seclaw 0.1.1

package/dist/cli.js

@@ -0,0 +1,2573 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { program } from "commander";
+
+// src/commands/create.ts
+import { resolve as resolve5 } from "path";
+import { existsSync as existsSync5 } from "fs";
+import { cp as cp2, mkdir as mkdir2 } from "fs/promises";
+import * as p2 from "@clack/prompts";
+import { execa as execa3 } from "execa";
+import pc2 from "picocolors";
+
+// src/prompts.ts
+import { existsSync as existsSync2, readFileSync, readdirSync } from "fs";
+import { resolve as resolve2, join } from "path";
+import { homedir, platform } from "os";
+import { exec } from "child_process";
+import * as p from "@clack/prompts";
+import pc from "picocolors";
+
+// src/tunnel.ts
+import { execa } from "execa";
+import { writeFile, readFile } from "fs/promises";
+import { existsSync } from "fs";
+import { resolve } from "path";
+async function getTunnelUrl(cwd, maxRetries = 20) {
+  const projectDir = cwd || process.cwd();
+  const cachedPath = resolve(projectDir, ".tunnel-url");
+  if (existsSync(cachedPath)) {
+    try {
+      const cached = (await readFile(cachedPath, "utf-8")).trim();
+      if (cached.includes("trycloudflare.com")) {
+        const fresh = await fetchTunnelUrlFromLogs(projectDir);
+        if (fresh) {
+          if (fresh !== cached) {
+            await writeFile(cachedPath, fresh);
+            return fresh;
+          }
+          return cached;
+        }
+        return cached;
+      }
+    } catch {
+    }
+  }
+  for (let i = 0; i < maxRetries; i++) {
+    const url = await fetchTunnelUrlFromLogs(projectDir);
+    if (url) {
+      try {
+        await writeFile(cachedPath, url);
+      } catch {
+      }
+      return url;
+    }
+    await new Promise((r) => setTimeout(r, 2e3));
+  }
+  return null;
+}
+async function fetchTunnelUrlFromLogs(cwd) {
+  try {
+    const result = await execa(
+      "docker",
+      ["compose", "logs", "cloudflared", "--no-log-prefix"],
+      { cwd, env: { ...process.env, COMPOSE_PROJECT_NAME: "seclaw" } }
+    );
+    const combined = result.stdout + "\n" + result.stderr;
+    const match = combined.match(
+      /https:\/\/[a-z0-9-]+\.trycloudflare\.com/
+    );
+    return match ? match[0] : null;
+  } catch {
+    return null;
+  }
+}
+async function setTelegramWebhook(botToken, tunnelUrl) {
+  const webhookUrl = `${tunnelUrl}/webhook`;
+  try {
+    const res = await fetch(
+      `https://api.telegram.org/bot${botToken}/setWebhook`,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          url: webhookUrl,
+          allowed_updates: ["message", "callback_query"]
+        })
+      }
+    );
+    const data = await res.json();
+    return data.ok;
+  } catch {
+    return false;
+  }
+}
+async function clearTunnelCache(projectDir) {
+  const cachedPath = resolve(projectDir, ".tunnel-url");
+  if (existsSync(cachedPath)) {
+    try {
+      await writeFile(cachedPath, "");
+    } catch {
+    }
+  }
+}
+async function verifyTelegramToken(botToken) {
+  try {
+    const res = await fetch(
+      `https://api.telegram.org/bot${botToken}/getMe`
+    );
+    const data = await res.json();
+    if (data.ok && data.result) {
+      return { valid: true, botName: `@${data.result.username}` };
+    }
+    return { valid: false };
+  } catch {
+    return { valid: false };
+  }
+}
+
+// src/prompts.ts
+var PROVIDER_CONFIG = {
+  anthropic: {
+    label: "Anthropic (Claude)",
+    hint: "Claude Opus, Sonnet, Haiku",
+    envVar: "ANTHROPIC_API_KEY",
+    placeholder: "sk-ant-api03-...",
+    prefix: "sk-ant-",
+    keyUrl: "https://console.anthropic.com/settings/keys"
+  },
+  openai: {
+    label: "OpenAI (GPT-4o)",
+    hint: "GPT-4o, GPT-4o-mini, o1, o3",
+    envVar: "OPENAI_API_KEY",
+    placeholder: "sk-proj-...",
+    prefix: "sk-",
+    keyUrl: "https://platform.openai.com/api-keys"
+  },
+  gemini: {
+    label: "Google (Gemini)",
+    hint: "Gemini 2.5 Pro, Flash",
+    envVar: "GOOGLE_AI_API_KEY",
+    placeholder: "AI...",
+    prefix: "",
+    keyUrl: "https://aistudio.google.com/apikey"
+  },
+  openrouter: {
+    label: "OpenRouter (Gemini 3 Flash)",
+    hint: "Gemini 3 Flash \u2014 fast, affordable, 100+ models available",
+    envVar: "OPENROUTER_API_KEY",
+    placeholder: "sk-or-...",
+    prefix: "sk-or-",
+    keyUrl: "https://openrouter.ai/keys"
+  }
+};
+function getProviderConfig(provider) {
+  return PROVIDER_CONFIG[provider];
+}
+async function collectSetupAnswers(targetDir) {
+  p.intro(
+    `${pc.bgCyan(pc.black(" seclaw "))} ${pc.dim("Secure autonomous AI agents in 60 seconds.")}`
+  );
+  const provider = await p.select({
+    message: "Which LLM provider?",
+    options: [
+      { value: "openrouter", label: "OpenRouter", hint: "recommended \u2014 Gemini 3 Flash, ~$3-10/mo" },
+      { value: "anthropic", label: "Anthropic (Claude)", hint: "~$15-30/mo" },
+      { value: "openai", label: "OpenAI (GPT-4o)", hint: "~$10-25/mo" },
+      { value: "gemini", label: "Google (Gemini)", hint: "~$7-20/mo" }
+    ]
+  });
+  if (p.isCancel(provider)) process.exit(0);
+  const config = PROVIDER_CONFIG[provider];
+  p.log.step(
+    `${pc.bold("Step 1:")} ${config.label} API Key
+  ${pc.dim("Go to")} ${pc.cyan(config.keyUrl)}
+  ${pc.dim("Create a key and copy it")}`
+  );
+  const llmApiKey = await p.text({
+    message: `Paste your ${config.label} API Key`,
+    placeholder: config.placeholder,
+    validate: (v) => {
+      if (!v || v.length < 10) return "API key is too short";
+      if (config.prefix && !v.startsWith(config.prefix)) {
+        return `Expected key starting with ${config.prefix}`;
+      }
+    }
+  });
+  if (p.isCancel(llmApiKey)) process.exit(0);
+  p.log.step(
+    `${pc.bold("Step 2:")} Telegram Bot Token
+  ${pc.dim("1. Open Telegram, search")} ${pc.cyan("@BotFather")}
+  ${pc.dim("2. Send")} ${pc.bold("/newbot")} ${pc.dim("-> pick a name")}
+  ${pc.dim("3. Copy the token it gives you")}`
+  );
+  let telegramToken = "";
+  let telegramBotName = "";
+  const tokenInput = await p.text({
+    message: "Paste your Telegram Bot Token (Enter to skip)",
+    placeholder: "7234567890:AAF...",
+    defaultValue: ""
+  });
+  if (p.isCancel(tokenInput)) process.exit(0);
+  if (tokenInput && tokenInput.includes(":")) {
+    telegramToken = tokenInput;
+    const s = p.spinner();
+    s.start("Verifying Telegram token...");
+    const result = await verifyTelegramToken(telegramToken);
+    if (result.valid) {
+      telegramBotName = result.botName || "";
+      s.stop(`Bot verified: ${pc.green(telegramBotName)}`);
+    } else {
+      s.stop("Token looks invalid \u2014 continuing anyway, you can fix it later.");
+    }
+  }
+  let composioApiKey = readComposioLocalKey() || "";
+  if (composioApiKey) {
+    p.log.step(
+      `${pc.bold("Step 3:")} Composio ${pc.green("auto-detected!")}
+  ${pc.dim("Found API key in")} ~/.composio/user_data.json`
+    );
+  } else {
+    p.log.step(
+      `${pc.bold("Step 3:")} Composio ${pc.dim("(for Gmail, Calendar, etc.)")}`
+    );
+    const method = await p.select({
+      message: "How would you like to set up Composio?",
+      options: [
+        { value: "browser", label: "Open browser", hint: "sign up + get API key (recommended)" },
+        { value: "paste", label: "Paste API key", hint: "if you already have one" },
+        { value: "skip", label: "Skip for now", hint: "add later with: npx seclaw integrations" }
+      ]
+    });
+    if (p.isCancel(method)) process.exit(0);
+    if (method === "browser") {
+      composioApiKey = await composioFromBrowser();
+    } else if (method === "paste") {
+      const composioKey = await p.text({
+        message: "Paste your Composio API Key",
+        placeholder: "ak_..."
+      });
+      if (p.isCancel(composioKey)) process.exit(0);
+      composioApiKey = composioKey || "";
+    }
+  }
+  const templateOptions = [
+    {
+      value: "productivity-agent",
+      label: "Productivity Agent (recommended)",
+      hint: "free \u2014 task management, Telegram chat, file tools"
+    }
+  ];
+  if (targetDir) {
+    const installedTemplates = discoverInstalledTemplates(targetDir);
+    for (const t of installedTemplates) {
+      templateOptions.push({
+        value: t.id,
+        label: `${t.name} (installed)`,
+        hint: `${t.tier} \u2014 ${t.description.substring(0, 60)}`
+      });
+    }
+  }
+  templateOptions.push({
+    value: "blank",
+    label: "Empty project",
+    hint: "just the infrastructure, no template"
+  });
+  const template = await p.select({
+    message: "Select a starter template",
+    options: templateOptions
+  });
+  if (p.isCancel(template)) process.exit(0);
+  const tz = Intl.DateTimeFormat().resolvedOptions().timeZone;
+  return {
+    llmProvider: provider,
+    llmApiKey,
+    telegramToken,
+    telegramBotName,
+    composioApiKey,
+    composioUserId: "",
+    template,
+    timezone: tz
+  };
+}
+async function composioFromBrowser() {
+  const url = "https://platform.composio.dev";
+  p.log.info(
+    `${pc.dim("Opening:")} ${pc.cyan(url)}
+  ${pc.dim("1.")} Sign up or log in
+  ${pc.dim("2.")} Click ${pc.bold("Settings")} \u2192 ${pc.bold("API Keys")} tab
+  ${pc.dim("3.")} Click ${pc.bold("New API key")}, copy and paste it below`
+  );
+  openUrl(url);
+  const key = await p.text({
+    message: "Paste your Composio API Key",
+    placeholder: "ak_..."
