squad-openclaw 2026.2.2003 → 2026.2.2005

package/README.md

@@ -31,7 +31,7 @@ These directories are **completely blocked** from all filesystem operations (rea
 
 | Path | Reason |
 |---|---|
-| `~/.openclaw/squad-ceo-data/squad-relay.json` | Contains ed25519 private key for relay device identity |
+| `~/.openclaw/squad-ceo-data/relay/squad-relay.json` | Contains ed25519 private key for relay device identity |
 | `~/.openclaw/*.bak` | Backup files at the top level contain unredacted config (tokens, keys) that would bypass redaction |
 
 ### Layer 2: Redacted Files (hardcoded, non-configurable)
@@ -60,7 +60,7 @@ Operators can customize via the `fs.allowedRoots` config option.
 These files/directories cannot be written to, even if they fall within `allowedRoots`:
 
 - `~/.openclaw/openclaw.json` — operator configuration (read-only with redaction)
-- `~/.openclaw/squad-ceo-data/squad-relay.json` — relay device private key
+- `~/.openclaw/squad-ceo-data/relay/squad-relay.json` — relay device private key
 - All blocked directories above (credentials, devices, identity)
 - All `.bak` files at `~/.openclaw/` top level
 

package/dist/cli.js

@@ -0,0 +1,223 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import crypto2 from "crypto";
+import fs2 from "fs";
+import path2 from "path";
+import os2 from "os";
+import { execSync } from "child_process";
+
+// src/device-keys.ts
+import crypto from "crypto";
+import fs from "fs";
+import path from "path";
+import os from "os";
+var RELAY_DATA_DIR = path.join(os.homedir(), ".openclaw", "squad-ceo-data", "relay");
+var RELAY_STATE_PATH = path.join(RELAY_DATA_DIR, "squad-relay.json");
+var PENDING_APPROVAL_PATH = path.join(RELAY_DATA_DIR, "pending-approval.json");
+function readRelayState() {
+  try {
+    const raw = fs.readFileSync(RELAY_STATE_PATH, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return {};
+  }
+}
+function writeRelayState(state) {
+  if (!fs.existsSync(RELAY_DATA_DIR)) {
+    fs.mkdirSync(RELAY_DATA_DIR, { recursive: true });
+  }
+  fs.writeFileSync(RELAY_STATE_PATH, JSON.stringify(state, null, 2), { mode: 384 });
+}
+function toBase64Url(buf) {
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function loadOrCreateRelayDeviceKeys() {
+  const state = readRelayState();
+  if (state.deviceKeys) {
+    return state.deviceKeys;
+  }
+  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
+  const pubDer = publicKey.export({ type: "spki", format: "der" });
+  const rawPub = pubDer.subarray(pubDer.length - 32);
+  const deviceId = crypto.createHash("sha256").update(rawPub).digest("hex");
+  const publicKeyB64 = toBase64Url(rawPub);
+  const privateKeyPem = privateKey.export({ type: "pkcs8", format: "pem" });
+  const keys = { deviceId, publicKey: publicKeyB64, privateKeyPem };
+  writeRelayState({ ...state, deviceKeys: keys });
+  console.log(`[device-keys] Generated relay device identity: ${deviceId.substring(0, 12)}...`);
+  return keys;
+}
+function writeDeviceInfoFile(keys) {
+  const stateDir = process.env.OPENCLAW_STATE_DIR || path.join(os.homedir(), ".openclaw");
+  const infoPath = path.join(stateDir, "squad-ceo-data", "relay", "relay-device-info.json");
+  const info = {
+    deviceId: keys.deviceId,
+    publicKey: keys.publicKey,
+    displayName: "squad-relay",
+    platform: process.platform,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  try {
+    fs.writeFileSync(infoPath, JSON.stringify(info, null, 2));
+  } catch (err) {
+    console.error("[device-keys] Failed to write relay-device-info.json:", err);
+  }
+}
+
+// src/cli.ts
+var RELAY_URL = "https://relay.squad.ceo";
+var DEVICES_DIR = path2.join(os2.homedir(), ".openclaw", "devices");
+var PAIRED_JSON_PATH = path2.join(DEVICES_DIR, "paired.json");
+function generateApprovalCode() {
+  const chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
+  const bytes = crypto2.randomBytes(8);
+  let code = "";
+  for (let i = 0; i < 8; i++) {
+    code += chars[bytes[i] % chars.length];
+  }
+  return code;
+}
+function readPendingApproval() {
+  try {
+    const raw = fs2.readFileSync(PENDING_APPROVAL_PATH, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function writePendingApproval(approval) {
+  if (!fs2.existsSync(RELAY_DATA_DIR)) {
