velaclaw-dev 0.2.0

package/dist/data.js

@@ -0,0 +1,2988 @@
+import crypto from "node:crypto";
+import { execFile } from "node:child_process";
+import fs from "node:fs/promises";
+import path from "node:path";
+import { promisify } from "node:util";
+export class HttpError extends Error {
+    status;
+    constructor(status, message) {
+        super(message);
+        this.name = "HttpError";
+        this.status = status;
+    }
+}
+const ROOT = process.cwd();
+const MEMBERS_ROOT = path.join(ROOT, "members");
+const STATE_ROOT = path.join(ROOT, "state");
+const TEAM_STATE_PATH = path.join(STATE_ROOT, "team.json");
+const MEMBER_TEMPLATE_ID = "member-template";
+const MEMBER_ID_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;
+const DEFAULT_MEMBER_PORT = 18800;
+const TEAM_OVERVIEW_CACHE_TTL_MS = 2000;
+const MEMBER_UPGRADE_SCHEDULE_DELAY_MS = 1500;
+let teamStateMutationQueue = Promise.resolve();
+const execFileAsync = promisify(execFile);
+const teamOverviewCache = new Map();
+const teamOverviewInflight = new Map();
+const memberRuntimeUpgradeInflight = new Map();
+const TEAM_BUCKETS = [
+    ["shared-memory", "Shared memory"],
+    ["shared-skills", "Shared skills"],
+    ["shared-workflows", "Shared workflows"],
+    ["shared-docs", "Shared docs"],
+    ["policies", "Policies"]
+];
+const SNAPSHOT_BUCKETS = [
+    ["memory", "Snapshot memory"],
+    ["skills", "Snapshot skills"],
+    ["workflows", "Snapshot workflows"],
+    ["docs", "Snapshot docs"]
+];
+const MEMBER_BUCKETS = [
+    ["private-memory", "Private memory"],
+    ["private-skills", "Private skills"],
+    ["private-tools", "Private tools"],
+    ["private-docs", "Private docs"]
+];
+const RESERVED_MEMBER_DIR_NAMES = new Set([
+    MEMBER_TEMPLATE_ID,
+    ...MEMBER_BUCKETS.map(([key]) => key)
+]);
+const MEMBER_PROXY_URL = "http://host.docker.internal:17892";
+const MEMBER_NO_PROXY = "127.0.0.1,localhost,::1,host.docker.internal";
+const MEMBER_PROXY_ENV_LINES = [
+    `      HTTP_PROXY: ${MEMBER_PROXY_URL}`,
+    `      HTTPS_PROXY: ${MEMBER_PROXY_URL}`,
+    `      http_proxy: ${MEMBER_PROXY_URL}`,
+    `      https_proxy: ${MEMBER_PROXY_URL}`,
+    `      NO_PROXY: ${MEMBER_NO_PROXY}`,
+    `      no_proxy: ${MEMBER_NO_PROXY}`
+].join("\n");
+async function safeStat(targetPath) {
+    try {
+        return await fs.stat(targetPath);
+    }
+    catch {
+        return null;
+    }
+}
+async function fileExists(targetPath) {
+    return Boolean(await safeStat(targetPath));
+}
+async function readText(targetPath) {
+    return fs.readFile(targetPath, "utf8");
+}
+async function writeText(targetPath, content) {
+    await fs.writeFile(targetPath, content, "utf8");
+}
+function invalidateTeamOverviewCache(teamSlug) {
+    if (teamSlug) {
+        teamOverviewCache.delete(teamSlug);
+        teamOverviewInflight.delete(teamSlug);
+        return;
+    }
+    teamOverviewCache.clear();
+    teamOverviewInflight.clear();
+}
+async function writeSecretText(targetPath, content) {
+    await fs.mkdir(path.dirname(targetPath), { recursive: true });
+    await fs.writeFile(targetPath, content, { encoding: "utf8", mode: 0o600 });
+    await fs.chmod(targetPath, 0o600);
+}
+function parseTelegramTargetToChatId(rawValue) {
+    const value = String(rawValue || "").trim();
+    const match = value.match(/^telegram:(-?\d+)$/);
+    return match?.[1] || null;
+}
+async function loadLatestTelegramNotificationTarget(teamSlug, memberId) {
+    const sessionsPath = path.join(memberRoot(teamSlug, memberId), "runtime", "config", "agents", "main", "sessions", "sessions.json");
+    if (!(await fileExists(sessionsPath))) {
+        return null;
+    }
+    try {
+        const raw = JSON.parse(await readText(sessionsPath));
+        const candidates = Object.values(raw)
+            .filter((entry) => entry && typeof entry === "object")
+            .map((entry) => ({
+            updatedAt: Number(entry.updatedAt || 0),
+            channel: String(entry.deliveryContext?.channel || entry.lastChannel || ""),
+            to: String(entry.deliveryContext?.to || entry.lastTo || "")
+        }))
+            .filter((entry) => entry.channel === "telegram" && parseTelegramTargetToChatId(entry.to));
+        if (!candidates.length) {
+            return null;
+        }
+        candidates.sort((left, right) => right.updatedAt - left.updatedAt);
+        return {
+            channel: "telegram",
+            to: candidates[0].to
+        };
+    }
+    catch {
+        return null;
+    }
+}
+async function notifyTelegramUpgradeResult(teamSlug, memberId, target, text) {
+    const chatId = parseTelegramTargetToChatId(target.to);
+    if (!chatId) {
+        return false;
+    }
+    const tokenPath = path.join(memberRoot(teamSlug, memberId), "runtime", "secrets", "telegram-bot-token");
+    if (!(await fileExists(tokenPath))) {
+        return false;
+    }
+    const token = (await readText(tokenPath)).trim();
+    if (!token) {
+        return false;
+    }
+    const result = await runHostCommand("curl", [
+        "-sS",
+        "-X",
+        "POST",
+        `https://api.telegram.org/bot${token}/sendMessage`,
+        "-d",
+        `chat_id=${chatId}`,
+        "--data-urlencode",
+        `text=${text}`
+    ]);
+    if (!result.ok) {
+        console.error(`[upgrade-notify] Telegram send failed for ${memberId}: ${result.stderr || result.error || "curl failed"}`);
+        return false;
+    }
+    try {
+        const payload = JSON.parse(result.stdout || "{}");
+        if (!payload.ok) {
+            console.error(`[upgrade-notify] Telegram send failed for ${memberId}: ${payload.description || result.stdout}`);
+            return false;
+        }
+    }
+    catch {
+        console.error(`[upgrade-notify] Telegram send returned non-json for ${memberId}: ${result.stdout}`);
+        return false;
+    }
+    console.log(`[upgrade-notify] Telegram sent for ${memberId} -> ${chatId}`);
+    return true;
+}
+async function notifyMemberUpgradeResult(teamSlug, memberId, target, outcome) {
+    const resolvedTarget = target ?? (await loadLatestTelegramNotificationTarget(teamSlug, memberId));
+    if (!resolvedTarget || resolvedTarget.channel !== "telegram") {
+        return;
+    }
+    const text = outcome.ok
+        ? "升级完成，当前成员 runtime 已同步最新模板和镜像，可以继续聊天。"
+        : `升级失败：${outcome.detail || "unknown error"}`;
+    try {
+        await notifyTelegramUpgradeResult(teamSlug, memberId, resolvedTarget, text);
+    }
+    catch (error) {
+        console.error("[upgrade-notify] unexpected error:", error instanceof Error ? error.message : String(error));
+    }
+}
+async function runHostCommand(command, args, cwd) {
+    try {
+        const result = await execFileAsync(command, args, {
+            cwd,
+            maxBuffer: 1024 * 1024 * 4
+        });
+        return {
+            ok: true,
+            stdout: result.stdout.trim(),
+            stderr: result.stderr.trim()
+        };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        const stdout = typeof error === "object" && error !== null && "stdout" in error && typeof error.stdout === "string"
+            ? error.stdout.trim()
+            : "";
+        const stderr = typeof error === "object" && error !== null && "stderr" in error && typeof error.stderr === "string"
+            ? error.stderr.trim()
+            : message;
+        return {
+            ok: false,
+            stdout,
+            stderr,
+            error: message
+        };
+    }
+}
+function parseDockerHealth(statusText) {
+    if (!statusText) {
+        return undefined;
+    }
+    const match = statusText.match(/\(([^)]+)\)\s*$/);
+    if (!match) {
+        return undefined;
+    }
+    return match[1].replace(/^health:\s*/, "");
+}
+async function listDockerContainers() {
+    const result = await runHostCommand("sudo", ["-n", "docker", "ps", "-a", "--format", "{{json .}}"]);
+    if (!result.ok) {
+        return result;
+    }
+    const containersByName = new Map();
+    for (const line of result.stdout.split("\n").map((entry) => entry.trim()).filter(Boolean)) {
+        try {
+            const row = JSON.parse(line);
+            const containerName = typeof row.Names === "string" ? row.Names : "";
+            if (!containerName) {
+                continue;
+            }
+            const state = typeof row.State === "string" ? row.State : undefined;
+            const statusText = typeof row.Status === "string" ? row.Status : undefined;
+            containersByName.set(containerName, {
+                exists: true,
+                running: state === "running",
+                status: state,
+                health: parseDockerHealth(statusText)
+            });
+        }
+        catch {
+            // Skip malformed rows; docker ps --format json should emit one valid JSON object per line.