+  });
+  if (p.isCancel(key)) process.exit(0);
+  return key || "";
+}
+function openUrl(url) {
+  const cmd = platform() === "darwin" ? `open "${url}"` : platform() === "win32" ? `start "${url}"` : `xdg-open "${url}"`;
+  exec(cmd, () => {
+  });
+}
+function discoverInstalledTemplates(targetDir) {
+  const templates2 = [];
+  const templatesDir = join(targetDir, "templates");
+  if (!existsSync2(templatesDir)) return templates2;
+  try {
+    const entries = readdirSync(templatesDir);
+    for (const entry of entries) {
+      if (entry === "productivity-agent") continue;
+      const manifestPath = join(templatesDir, entry, "manifest.json");
+      if (!existsSync2(manifestPath)) continue;
+      try {
+        const manifest = JSON.parse(readFileSync(manifestPath, "utf-8"));
+        templates2.push({
+          id: manifest.id || entry,
+          name: manifest.name || entry,
+          description: manifest.description || "",
+          tier: manifest.tier || "paid"
+        });
+      } catch {
+      }
+    }
+  } catch {
+  }
+  return templates2;
+}
+function readComposioLocalKey() {
+  try {
+    const dataPath = resolve2(homedir(), ".composio", "user_data.json");
+    if (!existsSync2(dataPath)) return null;
+    const data = JSON.parse(readFileSync(dataPath, "utf-8"));
+    const key = data.api_key;
+    if (key && typeof key === "string" && key.startsWith("ak_")) {
+      return key;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+// src/scaffold.ts
+import { mkdir, writeFile as writeFile2, cp, rm, readFile as readFile2 } from "fs/promises";
+import { existsSync as existsSync3 } from "fs";
+import { join as join2, resolve as resolve3 } from "path";
+async function scaffoldProject(targetDir, answers) {
+  const dirs = [
+    "shared/tasks",
+    "shared/reports",
+    "shared/notes",
+    "shared/drafts",
+    "shared/memory",
+    "shared/config",
+    "templates",
+    "commander",
+    "agent"
+  ];
+  for (const dir of dirs) {
+    await mkdir(join2(targetDir, dir), { recursive: true });
+  }
+  await writeEnv(targetDir, answers);
+  await writeDockerCompose(targetDir);
+  await writePermissions(targetDir);
+  await writeGitignore(targetDir);
+  await writeDockerignore(targetDir);
+  await copyAgentFiles(targetDir);
+  await copyCommanderFiles(targetDir);
+  await writeSeedFiles(targetDir, answers);
+}
+async function writeEnv(dir, answers) {
+  const config = getProviderConfig(answers.llmProvider);
+  const existing = await readExistingEnv(join2(dir, ".env"));
+  const lines = [
+    `# LLM Provider: ${config.label}`,
+    `LLM_PROVIDER=${answers.llmProvider}`,
+    ...existing.LLM_MODEL ? [`LLM_MODEL=${existing.LLM_MODEL}`] : [],
+    `${config.envVar}=${answers.llmApiKey}`,
+    `TIMEZONE=${answers.timezone}`,
+    `TELEGRAM_BOT_TOKEN=${answers.telegramToken}`,
+    `TELEGRAM_CHAT_ID=${existing.TELEGRAM_CHAT_ID || ""}`
+  ];
+  if (answers.composioApiKey) {
+    lines.push(`COMPOSIO_API_KEY=${answers.composioApiKey}`);
+    lines.push(`COMPOSIO_USER_ID=${existing.COMPOSIO_USER_ID || answers.composioUserId || generateUserId()}`);
+  }
+  if (existing.INNGEST_DEV) {
+    lines.push(`INNGEST_DEV=${existing.INNGEST_DEV}`);
+  }
+  await writeFile2(join2(dir, ".env"), lines.join("\n") + "\n");
+}
+async function readExistingEnv(path) {
+  const env = {};
+  try {
+    const content = await readFile2(path, "utf-8");
+    for (const line of content.split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith("#")) continue;
+      const eqIdx = trimmed.indexOf("=");
+      if (eqIdx > 0) {
+        env[trimmed.substring(0, eqIdx)] = trimmed.substring(eqIdx + 1);
+      }
+    }
+  } catch {
+  }
+  return env;
+}
+function generateUserId() {
+  const chars = "abcdefghijklmnopqrstuvwxyz0123456789";
+  let id = "seclaw-user-";
+  for (let i = 0; i < 16; i++) {
+    id += chars[Math.floor(Math.random() * chars.length)];
+  }
+  return id;
+}
+async function writeDockerCompose(dir) {
+  const content = `services:
+  inngest:
+    image: inngest/inngest:latest
+    command: ["inngest", "dev", "-u", "http://agent:3000/api/inngest", "--no-discovery"]
+    ports:
+      - "8288:8288"
+    networks:
+      - agent-net
+    restart: unless-stopped
+
+  agent:
+    build:
+      context: ./agent
+      dockerfile: Dockerfile
+    image: seclaw/agent:latest
+    restart: unless-stopped
+    volumes:
+      - ./shared:/workspace:rw
+      - ./templates:/templates:ro
+    env_file:
+      - .env
+    environment:
+      - WORKSPACE_PATH=/workspace
+      - COMMANDER_URL=http://desktop-commander:3000
+      - INNGEST_BASE_URL=http://inngest:8288
+      - INNGEST_DEV=1
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    networks:
+      - agent-net
+    depends_on:
+      - inngest
+      - desktop-commander
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://localhost:3000/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  cloudflared:
+    image: cloudflare/cloudflared:latest
+    restart: unless-stopped
+    command: tunnel --no-autoupdate --url http://agent:3000
+    networks:
+      - agent-net
+    depends_on:
+      agent:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "wget --spider -q http://agent:3000/health || exit 1"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+
+  desktop-commander:
+    build:
+      context: ./commander
+      dockerfile: Dockerfile
+    image: seclaw/desktop-commander:latest
+    restart: unless-stopped
+    volumes:
+      - ./shared:/workspace:rw
+      - ./permissions.yml:/permissions.yml:ro
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp:size=100M
+    cap_drop:
+      - ALL
+    networks:
+      - agent-net
+    deploy:
+      resources:
+        limits:
+          memory: 512M
+          cpus: "1.0"
+
+networks:
+  agent-net:
+    driver: bridge
+`;
+  await writeFile2(join2(dir, "docker-compose.yml"), content);
+}
+async function copyAgentFiles(dir) {
+  const agentTemplateSrc = resolve3(import.meta.dirname, "runtime");
+  const agentDest = join2(dir, "agent");
+  if (existsSync3(agentDest)) {
+    await rm(agentDest, { recursive: true });
+  }
+  await mkdir(agentDest, { recursive: true });
+  if (existsSync3(agentTemplateSrc)) {
+    await cp(agentTemplateSrc, agentDest, { recursive: true });
+  } else {
+    await writeMinimalAgent(agentDest);
+  }
+}
+async function writeMinimalAgent(dir) {
+  await mkdir(dir, { recursive: true });
+  await writeFile2(
+    join2(dir, "package.json"),
+    JSON.stringify(
+      {
+        name: "seclaw-agent",
+        version: "1.0.0",
+        private: true,
+        type: "module",
+        dependencies: {
+          openai: "^4.73.0",
+          "@modelcontextprotocol/sdk": "^1.0.0",
+          inngest: "^3.22.0"
+        }
+      },
+      null,
+      2
+    )
+  );
+  await writeFile2(
+    join2(dir, "Dockerfile"),
+    `FROM node:20-alpine
+RUN apk add --no-cache wget && rm -rf /var/cache/apk/*
+WORKDIR /app
+COPY package.json ./
+RUN npm install --omit=dev && npm cache clean --force
+COPY *.js ./
+EXPOSE 3000
+HEALTHCHECK --interval=10s --timeout=3s --retries=3 CMD wget --spider -q http://localhost:3000/health || exit 1
+CMD ["node", "agent.js"]
+`
+  );
+  await writeFile2(
+    join2(dir, "agent.js"),
+    `import { createServer } from "node:http";
+const PORT = parseInt(process.env.AGENT_PORT || "3000", 10);
+const server = createServer(async (req, res) => {
+  if (req.url === "/health") {
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ status: "ok" }));
+    return;
+  }
+  if (req.method === "POST" && req.url === "/webhook") {
+    let data = "";
+    req.on("data", (c) => data += c);
+    req.on("end", async () => {
+      res.writeHead(200); res.end();
+      try {
+        const body = JSON.parse(data);
+        const chatId = body?.message?.chat?.id;
+        const text = body?.message?.text;
+        if (chatId && text) {
+          await fetch(\`https://api.telegram.org/bot\${process.env.TELEGRAM_BOT_TOKEN}/sendMessage\`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ chat_id: chatId, text: "Agent is starting up. Please wait..." }),
+          });
+        }
+      } catch {}
+    });
+    return;
+  }
+  res.writeHead(404); res.end();
+});
+server.listen(PORT, () => console.log(\`seclaw agent on port \${PORT}\`));
+`
+  );
+}
+async function copyCommanderFiles(dir) {
+  const packageJson = `{
+  "name": "seclaw-commander",
+  "version": "1.0.0",
+  "private": true,
+  "type": "module",
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0"
+  }
+}
+`;
+  const dockerfile = `FROM node:20-alpine
+
+RUN apk add --no-cache git python3 && rm -rf /var/cache/apk/*
+
+RUN addgroup -g 1001 -S commander && \\
+    adduser -S commander -u 1001 -G commander
+
+WORKDIR /app
+
+COPY package.json ./
+RUN npm install --omit=dev && npm cache clean --force
+
+COPY server.js ./
+
+RUN mkdir -p /workspace /tmp && \\
+    chown -R commander:commander /workspace /tmp
+
+USER commander
+
+EXPOSE 3000
+
+HEALTHCHECK --interval=10s --timeout=3s --retries=3 \\
+    CMD wget --spider -q http://localhost:3000/health || exit 1
+
+CMD ["node", "server.js"]
+`;
+  const serverJs = `import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema,
+} from "@modelcontextprotocol/sdk/types.js";
+import { execSync } from "node:child_process";
+import {
+  readFileSync, writeFileSync, mkdirSync,
+  readdirSync, statSync, existsSync,
+} from "node:fs";
+import { resolve, join, dirname } from "node:path";
+import { createServer } from "node:http";
+
+const WORKSPACE = "/workspace";
+
+function safePath(p) {
+  const resolved = resolve(WORKSPACE, p);
+  if (!resolved.startsWith(WORKSPACE)) {
+    throw new Error("Path outside workspace");
+  }
+  return resolved;
+}
+
+const TOOLS = [
+  {
+    name: "read_file",
+    description: "Read a file from the workspace",
+    inputSchema: {
+      type: "object",
+      properties: { path: { type: "string", description: "Relative path within workspace" } },
+      required: ["path"],
+    },
+  },
+  {
+    name: "write_file",
+    description: "Write content to a file (creates parent directories automatically)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Relative path within workspace" },
+        content: { type: "string", description: "File content to write" },
+      },
+      required: ["path", "content"],
+    },
+  },
+  {
+    name: "list_directory",
+    description: "List files and directories in the workspace",
+    inputSchema: {
+      type: "object",
+      properties: { path: { type: "string", description: "Relative path within workspace (use '.' for root)" } },
+      required: ["path"],
+    },
+  },
+  {
+    name: "execute_command",
+    description: "Execute a shell command in the workspace",
+    inputSchema: {
+      type: "object",
+      properties: { command: { type: "string", description: "Shell command to execute" } },
+      required: ["command"],
+    },
+  },
+];
+
+function handleTool(name, args) {
+  switch (name) {
+    case "read_file": {
+      const p = safePath(args.path);
+      if (!existsSync(p)) {
+        return { content: [{ type: "text", text: "File not found: " + args.path }], isError: true };
+      }
+      const content = readFileSync(p, "utf-8");
+      return { content: [{ type: "text", text: content }] };
+    }
+    case "write_file": {
+      const p = safePath(args.path);
+      mkdirSync(dirname(p), { recursive: true });
+      writeFileSync(p, args.content);
+      return { content: [{ type: "text", text: "Written: " + args.path }] };
+    }
+    case "list_directory": {
+      const dirPath = safePath(args.path);
+      if (!existsSync(dirPath)) {
+        return { content: [{ type: "text", text: "Directory not found: " + args.path }], isError: true };
+      }