+    fs2.mkdirSync(RELAY_DATA_DIR, { recursive: true });
+  }
+  fs2.writeFileSync(PENDING_APPROVAL_PATH, JSON.stringify(approval, null, 2));
+}
+async function handleRequest() {
+  const state = readRelayState();
+  if (!state.claimToken) {
+    console.error("Error: No claim token found in squad-relay.json.");
+    console.error("Run the setup from the Squad web app first to get a claim token.");
+    process.exit(1);
+  }
+  const keys = loadOrCreateRelayDeviceKeys();
+  console.log(`Device ID: ${keys.deviceId.substring(0, 16)}...`);
+  writeDeviceInfoFile(keys);
+  const code = generateApprovalCode();
+  const approval = {
+    code,
+    deviceId: keys.deviceId,
+    createdAt: Date.now()
+  };
+  writePendingApproval(approval);
+  console.log("Sending pairing request to relay...");
+  try {
+    const res = await fetch(`${RELAY_URL}/api/relay/device-pair-request`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        claimToken: state.claimToken,
+        deviceId: keys.deviceId,
+        publicKey: keys.publicKey,
+        code
+      })
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      console.error(`Error: Relay returned ${res.status}: ${text}`);
+      process.exit(1);
+    }
+    console.log("");
+    console.log("Pairing request sent successfully.");
+    console.log("Ask the user to check their Squad dashboard for the approval command.");
+  } catch (err) {
+    console.error("Error: Failed to reach relay server:", err.message);
+    process.exit(1);
+  }
+}
+async function handleApprove(code) {
+  const pending = readPendingApproval();
+  if (!pending) {
+    console.error("Error: No pending pairing request found.");
+    console.error("Run 'squad-pair request' first.");
+    process.exit(1);
+  }
+  if (pending.code !== code.toUpperCase()) {
+    console.error("Error: Approval code does not match.");
+    console.error("Check the code shown in the Squad dashboard and try again.");
+    process.exit(1);
+  }
+  if (Date.now() - pending.createdAt > 30 * 60 * 1e3) {
+    console.error("Error: Pairing request has expired. Run 'squad-pair request' again.");
+    try {
+      fs2.unlinkSync(PENDING_APPROVAL_PATH);
+    } catch {
+    }
+    process.exit(1);
+  }
+  const state = readRelayState();
+  if (!state.deviceKeys) {
+    console.error("Error: No device keys found. Run 'squad-pair request' first.");
+    process.exit(1);
+  }
+  const { deviceId, publicKey } = state.deviceKeys;
+  let paired = {};
+  if (!fs2.existsSync(DEVICES_DIR)) {
+    fs2.mkdirSync(DEVICES_DIR, { recursive: true });
+  }
+  try {
+    const raw = fs2.readFileSync(PAIRED_JSON_PATH, "utf-8");
+    paired = JSON.parse(raw);
+  } catch {
+  }
+  paired[deviceId] = {
+    deviceId,
+    publicKey,
+    role: "operator",
+    scopes: ["operator"],
+    approvedAtMs: Date.now(),
+    displayName: "squad-relay"
+  };
+  fs2.writeFileSync(PAIRED_JSON_PATH, JSON.stringify(paired, null, 2));
+  console.log("Device paired successfully.");
+  try {
+    fs2.unlinkSync(PENDING_APPROVAL_PATH);
+  } catch {
+  }
+  console.log("Restarting gateway...");
+  try {
+    execSync("openclaw gateway restart", { stdio: "inherit" });
+  } catch {
+    console.error("Warning: Could not restart gateway automatically.");
+    console.error("Run 'openclaw gateway restart' manually.");
+  }
+}
+var args = process.argv.slice(2);
+var command = args[0];
+switch (command) {
+  case "request":
+    handleRequest().catch((err) => {
+      console.error("Fatal error:", err);
+      process.exit(1);
+    });
+    break;
+  case "approve": {
+    const code = args[1];
+    if (!code) {
+      console.error("Usage: squad-pair approve <CODE>");
+      console.error("The approval code is shown in your Squad dashboard.");
+      process.exit(1);
+    }
+    handleApprove(code).catch((err) => {
+      console.error("Fatal error:", err);
+      process.exit(1);
+    });
+    break;
+  }
+  default:
+    console.log("squad-pair \u2014 Device pairing for Squad relay");
+    console.log("");
+    console.log("Commands:");
+    console.log("  squad-pair request          Send a pairing request to the relay");
+    console.log("  squad-pair approve <CODE>   Approve device pairing and restart gateway");
+    process.exit(command ? 1 : 0);
+}