+        }
+    }
+    return {
+        ok: true,
+        stdout: result.stdout,
+        stderr: result.stderr,
+        containersByName
+    };
+}
+async function getDockerAccess() {
+    const result = await listDockerContainers();
+    if (result.ok) {
+        return {
+            available: true,
+            containersByName: result.containersByName
+        };
+    }
+    return {
+        available: false,
+        error: result.stderr || result.error || "docker unavailable"
+    };
+}
+function parsePublishedPort(composeText) {
+    const match = composeText.match(/127\.0\.0\.1:(\d+):18789/);
+    return match ? Number(match[1]) : null;
+}
+function containerNameForMember(teamSlug, memberId) {
+    const base = `openclaw-member-${teamSlug}-${memberId}`
+        .toLowerCase()
+        .replace(/[^a-z0-9_-]+/g, "-")
+        .replace(/^-+|-+$/g, "");
+    if (base.length <= 63) {
+        return base;
+    }
+    const hash = crypto.createHash("sha1").update(`container:${teamSlug}:${memberId}`).digest("hex").slice(0, 8);
+    return `${base.slice(0, 54)}-${hash}`;
+}
+function parseContainerName(teamSlug, memberId, composeText) {
+    const match = composeText.match(/container_name:\s*([^\s]+)/);
+    if (!match) {
+        return containerNameForMember(teamSlug, memberId);
+    }
+    return match[1]
+        .replace("REPLACE_CONTAINER_ID", containerNameForMember(teamSlug, memberId))
+        .replace("REPLACE_MEMBER_ID", memberId);
+}
+function composeProjectNameForMember(teamSlug, memberId) {
+    const base = `member-${teamSlug}-${memberId}`
+        .toLowerCase()
+        .replace(/[^a-z0-9_-]+/g, "-")
+        .replace(/^-+|-+$/g, "");
+    if (base.length <= 48) {
+        return base;
+    }
+    const hash = crypto.createHash("sha1").update(`${teamSlug}:${memberId}`).digest("hex").slice(0, 8);
+    return `${base.slice(0, 39)}-${hash}`;
+}
+function ensureMemberProxyComposeDefaults(composeText, composeProjectName, containerName) {
+    let next = composeText.replaceAll("http://172.19.0.1:17892", MEMBER_PROXY_URL);
+    next = next.replaceAll("HTTPS_PROXY: http://host.docker.internal:17892", `HTTPS_PROXY: ${MEMBER_PROXY_URL}`);
+    next = next.replaceAll("HTTP_PROXY: http://host.docker.internal:17892", `HTTP_PROXY: ${MEMBER_PROXY_URL}`);
+    next = next.replaceAll("http_proxy: http://host.docker.internal:17892", `http_proxy: ${MEMBER_PROXY_URL}`);
+    next = next.replaceAll("https_proxy: http://host.docker.internal:17892", `https_proxy: ${MEMBER_PROXY_URL}`);
+    next = next.replace(/^name:\s*.*$/m, `name: ${composeProjectName}`);
+    if (containerName) {
+        next = next.replace(/^(\s*container_name:\s*).+$/m, `$1${containerName}`);
+        next = next.replaceAll("REPLACE_CONTAINER_ID", containerName);
+    }
+    if (!/^\s+HTTP_PROXY:\s+/m.test(next)) {
+        next = next.replace("      OPENCLAW_WORKSPACE_DIR: /home/node/.openclaw/workspace", `      OPENCLAW_WORKSPACE_DIR: /home/node/.openclaw/workspace\n${MEMBER_PROXY_ENV_LINES}`);
+    }
+    if (!/^\s+NO_PROXY:\s+/m.test(next)) {
+        next = next.replace(`      https_proxy: ${MEMBER_PROXY_URL}`, `      https_proxy: ${MEMBER_PROXY_URL}\n      NO_PROXY: ${MEMBER_NO_PROXY}\n      no_proxy: ${MEMBER_NO_PROXY}`);
+    }
+    if (!/^name:\s+/m.test(next)) {
+        next = `name: ${composeProjectName}\n${next}`;
+    }
+    return next;
+}
+async function ensureMemberRuntimeComposeDefaults(teamSlug, memberId) {
+    const composePath = path.join(memberRuntimeRoot(teamSlug, memberId), "docker-compose.yml");
+    if (!(await fileExists(composePath))) {
+        return;
+    }
+    const raw = await readText(composePath);
+    const next = ensureMemberProxyComposeDefaults(raw, composeProjectNameForMember(teamSlug, memberId), containerNameForMember(teamSlug, memberId));
+    if (next !== raw) {
+        await writeText(composePath, next);
+    }
+}
+async function inspectDockerContainer(containerName) {
+    const inspect = await runHostCommand("sudo", [
+        "-n",
+        "docker",
+        "inspect",
+        containerName,
+        "--format",
+        "{{json .State}}"
+    ]);
+    if (!inspect.ok) {
+        const combinedError = `${inspect.stderr || ""}\n${inspect.error || ""}`.toLowerCase();
+        if (combinedError.includes("no such object")) {
+            return { exists: false, running: false };
+        }
+        throw new HttpError(502, inspect.stderr || inspect.error || `docker inspect failed for ${containerName}`);
+    }
+    const state = JSON.parse(inspect.stdout || "{}");
+    return {
+        exists: true,
+        running: Boolean(state.Running),
+        status: typeof state.Status === "string" ? state.Status : undefined,
+        health: typeof state.Health === "object" &&
+            state.Health !== null &&
+            "Status" in state.Health &&
+            typeof state.Health.Status === "string"
+            ? state.Health.Status
+            : undefined,
+        startedAt: typeof state.StartedAt === "string" ? state.StartedAt : undefined
+    };
+}
+function memberRuntimeRoot(teamSlug, memberId) {
+    return path.join(memberRoot(teamSlug, memberId), "runtime");
+}
+function memberRuntimeWorkspaceRoot(teamSlug, memberId) {
+    return path.join(memberRuntimeRoot(teamSlug, memberId), "workspace");
+}
+function wrapMarkdownAsSkillDoc(skillName, description, content) {
+    const trimmed = content.trim();
+    if (trimmed.startsWith("---")) {
+        return `${trimmed}\n`;
+    }
+    return `---\nname: ${skillName}\ndescription: ${description}\n---\n\n${trimmed}\n`;
+}
+function summarizeMarkdownTitle(content, fallback) {
+    const line = content
+        .split("\n")
+        .map((entry) => entry.trim())
+        .find(Boolean);
+    return (line || fallback).replace(/^#+\s*/, "").slice(0, 120);
+}
+function wrapMarkdownAsMemorySkillDoc(skillName, title, content) {
+    const summary = summarizeMarkdownTitle(content, title);
+    const description = `Shared team memory for ${summary}. Use when the task needs team preferences, standing rules, or required phrasing.`;
+    const body = [
+        `# ${summary}`,
+        "",
+        "Apply this shared team memory when it is relevant to the current task.",
+        "If it contains a required phrase or standing preference, follow it exactly.",
+        "",
+        content.trim()
+    ].join("\n");
+    return wrapMarkdownAsSkillDoc(skillName, description, body);
+}
+function wrapMarkdownAsWorkflowSkillDoc(skillName, title, content) {
+    const summary = summarizeMarkdownTitle(content, title);
+    const description = `Follow the shared workflow ${summary}. Use when the task asks for a structured process, required sections, or a repeatable output format.`;
+    const body = [
+        `# ${summary}`,
+        "",
+        "Follow this shared workflow exactly when it matches the current task.",
+        "Preserve any required section headings, ordering, and output constraints.",
+        "",
+        content.trim()
+    ].join("\n");
+    return wrapMarkdownAsSkillDoc(skillName, description, body);
+}
+async function mirrorWorkspaceSkillsFromDirectory(params) {
+    const sourceExists = await safeStat(params.sourceDir);
+    if (!sourceExists) {
+        return;
+    }
+    const entries = await fs.readdir(params.sourceDir, { withFileTypes: true });
+    for (const entry of entries.sort((left, right) => left.name.localeCompare(right.name))) {
+        if (entry.name.startsWith(".")) {
+            continue;
+        }
+        if (entry.isDirectory()) {
+            const nestedSkillPath = path.join(params.sourceDir, entry.name, "SKILL.md");
+            if (!(await fileExists(nestedSkillPath))) {
+                continue;
+            }
+            const targetSkillDir = path.join(params.targetDir, `${params.namePrefix}${entry.name}`);
+            await fs.mkdir(targetSkillDir, { recursive: true });
+            await writeText(path.join(targetSkillDir, "SKILL.md"), await readText(nestedSkillPath));
+            continue;
+        }
+        if (!entry.isFile() || !entry.name.endsWith(".md") || entry.name.toLowerCase() === "readme.md") {
+            continue;
+        }
+        const skillName = slugifyAssetName(path.basename(entry.name, ".md")) || `skill-${crypto.randomUUID().slice(0, 8)}`;
+        const targetSkillName = `${params.namePrefix}${skillName}`;
+        const targetSkillDir = path.join(params.targetDir, targetSkillName);
+        await fs.mkdir(targetSkillDir, { recursive: true });
+        const sourceContent = await readText(path.join(params.sourceDir, entry.name));
+        await writeText(path.join(targetSkillDir, "SKILL.md"), wrapMarkdownAsSkillDoc(targetSkillName, `${params.descriptionPrefix} ${entry.name}`, sourceContent));
+    }
+}
+async function clearGeneratedSkillViews(skillsRoot) {
+    await fs.rm(path.join(skillsRoot, "_generated"), { recursive: true, force: true });
+    const entries = await fs.readdir(skillsRoot, { withFileTypes: true }).catch(() => []);
