squad-openclaw 1.0.0 → 2026.2.27

package/dist/index.js

@@ -1,803 +1,714 @@
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
-});
+// src/agents.ts
+import { execSync } from "child_process";
+import path3 from "path";
 
-// src/entities.ts
-import { Type as T } from "@sinclair/typebox";
-import Database from "better-sqlite3";
+// src/paths.ts
 import path from "path";
+import os from "os";
 import fs from "fs";
-var DB_NAME = "squad.db";
-var EMBEDDING_DIMENSIONS = 1536;
-var EMBEDDING_MODEL = "google/gemini-embedding-001";
-var SYNC_INTERVAL_MS = 6e4;
-var EntityType = T.Union([
-  T.Literal("agent"),
-  T.Literal("skill"),
-  T.Literal("tool"),
-  T.Literal("session"),
-  T.Literal("file"),
-  T.Literal("directory"),
-  T.Literal("url"),
-  T.Literal("memory"),
-  T.Literal("asset")
-]);
-var db;
-var vecEnabled = false;
-function getDb(configDir) {
-  if (db) return db;
-  const pluginDir = path.join(configDir, "extensions", "squad-app");
-  const dataDir = path.join(pluginDir, "data");
-  fs.mkdirSync(dataDir, { recursive: true });
-  const dbPath = path.join(dataDir, DB_NAME);
-  db = new Database(dbPath);
-  db.pragma("journal_mode = WAL");
-  db.pragma("foreign_keys = ON");
-  try {
-    const sqliteVec = __require("sqlite-vec");
-    sqliteVec.load(db);
-    vecEnabled = true;
-  } catch {
+function getOpenclawStateDir() {
+  if (process.env.OPENCLAW_STATE_DIR) {
+    return process.env.OPENCLAW_STATE_DIR;
   }
-  runMigrations(db);
-  return db;
-}
-function runMigrations(db2) {
-  db2.exec(`
-    CREATE TABLE IF NOT EXISTS _schema_version (
-      version INTEGER PRIMARY KEY
-    )
-  `);
-  const currentVersion = db2.prepare("SELECT MAX(version) as v FROM _schema_version").get()?.v ?? 0;
-  const migrations = [
-    {
-      version: 1,
-      up: () => {
-        db2.exec(`
-          CREATE TABLE IF NOT EXISTS entities (
-            id          TEXT PRIMARY KEY,
-            type        TEXT NOT NULL,
-            name        TEXT NOT NULL,
-            title       TEXT,
-            description TEXT,
-            metadata    TEXT,
-            source      TEXT NOT NULL DEFAULT 'manual',
-            source_key  TEXT,
-            created_at  INTEGER NOT NULL,
-            updated_at  INTEGER NOT NULL
-          );
-          CREATE INDEX IF NOT EXISTS idx_entities_type ON entities(type);
-          CREATE INDEX IF NOT EXISTS idx_entities_name ON entities(name);
-        `);
+  if (process.env.OPENCLAW_CONFIG_PATH) {
+    return path.dirname(process.env.OPENCLAW_CONFIG_PATH);
+  }
+  const legacyDir = process.env.OPENCLAW_DIR;
+  if (legacyDir) {
+    const resolvedLegacyDir = path.resolve(legacyDir);
+    const configPath = path.join(resolvedLegacyDir, "openclaw.json");
+    const hasStateMarkers = fs.existsSync(configPath) || fs.existsSync(path.join(resolvedLegacyDir, "agents")) || fs.existsSync(path.join(resolvedLegacyDir, "workspace"));
+    const looksLikeStateDir = resolvedLegacyDir.endsWith(`${path.sep}.openclaw`);
+    if (hasStateMarkers || looksLikeStateDir) {
+      return resolvedLegacyDir;
+    }
+  }
+  return path.join(os.homedir(), ".openclaw");
+}
+
+// src/auth-profiles.ts
+import fs2 from "fs";
+import path2 from "path";
+function getMainAuthProfilesPath(stateDir) {
+  return path2.join(stateDir, "agents", "main", "agent", "auth-profiles.json");
+}
+function getAgentAuthProfilesPath(stateDir, agentId) {
+  return path2.join(stateDir, "agents", agentId, "agent", "auth-profiles.json");
+}
+function ensureAgentAuthProfiles(agentId) {
+  const normalizedAgentId = agentId.trim();
+  if (!normalizedAgentId || normalizedAgentId === "main") return false;
+  const stateDir = getOpenclawStateDir();
+  const sourcePath = getMainAuthProfilesPath(stateDir);
+  const targetPath = getAgentAuthProfilesPath(stateDir, normalizedAgentId);
+  if (!fs2.existsSync(sourcePath) || fs2.existsSync(targetPath)) return false;
+  fs2.mkdirSync(path2.dirname(targetPath), { recursive: true });
+  fs2.copyFileSync(sourcePath, targetPath);
+  return true;
+}
+function backfillAgentAuthProfiles() {
+  const stateDir = getOpenclawStateDir();
+  const agentsDir = path2.join(stateDir, "agents");
+  if (!fs2.existsSync(agentsDir)) return [];
+  const copied = [];
+  for (const entry of fs2.readdirSync(agentsDir, { withFileTypes: true })) {
+    if (!entry.isDirectory()) continue;
+    const agentId = entry.name;
+    if (ensureAgentAuthProfiles(agentId)) {
+      copied.push(agentId);
+    }
+  }
+  return copied;
+}
+
+// src/agents.ts
+function deriveAgentIdFromName(name) {
+  const normalized = name.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+  return normalized || "agent";
+}
+function registerAgentMethods(api) {
+  const callGateway = async (ctx, method, params = {}) => {
+    const ctxRequest = ctx.request;
+    if (typeof ctxRequest === "function") return ctxRequest(method, params);
+    const apiRequest = api?.request;
+    if (typeof apiRequest === "function") return apiRequest(method, params);
+    const apiCallGatewayMethod = api?.callGatewayMethod;
+    if (typeof apiCallGatewayMethod === "function") return apiCallGatewayMethod(method, params);
+    throw new Error("Gateway method invocation API unavailable in plugin context");
+  };
+  api.registerGatewayMethod(
+    "squad.agents.add",
+    async ({ params, respond }) => {
+      const name = params?.name;
+      const agentId = params?.agentId;
+      const workspace = params?.workspace;
+      const model = params?.model;
+      if (!name || typeof name !== "string" || !name.trim()) {
+        respond(false, { error: "Missing or empty 'name' parameter" });
+        return;
       }
-    },
-    {
-      version: 3,
-      up: () => {
-        db2.exec(`
-          CREATE VIRTUAL TABLE IF NOT EXISTS search_fts USING fts5(
-            entity_id UNINDEXED,
-            entity_type UNINDEXED,
-            name,
-            title,
-            description,
-            content,
-            tokenize='porter unicode61'
-          );
-        `);
+      const safeName = name.trim();
+      if (!/^[a-zA-Z0-9][a-zA-Z0-9 _-]*$/.test(safeName)) {
+        respond(false, { error: "Agent name must start with a letter/number and contain only letters, numbers, spaces, hyphens, or underscores" });
+        return;
       }
-    },
-    {
-      version: 4,
-      up: () => {
-        if (!vecEnabled) return;
-        db2.exec(`
-          CREATE VIRTUAL TABLE IF NOT EXISTS search_vec USING vec0(
-            entity_id TEXT PRIMARY KEY,
-            embedding float[${EMBEDDING_DIMENSIONS}]
-          );
-        `);
+      const providedAgentId = typeof agentId === "string" ? agentId.trim() : "";
+      if (providedAgentId && !/^[a-z0-9][a-z0-9-]*$/.test(providedAgentId)) {
+        respond(false, { error: "Invalid agentId format" });
+        return;
       }
-    }
-  ];
-  const pending = migrations.filter((m) => m.version > currentVersion);
-  if (pending.length === 0) return;
-  const migrate = db2.transaction(() => {
-    for (const m of pending) {
-      m.up();
-      db2.prepare("INSERT INTO _schema_version (version) VALUES (?)").run(
-        m.version
+      const effectiveAgentId = providedAgentId || deriveAgentIdFromName(safeName);
+      const defaultWorkspace = path3.join(
+        getOpenclawStateDir(),
+        effectiveAgentId === "main" ? "workspace" : `workspace-${effectiveAgentId}`
       );
+      const workspacePath = typeof workspace === "string" && workspace.trim() ? workspace.trim() : defaultWorkspace;
+      try {
+        let cmd = `openclaw agents add ${JSON.stringify(safeName)} --non-interactive --workspace ${JSON.stringify(workspacePath)}`;
+        if (model) {
+          cmd += ` --model ${JSON.stringify(model)}`;
+        }
+        const output = execSync(cmd, {
+          timeout: 3e4,
+          encoding: "utf-8",
+          stdio: ["pipe", "pipe", "pipe"]
+        });
+        try {
+          ensureAgentAuthProfiles(effectiveAgentId);
+        } catch (authErr) {
+          console.warn("[squad.agents.add] failed to copy main auth profile to agent:", authErr);
+        }
+        respond(true, { ok: true, output: output.slice(0, 1e3) });
+      } catch (err2) {
+        const msg = err2 instanceof Error ? err2.message : String(err2);
+        const stderr = err2?.stderr;
+        respond(false, {
+          error: `Failed to add agent: ${stderr || msg}`.slice(0, 500)
+        });
+      }
     }
-  });
-  migrate();
+  );
+  api.registerGatewayMethod(
+    "squad.agents.delete",
+    async ({ params, respond }) => {
+      const agentId = params?.agentId;
+      if (!agentId || typeof agentId !== "string" || !agentId.trim()) {
+        respond(false, { error: "Missing or empty 'agentId' parameter" });
+        return;
+      }
+      if (agentId === "main") {
+        respond(false, { error: "Cannot delete the main agent" });
+        return;
+      }
+      if (!/^[a-z0-9][a-z0-9-]*$/.test(agentId)) {
+        respond(false, { error: "Invalid agent ID format" });
+        return;
+      }
+      try {
+        const output = execSync(
+          `openclaw agents delete ${JSON.stringify(agentId)} --non-interactive 2>&1`,
+          { timeout: 3e4, encoding: "utf-8" }
+        );
+        respond(true, { ok: true, output: output.slice(0, 1e3) });
+      } catch (err2) {
+        const msg = err2 instanceof Error ? err2.message : String(err2);
+        const stderr = err2?.stderr;
+        respond(false, {
+          error: `Failed to delete agent: ${stderr || msg}`.slice(0, 500)
+        });
+      }
+    }
+  );
+  api.registerGatewayMethod(
+    "squad.agents.set-identity",
+    async (ctx) => {
+      const { params, respond } = ctx;
+      const agentId = params?.agentId;
+      const name = params?.name;
+      const emoji = params?.emoji;
+      const theme = params?.theme;
+      if (!agentId || typeof agentId !== "string") {
+        respond(false, { error: "Missing 'agentId' parameter" });
+        return;
+      }
+      const identity = {};
+      const trimmedName = typeof name === "string" ? name.trim() : "";
+      const trimmedEmoji = typeof emoji === "string" ? emoji.trim() : "";
+      const trimmedTheme = typeof theme === "string" ? theme.trim() : "";
+      if (trimmedName) identity.name = trimmedName;
+      if (trimmedEmoji) identity.emoji = trimmedEmoji;
+      if (trimmedTheme) identity.theme = trimmedTheme;
+      if (Object.keys(identity).length === 0) {
+        respond(false, { error: "No identity fields provided (name, emoji, or theme)" });
+        return;
+      }
+      try {
+        const doPatch = async (baseHash) => {
+          await callGateway(ctx, "config.patch", {
+            ...baseHash ? { baseHash } : {},
+            raw: JSON.stringify({
+              agents: {
+                list: [{ id: agentId, identity }]
+              }
+            })
+          });
+        };
+        let snapshot = await callGateway(ctx, "config.get", {});
+        try {
+          await doPatch(snapshot?.hash);
+        } catch (firstErr) {
+          const msg = firstErr instanceof Error ? firstErr.message : String(firstErr);
+          if (!/config changed since last load/i.test(msg)) throw firstErr;
+          snapshot = await callGateway(ctx, "config.get", {});
+          await doPatch(snapshot?.hash);
+        }
+        respond(true, { ok: true, identity });
+      } catch (err2) {
+        const msg = err2 instanceof Error ? err2.message : String(err2);
+        respond(false, {
+          error: `Failed to set identity: ${msg}`.slice(0, 500)
+        });
+      }
+    }
+  );
+  api.registerGatewayMethod(
+    "squad.agents.patch-config",
+    async (ctx) => {
+      const { params, respond } = ctx;
+      const agentId = params?.agentId;
+      const fields = params?.fields ?? {};
+      if (!agentId || typeof agentId !== "string") {
+        respond(false, { error: "Missing 'agentId' parameter" });
+        return;
+      }
+      const allowedFieldNames = /* @__PURE__ */ new Set(["tools", "skills", "default", "model"]);
+      const filteredFields = {};
+      for (const [k, v] of Object.entries(fields)) {
+        if (allowedFieldNames.has(k) && v !== void 0) filteredFields[k] = v;
+      }
+      if (Object.keys(filteredFields).length === 0) {
+        respond(false, { error: "No patchable fields provided (tools, skills, default, model)" });
+        return;
+      }
+      try {
+        const doPatch = async (baseHash) => {
+          await callGateway(ctx, "config.patch", {
+            ...baseHash ? { baseHash } : {},
+            raw: JSON.stringify({
+              agents: {
+                list: [{ id: agentId, ...filteredFields }]
+              }
+            })
+          });
+        };
+        let snapshot = await callGateway(ctx, "config.get", {});
+        try {
+          await doPatch(snapshot?.hash);
+        } catch (firstErr) {
+          const msg = firstErr instanceof Error ? firstErr.message : String(firstErr);
+          if (!/config changed since last load/i.test(msg)) throw firstErr;
+          snapshot = await callGateway(ctx, "config.get", {});
+          await doPatch(snapshot?.hash);
+        }
+        respond(true, { ok: true, fields: filteredFields });
+      } catch (err2) {
+        const msg = err2 instanceof Error ? err2.message : String(err2);
+        respond(false, {
+          error: `Failed to patch agent config: ${msg}`.slice(0, 500)
+        });
+      }
+    }
+  );
 }
-function entityRow(row) {
-  return {
-    ...row,
-    metadata: row.metadata ? JSON.parse(row.metadata) : {}
-  };
+
+// src/entities.ts
+import { Type as T } from "@sinclair/typebox";
+import path7 from "path";
+import fs6 from "fs";
+
+// src/watcher.ts
+import path4 from "path";
+import fs3 from "fs";
+import chokidar from "chokidar";
+var debounceTimers = /* @__PURE__ */ new Map();
+var DEBOUNCE_MS = 500;
+function debounced(key, fn) {
+  const existing = debounceTimers.get(key);
+  if (existing) clearTimeout(existing);
+  debounceTimers.set(
+    key,
+    setTimeout(() => {
+      debounceTimers.delete(key);
+      fn();
+    }, DEBOUNCE_MS)
+  );
 }
-function ftsUpsert(db2, entityId, entityType, name, title, description, content) {
-  ftsDelete(db2, entityId);
-  db2.prepare(
-    `INSERT INTO search_fts (entity_id, entity_type, name, title, description, content)
-     VALUES (?, ?, ?, ?, ?, ?)`
-  ).run(entityId, entityType, name, title ?? "", description ?? "", content);
-}
-function ftsDelete(db2, entityId) {
-  const existing = db2.prepare("SELECT * FROM search_fts WHERE entity_id = ?").get(entityId);
-  if (existing) {
-    db2.prepare(
-      `INSERT INTO search_fts (search_fts, entity_id, entity_type, name, title, description, content)
-       VALUES ('delete', ?, ?, ?, ?, ?, ?)`
-    ).run(
-      existing.entity_id,
-      existing.entity_type,
-      existing.name,
-      existing.title,
-      existing.description,
-      existing.content
-    );
-  }
+var fsDebounceTimers = /* @__PURE__ */ new Map();
+var FS_DEBOUNCE_MS = 300;
+function debouncedFs(relPath, action, fn) {
+  const key = `fs:${action}:${relPath}`;
+  const existing = fsDebounceTimers.get(key);
+  if (existing) clearTimeout(existing);
+  fsDebounceTimers.set(
+    key,
+    setTimeout(() => {
+      fsDebounceTimers.delete(key);
+      fn();
+    }, FS_DEBOUNCE_MS)
+  );
+}
+function isWorkspaceIdentity(filePath, configDir) {
+  const rel = path4.relative(configDir, filePath);
+  const match = rel.match(/^(workspace(?:-([^/]+))?)\/IDENTITY\.md$/);
+  if (!match) return null;
+  const dirName = match[1];
+  const agentId = match[2] ?? "main";
+  return { agentId, workspacePath: path4.join(configDir, dirName) };
+}
+function isWorkspaceAgentJson(filePath, configDir) {
+  const rel = path4.relative(configDir, filePath);
+  const match = rel.match(/^(workspace(?:-([^/]+))?)\/agent\.json$/);
+  if (!match) return null;
+  const dirName = match[1];
+  const agentId = match[2] ?? "main";
+  return { agentId, workspacePath: path4.join(configDir, dirName) };
+}
+function isGlobalSkillDir(filePath, configDir) {
+  const rel = path4.relative(configDir, filePath);
+  const match = rel.match(/^skills\/([^/]+)\/?$/);
+  if (!match) return null;
+  return { skillKey: match[1] };
 }
-function ftsSearch(db2, query, entityType, limit = 20) {
-  const safeQuery = query.replace(/[*"(){}[\]^~\\:]/g, " ").trim().split(/\s+/).filter(Boolean).map((term) => `"${term}"*`).join(" OR ");
-  if (!safeQuery) return [];
-  let sql = `
-    SELECT e.*, search_fts.rank
-    FROM search_fts
-    JOIN entities e ON e.id = search_fts.entity_id
-    WHERE search_fts MATCH ?
