ticlawk 0.1.17-dev.19 → 0.1.17-dev.20

package/README.md

@@ -13,57 +13,42 @@ from your phone.
 
 ## Quickstart — 2 minutes
 
-You need a project directory on this machine where Claude Code (or another
-supported runtime) can run, and the Ticlawk app installed on your phone.
+You need a machine with at least one supported runtime installed and the
+Ticlawk app installed on your phone.
 
 ```bash
 # 1. install
 curl -fsSL https://raw.githubusercontent.com/darthjaja6/ticlawk/main/install.sh | bash
 
 # 2. connect this machine to your Ticlawk account by scanning the QR code
-cd /path/to/project
 ticlawk connect
 ```
 
-`ticlawk connect` auto-detects every supported runtime in that project
-directory (Codex, Claude Code, opencode, pi) and lets you pick one inside the
-app once pairing completes. Run `ticlawk connect` again from a different
-directory when you want to bind a new project.
+`ticlawk connect` authorizes the current machine as a Ticlawk host. After the
+host is connected, create agents in the app by choosing that host and one of
+the runtimes the daemon reports as available.
 
 > ⚠️ **Single user, by design.** The connector binds to your Ticlawk account;
 > agents run with your local user's permissions and can edit files / run
-> commands inside the bound `--workdir`. Don't share your connector API key
-> and don't connect a workdir you wouldn't trust a shell to touch.
+> commands on that host. Don't share your connector API key and don't connect
+> a host you wouldn't trust a shell to touch.
 
 ---
 
-## Resuming an existing runtime session
+## Creating Agents
 
-By default each new chat creates a fresh runtime session. To resume an
-existing Claude Code or Codex transcript, point at it explicitly:
-
-| Runtime     | Required       | Optional resume handle | Where to find it                                              |
-|-------------|----------------|------------------------|---------------------------------------------------------------|
-| Claude Code | `--workdir`    | `--session-id`         | filename of `~/.claude/projects/**/*.jsonl` (without `.jsonl`)|
-| Codex       | `--workdir`    | `--session-id`         | `payload.id` in the first `session_meta` record of `~/.codex/sessions/**/*.jsonl` |
-| OpenClaw    | `--agent-id`   | none                   | logical agent name (`main` by default)                        |
-| opencode    | `--workdir`    | `--session-id` (with `--workdir`) | `.id` from `opencode session list --format json` (run inside the project dir) |
+`ticlawk connect` does not create an agent. It connects a host. The daemon
+then reports runtime health for Codex, Claude Code, opencode, OpenClaw, and pi.
+In the mobile app, tap `+`, choose a connected host, choose an available
+runtime, and create the agent there.
 
 [OpenClaw](https://github.com/openclaw/openclaw) is an open-source local-first
-agent runtime; skip this row if you don't use it.
-
-[opencode](https://opencode.ai) is provider-agnostic — it doesn't carry its own
-account system. Before connecting through `ticlawk`, install the CLI
-(`npm i -g opencode-ai`) and authenticate it once against the LLM provider
-you want it to use (`opencode auth login`, then pick Anthropic / OpenAI /
-Google / OpenRouter / etc. and paste the corresponding API key). Model
-selection lives in opencode's own config (`opencode.json` in the project
-root, or user-level config) — `ticlawk` does not pass `--model`.
+agent runtime; skip it if you don't use it.
 
-`ticlawk` spawns opencode and codex with `--dangerously-skip-permissions`-style
-flags so chat messages can drive shell commands and file edits in the bound
-workdir without further confirmation prompts. Only connect a workdir you
-trust to a chat you control.
+[opencode](https://opencode.ai) is provider-agnostic. Before creating an
+opencode-backed agent through Ticlawk, install the CLI (`npm i -g opencode-ai`)
+and authenticate it once against the LLM provider you want it to use
+(`opencode auth login`).
 
 ---
 
@@ -74,11 +59,10 @@ After setup:
 - Keep `ticlawk` running as a user service. If Linux prints an
   `Action required` message during install or connect, run the command it
   shows so the daemon keeps running after logout and reboot.
-- Bind to a new project: run `ticlawk connect` from the new directory.
-- Resume an existing transcript: add `--session-id` (Claude Code / Codex /
-  opencode) or `--agent-id` (OpenClaw) to the `connect` call.
-- If replies stop because the local runtime session ended, run `connect`
-  again or reset the session from the app.
+- Connect another host: run `ticlawk connect` on that machine.
+- Create a new agent from the app by choosing a connected host and runtime.
+- If replies stop because the local runtime session ended, reset the agent
+  session from the app.
 - `ticlawk health` is the first thing to check when something feels off.
 