+    for (const entry of entries) {
+        if (!entry.isDirectory()) {
+            continue;
+        }
+        if (entry.name.startsWith("team-shared-") ||
+            entry.name.startsWith("private-") ||
+            entry.name.startsWith("team-shared-active-") ||
+            entry.name.startsWith("team-shared-workflow-")) {
+            await fs.rm(path.join(skillsRoot, entry.name), { recursive: true, force: true });
+        }
+    }
+}
+async function syncGeneratedSharedMemoryFile(teamSlug, workspaceRoot) {
+    const sourceDir = path.join(teamRoot(teamSlug), "assets", "current", "shared-memory");
+    const memoryPath = path.join(workspaceRoot, "MEMORY.md");
+    const stat = await safeStat(sourceDir);
+    if (!stat) {
+        await fs.rm(memoryPath, { force: true });
+        return;
+    }
+    const entries = (await fs.readdir(sourceDir, { withFileTypes: true }))
+        .filter((entry) => entry.isFile() && entry.name.endsWith(".md") && entry.name.toLowerCase() !== "readme.md")
+        .sort((left, right) => left.name.localeCompare(right.name));
+    if (!entries.length) {
+        await fs.rm(memoryPath, { force: true });
+        return;
+    }
+    const sections = ["# MEMORY", "", "## Team Shared Memory", ""];
+    for (const entry of entries) {
+        const content = (await readText(path.join(sourceDir, entry.name))).trim();
+        if (!content) {
+            continue;
+        }
+        sections.push(`### ${path.basename(entry.name, ".md")}`);
+        sections.push(content);
+        sections.push("");
+    }
+    await writeText(memoryPath, `${sections.join("\n").trim()}\n`);
+}
+async function syncGeneratedSharedWorkflowSkills(teamSlug, skillsRoot) {
+    const sourceDir = path.join(teamRoot(teamSlug), "assets", "current", "shared-workflows");
+    const sourceExists = await safeStat(sourceDir);
+    if (!sourceExists) {
+        return;
+    }
+    const entries = (await fs.readdir(sourceDir, { withFileTypes: true }))
+        .filter((entry) => entry.isFile() && entry.name.endsWith(".md") && entry.name.toLowerCase() !== "readme.md")
+        .sort((left, right) => left.name.localeCompare(right.name));
+    for (const entry of entries) {
+        const workflowName = slugifyAssetName(path.basename(entry.name, ".md")) || `workflow-${crypto.randomUUID().slice(0, 8)}`;
+        const targetSkillName = `team-shared-workflow-${workflowName}`;
+        const targetSkillDir = path.join(skillsRoot, targetSkillName);
+        await fs.mkdir(targetSkillDir, { recursive: true });
+        const sourceContent = await readText(path.join(sourceDir, entry.name));
+        await writeText(path.join(targetSkillDir, "SKILL.md"), wrapMarkdownAsWorkflowSkillDoc(targetSkillName, path.basename(entry.name, ".md"), sourceContent));
+    }
+}
+async function syncGeneratedSharedMemorySkills(teamSlug, skillsRoot) {
+    const sourceDir = path.join(teamRoot(teamSlug), "assets", "current", "shared-memory");
+    const sourceExists = await safeStat(sourceDir);
+    if (!sourceExists) {
+        return;
+    }
+    const entries = (await fs.readdir(sourceDir, { withFileTypes: true }))
+        .filter((entry) => entry.isFile() && entry.name.endsWith(".md") && entry.name.toLowerCase() !== "readme.md")
+        .sort((left, right) => left.name.localeCompare(right.name));
+    for (const entry of entries) {
+        const memoryName = slugifyAssetName(path.basename(entry.name, ".md")) || `memory-${crypto.randomUUID().slice(0, 8)}`;
+        const targetSkillName = `team-shared-memory-${memoryName}`;
+        const targetSkillDir = path.join(skillsRoot, targetSkillName);
+        await fs.mkdir(targetSkillDir, { recursive: true });
+        const sourceContent = await readText(path.join(sourceDir, entry.name));
+        await writeText(path.join(targetSkillDir, "SKILL.md"), wrapMarkdownAsMemorySkillDoc(targetSkillName, path.basename(entry.name, ".md"), sourceContent));
+    }
+}
+async function syncMemberGeneratedWorkspaceViews(teamSlugRaw, memberIdRaw) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const memberId = validateMemberId(memberIdRaw);
+    const workspaceRoot = memberRuntimeWorkspaceRoot(teamSlug, memberId);
+    const skillsRoot = path.join(workspaceRoot, "skills");
+    await fs.mkdir(skillsRoot, { recursive: true });
+    await clearGeneratedSkillViews(skillsRoot);
+    await mirrorWorkspaceSkillsFromDirectory({
+        sourceDir: path.join(memberRoot(teamSlug, memberId), "private-skills"),
+        targetDir: skillsRoot,
+        namePrefix: "private-",
+        descriptionPrefix: "Generated private workspace skill from"
+    });
+    await mirrorWorkspaceSkillsFromDirectory({
+        sourceDir: path.join(teamRoot(teamSlug), "assets", "current", "shared-skills"),
+        targetDir: skillsRoot,
+        namePrefix: "team-shared-",
+        descriptionPrefix: "Generated team-shared workspace skill from"
+    });
+    await syncGeneratedSharedMemorySkills(teamSlug, skillsRoot);
+    await syncGeneratedSharedWorkflowSkills(teamSlug, skillsRoot);
+    await syncGeneratedSharedMemoryFile(teamSlug, workspaceRoot);
+}
+async function syncGeneratedWorkspaceViewsForTeamMembers(teamSlugRaw) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const members = await getMembersForTeam(teamSlug);
+    await Promise.all(members
+        .filter((member) => member.id !== MEMBER_TEMPLATE_ID)
+        .map((member) => syncMemberGeneratedWorkspaceViews(teamSlug, member.id)));
+}
+function validateMemberId(rawMemberId) {
+    const memberId = rawMemberId.trim().toLowerCase();
+    if (!memberId) {
+        throw new HttpError(400, "memberId is required");
+    }
+    if (memberId === MEMBER_TEMPLATE_ID) {
+        throw new HttpError(400, "memberId cannot reuse the reserved template id");
+    }
+    if (!MEMBER_ID_RE.test(memberId)) {
+        throw new HttpError(400, "memberId must use lowercase letters, numbers, or dashes, start/end with an alphanumeric, and stay under 63 chars");
+    }
+    return memberId;
+}
+function validateMemberEmail(rawValue) {
+    const email = rawValue.trim().toLowerCase();
+    if (!email) {
+        throw new HttpError(400, "memberEmail is required");
+    }
+    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+        throw new HttpError(400, "memberEmail must be a valid email address");
+    }
+    return email;
+}
+function deriveRuntimeMemberIdFromEmail(email) {
+    const base = email
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "")
+        .slice(0, 48) || "member";
+    const hash = crypto.createHash("sha1").update(email).digest("hex").slice(0, 8);
+    return validateMemberId(`${base}-${hash}`.slice(0, 63));
+}
+function validateTelegramBotToken(rawToken) {
+    const token = rawToken.trim();
+    if (!token) {
+        throw new HttpError(400, "telegramBotToken is required");
+    }
+    if (!/^\d+:[A-Za-z0-9_-]{20,}$/.test(token)) {
+        throw new HttpError(400, "telegramBotToken does not look like a valid Telegram bot token");
+    }
+    return token;
+}
+function validateDiscordBotToken(rawToken) {
+    const token = rawToken.trim();
+    if (!token) {
+        throw new HttpError(400, "discordBotToken is required");
+    }
+    if (token.length < 20) {
+        throw new HttpError(400, "discordBotToken does not look valid");
+    }
+    return token;
+}
+function validateDiscordUserId(rawValue) {
+    const value = rawValue.trim();
+    const match = value.match(/^(?:<@!?(\d+)>|user:(\d+)|(\d+))$/);
+    const id = match?.[1] || match?.[2] || match?.[3] || "";
+    if (!id) {
+        throw new HttpError(400, "discord user id must be a Discord snowflake or <@id>");
+    }
+    return id;
+}
+function validateWhatsappPhone(rawValue) {
+    const trimmed = rawValue.trim();
+    const normalized = trimmed.startsWith("+") ? trimmed : `+${trimmed}`;
+    if (!/^\+[1-9]\d{7,15}$/.test(normalized)) {
+        throw new HttpError(400, "whatsapp phone must be in international format like +15551234567");
+    }
+    return normalized;
+}
+function resolveAcceptedInviteChannel(input) {
+    const requestedKind = input.channelKind?.trim().toLowerCase();
+    const hasChannelFields = Boolean(requestedKind || input.channelHandle?.trim() || input.botToken?.trim());
+    if (!hasChannelFields) {
+        return {
+            legacyTelegramUserId: input.telegramUserId?.trim() || "REPLACE_WITH_USER_ID"
+        };
+    }
+    const kind = (requestedKind || "telegram");
+    if (!["telegram", "discord", "whatsapp"].includes(kind)) {
+        throw new HttpError(400, `unsupported invite channel: ${input.channelKind}`);
+    }
+    if (kind === "telegram") {
+        const handle = (input.channelHandle?.trim() || input.telegramUserId?.trim() || "");
+        const token = input.botToken?.trim() ? validateTelegramBotToken(input.botToken) : undefined;
+        if (!handle) {
+            if (!token) {
+                throw new HttpError(400, "telegram bot token is required when telegram user id is omitted");
+            }