+      const entries = readdirSync(dirPath).map((name) => {
+        const full = join(dirPath, name);
+        const stat = statSync(full);
+        return (stat.isDirectory() ? "d" : "-") + " " + name;
+      });
+      return { content: [{ type: "text", text: entries.join("\\n") || "(empty)" }] };
+    }
+    case "execute_command": {
+      const output = execSync(args.command, {
+        cwd: WORKSPACE,
+        timeout: 30000,
+        maxBuffer: 1024 * 1024,
+        encoding: "utf-8",
+      });
+      return { content: [{ type: "text", text: output }] };
+    }
+    default:
+      return { content: [{ type: "text", text: "Unknown tool: " + name }], isError: true };
+  }
+}
+
+function createMCPServer() {
+  const srv = new Server(
+    { name: "seclaw-commander", version: "1.0.0" },
+    { capabilities: { tools: {} } }
+  );
+  srv.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOLS }));
+  srv.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const { name, arguments: args } = request.params;
+    try { return handleTool(name, args); }
+    catch (err) { return { content: [{ type: "text", text: "Error: " + err.message }], isError: true }; }
+  });
+  return srv;
+}
+
+const sessions = new Map();
+const httpServer = createServer(async (req, res) => {
+  res.setHeader("Access-Control-Allow-Origin", "*");
+  res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type");
+  if (req.method === "OPTIONS") { res.writeHead(204); res.end(); return; }
+
+  const url = new URL(req.url, "http://localhost:3000");
+  if (req.method === "GET" && url.pathname === "/sse") {
+    const mcpServer = createMCPServer();
+    const transport = new SSEServerTransport("/messages", res);
+    sessions.set(transport.sessionId, { server: mcpServer, transport });
+    res.on("close", () => sessions.delete(transport.sessionId));
+    await mcpServer.connect(transport);
+  } else if (req.method === "POST" && url.pathname === "/messages") {
+    const sessionId = url.searchParams.get("sessionId");
+    const session = sessions.get(sessionId);
+    if (session) { await session.transport.handlePostMessage(req, res); }
+    else { res.writeHead(400); res.end("Session not found"); }
+  } else if (url.pathname === "/health") {
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ status: "ok", transport: "sse", sessions: sessions.size }));
+  } else { res.writeHead(404); res.end(); }
+});
+httpServer.listen(3000, () => { console.log("seclaw-commander MCP server (SSE) on port 3000"); });
+`;
+  await writeFile2(join2(dir, "commander", "package.json"), packageJson);
+  await writeFile2(join2(dir, "commander", "Dockerfile"), dockerfile);
+  await writeFile2(join2(dir, "commander", "server.js"), serverJs);
+}
+async function writePermissions(dir) {
+  const content = `version: 1
+rules:
+  filesystem:
+    allow:
+      - /workspace/**
+    deny:
+      - /workspace/.env*
+      - /workspace/.git/**
+      - /workspace/node_modules/**
+  commands:
+    allow:
+      - ls
+      - cat
+      - head
+      - tail
+      - grep
+      - find
+      - wc
+      - sort
+      - uniq
+      - node
+      - npm
+      - npx
+      - python3
+      - pip
+      - git status
+      - git log
+      - git diff
+    deny:
+      - rm -rf /
+      - curl
+      - wget
+      - ssh
+      - sudo
+      - chmod
+      - chown
+    max_execution_time: 30s
+    max_output_size: 1MB
+  confirmation_required:
+    - pattern: "send*email*"
+    - pattern: "delete*"
+    - pattern: "post*"
+    - pattern: "publish*"
+    - pattern: "deploy*"
+`;
+  await writeFile2(join2(dir, "permissions.yml"), content);
+}
+async function writeIfMissing(path, content) {
+  if (!existsSync3(path)) {
+    await writeFile2(path, content);
+  }
+}
+async function writeSeedFiles(dir, answers) {
+  const today = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+  await writeIfMissing(
+    join2(dir, "shared/memory/learnings.md"),
+    `# Agent Memory
+
+## User Profile
+- Timezone: ${answers.timezone}
+- Setup date: ${today}
+- Provider: ${answers.llmProvider}
+
+## Preferences
+- (Agent will learn and add preferences here over time)
+
+## Lessons Learned
+- (Agent will record what works and what doesn't)
+`
+  );
+  await writeIfMissing(
+    join2(dir, "shared/tasks/welcome.md"),
+    `# Welcome Task
+- [ ] Introduce yourself to the user on Telegram
+- [ ] Explain what you can do (file management, email, task tracking)
+- [ ] Ask the user what they'd like help with today
+- [ ] Create today's report at reports/${today}.md after first interaction
+`
+  );
+  await writeIfMissing(
+    join2(dir, "shared/config/agent.md"),
+    `# Agent Configuration
+
+## Workspace Structure
+- tasks/    \u2014 active tasks and TODO lists
+- reports/  \u2014 daily reports (YYYY-MM-DD.md)
+- notes/    \u2014 quick notes and references
+- drafts/   \u2014 work in progress documents
+- memory/   \u2014 persistent learnings (survives restarts)
+- config/   \u2014 this file and user preferences
+
+## Behavior Rules
+- Always read memory/learnings.md at the start of a conversation
+- Always check tasks/ for pending work
+- Write daily reports to reports/
+- Update memory/learnings.md when you learn something new about the user
+- Keep Telegram messages concise \u2014 use bullet points
+- Detect user language and respond in the same language
+`
+  );
+  const integrations2 = [
+    `# Connected Integrations`,
+    ``,
+    `Template: ${answers.template}`,
+    ``,
+    `## Connected`,
+    `- [x] telegram \u2014 Telegram Bot`,
+    `- [x] ${answers.llmProvider} \u2014 LLM Provider`
+  ];
+  if (answers.composioApiKey) {
+    integrations2.push(`- [x] composio \u2014 Integration Hub (Gmail, Calendar, etc.)`);
+  }
+  integrations2.push(
+    ``,
+    `## Available`,
+    `Run \`npx seclaw integrations\` to add integrations (Gmail, Google Drive, GitHub, etc.)`,
+    ``
+  );
+  await writeIfMissing(
+    join2(dir, "shared/config/integrations.md"),
+    integrations2.join("\n")
+  );
+  await writeIfMissing(
+    join2(dir, `shared/reports/${today}.md`),
+    `# Daily Report \u2014 ${today}
+
+## Status
+Agent initialized. Waiting for first interaction.
+
+## Tasks
+(Will be populated after first conversation)
+
+## Notes
+(Will be populated throughout the day)
+`
+  );
+}
+async function writeGitignore(dir) {
+  const content = `.env
+.env.*
+!.env.example
+node_modules/
+*.log
+.DS_Store
+.tunnel-url
+`;
+  await writeIfMissing(join2(dir, ".gitignore"), content);
+}
+async function writeDockerignore(dir) {
+  const content = `.env
+.env.*
+.git
+.gitignore
+.DS_Store
+*.log
+*.md
+shared/
+templates/
+.tunnel-url
+`;
+  await writeIfMissing(join2(dir, ".dockerignore"), content);
+}
+
+// src/docker.ts
+import { execa as execa2, execaSync } from "execa";
+import { existsSync as existsSync4, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve4 } from "path";
+async function checkDocker() {
+  try {
+    await execa2("docker", ["version"]);
+  } catch {
+    return { ok: false, error: "Docker is not installed. Download it at https://docker.com/get-started" };
+  }
+  try {
+    await execa2("docker", ["info"]);
+  } catch {
+    return { ok: false, error: "Docker is not running. Open Docker Desktop and try again." };
+  }
+  return { ok: true };
+}
+async function stopExistingSeclaw() {
+  try {
+    const result = await execa2("docker", [
+      "ps",
+      "-a",
+      "--filter",
+      "label=com.docker.compose.service=agent",
+      "--format",
+      '{{index .Labels "com.docker.compose.project"}}'
+    ]);
+    const projects = /* @__PURE__ */ new Set();
+    for (const line of result.stdout.split("\n").filter(Boolean)) {
+      projects.add(line.trim());
+    }
+    try {
+      const portResult = await execa2("docker", [
+        "ps",
+        "--filter",
+        "publish=8288",
+        "--format",
+        '{{index .Labels "com.docker.compose.project"}}'
+      ]);
+      for (const line of portResult.stdout.split("\n").filter(Boolean)) {
+        projects.add(line.trim());
+      }
+    } catch {
+    }
+    for (const project of projects) {
+      if (!project) continue;
+      try {
+        await execa2("docker", ["compose", "-p", project, "down"]);
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
+async function findRunningSeclaw() {
+  const agentResult = await findContainerByLabel("seclaw");
+  if (agentResult) return agentResult;
+  try {
+    const result = await execa2("docker", [
+      "ps",
+      "--filter",
+      "publish=5678",
+      "--format",
+      "{{.Names}}"
+    ]);
+    const names = result.stdout.trim();
+    if (!names) return null;
+    const containerName = names.split("\n")[0];
+    try {
+      const inspect = await execa2("docker", [
+        "inspect",
+        containerName,
+        "--format",
+        '{{index .Config.Labels "com.docker.compose.project.working_dir"}}'
+      ]);
+      return { dir: inspect.stdout.trim() || null };
+    } catch {
+      return { dir: null };
+    }
+  } catch {
+    return null;
+  }
+}
+async function findContainerByLabel(project) {
+  try {
+    const result = await execa2("docker", [
+      "ps",
+      "--filter",
+      `label=com.docker.compose.project=${project}`,
+      "--format",
+      "{{.Names}}"
+    ]);
+    const names = result.stdout.trim();
+    if (!names) return null;
+    const containerName = names.split("\n")[0];
+    try {
+      const inspect = await execa2("docker", [
+        "inspect",
+        containerName,
+        "--format",
+        '{{index .Config.Labels "com.docker.compose.project.working_dir"}}'
+      ]);
+      return { dir: inspect.stdout.trim() || null };
+    } catch {
+      return { dir: null };
+    }
+  } catch {
+    return null;
+  }
+}
+function findProjectDir() {
+  try {
+    const result = execaSync("docker", [
+      "ps",
+      "--filter",
+      "label=com.docker.compose.service=agent",
+      "--format",
+      "{{.Names}}"
+    ]);
+    const names = result.stdout.trim().split("\n").filter(Boolean);
+    for (const name of names) {
+      try {
+        const inspect = execaSync("docker", [
+          "inspect",
+          name,
+          "--format",
+          '{{index .Config.Labels "com.docker.compose.project.working_dir"}}'
+        ]);
+        const dir = inspect.stdout.trim();
+        if (dir && existsSync4(resolve4(dir, "docker-compose.yml"))) {
+          return dir;
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  const candidates = [
+    process.cwd(),
+    resolve4(process.cwd(), ".."),
+    resolve4(process.env.HOME || "~", "seclaw"),
+    resolve4(process.env.HOME || "~", "my-agent")
+  ];
+  for (const dir of candidates) {
+    const composePath = resolve4(dir, "docker-compose.yml");
+    if (existsSync4(composePath)) {
+      try {
+        const content = readFileSync2(composePath, "utf-8");
+        if (content.includes("agent") && content.includes("agent-net")) {
+          return dir;
+        }
+      } catch {
+        continue;
+      }
+    }
+  }
+  return null;
+}
+
+// src/commands/create.ts
+async function create(directory) {
+  let targetDir = resolve5(process.cwd(), directory);
+  try {
+    await mkdir2(targetDir, { recursive: true });
+  } catch (err) {
+    p2.intro(`${pc2.bgCyan(pc2.black(" seclaw "))}`);
+    p2.log.error(`Cannot create directory: ${pc2.cyan(targetDir)}`);
+    p2.log.info(pc2.dim(err instanceof Error ? err.message : String(err)));
+    p2.outro(`Try a different path, e.g.: ${pc2.cyan(`npx seclaw create ./${directory.replace(/^\/+/, "")}`)}`);
+    return;
+  }
+  const docker = await checkDocker();
+  if (!docker.ok) {
+    p2.intro(`${pc2.bgCyan(pc2.black(" seclaw "))}`);
+    p2.log.error(docker.error);
+    p2.outro("Install Docker and try again.");
+    return;
+  }