 ---
@@ -201,7 +185,6 @@ Usage:
   ticlawk config
   ticlawk config get <streaming...|runtimes.claude_code.path|runtimes.codex.path|runtimes.opencode.path|runtimes.pi.path|ticlawk.connector-api-key|ticlawk.api-url|ticlawk.connector-ws-url>
   ticlawk config set <streaming...|runtimes.claude_code.path|runtimes.codex.path|runtimes.opencode.path|runtimes.pi.path|ticlawk.connector-api-key|ticlawk.api-url|ticlawk.connector-ws-url> <value>
-  ticlawk auth --code <6-digit-code> [--api-url <url>]
   ticlawk connect
   ticlawk profile list
   ticlawk profile current
@@ -221,8 +204,7 @@ Agent CLI (run inside an agent runtime; requires TICLAWK_RUNTIME_AGENT_ID):
   ticlawk server info [--refresh]
 
 Commands:
-  auth     store the ticlawk app pairing code locally
-  connect  connect ticlawk to a local runtime
+  connect  connect this host to Ticlawk
   profile  list or switch saved local identities
   message  send/read chat messages (agent CLI surface)
   task     claim/update/list tasks (agent CLI surface)
@@ -245,7 +227,6 @@ Config examples:
 
 Examples:
   ticlawk connect
-  ticlawk auth --code <6-digit-code>
 ```
 <!-- usage:end -->
 
@@ -254,7 +235,7 @@ Examples:
 ## Security model
 
 - **Agents can run code on your machine.** Whatever Claude Code / Codex /
-  OpenClaw / opencode / pi can do in the bound workdir, the Ticlawk app can
+  OpenClaw / opencode / pi can do on the connected host, the Ticlawk app can
   ask it to do. Treat the chat as you'd treat a shell.
 - **Single user.** The connector binds to one Ticlawk account. Don't share
   your connector API key.

package/bin/ticlawk.mjs

@@ -18,7 +18,6 @@ import {
   getActiveProfile,
   listProfiles,
 } from '../src/core/profiles.mjs';
-import { runAdapterAuth } from '../src/core/adapter-registry.mjs';
 import { runTiclawkConnect } from '../src/core/ticlawk-control.mjs';
 import {
   RUNTIME_DEFINITIONS,
@@ -81,7 +80,6 @@ Usage:
   ticlawk config
   ticlawk config get <${configKeys}>
   ticlawk config set <${configKeys}> <value>
-  ticlawk auth --code <6-digit-code> [--api-url <url>]
   ticlawk connect
   ticlawk profile list
   ticlawk profile current
@@ -101,8 +99,7 @@ Agent CLI (run inside an agent runtime; requires TICLAWK_RUNTIME_AGENT_ID):
   ticlawk server info [--refresh]
 
 Commands:
-  auth     store the ticlawk app pairing code locally
-  connect  connect ticlawk to a local runtime
+  connect  connect this host to Ticlawk
   profile  list or switch saved local identities
   message  send/read chat messages (agent CLI surface)
   task     claim/update/list tasks (agent CLI surface)
@@ -122,30 +119,15 @@ ${getRuntimeConfigExamples()}
 
 Examples:
   ticlawk connect
-  ticlawk auth --code <6-digit-code>
-`;
-}
-
-function getAuthHelp() {
-  return `ticlawk auth --code <6-digit-code> [--api-url <url>]
-
-Store the ticlawk app pairing code locally. The daemon picks it up on the
-next start and exchanges it for an API key.
-
-Options:
-  --code <code>       6-digit setup code from the ticlawk app
-  --api-url <url>     optional ticlawk API base URL override
 `;
 }
 
 function getConnectHelp() {
   return `ticlawk connect
 
-Use \`connect\` to connect the selected adapter to a local runtime.
-For ticlawk, connect starts the QR pairing flow when no local credential exists.
-Run \`ticlawk connect\` from a project directory to auto-detect
-Codex, Claude Code, opencode, and pi, then choose the runtime in ticlawk.
-No pairing QR code is shown when no local agent harness is detected.
+Use \`connect\` to authorize this machine as a Ticlawk host.
+After the host is connected, create agents from the app by choosing this host
+and one of the detected local runtimes.
 
 Examples:
   ticlawk connect
@@ -162,10 +144,6 @@ function printHelp(helpPath, args = {}) {
     printUsage();
     return;
   }
-  if (head === 'auth') {
-    console.log(getAuthHelp());
-    return;
-  }
   if (head === 'connect') {
     console.log(getConnectHelp());
     return;
@@ -242,7 +220,7 @@ function formatSecretConfigValue(configKey, value) {
 }
 
 function buildConnectPayload(args) {
-  const legacyArgs = [
+  const rejectedArgs = [
     'adapter',
     'type',
     'session-id',
@@ -252,21 +230,19 @@ function buildConnectPayload(args) {
     'agent-id',
     'runtime-path',
     'code',