-  `;
-  const params = [safeQuery];
-  if (entityType) {
-    sql += ` AND search_fts.entity_type = ?`;
-    params.push(entityType);
-  }
-  sql += ` ORDER BY search_fts.rank LIMIT ?`;
-  params.push(limit);
-  return db2.prepare(sql).all(...params).map(entityRow);
-}
-function vecUpsert(db2, entityId, embedding) {
-  if (!vecEnabled) return;
-  db2.prepare("DELETE FROM search_vec WHERE entity_id = ?").run(entityId);
-  const buffer = embedding instanceof Float32Array ? Buffer.from(embedding.buffer) : Buffer.from(new Float32Array(embedding).buffer);
-  db2.prepare("INSERT INTO search_vec (entity_id, embedding) VALUES (?, ?)").run(
-    entityId,
-    buffer
+function isWorkspaceSkillDir(filePath, configDir) {
+  const rel = path4.relative(configDir, filePath);
+  const match = rel.match(
+    /^workspace(?:-([^/]+))?\/skills\/([^/]+)\/?$/
   );
+  if (!match) return null;
+  return { agentId: match[1] ?? "main", skillKey: match[2] };
 }
-function vecSearch(db2, embedding, limit = 20) {
-  if (!vecEnabled) return [];
-  const buffer = embedding instanceof Float32Array ? Buffer.from(embedding.buffer) : Buffer.from(new Float32Array(embedding).buffer);
-  const rows = db2.prepare(
-    `SELECT entity_id, distance
-       FROM search_vec
-       WHERE embedding MATCH ?
-       ORDER BY distance
-       LIMIT ?`
-  ).all(buffer, limit);
-  if (rows.length === 0) return [];
-  const ids = rows.map((r) => r.entity_id);
-  const placeholders = ids.map(() => "?").join(",");
-  const entities = db2.prepare(`SELECT * FROM entities WHERE id IN (${placeholders})`).all(...ids).map(entityRow);
-  const entityMap = new Map(entities.map((e) => [e.id, e]));
-  return rows.map((r) => {
-    const entity = entityMap.get(r.entity_id);
-    if (!entity) return null;
-    return { ...entity, _distance: r.distance };
-  }).filter(Boolean);
-}
-async function generateEmbedding(text, configDir) {
-  const config = readEmbeddingsConfig(configDir);
-  if (!config) return null;
-  const response = await fetch(`${config.apiUrl}/embeddings`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      Authorization: `Bearer ${config.apiKey}`
-    },
-    body: JSON.stringify({
-      model: config.model,
-      input: text,
-      dimensions: config.dimensions
-    })
-  });
-  if (!response.ok) {
-    const err2 = await response.text();
-    throw new Error(`Embedding API error (${response.status}): ${err2}`);
-  }
-  const data = await response.json();
-  return new Float32Array(data.data[0].embedding);
+function isPluginManifest(filePath, configDir) {
+  const rel = path4.relative(configDir, filePath);
+  const match = rel.match(/^extensions\/([^/]+)\/openclaw\.plugin\.json$/);
+  if (!match) return null;
+  return { pluginDirName: match[1] };
+}
+function isOpenClawConfig(filePath, configDir) {
+  return path4.relative(configDir, filePath) === "openclaw.json";
 }
-function readEmbeddingsConfig(configDir) {
+function updateAgent(agentId, workspacePath) {
+  const now = Date.now();
+  let name = agentId;
+  const metadata = { workspacePath };
   try {
-    const raw = fs.readFileSync(
-      path.join(configDir, "openclaw.json"),
+    const content = fs3.readFileSync(
+      path4.join(workspacePath, "IDENTITY.md"),
       "utf-8"
     );
-    const config = JSON.parse(raw);
-    const emb = config.embeddings;
-    if (!emb?.apiUrl || !emb?.apiKey) return null;
-    return {
-      apiUrl: emb.apiUrl,
-      apiKey: emb.apiKey,
-      model: emb.model ?? EMBEDDING_MODEL,
-      dimensions: emb.dimensions ?? EMBEDDING_DIMENSIONS
-    };
+    const parsed = parseIdentityName(content);
+    if (parsed) name = parsed;
   } catch {
-    return null;
   }
+  if (name === agentId) {
+    try {
+      const raw = fs3.readFileSync(
+        path4.join(workspacePath, "agent.json"),
+        "utf-8"
+      );
+      const config = JSON.parse(raw);
+      if (config.displayName) name = config.displayName;
+      if (config.model) metadata.model = config.model;
+    } catch {
+    }
+  }
+  registrySet({
+    id: agentId,
+    type: "agent",
+    name,
+    title: name,
+    description: null,
+    metadata,
+    source: "filesystem",
+    source_key: workspacePath,
+    created_at: now,
+    updated_at: now
+  });
 }
-function buildEmbeddingText(entity) {
-  const parts = [entity.type + ":", entity.name];
-  if (entity.title) parts.push(entity.title);
-  if (entity.description) parts.push(entity.description);
-  return parts.join(" ");
-}
-function syncEntitiesFromFilesystem(db2, configDir) {
-  let synced = 0;
-  let removed = 0;
+function updatePlugin(pluginDirName, configDir) {
   const now = Date.now();
-  const upsert = db2.prepare(`
-    INSERT INTO entities (id, type, name, title, description, metadata, source, source_key, created_at, updated_at)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-    ON CONFLICT(id) DO UPDATE SET
-      name = excluded.name,
-      title = excluded.title,
-      description = excluded.description,
-      metadata = excluded.metadata,
-      updated_at = excluded.updated_at
-  `);
-  const agentsDir = path.join(configDir, "agents");
-  const seenAgentIds = /* @__PURE__ */ new Set();
-  if (fs.existsSync(agentsDir)) {
-    const entries = fs.readdirSync(agentsDir, { withFileTypes: true });
-    for (const entry of entries) {
-      if (!entry.isDirectory()) continue;
-      const agentId = entry.name;
-      seenAgentIds.add(agentId);
-      let name = agentId;
-      let description = "";
-      const metadata = {};
-      const soulPath = path.join(agentsDir, agentId, "SOUL.md");
-      if (fs.existsSync(soulPath)) {
-        try {
-          const content = fs.readFileSync(soulPath, "utf-8");
-          const firstLine = content.split("\n")[0]?.replace(/^#\s*/, "").trim();
-          if (firstLine) name = firstLine;
-          description = content.slice(0, 500);
-          metadata.soul_content = content;
-        } catch {
-        }
-      }
-      upsert.run(
-        agentId,
-        "agent",
-        name,
-        name,
-        description,
-        JSON.stringify(metadata),
-        "filesystem",
-        soulPath,
-        now,
-        now
+  const manifestPath = path4.join(
+    configDir,
+    "extensions",
+    pluginDirName,
+    "openclaw.plugin.json"
+  );
+  try {
+    const raw = fs3.readFileSync(manifestPath, "utf-8");
+    const manifest = JSON.parse(raw);
+    const pluginId = manifest.id || pluginDirName;
+    const name = manifest.name || pluginId;
+    registrySet({
+      id: `plugin:${pluginId}`,
+      type: "plugin",
+      name,
+      title: name,
+      description: manifest.description || null,
+      metadata: { pluginId, pluginDir: path4.dirname(manifestPath) },
+      source: "filesystem",
+      source_key: manifestPath,
+      created_at: now,
+      updated_at: now
+    });
+  } catch {
+    registryDelete(`plugin:${pluginDirName}`);
+  }
+}
+function startWatcher(configDir, onFsChange) {
+  const watcher = chokidar.watch(configDir, {
+    persistent: true,
+    usePolling: false,
+    ignoreInitial: true,
+    awaitWriteFinish: { stabilityThreshold: 300 },
+    depth: 4,
+    ignored: [
+      // Ignore heavy directories that aren't relevant
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/.git/**",
+      "**/data/**"
+    ]
+  });
+  const emitFsChange = (action, filePath) => {
+    if (!onFsChange) return;
+    const rel = path4.relative(configDir, filePath);
+    debouncedFs(rel, action, () => {
+      onFsChange({ action, path: rel });
+    });
+  };
+  const handleChange = (filePath, action) => {
+    emitFsChange(action, filePath);
+    const identity = isWorkspaceIdentity(filePath, configDir);
+    if (identity) {
+      debounced(
+        `agent:${identity.agentId}`,
+        () => updateAgent(identity.agentId, identity.workspacePath)
       );
-      ftsUpsert(db2, agentId, "agent", name, name, description, "");
-      synced++;
+      return;
     }
-  }
-  const staleAgents = db2.prepare(
-    "SELECT id FROM entities WHERE type = 'agent' AND source = 'filesystem' AND id NOT IN (" + Array.from(seenAgentIds).map(() => "?").join(",") + ")"
-  ).all(...Array.from(seenAgentIds));
-  if (seenAgentIds.size > 0) {
-    for (const stale of staleAgents) {
-      db2.prepare("DELETE FROM entities WHERE id = ?").run(stale.id);
-      ftsDelete(db2, stale.id);
-      removed++;
+    const agentJson = isWorkspaceAgentJson(filePath, configDir);
+    if (agentJson) {
+      debounced(
+        `agent:${agentJson.agentId}`,
+        () => updateAgent(agentJson.agentId, agentJson.workspacePath)
+      );
+      return;
     }
-  }
-  try {
-    const raw = fs.readFileSync(
-      path.join(configDir, "openclaw.json"),
-      "utf-8"
-    );
-    const config = JSON.parse(raw);
-    const allowedTools = config?.tools?.allow ?? [];
-    for (const toolName of allowedTools) {
-      const toolId = `tool:${toolName}`;
-      upsert.run(
-        toolId,
-        "tool",
-        toolName,
-        toolName,
-        null,
-        JSON.stringify({ tool_name: toolName }),
-        "filesystem",
-        "openclaw.json:tools.allow",
-        now,
-        now
+    const plugin = isPluginManifest(filePath, configDir);
+    if (plugin) {
+      debounced(
+        `plugin:${plugin.pluginDirName}`,
+        () => updatePlugin(plugin.pluginDirName, configDir)
       );
-      ftsUpsert(db2, toolId, "tool", toolName, toolName, "", "");
-      synced++;
+      return;
+    }
+    if (isOpenClawConfig(filePath, configDir)) {
+      debounced("tools", () => scanTools(configDir));
+      return;
+    }
+  };
+  const handleAddDir = (dirPath) => {
+    emitFsChange("addDir", dirPath);
+    const globalSkill = isGlobalSkillDir(dirPath, configDir);
+    if (globalSkill) {
+      debounced(
+        `skill:${globalSkill.skillKey}`,
+        () => scanSkills(configDir)
+      );
+      return;
+    }
+    const wsSkill = isWorkspaceSkillDir(dirPath, configDir);
+    if (wsSkill) {
+      debounced(
+        `skill:${wsSkill.agentId}:${wsSkill.skillKey}`,
+        () => scanSkills(configDir)
+      );
+      return;
+    }
+    const rel = path4.relative(configDir, dirPath);
+    if (/^workspace(-[^/]+)?$/.test(rel)) {
+      debounced("agents", () => scanAgents(configDir));
+      return;
+    }
+  };
+  const handleUnlinkDir = (dirPath) => {
+    emitFsChange("unlinkDir", dirPath);
+    const rel = path4.relative(configDir, dirPath);
+    const wsMatch = rel.match(/^workspace(?:-([^/]+))?$/);
+    if (wsMatch) {
+      const agentId = wsMatch[1] ?? "main";
+      registryDelete(agentId);
+      return;
+    }
+    const globalSkill = isGlobalSkillDir(dirPath, configDir);
+    if (globalSkill) {
+      registryDelete(`skill:${globalSkill.skillKey}`);
+      return;
+    }
+    const wsSkill = isWorkspaceSkillDir(dirPath, configDir);
+    if (wsSkill) {
+      registryDelete(`skill:${wsSkill.agentId}:${wsSkill.skillKey}`);
+      return;
+    }
+  };
+  watcher.on("add", (fp) => handleChange(fp, "add"));
+  watcher.on("change", (fp) => handleChange(fp, "change"));
+  watcher.on("unlink", (fp) => handleChange(fp, "unlink"));
+  watcher.on("addDir", handleAddDir);
+  watcher.on("unlinkDir", handleUnlinkDir);
+  return () => {
+    for (const timer of debounceTimers.values()) {
+      clearTimeout(timer);
+    }
+    debounceTimers.clear();
+    for (const timer of fsDebounceTimers.values()) {
+      clearTimeout(timer);
     }
+    fsDebounceTimers.clear();
+    watcher.close();
+  };
+}
+
+// src/filesystem.ts
+import fs5 from "fs";
+import path6 from "path";
+
+// src/layout.ts
+import fs4 from "fs";
+import path5 from "path";
+function resolveMaybeRelativePath(stateDir, p) {
+  if (path5.isAbsolute(p)) return path5.resolve(p);
+  return path5.resolve(stateDir, p);
+}
+function listWorkspaceFallbacks(stateDir) {
+  let entries;
+  try {
+    entries = fs4.readdirSync(stateDir, { withFileTypes: true });
   } catch {
+    return [];
   }
-  const seedPath = path.join(
-    configDir,
-    "extensions",
-    "squad-app",
-    "data",
-    "search-seed.json"
-  );
+  return entries.filter((entry) => entry.isDirectory() && (entry.name === "workspace" || entry.name.startsWith("workspace-"))).map((entry) => {
+    const agentId = entry.name === "workspace" ? "main" : entry.name.replace("workspace-", "");
+    const workspacePath = path5.join(stateDir, entry.name);
+    return {
+      agentId,
+      path: workspacePath,
+      source: "filesystem",
+      exists: true
+    };
+  });
+}
+function readOpenclawConfig(configPath) {
   try {
-    if (fs.existsSync(seedPath)) {
-      const seedRaw = fs.readFileSync(seedPath, "utf-8");
-      const seedEntities = JSON.parse(seedRaw);
-      for (const entity of seedEntities) {
-        upsert.run(
-          entity.id,
-          entity.type,
-          entity.name,
-          entity.title,
-          entity.description,
-          JSON.stringify(entity.metadata ?? {}),
-          entity.source ?? "gateway",
-          entity.sourceKey ?? null,
-          now,
-          now
-        );
-        ftsUpsert(
-          db2,
-          entity.id,
-          entity.type,
-          entity.name,
-          entity.title,
-          entity.description,
-          ""
-        );
-        synced++;
-      }
-    }
+    const raw = fs4.readFileSync(configPath, "utf-8");
+    return JSON.parse(raw);
   } catch {
+    return null;
   }
-  return { synced, removed };
 }
-function hybridSearch(db2, ftsResults, vecResults, limit) {
-  const k = 60;
-  const scores = /* @__PURE__ */ new Map();
-  for (let i = 0; i < ftsResults.length; i++) {
-    const entity = ftsResults[i];
-    const rrf = 1 / (k + i + 1);
-    const existing = scores.get(entity.id);
-    if (existing) {
-      existing.score += rrf;
-    } else {
-      scores.set(entity.id, { score: rrf, entity });
+function resolveGatewayLayout() {
+  const stateDir = getOpenclawStateDir();
+  const configPath = path5.join(stateDir, "openclaw.json");
+  const config = readOpenclawConfig(configPath);
+  const workspaces = [];
+  if (config?.agents?.main?.workspace || config?.agents?.main?.workspacePath) {
+    const rawPath = config.agents.main.workspace ?? config.agents.main.workspacePath;
+    if (rawPath) {
+      const resolvedPath = resolveMaybeRelativePath(stateDir, rawPath);
+      workspaces.push({
+        agentId: "main",
+        path: resolvedPath,
+        source: "config",
+        exists: fs4.existsSync(resolvedPath)
+      });
     }
   }
-  for (let i = 0; i < vecResults.length; i++) {
-    const entity = vecResults[i];
-    const rrf = 1 / (k + i + 1);
-    const existing = scores.get(entity.id);
-    if (existing) {
-      existing.score += rrf;
-    } else {
-      scores.set(entity.id, { score: rrf, entity });
+  for (const agent of config?.agents?.list ?? []) {
+    const agentId = typeof agent.id === "string" && agent.id.trim() ? agent.id : null;
+    const rawPath = agent.workspace ?? agent.workspacePath;
+    if (!agentId || !rawPath) continue;
+    const resolvedPath = resolveMaybeRelativePath(stateDir, rawPath);
+    workspaces.push({
+      agentId,
+      path: resolvedPath,
+      source: "config",
+      exists: fs4.existsSync(resolvedPath)
+    });
+  }
+  const deduped = /* @__PURE__ */ new Map();
+  for (const ws of [...workspaces, ...listWorkspaceFallbacks(stateDir)]) {
+    if (!deduped.has(ws.agentId)) {
+      deduped.set(ws.agentId, ws);
     }
   }
-  return Array.from(scores.values()).sort((a, b) => b.score - a.score).slice(0, limit).map((s) => ({ ...s.entity, _rrf_score: s.score }));
+  const resolvedWorkspaces = Array.from(deduped.values());
+  const defaultFileBrowserRoot = stateDir;
+  return {
+    stateDir,
+    configPath,
+    mediaDir: path5.join(stateDir, "media"),
+    skillsDir: path5.join(stateDir, "skills"),
+    extensionsDir: path5.join(stateDir, "extensions"),
+    defaultFileBrowserRoot,
+    workspaces: resolvedWorkspaces
+  };
 }
-function registerEntityTools(api) {
-  let syncTimer = null;
-  api.registerTool({
-    name: "entity_upsert",
-    description: "Register or update an entity in the unified entity registry. Makes the entity searchable and resolvable via {{type:id}} references.",
-    parameters: T.Object({
-      id: T.String({ description: "Unique entity ID" }),
-      type: EntityType,
-      name: T.String({ description: "Primary display name" }),
-      title: T.Optional(T.String({ description: "Longer title" })),
-      description: T.Optional(T.String({ description: "Description text" })),
-      metadata: T.Optional(
-        T.Any({ description: "JSON object with type-specific data" })
-      ),
-      source: T.Optional(
-        T.String({
-          description: "Origin: gateway, filesystem, plugin, manual"
-        })
-      ),
-      sourceKey: T.Optional(
-        T.String({ description: "Source-specific identifier" })
-      ),
-      content: T.Optional(
-        T.String({
-          description: "Additional searchable text content (e.g., file contents, memory text)"
-        })
-      )
-    }),
-    async execute(_id, params, _ctx) {
-      const configDir2 = _ctx?.configDir ?? process.env.HOME + "/.openclaw";
-      const database = getDb(configDir2);
-      const now = Date.now();
-      const existing = database.prepare("SELECT created_at FROM entities WHERE id = ?").get(params.id);
-      const createdAt = existing?.created_at ?? now;
-      database.prepare(
-        `INSERT INTO entities (id, type, name, title, description, metadata, source, source_key, created_at, updated_at)
-           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-           ON CONFLICT(id) DO UPDATE SET
-             type = excluded.type,
-             name = excluded.name,
-             title = excluded.title,
-             description = excluded.description,
-             metadata = excluded.metadata,
-             source = excluded.source,
-             source_key = excluded.source_key,
-             updated_at = excluded.updated_at`
-      ).run(
-        params.id,
-        params.type,