+            return {
+                setup: {
+                    kind,
+                    handle: "*",
+                    requiresAdditionalLogin: false,
+                    accessMode: "open"
+                },
+                botToken: token,
+                legacyTelegramUserId: "REPLACE_WITH_USER_ID"
+            };
+        }
+        return {
+            setup: {
+                kind,
+                handle,
+                requiresAdditionalLogin: !token,
+                accessMode: "allowlist"
+            },
+            botToken: token,
+            legacyTelegramUserId: handle
+        };
+    }
+    if (kind === "discord") {
+        const handle = validateDiscordUserId(input.channelHandle ?? "");
+        return {
+            setup: {
+                kind,
+                handle,
+                requiresAdditionalLogin: false
+            },
+            botToken: validateDiscordBotToken(input.botToken ?? ""),
+            legacyTelegramUserId: "REPLACE_WITH_USER_ID"
+        };
+    }
+    const handle = validateWhatsappPhone(input.channelHandle ?? "");
+    return {
+        setup: {
+            kind: "whatsapp",
+            handle,
+            requiresAdditionalLogin: true,
+            selfChatMode: Boolean(input.whatsappSelfChatMode)
+        },
+        legacyTelegramUserId: "REPLACE_WITH_USER_ID"
+    };
+}
+function slugifyTeamLabel(rawValue) {
+    return rawValue
+        .trim()
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "")
+        .slice(0, 63);
+}
+function nowIso() {
+    return new Date().toISOString();
+}
+const LEGACY_DIRECT_MODEL_GATEWAY_BASE_URL = "https://saymycode.xyz/v1";
+const LOCAL_LITELLM_GATEWAY_BASE_URL = "http://127.0.0.1:4000";
+const LOCAL_LITELLM_GATEWAY_ENV = "LITELLM_MASTER_KEY";
+function normalizeTeamModelGateway(gateway, fallback) {
+    const merged = {
+        ...fallback,
+        ...gateway
+    };
+    if (merged.upstreamBaseUrl === LEGACY_DIRECT_MODEL_GATEWAY_BASE_URL && merged.upstreamApiKeyEnv === "OPENAI_API_KEY") {
+        merged.upstreamBaseUrl = LOCAL_LITELLM_GATEWAY_BASE_URL;
+        merged.upstreamApiKeyEnv = LOCAL_LITELLM_GATEWAY_ENV;
+    }
+    return merged;
+}
+function defaultTeamModelGateway() {
+    return {
+        enabled: true,
+        providerId: "team-gateway",
+        upstreamBaseUrl: LOCAL_LITELLM_GATEWAY_BASE_URL,
+        upstreamApiKeyEnv: LOCAL_LITELLM_GATEWAY_ENV,
+        defaultModelId: "gpt-4.1-mini",
+        allowedModelIds: ["gpt-4.1-mini", "gpt-5.1-codex-mini", "gpt-5.4"],
+        token: crypto.randomBytes(24).toString("hex")
+    };
+}
+function defaultTeamState() {
+    const timestamp = nowIso();
+    return {
+        version: 1,
+        profile: {
+            name: "Velaclaw Team",
+            slug: "velaclaw-team",
+            description: "Private member runtimes, shared assets, and operator-controlled invitations.",
+            managerLabel: "Team Manager",
+            inviteBasePath: "/invite",
+            createdAt: timestamp,
+            updatedAt: timestamp
+        },
+        modelGateway: defaultTeamModelGateway(),
+        invitations: [],
+        memberPolicies: [],
+        assetRolePolicies: [
+            { role: "owner", canPropose: true, publishWithoutApproval: true, canApprove: true, canPromote: true },
+            { role: "manager", canPropose: true, publishWithoutApproval: true, canApprove: true, canPromote: true },
+            { role: "operator", canPropose: true, publishWithoutApproval: true, canApprove: true, canPromote: true },
+            { role: "publisher", canPropose: true, publishWithoutApproval: true, canApprove: false, canPromote: false },
+            { role: "contributor", canPropose: true, publishWithoutApproval: false, canApprove: false, canPromote: false },
+            { role: "member", canPropose: true, publishWithoutApproval: false, canApprove: false, canPromote: false },
+            { role: "viewer", canPropose: false, publishWithoutApproval: false, canApprove: false, canPromote: false }
+        ],
+        assets: []
+    };
+}
+function defaultTeamsState() {
+    return {
+        version: 2,
+        teams: [defaultTeamState()]
+    };
+}
+function teamMembersRoot(teamSlug) {
+    return path.join(MEMBERS_ROOT, teamSlug);
+}
+function memberRoot(teamSlug, memberId) {
+    return path.join(teamMembersRoot(teamSlug), memberId);
+}
+function teamsRoot() {
+    return path.join(ROOT, "teams");
+}
+function teamRoot(teamSlug) {
+    return path.join(teamsRoot(), teamSlug);
+}
+function teamAssetsRoot(teamSlug) {
+    return path.join(teamRoot(teamSlug), "assets");
+}
+function teamAssetStageRoot(teamSlug, stage) {
+    return path.join(teamAssetsRoot(teamSlug), stage);
+}
+function teamAssetCategoryDir(teamSlug, stage, category) {
+    return path.join(teamAssetStageRoot(teamSlug, stage), category);
+}
+function teamAssetApprovalsDir(teamSlug) {
+    return path.join(teamAssetStageRoot(teamSlug, "approvals"), "queue");
+}
+function teamAssetReleasesDir(teamSlug) {
+    return path.join(teamAssetStageRoot(teamSlug, "published"), "releases");
+}
+function resolveDefaultTeamSlug(state) {
+    const first = state.teams[0];
+    if (!first) {
+        throw new HttpError(500, "no teams configured");
+    }
+    return first.profile.slug;
+}
+function findTeamBySlugOrThrow(state, teamSlugRaw) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const team = state.teams.find((entry) => entry.profile.slug === teamSlug);
+    if (!team) {
+        throw new HttpError(404, `team not found: ${teamSlugRaw}`);
+    }
+    return team;
+}
+async function ensureTeamStateFile() {
+    await fs.mkdir(STATE_ROOT, { recursive: true });
+    const stat = await safeStat(TEAM_STATE_PATH);
+    if (!stat) {
+        await writeText(TEAM_STATE_PATH, `${JSON.stringify(defaultTeamsState(), null, 2)}\n`);
+    }
+}
+async function readTeamsState() {
+    await ensureTeamStateFile();
+    const parsed = JSON.parse(await readText(TEAM_STATE_PATH));
+    if (Array.isArray(parsed.teams)) {
+        return {
+            version: 2,
+            teams: parsed.teams.map((team) => {
+                const fallback = defaultTeamState();
+                const assetRolePolicies = Array.isArray(team.assetRolePolicies) && team.assetRolePolicies.length > 0 ? team.assetRolePolicies : fallback.assetRolePolicies;
+                return {
+                    version: 1,
+                    profile: {
+                        ...fallback.profile,
+                        ...team.profile
+                    },
+                    modelGateway: normalizeTeamModelGateway(team.modelGateway, fallback.modelGateway),
+                    invitations: Array.isArray(team.invitations)
+                        ? team.invitations.map((entry) => {
+                            const role = typeof entry?.role === "string" && entry.role ? entry.role : "member";
+                            return {
+                                ...entry,
+                                teamSlug: entry?.teamSlug || team.profile.slug,
+                                role,
+                                quota: normalizeQuota(role, entry?.quota)
+                            };
+                        })
+                        : [],
+                    memberPolicies: Array.isArray(team.memberPolicies)
+                        ? team.memberPolicies.map((entry) => {
+                            const role = typeof entry?.role === "string" && entry.role ? entry.role : "member";
+                            return {
+                                ...entry,
+                                role,
+                                quota: normalizeQuota(role, entry?.quota),
+                                assetPermissions: normalizeAssetPermissions(role, entry?.assetPermissions, assetRolePolicies)
+                            };
+                        })
+                        : [],
+                    assetRolePolicies,
+                    assets: Array.isArray(team.assets) ? team.assets.map((asset) => ({ ...asset, teamSlug: asset?.teamSlug || team.profile.slug })) : []
+                };
+            })
+        };
+    }
+    const fallback = defaultTeamState();
+    const legacyProfile = {
+        ...fallback.profile,
+        ...parsed.profile
+    };
+    const legacyTeam = {
+        version: 1,
+        profile: legacyProfile,
+        modelGateway: normalizeTeamModelGateway(parsed.modelGateway, fallback.modelGateway),
+        invitations: Array.isArray(parsed.invitations)
+            ? parsed.invitations.map((entry) => {
+                const role = typeof entry?.role === "string" && entry.role ? entry.role : "member";
+                return {
+                    ...entry,
+                    teamSlug: entry?.teamSlug || legacyProfile.slug,
+                    role,
+                    quota: normalizeQuota(role, entry?.quota)
+                };
+            })
+            : [],
+        memberPolicies: Array.isArray(parsed.memberPolicies)