+    'name',
+    'switch-user',
   ].filter((key) => args[key] !== undefined);
   const positionalRuntime = args._?.[1];
-  if (positionalRuntime || legacyArgs.length > 0) {
+  if (positionalRuntime || rejectedArgs.length > 0) {
     const suffix = positionalRuntime ? ` ${positionalRuntime}` : '';
     console.error(`ticlawk connect${suffix} no longer accepts explicit runtime, adapter, session, or workdir arguments.`);
-    console.error('Run `ticlawk connect` from the directory you want to offer to local agent harnesses.');
-    console.error('Ticlawk will detect Codex, Claude Code, opencode, and pi locally, then let you choose in the app.');
+    console.error('Run `ticlawk connect` with no runtime arguments to authorize this host.');
+    console.error('Create agents from the app after the host is connected.');
     process.exit(1);
   }
   return {
     adapter: 'ticlawk',
-    autoRuntime: true,
-    switchUser: Boolean(args['switch-user']),
-    workdir: process.cwd(),
-    ...(args.name ? { name: args.name } : {}),
   };
 }
 
@@ -637,18 +613,6 @@ async function main() {
     return;
   }
 
-  if (command === 'auth') {
-    if (args.help || args.h) {
-      printHelp(['auth'], args);
-      return;
-    }
-    const adapterArgv = rawArgv.slice(1);
-    const res = await runAdapterAuth('ticlawk', adapterArgv);
-    printCommandResult(res);
-    process.exitCode = res.statusCode >= 400 ? 1 : 0;
-    return;
-  }
-
   if (command === 'connect') {
     if (args.help || args.h) {
       console.log(getConnectHelp());

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ticlawk",
-  "version": "0.1.17-dev.19",
+  "version": "0.1.17-dev.20",
   "description": "Local connector that links agent harnesses (Claude Code, Codex, OpenClaw, opencode, Pi) to the Ticlawk mobile app.",
   "type": "module",
   "main": "ticlawk.mjs",
@@ -15,6 +15,7 @@
     "assets/",
     "bin/",
     "scripts/postinstall.mjs",
+    "scripts/publish-dev.sh",
     "src/",
     "cc-watcher.mjs",
     "ticlawk.mjs",
@@ -33,7 +34,8 @@
     "health": "node ./bin/ticlawk.mjs health",
     "dev": "echo 'Configure ~/.ticlawk/.config, then: npm run start'",
     "generate:usage-docs": "node scripts/generate-usage-docs.mjs",
-    "verify:public-package": "bash scripts/verify-ticlawk-public.sh"
+    "verify:public-package": "bash scripts/verify-ticlawk-public.sh",
+    "publish:dev": "bash scripts/publish-dev.sh"
   },
   "repository": {
     "type": "git",

package/scripts/publish-dev.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT_DIR"
+
+EXPECTED_VERSION=""
+DRY_RUN=false
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --expected-version)
+      EXPECTED_VERSION="${2:-}"
+      if [[ -z "$EXPECTED_VERSION" ]]; then
+        echo "--expected-version requires a value" >&2
+        exit 2
+      fi
+      shift 2
+      ;;
+    --dry-run)
+      DRY_RUN=true
+      shift
+      ;;
+    *)
+      echo "unknown argument: $1" >&2
+      echo "usage: npm run publish:dev -- [--expected-version X.Y.Z-dev.N] [--dry-run]" >&2
+      exit 2
+      ;;
+  esac
+done
+
+VERSION="$(node -p "JSON.parse(require('fs').readFileSync('package.json', 'utf8')).version")"
+
+if [[ -n "$EXPECTED_VERSION" && "$EXPECTED_VERSION" != "$VERSION" ]]; then
+  echo "expected version ($EXPECTED_VERSION) does not match cli/package.json ($VERSION)" >&2
+  exit 1
+fi
+
+if [[ "$VERSION" != *-* ]]; then
+  echo "refusing to publish stable version $VERSION with the dev script" >&2
+  exit 1
+fi
+
+NPM_ARGS=(--registry https://registry.npmjs.org/)
+TMP_NPMRC=""
+if [[ -n "${NPM_TOKEN:-}" ]]; then
+  TMP_NPMRC="$(mktemp)"
+  chmod 0600 "$TMP_NPMRC"
+  printf '//registry.npmjs.org/:_authToken=%s\n' "$NPM_TOKEN" > "$TMP_NPMRC"
+  NPM_ARGS+=(--userconfig "$TMP_NPMRC")
+fi
+
+cleanup() {
+  if [[ -n "$TMP_NPMRC" ]]; then
+    rm -f "$TMP_NPMRC"
+  fi
+}
+trap cleanup EXIT
+
+if npm "${NPM_ARGS[@]}" view "ticlawk@$VERSION" version >/dev/null 2>&1; then
+  echo "ticlawk@$VERSION is already published" >&2
+  exit 1
+fi
+
+if ! npm "${NPM_ARGS[@]}" whoami >/dev/null; then
+  echo "npm auth failed; run npm login or set a valid NPM_TOKEN with publish access to ticlawk" >&2
+  exit 1
+fi
+
+npm run verify:public-package
+
+PUBLISH_ARGS=(publish --access public --tag dev)
+if [[ "$DRY_RUN" == "true" ]]; then
