicKey: pubB64url,
+    displayName: "pinokio-openvoiceui",
+    platform: "linux",
+    clientId: "cli",
+    clientMode: "cli",
+    role: "operator",
+    roles: ["operator"],
+    scopes: ["operator.read", "operator.write"],
+    approvedScopes: ["operator.read", "operator.write"],
+    tokens: {
+      operator: {
+        token: pairingToken,
+        role: "operator",
+        scopes: ["operator.read", "operator.write"],
+        createdAtMs: nowMs,
+      },
+    },
+    createdAtMs: nowMs,
+    approvedAtMs: nowMs,
+  };
+
+  fs.mkdirSync("openclaw-data/devices", { recursive: true });
+  fs.writeFileSync(PAIRED_FILE, JSON.stringify(paired, null, 2) + "\n");
+  fs.writeFileSync("openclaw-data/devices/pending.json", "{}\n");
+}
+
+// Step 1: Check if the container already has a device identity (from a previous run)
+var containerIdentity = null;
+try {
+  var out = exec(COMPOSE + " exec -T openvoiceui cat " + CONTAINER_PATH);
+  if (out && out.startsWith("{")) {
+    containerIdentity = JSON.parse(out);
+    if (!containerIdentity.deviceId) containerIdentity = null;
+  }
+} catch (e) {
+  // File doesn't exist — fresh volume
+}
+
+if (containerIdentity) {
+  // Scenario 2: Container already has an identity (Docker volume persisted it).
+  // Update paired.json to match whatever the container has.
+  console.log("  Found existing device identity: " + containerIdentity.deviceId.slice(0, 16) + "...");
+
+  try {
+    writePairedJson(containerIdentity.deviceId, containerIdentity.publicKeyPem);
+    console.log("  Updated paired.json to match container identity");
+
+    // Save locally so they stay in sync
+    fs.writeFileSync(IDENTITY_FILE, JSON.stringify(containerIdentity, null, 2) + "\n");
+
+    // No restart needed — openclaw-data/ is a bind mount so paired.json
+    // changes are immediately visible inside the container. OpenClaw reads
+    // paired.json on each WS connection attempt (getPairedDevice()), not
+    // just at startup. DO NOT restart openclaw here — openvoiceui uses
+    // network_mode: "service:openclaw" so restarting openclaw kills both.
+    console.log("  Device is now paired (no restart needed — bind mount is live)");
+  } catch (e) {
+    console.log("  Warning: could not sync identity: " + e.message);
+  }
+} else {
+  // Scenario 1: Fresh install — no identity in container yet.
+  // Inject the pre-paired identity that setup-config.js generated.
+  if (!fs.existsSync(IDENTITY_FILE)) {
+    console.log("  No pre-paired device identity found — skipping");
+    process.exit(0);
+  }
+
+  var identity = fs.readFileSync(IDENTITY_FILE, "utf8");
+
+  try {
+    // Get the container ID for docker cp (avoids shell quoting issues on Windows)
+    var containerId = exec(COMPOSE + " ps -q openvoiceui");
+    if (!containerId) throw new Error("openvoiceui container not found");
+
+    // Ensure uploads dir exists (use double quotes, not single quotes — Windows compat)
+    exec(COMPOSE + ' exec -T openvoiceui mkdir -p /app/runtime/uploads');
+
+    // Write identity to a temp file and docker cp it in
+    // docker cp avoids all shell quoting and stdin piping issues
+    var tmpFile = path.join("openclaw-data", ".tmp-device-identity.json");
+    fs.writeFileSync(tmpFile, identity);
+    exec("docker cp " + JSON.stringify(tmpFile) + " " + containerId + ":" + CONTAINER_PATH);
+
+    // Clean up temp file
+    try { fs.unlinkSync(tmpFile); } catch (e) { /* ignore */ }
+
+    var deviceId = JSON.parse(identity).deviceId || "unknown";
+    console.log("  Injected pre-paired device identity: " + deviceId.slice(0, 16) + "...");
+  } catch (e) {
+    console.log("  Warning: Could not inject device identity: " + e.message.split("\n")[0]);
+  }
+}