+            ? parsed.memberPolicies.map((entry) => {
+                const role = typeof entry?.role === "string" && entry.role ? entry.role : "member";
+                return {
+                    ...entry,
+                    role,
+                    quota: normalizeQuota(role, entry?.quota),
+                    assetPermissions: normalizeAssetPermissions(role, entry?.assetPermissions, fallback.assetRolePolicies)
+                };
+            })
+            : [],
+        assetRolePolicies: Array.isArray(parsed.assetRolePolicies) &&
+            parsed.assetRolePolicies.length > 0
+            ? parsed.assetRolePolicies
+            : fallback.assetRolePolicies,
+        assets: Array.isArray(parsed.assets) ? parsed.assets : []
+    };
+    return {
+        version: 2,
+        teams: [legacyTeam]
+    };
+}
+async function writeTeamsState(state) {
+    await fs.mkdir(STATE_ROOT, { recursive: true });
+    await writeText(TEAM_STATE_PATH, `${JSON.stringify(state, null, 2)}\n`);
+}
+async function mutateTeamsState(mutator) {
+    const run = teamStateMutationQueue.then(async () => {
+        const state = await readTeamsState();
+        const result = await mutator(state);
+        await writeTeamsState(state);
+        invalidateTeamOverviewCache();
+        return result;
+    });
+    teamStateMutationQueue = run.then(() => undefined, () => undefined);
+    return run;
+}
+async function ensureTeamAssetLayout(teamSlugRaw) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const dirs = [
+        teamRoot(teamSlug),
+        teamAssetsRoot(teamSlug),
+        teamAssetApprovalsDir(teamSlug),
+        teamAssetReleasesDir(teamSlug)
+    ];
+    for (const dir of dirs) {
+        await fs.mkdir(dir, { recursive: true });
+    }
+    const categoryDirs = [
+        "shared-memory",
+        "shared-skills",
+        "shared-workflows",
+        "shared-docs"
+    ];
+    for (const category of categoryDirs) {
+        await fs.mkdir(teamAssetCategoryDir(teamSlug, "drafts", category), { recursive: true });
+        await fs.mkdir(teamAssetCategoryDir(teamSlug, "collab", category), { recursive: true });
+        await fs.mkdir(teamAssetCategoryDir(teamSlug, "current", category), { recursive: true });
+    }
+}
+async function mutateNamedTeamState(teamSlug, mutator) {
+    return mutateTeamsState(async (root) => {
+        const team = findTeamBySlugOrThrow(root, teamSlug);
+        return mutator(team, root);
+    });
+}
+async function readTeamState() {
+    const root = await readTeamsState();
+    return findTeamBySlugOrThrow(root, resolveDefaultTeamSlug(root));
+}
+function findInvitationByIdOrThrow(state, invitationId) {
+    const invitation = state.invitations.find((entry) => entry.id === invitationId);
+    if (!invitation) {
+        throw new HttpError(404, `invitation not found: ${invitationId}`);
+    }
+    return invitation;
+}
+function findInvitationByCodeOrThrow(state, code) {
+    const invitation = state.invitations.find((entry) => entry.code === code);
+    if (!invitation) {
+        throw new HttpError(404, `invitation not found for code: ${code}`);
+    }
+    return invitation;
+}
+function ensurePositiveInteger(name, value) {
+    if (!Number.isInteger(value) || value <= 0) {
+        throw new HttpError(400, `${name} must be a positive integer`);
+    }
+    return value;
+}
+function ensureNonNegativeInteger(name, value) {
+    if (!Number.isInteger(value) || value < 0) {
+        throw new HttpError(400, `${name} must be a non-negative integer`);
+    }
+    return value;
+}
+function defaultQuotaForRole(role) {
+    if (role === "operator") {
+        return {
+            dailyMessages: 500,
+            monthlyMessages: 12000,
+            maxSubagents: 3,
+            maxThinking: "xhigh",
+            allowedModels: ["saymycode/gpt-5.4", "saymycode/gpt-5.1-codex-mini"],
+            status: "active"
+        };
+    }
+    return {
+        dailyMessages: 150,
+        monthlyMessages: 3000,
+        maxSubagents: 1,
+        maxThinking: "medium",
+        allowedModels: ["saymycode/gpt-5.1-codex-mini", "saymycode/gpt-5.4"],
+        status: "active"
+    };
+}
+function defaultAssetPermissionsForRole(role, rolePolicies) {
+    const normalizedRole = String(role || "member").trim().toLowerCase() || "member";
+    const policies = rolePolicies ?? defaultTeamState().assetRolePolicies;
+    const match = policies.find((entry) => entry.role === normalizedRole) ?? policies.find((entry) => entry.role === "member");
+    return {
+        canPropose: match?.canPropose ?? true,
+        canPublishWithoutApproval: match?.publishWithoutApproval ?? false,
+        canApprove: match?.canApprove ?? false
+    };
+}
+function normalizeAssetPermissions(role, input, rolePolicies) {
+    const base = defaultAssetPermissionsForRole(role, rolePolicies);
+    return {
+        canPropose: input?.canPropose ?? base.canPropose,
+        canPublishWithoutApproval: input?.canPublishWithoutApproval ?? base.canPublishWithoutApproval,
+        canApprove: input?.canApprove ?? base.canApprove
+    };
+}
+function normalizeAllowedModels(rawModels) {
+    if (!rawModels) {
+        return undefined;
+    }
+    const models = rawModels.map((entry) => entry.trim()).filter(Boolean);
+    if (!models.length) {
+        throw new HttpError(400, "allowedModels cannot be empty");
+    }
+    return Array.from(new Set(models));
+}
+function buildRuntimeCommands(runtimeDir, composePath, composeProjectName) {
+    const quotedRuntime = `"${runtimeDir}"`;
+    const quotedCompose = `"${composePath}"`;
+    const quotedProject = `"${composeProjectName}"`;
+    return {
+        start: `cd ${quotedRuntime} && sudo -n docker compose -p ${quotedProject} -f ${quotedCompose} up -d`,
+        stop: `cd ${quotedRuntime} && sudo -n docker compose -p ${quotedProject} -f ${quotedCompose} stop`,
+        restart: `cd ${quotedRuntime} && sudo -n docker compose -p ${quotedProject} -f ${quotedCompose} restart`,
+        upgrade: `cd ${quotedRuntime} && sudo -n docker compose -p ${quotedProject} -f ${quotedCompose} up -d --pull always --force-recreate`,
+        logs: `cd ${quotedRuntime} && sudo -n docker compose -p ${quotedProject} -f ${quotedCompose} logs --tail=200`
+    };
+}
+function normalizeQuota(role, input, current) {
+    const base = current ?? defaultQuotaForRole(role);
+    const quota = {
+        dailyMessages: input?.dailyMessages != null ? ensurePositiveInteger("dailyMessages", input.dailyMessages) : base.dailyMessages,
+        monthlyMessages: input?.monthlyMessages != null ? ensurePositiveInteger("monthlyMessages", input.monthlyMessages) : base.monthlyMessages,
+        maxSubagents: input?.maxSubagents != null ? ensureNonNegativeInteger("maxSubagents", input.maxSubagents) : base.maxSubagents,
+        maxThinking: input?.maxThinking ?? base.maxThinking,
+        allowedModels: normalizeAllowedModels(input?.allowedModels) ?? base.allowedModels,
+        status: input?.status ?? base.status
+    };
+    if (!["low", "medium", "high", "xhigh"].includes(quota.maxThinking)) {
+        throw new HttpError(400, "maxThinking must be one of low, medium, high, xhigh");
+    }
+    if (!["active", "paused"].includes(quota.status)) {
+        throw new HttpError(400, "status must be active or paused");
+    }
+    if (quota.monthlyMessages < quota.dailyMessages) {
+        throw new HttpError(400, "monthlyMessages must be greater than or equal to dailyMessages");
+    }
+    return quota;
+}
+async function writeMemberPolicyFile(profile, teamSlug, memberId, policy, invitationCode) {
+    const policyPath = path.join(memberRoot(teamSlug, memberId), "runtime", "config", "team-policy.json");
+    await fs.mkdir(path.dirname(policyPath), { recursive: true });
+    await writeText(policyPath, `${JSON.stringify({
+        team: {
+            name: profile.name,
+            slug: profile.slug,
+            managerLabel: profile.managerLabel
+        },
+        isolation: {
+            runtime: "docker",
+            scope: "member-local"
+        },
+        member: {
+            id: policy.memberId,
+            role: policy.role,
+            invitationId: policy.invitationId ?? null,
+            invitationCode: invitationCode ?? null
+        },
+        quota: policy.quota,
+        policyUpdatedAt: policy.updatedAt
+    }, null, 2)}\n`);
+}
+async function syncManagedMemberLocalPlugin(teamSlug, memberId, pluginId) {
+    const templatePluginPath = path.join(MEMBERS_ROOT, MEMBER_TEMPLATE_ID, "runtime", "config", "local-plugins", pluginId);
+    const targetPluginPath = path.join(memberRoot(teamSlug, memberId), "runtime", "config", "local-plugins", pluginId);
+    if (!(await safeStat(templatePluginPath))) {
+        return;
+    }
+    await fs.mkdir(path.dirname(targetPluginPath), { recursive: true });
+    await fs.rm(targetPluginPath, { recursive: true, force: true });
+    await fs.cp(templatePluginPath, targetPluginPath, { recursive: true, force: true });