+  PUBLISH_ARGS+=(--dry-run)
+fi
+
+npm "${NPM_ARGS[@]}" "${PUBLISH_ARGS[@]}"

package/src/adapters/ticlawk/api.mjs

@@ -552,34 +552,6 @@ export async function postEvent({ agent, agent_id, runtime_host_id, session_id,
   return queued;
 }
 
-// ── Pair (no auth needed) ──
-
-export async function pair(payload) {
-  const url = `${getApiUrl()}/dispatch`;
-  const res = await fetch(url, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ action: 'pair', ...payload }),
-    signal: AbortSignal.timeout(15000),
-  });
-  const body = await res.json().catch(() => ({}));
-  return {
-    statusCode: res.status,
-    ...body,
-  };
-}
-
-export async function pairPreview(payload) {
-  const url = `${getApiUrl()}/dispatch`;
-  const res = await fetch(url, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ action: 'pair-preview', ...payload }),
-    signal: AbortSignal.timeout(15000),
-  });
-  return res.json();
-}
-
 async function pairingRequest(payload, timeout = 15000) {
   const url = `${getApiUrl()}/api/agent-pairings`;
   const res = await fetch(url, {

package/src/adapters/ticlawk/credentials.mjs

@@ -13,9 +13,7 @@ export function persistApiCredential(apiKey) {
 
   persistConfig({
     [TICLAWK_CONNECTOR_API_KEY]: apiKey,
-    TICLAWK_SETUP_CODE: '',
   });
   process.env[TICLAWK_CONNECTOR_API_KEY] = apiKey;
-  delete process.env.TICLAWK_SETUP_CODE;
   console.log(`[connect] saved ${TICLAWK_CONNECTOR_API_KEY} to ${AF_CONFIG_PATH}`);
 }

package/src/adapters/ticlawk/index.mjs

@@ -1,11 +1,9 @@
-import { parseOptionArgs } from '../../core/argv.mjs';
 import { createHash, randomBytes } from 'node:crypto';
 import { createRequire } from 'node:module';
-import { basename } from 'node:path';
 import { loadPersistentConfig, persistConfig, TICLAWK_CONNECTOR_API_KEY, TICLAWK_CONNECTOR_WS_URL } from '../../core/config.mjs';
 import { belongsToRuntimeHost, getBindingRuntimeHostId, getHostId, getHostLabel } from '../../core/host-id.mjs';
 import { debugError, debugLog } from '../../core/logger.mjs';
-import { getActiveProfile, ensureLegacyProfile, readProfileMeta, saveAndActivateProfile } from '../../core/profiles.mjs';
+import { getActiveProfile, saveAndActivateProfile } from '../../core/profiles.mjs';
 import { isTerminalRuntimeFailure } from '../../core/runtime-support.mjs';
 import { clearUpdateRequiredState, readUpdateState, setUpdateRequiredState } from '../../core/update-state.mjs';
 import { isManagedInstall, startDetachedSelfUpdate } from '../../core/update.mjs';
@@ -71,9 +69,6 @@ function normalizeInboundMediaAssets(msg) {
 }
 
 export function normalizeInboundMessage(msg) {
-  // Claimed delivery rows carry the recipient agent id; legacy messages
-  // (history sync, manual inserts) may still use plain agent_id. Prefer
-  // the new field but fall back so the same normalizer works for both.
   const recipientAgentId = msg.recipient_agent_id || '';
   const messageId = msg.id || msg.message_id || null;
   const deliveryId = msg.delivery_id || null;
@@ -123,16 +118,12 @@ function getRuntimeHostLabelFromPayload(payload) {
 
 function getAgentIdFromPayload(payload) {
   // claim_pending_deliveries is the canonical source and returns
-  // `recipient_agent_id`. The historical fallbacks (`agent_id`,
-  // `agentId`) were left in by an earlier partial cleanup but they
-  // never fire against the current schema — dead branches.
+  // `recipient_agent_id`.
   return String(payload?.recipient_agent_id || '').trim();
 }
 
 // Whitelist of meta keys runtimes actually consume. Anything else in
-// the source row's meta blob is dropped on the floor so stale fields
-// (like the post-Y2 workdir/cwd/projectDir leftovers) can't sneak
-// back into runtimeMeta and confuse downstream code.
+// the source row's meta blob is dropped before reaching runtimeMeta.
 const RUNTIME_META_KEYS = [
   'sessionId',
   'path',
@@ -225,24 +216,6 @@ function maskIdentity(identity = {}) {
   };
 }
 
-function formatIdentityLines(identity = {}) {
-  const normalized = maskIdentity(identity);
-  return [
-    `  user: ${normalized.userId || 'unknown'}`,
-    normalized.emailMasked ? `  email: ${normalized.emailMasked}` : null,
-    normalized.phoneMasked ? `  phone: ${normalized.phoneMasked}` : null,
-  ].filter(Boolean);
-}
-