+  const running = await findRunningSeclaw();
+  const existingDir = findProjectDir();
+  const hasExisting = existsSync5(resolve5(targetDir, "docker-compose.yml"));
+  if (running || existingDir || hasExisting) {
+    const location = existingDir || running?.dir || (hasExisting ? targetDir : null);
+    if (location) {
+      targetDir = location;
+    }
+    p2.intro(`${pc2.bgCyan(pc2.black(" seclaw "))}`);
+    p2.log.warn(
+      `An agent is already running` + (location ? ` at ${pc2.cyan(location)}` : "")
+    );
+    const proceed = await p2.confirm({
+      message: "Stop everything and start fresh?",
+      initialValue: false
+    });
+    if (p2.isCancel(proceed) || !proceed) {
+      p2.outro("Cancelled.");
+      return;
+    }
+  }
+  const answers = await collectSetupAnswers(targetDir);
+  const s = p2.spinner();
+  s.start("Preparing environment...");
+  try {
+    await stopExistingSeclaw();
+    s.stop("Environment ready.");
+  } catch (err) {
+    s.stop("Warning: could not stop existing containers.");
+    p2.log.warn(err instanceof Error ? err.message : String(err));
+  }
+  s.start("Creating project files...");
+  try {
+    await scaffoldProject(targetDir, answers);
+    s.stop("Project files created.");
+  } catch (err) {
+    s.stop("Failed to create project files.");
+    p2.log.error(err instanceof Error ? err.message : String(err));
+    if (err instanceof Error && err.stack) {
+      p2.log.info(pc2.dim(err.stack));
+    }
+    p2.outro("Fix the issue above and try again.");
+    return;
+  }
+  if (answers.template !== "blank") {
+    s.start(`Copying template: ${answers.template}...`);
+    try {
+      const templateSrc = getTemplatePath(answers.template, targetDir);
+      const templateDest = resolve5(targetDir, "templates", answers.template);
+      if (templateSrc && existsSync5(templateSrc)) {
+        if (resolve5(templateSrc) !== resolve5(templateDest)) {
+          await cp2(templateSrc, templateDest, { recursive: true });
+        }
+        const promptSrc = resolve5(templateSrc, "system-prompt.md");
+        if (existsSync5(promptSrc)) {
+          await cp2(promptSrc, resolve5(targetDir, "shared", "config", "system-prompt.md"));
+        }
+        const schedulesSrc = resolve5(templateSrc, "schedules.json");
+        if (existsSync5(schedulesSrc)) {
+          await cp2(schedulesSrc, resolve5(targetDir, "shared", "config", "schedules.json"));
+        }
+        s.stop(`Template ready.`);
+      } else {
+        s.stop("Template will be available after setup.");
+      }
+    } catch (err) {
+      s.stop("Failed to copy template.");
+      p2.log.error(err instanceof Error ? err.message : String(err));
+      if (err instanceof Error && err.stack) {
+        p2.log.info(pc2.dim(err.stack));
+      }
+      p2.outro("Fix the issue above and try again.");
+      return;
+    }
+  }
+  await startServices(targetDir, s);
+  s.start("Waiting for agent...");
+  const ready = await waitForAgent(targetDir);
+  s.stop(ready ? "Agent is ready!" : "Agent is starting (may take a moment).");
+  let tunnelUrl = "";
+  s.start("Waiting for Cloudflare Tunnel...");
+  const url = await getTunnelUrl(targetDir);
+  if (url) {
+    tunnelUrl = url;
+    s.stop(`Tunnel ready: ${pc2.cyan(tunnelUrl)}`);
+  } else {
+    s.stop("Tunnel starting \u2014 check with: npx seclaw status");
+  }
+  if (tunnelUrl && answers.telegramToken) {
+    s.start("Setting up Telegram webhook...");
+    const webhookUrl = `${tunnelUrl}/webhook`;
+    const ok = await setTelegramWebhook(answers.telegramToken, tunnelUrl);
+    if (ok) {
+      s.stop("Telegram webhook configured!");
+    } else {
+      s.stop(`Webhook URL: ${pc2.cyan(webhookUrl)}`);
+    }
+  }
+  showSuccess(targetDir, tunnelUrl, answers.telegramBotName, answers.llmProvider, answers.composioApiKey);
+}
+async function waitForAgent(targetDir, maxRetries = 30, intervalMs = 2e3) {
+  for (let i = 0; i < maxRetries; i++) {
+    try {
+      const result = await execa3("docker", [
+        "compose",
+        "ps",
+        "--format",
+        "json",
+        "agent"
+      ], {
+        cwd: targetDir,
+        env: { ...process.env, COMPOSE_PROJECT_NAME: "seclaw" }
+      });
+      const lines = result.stdout.trim().split("\n");
+      for (const line of lines) {
+        try {
+          const container = JSON.parse(line);
+          if (container.Health === "healthy" || container.State === "running") {
+            try {
+              const healthRes = await fetch("http://localhost:3000/health");
+              if (healthRes.ok) return true;
+            } catch {
+            }
+            if (container.Health === "healthy") return true;
+          }
+        } catch {
+        }
+      }
+    } catch {
+    }
+    await new Promise((r) => setTimeout(r, intervalMs));
+  }
+  return false;
+}
+async function startServices(targetDir, s) {
+  s.start("Starting services (first run builds images, ~1-2 min)...");
+  try {
+    await execa3("docker", ["compose", "up", "-d", "--build"], {
+      cwd: targetDir,
+      env: { ...process.env, COMPOSE_PROJECT_NAME: "seclaw" }
+    });
+    s.stop("All services started.");
+  } catch (err) {
+    s.stop("Failed to start services.");
+    const stderr = err instanceof Error && "stderr" in err ? err.stderr : "";
+    if (stderr.includes("port is already allocated") || stderr.includes("address already in use")) {
+      p2.log.error("Port 3000 is already in use by another application.");
+      p2.log.info(`  Run: ${pc2.cyan("npx seclaw stop")} first, then try again.`);
+    } else if (stderr.includes("Cannot connect to the Docker daemon")) {
+      p2.log.error("Docker is not running. Open Docker Desktop and try again.");
+    } else {
+      p2.log.error("Docker error:");
+      p2.log.info(pc2.dim(stderr || "Unknown error \u2014 check Docker Desktop for details."));
+      p2.log.info(`  Manual start: ${pc2.cyan(`cd ${targetDir} && docker compose up -d --build`)}`);
+    }
+    p2.outro("Fix the issue above and try again.");
+    process.exit(1);
+  }
+}
+var PROVIDER_LABELS = {
+  openrouter: { model: "Gemini 3 Flash", cost: "~$3-10/mo" },
+  anthropic: { model: "Claude Sonnet 4.5", cost: "~$15-30/mo" },
+  openai: { model: "GPT-4o", cost: "~$10-25/mo" },
+  gemini: { model: "Gemini 2.5 Pro", cost: "~$7-20/mo" }
+};
+function showSuccess(targetDir, tunnelUrl, botName, provider, composioKey) {
+  const label = (s) => pc2.white(pc2.bold(s));
+  const lines = [
+    `${pc2.green(pc2.bold("Your AI agent is live!"))}`,
+    ""
+  ];
+  if (tunnelUrl) {
+    lines.push(`${label("Public URL:")} ${pc2.cyan(tunnelUrl)}`);
+  }
+  if (botName) {
+    lines.push(`${label("Telegram:")}   Open ${pc2.green(botName)} and send a message`);
+  }
+  lines.push(`${label("Workspace:")}  ${pc2.white(targetDir + "/shared/")}`);
+  if (provider) {
+    const info = PROVIDER_LABELS[provider];
+    if (info) {
+      lines.push(`${label("Model:")}      ${pc2.cyan(info.model)}`);
+      lines.push(`${label("Est. cost:")}  ${pc2.green(info.cost)}`);
+    }
+  }
+  if (composioKey) {
+    lines.push(`${label("Composio:")}   ${pc2.green("Connected")} \u2014 run ${pc2.cyan("npx seclaw integrations")} to add Gmail, etc.`);
+  } else {
+    lines.push(`${label("Composio:")}   ${pc2.yellow("Skipped")} \u2014 run ${pc2.cyan("npx seclaw integrations")} later to add integrations`);
+  }
+  p2.note(lines.join("\n"), "seclaw");
+  if (provider === "openrouter") {
+    p2.log.info(
+      `${pc2.bold("Gemini 3 Flash:")} Fast, affordable, and great with tools.
+  Change model anytime in .env \u2192 LLM_MODEL=your/model`
+    );
+  }
+  p2.outro(`${pc2.white("Manage:")} npx seclaw status | stop | integrations`);
+}
+function getTemplatePath(template, targetDir) {
+  if (targetDir) {
+    const installed = resolve5(targetDir, "templates", template);
+    if (existsSync5(installed)) return installed;
+  }
+  const bundled = resolve5(import.meta.dirname, "templates", "free", template);
+  if (existsSync5(bundled)) return bundled;
+  const bundledPaid = resolve5(import.meta.dirname, "templates", "paid", template);
+  if (existsSync5(bundledPaid)) return bundledPaid;
+  const local = resolve5(process.cwd(), "packages", "cli", "templates", "free", template);
+  if (existsSync5(local)) return local;
+  return null;
+}
+
+// src/commands/add.ts
+import { resolve as resolve6 } from "path";
+import { existsSync as existsSync6 } from "fs";
+import { writeFile as writeFile3, mkdir as mkdir3, readFile as readFile3, cp as cp3 } from "fs/promises";
+import { execSync } from "child_process";
+import * as p3 from "@clack/prompts";
+import pc3 from "picocolors";
+var API_URL = process.env.SECLAW_API || "https://seclawai.com";
+var FREE_TEMPLATES = ["productivity-agent", "data-analyst"];
+async function add(template, options) {
+  p3.intro(`${pc3.bgCyan(pc3.black(" seclaw "))} Adding template: ${template}`);
+  const isFree = FREE_TEMPLATES.includes(template);
+  const s = p3.spinner();
+  const monorepoTemplatesDir = resolve6(import.meta.dirname, "..", "..", "templates", "paid");
+  const templateDir = !isFree && existsSync6(resolve6(import.meta.dirname, "..", "..", "templates")) ? resolve6(monorepoTemplatesDir, template) : resolve6(process.cwd(), "templates", template);
+  if (isFree) {
+    s.start("Setting up free template...");
+    const bundledPath = resolve6(
+      import.meta.dirname,
+      "templates",
+      "free",
+      template
+    );
+    if (!existsSync6(bundledPath)) {
+      s.stop("Template not found.");
+      p3.log.error("Bundled template not found. Try updating: npm i -g seclaw");
+      return;
+    }
+    await mkdir3(templateDir, { recursive: true });
+    const filesToCopy = [
+      "system-prompt.md",
+      "config.json",
+      "README.md",
+      "manifest.json",
+      "schedules.json"
+    ];
+    for (const file of filesToCopy) {
+      const src = resolve6(bundledPath, file);
+      if (existsSync6(src)) {
+        const content = await readFile3(src, "utf-8");
+        await writeFile3(resolve6(templateDir, file), content);
+      }
+    }
+    s.stop("Template files ready.");
+  } else {
+    if (!options.key) {
+      p3.log.error(
+        `${pc3.bold(template)} is a paid template. Provide your token with --key`
+      );
+      p3.log.info("");
+      p3.log.info(`  ${pc3.dim("1.")} Purchase at ${pc3.cyan("https://seclawai.com/templates")}`);
+      p3.log.info(`  ${pc3.dim("2.")} npx seclaw add ${template} --key YOUR_TOKEN`);
+      return;
+    }
+    s.start("Validating token...");
+    try {
+      const res = await fetch(`${API_URL}/api/templates/activate`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token: options.key, templateId: template })
+      });
+      if (!res.ok) {
+        const err = await res.json();
+        s.stop("Activation failed.");
+        p3.log.error(err.error || "Invalid token or template not owned.");
+        return;
+      }
+      const data = await res.json();
+      s.stop(`Template ready: ${pc3.green(data.templateName)}`);
+      s.start("Writing template files...");
+      await mkdir3(templateDir, { recursive: true });
+      for (const [filename, content] of Object.entries(data.files)) {
+        await writeFile3(resolve6(templateDir, filename), content);
+      }
+      s.stop(`${Object.keys(data.files).length} files written to ${pc3.dim(templateDir)}`);
+      const cliDir = resolve6(import.meta.dirname, "..");
+      const cliPkgPath = resolve6(cliDir, "package.json");
+      if (existsSync6(cliPkgPath)) {
+        s.start("Rebuilding CLI...");
+        try {
+          execSync("pnpm build", { cwd: cliDir, stdio: "pipe" });
+          s.stop("CLI rebuilt with new template.");
+        } catch {
+          s.stop("CLI rebuild failed \u2014 run `pnpm build` manually.");