+}
+async function syncManagedMemberLocalPlugins(teamSlug, memberId) {
+    await syncManagedMemberLocalPlugin(teamSlug, memberId, "member-quota-guard");
+    await syncManagedMemberLocalPlugin(teamSlug, memberId, "shared-asset-injector");
+    await syncManagedMemberLocalPlugin(teamSlug, memberId, "member-runtime-upgrader");
+}
+async function syncMemberRuntimeConfigFromPolicy(team, memberId, policy) {
+    await syncManagedMemberLocalPlugins(team.profile.slug, memberId);
+    await ensureMemberRuntimeComposeDefaults(team.profile.slug, memberId);
+    await syncMemberGeneratedWorkspaceViews(team.profile.slug, memberId);
+    const configPath = path.join(memberRoot(team.profile.slug, memberId), "runtime", "config", "openclaw.json");
+    const raw = await readText(configPath);
+    const parsed = JSON.parse(raw);
+    const providerId = team.modelGateway.providerId;
+    const primaryModel = `${providerId}/${team.modelGateway.defaultModelId}`;
+    const allowedModels = team.modelGateway.allowedModelIds.map((id) => `${providerId}/${id}`);
+    parsed.agents ??= {};
+    parsed.agents.defaults ??= {};
+    parsed.agents.defaults.model = {
+        primary: primaryModel
+    };
+    parsed.agents.defaults.models = Object.fromEntries(allowedModels.map((modelRef) => [
+        modelRef,
+        {
+            alias: modelRef.split("/")[1] ?? modelRef
+        }
+    ]));
+    if (Array.isArray(parsed.agents.list)) {
+        for (const agent of parsed.agents.list) {
+            if (agent?.id === "main") {
+                agent.model = primaryModel;
+                agent.thinkingDefault = policy.quota.maxThinking;
+            }
+        }
+    }
+    parsed.plugins ??= {};
+    parsed.plugins.entries ??= {};
+    parsed.plugins.entries["member-quota-guard"] ??= {
+        enabled: true,
+        config: {}
+    };
+    parsed.plugins.entries["member-quota-guard"].enabled = true;
+    parsed.plugins.entries["member-quota-guard"].config = {
+        policyPath: "/home/node/.openclaw/team-policy.json",
+        usagePath: "/home/node/.openclaw/team-usage.json"
+    };
+    parsed.plugins.entries["shared-asset-injector"] ??= {
+        enabled: true,
+        config: {}
+    };
+    parsed.plugins.entries["shared-asset-injector"].enabled = true;
+    parsed.plugins.entries["shared-asset-injector"].hooks = {
+        ...(typeof parsed.plugins.entries["shared-asset-injector"].hooks === "object" &&
+            parsed.plugins.entries["shared-asset-injector"].hooks
+            ? parsed.plugins.entries["shared-asset-injector"].hooks
+            : {}),
+        allowPromptInjection: true
+    };
+    parsed.plugins.entries["shared-asset-injector"].config = {
+        assetServerBaseUrl: `http://host.docker.internal:4318/api/teams/${team.profile.slug}/asset-server`,
+        assetServerToken: team.modelGateway.token,
+        workspaceRoot: "/home/node/.openclaw/workspace",
+        statePath: "/home/node/.openclaw/shared-assets-state.json",
+        syncTtlMs: 30000,
+        resolveLimitPerKind: 2
+    };
+    parsed.plugins.entries["member-runtime-upgrader"] ??= {
+        enabled: true,
+        config: {}
+    };
+    parsed.plugins.entries["member-runtime-upgrader"].enabled = true;
+    parsed.plugins.entries["member-runtime-upgrader"].config = {
+        apiBaseUrl: `http://host.docker.internal:${process.env.PORT || 4318}`,
+        teamSlug: team.profile.slug,
+        memberId
+    };
+    parsed.plugins.load ??= {};
+    parsed.plugins.load.paths = Array.from(new Set([
+        ...(Array.isArray(parsed.plugins.load.paths) ? parsed.plugins.load.paths : []),
+        "/home/node/.openclaw/local-plugins/member-quota-guard",
+        "/home/node/.openclaw/local-plugins/shared-asset-injector",
+        "/home/node/.openclaw/local-plugins/member-runtime-upgrader"
+    ]));
+    parsed.tools ??= {};
+    parsed.tools.alsoAllow = Array.from(new Set([...(Array.isArray(parsed.tools.alsoAllow) ? parsed.tools.alsoAllow : []), "read"]));
+    parsed.tools.fs = {
+        ...(typeof parsed.tools.fs === "object" && parsed.tools.fs ? parsed.tools.fs : {}),
+        workspaceOnly: true
+    };
+    if (typeof parsed.mcp === "object" && parsed.mcp) {
+        const nextMcp = { ...parsed.mcp };
+        if (typeof nextMcp.servers === "object" && nextMcp.servers) {
+            const nextServers = { ...nextMcp.servers };
+            for (const key of Object.keys(nextServers)) {
+                if (key.startsWith("team-shared-")) {
+                    delete nextServers[key];
+                }
+            }
+            if (Object.keys(nextServers).length) {
+                nextMcp.servers = nextServers;
+            }
+            else {
+                delete nextMcp.servers;
+            }
+        }
+        if (Object.keys(nextMcp).length) {
+            parsed.mcp = nextMcp;
+        }
+        else {
+            delete parsed.mcp;
+        }
+    }
+    parsed.models = {
+        providers: {
+            [providerId]: {
+                baseUrl: `http://host.docker.internal:4318/api/teams/${team.profile.slug}/model-gateway/v1`,
+                apiKey: team.modelGateway.token,
+                api: "openai-completions",
+                request: {
+                    headers: {
+                        "User-Agent": "curl/8.5.0",
+                        "Accept": "*/*"
+                    }
+                },
+                models: team.modelGateway.allowedModelIds.map((id) => ({
+                    id,
+                    name: id,
+                    reasoning: true,
+                    input: ["text", "image"],
+                    contextWindow: id === "gpt-5.4" ? 272000 : 400000
+                }))
+            }
+        }
+    };
+    await writeText(configPath, `${JSON.stringify(parsed, null, 2)}\n`);
+    await syncGeneratedSharedMemoryFile(team.profile.slug, memberRuntimeWorkspaceRoot(team.profile.slug, memberId));
+    await syncGeneratedSharedWorkflowSkills(team.profile.slug, path.join(memberRuntimeWorkspaceRoot(team.profile.slug, memberId), "skills"));
+}
+async function applyAcceptedInviteChannelConfig(teamSlugRaw, memberIdRaw, channel, botToken) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const memberId = validateMemberId(memberIdRaw);
+    const configPath = path.join(memberRoot(teamSlug, memberId), "runtime", "config", "openclaw.json");
+    const secretsDir = path.join(memberRoot(teamSlug, memberId), "runtime", "secrets");
+    const raw = await readText(configPath);
+    const parsed = JSON.parse(raw);
+    parsed.channels = {};
+    if (channel.kind === "telegram") {
+        if (botToken?.trim()) {
+            await writeSecretText(path.join(secretsDir, "telegram-bot-token"), `${validateTelegramBotToken(botToken)}\n`);
+        }
+        const accessMode = channel.accessMode === "open" ? "open" : "allowlist";
+        parsed.channels.telegram = {
+            enabled: true,
+            tokenFile: "/home/node/.openclaw/secrets/telegram-bot-token",
+            dmPolicy: accessMode,
+            allowFrom: accessMode === "open" ? ["*"] : [channel.handle],
+            groupPolicy: "disabled"
+        };
+    }
+    else if (channel.kind === "discord") {
+        parsed.channels.discord = {
+            enabled: true,
+            token: validateDiscordBotToken(botToken ?? ""),
+            dmPolicy: "allowlist",
+            allowFrom: [channel.handle],
+            groupPolicy: "allowlist"
+        };
+    }
+    else {
+        parsed.channels.whatsapp = {
+            dmPolicy: "allowlist",
+            allowFrom: [channel.handle],
+            groupPolicy: "allowlist",
+            groupAllowFrom: [channel.handle],
+            selfChatMode: Boolean(channel.selfChatMode)
+        };
+    }
+    await writeText(configPath, `${JSON.stringify(parsed, null, 2)}\n`);
+}
+export async function configureMemberChannelForTeam(teamSlugRaw, memberIdRaw, input) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const memberId = validateMemberId(memberIdRaw);
+    const member = await getMemberByIdForTeam(teamSlug, memberId);
+    if (!member) {
+        throw new HttpError(404, `member not found in team ${teamSlug}: ${memberId}`);
+    }
+    const resolvedChannel = resolveAcceptedInviteChannel({
+        telegramUserId: input.telegramUserId,
+        channelKind: input.channelKind,
+        channelHandle: input.channelHandle,
+        botToken: input.botToken,
+        whatsappSelfChatMode: input.whatsappSelfChatMode
+    });
+    if (!resolvedChannel.setup) {
+        throw new HttpError(400, "channel configuration is incomplete");
+    }
+    await applyAcceptedInviteChannelConfig(teamSlug, memberId, resolvedChannel.setup, resolvedChannel.botToken);
+    invalidateTeamOverviewCache(teamSlug);
+    return getMemberRuntimeStatus(teamSlug, memberId);
+}
+async function getUsedMemberPorts() {
+    const root = await readTeamsState();
+    const ports = new Set();
+    await Promise.all(root.teams.map(async (team) => {