-function formatAffectedAgents(agents = []) {
-  if (!agents.length) return ['  - none found for this host'];
-  return agents.map((agent) => {
-    const display = agent.display_name || agent.name || agent.id;
-    const runtime = agent.service_type || 'unknown';
-    return `  - ${display} (${runtime}) ${agent.id}`;
-  });
-}
-
 function sha256Hex(value) {
   return createHash('sha256').update(String(value)).digest('hex');
 }
@@ -251,63 +224,6 @@ function makeClientSecret() {
   return randomBytes(32).toString('base64url');
 }
 
-function getRuntimeWorkdir(runtimeMeta = {}) {
-  return String(runtimeMeta.workdir || runtimeMeta.cwd || runtimeMeta.projectDir || '').trim();
-}
-
-function runtimeLabel(runtime) {
-  if (runtime === 'claude_code') return 'Claude Code';
-  if (runtime === 'opencode') return 'OpenCode';
-  if (runtime === 'openclaw') return 'OpenClaw';
-  if (runtime === 'codex') return 'Codex';
-  if (runtime === 'pi') return 'Pi';
-  return runtime || 'Agent';
-}
-
-function printDetectedRuntimeOptions(runtimeOptions = []) {
-  console.log('Detected agent harness:');
-  if (!runtimeOptions.length) {
-    console.log('  none');
-    return;
-  }
-  for (const option of runtimeOptions) {
-    const label = option.runtime_label || runtimeLabel(option.runtime);
-    const workdir = option.workdir ? ` (${option.workdir})` : '';
-    console.log(`  - ${label}${workdir}`);
-  }
-}
-
-async function buildAutoRuntimeOptions(ctx, payload = {}) {
-  const workdir = getRuntimeWorkdir(payload) || process.cwd();
-  const candidates = ['codex', 'claude_code', 'opencode', 'pi'];
-  const options = [];
-  for (const serviceType of candidates) {
-    try {
-      const resolved = await ctx.resolveRuntimeBinding({
-        ...payload,
-        serviceType,
-        workdir,
-      });
-      const runtimeMeta = resolved.runtimeMeta || {};
-      const optionWorkdir = getRuntimeWorkdir(runtimeMeta) || workdir;
-      options.push({
-        runtime: resolved.runtime,
-        runtime_label: runtimeLabel(resolved.runtime),
-        display_name: resolved.displayName || basename(optionWorkdir) || runtimeLabel(resolved.runtime),
-        workdir: optionWorkdir,
-        binding_key: optionWorkdir,
-        runtime_meta: runtimeMeta,
-      });
-    } catch (err) {
-      debugLog('ticlawk-pairing', 'auto-runtime.skip', {
-        runtime: serviceType,
-        reason: err?.message || String(err),
-      });
-    }
-  }
-  return options;
-}
-
 function printPairingChallenge(session) {
   console.log();
   console.log('Open Ticlawk and scan the QR code below, or enter the pairing code.');
@@ -372,6 +288,7 @@ export function createTiclawkAdapter(ctx) {
   let lastBindingsWakeAt = 0;
   let updateRequired = null;
   let lastUpdateRequiredLogAt = 0;
+  let startupSyncing = false;
 
   function clearDebounce(timer) {
     if (timer) clearTimeout(timer);
@@ -851,10 +768,11 @@ export function createTiclawkAdapter(ctx) {
   function handleWakeEvent(event) {
     wakeState.lastEventAt = new Date().toISOString();
     if (event?.type === 'hello') {
+      void reportHostCapabilitiesNow();
+      if (startupSyncing) return;
       void refreshBindings('wake.hello')
         .then(() => requestDrain('wake.hello'))
         .catch(() => {});
-      void reportHostCapabilitiesNow();
       return;
     }
     if (event?.type === 'jobs.available') {
@@ -907,9 +825,21 @@ export function createTiclawkAdapter(ctx) {
     });
   }
 
+  function getConnectorWakeUrlForHost() {
+    const raw = api.getConnectorWsUrl();
+    try {
+      const url = new URL(raw);
+      url.searchParams.set('runtime_host_id', hostId);
+      return url.toString();
+    } catch {
+      const separator = raw.includes('?') ? '&' : '?';
+      return `${raw}${separator}runtime_host_id=${encodeURIComponent(hostId)}`;
+    }
+  }
+
   function connectWakeSocket() {
     connectorSocket = new TiclawkWakeClient({
-      getUrl: api.getConnectorWsUrl,
+      getUrl: getConnectorWakeUrlForHost,
       getApiKey: api.getApiKey,
       onEvent: handleWakeEvent,
       onStatus: handleWakeStatus,
@@ -937,7 +867,7 @@ export function createTiclawkAdapter(ctx) {
     bindingAuditTimer.unref?.();
   }
 
-  async function finishPairing(resolved, pairData) {
+  async function finishHostPairing(pairData) {