-        params.name,
-        params.title ?? null,
-        params.description ?? null,
-        params.metadata ? JSON.stringify(params.metadata) : null,
-        params.source ?? "manual",
-        params.sourceKey ?? null,
-        createdAt,
-        now
-      );
-      ftsUpsert(
-        database,
-        params.id,
-        params.type,
-        params.name,
-        params.title ?? null,
-        params.description ?? null,
-        params.content ?? ""
-      );
-      const entity = database.prepare("SELECT * FROM entities WHERE id = ?").get(params.id);
-      return {
-        content: [{ type: "text", text: JSON.stringify(entityRow(entity)) }]
-      };
+
+// src/filesystem.ts
+var HOME_DIR = process.env.HOME ?? "/root";
+var OPENCLAW_DIR = getOpenclawStateDir();
+var SENSITIVE_BLOCKED_DIRS = [
+  path6.join(OPENCLAW_DIR, "credentials"),
+  path6.join(OPENCLAW_DIR, "devices"),
+  path6.join(OPENCLAW_DIR, "identity")
+];
+var SENSITIVE_BLOCKED_FILES = [
+  path6.join(OPENCLAW_DIR, "squad-ceo-data", "relay", "squad-relay.json")
+];
+function isSensitivePath(resolvedPath) {
+  for (const blocked of SENSITIVE_BLOCKED_DIRS) {
+    if (resolvedPath === blocked || resolvedPath.startsWith(blocked + path6.sep)) {
+      return true;
     }
-  });
-  api.registerTool({
-    name: "entity_get",
-    description: "Get a single entity by ID with full details. Used for reference resolution.",
-    parameters: T.Object({
-      entityId: T.String({ description: "The entity ID to retrieve" })
-    }),
-    async execute(_id, params, _ctx) {
-      const configDir2 = _ctx?.configDir ?? process.env.HOME + "/.openclaw";
-      const database = getDb(configDir2);
-      const entity = database.prepare("SELECT * FROM entities WHERE id = ?").get(params.entityId);
-      if (!entity) {
-        return {
-          content: [
-            {
-              type: "text",
-              text: JSON.stringify({ error: "Entity not found" })
-            }
-          ],
-          isError: true
-        };
+  }
+  for (const blocked of SENSITIVE_BLOCKED_FILES) {
+    if (resolvedPath === blocked) {
+      return true;
+    }
+  }
+  if (path6.dirname(resolvedPath) === OPENCLAW_DIR && resolvedPath.endsWith(".bak")) {
+    return true;
+  }
+  return false;
+}
+var OPENCLAW_JSON_FILENAME = "openclaw.json";
+function redactOpenclawJson(rawContent) {
+  let config;
+  try {
+    config = JSON.parse(rawContent);
+  } catch {
+    return rawContent;
+  }
+  let redactedCount = 0;
+  const channels = config.channels;
+  if (channels && typeof channels === "object") {
+    for (const channelKey of Object.keys(channels)) {
+      const channel = channels[channelKey];
+      if (channel && typeof channel === "object" && "botToken" in channel) {
+        channel.botToken = "[REDACTED]";
+        redactedCount++;
       }
-      return {
-        content: [{ type: "text", text: JSON.stringify(entityRow(entity)) }]
-      };
     }
-  });
-  api.registerTool({
-    name: "entity_list",
-    description: "List entities with optional type and source filters.",
-    parameters: T.Object({
-      type: T.Optional(EntityType),
-      source: T.Optional(T.String({ description: "Filter by source" })),
-      limit: T.Optional(
-        T.Number({ description: "Max results (default 100)" })
-      )
-    }),
-    async execute(_id, params, _ctx) {
-      const configDir2 = _ctx?.configDir ?? process.env.HOME + "/.openclaw";
-      const database = getDb(configDir2);
-      const conditions = [];
-      const values = [];
-      if (params.type) {
-        conditions.push("type = ?");
-        values.push(params.type);
-      }
-      if (params.source) {
-        conditions.push("source = ?");
-        values.push(params.source);
-      }
-      const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
-      const limit = params.limit ?? 100;
-      const entities = database.prepare(
-        `SELECT * FROM entities ${where} ORDER BY updated_at DESC LIMIT ?`
-      ).all(...values, limit);
-      return {
-        content: [
-          { type: "text", text: JSON.stringify(entities.map(entityRow)) }
-        ]
-      };
+  }
+  const gateway = config.gateway;
+  if (gateway && typeof gateway === "object") {
+    if (gateway.auth && typeof gateway.auth === "object") {
+      const auth = gateway.auth;
+      for (const key of Object.keys(auth)) {
+        auth[key] = "[REDACTED]";
+        redactedCount++;
+      }
+    }
+    if ("token" in gateway) {
+      gateway.token = "[REDACTED]";
+      redactedCount++;
     }
+    const remote = gateway.remote;
+    if (remote && typeof remote === "object" && "token" in remote) {
+      remote.token = "[REDACTED]";
+      redactedCount++;
+    }
+  }
+  if (redactedCount > 0) {
+    console.log(`[security] Redacted ${redactedCount} sensitive field(s) from openclaw.json before returning to client`);
+  }
+  return JSON.stringify(config, null, 2);
+}
+function isOpenclawJson(resolvedPath) {
+  return path6.basename(resolvedPath) === OPENCLAW_JSON_FILENAME && resolvedPath.startsWith(OPENCLAW_DIR);
+}
+function expandHome(p) {
+  if (p.startsWith("~/") || p === "~") {
+    return path6.join(HOME_DIR, p.slice(1));
+  }
+  return p;
+}
+function validatePath(p, allowedRoots) {
+  const resolved = path6.resolve(expandHome(p));
+  if (!allowedRoots || allowedRoots.length === 0) return resolved;
+  const allowed = allowedRoots.some((root) => {
+    const resolvedRoot = path6.resolve(expandHome(root));
+    return resolved === resolvedRoot || resolved.startsWith(resolvedRoot + path6.sep);
   });
-  api.registerTool({
-    name: "entity_delete",
-    description: "Delete an entity from the registry by ID. Also removes FTS and vector data.",
-    parameters: T.Object({
-      entityId: T.String({ description: "The entity ID to delete" })
-    }),
-    async execute(_id, params, _ctx) {
-      const configDir2 = _ctx?.configDir ?? process.env.HOME + "/.openclaw";
-      const database = getDb(configDir2);
-      const del = database.transaction(() => {
-        const result2 = database.prepare("DELETE FROM entities WHERE id = ?").run(params.entityId);
-        ftsDelete(database, params.entityId);
-        if (vecEnabled) {
-          database.prepare("DELETE FROM search_vec WHERE entity_id = ?").run(params.entityId);
-        }
-        return result2;
-      });
-      const result = del();
-      if (result.changes === 0) {
-        return {
-          content: [
-            {
-              type: "text",
-              text: JSON.stringify({ error: "Entity not found" })
-            }
-          ],
-          isError: true
-        };
-      }
-      return {
-        content: [
-          {
-            type: "text",
-            text: JSON.stringify({ deleted: params.entityId })
-          }
-        ]
-      };
-    }
-  });
-  api.registerTool({
-    name: "entity_search",
-    description: "Search entities using full-text search, vector search, or hybrid. Returns ranked results.",
-    parameters: T.Object({
-      query: T.String({ description: "Search query text" }),
-      type: T.Optional(
-        T.String({ description: "Filter results by entity type" })
-      ),
-      mode: T.Optional(
-        T.Union(
-          [T.Literal("fts"), T.Literal("vector"), T.Literal("hybrid")],
-          {
-            description: "Search mode: fts (full-text, default), vector (semantic), hybrid (both merged via RRF)"
-          }
-        )
-      ),
-      limit: T.Optional(
-        T.Number({ description: "Max results (default 20)" })
-      )
-    }),
-    async execute(_id, params, _ctx) {
-      const configDir2 = _ctx?.configDir ?? process.env.HOME + "/.openclaw";
-      const database = getDb(configDir2);
-      const mode = params.mode ?? "fts";
-      const limit = params.limit ?? 20;
-      let results;
-      if (mode === "fts") {
-        results = ftsSearch(database, params.query, params.type, limit);
-      } else if (mode === "vector") {
-        if (!vecEnabled) {
-          return {
-            content: [
-              {
-                type: "text",
-                text: JSON.stringify({
-                  error: "Vector search unavailable \u2014 sqlite-vec extension not loaded"
-                })
-              }
-            ],
-            isError: true
-          };
-        }
-        const embedding = await generateEmbedding(params.query, configDir2);
-        if (!embedding) {
-          return {
-            content: [
-              {
-                type: "text",
-                text: JSON.stringify({
-                  error: "Embedding generation failed \u2014 check embeddings config in openclaw.json"
-                })
-              }
-            ],
-            isError: true
-          };
-        }
-        results = vecSearch(database, embedding, limit);
-        if (params.type) {
-          results = results.filter((r) => r.type === params.type);
-        }
-      } else {
-        const ftsResults = ftsSearch(
-          database,
-          params.query,
-          params.type,
-          limit
-        );
-        let vecResults = [];
-        if (vecEnabled) {
-          const embedding = await generateEmbedding(params.query, configDir2);
-          if (embedding) {
-            vecResults = vecSearch(database, embedding, limit);
-            if (params.type) {
-              vecResults = vecResults.filter(
-                (r) => r.type === params.type
-              );
-            }
-          }
-        }
-        results = hybridSearch(database, ftsResults, vecResults, limit);
-      }
-      return {
-        content: [{ type: "text", text: JSON.stringify(results) }]
-      };
-    }
-  });
-  api.registerTool({
-    name: "entity_batch_resolve",
-    description: "Resolve multiple entity IDs in a single call. Returns a map of ID to entity data. Missing entities are omitted.",
-    parameters: T.Object({
-      entityIds: T.Array(T.String(), {
-        description: "Array of entity IDs to resolve"
-      })
-    }),
-    async execute(_id, params, _ctx) {
-      const configDir2 = _ctx?.configDir ?? process.env.HOME + "/.openclaw";
-      const database = getDb(configDir2);
-      if (!params.entityIds || params.entityIds.length === 0) {
-        return {
-          content: [{ type: "text", text: JSON.stringify({}) }]
-        };
-      }
-      const placeholders = params.entityIds.map(() => "?").join(",");
-      const entities = database.prepare(`SELECT * FROM entities WHERE id IN (${placeholders})`).all(...params.entityIds);
-      const result = {};
-      for (const entity of entities) {
-        const parsed = entityRow(entity);
-        result[parsed.id] = parsed;
-      }
-      return {
-        content: [{ type: "text", text: JSON.stringify(result) }]
-      };
-    }
-  });
-  api.registerTool({
-    name: "entity_embed",
-    description: "Generate and store a vector embedding for an entity using OpenRouter (google/gemini-embedding-001). Requires embeddings config in openclaw.json.",
-    parameters: T.Object({
-      entityId: T.String({
-        description: "The entity ID to generate an embedding for"
-      })
-    }),
-    async execute(_id, params, _ctx) {
-      const configDir2 = _ctx?.configDir ?? process.env.HOME + "/.openclaw";
-      const database = getDb(configDir2);
-      if (!vecEnabled) {
-        return {
-          content: [
-            {
-              type: "text",
-              text: JSON.stringify({
-                error: "Vector search unavailable \u2014 sqlite-vec extension not loaded"
-              })
-            }
-          ],
-          isError: true
-        };
-      }
-      const entity = database.prepare("SELECT * FROM entities WHERE id = ?").get(params.entityId);
-      if (!entity) {
-        return {
-          content: [
-            {
-              type: "text",
-              text: JSON.stringify({ error: "Entity not found" })
-            }
-          ],
-          isError: true
-        };
-      }
-      const text = buildEmbeddingText(entity);
-      const embedding = await generateEmbedding(text, configDir2);
-      if (!embedding) {
-        return {
-          content: [
-            {
-              type: "text",
-              text: JSON.stringify({
-                error: "Embedding generation failed \u2014 check embeddings config in openclaw.json"
-              })
-            }
-          ],
-          isError: true
-        };
-      }
-      vecUpsert(database, params.entityId, embedding);
-      return {
-        content: [
-          {
-            type: "text",
-            text: JSON.stringify({
-              entityId: params.entityId,
-              dimensions: embedding.length,
-              embedded: true
-            })
-          }
-        ]
-      };
-    }
-  });
-  api.registerTool({
-    name: "entity_sync",
-    description: "Reconcile the entity registry with data on the filesystem (agents, tools from openclaw.json). Call this after configuration changes to ensure the registry is up to date.",
-    parameters: T.Object({
-      sources: T.Optional(
-        T.Array(T.String(), {
-          description: "Which sources to sync: 'agents', 'tools'. Default: all."
-        })
-      )
-    }),
-    async execute(_id, _params, _ctx) {
-      const configDir2 = _ctx?.configDir ?? process.env.HOME + "/.openclaw";
-      const database = getDb(configDir2);
-      const result = syncEntitiesFromFilesystem(database, configDir2);
-      return {
-        content: [{ type: "text", text: JSON.stringify(result) }]
-      };
-    }
-  });
-  const configDir = process.env.HOME + "/.openclaw";
-  try {
-    const database = getDb(configDir);
-    syncEntitiesFromFilesystem(database, configDir);
-  } catch {
+  if (!allowed) {
+    throw new Error(`Path "${p}" is outside allowed roots`);
   }
-  syncTimer = setInterval(() => {
-    try {
-      if (db) {
-        syncEntitiesFromFilesystem(db, configDir);
-      }
-    } catch {
-    }
-  }, SYNC_INTERVAL_MS);
+  return resolved;
 }
-
-// src/filesystem.ts
-import fs2 from "fs";
-import path2 from "path";
-function expandHome(p) {
-  if (p.startsWith("~/") || p === "~") {
-    return path2.join(process.env.HOME ?? "/root", p.slice(1));
+function validateAndBlockSensitive(p, allowedRoots) {
+  const resolved = validatePath(p, allowedRoots);
+  if (isSensitivePath(resolved)) {
+    throw new Error(
+      `Access denied: path "${p}" is inside a protected directory (credentials/devices/identity)`
+    );
   }
-  return p;
+  return resolved;
 }
-function validatePath(p, allowedRoots) {
-  const resolved = path2.resolve(expandHome(p));
-  if (!allowedRoots || allowedRoots.length === 0) return resolved;
-  const allowed = allowedRoots.some((root) => {
-    const resolvedRoot = path2.resolve(expandHome(root));
-    return resolved === resolvedRoot || resolved.startsWith(resolvedRoot + path2.sep);
-  });
-  if (!allowed) {
-    throw new Error(`Path "${p}" is outside allowed roots`);
+function validateWritePath(p, allowedRoots) {
+  const resolved = validateAndBlockSensitive(p, allowedRoots);
+  if (isOpenclawJson(resolved)) {
+    throw new Error(
+      `Write denied: "${p}" is a protected configuration file (openclaw.json)`
+    );
   }
   return resolved;
 }
@@ -813,18 +724,18 @@ function err(message) {
   };
 }
 function listDir(dirPath, opts) {
-  const dirents = fs2.readdirSync(dirPath, { withFileTypes: true });
+  const dirents = fs5.readdirSync(dirPath, { withFileTypes: true });
   const results = [];
   for (const dirent of dirents) {
     if (!opts.includeHidden && dirent.name.startsWith(".")) continue;
-    const entryPath = path2.join(dirPath, dirent.name);
+    const entryPath = path6.join(dirPath, dirent.name);
     let type = "other";
     if (dirent.isFile()) type = "file";
     else if (dirent.isDirectory()) type = "directory";
     else if (dirent.isSymbolicLink()) type = "symlink";
     const entry = { name: dirent.name, path: entryPath, type };
     try {
-      const stat = fs2.statSync(entryPath);
+      const stat = fs5.statSync(entryPath);
       entry.size = stat.size;
       entry.modified = stat.mtime.toISOString();
     } catch {
@@ -839,12 +750,25 @@ function listDir(dirPath, opts) {
   }
   return results;
 }
+function filterSensitiveEntries(entries) {
+  return entries.filter((entry) => !isSensitivePath(entry.path)).map((entry) => {
+    if (entry.children) {
+      return { ...entry, children: filterSensitiveEntries(entry.children) };
+    }
+    return entry;
+  });
+}
 function registerFilesystemTools(api) {
-  const allowedRoots = api.pluginConfig?.["fs.allowedRoots"] ?? [];
+  const layout = resolveGatewayLayout();
+  const DEFAULT_ALLOWED_ROOTS = Array.from(/* @__PURE__ */ new Set([
+    OPENCLAW_DIR,
+    ...layout.workspaces.map((ws) => ws.path)
+  ]));
+  const allowedRoots = api.pluginConfig?.["fs.allowedRoots"] ?? DEFAULT_ALLOWED_ROOTS;
   api.registerTool({
     name: "fs_read",
     label: "Read File",
-    description: "Read a file from the server filesystem. Returns the file contents as text. Supports ~ for home directory expansion.",
+    description: "Read a file from the server filesystem. Returns the file contents as text. Supports ~ for home directory expansion. Sensitive directories (credentials, devices, identity) are blocked. Config files are returned with auth tokens redacted.",
     parameters: {
       type: "object",
       properties: {
@@ -862,10 +786,13 @@ function registerFilesystemTools(api) {
     },
     async execute(_id, params) {
       try {
-        const filePath = validatePath(params.path, allowedRoots);
+        const filePath = validateAndBlockSensitive(params.path, allowedRoots);
         const encoding = params.encoding ?? "utf-8";
-        const content = fs2.readFileSync(filePath, encoding);
-        const stat = fs2.statSync(filePath);
+        let content = fs5.readFileSync(filePath, encoding);
+        const stat = fs5.statSync(filePath);
+        if (isOpenclawJson(filePath) && encoding === "utf-8") {