+        const members = await getMembersForTeam(team.profile.slug);
+        await Promise.all(members.map(async (member) => {
+            const composePath = path.join(ROOT, member.path, "runtime", "docker-compose.yml");
+            const stat = await safeStat(composePath);
+            if (!stat) {
+                return;
+            }
+            const compose = await readText(composePath);
+            const match = compose.match(/127\.0\.0\.1:(\d+):18789/);
+            if (match) {
+                ports.add(Number(match[1]));
+            }
+        }));
+    }));
+    return ports;
+}
+async function resolveMemberPort(requestedPort) {
+    const usedPorts = await getUsedMemberPorts();
+    if (requestedPort != null) {
+        if (!Number.isInteger(requestedPort) || requestedPort < 1024 || requestedPort > 65535) {
+            throw new HttpError(400, "port must be an integer between 1024 and 65535");
+        }
+        if (usedPorts.has(requestedPort)) {
+            throw new HttpError(409, `port already in use by another member runtime: ${requestedPort}`);
+        }
+        return requestedPort;
+    }
+    let port = DEFAULT_MEMBER_PORT;
+    while (usedPorts.has(port)) {
+        port += 1;
+    }
+    return port;
+}
+async function writeGitkeep(directoryPath) {
+    await fs.mkdir(directoryPath, { recursive: true });
+    await writeText(path.join(directoryPath, ".gitkeep"), "");
+}
+function slugifyAssetName(rawValue) {
+    return rawValue
+        .trim()
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "")
+        .slice(0, 80);
+}
+function resolveMemberAssetPermissions(team, memberId, fallbackRole = "manager") {
+    if (!memberId) {
+        return {
+            role: fallbackRole,
+            permissions: defaultAssetPermissionsForRole(fallbackRole, team.assetRolePolicies)
+        };
+    }
+    const memberPolicy = team.memberPolicies.find((entry) => entry.memberId === memberId);
+    if (!memberPolicy) {
+        const normalizedActor = String(memberId).trim().toLowerCase();
+        const privilegedRoles = new Set(["owner", "manager", "operator", "publisher", "contributor", "viewer", "member"]);
+        if (privilegedRoles.has(normalizedActor)) {
+            return {
+                role: normalizedActor,
+                permissions: defaultAssetPermissionsForRole(normalizedActor, team.assetRolePolicies)
+            };
+        }
+    }
+    const role = memberPolicy?.role ?? "member";
+    return {
+        role,
+        permissions: memberPolicy?.assetPermissions ?? defaultAssetPermissionsForRole(role, team.assetRolePolicies)
+    };
+}
+function resolveAssetFileExtension(category) {
+    return category === "shared-tools" ? ".json" : ".md";
+}
+async function writeTeamAssetSourceFile(params) {
+    const targetPath = path.join(teamAssetCategoryDir(params.teamSlug, params.sourceZone, params.category), params.fileName);
+    await fs.mkdir(path.dirname(targetPath), { recursive: true });
+    await writeText(targetPath, params.content);
+    return path.relative(ROOT, targetPath);
+}
+async function writeTeamAssetApprovalMarker(params) {
+    const targetPath = path.join(teamAssetApprovalsDir(params.teamSlug), `${params.assetId}.json`);
+    await fs.mkdir(path.dirname(targetPath), { recursive: true });
+    await writeText(targetPath, `${JSON.stringify({
+        assetId: params.assetId,
+        title: params.title,
+        category: params.category
+    }, null, 2)}\n`);
+    return path.relative(ROOT, targetPath);
+}
+async function publishTeamAssetRecord(params) {
+    const releaseId = new Date().toISOString().replace(/[-:]/g, "").replace(/\.\d{3}Z$/, "Z");
+    const sourceAbsolute = path.join(ROOT, params.asset.sourcePath);
+    const content = await readText(sourceAbsolute);
+    const releasePath = path.join(teamAssetReleasesDir(params.team.profile.slug), releaseId, params.asset.category, params.asset.filename);
+    const currentPath = path.join(teamAssetCategoryDir(params.team.profile.slug, "current", params.asset.category), params.asset.filename);
+    await fs.mkdir(path.dirname(releasePath), { recursive: true });
+    await fs.mkdir(path.dirname(currentPath), { recursive: true });
+    await writeText(releasePath, content);
+    await writeText(currentPath, content);
+    params.asset.status = "published";
+    params.asset.updatedAt = nowIso();
+    params.asset.publishedAt = params.asset.updatedAt;
+    params.asset.publishedBy = params.actorId;
+    params.asset.releaseId = releaseId;
+    params.asset.publishedPath = path.relative(ROOT, releasePath);
+    params.asset.currentPath = path.relative(ROOT, currentPath);
+    params.asset.approvalPath = undefined;
+    const approvalMarker = path.join(teamAssetApprovalsDir(params.team.profile.slug), `${params.asset.id}.json`);
+    if (await fileExists(approvalMarker)) {
+        await fs.rm(approvalMarker, { force: true });
+    }
+    if (params.asset.category === "shared-skills") {
+        await syncGeneratedWorkspaceViewsForTeamMembers(params.team.profile.slug);
+    }
+}
+function assetKindFromCategory(category) {
+    switch (category) {
+        case "shared-skills":
+            return "skills";
+        case "shared-memory":
+            return "memory";
+        case "shared-tools":
+            return null;
+        case "shared-workflows":
+            return "workflows";
+        case "shared-docs":
+        default:
+            return "docs";
+    }
+}
+const ASSET_SERVER_KINDS = ["skills", "memory", "workflows", "docs"];
+const ASSET_MATCH_STOP_WORDS = new Set([
+    "the",
+    "and",
+    "for",
+    "with",
+    "from",
+    "this",
+    "that",
+    "into",
+    "your",
+    "team",
+    "shared",
+    "asset",
+    "assets",
+    "skill",
+    "skills",
+    "memory",
+    "workflow",
+    "workflows",
+    "docs",
+    "doc",
+    "file",
+    "files",
+    "about",
+    "have",
+    "will",
+    "should",
+    "would",
+    "just",
+    "then",
+    "than",
+    "when",
+    "what",
+    "where",
+    "which",
+    "while",
+    "also",
+    "using",
+    "used",
+    "use",
+    "able",
+    "make",
+    "need",
+    "needs"
+]);
+function summarizeAssetContent(content, fallback) {
+    const line = content
+        .split("\n")
+        .map((entry) => entry.trim())
+        .find(Boolean);
+    if (!line) {
+        return fallback;
+    }
+    return line.replace(/^#+\s*/, "").slice(0, 160);
+}
+function parseFrontmatterListValue(rawValue) {
+    const trimmed = rawValue.trim();
+    const normalized = trimmed.startsWith("[") && trimmed.endsWith("]")
+        ? trimmed.slice(1, -1)
+        : trimmed;
+    return normalized
+        .split(",")
+        .map((entry) => entry.trim().replace(/^['"]|['"]$/g, ""))
+        .filter(Boolean);
+}
+function parseSimpleFrontmatter(content) {
+    if (!content.startsWith("---\n")) {
+        return null;
+    }
+    const closingIndex = content.indexOf("\n---\n", 4);
+    if (closingIndex < 0) {
+        return null;
+    }
+    const header = content.slice(4, closingIndex);
+    const data = {};
+    for (const line of header.split("\n")) {
+        const match = line.match(/^([A-Za-z0-9_-]+):\s*(.+)$/);
+        if (!match) {
+            continue;
+        }
+        const [, keyRaw, valueRaw] = match;
+        const key = keyRaw.trim();
+        const value = valueRaw.trim();
+        if (/^\[.*\]$/.test(value) || value.includes(",")) {
+            data[key] = parseFrontmatterListValue(value);
+        }
+        else {
+            data[key] = value.replace(/^['"]|['"]$/g, "");
+        }
+    }
+    return {
+        data,
+        body: content.slice(closingIndex + "\n---\n".length)
+    };
+}
+function capabilityDefaultsForKind(kind) {
+    switch (kind) {
+        case "skills":
+            return {
+                role: "instruction",
+                consumptionMode: "skill",
+                baseCapabilities: ["guide", "apply", "execute"],
+                defaultHint: "Use when the agent needs reusable instructions for a concrete task."
+            };
+        case "memory":
+            return {
+                role: "knowledge",
+                consumptionMode: "retrieval",
+                baseCapabilities: ["recall", "inform", "prioritize"],
+                defaultHint: "Use when persistent team knowledge should shape the response or decision."
+            };
+        case "workflows":
+            return {
+                role: "process",
+                consumptionMode: "workflow",
+                baseCapabilities: ["coordinate", "sequence", "repeat"],
+                defaultHint: "Use when the task should follow a repeatable multi-step process."
+            };
+        case "docs":
+        default:
+            return {
+                role: "reference",
+                consumptionMode: "reference",
+                baseCapabilities: ["reference", "ground", "clarify"],
+                defaultHint: "Use when the agent needs reference material, guidance, or context."