     const apiKey = pairData.connector_api_key || pairData.apiKey || pairData.api_key;
     persistApiCredential(apiKey);
     if (pairData.connector_ws_url) {
@@ -956,61 +886,26 @@ export function createTiclawkAdapter(ctx) {
       restartWakeSocket('connect.paired');
     }
 
-    const bindingId = pairData.agent_id || pairData.agentId;
-    if (!bindingId) {
-      throw new Error('pairing did not return agent_id');
-    }
-    const runtimeMeta = pairData.runtime_meta || resolved.runtimeMeta;
-    const binding = await ctx.upsertBinding({
-      id: bindingId,
-      adapter: 'ticlawk',
-      targetKey: bindingId,
-      targetMeta: {
-        agentId: bindingId,
-        runtime_host_id: hostId,
-        binding_key: pairData.binding_key || null,
-      },
-      runtime_host_id: hostId,
-      runtime_host_label: hostLabel,
-      runtime: resolved.runtime,
-      runtimeMeta,
-      displayName: resolved.displayName,
-      status: 'connected',
-    });
+    await reportHostCapabilitiesNow();
     return {
       statusCode: 200,
       body: {
         ok: true,
-        agentId: binding.id,
-        serviceType: resolved.runtime,
-        name: binding.displayName,
-        bindingKey: pairData.binding_key || null,
+        hostId,
+        hostLabel,
         user: pairedIdentity,
       },
     };
   }
 
-  async function connectWithQrPairing(payload) {
-    const autoRuntime = Boolean(payload?.autoRuntime);
-    const runtimeOptions = autoRuntime ? await buildAutoRuntimeOptions(ctx, payload) : [];
-    if (autoRuntime) {
-      printDetectedRuntimeOptions(runtimeOptions);
-      if (runtimeOptions.length === 0) {
-        return connectError(400, 'No supported local agent harness detected in this terminal. Install or sign in to Codex, Claude Code, OpenCode, or pi, then run `ticlawk connect` again.');
-      }
-    }
-    const resolved = autoRuntime ? null : await ctx.resolveRuntimeBinding(payload);
-    const runtimeMeta = resolved?.runtimeMeta || {};
-    const workdir = getRuntimeWorkdir(runtimeMeta) || getRuntimeWorkdir(payload) || process.cwd();
+  async function connectWithQrPairing() {
     const clientSecret = makeClientSecret();
     const created = await api.createPairingSession({
       client: 'ticlawk',
       client_version: api.getTiclawkVersion(),
       host_id: hostId,
       host_label: hostLabel,
-      ...(autoRuntime ? { runtime_options: runtimeOptions } : { runtime: resolved.runtime }),
-      workdir,
-      display_name: resolved?.displayName || basename(workdir) || 'Agent',
+      scope: 'host',
       challenge_hash: sha256Hex(clientSecret),
     });
     if (!created?.ok) {
@@ -1031,20 +926,9 @@ export function createTiclawkAdapter(ctx) {
         pollAfterMs: Number(created.poll_after_ms || 1500),
         expiresAt: created.expires_at,
       });
-      const approvedRuntime = approved.runtime || approved.selected_runtime;
-      const approvedOption = runtimeOptions.find((option) => option.runtime === approvedRuntime) || null;
-      const finalResolved = resolved || {
-        runtime: approvedRuntime || approvedOption?.runtime,
-        displayName: approved.display_name || approvedOption?.display_name || runtimeLabel(approvedRuntime),
-        runtimeMeta: approved.runtime_meta || approvedOption?.runtime_meta || {},
-      };
-      if (!finalResolved.runtime) {
-        throw new Error('ticlawk pairing did not return a selected runtime');
-      }
-      return await finishPairing.call(this, finalResolved, {
+      return await finishHostPairing({
         ...created,
         ...approved,
-        binding_key: approved.binding_key || created.binding_key || null,
       });
     } catch (err) {
       await api.cancelPairingSession({
@@ -1063,9 +947,14 @@ export function createTiclawkAdapter(ctx) {
       // mid-claim, the row stays `claimed` forever. lease_expires_at
       // was dropped in X1; no cron has replaced it. Rare in practice;
       // when it happens the fix is a one-row UPDATE in supabase.
-      await refreshBindings('startup');
-      await requestDrain('startup');
+      startupSyncing = true;
       connectWakeSocket();
+      try {
+        await refreshBindings('startup');
+        await requestDrain('startup');
+      } finally {