+          content = redactOpenclawJson(content);
+        }
         return ok({
           path: filePath,
           content,
@@ -881,7 +808,7 @@ function registerFilesystemTools(api) {
   api.registerTool({
     name: "fs_write",
     label: "Write File",
-    description: "Write content to a file on the server filesystem. Creates parent directories if they don't exist. Supports ~ for home directory expansion.",
+    description: "Write content to a file on the server filesystem. Creates parent directories if they don't exist. Supports ~ for home directory expansion. Writes to protected directories (credentials, devices, identity) and config files (openclaw.json) are denied.",
     parameters: {
       type: "object",
       properties: {
@@ -907,15 +834,15 @@ function registerFilesystemTools(api) {
     },
     async execute(_id, params) {
       try {
-        const filePath = validatePath(params.path, allowedRoots);
+        const filePath = validateWritePath(params.path, allowedRoots);
         const content = params.content;
         const encoding = params.encoding ?? "utf-8";
         const mkdir = params.mkdir !== false;
         if (mkdir) {
-          fs2.mkdirSync(path2.dirname(filePath), { recursive: true });
+          fs5.mkdirSync(path6.dirname(filePath), { recursive: true });
         }
-        fs2.writeFileSync(filePath, content, encoding);
-        const stat = fs2.statSync(filePath);
+        fs5.writeFileSync(filePath, content, encoding);
+        const stat = fs5.statSync(filePath);
         return ok({
           path: filePath,
           size: stat.size,
@@ -930,7 +857,7 @@ function registerFilesystemTools(api) {
   api.registerTool({
     name: "fs_list",
     label: "List Directory",
-    description: "List contents of a directory on the server filesystem. Returns file metadata including name, type, size, and modification time. Supports ~ for home directory expansion.",
+    description: "List contents of a directory on the server filesystem. Returns file metadata including name, type, size, and modification time. Supports ~ for home directory expansion. Protected directories (credentials, devices, identity) are excluded from results.",
     parameters: {
       type: "object",
       properties: {
@@ -951,10 +878,11 @@ function registerFilesystemTools(api) {
     },
     async execute(_id, params) {
       try {
-        const dirPath = validatePath(params.path, allowedRoots);
+        const dirPath = validateAndBlockSensitive(params.path, allowedRoots);
         const recursive = params.recursive === true;
         const includeHidden = params.includeHidden === true;
-        const entries = listDir(dirPath, { recursive, includeHidden, depth: 0, maxDepth: 3 });
+        let entries = listDir(dirPath, { recursive, includeHidden, depth: 0, maxDepth: 3 });
+        entries = filterSensitiveEntries(entries);
         return ok({
           path: dirPath,
           count: entries.length,
@@ -966,115 +894,2513 @@ function registerFilesystemTools(api) {
       }
     }
   });
-}
-
-// src/version.ts
-import { execSync } from "child_process";
-import fs3 from "fs";
-import path3 from "path";
-import { fileURLToPath } from "url";
-var PACKAGE_NAME = "squad-openclaw";
-function getCurrentVersion() {
-  const thisFile = fileURLToPath(import.meta.url);
-  const pkgPath = path3.resolve(path3.dirname(thisFile), "..", "package.json");
-  try {
-    const pkg = JSON.parse(fs3.readFileSync(pkgPath, "utf-8"));
-    return pkg.version ?? "0.0.0";
-  } catch {
-    return "0.0.0";
-  }
-}
-async function fetchLatestVersion() {
-  const controller = new AbortController();
-  const timeout = setTimeout(() => controller.abort(), 1e4);
-  try {
-    const res = await fetch(`https://registry.npmjs.org/${PACKAGE_NAME}`, {
-      signal: controller.signal
-    });
-    if (!res.ok) throw new Error(`npm registry returned ${res.status}`);
-    const data = await res.json();
-    return data["dist-tags"]?.latest ?? "0.0.0";
-  } finally {
-    clearTimeout(timeout);
-  }
-}
-function registerVersionMethods(api) {
-  api.registerGatewayMethod(
-    "squad.version.check",
-    async ({ respond }) => {
+  api.registerTool({
+    name: "fs_mkdir",
+    label: "Create Directory",
+    description: "Create a directory on the server filesystem. Creates parent directories as needed. Supports ~ for home directory expansion. Cannot create directories inside protected paths (credentials, devices, identity).",
+    parameters: {
+      type: "object",
+      properties: {
+        path: {
+          type: "string",
+          description: "Absolute or ~-prefixed path of the directory to create"
+        }
+      },
+      required: ["path"]
+    },
+    async execute(_id, params) {
       try {
-        const current = getCurrentVersion();
-        let latest;
-        try {
-          latest = await fetchLatestVersion();
-        } catch {
-          respond(true, {
-            current,
-            latest: null,
-            updateAvailable: false,
-            registryError: "Could not reach npm registry"
-          });
-          return;
+        const targetPath = validateWritePath(params.path, allowedRoots);
+        fs5.mkdirSync(targetPath, { recursive: true });
+        return ok({
+          path: targetPath,
+          created: true
+        });
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return err(`fs_mkdir failed: ${msg}`);
+      }
+    }
+  });
+  api.registerTool({
+    name: "fs_rename",
+    label: "Rename / Move",
+    description: "Rename or move a file or directory on the server filesystem. Supports ~ for home directory expansion. Cannot move files into or out of protected directories.",
+    parameters: {
+      type: "object",
+      properties: {
+        oldPath: {
+          type: "string",
+          description: "Current absolute or ~-prefixed path"
+        },
+        newPath: {
+          type: "string",
+          description: "New absolute or ~-prefixed path"
         }
-        respond(true, {
-          current,
-          latest,
-          updateAvailable: latest !== current && latest !== "0.0.0"
+      },
+      required: ["oldPath", "newPath"]
+    },
+    async execute(_id, params) {
+      try {
+        const resolvedOld = validateWritePath(params.oldPath, allowedRoots);
+        const resolvedNew = validateWritePath(params.newPath, allowedRoots);
+        fs5.renameSync(resolvedOld, resolvedNew);
+        return ok({
+          oldPath: resolvedOld,
+          newPath: resolvedNew,
+          renamed: true
         });
       } catch (e) {
         const msg = e instanceof Error ? e.message : String(e);
-        respond(false, { error: msg });
+        return err(`fs_rename failed: ${msg}`);
       }
     }
-  );
-  api.registerGatewayMethod(
-    "squad.version.update",
-    async ({ respond }) => {
+  });
+  api.registerTool({
+    name: "fs_delete",
+    label: "Delete File or Directory",
+    description: "Delete a file or directory from the server filesystem. For directories, removes recursively. Supports ~ for home directory expansion. Cannot delete protected directories or config files.",
+    parameters: {
+      type: "object",
+      properties: {
+        path: {
+          type: "string",
+          description: "Absolute or ~-prefixed path to the file or directory to delete"
+        }
+      },
+      required: ["path"]
+    },
+    async execute(_id, params) {
       try {
-        const before = getCurrentVersion();
-        let updateOutput = "";
-        try {
-          updateOutput = execSync(
-            `openclaw plugins update ${PACKAGE_NAME} 2>&1`,
-            { timeout: 12e4, encoding: "utf-8" }
-          );
-        } catch {
-          try {
-            updateOutput = execSync(
-              `npm install -g ${PACKAGE_NAME}@latest 2>&1`,
-              { timeout: 12e4, encoding: "utf-8" }
-            );
-          } catch (npmErr) {
-            const msg = npmErr instanceof Error ? npmErr.message : String(npmErr);
-            respond(false, {
-              error: `Update failed: ${msg}`,
-              output: updateOutput
-            });
-            return;
-          }
+        const targetPath = validateWritePath(params.path, allowedRoots);
+        const stat = fs5.statSync(targetPath);
+        const wasDirectory = stat.isDirectory();
+        if (wasDirectory) {
+          fs5.rmSync(targetPath, { recursive: true });
+        } else {
+          fs5.unlinkSync(targetPath);
         }
-        const after = getCurrentVersion();
-        const updated = before !== after;
-        respond(true, {
-          previousVersion: before,
-          currentVersion: after,
-          updated,
-          restartRequired: updated,
-          output: updateOutput.slice(0, 500)
+        return ok({
+          path: targetPath,
+          deleted: true,
+          type: wasDirectory ? "directory" : "file"
         });
       } catch (e) {
         const msg = e instanceof Error ? e.message : String(e);
-        respond(false, { error: msg });
+        return err(`fs_delete failed: ${msg}`);
       }
     }
-  );
+  });
 }
 
-// src/index.ts
-function squadAppPlugin(api) {
-  registerEntityTools(api);
-  registerFilesystemTools(api);
-  registerVersionMethods(api);
+// src/entities.ts
+var EntityType = T.Union([
+  T.Literal("agent"),
+  T.Literal("skill"),
+  T.Literal("tool"),
+  T.Literal("plugin"),
+  T.Literal("session"),
+  T.Literal("file"),
+  T.Literal("directory"),
+  T.Literal("url"),
+  T.Literal("memory"),
+  T.Literal("asset")
+]);
+var registry = /* @__PURE__ */ new Map();
+function registrySet(entity) {
+  registry.set(entity.id, entity);
+}
+function registryDelete(id) {
+  registry.delete(id);
+}
+function registryList(type) {
+  const all = Array.from(registry.values());
+  if (!type) return all;
+  return all.filter((e) => e.type === type);
+}
+var IDENTITY_NAME_RE = /\*\*Name:\*\*\s*\n?\s*(.+?)(?=\n|$)/;
+function parseIdentityName(content) {
+  const match = content.match(IDENTITY_NAME_RE);
+  const name = match?.[1]?.trim();
+  if (!name) return null;
+  if (/^_\(.+\)_$/.test(name)) return null;
+  return name;
+}
+function scanAgents(configDir) {
+  const now = Date.now();
+  let entries;
+  try {
+    entries = fs6.readdirSync(configDir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  const workspaceDirs = entries.filter(
+    (e) => e.isDirectory() && (e.name === "workspace" || e.name.startsWith("workspace-"))
+  );
+  for (const dir of workspaceDirs) {
+    const agentId = dir.name === "workspace" ? "main" : dir.name.replace("workspace-", "");
+    const workspacePath = path7.join(configDir, dir.name);
+    let name = agentId;
+    const metadata = { workspacePath };
+    const identityPath = path7.join(workspacePath, "IDENTITY.md");
+    try {
+      const content = fs6.readFileSync(identityPath, "utf-8");
+      const parsed = parseIdentityName(content);
+      if (parsed) name = parsed;
+    } catch {
+    }
+    if (name === agentId) {
+      const agentJsonPath = path7.join(workspacePath, "agent.json");
+      try {
+        const raw = fs6.readFileSync(agentJsonPath, "utf-8");
+        const config = JSON.parse(raw);
+        if (config.displayName) name = config.displayName;
+        if (config.model) metadata.model = config.model;
+        if (config.tools) metadata.tools = config.tools;
+        if (config.skills) metadata.skills = config.skills;
+      } catch {
+      }
+    }
+    registrySet({
+      id: agentId,
+      type: "agent",
+      name,
+      title: name,
+      description: null,
+      metadata,
+      source: "filesystem",
+      source_key: workspacePath,
+      created_at: now,
+      updated_at: now
+    });
+  }
+}
+function scanSkills(configDir) {
+  const now = Date.now();
+  const globalSkillsDir = path7.join(configDir, "skills");
+  scanSkillsDir(globalSkillsDir, "global", now);
+  let entries;
+  try {
+    entries = fs6.readdirSync(configDir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const dir of entries) {
+    if (!dir.isDirectory() || !(dir.name === "workspace" || dir.name.startsWith("workspace-"))) {
+      continue;
+    }
+    const agentId = dir.name === "workspace" ? "main" : dir.name.replace("workspace-", "");
+    const agentSkillsDir = path7.join(configDir, dir.name, "skills");
+    scanSkillsDir(agentSkillsDir, agentId, now);
+  }
+}
+function scanSkillsDir(skillsDir, scope, now) {
+  let entries;
+  try {
+    entries = fs6.readdirSync(skillsDir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    const skillKey = entry.name;
+    const skillPath = path7.join(skillsDir, skillKey);
+    let name = skillKey;
+    for (const manifestName of ["manifest.json", "package.json"]) {
+      try {
+        const raw = fs6.readFileSync(
+          path7.join(skillPath, manifestName),
+          "utf-8"
+        );
+        const manifest = JSON.parse(raw);
+        if (manifest.name) name = manifest.name;
+        break;
+      } catch {
+        continue;
+      }
+    }
+    const entityId = scope === "global" ? `skill:${skillKey}` : `skill:${scope}:${skillKey}`;
+    registrySet({
+      id: entityId,
+      type: "skill",
+      name,
+      title: name,
+      description: null,
+      metadata: { skillKey, scope, skillPath },
+      source: "filesystem",
+      source_key: skillPath,
+      created_at: now,
+      updated_at: now
+    });
+  }
+}
+function scanPlugins2(configDir) {
+  const now = Date.now();
+  const extensionsDir = path7.join(configDir, "extensions");
+  let entries;
+  try {
+    entries = fs6.readdirSync(extensionsDir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const dir of entries) {
+    if (!dir.isDirectory()) continue;
+    const pluginDir = path7.join(extensionsDir, dir.name);
+    const manifestPath = path7.join(pluginDir, "openclaw.plugin.json");
+    try {
+      const raw = fs6.readFileSync(manifestPath, "utf-8");
+      const manifest = JSON.parse(raw);
+      const pluginId = manifest.id || dir.name;
+      const name = manifest.name || pluginId;
+      registrySet({
+        id: `plugin:${pluginId}`,
+        type: "plugin",
+        name,
+        title: name,
+        description: manifest.description || null,
+        metadata: { pluginId, pluginDir },
+        source: "filesystem",
+        source_key: manifestPath,
+        created_at: now,
+        updated_at: now
+      });
+    } catch {
+    }
+  }
+}
+function scanTools(configDir) {
+  const now = Date.now();
+  try {
+    const raw = fs6.readFileSync(
+      path7.join(configDir, "openclaw.json"),
+      "utf-8"
+    );
+    const config = JSON.parse(raw);
+    const allowedTools = config?.tools?.allow ?? [];
+    for (const toolName of allowedTools) {
+      registrySet({
+        id: `tool:${toolName}`,
+        type: "tool",
+        name: toolName,
+        title: toolName,
+        description: null,
+        metadata: { tool_name: toolName },
+        source: "filesystem",
+        source_key: "openclaw.json:tools.allow",
+        created_at: now,
+        updated_at: now
+      });
+    }
+  } catch {
+  }
+}
+var MIME_MAP = {
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".webp": "image/webp",
+  ".svg": "image/svg+xml",
+  ".bmp": "image/bmp",
+  ".ico": "image/x-icon",
+  ".mp4": "video/mp4",
+  ".webm": "video/webm",
+  ".mov": "video/quicktime",
+  ".avi": "video/x-msvideo",
+  ".mkv": "video/x-matroska",
+  ".mp3": "audio/mpeg",
+  ".wav": "audio/wav",
+  ".ogg": "audio/ogg",
+  ".flac": "audio/flac",
+  ".aac": "audio/aac",
+  ".pdf": "application/pdf",
+  ".json": "application/json",
+  ".txt": "text/plain",
+  ".md": "text/markdown",
+  ".csv": "text/csv",
+  ".zip": "application/zip",
+  ".tar": "application/x-tar",
+  ".gz": "application/gzip"
+};
+function getMimeType(filename) {
+  const ext = path7.extname(filename).toLowerCase();
+  return MIME_MAP[ext] ?? "application/octet-stream";
+}
+function scanMedia(configDir) {
+  const now = Date.now();
+  const mediaDir = path7.join(configDir, "media");
+  scanMediaDir(mediaDir, now);
+}
+function scanMediaDir(dirPath, now) {
+  let entries;
+  try {
+    entries = fs6.readdirSync(dirPath, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    if (entry.name.startsWith(".")) continue;
+    const entryPath = path7.join(dirPath, entry.name);
+    if (isSensitivePath(entryPath)) continue;
+    if (entry.isDirectory()) {
+      registrySet({
+        id: entryPath,
+        type: "directory",
+        name: entry.name,
+        title: entry.name,
+        description: null,
+        metadata: { path: entryPath },
+        source: "filesystem",
+        source_key: entryPath,
+        created_at: now,
+        updated_at: now
+      });
+      scanMediaDir(entryPath, now);
+    } else if (entry.isFile()) {
+      const mimeType = getMimeType(entry.name);
+      let size;
+      let mtime = now;
+      try {
+        const stat = fs6.statSync(entryPath);
+        size = stat.size;
+        mtime = stat.mtimeMs;
+      } catch {
+      }
+      registrySet({
+        id: entryPath,
+        type: "asset",
+        name: entry.name,
+        title: entry.name,
+        description: null,
+        metadata: { path: entryPath, size, mime_type: mimeType, original_name: entry.name },
+        source: "filesystem",
+        source_key: entryPath,
+        created_at: mtime,
+        updated_at: mtime
+      });
+    }
+  }
+}
+function fullScan(configDir) {
+  registry.clear();
+  scanAgents(configDir);
+  scanSkills(configDir);
+  scanPlugins2(configDir);
+  scanTools(configDir);
+  scanMedia(configDir);
+}
+function registerEntityTools(api, onFsChange) {
+  const configDir = getOpenclawStateDir();
+  api.registerTool({
+    name: "entity_list",
+    description: "List all entities in the registry, optionally filtered by type. Returns lightweight entity data for @mention autocomplete.",
+    parameters: T.Object({
+      type: T.Optional(EntityType),
+      limit: T.Optional(
+        T.Number({ description: "Max results (default 500)" })