package/dist/index.d.ts

@@ -21,11 +21,11 @@
  * │  REDACTED on read (sensitive fields replaced with "[REDACTED]"):       │
  * │    • ~/.openclaw/openclaw.json → channel.*.botToken                    │
  * │    • ~/.openclaw/openclaw.json → gateway.auth.*                        │
- * │    • squad-ceo-data/squad-relay.json → deviceKeys.privateKeyPem        │
+ * │    • squad-ceo-data/relay/squad-relay.json → deviceKeys.privateKeyPem   │
  * │                                                                         │
  * │  WRITE-PROTECTED (no writes, deletes, or renames):                      │
  * │    • ~/.openclaw/openclaw.json                                          │
- * │    • squad-ceo-data/squad-relay.json                                    │
+ * │    • squad-ceo-data/relay/squad-relay.json                               │
  * │    • All blocked directories above                                      │
  * │                                                                         │
  * │  The bundle is NOT minified to allow security auditing of the           │

package/dist/index.js

@@ -370,7 +370,7 @@ var SENSITIVE_BLOCKED_DIRS = [
   path2.join(OPENCLAW_DIR, "identity")
 ];
 var SENSITIVE_BLOCKED_FILES = [
-  path2.join(OPENCLAW_DIR, "squad-ceo-data", "squad-relay.json")
+  path2.join(OPENCLAW_DIR, "squad-ceo-data", "relay", "squad-relay.json")
 ];
 function isSensitivePath(resolvedPath) {
   for (const blocked of SENSITIVE_BLOCKED_DIRS) {
@@ -1220,6 +1220,11 @@ import fs5 from "fs";
 import path5 from "path";
 import { fileURLToPath } from "url";
 var PACKAGE_NAME = "squad-openclaw";
+var CONFIG_PATH = path5.join(
+  process.env.HOME ?? "/root",
+  ".openclaw",
+  "openclaw.json"
+);
 function getCurrentVersion() {
   const thisFile = fileURLToPath(import.meta.url);
   const pkgPath = path5.resolve(path5.dirname(thisFile), "..", "package.json");
@@ -1279,6 +1284,18 @@ function registerVersionMethods(api) {
       try {
         const before = getCurrentVersion();
         let updateOutput = "";
+        let configBackup = null;
+        try {
+          configBackup = fs5.readFileSync(CONFIG_PATH, "utf-8");
+        } catch {
+        }
+        try {
+          execSync2("openclaw doctor --fix 2>&1", {
+            timeout: 3e4,
+            encoding: "utf-8"
+          });
+        } catch {
+        }
         try {
           updateOutput = execSync2(
             `openclaw plugins update ${PACKAGE_NAME} 2>&1`,
@@ -1291,6 +1308,12 @@ function registerVersionMethods(api) {
               { timeout: 12e4, encoding: "utf-8" }
             );
           } catch (npmErr) {
+            if (configBackup) {
+              try {
+                fs5.writeFileSync(CONFIG_PATH, configBackup, "utf-8");
+              } catch {
+              }
+            }
             const msg = npmErr instanceof Error ? npmErr.message : String(npmErr);
             respond(false, {
               error: `Update failed: ${msg}`,
@@ -1329,10 +1352,10 @@ function registerVersionMethods(api) {
 
 // src/relay-client.ts
 import { WebSocket as NodeWebSocket } from "ws";
-import crypto2 from "crypto";
-import fs6 from "fs";
-import path6 from "path";
-import os from "os";
+import crypto3 from "crypto";
+import fs7 from "fs";
+import path7 from "path";
+import os2 from "os";
 
 // src/e2e-crypto.ts
 import crypto from "crypto";
@@ -1411,20 +1434,14 @@ var E2ECrypto = class {
   }
 };
 