+        startupSyncing = false;
+      }
       startAuditTimers();
     },
 
@@ -1102,131 +991,9 @@ export function createTiclawkAdapter(ctx) {
     },
 
     async connect(payload) {
-      const config = loadPersistentConfig();
-      if (!payload?.__legacyConnect) {
-        try {
-          return await connectWithQrPairing.call(this, {
-            ...payload,
-            autoRuntime: true,
-          });
-        } catch (err) {
-          return connectError(err?.status || 500, err.message);
-        }
-      }
-
-      // Archived setup-code connect path. It is intentionally not reachable
-      // from the public CLI; keep it here only until the old flow is deleted.
-      const connectCode = String(payload?.code || config.TICLAWK_SETUP_CODE || '').trim();
-      if (!connectCode) {
-        return connectError(400, 'legacy ticlawk setup-code connect requires code');
-      }
-
       try {
-        const resolved = await ctx.resolveRuntimeBinding(payload);
-        const runtimeMeta = resolved.runtimeMeta;
-        let currentIdentity = null;
-        const activeProfile = getActiveProfile();
-        if (activeProfile?.adapter === 'ticlawk') {
-          currentIdentity = readProfileMeta(activeProfile.adapter, activeProfile.userId) || {
-            userId: activeProfile.userId,
-          };
-        } else if (config[TICLAWK_CONNECTOR_API_KEY]) {
-          try {
-            const me = await api.getMe();
-            if (me?.userId || me?.user_id) {
-              currentIdentity = maskIdentity(me);
-              ensureLegacyProfile({
-                adapter: 'ticlawk',
-                userId: currentIdentity.userId,
-                meta: currentIdentity,
-              });
-            }
-          } catch {}
-        }
-
-        let previewIdentity = null;
-        try {
-          const preview = await api.pairPreview({ code: connectCode });
-          if (preview?.ok) {
-            previewIdentity = maskIdentity(preview);
-          } else if (preview?.userId || preview?.user_id) {
-            previewIdentity = maskIdentity(preview);
-          }
-        } catch {}
-
-        if (currentIdentity?.userId && !previewIdentity?.userId && !payload.switchUser) {
-          return {
-            statusCode: 409,
-            body: {
-              ok: false,
-              code: 'ticlawk_pairing_user_unverified',
-              currentUser: currentIdentity,
-              error: [
-                'This ticlawk home is already paired to ticlawk user:',
-                ...formatIdentityLines(currentIdentity),
-                '',
-                'Could not verify which ticlawk user owns the new pairing code.',
-                'Refusing to switch users because existing agents may stop processing messages.',
-                '',
-                'If you want to switch user, please rerun this command with --switch-user.',
-              ].join('\n'),
-            },
-          };
-        }
-
-        if (
-          currentIdentity?.userId
-          && previewIdentity?.userId
-          && currentIdentity.userId !== previewIdentity.userId
-          && !payload.switchUser
-        ) {
-          let affectedAgents = [];
-          try {
-            affectedAgents = await api.getAgents({ hostId });
-          } catch {}
-          const message = [
-            'This ticlawk home is already paired to ticlawk user:',
-            ...formatIdentityLines(currentIdentity),
-            '',
-            'The pairing code belongs to a different ticlawk user:',
-            ...formatIdentityLines(previewIdentity),
-            '',
-            'Refusing to switch users because these agents are currently bound to this host:',
-            ...formatAffectedAgents(affectedAgents),
-            '',
-            'Switching would stop this daemon from processing messages for those agents.',
-            '',
-            'If you want to switch user, please rerun this command with --switch-user.',
-          ].join('\n');
-          return {
-            statusCode: 409,
-            body: {
-              ok: false,
-              error: message,
-              code: 'ticlawk_user_mismatch',
-              currentUser: currentIdentity,
-              pairingUser: previewIdentity,
-              affectedAgents,