+      )
+    }),
+    async execute(_id, params, _ctx) {
+      const results = registryList(params.type);
+      const limit = params.limit ?? 500;
+      return {
+        content: [
+          { type: "text", text: JSON.stringify(results.slice(0, limit)) }
+        ]
+      };
+    }
+  });
+  api.registerTool({
+    name: "entity_search",
+    description: "Search entities by name/title substring match for @mention autocomplete.",
+    parameters: T.Object({
+      query: T.String({ description: "Search query text" }),
+      type: T.Optional(
+        T.String({ description: "Filter results by entity type" })
+      ),
+      limit: T.Optional(
+        T.Number({ description: "Max results (default 20)" })
+      )
+    }),
+    async execute(_id, params, _ctx) {
+      const q = (params.query ?? "").toLowerCase();
+      const limit = params.limit ?? 20;
+      let results = Array.from(registry.values());
+      if (params.type) {
+        results = results.filter((e) => e.type === params.type);
+      }
+      if (q) {
+        results = results.filter(
+          (e) => e.name.toLowerCase().includes(q) || (e.title ?? "").toLowerCase().includes(q)
+        );
+      }
+      return {
+        content: [
+          { type: "text", text: JSON.stringify(results.slice(0, limit)) }
+        ]
+      };
+    }
+  });
+  api.registerTool({
+    name: "entity_sync",
+    description: "Re-scan the filesystem to refresh the entity registry. Call after configuration changes for immediate updates.",
+    parameters: T.Object({}),
+    async execute(_id, _params, _ctx) {
+      const before = registry.size;
+      fullScan(configDir);
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({ synced: registry.size, previous: before })
+          }
+        ]
+      };
+    }
+  });
+  try {
+    fullScan(configDir);
+  } catch (err2) {
+    console.error("[squad-openclaw] Initial scan failed:", err2);
+  }
+  let stopWatcher = null;
+  try {
+    stopWatcher = startWatcher(configDir, onFsChange);
+  } catch (err2) {
+    console.error("[squad-openclaw] Watcher failed to start:", err2);
+  }
+  const cleanup = () => {
+    stopWatcher?.();
+  };
+  process.on("SIGTERM", cleanup);
+  process.on("SIGINT", cleanup);
+}
+
+// src/sql.ts
+import { execFile } from "child_process";
+import path8 from "path";
+import fs7 from "fs";
+import { Type as T2 } from "@sinclair/typebox";
+var HOME_DIR2 = process.env.HOME ?? "/root";
+var ALLOWED_DATA_DIR = path8.join(getOpenclawStateDir(), "squad-ceo-data");
+function validateDbPath(dbPath) {
+  let expanded = dbPath;
+  if (expanded.startsWith("~/") || expanded === "~") {
+    expanded = path8.join(HOME_DIR2, expanded.slice(1));
+  }
+  const resolved = path8.resolve(expanded);
+  if (resolved !== ALLOWED_DATA_DIR && !resolved.startsWith(ALLOWED_DATA_DIR + path8.sep)) {
+    throw new Error(
+      `Access denied: database path must be within ~/.openclaw/squad-ceo-data/`
+    );
+  }
+  try {
+    const stat = fs7.statSync(resolved);
+    if (!stat.isFile()) {
+      throw new Error(`Not a file: ${dbPath}`);
+    }
+  } catch (e) {
+    if (e.code === "ENOENT") {
+      throw new Error(`Database file not found: ${dbPath}`);
+    }
+    throw e;
+  }
+  return resolved;
+}
+function runSqlite3(dbPath, args) {
+  return new Promise((resolve, reject) => {
+    execFile(
+      "sqlite3",
+      [dbPath, ...args],
+      { timeout: 3e4, maxBuffer: 10 * 1024 * 1024 },
+      (error, stdout, stderr) => {
+        if (error) {
+          reject(new Error(stderr || error.message));
+          return;
+        }
+        resolve(stdout);
+      }
+    );
+  });
+}
+function registerSqlTools(api) {
+  api.registerTool({
+    name: "sql_query",
+    label: "SQL Query",
+    description: "Execute a sqlite3 query on a database file within ~/.openclaw/squad-ceo-data/. Only sqlite3 is allowed \u2014 no arbitrary shell commands. Use jsonOutput: true for structured JSON results.",
+    parameters: T2.Object({
+      dbPath: T2.String({
+        description: "Path to the SQLite database file (must be within ~/.openclaw/squad-ceo-data/)"
+      }),
+      query: T2.String({ description: "SQL query to execute" }),
+      jsonOutput: T2.Optional(
+        T2.Boolean({
+          description: "Return results as JSON (sqlite3 -json flag)"
+        })
+      )
+    }),
+    async execute(_id, params) {
+      try {
+        const resolvedDb = validateDbPath(params.dbPath);
+        const args = [];
+        if (params.jsonOutput) args.push("-json");
+        args.push(params.query);
+        const output = await runSqlite3(resolvedDb, args);
+        return {
+          content: [{ type: "text", text: output }]
+        };
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return {
+          content: [{ type: "text", text: JSON.stringify({ error: msg }) }],
+          isError: true
+        };
+      }
+    }
+  });
+}
+
+// src/version.ts
+import { spawn } from "child_process";
+import fs8 from "fs";
+import path9 from "path";
+import { fileURLToPath } from "url";
+var PACKAGE_NAME = "squad-openclaw";
+var CONFIG_PATH = path9.join(getOpenclawStateDir(), "openclaw.json");
+var updateInProgress = false;
+var VERIFY_TIMEOUT_MS = 2e4;
+var VERIFY_INTERVAL_MS = 500;
+var RESTART_BUFFER_MS = 5e3;
+var REGISTRY_TIMEOUT_MS = 2500;
+var COMMAND_OUTPUT_LIMIT = 8e3;
+var COMMAND_KILL_GRACE_MS = 2e3;
+function readInstalledVersionFromConfig() {
+  try {
+    const raw = fs8.readFileSync(CONFIG_PATH, "utf-8");
+    const cfg = JSON.parse(raw);
+    const v = cfg?.plugins?.installs?.[PACKAGE_NAME]?.version;
+    return typeof v === "string" ? v : null;
+  } catch {
+    return null;
+  }
+}
+function reconcileInstallMetadata(verification) {
+  if (!verification.installPath || !verification.packageVersion) return;
+  try {
+    const raw = fs8.readFileSync(CONFIG_PATH, "utf-8");
+    const config = JSON.parse(raw);
+    if (!config.plugins || typeof config.plugins !== "object") config.plugins = {};
+    if (!config.plugins.installs || typeof config.plugins.installs !== "object") {
+      config.plugins.installs = {};
+    }
+    if (!config.plugins.entries || typeof config.plugins.entries !== "object") {
+      config.plugins.entries = {};
+    }
+    const current = config.plugins.installs[PACKAGE_NAME] ?? {};
+    config.plugins.installs[PACKAGE_NAME] = {
+      ...current,
+      source: "npm",
+      spec: PACKAGE_NAME,
+      installPath: verification.installPath,
+      version: verification.packageVersion,
+      installedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    const entry = config.plugins.entries[PACKAGE_NAME] ?? {};
+    config.plugins.entries[PACKAGE_NAME] = {
+      ...entry,
+      enabled: true
+    };
+    fs8.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), "utf-8");
+  } catch {
+  }
+}
+function getCurrentVersion() {
+  const thisFile = fileURLToPath(import.meta.url);
+  const pkgPath = path9.resolve(path9.dirname(thisFile), "..", "package.json");
+  try {
+    const pkg = JSON.parse(fs8.readFileSync(pkgPath, "utf-8"));
+    return pkg.version ?? "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
+async function fetchLatestVersion(timeoutMs = REGISTRY_TIMEOUT_MS) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetch(`https://registry.npmjs.org/${PACKAGE_NAME}`, {
+      signal: controller.signal
+    });
+    if (!res.ok) throw new Error(`npm registry returned ${res.status}`);
+    const data = await res.json();
+    return data["dist-tags"]?.latest ?? "0.0.0";
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function runCommand(args, timeoutMs) {
+  return new Promise((resolve) => {
+    const child = spawn("openclaw", args, {
+      stdio: ["ignore", "pipe", "pipe"],
+      detached: true
+    });
+    let output = "";
+    let timedOut = false;
+    let resolved = false;
+    let killGraceTimer = null;
+    const append = (chunk) => {
+      output += chunk.toString();
+      if (output.length > COMMAND_OUTPUT_LIMIT) {
+        output = output.slice(output.length - COMMAND_OUTPUT_LIMIT);
+      }
+    };
+    const finalize = (result) => {
+      if (resolved) return;
+      resolved = true;
+      if (killGraceTimer) clearTimeout(killGraceTimer);
+      clearTimeout(timeout);
+      resolve(result);
+    };
+    child.stdout?.on("data", append);
+    child.stderr?.on("data", append);
+    child.on("error", (err2) => {
+      append(String(err2));
+      finalize({
+        ok: false,
+        timedOut,
+        exitCode: null,
+        signal: null,
+        output
+      });
+    });
+    child.on("close", (code, signal) => {
+      finalize({
+        ok: !timedOut && code === 0,
+        timedOut,
+        exitCode: code,
+        signal,
+        output
+      });
+    });
+    const timeout = setTimeout(() => {
+      timedOut = true;
+      try {
+        process.kill(-child.pid, "SIGTERM");
+      } catch {
+      }
+      killGraceTimer = setTimeout(() => {
+        try {
+          process.kill(-child.pid, "SIGKILL");
+        } catch {
+        }
+      }, COMMAND_KILL_GRACE_MS);
+    }, timeoutMs);
+  });
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function compareVersions(a, b) {
+  const pa = a.split(".").map((x) => Number(x) || 0);
+  const pb = b.split(".").map((x) => Number(x) || 0);
+  const len = Math.max(pa.length, pb.length);
+  for (let i = 0; i < len; i++) {
+    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
+    if (d !== 0) return d;
+  }
+  return 0;
+}
+function verifyInstalledPluginState() {
+  let configRaw;
+  try {
+    configRaw = fs8.readFileSync(CONFIG_PATH, "utf-8");
+  } catch (err2) {
+    const msg = err2 instanceof Error ? err2.message : String(err2);
+    return {
+      ok: false,
+      reason: `Could not read openclaw.json: ${msg}`,
+      installPath: null,
+      configVersion: null,
+      packageVersion: null,
+      requiredFilesMissing: []
+    };
+  }
+  let config;
+  try {
+    config = JSON.parse(configRaw);
+  } catch (err2) {
+    const msg = err2 instanceof Error ? err2.message : String(err2);
+    return {
+      ok: false,
+      reason: `Could not parse openclaw.json: ${msg}`,
+      installPath: null,
+      configVersion: null,
+      packageVersion: null,
+      requiredFilesMissing: []
+    };
+  }
+  const installMeta = config?.plugins?.installs?.[PACKAGE_NAME];
+  const installPath = typeof installMeta?.installPath === "string" ? installMeta.installPath : null;
+  const configVersion = typeof installMeta?.version === "string" ? installMeta.version : null;
+  if (!installPath) {
+    return {
+      ok: false,
+      reason: "Missing plugins.installs entry or installPath for squad-openclaw",
+      installPath: null,
+      configVersion,
+      packageVersion: null,
+      requiredFilesMissing: []
+    };
+  }
+  const requiredFiles = [
+    path9.join(installPath, "package.json"),
+    path9.join(installPath, "openclaw.plugin.json"),
+    path9.join(installPath, "dist", "index.js")
+  ];
+  const requiredFilesMissing = requiredFiles.filter((p) => !fs8.existsSync(p));
+  if (requiredFilesMissing.length > 0) {
+    return {
+      ok: false,
+      reason: "Missing required installed plugin files",
+      installPath,
+      configVersion,
+      packageVersion: null,
+      requiredFilesMissing
+    };
+  }
+  let installedPackage;
+  try {
+    installedPackage = JSON.parse(
+      fs8.readFileSync(path9.join(installPath, "package.json"), "utf-8")
+    );
+  } catch (err2) {
+    const msg = err2 instanceof Error ? err2.message : String(err2);
+    return {
+      ok: false,
+      reason: `Could not parse installed package.json: ${msg}`,
+      installPath,
+      configVersion,
+      packageVersion: null,
+      requiredFilesMissing: []
+    };
+  }
+  try {
+    JSON.parse(
+      fs8.readFileSync(path9.join(installPath, "openclaw.plugin.json"), "utf-8")
+    );
+  } catch (err2) {
+    const msg = err2 instanceof Error ? err2.message : String(err2);
+    return {
+      ok: false,
+      reason: `Could not parse installed openclaw.plugin.json: ${msg}`,
+      installPath,
+      configVersion,
+      packageVersion: null,
+      requiredFilesMissing: []
+    };
+  }
+  const packageVersion = typeof installedPackage?.version === "string" ? installedPackage.version : null;
+  if (!packageVersion) {
+    return {
+      ok: false,
+      reason: "Installed package.json missing version",
+      installPath,
+      configVersion,
+      packageVersion,
+      requiredFilesMissing: []
+    };
+  }
+  return {
+    ok: true,
+    installPath,
+    configVersion,
+    packageVersion,
+    requiredFilesMissing: []
+  };
+}
+async function waitForVerifiedInstall() {
+  const deadline = Date.now() + VERIFY_TIMEOUT_MS;
+  let last = verifyInstalledPluginState();
+  while (!last.ok && Date.now() < deadline) {
+    await sleep(VERIFY_INTERVAL_MS);
+    last = verifyInstalledPluginState();
+  }
+  return last;
+}
+function registerVersionMethods(api) {
+  api.registerGatewayMethod(
+    "squad.version.check",
+    async ({ respond, params }) => {
+      try {
+        const checkParams = params ?? {};
+        const current = getCurrentVersion();
+        if (checkParams.skipRegistry) {
+          console.log("[version_check_local] returning local version only");
+          respond(true, {
+            current,
+            latest: null,
+            updateAvailable: false,
+            registrySkipped: true
+          });
+          return;
+        }
+        let latest;
+        try {
+          latest = await fetchLatestVersion();
+        } catch {
+          console.log("[version_check_registry_timeout] npm registry unavailable");
+          respond(true, {
+            current,
+            latest: null,
+            updateAvailable: false,
+            registryError: "Could not reach npm registry"
+          });
+          return;
+        }
+        respond(true, {
+          current,
+          latest,
+          updateAvailable: latest !== current && latest !== "0.0.0"
+        });
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        respond(false, { error: msg });
+      }
+    }
+  );
+  api.registerGatewayMethod(
+    "squad.version.update",
+    async ({ respond }) => {
+      if (updateInProgress) {
+        respond(false, { error: "Update already in progress" });
+        return;
+      }
+      updateInProgress = true;
+      const updateAttemptId = `${Date.now()}-${Math.random().toString(16).slice(2, 8)}`;
+      try {
+        const before = getCurrentVersion();
+        const beforeInstalledVersion = readInstalledVersionFromConfig();
+        let latestVersion = null;
+        try {
+          latestVersion = await fetchLatestVersion();
+        } catch {
+          latestVersion = null;
+        }
+        let updateOutput = "";
+        let configBackup = null;
+        try {
+          configBackup = fs8.readFileSync(CONFIG_PATH, "utf-8");
+        } catch {
+        }
+        await runCommand(["doctor", "--fix"], 3e4);
+        try {
+          const first = await runCommand(["plugins", "update", PACKAGE_NAME], 12e4);
+          updateOutput = first.output;
+          if (!first.ok) {
+            throw new Error(
+              first.timedOut ? "UPDATE_TIMEOUT: plugins update timed out" : `UPDATE_FAILED: plugins update exited with code ${String(first.exitCode)}`
+            );
+          }
+        } catch (firstErr) {
+          await runCommand(["doctor", "--fix"], 3e4);
+          try {
+            const retry = await runCommand(["plugins", "update", PACKAGE_NAME], 12e4);
+            updateOutput = retry.output;
+            if (!retry.ok) {
+              throw new Error(
+                retry.timedOut ? "UPDATE_TIMEOUT: plugins update timed out after retry" : `UPDATE_FAILED: plugins update retry exited with code ${String(retry.exitCode)}`
+              );
+            }
+          } catch (installErr) {
+            if (configBackup) {
+              try {
+                fs8.writeFileSync(CONFIG_PATH, configBackup, "utf-8");
+              } catch {
+              }
+            }
+            const firstMsg = firstErr instanceof Error ? firstErr.message : String(firstErr);
+            const retryMsg = installErr instanceof Error ? installErr.message : String(installErr);
+            respond(false, {
+              code: /UPDATE_TIMEOUT/.test(retryMsg) ? "UPDATE_TIMEOUT" : "UPDATE_FAILED",
+              error: `Update failed after doctor fix retry: ${retryMsg}`,
+              output: updateOutput,
+              firstError: firstMsg,
+              updateAttemptId
+            });
+            return;
+          }
+        }
+        const verification = await waitForVerifiedInstall();
+        if (!verification.ok) {
+          if (configBackup) {
+            try {
+              fs8.writeFileSync(CONFIG_PATH, configBackup, "utf-8");
+            } catch {
+            }
+          }
+          respond(false, {
+            code: "VERIFY_FAILED",
+            error: `Update verification failed: ${verification.reason ?? "unknown error"}`,
+            output: updateOutput.slice(0, 500),
+            verification,
+            updateAttemptId
+          });
+          return;
+        }
+        reconcileInstallMetadata(verification);
+        const verificationAfterReconcile = verifyInstalledPluginState();
+        if (beforeInstalledVersion && verificationAfterReconcile.packageVersion && beforeInstalledVersion === verificationAfterReconcile.packageVersion) {
+          const alreadyLatest = !!latestVersion && compareVersions(verificationAfterReconcile.packageVersion, latestVersion) >= 0;
+          respond(false, {
+            code: "UPDATE_FAILED",
+            error: alreadyLatest ? `Already at latest version (${verificationAfterReconcile.packageVersion}).` : `Update command completed but installed version did not change (${verificationAfterReconcile.packageVersion}).`,
+            output: updateOutput.slice(0, 500),
+            verification: verificationAfterReconcile,