+        }
+      }
+    } catch (err) {
+      s.stop("Failed.");
+      p3.log.error(`Network error: ${err}`);
+      p3.log.info("Check your connection and try again.");
+      return;
+    }
+  }
+  const configDir = resolve6(process.cwd(), "shared", "config");
+  if (existsSync6(configDir)) {
+    const capDir = resolve6(configDir, "capabilities", template);
+    await mkdir3(capDir, { recursive: true });
+    const promptPath = resolve6(templateDir, "system-prompt.md");
+    if (existsSync6(promptPath)) {
+      await cp3(promptPath, resolve6(capDir, "system-prompt.md"));
+    }
+    const schedulesPath = resolve6(templateDir, "schedules.json");
+    if (existsSync6(schedulesPath)) {
+      await cp3(schedulesPath, resolve6(capDir, "schedules.json"));
+    }
+    const installedPath = resolve6(configDir, "installed.json");
+    let installed = { capabilities: [] };
+    try {
+      if (existsSync6(installedPath)) {
+        installed = JSON.parse(await readFile3(installedPath, "utf-8"));
+      }
+    } catch {
+    }
+    if (!installed.capabilities.includes(template)) {
+      installed.capabilities.push(template);
+    }
+    await writeFile3(installedPath, JSON.stringify(installed, null, 2) + "\n");
+    let templateName = template;
+    const manifestPath = resolve6(templateDir, "manifest.json");
+    try {
+      if (existsSync6(manifestPath)) {
+        const manifest = JSON.parse(await readFile3(manifestPath, "utf-8"));
+        if (manifest.name) templateName = manifest.name;
+      }
+    } catch {
+    }
+    p3.log.success(
+      `Capability '${pc3.bold(templateName)}' added. ${pc3.cyan(String(installed.capabilities.length))} capabilities active.`
+    );
+    p3.log.info("Restart agent to apply changes.");
+  }
+  p3.outro(`${pc3.green("Done!")} Template ${pc3.bold(template)} is ready.`);
+}
+
+// src/commands/integrations.ts
+import { resolve as resolve7 } from "path";
+import { existsSync as existsSync7, readFileSync as readFileSync3 } from "fs";
+import { readFile as readFile4, writeFile as writeFile4 } from "fs/promises";
+import { exec as exec2 } from "child_process";
+import { platform as platform2, homedir as homedir2 } from "os";
+import { execa as execa4 } from "execa";
+import * as p4 from "@clack/prompts";
+import pc4 from "picocolors";
+var INTEGRATIONS = {
+  gmail: { name: "Gmail", app: "gmail", hint: "email reading, sending, labels" },
+  "google-drive": { name: "Google Drive", app: "googledrive", hint: "file access, sharing" },
+  "google-calendar": { name: "Google Calendar", app: "googlecalendar", hint: "events, scheduling" },
+  "google-sheets": { name: "Google Sheets", app: "googlesheets", hint: "spreadsheets" },
+  notion: { name: "Notion", app: "notion", hint: "notes, databases, pages" },
+  github: { name: "GitHub", app: "github", hint: "repos, issues, PRs" },
+  slack: { name: "Slack", app: "slack", hint: "team messaging, channels" },
+  linear: { name: "Linear", app: "linear", hint: "issues, projects, teams" },
+  trello: { name: "Trello", app: "trello", hint: "boards, cards, lists" },
+  todoist: { name: "Todoist", app: "todoist", hint: "task management" },
+  dropbox: { name: "Dropbox", app: "dropbox", hint: "file storage" },
+  whatsapp: { name: "WhatsApp", app: "whatsapp", hint: "messaging", params: [
+    { key: "WABA_ID", label: "WhatsApp Business Account ID (WABA ID)", placeholder: "123456789012345" }
+  ] }
+};
+async function integrations() {
+  const projectDir = findProjectDir2();
+  if (!projectDir) {
+    p4.intro(`${pc4.bgCyan(pc4.black(" seclaw "))}`);
+    p4.log.error("No seclaw project found. Run from your project directory.");
+    return;
+  }
+  let composioKey = await getComposioKey(projectDir);
+  if (!composioKey) {
+    const localKey = readComposioLocalKey2();
+    if (localKey) {
+      composioKey = localKey;
+      await appendEnv(projectDir, "COMPOSIO_API_KEY", localKey);
+      await appendEnv(projectDir, "COMPOSIO_USER_ID", generateUserId2());
+      p4.intro(`${pc4.bgCyan(pc4.black(" seclaw "))}`);
+      p4.log.success(`Composio API key auto-detected from ${pc4.dim("~/.composio/user_data.json")}`);
+      await restartAgent(projectDir);
+    }
+  }
+  if (!composioKey) {
+    p4.intro(`${pc4.bgCyan(pc4.black(" seclaw "))}`);
+    p4.log.warn("No Composio API key found.");
+    const method = await p4.select({
+      message: "How would you like to set up Composio?",
+      options: [
+        { value: "browser", label: "Open browser", hint: "sign up + get API key (recommended)" },
+        { value: "paste", label: "Paste API key", hint: "if you already have one" },
+        { value: "cancel", label: "Cancel" }
+      ]
+    });
+    if (p4.isCancel(method) || method === "cancel") {
+      p4.outro("Run again when ready.");
+      return;
+    }
+    if (method === "browser") {
+      const url = "https://platform.composio.dev";
+      p4.log.info(
+        `${pc4.dim("Opening:")} ${pc4.cyan(url)}
+  ${pc4.dim("1.")} Sign up or log in
+  ${pc4.dim("2.")} Click ${pc4.bold("Settings")} \u2192 ${pc4.bold("API Keys")} tab
+  ${pc4.dim("3.")} Click ${pc4.bold("New API key")}, copy and paste it below`
+      );
+      openBrowser(url);
+    }
+    const apiKey = await p4.text({
+      message: "Paste your Composio API Key",
+      placeholder: "ak_..."
+    });
+    if (p4.isCancel(apiKey) || !apiKey) {
+      p4.outro("Cancelled.");
+      return;
+    }
+    composioKey = apiKey;
+    await appendEnv(projectDir, "COMPOSIO_API_KEY", composioKey);
+    await appendEnv(projectDir, "COMPOSIO_USER_ID", generateUserId2());
+    p4.log.success("Composio API key saved!");
+    await restartAgent(projectDir);
+  }
+  const activeConnections = await getActiveConnections(composioKey);
+  p4.intro(`${pc4.bgCyan(pc4.black(" seclaw "))} Manage Integrations`);
+  const statusLines = [];
+  const connectedCount = [...activeConnections.values()].length;
+  for (const [, def] of Object.entries(INTEGRATIONS)) {
+    if (activeConnections.has(def.app)) {
+      statusLines.push(`  ${pc4.green("\u2713")} ${def.name}  ${pc4.dim("connected")}`);
+    } else {
+      statusLines.push(`  ${pc4.dim("\u25CB")} ${def.name}  ${pc4.dim(def.hint)}`);
+    }
+  }
+  p4.log.message(statusLines.join("\n"));
+  const hasConnected = connectedCount > 0;
+  const hasAvailable = Object.values(INTEGRATIONS).some((def) => !activeConnections.has(def.app));
+  const actionOptions = [];
+  if (hasAvailable) {
+    actionOptions.push({ value: "connect", label: "Connect a new integration" });
+  }
+  if (hasConnected) {
+    actionOptions.push({ value: "disconnect", label: "Disconnect an integration" });
+  }
+  actionOptions.push({ value: "cancel", label: "Cancel" });
+  if (actionOptions.length === 1) {
+    p4.outro("All integrations are connected!");
+    return;
+  }
+  const action = await p4.select({
+    message: "What would you like to do?",
+    options: actionOptions
+  });
+  if (p4.isCancel(action) || action === "cancel") {
+    p4.outro("Done.");
+    return;
+  }
+  if (action === "connect") {
+    await handleConnect(projectDir, composioKey, activeConnections);
+  } else if (action === "disconnect") {
+    await handleDisconnect(projectDir, composioKey, activeConnections);
+  }
+}
+async function handleConnect(projectDir, composioKey, activeConnections) {
+  const available = Object.entries(INTEGRATIONS).filter(([, def2]) => !activeConnections.has(def2.app)).map(([id, def2]) => ({
+    value: id,
+    label: def2.name,
+    hint: def2.hint
+  }));
+  if (available.length === 0) {
+    p4.outro("All integrations are connected!");
+    return;
+  }
+  const selected = await p4.select({
+    message: "Connect an integration:",
+    options: [
+      ...available,
+      { value: "_cancel", label: "Cancel" }
+    ]
+  });
+  if (p4.isCancel(selected) || selected === "_cancel") {
+    p4.outro("Cancelled.");
+    return;
+  }
+  const def = INTEGRATIONS[selected];
+  const extraParams = {};
+  if (def.params?.length) {
+    for (const param of def.params) {
+      const value = await p4.text({
+        message: param.label,
+        placeholder: param.placeholder
+      });
+      if (p4.isCancel(value) || !value) {
+        p4.outro("Cancelled.");
+        return;
+      }
+      extraParams[param.key] = value;
+    }
+  }
+  const s = p4.spinner();
+  s.start(`Connecting ${def.name} via Composio...`);
+  try {
+    const userId = await getComposioUserId(projectDir);
+    const authConfigId = await getOrCreateAuthConfig(composioKey, def.app);
+    const connection = await createConnection(composioKey, authConfigId, userId, extraParams);
+    s.stop(`${def.name} authorization ready.`);
+    if (connection.redirectUrl) {
+      p4.log.info(
+        `${pc4.bold("Complete the authorization:")}
+  ${pc4.dim("Opening:")} ${pc4.cyan(connection.redirectUrl)}
+
+  ${pc4.dim("Sign in and grant access to")} ${pc4.bold(def.name)}.
+  ${pc4.dim("If browser didn't open, copy the URL above.")}`
+      );
+      openBrowser(connection.redirectUrl);
+      const done = await p4.confirm({
+        message: `Did you complete the ${def.name} authorization?`,
+        initialValue: true
+      });
+      if (p4.isCancel(done) || !done) {
+        p4.outro(`You can retry later with: ${pc4.cyan("npx seclaw integrations")}`);
+        return;
+      }
+      const restartSpinner = p4.spinner();
+      restartSpinner.start("Restarting agent to activate integration...");
+      await restartAgent(projectDir);
+      restartSpinner.stop("Agent restarted.");
+      p4.outro(`${pc4.green("\u2713")} ${def.name} connected! Your agent can now use it.`);
+    } else {
+      s.stop("No authorization URL returned.");
+      p4.outro("Try again or check your Composio dashboard.");
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    s.stop(`Failed to connect ${def.name}.`);
+    if (msg.includes("abort")) {
+      p4.log.error(`Request timed out. Composio API did not respond within 15s.`);
+    } else {
+      p4.log.error(`${msg}
+  ${pc4.dim("Check your Composio API key and try again.")}`);
+    }
+  }
+}
+async function handleDisconnect(projectDir, composioKey, activeConnections) {
+  const connected = Object.entries(INTEGRATIONS).filter(([, def2]) => activeConnections.has(def2.app)).map(([id, def2]) => ({
+    value: id,
+    label: def2.name
+  }));
+  if (connected.length === 0) {
+    p4.outro("No integrations to disconnect.");
+    return;
+  }
+  const selected = await p4.select({
+    message: "Disconnect an integration:",
+    options: [
+      ...connected,
+      { value: "_cancel", label: "Cancel" }
+    ]
+  });
+  if (p4.isCancel(selected) || selected === "_cancel") {
+    p4.outro("Cancelled.");
+    return;
+  }
+  const def = INTEGRATIONS[selected];
+  const accountId = activeConnections.get(def.app);
+  if (!accountId) {
+    p4.log.error(`Could not find account ID for ${def.name}.`);
+    return;
+  }
+  const confirmed = await p4.confirm({
+    message: `Disconnect ${def.name}? Your agent will lose access to it.`,
+    initialValue: false
+  });
+  if (p4.isCancel(confirmed) || !confirmed) {
+    p4.outro("Cancelled.");
+    return;
+  }
+  const s = p4.spinner();
+  s.start(`Disconnecting ${def.name}...`);
+  try {
+    await composioFetch(composioKey, `/connected_accounts/${accountId}`, {
+      method: "DELETE"
+    });
+    s.stop(`${def.name} disconnected.`);
+    const restartSpinner = p4.spinner();
+    restartSpinner.start("Restarting agent to update tools...");
+    await restartAgent(projectDir);
+    restartSpinner.stop("Agent restarted.");
+    p4.outro(`${pc4.green("\u2713")} ${def.name} disconnected.`);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    s.stop(`Failed: ${msg}`);
+    p4.log.error(
+      `Could not disconnect ${def.name}.