-            },
-          };
-        }
-
-        const pairData = await api.pair({
-          code: connectCode,
-          name: resolved.displayName,
-          serviceType: resolved.runtime,
-          runtimeMeta,
-          runtime_host_id: hostId,
-          runtime_host_label: hostLabel,
-        });
-        if (!pairData?.ok) {
-          return { statusCode: pairData?.statusCode || 401, body: pairData };
-        }
-        return finishPairing.call(this, resolved, {
-          ...pairData,
-          agent_id: pairData.agentId,
-          connector_api_key: pairData.apiKey,
-        });
+        void payload;
+        return await connectWithQrPairing();
       } catch (err) {
         return connectError(err?.status || 500, err.message);
       }
@@ -1290,52 +1057,3 @@ export function createTiclawkAdapter(ctx) {
     },
   };
 }
-
-export function getTiclawkAuthHelp() {
-  return `ticlawk auth ticlawk --code <6-digit-code> [--api-url <url>]
-
-Options:
-  --code <code>       6-digit setup code from the ticlawk app
-  --api-url <url>     optional ticlawk API base URL override
-`;
-}
-
-export async function runTiclawkAuth(rawArgs) {
-  const args = parseOptionArgs(rawArgs);
-  if (args.help || args.h) {
-    return {
-      statusCode: 200,
-      body: {
-        ok: true,
-        help: getTiclawkAuthHelp(),
-      },
-    };
-  }
-  const code = String(args.code || '').trim();
-  if (!code) {
-    return {
-      statusCode: 400,
-      body: {
-        ok: false,
-        error: 'ticlawk auth requires --code',
-      },
-    };
-  }
-  const updates = {
-    TICLAWK_SETUP_CODE: code,
-  };
-  const apiUrl = String(args['api-url'] || '').trim();
-  if (apiUrl) {
-    updates.TICLAWK_API_URL = apiUrl;
-  }
-  persistConfig(updates);
-  return {
-    statusCode: 200,
-    body: {
-      ok: true,
-      adapter: 'ticlawk',
-      setupCode: 'set',
-      apiUrl: apiUrl || undefined,
-    },
-  };
-}

package/src/core/adapter-registry.mjs

@@ -1,8 +1,4 @@
-import {
-  createTiclawkAdapter,
-  getTiclawkAuthHelp,
-  runTiclawkAuth,
-} from '../adapters/ticlawk/index.mjs';
+import { createTiclawkAdapter } from '../adapters/ticlawk/index.mjs';
 
 /**
  * Ticlawk has a single adapter: ticlawk itself. The registry shape is kept
@@ -18,17 +14,3 @@ export function createAdapter(adapterId, ctx) {
   }
   return createTiclawkAdapter(ctx);
 }
-
-export function getAdapterAuthHelp(adapterId) {
-  if (adapterId !== ADAPTER_ID) {
-    throw new Error(`unsupported adapter: ${adapterId}`);
-  }
-  return getTiclawkAuthHelp();
-}
-
-export async function runAdapterAuth(adapterId, rawArgs) {
-  if (adapterId !== ADAPTER_ID) {
-    throw new Error(`unsupported adapter: ${adapterId}`);
-  }
-  return runTiclawkAuth(rawArgs);
-}

package/src/core/profiles.mjs

@@ -92,7 +92,6 @@ export function saveProfile({ adapter, userId, config = {}, meta = {} }) {
   mkdirSync(dir, { recursive: true });
   const currentConfig = readProfileConfig(adapter, userId);
   const nextConfig = { ...currentConfig, ...config };
-  delete nextConfig.TICLAWK_SETUP_CODE;
   writeDotenvAtomic(getProfileConfigPath(adapter, userId), nextConfig);
 
   const currentMeta = readProfileMeta(adapter, userId) || {};

package/src/core/runtime-env.mjs

@@ -15,7 +15,6 @@
 const STRIPPED_KEYS = new Set([
   'TICLAWK_CONNECTOR_API_KEY',
   'TICLAWK_CONNECTOR_WS_URL',
-  'TICLAWK_SETUP_CODE',
 ]);
 
 export function buildRuntimeEnv(extra = {}) {

package/ticlawk.mjs

@@ -266,20 +266,17 @@ export async function startTiclawk() {
   baseRuntimeCtx = createBaseRuntimeCtx(runtimes, persistBinding, (binding) => syncBinding(binding));
 
   printBanner(adapter);
-  if (typeof adapter.refreshBindings === 'function') {
-    await adapter.refreshBindings();
-  }
   registerRuntimeHandlers(runtimeList, baseRuntimeCtx, adapter);
-  await replayBindings(runtimes, adapter);
   startLocalHttpServer({
     port: HTTP_PORT,
     adapter,
     ctx: { listBindings, getBinding },
   });
   startReminderTicker();
+  await adapter.start();
+  await replayBindings(runtimes, adapter);
   await recoverAllRuntimes(runtimeList, adapter);
   await reconcileBindingsAfterRestart(runtimes, adapter);
-  await adapter.start();
 }
 
 if (import.meta.url === `file://${process.argv[1]}`) {