+            latestVersion,
+            updateAttemptId
+          });
+          return;
+        }
+        const after = getCurrentVersion();
+        respond(true, {
+          previousVersion: before,
+          currentVersion: after,
+          updated: true,
+          restartRequired: true,
+          restartInMs: RESTART_BUFFER_MS,
+          verification: verificationAfterReconcile,
+          latestVersion,
+          output: updateOutput.slice(0, 500),
+          updateAttemptId
+        });
+        await sleep(RESTART_BUFFER_MS);
+        console.log(
+          `[version] Plugin update verified (was ${before}), restarting gateway...`
+        );
+        const restartResult = await runCommand(["gateway", "restart"], 3e4);
+        if (!restartResult.ok && !restartResult.timedOut) {
+          console.log("[update_cmd_timeout] restart command failed unexpectedly", {
+            updateAttemptId,
+            exitCode: restartResult.exitCode,
+            signal: restartResult.signal
+          });
+        }
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        respond(false, {
+          code: /VERIFY_FAILED/.test(msg) ? "VERIFY_FAILED" : /UPDATE_TIMEOUT/.test(msg) ? "UPDATE_TIMEOUT" : "UPDATE_FAILED",
+          error: msg
+        });
+      } finally {
+        updateInProgress = false;
+      }
+    }
+  );
+}
+
+// src/questions.ts
+var MARKER = "[HUMAN_INPUT_REQUIRED]";
+function normalizeEnvelope(raw) {
+  if (raw.blocking !== true) return null;
+  if (typeof raw.qid !== "string" || !raw.qid.trim()) return null;
+  if (typeof raw.sessionKey !== "string" || !raw.sessionKey.trim()) return null;
+  if (typeof raw.title !== "string" || !raw.title.trim()) return null;
+  if (typeof raw.question !== "string" || !raw.question.trim()) return null;
+  const agentId = typeof raw.agentId === "string" && raw.agentId.trim() ? raw.agentId.trim() : void 0;
+  return {
+    qid: raw.qid.trim(),
+    sessionKey: raw.sessionKey.trim(),
+    agentId,
+    title: raw.title.trim(),
+    question: raw.question.trim(),
+    blocking: true
+  };
+}
+function validateHumanQuestionEnvelope(text, options) {
+  const markerIndex = text.indexOf(MARKER);
+  if (markerIndex < 0) return { valid: false, markerFound: false };
+  const tail = text.slice(markerIndex + MARKER.length).trimStart();
+  const firstLine = tail.split("\n")[0]?.trim() ?? "";
+  if (!firstLine.startsWith("{")) {
+    return { valid: false, markerFound: true, errorCode: "missing_json_line" };
+  }
+  let parsed = null;
+  try {
+    parsed = JSON.parse(firstLine);
+  } catch {
+    return { valid: false, markerFound: true, errorCode: "invalid_json" };
+  }
+  const normalized = normalizeEnvelope(parsed);
+  if (!normalized) {
+    return { valid: false, markerFound: true, errorCode: "schema_invalid" };
+  }
+  const expectedSessionKey = options?.expectedSessionKey?.trim();
+  const sessionKeyMismatch = !!(expectedSessionKey && normalized.sessionKey !== expectedSessionKey);
+  return {
+    valid: true,
+    markerFound: true,
+    normalizedEnvelope: normalized,
+    sessionKeyMismatch
+  };
+}
+function registerQuestionMethods(api) {
+  api.registerGatewayMethod(
+    "squad.questions.validate-envelope",
+    async ({ params, respond }) => {
+      const text = typeof params?.text === "string" ? params.text : "";
+      const expectedSessionKey = typeof params?.expectedSessionKey === "string" ? params.expectedSessionKey : void 0;
+      if (!text) {
+        respond(false, { error: "Missing 'text' parameter" });
+        return;
+      }
+      const result = validateHumanQuestionEnvelope(text, { expectedSessionKey });
+      respond(true, result);
+    }
+  );
+}
+
+// src/sessions.ts
+import fs9 from "fs";
+import path10 from "path";
+import crypto from "crypto";
+
+// src/gateway-invoke.ts
+function asRecord(value) {
+  return value && typeof value === "object" ? value : null;
+}
+function isInvoker(fn) {
+  return typeof fn === "function";
+}
+function isUnknownGatewayMethodError(message) {
+  return /unknown method|method .* unavailable|not found|invalid[_ ]request|does not exist/i.test(
+    message
+  );
+}
+async function callGatewayAny(ctx, api, method, params) {
+  const ctxGateway = asRecord(ctx.gateway);
+  const apiGateway = asRecord(api?.gateway);
+  const candidates = [
+    ctx.request,
+    ctx.callGatewayMethod,
+    ctx.gatewayRequest,
+    ctx.invokeGatewayMethod,
+    ctxGateway?.request,
+    ctxGateway?.callGatewayMethod,
+    api?.request,
+    api?.callGatewayMethod,
+    api?.gatewayRequest,
+    api?.invokeGatewayMethod,
+    apiGateway?.request,
+    apiGateway?.callGatewayMethod
+  ];
+  let lastErr = null;
+  for (const candidate of candidates) {
+    if (!isInvoker(candidate)) continue;
+    try {
+      return await candidate(method, params);
+    } catch (err2) {
+      lastErr = err2;
+      const msg = err2 instanceof Error ? err2.message : String(err2);
+      if (isUnknownGatewayMethodError(msg)) {
+        continue;
+      }
+      throw err2;
+    }
+  }
+  if (lastErr) throw lastErr;
+  throw new Error("Gateway method invocation API unavailable in plugin context");
+}
+
+// src/sessions.ts
+function asRecord2(value) {
+  return value && typeof value === "object" ? value : null;
+}
+function extractSessionKey(value) {
+  const record = asRecord2(value);
+  if (!record) return null;
+  if (typeof record.key === "string" && record.key.trim()) {
+    return record.key.trim();
+  }
+  const nestedKey = asRecord2(record.key);
+  if (nestedKey && typeof nestedKey.key === "string" && nestedKey.key.trim()) {
+    return nestedKey.key.trim();
+  }
+  if (typeof record.sessionKey === "string" && record.sessionKey.trim()) {
+    return record.sessionKey.trim();
+  }
+  const nestedSession = asRecord2(record.session);
+  if (nestedSession && typeof nestedSession.key === "string" && nestedSession.key.trim()) {
+    return nestedSession.key.trim();
+  }
+  return null;
+}
+function parseAgentIdFromSessionKey(sessionKey) {
+  const m = sessionKey.match(/^agent:([^:]+):/);
+  return m?.[1] ?? null;
+}
+function ensureDir(dirPath) {
+  fs9.mkdirSync(dirPath, { recursive: true });
+}
+function readSessionsMap(sessionsJsonPath) {
+  try {
+    const raw = fs9.readFileSync(sessionsJsonPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (parsed && typeof parsed === "object") {
+      return parsed;
+    }
+  } catch {
+  }
+  return {};
+}
+function writeSessionsMap(sessionsJsonPath, sessionsMap) {
+  fs9.writeFileSync(sessionsJsonPath, JSON.stringify(sessionsMap, null, 2), "utf-8");
+}
+function createSessionOnDisk(input) {
+  const requestedSessionKey = input.requestedSessionKey?.trim();
+  const requestedAgentId = input.requestedAgentId?.trim();
+  const derivedAgentId = requestedAgentId || (requestedSessionKey ? parseAgentIdFromSessionKey(requestedSessionKey) : null) || "main";
+  const sessionKey = requestedSessionKey || `agent:${derivedAgentId}:${crypto.randomUUID()}`;
+  const stateDir = getOpenclawStateDir();
+  const sessionsDir = path10.join(stateDir, "agents", derivedAgentId, "sessions");
+  const sessionsJsonPath = path10.join(sessionsDir, "sessions.json");
+  ensureDir(sessionsDir);
+  const now = Date.now();
+  const sessionsMap = readSessionsMap(sessionsJsonPath);
+  const existing = sessionsMap[sessionKey];
+  const sessionId = typeof existing?.sessionId === "string" && existing.sessionId.trim() ? existing.sessionId : crypto.randomUUID();
+  const jsonlPath = path10.join(sessionsDir, `${sessionId}.jsonl`);
+  sessionsMap[sessionKey] = {
+    ...existing ?? {},
+    sessionId,
+    updatedAt: now,
+    label: typeof existing?.label === "string" && existing.label.trim() ? existing.label : "New Session",
+    totalTokens: typeof existing?.totalTokens === "number" ? existing.totalTokens : 0,
+    lastMessageRole: existing?.lastMessageRole ?? "assistant",
+    lastAssistantHasText: typeof existing?.lastAssistantHasText === "boolean" ? existing.lastAssistantHasText : true
+  };
+  writeSessionsMap(sessionsJsonPath, sessionsMap);
+  if (!fs9.existsSync(jsonlPath)) {
+    fs9.writeFileSync(jsonlPath, "", "utf-8");
+  }
+  return {
+    key: sessionKey,
+    sessionKey,
+    sessionId,
+    agentId: derivedAgentId,
+    displayName: sessionKey,
+    status: "active",
+    createdAt: now
+  };
+}
+function registerSessionMethods(api) {
+  api.registerGatewayMethod(
+    "squad.sessions.create",
+    async (ctx) => {
+      const { params, respond } = ctx;
+      const sessionKey = params?.sessionKey;
+      const agentId = params?.agentId;
+      if (sessionKey !== void 0) {
+        if (typeof sessionKey !== "string" || !sessionKey.trim()) {
+          respond(false, { error: "Invalid 'sessionKey' parameter (must be a non-empty string when provided)" });
+          return;
+        }
+      }
+      if (agentId !== void 0) {
+        if (typeof agentId !== "string" || !agentId.trim()) {
+          respond(false, { error: "Invalid 'agentId' parameter (must be a non-empty string when provided)" });
+          return;
+        }
+      }
+      const createParams = {
+        ...typeof sessionKey === "string" ? { sessionKey: sessionKey.trim() } : {},
+        ...typeof agentId === "string" ? { agentId: agentId.trim() } : {}
+      };
+      try {
+        const nativeResult = await callGatewayAny(
+          ctx,
+          api,
+          "sessions.create",
+          createParams
+        );
+        const normalizedKey = extractSessionKey(nativeResult);
+        if (!normalizedKey) {
+          const local = createSessionOnDisk({
+            requestedSessionKey: typeof sessionKey === "string" ? sessionKey : void 0,
+            requestedAgentId: typeof agentId === "string" ? agentId : void 0
+          });
+          respond(true, local);
+          return;
+        }
+        const nativeRecord = asRecord2(nativeResult);
+        respond(true, {
+          ...nativeRecord ?? {},
+          key: normalizedKey
+        });
+      } catch (err2) {
+        const msg = err2 instanceof Error ? err2.message : String(err2);
+        if (/gateway method invocation api unavailable in plugin context/i.test(msg)) {
+          try {
+            const local = createSessionOnDisk({
+              requestedSessionKey: typeof sessionKey === "string" ? sessionKey : void 0,
+              requestedAgentId: typeof agentId === "string" ? agentId : void 0
+            });
+            respond(true, local);
+            return;
+          } catch (fallbackErr) {
+            const fallbackMsg = fallbackErr instanceof Error ? fallbackErr.message : String(fallbackErr);
+            respond(false, {
+              error: `Failed to create session (local fallback): ${fallbackMsg}`.slice(0, 500)
+            });
+            return;
+          }
+        }
+        respond(false, {
+          error: `Failed to create session: ${msg}`.slice(0, 500)
+        });
+      }
+    }
+  );
+}
+
+// src/agent-send.ts
+import fs10 from "fs";
+import path11 from "path";
+import { execFile as execFile2 } from "child_process";
+import { promisify } from "util";
+var ASSET_REFERENCE_RE = /\{\{asset:([^}]+)\}\}/g;
+var RETRY_INTERVAL_MS = 1e3;
+var RETRY_BUDGET_MS = 2e4;
+var CLI_AGENT_TIMEOUT_MS = 3e4;
+var execFileAsync = promisify(execFile2);
+var IMAGE_MIME_BY_EXT = {
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".webp": "image/webp",
+  ".bmp": "image/bmp",
+  ".svg": "image/svg+xml",
+  ".ico": "image/x-icon",
+  ".tif": "image/tiff",
+  ".tiff": "image/tiff",
+  ".avif": "image/avif"
+};
+function asRecord3(value) {
+  return value && typeof value === "object" ? value : null;
+}
+function sleep2(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function pathWithin(root, candidate) {
+  return candidate === root || candidate.startsWith(`${root}${path11.sep}`);
+}
+function parseAssetPathsFromMessage(message) {
+  const result = [];
+  const re = new RegExp(ASSET_REFERENCE_RE.source, "g");
+  let match;
+  while ((match = re.exec(message)) !== null) {
+    const rawPath = String(match[1] ?? "").trim();
+    if (rawPath) result.push(rawPath);
+  }
+  return result;
+}
+function parseAssetPathsFromContext(params) {
+  const context = asRecord3(params.context);
+  const assets = context?.assets;
+  if (!Array.isArray(assets)) return [];
+  const result = [];
+  for (const entry of assets) {
+    if (typeof entry === "string") {
+      const trimmed = entry.trim();
+      if (trimmed) result.push(trimmed);
+      continue;
+    }
+    const record = asRecord3(entry);
+    if (!record) continue;
+    const assetPath = typeof record.path === "string" ? record.path.trim() : "";
+    if (assetPath) result.push(assetPath);
+  }
+  return result;
+}
+function resolveOpenClawPath(rawPath, stateDir) {
+  const trimmed = rawPath.trim();
+  if (!trimmed) return "";
+  if (trimmed === "~/.openclaw") return stateDir;
+  if (trimmed.startsWith("~/.openclaw/")) {
+    return path11.join(stateDir, trimmed.slice("~/.openclaw/".length));
+  }
+  return trimmed;
+}
+function resolveMediaAssetCandidate(rawPath, stateDir) {
+  const mapped = resolveOpenClawPath(rawPath, stateDir);
+  if (!mapped) return null;
+  const mediaRoot = path11.resolve(path11.join(stateDir, "media"));
+  const resolved = path11.resolve(mapped);
+  if (!pathWithin(mediaRoot, resolved)) return null;
+  return {
+    sourcePath: rawPath,
+    resolvedPath: resolved
+  };
+}
+function dedupeAssetCandidates(candidates) {
+  const seen = /* @__PURE__ */ new Set();
+  const deduped = [];
+  for (const candidate of candidates) {
+    if (seen.has(candidate.resolvedPath)) continue;
+    seen.add(candidate.resolvedPath);
+    deduped.push(candidate);
+  }
+  return deduped;
+}
+async function waitForAvailableAssets(candidates) {
+  if (candidates.length === 0) return [];
+  const pending = new Map(
+    candidates.map((candidate) => [candidate.resolvedPath, candidate])
+  );
+  const deadline = Date.now() + RETRY_BUDGET_MS;
+  while (pending.size > 0) {
+    for (const [resolvedPath, candidate] of pending.entries()) {
+      try {
+        const stat = await fs10.promises.stat(resolvedPath);
+        if (stat.isFile()) {
+          pending.delete(resolvedPath);
+        }
+      } catch {
+      }
+    }
+    if (pending.size === 0) break;
+    if (Date.now() >= deadline) break;
+    await sleep2(RETRY_INTERVAL_MS);
+  }
+  return Array.from(pending.values());
+}
+function resolveImageMimeType(filePath) {
+  const ext = path11.extname(filePath).toLowerCase();
+  return IMAGE_MIME_BY_EXT[ext] ?? "application/octet-stream";
+}
+function extractGatewayToken(config) {
+  const gateway = asRecord3(config.gateway);
+  const auth = asRecord3(gateway?.auth);
+  const remote = asRecord3(gateway?.remote);
+  const fromAuth = typeof auth?.token === "string" ? auth.token.trim() : "";
+  if (fromAuth) return fromAuth;
+  const fromRemote = typeof remote?.token === "string" ? remote.token.trim() : "";
+  if (fromRemote) return fromRemote;
+  const fromGateway = typeof gateway?.token === "string" ? gateway.token.trim() : "";
+  if (fromGateway) return fromGateway;
+  return void 0;
+}
+function resolveGatewayUrlFromConfig(config) {
+  const gateway = asRecord3(config.gateway);
+  const host = typeof gateway?.host === "string" && gateway.host.trim() ? gateway.host.trim() : "127.0.0.1";
+  const port = typeof gateway?.port === "number" && Number.isFinite(gateway.port) ? gateway.port : 18789;
+  const tlsRaw = gateway?.tls;
+  const tls = typeof tlsRaw === "boolean" ? tlsRaw : Boolean(asRecord3(tlsRaw)?.enabled);
+  return `${tls ? "wss" : "ws"}://${host}:${port}`;
+}
+function extractCliErrorMessage(payload) {
+  const payloadRecord = asRecord3(payload);
+  if (typeof payloadRecord?.error === "string") return payloadRecord.error;
+  const errorRecord = asRecord3(payloadRecord?.error);
+  if (typeof errorRecord?.message === "string") return errorRecord.message;
+  const nestedPayload = asRecord3(payloadRecord?.payload);
+  if (typeof nestedPayload?.error === "string") return nestedPayload.error;
+  return "";
+}
+function parseCliJson(raw) {
+  const trimmed = raw.trim();
+  if (!trimmed) return null;
+  try {
+    const parsed = JSON.parse(trimmed);
+    return asRecord3(parsed);
+  } catch {
+    return null;
+  }
+}
+function isGatewayCallUnavailableError(message) {
+  return /gateway method invocation api unavailable in plugin context/i.test(message);
+}
+async function callAgentViaCli(stateDir, params) {
+  const configPath = path11.join(stateDir, "openclaw.json");
+  const configRaw = fs10.readFileSync(configPath, "utf-8");
+  const parsedConfig = JSON.parse(configRaw);
+  const token = extractGatewayToken(parsedConfig);
+  const url = resolveGatewayUrlFromConfig(parsedConfig);
+  const args = [
+    "gateway",
+    "call",
+    "agent",
+    "--json",
+    "--timeout",
+    String(CLI_AGENT_TIMEOUT_MS),
+    "--params",
+    JSON.stringify(params),
+    "--url",
+    url
+  ];
+  if (token) {
+    args.push("--token", token);
+  }
+  try {
+    const { stdout } = await execFileAsync("openclaw", args, {
+      env: process.env,
+      maxBuffer: 10 * 1024 * 1024
+    });
+    const json2 = parseCliJson(stdout);
+    if (!json2) {
+      throw new Error("openclaw gateway call agent returned non-JSON output");
+    }
+    if (json2.ok === false) {
+      const msg = extractCliErrorMessage(json2) || JSON.stringify(json2.error ?? json2);
+      throw new Error(msg);
+    }
+    if ("payload" in json2) return json2.payload;
+    return json2;
+  } catch (err2) {
+    const error = err2;
+    const stdoutJson = parseCliJson(typeof error.stdout === "string" ? error.stdout : "");
+    if (stdoutJson) {
+      if (stdoutJson.ok === false) {
+        const msg = extractCliErrorMessage(stdoutJson) || JSON.stringify(stdoutJson.error ?? stdoutJson);
+        throw new Error(msg);
+      }
+      if ("payload" in stdoutJson) return stdoutJson.payload;
+      return stdoutJson;
+    }
+    const stderr = typeof error.stderr === "string" ? error.stderr.trim() : "";