+  ${pc4.dim("Check your Composio dashboard.")}`
+    );
+  }
+}
+var COMPOSIO_API = "https://backend.composio.dev/api/v3";
+async function composioFetch(apiKey, path, options) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), 15e3);
+  try {
+    const res = await fetch(`${COMPOSIO_API}${path}`, {
+      ...options,
+      signal: controller.signal,
+      headers: {
+        "x-api-key": apiKey,
+        "Content-Type": "application/json",
+        ...options?.headers
+      }
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Composio ${res.status}: ${body}`);
+    }
+    return res.json();
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function getOrCreateAuthConfig(apiKey, appSlug) {
+  const data = await composioFetch(apiKey, `/auth_configs?appName=${appSlug}`);
+  const match = (data.items || []).find(
+    (c) => c.toolkit?.slug === appSlug
+  );
+  if (match) {
+    return match.id;
+  }
+  const created = await composioFetch(apiKey, "/auth_configs", {
+    method: "POST",
+    body: JSON.stringify({ toolkit: { slug: appSlug } })
+  });
+  return created.auth_config?.id ?? created.id;
+}
+async function createConnection(apiKey, authConfigId, entityId, params) {
+  const connection = { entity_id: entityId };
+  if (params && Object.keys(params).length > 0) {
+    connection.config = params;
+  }
+  const data = await composioFetch(apiKey, "/connected_accounts", {
+    method: "POST",
+    body: JSON.stringify({
+      auth_config: { id: authConfigId },
+      connection
+    })
+  });
+  return {
+    id: data.id,
+    redirectUrl: data.redirect_url || data.redirect_uri || null
+  };
+}
+function findProjectDir2() {
+  return findProjectDir();
+}
+async function getComposioKey(projectDir) {
+  try {
+    const env = await readFile4(resolve7(projectDir, ".env"), "utf-8");
+    const match = env.match(/COMPOSIO_API_KEY=(\S+)/);
+    return match ? match[1] : null;
+  } catch {
+    return null;
+  }
+}
+async function getComposioUserId(projectDir) {
+  try {
+    const env = await readFile4(resolve7(projectDir, ".env"), "utf-8");
+    const match = env.match(/COMPOSIO_USER_ID=(\S+)/);
+    return match ? match[1] : "default-user";
+  } catch {
+    return "default-user";
+  }
+}
+function generateUserId2() {
+  const chars = "abcdefghijklmnopqrstuvwxyz0123456789";
+  let id = "seclaw-user-";
+  for (let i = 0; i < 16; i++) {
+    id += chars[Math.floor(Math.random() * chars.length)];
+  }
+  return id;
+}
+async function appendEnv(projectDir, key, value) {
+  const envPath = resolve7(projectDir, ".env");
+  let content = "";
+  try {
+    content = await readFile4(envPath, "utf-8");
+  } catch {
+  }
+  content = content.split("\n").filter((l) => !l.startsWith(`${key}=`)).join("\n");
+  content = content.trimEnd() + `
+${key}=${value}
+`;
+  await writeFile4(envPath, content);
+}
+async function restartAgent(projectDir) {
+  const env = { ...process.env, COMPOSE_PROJECT_NAME: "seclaw" };
+  try {
+    await execa4("docker", ["compose", "restart", "agent"], { cwd: projectDir, env });
+  } catch {
+  }
+}
+async function getActiveConnections(apiKey) {
+  try {
+    const data = await composioFetch(apiKey, "/connected_accounts?status=ACTIVE");
+    const map = /* @__PURE__ */ new Map();
+    for (const a of data.items || []) {
+      if (a.status === "ACTIVE" && a.toolkit?.slug) {
+        if (!map.has(a.toolkit.slug)) {
+          map.set(a.toolkit.slug, a.id);
+        }
+      }
+    }
+    return map;
+  } catch {
+    return /* @__PURE__ */ new Map();
+  }
+}
+function readComposioLocalKey2() {
+  try {
+    const dataPath = resolve7(homedir2(), ".composio", "user_data.json");
+    if (!existsSync7(dataPath)) return null;
+    const data = JSON.parse(readFileSync3(dataPath, "utf-8"));
+    const key = data.api_key;
+    return key && typeof key === "string" && key.startsWith("ak_") ? key : null;
+  } catch {
+    return null;
+  }
+}
+function openBrowser(url) {
+  const cmd = platform2() === "darwin" ? `open "${url}"` : platform2() === "win32" ? `start "${url}"` : `xdg-open "${url}"`;
+  exec2(cmd, () => {
+  });
+}
+
+// src/commands/templates.ts
+import { resolve as resolve8 } from "path";
+import { existsSync as existsSync8 } from "fs";
+import { readFile as readFile5, readdir } from "fs/promises";
+import * as p5 from "@clack/prompts";
+import pc5 from "picocolors";
+var TEMPLATES = [
+  { id: "productivity-agent", name: "Productivity Agent", price: 0, tier: "free", description: "Personal assistant \u2014 task management, daily reports, email drafting, file organization", hook: "npx seclaw add productivity-agent" },
+  { id: "data-analyst", name: "Data Analyst", price: 0, tier: "free", description: "Privacy-first local data analysis \u2014 drop CSV/JSON files, ask questions, get Python-powered insights", hook: "npx seclaw add data-analyst" },
+  { id: "inbox-agent", name: "Inbox Agent", price: 19, tier: "paid", description: "AI inbox manager that categorizes, summarizes, and triages your email", hook: "3 urgent, 5 action needed, 12 FYI, 8 newsletter" },
+  { id: "reddit-hn-digest", name: "Reddit & HN Digest", price: 19, tier: "paid", description: "Daily curated digest from Reddit and Hacker News", hook: "Never miss what matters on Reddit and HN" },
+  { id: "youtube-digest", name: "YouTube Digest", price: 19, tier: "paid", description: "Morning summary of new videos from favorite channels", hook: "Your YouTube feed, distilled to what matters" },
+  { id: "health-tracker", name: "Health Tracker", price: 29, tier: "paid", description: "Food & symptom tracking with weekly correlation analysis", hook: "Understand what your body is telling you" },
+  { id: "earnings-tracker", name: "Earnings Tracker", price: 29, tier: "paid", description: "Tech/AI earnings reports with beat/miss analysis", hook: "Every earnings call, analyzed in minutes" },
+  { id: "research-agent", name: "Research Agent", price: 39, tier: "paid", description: "AI research analyst that monitors competitors, trends, and industry news", hook: "Know when competitors change anything -- in 5 minutes" },
+  { id: "knowledge-base", name: "Knowledge Base", price: 39, tier: "paid", description: "Personal knowledge management from URLs, articles, tweets", hook: "Your second brain, always organized" },
+  { id: "family-calendar", name: "Family Calendar", price: 39, tier: "paid", description: "Household coordination with calendar aggregation", hook: "Everyone in sync, nothing forgotten" },
+  { id: "content-agent", name: "Content Agent", price: 49, tier: "paid", description: "AI content strategist that researches trends, drafts posts in your voice, and tracks engagement", hook: "Your X account grows while you sleep" },
+  { id: "personal-crm", name: "Personal CRM", price: 49, tier: "paid", description: "Contact management with auto-discovery from email", hook: "Never lose touch with anyone important" },
+  { id: "youtube-creator", name: "YouTube Creator", price: 69, tier: "paid", description: "Content pipeline for YouTube creators", hook: "From idea to upload, fully assisted" },
+  { id: "devops-agent", name: "DevOps Agent", price: 79, tier: "paid", description: "Infrastructure monitoring + self-healing", hook: "Sleep through incidents, wake up to fixes" },
+  { id: "customer-service", name: "Customer Service", price: 79, tier: "paid", description: "Multi-channel customer support with knowledge base", hook: "24/7 support without the headcount" },
+  { id: "sales-agent", name: "Sales Agent", price: 79, tier: "paid", description: "AI-powered B2B sales development representative", hook: "Find leads overnight, inbox full by morning" },
+  { id: "six-agent-company", name: "Six Agent Company", price: 149, tier: "paid", description: "6 AI agents running your company: CEO, Engineer, QA, Data, Marketing, Growth", hook: "6 AI agents running your company for $8/month" }
+];
+async function templates() {
+  p5.intro(`${pc5.bgCyan(pc5.black(" seclaw "))} Available Templates`);
+  const all = await loadManifests();
+  if (all.length === 0) {
+    p5.log.warn("No templates found. Try updating: npm i -g seclaw");
+    return;
+  }
+  const free = all.filter((t) => t.tier === "free");
+  const paid = all.filter((t) => t.tier === "paid");
+  if (free.length > 0) {
+    p5.log.info(pc5.bold("Free"));
+    for (const t of free) {
+      p5.log.message(
+        `  ${pc5.green(t.id)}
+  ${t.description}
+  ${pc5.dim(t.hook)}`
+      );
+    }
+  }
+  if (paid.length > 0) {
+    p5.log.info(pc5.bold("Paid"));
+    for (const t of paid) {
+      p5.log.message(
+        `  ${pc5.yellow(t.id)} ${pc5.dim(`$${t.price}`)}
+  ${t.description}
+  ${pc5.dim(t.hook)}`
+      );
+    }
+  }
+  p5.log.info("");
+  p5.log.info(pc5.bold("Usage:"));
+  p5.log.message(`  ${pc5.cyan("npx seclaw add productivity-agent")}          ${pc5.dim("free")}`);
+  p5.log.message(`  ${pc5.cyan("npx seclaw add content-agent --key KEY")}     ${pc5.dim("paid")}`);
+  p5.outro(`${pc5.dim("Browse:")} https://seclawai.com/templates`);
+}
+async function loadManifests() {
+  const manifests = [];
+  const seen = /* @__PURE__ */ new Set();
+  const searchRoots = [
+    resolve8(import.meta.dirname, "templates"),
+    resolve8(process.cwd(), "packages", "cli", "templates")
+  ];
+  for (const root of searchRoots) {
+    for (const tier of ["free", "paid"]) {
+      const base = resolve8(root, tier);
+      if (!existsSync8(base)) continue;
+      let entries;
+      try {
+        entries = await readdir(base, { withFileTypes: true });
+      } catch {
+        continue;
+      }
+      for (const entry of entries) {
+        if (!entry.isDirectory()) continue;
+        if (seen.has(entry.name)) continue;
+        const manifestPath = resolve8(base, entry.name, "manifest.json");
+        if (!existsSync8(manifestPath)) continue;
+        try {
+          const raw = await readFile5(manifestPath, "utf-8");
+          manifests.push(JSON.parse(raw));
+          seen.add(entry.name);
+        } catch {
+        }
+      }
+    }
+  }
+  for (const t of TEMPLATES) {
+    if (!seen.has(t.id)) {
+      manifests.push(t);
+      seen.add(t.id);
+    }
+  }
+  manifests.sort((a, b) => a.price - b.price);
+  return manifests;
+}
+
+// src/commands/status.ts
+import { resolve as resolve9 } from "path";
+import { readFile as readFile6 } from "fs/promises";
+import * as p6 from "@clack/prompts";
+import { execa as execa5 } from "execa";
+import pc6 from "picocolors";
+async function status() {
+  p6.intro(`${pc6.bgCyan(pc6.black(" seclaw "))} Status`);
+  const projectDir = findProjectDir();
+  if (!projectDir) {
+    p6.log.warn("No seclaw project found.");
+    p6.log.info(`  Start one with: ${pc6.cyan("npx seclaw my-agent")}`);
+    p6.outro("");
+    return;
+  }
+  try {
+    const result = await execa5("docker", ["compose", "ps", "--format", "json"], {
+      cwd: projectDir,
+      env: { ...process.env, COMPOSE_PROJECT_NAME: "seclaw" }
+    });