-// src/relay-client.ts
-function readOperatorToken() {
-  const stateDir = process.env.OPENCLAW_STATE_DIR || path6.join(os.homedir(), ".openclaw");
-  const configPath = path6.join(stateDir, "openclaw.json");
-  try {
-    const raw = fs6.readFileSync(configPath, "utf-8");
-    const config = JSON.parse(raw);
-    return config?.gateway?.auth?.token ?? config?.gateway?.remote?.token ?? config?.gateway?.token ?? null;
-  } catch {
-    return null;
-  }
-}
-var RELAY_DATA_DIR = path6.join(os.homedir(), ".openclaw", "squad-ceo-data");
+// src/device-keys.ts
+import crypto2 from "crypto";
+import fs6 from "fs";
+import path6 from "path";
+import os from "os";
+var RELAY_DATA_DIR = path6.join(os.homedir(), ".openclaw", "squad-ceo-data", "relay");
 var RELAY_STATE_PATH = path6.join(RELAY_DATA_DIR, "squad-relay.json");
+var PENDING_APPROVAL_PATH = path6.join(RELAY_DATA_DIR, "pending-approval.json");
 function readRelayState() {
   try {
     const raw = fs6.readFileSync(RELAY_STATE_PATH, "utf-8");
@@ -1455,12 +1472,12 @@ function loadOrCreateRelayDeviceKeys() {
   const privateKeyPem = privateKey.export({ type: "pkcs8", format: "pem" });
   const keys = { deviceId, publicKey: publicKeyB64, privateKeyPem };
   writeRelayState({ ...state, deviceKeys: keys });
-  console.log(`[relay-client] Generated relay device identity: ${deviceId.substring(0, 12)}...`);
+  console.log(`[device-keys] Generated relay device identity: ${deviceId.substring(0, 12)}...`);
   return keys;
 }
 function writeDeviceInfoFile(keys) {
   const stateDir = process.env.OPENCLAW_STATE_DIR || path6.join(os.homedir(), ".openclaw");
-  const infoPath = path6.join(stateDir, "squad-ceo-data", "relay-device-info.json");
+  const infoPath = path6.join(stateDir, "squad-ceo-data", "relay", "relay-device-info.json");
   const info = {
     deviceId: keys.deviceId,
     publicKey: keys.publicKey,
@@ -1471,16 +1488,29 @@ function writeDeviceInfoFile(keys) {
   try {
     fs6.writeFileSync(infoPath, JSON.stringify(info, null, 2));
   } catch (err2) {
-    console.error("[relay-client] Failed to write relay-device-info.json:", err2);
+    console.error("[device-keys] Failed to write relay-device-info.json:", err2);
+  }
+}
+
+// src/relay-client.ts
+function readOperatorToken() {
+  const stateDir = process.env.OPENCLAW_STATE_DIR || path7.join(os2.homedir(), ".openclaw");
+  const configPath = path7.join(stateDir, "openclaw.json");
+  try {
+    const raw = fs7.readFileSync(configPath, "utf-8");
+    const config = JSON.parse(raw);
+    return config?.gateway?.auth?.token ?? config?.gateway?.remote?.token ?? config?.gateway?.token ?? null;
+  } catch {
+    return null;
   }
 }
 function signDeviceIdentity(keys, clientId, clientMode, role, scopes, token, challengeNonce) {
   const signedAtMs = Date.now();
-  const nonce = challengeNonce || crypto2.randomBytes(16).toString("hex");
+  const nonce = challengeNonce || crypto3.randomBytes(16).toString("hex");
   const scopeStr = scopes.join(",");
   const payload = `v2|${keys.deviceId}|${clientId}|${clientMode}|${role}|${scopeStr}|${signedAtMs}|${token ?? ""}|${nonce}`;
-  const privateKey = crypto2.createPrivateKey(keys.privateKeyPem);
-  const signature = crypto2.sign(null, Buffer.from(payload), privateKey);
+  const privateKey = crypto3.createPrivateKey(keys.privateKeyPem);
+  const signature = crypto3.sign(null, Buffer.from(payload), privateKey);
   return {
     id: keys.deviceId,
     publicKey: keys.publicKey,

package/openclaw.plugin.json

@@ -10,7 +10,7 @@
         "type": "array",
         "items": { "type": "string" },
         "default": ["~/.openclaw"],
-        "description": "Restrict filesystem operations to these directories. Defaults to [\"~/.openclaw\"]. Hardcoded blocks on credentials/, devices/, identity/, squad-relay.json, and .bak files always apply."
+        "description": "Restrict filesystem operations to these directories. Defaults to [\"~/.openclaw\"]. Hardcoded blocks on credentials/, devices/, identity/, relay/squad-relay.json, and .bak files always apply."
       },
       "relay.enabled": {
         "type": "boolean",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "squad-openclaw",
-  "version": "2026.2.2003",
+  "version": "2026.2.2005",
   "description": "Entity registry, filesystem tools, and version management plugin for OpenClaw gateway",
   "type": "module",
   "main": "./dist/index.js",
@@ -16,6 +16,9 @@
       "./dist/index.js"
     ]
   },
+  "bin": {
+    "squad-pair": "./dist/cli.js"
+  },
   "license": "MIT",
   "files": [
     "dist/",