+    const message = stderr || (typeof error.message === "string" ? error.message : String(err2));
+    throw new Error(message);
+  }
+}
+async function buildImageAttachments(candidates) {
+  const attachments = [];
+  for (const candidate of candidates) {
+    const buffer = await fs10.promises.readFile(candidate.resolvedPath);
+    attachments.push({
+      type: "image",
+      mimeType: resolveImageMimeType(candidate.resolvedPath),
+      fileName: path11.basename(candidate.resolvedPath),
+      content: buffer.toString("base64")
+    });
+  }
+  return attachments;
+}
+function registerAgentSendMethod(api) {
+  api.registerGatewayMethod(
+    "squad.agent.send",
+    async (ctx) => {
+      const { params, respond } = ctx;
+      const message = typeof params?.message === "string" ? params.message : "";
+      if (!message.trim()) {
+        respond(false, { error: "Invalid 'message' parameter (must be a non-empty string)" });
+        return;
+      }
+      const stateDir = getOpenclawStateDir();
+      const rawAssetPaths = [
+        ...parseAssetPathsFromMessage(message),
+        ...parseAssetPathsFromContext(params)
+      ];
+      const candidates = dedupeAssetCandidates(
+        rawAssetPaths.map((rawPath) => resolveMediaAssetCandidate(rawPath, stateDir)).filter((candidate) => candidate !== null)
+      );
+      if (rawAssetPaths.length > 0 && candidates.length === 0) {
+        respond(false, {
+          error: "Referenced image assets must be under ~/.openclaw/media/"
+        });
+        return;
+      }
+      if (candidates.length > 0) {
+        const missing = await waitForAvailableAssets(candidates);
+        if (missing.length > 0) {
+          const missingPaths = missing.map((entry) => entry.sourcePath).join(", ");
+          respond(false, {
+            error: `Referenced image assets not available after ${RETRY_BUDGET_MS}ms: ${missingPaths}`
+          });
+          return;
+        }
+      }
+      try {
+        const imageAttachments = await buildImageAttachments(candidates);
+        const existingAttachments = Array.isArray(params.attachments) ? params.attachments : [];
+        const forwardedParams = {
+          ...params,
+          attachments: [...existingAttachments, ...imageAttachments]
+        };
+        let nativeResult;
+        try {
+          nativeResult = await callGatewayAny(
+            ctx,
+            api,
+            "agent",
+            forwardedParams
+          );
+        } catch (err2) {
+          const msg = err2 instanceof Error ? err2.message : String(err2);
+          if (!isGatewayCallUnavailableError(msg)) {
+            throw err2;
+          }
+          nativeResult = await callAgentViaCli(stateDir, forwardedParams);
+        }
+        respond(true, nativeResult);
+      } catch (err2) {
+        const msg = err2 instanceof Error ? err2.message : String(err2);
+        respond(false, { error: msg });
+      }
+    }
+  );
+}
+
+// src/shared-api.ts
+var CORE_TOOLS = [
+  "exec",
+  "bash",
+  "process",
+  "read",
+  "write",
+  "edit",
+  "apply_patch",
+  "web_search",
+  "web_fetch",
+  "browser",
+  "canvas",
+  "nodes",
+  "image",
+  "message",
+  "cron",
+  "gateway",
+  "sessions_list",
+  "sessions_history",
+  "sessions_send",
+  "sessions_spawn",
+  "session_status",
+  "agents_list",
+  "memory_search"
+];
+var CORE_TOOL_GROUPS = [
+  "group:fs",
+  "group:runtime",
+  "group:sessions",
+  "group:memory",
+  "group:web",
+  "group:ui",
+  "group:automation",
+  "group:messaging",
+  "group:nodes"
+];
+function registerSquadSharedApi(api, onFsChange) {
+  const toolExecutors = /* @__PURE__ */ new Map();
+  const origRegisterTool = api.registerTool.bind(api);
+  api.registerTool = (toolDef) => {
+    if (typeof toolDef.name === "string" && typeof toolDef.execute === "function") {
+      toolExecutors.set(toolDef.name, toolDef.execute);
+    }
+    return origRegisterTool(toolDef);
+  };
+  registerEntityTools(api, onFsChange);
+  registerFilesystemTools(api);
+  registerSqlTools(api);
+  registerVersionMethods(api);
+  registerAgentMethods(api);
+  registerQuestionMethods(api);
+  registerSessionMethods(api);
+  registerAgentSendMethod(api);
+  const invokeTool = async (tool, args) => {
+    const executeFn = toolExecutors.get(tool);
+    if (!executeFn) {
+      throw new Error(`Unknown tool: ${tool}`);
+    }
+    return executeFn(`internal-${Date.now()}`, args);
+  };
+  const listTools = () => [...CORE_TOOLS, ...CORE_TOOL_GROUPS, ...Array.from(toolExecutors.keys())];
+  const registerCoreGatewayMethods = () => {
+    api.registerGatewayMethod(
+      "tools.invoke",
+      async ({ params, respond }) => {
+        const tool = params?.tool;
+        const args = params?.args ?? {};
+        if (!tool) {
+          respond(false, { errorMessage: "Missing 'tool' parameter" });
+          return;
+        }
+        try {
+          const result = await invokeTool(tool, args);
+          respond(true, result);
+        } catch (err2) {
+          const msg = err2 instanceof Error ? err2.message : String(err2);
+          respond(false, { errorMessage: msg });
+        }
+      }
+    );
+    api.registerGatewayMethod(
+      "tools.list",
+      async ({ respond }) => {
+        respond(true, { tools: listTools() });
+      }
+    );
+    api.registerGatewayMethod(
+      "squad.layout.get",
+      async ({ respond }) => {
+        try {
+          const layout = resolveGatewayLayout();
+          respond(true, layout);
+        } catch (err2) {
+          const msg = err2 instanceof Error ? err2.message : String(err2);
+          respond(false, { errorMessage: msg });
+        }
+      }
+    );
+  };
+  return {
+    invokeTool,
+    listTools,
+    registerCoreGatewayMethods
+  };
+}
+
+// src/migrations/runner.ts
+import fs12 from "fs";
+import path13 from "path";
+
+// src/migrations/001-enable-main-subagent-access.ts
+import fs11 from "fs";
+import path12 from "path";
+function asRecord4(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return null;
+  return value;
+}
+function mergeStringArrayWithWildcard(value) {
+  const next = /* @__PURE__ */ new Set();
+  if (Array.isArray(value)) {
+    for (const entry of value) {
+      if (typeof entry === "string" && entry.trim()) next.add(entry.trim());
+    }
+  }
+  next.add("*");
+  return Array.from(next);
+}
+function patchConfigOnDisk() {
+  const configPath = path12.join(getOpenclawStateDir(), "openclaw.json");
+  const raw = fs11.readFileSync(configPath, "utf-8");
+  const parsed = JSON.parse(raw);
+  const agents = asRecord4(parsed.agents) ?? {};
+  const defaults = asRecord4(agents.defaults) ?? {};
+  const subagentsDefaults = asRecord4(defaults.subagents) ?? {};
+  defaults.maxConcurrent = 4;
+  defaults.subagents = {
+    ...subagentsDefaults,
+    maxConcurrent: 8
+  };
+  const listRaw = Array.isArray(agents.list) ? agents.list : [];
+  const list = listRaw.map((entry) => asRecord4(entry)).filter((entry) => Boolean(entry));
+  const mainIndex = list.findIndex((entry) => entry.id === "main");
+  const existingMain = mainIndex >= 0 ? list[mainIndex] : {};
+  const existingIdentity = asRecord4(existingMain.identity) ?? {};
+  const existingTools = asRecord4(existingMain.tools) ?? {};
+  const existingSubagents = asRecord4(existingMain.subagents) ?? {};
+  const nextMain = {
+    ...existingMain,
+    id: "main",
+    identity: {
+      ...existingIdentity,
+      name: typeof existingIdentity.name === "string" && existingIdentity.name.trim() ? existingIdentity.name : "Pepper"
+    },
+    tools: {
+      ...existingTools,
+      allow: mergeStringArrayWithWildcard(existingTools.allow)
+    },
+    subagents: {
+      ...existingSubagents,
+      allowAgents: mergeStringArrayWithWildcard(existingSubagents.allowAgents)
+    }
+  };
+  if (mainIndex >= 0) list[mainIndex] = nextMain;
+  else list.push(nextMain);
+  parsed.agents = {
+    ...agents,
+    defaults,
+    list
+  };
+  fs11.writeFileSync(configPath, `${JSON.stringify(parsed, null, 2)}
+`, "utf-8");
+}
+var migration = {
+  id: "001-enable-main-subagent-access",
+  description: "Enable full main-agent tool and subagent spawning defaults",
+  run: async ({ gatewayCall }) => {
+    const isGatewayApiUnavailableError = (error) => {
+      const msg = error instanceof Error ? error.message : String(error);
+      return /gateway method invocation api unavailable in plugin context/i.test(msg);
+    };
+    const doPatch = async (baseHash) => {
+      await gatewayCall("config.patch", {
+        ...baseHash ? { baseHash } : {},
+        raw: JSON.stringify({
+          agents: {
+            defaults: {
+              maxConcurrent: 4,
+              subagents: {
+                maxConcurrent: 8
+              }
+            },
+            list: [
+              {
+                id: "main",
+                identity: {
+                  name: "Pepper"
+                },
+                tools: {
+                  allow: ["*"]
+                },
+                subagents: {
+                  allowAgents: ["*"]
+                }
+              }
+            ]
+          }
+        })
+      });
+    };
+    let snapshot;
+    try {
+      snapshot = await gatewayCall("config.get", {});
+    } catch (error) {
+      if (isGatewayApiUnavailableError(error)) {
+        patchConfigOnDisk();
+        return;
+      }
+      throw error;
+    }
+    try {
+      await doPatch(snapshot?.hash);
+    } catch (firstErr) {
+      const msg = firstErr instanceof Error ? firstErr.message : String(firstErr);
+      if (isGatewayApiUnavailableError(firstErr)) {
+        patchConfigOnDisk();
+        return;
+      }
+      if (!/config changed since last load/i.test(msg)) throw firstErr;
+      try {
+        snapshot = await gatewayCall("config.get", {});
+      } catch (secondErr) {
+        if (isGatewayApiUnavailableError(secondErr)) {
+          patchConfigOnDisk();
+          return;
+        }
+        throw secondErr;
+      }
+      await doPatch(snapshot?.hash);
+    }
+  }
+};
+var enable_main_subagent_access_default = migration;
+
+// src/migrations/002-backfill-agent-auth-profiles.ts
+var migration2 = {
+  id: "002-backfill-agent-auth-profiles",
+  description: "Ensure non-main agents have auth-profiles copied from main when missing",
+  run: async () => {
+    const copied = backfillAgentAuthProfiles();
+    if (copied.length > 0) {
+      console.log(`[startup-migrations] auth profile backfill copied: ${copied.join(", ")}`);
+    }
+  }
+};
+var backfill_agent_auth_profiles_default = migration2;
+
+// src/migrations/index.ts
+var STARTUP_MIGRATIONS = [
+  enable_main_subagent_access_default,
+  backfill_agent_auth_profiles_default
+  // Append new startup migrations here.
+];
+
+// src/migrations/runner.ts
+var MIGRATIONS_DIR = path13.join(getOpenclawStateDir(), "squad-ceo-data");
+var MIGRATIONS_PATH = path13.join(MIGRATIONS_DIR, "migrations.json");
+function defaultState() {
+  return {
+    version: 1,
+    completed: []
+  };
+}
+function readState() {
+  try {
+    const raw = fs12.readFileSync(MIGRATIONS_PATH, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed.completed)) return defaultState();
+    return {
+      version: 1,
+      completed: parsed.completed.filter((row) => row && typeof row.id === "string" && typeof row.completedAt === "string").map((row) => ({ id: row.id, completedAt: row.completedAt }))
+    };
+  } catch {
+    return defaultState();
+  }
+}
+function writeState(state) {
+  fs12.mkdirSync(MIGRATIONS_DIR, { recursive: true });
+  fs12.writeFileSync(MIGRATIONS_PATH, JSON.stringify(state, null, 2), "utf-8");
+}
+function makeGatewayCaller(api) {
+  return async (method, params = {}) => {
+    const apiRequest = api?.request;
+    if (typeof apiRequest === "function") {
+      return apiRequest(method, params);
+    }
+    const apiCallGatewayMethod = api?.callGatewayMethod;
+    if (typeof apiCallGatewayMethod === "function") {
+      return apiCallGatewayMethod(method, params);
+    }
+    throw new Error("Gateway method invocation API unavailable in plugin context");
+  };
+}
+async function runMigration(state, migration3, gatewayCall) {
+  if (state.completed.some((row) => row.id === migration3.id)) {
+    return { state, applied: false };
+  }
+  await migration3.run({ gatewayCall });
+  return {
+    applied: true,
+    state: {
+      ...state,
+      completed: [
+        ...state.completed,
+        {
+          id: migration3.id,
+          completedAt: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      ]
+    }
+  };
+}
+async function runStartupMigrations(api) {
+  const gatewayCall = makeGatewayCaller(api);
+  let state = readState();
+  for (const migration3 of STARTUP_MIGRATIONS) {
+    try {
+      const result = await runMigration(state, migration3, gatewayCall);
+      state = result.state;
+      if (result.applied) {
+        writeState(state);
+        console.log(`[startup-migrations] applied: ${migration3.id}`);
+      }
+    } catch (err2) {
+      const msg = err2 instanceof Error ? err2.message : String(err2);
+      console.warn(`[startup-migrations] failed: ${migration3.id}: ${msg}`);
+      break;
+    }
+  }
+}
+
+// src/http-routes.ts
+import crypto2 from "crypto";
+var DEFAULT_ALLOWED_ORIGINS = [
+  "https://squad.ceo",
+  "https://www.squad.ceo",
+  "https://squad.pages.dev",
+  "http://localhost:5174",
+  "http://localhost:5800"
+];
+var PAIRING_REQUEST_METHODS = [
+  "node.pair.request",
+  "devices.pair.request",
+  "device.pair.request"
+];
+var PAIRING_STATUS_METHODS = [
+  "node.pair.status",
+  "devices.pair.status",
+  "device.pair.status",
+  "node.pair.get"
+];
+var PROOF_MAX_SKEW_MS = 5 * 60 * 1e3;
+var DEFAULT_PAIRING_TTL_MS = 15 * 60 * 1e3;
+var NONCE_TTL_MS = 10 * 60 * 1e3;
+var LOCATOR_REFRESH_INTERVAL_MS = 15 * 60 * 1e3;
+function asRecord5(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return null;
+  return value;
+}
+function pickString(value) {
+  if (typeof value !== "string") return null;
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function pickNumber(value) {
+  if (typeof value !== "number" || !Number.isFinite(value)) return null;
+  return value;
+}
+function json(body, status = 200) {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: {
+      "Content-Type": "application/json",
+      "Cache-Control": "no-store"
+    }
+  });
+}
+function withCors(request, response, allowMethods = "GET, POST, OPTIONS") {
+  const headers = new Headers(response.headers);
+  const origin = request.headers.get("origin");
+  const allowedOrigin = resolveAllowedOrigin(origin);
+  if (allowedOrigin) {
+    headers.set("Access-Control-Allow-Origin", allowedOrigin);
+    headers.set("Access-Control-Allow-Methods", allowMethods);
+    headers.set("Access-Control-Allow-Headers", "Content-Type");
+    headers.set("Vary", "Origin");
+  }
+  return new Response(response.body, {
+    status: response.status,
+    statusText: response.statusText,
+    headers
+  });
+}
+function jsonError(request, code, message, status = 500, extra = {}) {
+  return withCors(request, json({ ok: false, code, error: message, ...extra }, status));
+}
+function resolveAllowedOrigin(origin) {
+  if (!origin) return null;
+  const configured = process.env.SQUAD_ALLOWED_ORIGINS ? process.env.SQUAD_ALLOWED_ORIGINS.split(",").map((item) => item.trim()).filter(Boolean) : [];
+  const allowed = configured.length > 0 ? configured : DEFAULT_ALLOWED_ORIGINS;
+  return allowed.includes(origin) ? origin : null;
+}
+function isTailnetContext(request) {
+  if (/^(1|true)$/i.test(process.env.SQUAD_ALLOW_NON_TAILNET_INTERNAL ?? "")) {
+    return true;
+  }
+  const hasTailnetHeader = !!request.headers.get("x-tailscale-user-login") || !!request.headers.get("x-tailscale-user-name") || !!request.headers.get("x-tailscale-user-email") || !!request.headers.get("x-tailscale-node-name") || !!request.headers.get("x-tailscale-tailnet");
+  if (hasTailnetHeader) return true;
+  try {
+    const url = new URL(request.url);
+    if (url.hostname.toLowerCase().endsWith(".ts.net")) return true;
+  } catch {
+  }
+  const forwardedHost = request.headers.get("x-forwarded-host")?.toLowerCase() ?? "";
+  return forwardedHost.endsWith(".ts.net");
+}
+function ensureOriginAllowed(request) {
+  const origin = request.headers.get("origin");
+  if (!origin) return null;
+  return resolveAllowedOrigin(origin);
+}
+function decodeBase64Url(value) {
+  const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = normalized + "=".repeat((4 - normalized.length % 4) % 4);
+  return Uint8Array.from(Buffer.from(padded, "base64"));
+}
+function encodeUtf8(value) {
+  return new TextEncoder().encode(value);
+}
+function canonicalizeP256Jwk(value) {
+  const record = asRecord5(value);
+  const kty = pickString(record?.kty);
+  const crv = pickString(record?.crv);
+  const x = pickString(record?.x);
+  const y = pickString(record?.y);
+  if (kty !== "EC" || crv !== "P-256" || !x || !y) {
+    throw new Error("INVALID_PROOF_KEY");
+  }
+  return { kty: "EC", crv: "P-256", x, y };
+}
+function computeDeviceIdFromJwk(jwk) {
+  const canonical = JSON.stringify(jwk);
+  return crypto2.createHash("sha256").update(canonical).digest("hex");
+}
+function buildProofPayload(action, deviceId, nonce, signedAt, origin) {
+  return `squad.${action}|${deviceId}|${nonce}|${signedAt}|${origin}`;
+}
+async function verifyBrowserProof(payload, origin, action, usedProofNonces) {
+  const deviceId = pickString(payload.deviceId);
+  const signature = pickString(payload.signature);
+  const nonce = pickString(payload.nonce);
+  const signedAtRaw = pickNumber(payload.signedAt);
+  if (!deviceId || !signature || !nonce || signedAtRaw == null) {
+    return {
+      ok: false,
+      code: "INVALID_PROOF",
+      status: 400,
+      message: "Missing browser proof fields"
+    };
+  }
+  const signedAt = Math.trunc(signedAtRaw);
+  if (Math.abs(Date.now() - signedAt) > PROOF_MAX_SKEW_MS) {
+    return {
+      ok: false,
+      code: "INVALID_PROOF",
+      status: 401,