+    const lines = result.stdout.trim().split("\n").filter(Boolean);
+    const services = lines.map(
+      (l) => JSON.parse(l)
+    );
+    if (services.length === 0) {
+      p6.log.warn("Services are not running.");
+      p6.log.info(`  Start with: ${pc6.cyan("npx seclaw")} in ${pc6.dim(projectDir)}`);
+      p6.outro("");
+      return;
+    }
+    for (const svc of services) {
+      const icon = svc.State === "running" ? pc6.green("\u25CF") : pc6.red("\u25CF");
+      const health = svc.Status.includes("healthy") ? pc6.green("healthy") : svc.Status.includes("starting") ? pc6.yellow("starting") : pc6.dim(svc.Status);
+      p6.log.info(`${icon} ${pc6.bold(svc.Service.padEnd(20))} ${health}`);
+    }
+    const infoLines = [];
+    let agentOk = false;
+    try {
+      const agentRes = await execa5("docker", [
+        "compose",
+        "exec",
+        "agent",
+        "wget",
+        "-q",
+        "-O-",
+        "http://localhost:3000/health"
+      ], {
+        cwd: projectDir,
+        env: { ...process.env, COMPOSE_PROJECT_NAME: "seclaw" }
+      });
+      if (agentRes.stdout.includes("ok")) agentOk = true;
+    } catch {
+    }
+    infoLines.push(
+      `${pc6.white(pc6.bold("Agent:"))}     ${agentOk ? pc6.green("healthy") : pc6.yellow("starting...")}`
+    );
+    const tunnelUrl = await getTunnelUrl(projectDir, 3);
+    if (tunnelUrl) {
+      infoLines.push(`${pc6.white(pc6.bold("Public URL:"))} ${pc6.cyan(tunnelUrl)}`);
+    } else {
+      infoLines.push(`${pc6.white(pc6.bold("Public URL:"))} ${pc6.yellow("not detected yet")}`);
+    }
+    try {
+      const env = await readFile6(resolve9(projectDir, ".env"), "utf-8");
+      const tokenMatch = env.match(/TELEGRAM_BOT_TOKEN=(.+)/);
+      if (tokenMatch && tokenMatch[1].includes(":")) {
+        const botToken = tokenMatch[1].trim();
+        try {
+          const res = await fetch(`https://api.telegram.org/bot${botToken}/getMe`);
+          const data = await res.json();
+          if (data.ok && data.result) {
+            infoLines.push(`${pc6.white(pc6.bold("Telegram:"))}   ${pc6.green("@" + data.result.username)}`);
+          }
+        } catch {
+          infoLines.push(`${pc6.white(pc6.bold("Telegram:"))}   ${pc6.green("configured")}`);
+        }
+      }
+    } catch {
+    }
+    try {
+      const env = await readFile6(resolve9(projectDir, ".env"), "utf-8");
+      if (env.includes("COMPOSIO_API_KEY=")) {
+        infoLines.push(`${pc6.white(pc6.bold("Composio:"))}   ${pc6.green("configured")}`);
+      }
+    } catch {
+    }
+    infoLines.push(`${pc6.white(pc6.bold("Workspace:"))}  ${resolve9(projectDir, "shared")}`);
+    infoLines.push(`${pc6.white(pc6.bold("Project:"))}   ${projectDir}`);
+    p6.note(infoLines.join("\n"), "seclaw");
+  } catch {
+    p6.log.error("Could not check status. Is Docker running?");
+  }
+  p6.outro(`${pc6.white("Manage:")} npx seclaw stop | integrations | upgrade`);
+}
+
+// src/commands/stop.ts
+import * as p7 from "@clack/prompts";
+import { execa as execa6 } from "execa";
+import pc7 from "picocolors";
+async function stop() {
+  p7.intro(`${pc7.bgCyan(pc7.black(" seclaw "))} Stopping services...`);
+  const projectDir = findProjectDir();
+  if (!projectDir) {
+    p7.log.warn("No seclaw project found. Nothing to stop.");
+    p7.outro("");
+    return;
+  }
+  const s = p7.spinner();
+  s.start("Stopping containers...");
+  try {
+    await execa6("docker", ["compose", "down"], {
+      cwd: projectDir,
+      env: { ...process.env, COMPOSE_PROJECT_NAME: "seclaw" }
+    });
+    s.stop("All services stopped.");
+  } catch {
+    s.stop("Failed to stop services.");
+    p7.log.error(`Try manually: cd ${projectDir} && docker compose down`);
+  }
+  p7.outro(`Restart anytime: ${pc7.cyan("npx seclaw")} in ${pc7.dim(projectDir)}`);
+}
+
+// src/commands/reconnect.ts
+import { resolve as resolve10 } from "path";
+import { readFile as readFile7 } from "fs/promises";
+import { execa as execa7 } from "execa";
+import * as p8 from "@clack/prompts";
+import pc8 from "picocolors";
+async function reconnect() {
+  const projectDir = findProjectDir();
+  if (!projectDir) {
+    p8.intro(`${pc8.bgCyan(pc8.black(" seclaw "))}`);
+    p8.log.error("No seclaw project found. Run from your project directory.");
+    return;
+  }
+  p8.intro(`${pc8.bgCyan(pc8.black(" seclaw "))} Reconnect`);
+  const s = p8.spinner();
+  const env = { ...process.env, COMPOSE_PROJECT_NAME: "seclaw" };
+  s.start("Restarting all services...");
+  await clearTunnelCache(projectDir);
+  try {
+    await execa7("docker", ["compose", "down"], { cwd: projectDir, env });
+    await execa7("docker", ["compose", "up", "-d"], { cwd: projectDir, env });
+  } catch {
+    s.stop("Failed to restart services.");
+    p8.log.error("Is Docker running? Try: npx seclaw status");
+    return;
+  }
+  s.stop("Services restarted.");
+  s.start("Waiting for agent...");
+  await new Promise((r) => setTimeout(r, 5e3));
+  s.stop("Agent starting.");
+  s.start("Waiting for Cloudflare Tunnel...");
+  const tunnelUrl = await getTunnelUrl(projectDir, 30);
+  if (!tunnelUrl) {
+    s.stop("Could not detect tunnel URL.");
+    p8.log.error("Tunnel may still be starting. Try again in a minute.");
+    return;
+  }
+  s.stop(`Tunnel ready: ${pc8.cyan(tunnelUrl)}`);
+  try {
+    const envContent = await readFile7(resolve10(projectDir, ".env"), "utf-8");
+    const tokenMatch = envContent.match(/TELEGRAM_BOT_TOKEN=(.+)/);
+    if (tokenMatch && tokenMatch[1].includes(":")) {
+      s.start("Setting Telegram webhook...");
+      const ok = await setTelegramWebhook(tokenMatch[1].trim(), tunnelUrl);
+      s.stop(ok ? "Telegram webhook updated!" : "Could not update webhook.");
+    }
+  } catch {
+  }
+  p8.note(
+    `${pc8.white(pc8.bold("Tunnel:"))} ${pc8.cyan(tunnelUrl)}`,
+    "seclaw"
+  );
+  p8.outro("Reconnected! Send a message on Telegram to test.");
+}
+
+// src/commands/doctor.ts
+import { resolve as resolve11 } from "path";
+import { existsSync as existsSync9 } from "fs";
+import { readFile as readFile8 } from "fs/promises";
+import { execa as execa8 } from "execa";
+import * as p9 from "@clack/prompts";
+import pc9 from "picocolors";
+var PASS = pc9.green("PASS");
+var FAIL = pc9.red("FAIL");
+var FIX = pc9.cyan("FIX ");
+async function doctor() {
+  p9.intro(`${pc9.bgCyan(pc9.black(" seclaw "))} Doctor`);
+  const results = [];
+  const s = p9.spinner();
+  s.start("Checking Docker...");
+  const dockerCheck = await checkDockerHealth();
+  results.push(dockerCheck);
+  s.stop(formatCheck(dockerCheck));
+  if (!dockerCheck.ok) {
+    showSummary(results);
+    return;
+  }
+  s.start("Finding project...");
+  const projectDir = findProjectDir();
+  const projectCheck = projectDir ? { name: "Project", ok: true, message: `Found at ${pc9.dim(projectDir)}` } : { name: "Project", ok: false, message: "No seclaw project found. Run from your project directory." };
+  results.push(projectCheck);
+  s.stop(formatCheck(projectCheck));
+  if (!projectDir) {
+    showSummary(results);
+    return;
+  }
+  const env = { ...process.env };
+  s.start("Checking containers...");
+  const containerChecks = await checkContainers(projectDir, env);
+  results.push(...containerChecks);
+  for (const c of containerChecks) {
+    s.stop(formatCheck(c));
+    if (containerChecks.indexOf(c) < containerChecks.length - 1) s.start("Checking containers...");
+  }
+  s.start("Checking agent...");
+  const agentCheck = await checkAgentHealth(projectDir, env);
+  results.push(agentCheck);
+  s.stop(formatCheck(agentCheck));
+  s.start("Checking tunnel...");
+  const tunnelCheck = await checkTunnel(projectDir);
+  results.push(tunnelCheck);
+  s.stop(formatCheck(tunnelCheck));
+  s.start("Checking Telegram...");
+  const telegramCheck = await checkTelegram(projectDir, tunnelCheck);
+  results.push(telegramCheck);
+  s.stop(formatCheck(telegramCheck));
+  s.start("Checking Composio...");
+  const composioCheck = await checkComposio(projectDir);
+  results.push(composioCheck);
+  s.stop(formatCheck(composioCheck));
+  showSummary(results);
+  const fixable = results.filter((r) => !r.ok && r.fix);
+  if (fixable.length > 0) {
+    let shouldFix = false;
+    try {
+      const answer = await p9.confirm({
+        message: `Found ${fixable.length} fixable issue(s). Auto-fix?`,
+        initialValue: true
+      });
+      shouldFix = !p9.isCancel(answer) && !!answer;
+    } catch {
+      shouldFix = true;
+    }
+    if (!shouldFix) {
+      p9.outro("Run again after fixing manually.");
+      return;
+    }
+    s.start("Stopping conflicting containers...");
+    await stopExistingSeclaw();
+    s.stop(`${FIX} Cleared conflicting containers`);
+    for (const check of fixable) {
+      s.start(`Fixing: ${check.name}...`);
+      try {
+        const result = await check.fix();
+        s.stop(result ? `${FIX} ${check.name} \u2014 ${result}` : `${FAIL} ${check.name} \u2014 could not fix`);
+      } catch (err) {
+        s.stop(`${FAIL} ${check.name} \u2014 ${err instanceof Error ? err.message : "unknown error"}`);
+      }
+    }
+    p9.outro("Fixes applied! Run doctor again to verify.");
+  } else {
+    const allOk = results.every((r) => r.ok);
+    p9.outro(allOk ? "All checks passed!" : "Some issues need manual intervention.");
+  }
+}
+async function checkDockerHealth() {
+  try {
+    await execa8("docker", ["version"]);
+  } catch {
+    return { name: "Docker installed", ok: false, message: "Docker is not installed" };
+  }
+  try {
+    await execa8("docker", ["info"]);
+    return { name: "Docker", ok: true, message: "Running" };
+  } catch {
+    return { name: "Docker", ok: false, message: "Docker is not running. Open Docker Desktop." };
+  }
+}
+async function getContainerName(projectDir, service) {
+  try {
+    const result = await execa8("docker", [
+      "compose",
+      "ps",
+      service,
+      "--format",
+      "{{.Name}}"
+    ], { cwd: projectDir, env: { ...process.env, COMPOSE_PROJECT_NAME: getProjectName(projectDir) } });
+    const name = result.stdout.trim().split("\n")[0];
+    return name || null;
+  } catch {
+    return null;
+  }
+}
+function getProjectName(projectDir) {
+  const base = projectDir.split("/").pop() || "seclaw";
+  return base.toLowerCase().replace(/[^a-z0-9-]/g, "");
+}
+async function checkContainers(projectDir, _env) {
+  const expected = ["agent", "cloudflared", "desktop-commander"];
+  const results = [];
+  const env = { ..._env, COMPOSE_PROJECT_NAME: getProjectName(projectDir) };
+  for (const svc of expected) {
+    const containerName = await getContainerName(projectDir, svc) || `${getProjectName(projectDir)}-${svc}-1`;
+    try {
+      const statusResult = await execa8("docker", [
+        "inspect",
+        containerName,
+        "--format",
+        "{{.State.Status}}"
+      ]);
+      const status2 = statusResult.stdout.trim();
+      let health = "";