+      message: "Proof timestamp expired"
+    };
+  }
+  const nonceKey = `${deviceId}:${nonce}`;
+  const existingNonce = usedProofNonces.get(nonceKey);
+  if (existingNonce && existingNonce > Date.now()) {
+    return {
+      ok: false,
+      code: "INVALID_PROOF",
+      status: 401,
+      message: "Proof nonce replay detected"
+    };
+  }
+  let jwk;
+  try {
+    jwk = canonicalizeP256Jwk(payload.publicKeyJwk);
+  } catch {
+    return {
+      ok: false,
+      code: "INVALID_PROOF",
+      status: 400,
+      message: "Invalid browser public key"
+    };
+  }
+  const expectedDeviceId = computeDeviceIdFromJwk(jwk);
+  if (expectedDeviceId !== deviceId) {
+    return {
+      ok: false,
+      code: "INVALID_PROOF",
+      status: 401,
+      message: "Proof deviceId does not match browser key"
+    };
+  }
+  const proofPayload = buildProofPayload(action, deviceId, nonce, signedAt, origin);
+  let verified = false;
+  try {
+    const key = await crypto2.webcrypto.subtle.importKey(
+      "jwk",
+      jwk,
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      ["verify"]
+    );
+    verified = await crypto2.webcrypto.subtle.verify(
+      { name: "ECDSA", hash: "SHA-256" },
+      key,
+      decodeBase64Url(signature),
+      encodeUtf8(proofPayload)
+    );
+  } catch {
+    verified = false;
+  }
+  if (!verified) {
+    return {
+      ok: false,
+      code: "INVALID_PROOF",
+      status: 401,
+      message: "Proof signature verification failed"
+    };
+  }
+  usedProofNonces.set(nonceKey, Date.now() + NONCE_TTL_MS);
+  return { ok: true, deviceId };
+}
+function normalizePairingStatus(value) {
+  if (typeof value !== "string") return "unknown";
+  const normalized = value.trim().toLowerCase();
+  if (["pending", "requested", "waiting", "open"].includes(normalized)) return "pending";
+  if (["approved", "paired", "accepted", "granted", "success"].includes(normalized)) return "approved";
+  if (["rejected", "denied", "failed"].includes(normalized)) return "rejected";
+  if (["expired", "timeout", "timed_out"].includes(normalized)) return "expired";
+  return "unknown";
+}
+function extractRequestId(result) {
+  const obj = asRecord5(result);
+  if (!obj) return null;
+  const nestedRequest = asRecord5(obj.request);
+  return pickString(obj.requestId) ?? pickString(obj.id) ?? pickString(nestedRequest?.requestId) ?? pickString(nestedRequest?.id);
+}
+function extractExpiresAt(result) {
+  const obj = asRecord5(result);
+  const candidates = [
+    obj?.expiresAt,
+    obj?.expiresAtMs,
+    asRecord5(obj?.request)?.expiresAt,
+    asRecord5(obj?.request)?.expiresAtMs
+  ];
+  for (const candidate of candidates) {
+    if (typeof candidate === "number" && Number.isFinite(candidate) && candidate > Date.now()) {
+      return Math.trunc(candidate);
+    }
+    if (typeof candidate === "string") {
+      const asNumber = Number(candidate);
+      if (Number.isFinite(asNumber) && asNumber > Date.now()) {
+        return Math.trunc(asNumber);
+      }
+      const parsedDate = Date.parse(candidate);
+      if (Number.isFinite(parsedDate) && parsedDate > Date.now()) {
+        return Math.trunc(parsedDate);
+      }
+    }
+  }
+  return Date.now() + DEFAULT_PAIRING_TTL_MS;
+}
+function extractPairingStatus(result) {
+  const obj = asRecord5(result);
+  if (!obj) return "unknown";
+  const candidates = [
+    obj.status,
+    asRecord5(obj.request)?.status,
+    asRecord5(obj.pairing)?.status
+  ];
+  for (const candidate of candidates) {
+    const parsed = normalizePairingStatus(candidate);
+    if (parsed !== "unknown") return parsed;
+  }
+  return "unknown";
+}
+function isRateLimited(bucket, key, limit, windowMs) {
+  const now = Date.now();
+  const existing = bucket.get(key);
+  if (!existing || existing.resetAt <= now) {
+    bucket.set(key, { count: 1, resetAt: now + windowMs });
+    return false;
+  }
+  if (existing.count >= limit) {
+    return true;
+  }
+  existing.count += 1;
+  return false;
+}
+function normalizeTailnetHostname(value) {
+  const trimmed = value.trim();
+  if (!trimmed) return null;
+  const withProtocol = /^[a-z][a-z0-9+.-]*:\/\//i.test(trimmed) ? trimmed : `https://${trimmed}`;
+  try {
+    const parsed = new URL(withProtocol);
+    const hostname = parsed.hostname.toLowerCase();
+    if (!hostname.endsWith(".ts.net")) return null;
+    return hostname.endsWith(".") ? hostname.slice(0, -1) : hostname;
+  } catch {
+    return null;
+  }
+}
+function readRegistrationConfig() {
+  const token = pickString(process.env.SQUAD_TAILNET_REGISTRATION_TOKEN) ?? pickString(process.env.OPENCLAW_SQUAD_TAILNET_REGISTRATION_TOKEN);
+  const hostname = pickString(process.env.SQUAD_TAILNET_HOSTNAME) ?? pickString(process.env.TS_HOSTNAME) ?? pickString(process.env.TAILSCALE_HOSTNAME);
+  const normalizedHostname = hostname ? normalizeTailnetHostname(hostname) : null;
+  if (!token || !normalizedHostname) return null;
+  const relayUrlRaw = pickString(process.env.OPENCLAW_SQUAD_RELAY_HTTP_URL) ?? pickString(process.env.SQUAD_RELAY_HTTP_URL) ?? pickString(process.env.OPENCLAW_SQUAD_RELAY_URL) ?? pickString(process.env.SQUAD_RELAY_URL) ?? "https://relay.squad.ceo";
+  const relayApiBaseUrl = relayUrlRaw.replace(/^wss:/i, "https:").replace(/^ws:/i, "http:").replace(/\/+$/, "");
+  const version = pickString(process.env.SQUAD_PLUGIN_VERSION) ?? pickString(process.env.npm_package_version) ?? "unknown";
+  const displayName = pickString(process.env.SQUAD_TAILNET_DISPLAY_NAME) ?? "squad-openclaw";
+  return {
+    relayApiBaseUrl,
+    registrationToken: token,
+    hostname: normalizedHostname,
+    displayName,
+    version
+  };
+}
+async function registerLocatorToRelay(config) {
+  const response = await fetch(`${config.relayApiBaseUrl}/api/gateway/register-tailnet`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${config.registrationToken}`
+    },
+    body: JSON.stringify({
+      hostname: config.hostname,
+      displayName: config.displayName,
+      version: config.version
+    })
+  });
+  if (!response.ok) {
+    const text = await response.text();
+    throw new Error(`Locator registration failed (${response.status}): ${text}`);
+  }
+}
+function registerTailnetInternalRoutes(api) {
+  const pendingPairings = /* @__PURE__ */ new Map();
+  const proofNonces = /* @__PURE__ */ new Map();
+  const rateLimitBucket = /* @__PURE__ */ new Map();
+  let preferredPairingRequestMethod = null;
+  let preferredPairingStatusMethod = null;
+  const cleanupCaches = () => {
+    const now = Date.now();
+    for (const [key, value] of pendingPairings) {
+      if (value.expiresAt <= now) pendingPairings.delete(key);
+    }
+    for (const [key, expiresAt] of proofNonces) {
+      if (expiresAt <= now) proofNonces.delete(key);
+    }
+    for (const [key, bucket] of rateLimitBucket) {
+      if (bucket.resetAt <= now) rateLimitBucket.delete(key);
+    }
+  };
+  const callGatewayMethod = async (method, params) => {
+    return callGatewayAny({}, api, method, params);
+  };
+  const requestPairingFromGateway = async () => {
+    const methods = preferredPairingRequestMethod ? [preferredPairingRequestMethod, ...PAIRING_REQUEST_METHODS.filter((m) => m !== preferredPairingRequestMethod)] : [...PAIRING_REQUEST_METHODS];
+    let lastError = null;
+    for (const method of methods) {
+      try {
+        const result = await callGatewayMethod(method, { displayName: "squad-browser" });
+        const requestId = extractRequestId(result);
+        if (!requestId) {
+          throw new Error("Pairing request created but no requestId was returned");
+        }
+        preferredPairingRequestMethod = method;
+        return {
+          requestId,
+          expiresAt: extractExpiresAt(result)
+        };
+      } catch (error) {
+        lastError = error;
+        const message = error instanceof Error ? error.message : String(error);
+        if (isUnknownGatewayMethodError(message)) {
+          continue;
+        }
+      }
+    }
+    const details = lastError instanceof Error ? lastError.message : String(lastError ?? "");
+    throw new Error(
+      details ? `PAIRING_REQUEST_UNAVAILABLE: ${details}` : "PAIRING_REQUEST_UNAVAILABLE: No pairing request method supported"
+    );
+  };
+  const readPairingStatusFromGateway = async (requestId) => {
+    const methods = preferredPairingStatusMethod ? [preferredPairingStatusMethod, ...PAIRING_STATUS_METHODS.filter((m) => m !== preferredPairingStatusMethod)] : [...PAIRING_STATUS_METHODS];
+    for (const method of methods) {
+      try {
+        const result = await callGatewayMethod(method, { requestId });
+        const status = extractPairingStatus(result);
+        preferredPairingStatusMethod = method;
+        return status;
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (isUnknownGatewayMethodError(message)) continue;
+      }
+    }
+    return "unknown";
+  };
+  const handle = async (request) => {
+    const url = new URL(request.url);
+    const path14 = url.pathname;
+    cleanupCaches();
+    if (request.method === "OPTIONS" && path14.startsWith("/squad-internal/")) {
+      const origin = ensureOriginAllowed(request);
+      if (!origin) {
+        return new Response(null, { status: 403 });
+      }
+      return withCors(
+        request,
+        new Response(null, {
+          status: 204,
+          headers: {
+            "Access-Control-Allow-Origin": origin,
+            "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
+            "Access-Control-Allow-Headers": "Content-Type",
+            "Access-Control-Max-Age": "86400"
+          }
+        })
+      );
+    }
+    if (request.method === "GET" && path14 === "/squad-internal/health") {
+      if (!isTailnetContext(request)) {
+        return jsonError(request, "TAILNET_REQUIRED", "Tailnet context required", 403);
+      }
+      return withCors(
+        request,
+        json({
+          ok: true,
+          mode: "tailnet-direct",
+          pairing: {
+            requestSupported: preferredPairingRequestMethod ?? PAIRING_REQUEST_METHODS[0],
+            statusSupported: preferredPairingStatusMethod ?? "auto"
+          }
+        })
+      );
+    }
+    if (request.method === "POST" && path14 === "/squad-internal/pairing/request") {
+      const origin = ensureOriginAllowed(request);
+      if (!origin) {
+        return jsonError(request, "ORIGIN_NOT_ALLOWED", "Origin is not allowed", 403);
+      }
+      if (!isTailnetContext(request)) {
+        return jsonError(request, "TAILNET_REQUIRED", "Tailnet context required", 403);
+      }
+      let body;
+      try {
+        body = await request.json();
+      } catch {
+        return jsonError(request, "INVALID_REQUEST", "Invalid JSON body", 400);
+      }
+      const proofCheck = await verifyBrowserProof(body, origin, "pairing.request", proofNonces);
+      if (!proofCheck.ok) {
+        return jsonError(request, proofCheck.code, proofCheck.message, proofCheck.status);
+      }
+      const forwardedFor = request.headers.get("x-forwarded-for") ?? "unknown";
+      const ipKey = `ip:${forwardedFor}`;
+      const deviceKey = `device:${proofCheck.deviceId}`;
+      if (isRateLimited(rateLimitBucket, ipKey, 20, 6e4) || isRateLimited(rateLimitBucket, deviceKey, 8, 6e4)) {
+        return jsonError(request, "RATE_LIMITED", "Too many pairing requests", 429);
+      }
+      try {
+        const pairing = await requestPairingFromGateway();
+        pendingPairings.set(pairing.requestId, {
+          requestId: pairing.requestId,
+          deviceId: proofCheck.deviceId,
+          createdAt: Date.now(),
+          expiresAt: pairing.expiresAt
+        });
+        return withCors(
+          request,
+          json({
+            ok: true,
+            requestId: pairing.requestId,
+            approveCommand: `openclaw devices approve ${pairing.requestId}`,
+            expiresAt: pairing.expiresAt
+          })
+        );
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return jsonError(
+          request,
+          "PAIRING_REQUEST_UNAVAILABLE",
+          message.replace(/^PAIRING_REQUEST_UNAVAILABLE:\s*/i, ""),
+          501,
+          { nextStep: "openclaw devices list --json" }
+        );
+      }
+    }
+    if (request.method === "GET" && path14 === "/squad-internal/pairing/status") {
+      const origin = ensureOriginAllowed(request);
+      if (!origin) {
+        return jsonError(request, "ORIGIN_NOT_ALLOWED", "Origin is not allowed", 403);
+      }
+      if (!isTailnetContext(request)) {
+        return jsonError(request, "TAILNET_REQUIRED", "Tailnet context required", 403);
+      }
+      const requestId = pickString(url.searchParams.get("requestId"));
+      const deviceId = pickString(url.searchParams.get("deviceId"));
+      if (!requestId || !deviceId) {
+        return jsonError(request, "INVALID_REQUEST", "requestId and deviceId are required", 400);
+      }
+      const record = pendingPairings.get(requestId);
+      if (!record || record.deviceId !== deviceId) {
+        return jsonError(request, "NOT_FOUND", "No pending pairing request for this device", 404);
+      }
+      if (record.expiresAt <= Date.now()) {
+        pendingPairings.delete(requestId);
+        return withCors(request, json({ ok: true, status: "expired" }));
+      }
+      const forwardedFor = request.headers.get("x-forwarded-for") ?? "unknown";
+      if (isRateLimited(rateLimitBucket, `status:${forwardedFor}`, 90, 6e4)) {
+        return jsonError(request, "RATE_LIMITED", "Too many status checks", 429);
+      }
+      const status = await readPairingStatusFromGateway(requestId);
+      if (status === "approved" || status === "expired" || status === "rejected") {
+        pendingPairings.delete(requestId);
+      }
+      return withCors(request, json({ ok: true, status }));
+    }
+    if (request.method === "POST" && path14 === "/squad-internal/locator/register") {
+      const origin = ensureOriginAllowed(request);
+      if (!origin) {
+        return jsonError(request, "ORIGIN_NOT_ALLOWED", "Origin is not allowed", 403);
+      }
+      if (!isTailnetContext(request)) {
+        return jsonError(request, "TAILNET_REQUIRED", "Tailnet context required", 403);
+      }
+      let body;
+      try {
+        body = await request.json();
+      } catch {
+        return jsonError(request, "INVALID_REQUEST", "Invalid JSON body", 400);
+      }
+      const proofCheck = await verifyBrowserProof(body, origin, "locator.register", proofNonces);
+      if (!proofCheck.ok) {
+        return jsonError(request, proofCheck.code, proofCheck.message, proofCheck.status);
+      }
+      const registrationToken = pickString(body.registrationToken);
+      const hostname = normalizeTailnetHostname(pickString(body.hostname) ?? "");
+      if (!registrationToken || !hostname) {
+        return jsonError(
+          request,
+          "INVALID_REQUEST",
+          "registrationToken and hostname (*.ts.net) are required",
+          400
+        );
+      }
+      const relayApiBaseUrl = pickString(body.relayApiBaseUrl) ?? readRegistrationConfig()?.relayApiBaseUrl ?? "https://relay.squad.ceo";
+      const displayName = pickString(body.displayName) ?? "squad-openclaw";
+      const version = pickString(body.version) ?? pickString(process.env.SQUAD_PLUGIN_VERSION) ?? pickString(process.env.npm_package_version) ?? "unknown";
+      const config = {
+        relayApiBaseUrl: relayApiBaseUrl.replace(/\/+$/, ""),
+        registrationToken,
+        hostname,
+        displayName,
+        version
+      };
+      try {
+        await registerLocatorToRelay(config);
+        return withCors(
+          request,
+          json({
+            ok: true,
+            locator: {
+              hostname,
+              source: "plugin",
+              lastSeenAt: Date.now(),
+              displayName,
+              version
+            }
+          })
+        );
+      } catch (error) {
+        return jsonError(
+          request,
+          "LOCATOR_REGISTRATION_FAILED",
+          error instanceof Error ? error.message : String(error),
+          502
+        );
+      }
+    }
+    return new Response("Not Found", { status: 404 });
+  };
+  if (typeof api.registerHttpHandler === "function") {
+    api.registerHttpHandler(handle);
+  } else if (typeof api.registerHttpRoute === "function") {
+    api.registerHttpRoute("/squad-internal/health", handle);
+    api.registerHttpRoute("/squad-internal/pairing/request", handle);
+    api.registerHttpRoute("/squad-internal/pairing/status", handle);
+    api.registerHttpRoute("/squad-internal/locator/register", handle);
+    api.registerHttpRoute("/squad-internal/*", handle);
+  } else if (typeof api.registerHttpMiddleware === "function") {
+    api.registerHttpMiddleware(handle);
+  } else {
+    console.warn("[squad-openclaw] no supported HTTP registration API found for tailnet routes");
+  }
+  const registrationConfig = readRegistrationConfig();
+  if (!registrationConfig) return;
+  const runRegistration = async () => {
+    try {
+      await registerLocatorToRelay(registrationConfig);
+      console.log("[squad-openclaw] tailnet locator registered");
+    } catch (error) {
+      console.warn(
+        "[squad-openclaw] tailnet locator registration failed:",
+        error instanceof Error ? error.message : String(error)
+      );
+    }
+  };
+  void runRegistration();
+  const timer = setInterval(() => {
+    void runRegistration();
+  }, LOCATOR_REFRESH_INTERVAL_MS);
+  const teardown = () => {
+    clearInterval(timer);
+  };
+  if (typeof api.onShutdown === "function") {
+    api.onShutdown(teardown);
+  } else if (typeof api.on === "function") {
+    const maybeOff = api.on("shutdown", teardown);
+    if (typeof maybeOff === "function") {
+    }
+  }
+}
+
+// src/index.ts
+function squadAppPlugin(api) {
+  const sharedApi = registerSquadSharedApi(api);
+  sharedApi.registerCoreGatewayMethods();
+  registerTailnetInternalRoutes(api);
+  void runStartupMigrations(api);
 }
 export {
   squadAppPlugin as default