+      if (svc !== "cloudflared") {
+        try {
+          const healthResult = await execa8("docker", [
+            "inspect",
+            containerName,
+            "--format",
+            "{{.State.Health.Status}}"
+          ]);
+          health = healthResult.stdout.trim();
+        } catch {
+        }
+      }
+      if (status2 !== "running") {
+        results.push({
+          name: `Container: ${svc}`,
+          ok: false,
+          message: `Status: ${status2}`,
+          fix: async () => {
+            await execa8("docker", ["compose", "up", "-d", svc], { cwd: projectDir, env });
+            return "Started";
+          }
+        });
+      } else if (health && health !== "healthy" && health !== "") {
+        results.push({
+          name: `Container: ${svc}`,
+          ok: false,
+          message: `Running but ${health}`,
+          fix: async () => {
+            await execa8("docker", ["compose", "restart", svc], { cwd: projectDir, env });
+            return "Restarted";
+          }
+        });
+      } else {
+        results.push({ name: `Container: ${svc}`, ok: true, message: "Running" });
+      }
+    } catch {
+      results.push({
+        name: `Container: ${svc}`,
+        ok: false,
+        message: "Not found",
+        fix: async () => {
+          await execa8("docker", ["compose", "up", "-d", svc], { cwd: projectDir, env });
+          return "Started";
+        }
+      });
+    }
+  }
+  return results;
+}
+async function checkAgentHealth(projectDir, _env) {
+  const env = { ..._env, COMPOSE_PROJECT_NAME: getProjectName(projectDir) };
+  try {
+    const result = await execa8("docker", [
+      "compose",
+      "exec",
+      "agent",
+      "wget",
+      "-q",
+      "-O-",
+      "http://localhost:3000/health"
+    ], { cwd: projectDir, env });
+    if (result.stdout.includes("ok")) {
+      const data = JSON.parse(result.stdout);
+      return {
+        name: "Agent API",
+        ok: true,
+        message: `Healthy \u2014 ${data.tools || 0} tools loaded`
+      };
+    }
+    return { name: "Agent API", ok: false, message: "Unhealthy response" };
+  } catch {
+    return {
+      name: "Agent API",
+      ok: false,
+      message: "Not reachable",
+      fix: async () => {
+        await execa8("docker", ["compose", "restart", "agent"], { cwd: projectDir, env });
+        return "Agent restarted";
+      }
+    };
+  }
+}
+async function checkTunnel(projectDir) {
+  try {
+    const result = await execa8(
+      "docker",
+      ["compose", "logs", "cloudflared", "--no-log-prefix"],
+      { cwd: projectDir, env: { ...process.env, COMPOSE_PROJECT_NAME: getProjectName(projectDir) } }
+    );
+    const combined = result.stdout + "\n" + result.stderr;
+    const match = combined.match(/https:\/\/[a-z0-9-]+\.trycloudflare\.com/);
+    if (!match) {
+      return {
+        name: "Tunnel",
+        ok: false,
+        message: "No URL found in logs",
+        fix: async () => {
+          await clearTunnelCache(projectDir);
+          const env = { ...process.env, COMPOSE_PROJECT_NAME: getProjectName(projectDir) };
+          await execa8("docker", ["compose", "restart", "cloudflared"], { cwd: projectDir, env });
+          const url = await getTunnelUrl(projectDir, 20);
+          return url ? `New tunnel: ${url}` : "Restarted cloudflared";
+        }
+      };
+    }
+    const tunnelUrl = match[0];
+    try {
+      const res = await fetch(`${tunnelUrl}/health`, {
+        signal: AbortSignal.timeout(1e4)
+      });
+      if (res.ok) {
+        return { name: "Tunnel", ok: true, message: tunnelUrl, tunnelUrl };
+      }
+      return {
+        name: "Tunnel",
+        ok: false,
+        message: `URL exists but returns HTTP ${res.status}`,
+        tunnelUrl
+      };
+    } catch {
+      return {
+        name: "Tunnel",
+        ok: false,
+        message: `URL found (${pc9.dim(tunnelUrl)}) but not reachable`,
+        tunnelUrl
+      };
+    }
+  } catch {
+    return { name: "Tunnel", ok: false, message: "Cannot read cloudflared logs" };
+  }
+}
+async function checkTelegram(projectDir, tunnelCheck) {
+  const envPath = resolve11(projectDir, ".env");
+  if (!existsSync9(envPath)) {
+    return { name: "Telegram", ok: false, message: ".env not found" };
+  }
+  let botToken = "";
+  try {
+    const envContent = await readFile8(envPath, "utf-8");
+    const match = envContent.match(/TELEGRAM_BOT_TOKEN=(.+)/);
+    botToken = match?.[1]?.trim() || "";
+  } catch {
+    return { name: "Telegram", ok: false, message: "Cannot read .env" };
+  }
+  if (!botToken || !botToken.includes(":")) {
+    return { name: "Telegram", ok: false, message: "No valid bot token in .env" };
+  }
+  try {
+    const res = await fetch(`https://api.telegram.org/bot${botToken}/getMe`);
+    const data = await res.json();
+    if (!data.ok) {
+      return { name: "Telegram", ok: false, message: "Bot token is invalid" };
+    }
+    const botName = `@${data.result.username}`;
+    const whRes = await fetch(`https://api.telegram.org/bot${botToken}/getWebhookInfo`);
+    const whData = await whRes.json();
+    if (!whData.ok || !whData.result) {
+      return { name: "Telegram", ok: false, message: "Cannot get webhook info" };
+    }
+    const wh = whData.result;
+    const tunnelUrl = tunnelCheck.tunnelUrl || "";
+    if (!wh.url) {
+      return {
+        name: `Telegram (${botName})`,
+        ok: false,
+        message: "Webhook not set",
+        fix: tunnelUrl ? async () => {
+          const ok = await setTelegramWebhook(botToken, tunnelUrl);
+          return ok ? "Webhook set" : "Could not set webhook";
+        } : void 0
+      };
+    }
+    if (tunnelUrl && !wh.url.includes(tunnelUrl.replace("https://", ""))) {
+      return {
+        name: `Telegram (${botName})`,
+        ok: false,
+        message: "Webhook points to old tunnel",
+        fix: async () => {
+          const ok = await setTelegramWebhook(botToken, tunnelUrl);
+          return ok ? "Webhook updated" : "Could not update webhook";
+        }
+      };
+    }
+    if (wh.last_error_message) {
+      const age = wh.last_error_date ? Math.floor((Date.now() / 1e3 - wh.last_error_date) / 60) : 0;
+      return {
+        name: `Telegram (${botName})`,
+        ok: false,
+        message: `Error ${age}m ago: ${wh.last_error_message}`
+      };
+    }
+    return {
+      name: `Telegram (${botName})`,
+      ok: true,
+      message: `Webhook active, ${wh.pending_update_count || 0} pending`
+    };
+  } catch {
+    return { name: "Telegram", ok: false, message: "Cannot reach Telegram API" };
+  }
+}
+async function checkComposio(projectDir) {
+  try {
+    const env = await readFile8(resolve11(projectDir, ".env"), "utf-8");
+    const match = env.match(/COMPOSIO_API_KEY=(\S+)/);
+    if (!match) {
+      return {
+        name: "Composio",
+        ok: false,
+        message: `Not configured \u2014 run ${pc9.cyan("npx seclaw integrations")}`
+      };
+    }
+    return { name: "Composio", ok: true, message: "API key configured" };
+  } catch {
+    return { name: "Composio", ok: false, message: "Cannot read .env" };
+  }
+}
+function formatCheck(check) {
+  const status2 = check.ok ? PASS : FAIL;
+  const fixable = !check.ok && check.fix ? pc9.dim(" (auto-fixable)") : "";
+  return `${status2} ${check.name} \u2014 ${check.message}${fixable}`;
+}
+function showSummary(results) {
+  const passed = results.filter((r) => r.ok).length;
+  const failed = results.filter((r) => !r.ok).length;
+  const fixable = results.filter((r) => !r.ok && r.fix).length;
+  p9.log.message("");
+  p9.log.message(
+    `${pc9.bold("Summary:")} ${pc9.green(`${passed} passed`)}, ${failed > 0 ? pc9.red(`${failed} failed`) : pc9.green("0 failed")}` + (fixable > 0 ? `, ${pc9.cyan(`${fixable} auto-fixable`)}` : "")
+  );
+}
+
+// src/commands/upgrade.ts
+import * as p10 from "@clack/prompts";
+import { execa as execa9 } from "execa";
+import pc10 from "picocolors";
+import { readFile as readFile9 } from "fs/promises";
+import { resolve as resolve12 } from "path";
+async function upgrade() {
+  p10.intro(`${pc10.bgCyan(pc10.black(" seclaw "))} Upgrading...`);
+  const projectDir = findProjectDir();
+  if (!projectDir) {
+    p10.log.warn("No seclaw project found.");
+    p10.log.info(`  Start one with: ${pc10.cyan("npx seclaw my-agent")}`);
+    p10.outro("");
+    return;
+  }
+  const opts = {
+    cwd: projectDir,
+    env: { ...process.env, COMPOSE_PROJECT_NAME: "seclaw" }
+  };
+  const s = p10.spinner();
+  s.start("Pulling latest images...");
+  try {
+    await execa9("docker", ["compose", "pull"], opts);
+    s.stop("Images updated.");
+  } catch {
+    s.stop("Failed to pull images.");
+    p10.log.error("Check your internet connection and try again.");
+    return;
+  }
+  s.start("Restarting services...");
+  try {
+    await execa9("docker", ["compose", "up", "-d", "--build", "--remove-orphans"], opts);
+    s.stop("Services restarted.");
+  } catch {
+    s.stop("Failed to restart.");
+    p10.log.error(`Try manually: cd ${projectDir} && docker compose up -d`);
+    return;
+  }
+  s.start("Reconnecting tunnel...");
+  const tunnelUrl = await getTunnelUrl(projectDir);
+  if (tunnelUrl) {
+    s.stop(`Tunnel ready: ${pc10.cyan(tunnelUrl)}`);
+    try {
+      const env = await readFile9(resolve12(projectDir, ".env"), "utf-8");
+      const tokenMatch = env.match(/TELEGRAM_BOT_TOKEN=(.+)/);
+      if (tokenMatch && tokenMatch[1].includes(":")) {
+        s.start("Updating Telegram webhook...");
+        const ok = await setTelegramWebhook(tokenMatch[1].trim(), tunnelUrl);
+        s.stop(ok ? "Telegram webhook updated!" : "Could not update webhook.");
+      }
+    } catch {
+    }
+  } else {
+    s.stop("Tunnel starting...");
+  }
+  p10.outro("Upgrade complete!");
+}
+
+// src/cli.ts
+program.name("seclaw").description("Secure autonomous AI agents in 60 seconds").version("0.1.0");
+program.command("create", { isDefault: true }).alias("init").description("Set up a new seclaw project").argument("[directory]", "Project directory", ".").action(create);
+program.command("add <template>").description("Add a template to your project").option("--key <license>", "License key for paid templates").action(add);
+program.command("integrations").description("Manage integrations (Gmail, GitHub, Notion...)").action(integrations);
+program.command("templates").alias("list").description("List available templates").action(templates);
+program.command("status").description("Check running services").action(status);
+program.command("stop").description("Stop all services").action(stop);
+program.command("reconnect").description("Reconnect tunnel + Telegram webhook").action(reconnect);
+program.command("doctor").description("Diagnose and fix common issues").action(doctor);
+program.command("upgrade").description("Pull latest images and restart").action(upgrade);
+program.parse();