+            };
+    }
+}
+function buildAssetCapabilityProfile(params) {
+    const frontmatter = parseSimpleFrontmatter(params.content);
+    const header = frontmatter?.data ?? {};
+    const defaults = capabilityDefaultsForKind(params.kind);
+    const fallbackKeywords = topKeywordsFromText(params.title, params.filename, params.summary, params.content.slice(0, 4000));
+    const fromHeader = (key) => {
+        const value = header[key];
+        if (Array.isArray(value)) {
+            return value.map((entry) => String(entry).trim()).filter(Boolean);
+        }
+        if (typeof value === "string" && value.trim()) {
+            return parseFrontmatterListValue(value);
+        }
+        return [];
+    };
+    const capabilities = Array.from(new Set([
+        ...fromHeader("capabilities"),
+        ...defaults.baseCapabilities,
+        ...fallbackKeywords.slice(0, 3)
+    ])).slice(0, 8);
+    const tags = Array.from(new Set([...fromHeader("tags"), ...fallbackKeywords.slice(0, 6)])).slice(0, 10);
+    const triggerTerms = Array.from(new Set([
+        ...fromHeader("triggers"),
+        ...fromHeader("triggerTerms"),
+        ...fallbackKeywords.slice(0, 8)
+    ])).slice(0, 12);
+    const activationHints = Array.from(new Set([
+        ...fromHeader("activationHints"),
+        ...fromHeader("whenToUse"),
+        ...fromHeader("useCases"),
+        defaults.defaultHint
+    ])).slice(0, 5);
+    const roleRaw = typeof header.role === "string" ? header.role.trim().toLowerCase() : "";
+    const role = (["instruction", "knowledge", "integration", "process", "reference"].includes(roleRaw)
+        ? roleRaw
+        : defaults.role);
+    const consumptionRaw = typeof header.consumptionMode === "string" ? header.consumptionMode.trim().toLowerCase() : "";
+    const consumptionMode = (["skill", "retrieval", "integration", "workflow", "reference"].includes(consumptionRaw)
+        ? consumptionRaw
+        : defaults.consumptionMode);
+    return {
+        role,
+        consumptionMode,
+        capabilities,
+        tags,
+        activationHints,
+        triggerTerms
+    };
+}
+function normalizeCapabilityRole(rawValue, fallback) {
+    const normalized = String(rawValue || "").trim().toLowerCase();
+    if (["instruction", "knowledge", "integration", "process", "reference"].includes(normalized)) {
+        return normalized;
+    }
+    return fallback;
+}
+function normalizeConsumptionMode(rawValue, fallback) {
+    const normalized = String(rawValue || "").trim().toLowerCase();
+    if (["skill", "retrieval", "integration", "workflow", "reference"].includes(normalized)) {
+        return normalized;
+    }
+    return fallback;
+}
+function normalizeListInput(rawValues) {
+    return Array.from(new Set((rawValues ?? [])
+        .map((entry) => String(entry || "").trim())
+        .filter(Boolean)));
+}
+function prependCapabilityFrontmatter(params) {
+    const kind = assetKindFromCategory(params.category) ?? "docs";
+    const defaults = capabilityDefaultsForKind(kind);
+    const role = normalizeCapabilityRole(params.capabilityRole, defaults.role);
+    const consumptionMode = normalizeConsumptionMode(params.consumptionMode, defaults.consumptionMode);
+    const capabilities = normalizeListInput(params.capabilityList);
+    const tags = normalizeListInput(params.tagList);
+    const activationHints = normalizeListInput(params.activationHintList);
+    const triggerTerms = normalizeListInput(params.triggerTermList);
+    if (!capabilities.length && !tags.length && !activationHints.length && !triggerTerms.length &&
+        role === defaults.role && consumptionMode === defaults.consumptionMode) {
+        return params.content.trim();
+    }
+    const body = params.content.trim();
+    const frontmatterLines = [
+        "---",
+        `role: ${role}`,
+        `consumptionMode: ${consumptionMode}`
+    ];
+    if (capabilities.length) {
+        frontmatterLines.push(`capabilities: [${capabilities.map((entry) => JSON.stringify(entry)).join(", ")}]`);
+    }
+    if (tags.length) {
+        frontmatterLines.push(`tags: [${tags.map((entry) => JSON.stringify(entry)).join(", ")}]`);
+    }
+    if (activationHints.length) {
+        frontmatterLines.push(`activationHints: [${activationHints.map((entry) => JSON.stringify(entry)).join(", ")}]`);
+    }
+    if (triggerTerms.length) {
+        frontmatterLines.push(`triggerTerms: [${triggerTerms.map((entry) => JSON.stringify(entry)).join(", ")}]`);
+    }
+    frontmatterLines.push("---", "", body);
+    return frontmatterLines.join("\n");
+}
+function tokenizeAssetText(value) {
+    return String(value || "")
+        .toLowerCase()
+        .normalize("NFKC")
+        .replace(/[^\p{L}\p{N}]+/gu, " ")
+        .split(/\s+/)
+        .map((entry) => entry.trim())
+        .filter((entry) => entry && entry.length >= 3 && !ASSET_MATCH_STOP_WORDS.has(entry));
+}
+function topKeywordsFromText(...parts) {
+    const frequencies = new Map();
+    for (const part of parts) {
+        for (const token of tokenizeAssetText(part)) {
+            frequencies.set(token, (frequencies.get(token) ?? 0) + 1);
+        }
+    }
+    return [...frequencies.entries()]
+        .sort((left, right) => right[1] - left[1] || left[0].localeCompare(right[0]))
+        .slice(0, 24)
+        .map(([token]) => token);
+}
+function emptyAssetKindRecord(factory) {
+    return {
+        skills: factory(),
+        memory: factory(),
+        workflows: factory(),
+        docs: factory()
+    };
+}
+function scoreAssetMatch(query, item) {
+    const queryTokens = Array.from(new Set(tokenizeAssetText(query)));
+    if (!queryTokens.length) {
+        return null;
+    }
+    const titleTokens = new Set(tokenizeAssetText(item.title));
+    const summaryTokens = new Set(tokenizeAssetText(item.summary));
+    const filenameTokens = new Set(tokenizeAssetText(item.filename.replace(/\.[^.]+$/, "")));
+    const keywordTokens = new Set([
+        ...item.keywords,
+        ...item.capability.tags,
+        ...item.capability.capabilities,
+        ...item.capability.triggerTerms
+    ]);
+    const hintTokens = new Set(tokenizeAssetText(item.capability.activationHints.join(" ")));
+    const matchedTerms = new Set();
+    let score = 0;
+    for (const token of queryTokens) {
+        let matched = false;
+        if (titleTokens.has(token)) {
+            score += 7;
+            matched = true;
+        }
+        if (summaryTokens.has(token)) {
+            score += 4;
+            matched = true;
+        }
+        if (filenameTokens.has(token)) {
+            score += 3;
+            matched = true;
+        }
+        if (keywordTokens.has(token)) {
+            score += 2;
+            matched = true;
+        }
+        if (hintTokens.has(token)) {
+            score += 1;
+            matched = true;
+        }
+        if (matched) {
+            matchedTerms.add(token);
+        }
+    }
+    if (!score || !matchedTerms.size) {
+        return null;
+    }
+    return {
+        score,
+        matchedTerms: [...matchedTerms]
+    };
+}
+async function buildAssetServerBundleForTeam(teamSlugRaw) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const root = await readTeamsState();
+    const team = findTeamBySlugOrThrow(root, teamSlug);
+    const publishedAssets = [...team.assets]
+        .filter((asset) => asset.status === "published")
+        .sort((left, right) => left.updatedAt.localeCompare(right.updatedAt));
+    const items = [];
+    for (const asset of publishedAssets) {
+        const kind = assetKindFromCategory(asset.category);
+        if (!kind) {
+            continue;
+        }
+        const contentPath = asset.currentPath ?? asset.publishedPath ?? asset.sourcePath;
+        const content = await readText(path.join(ROOT, contentPath));
+        const summary = summarizeAssetContent(content, asset.title);
+        items.push({
+            id: asset.id,
+            kind,
+            category: asset.category,
+            title: asset.title,
+            filename: asset.filename,
+            updatedAt: asset.updatedAt,
+            contentHash: crypto.createHash("sha256").update(content).digest("hex"),
+            summary,
+            keywords: topKeywordsFromText(asset.title, asset.filename, content.slice(0, 4000)),
+            capability: buildAssetCapabilityProfile({
+                kind,
+                title: asset.title,
+                filename: asset.filename,
+                content,
+                summary
+            }),
+            content,
+            currentPath: asset.currentPath,
+            publishedPath: asset.publishedPath
+        });
+    }
+    const counts = {
+        skills: 0,
+        memory: 0,
+        workflows: 0,
+        docs: 0
+    };
+    for (const item of items) {
+        counts[item.kind] += 1;
+    }
+    const manifestHash = crypto
+        .createHash("sha256")
+        .update(JSON.stringify(items.map((item) => [item.id, item.kind, item.updatedAt, item.contentHash])))
+        .digest("hex");
+    return {
+        team: {
+            slug: team.profile.slug,
+            name: team.profile.name
+        },
+        generatedAt: nowIso(),
+        manifestHash,
+        counts,
+        items: items.map(({ content: _content, ...rest }) => rest),
+        byKind: {
+            skills: items.filter((item) => item.kind === "skills"),
+            memory: items.filter((item) => item.kind === "memory"),
+            workflows: items.filter((item) => item.kind === "workflows"),
+            docs: items.filter((item) => item.kind === "docs")
+        }
+    };
+}
+export async function getTeamAssetServerManifestBySlug(teamSlugRaw) {
+    const bundle = await buildAssetServerBundleForTeam(teamSlugRaw);
+    return {
+        team: bundle.team,
+        generatedAt: bundle.generatedAt,
+        manifestHash: bundle.manifestHash,
+        counts: bundle.counts,
+        items: bundle.items
+    };
+}
+export async function getTeamAssetServerBundleBySlug(teamSlugRaw) {
+    return buildAssetServerBundleForTeam(teamSlugRaw);
+}
+export async function getTeamAssetCapabilityRegistryBySlug(teamSlugRaw) {
+    const bundle = await buildAssetServerBundleForTeam(teamSlugRaw);
+    return {
+        team: bundle.team,
+        generatedAt: bundle.generatedAt,
+        manifestHash: bundle.manifestHash,
+        counts: bundle.counts,
+        byKind: {
+            skills: bundle.byKind.skills.map(({ content: _content, ...rest }) => rest),
+            memory: bundle.byKind.memory.map(({ content: _content, ...rest }) => rest),
+            workflows: bundle.byKind.workflows.map(({ content: _content, ...rest }) => rest),
+            docs: bundle.byKind.docs.map(({ content: _content, ...rest }) => rest)
+        }
+    };
+}
+export async function getTeamAssetServerItemById(teamSlugRaw, assetId) {
+    const bundle = await buildAssetServerBundleForTeam(teamSlugRaw);
+    for (const kind of ASSET_SERVER_KINDS) {
+        const match = bundle.byKind[kind].find((item) => item.id === assetId);
+        if (match) {
+            return match;
+        }
+    }
+    throw new HttpError(404, `shared asset not found: ${assetId}`);
+}
+export async function resolveTeamAssetServerMatchesBySlug(teamSlugRaw, input) {
+    const query = String(input.query || "").trim();
+    if (!query) {
+        throw new HttpError(400, "asset resolve query is required");
+    }
+    const bundle = await buildAssetServerBundleForTeam(teamSlugRaw);
+    const requestedKinds = Array.isArray(input.kinds) && input.kinds.length
+        ? input.kinds.filter((kind) => ASSET_SERVER_KINDS.includes(kind))
+        : ASSET_SERVER_KINDS;
+    const allowedKinds = new Set(requestedKinds);
+    const limitPerKind = Math.max(1, Math.min(6, Number(input.limitPerKind) || 2));
+    const matches = emptyAssetKindRecord(() => []);
+    for (const item of bundle.items) {
+        if (!allowedKinds.has(item.kind)) {
+            continue;
+        }
+        const scored = scoreAssetMatch(query, item);
+        if (!scored) {
+            continue;
+        }
+        matches[item.kind].push({
+            ...item,
+            score: scored.score,
+            matchedTerms: scored.matchedTerms
+        });
+    }
+    for (const kind of ASSET_SERVER_KINDS) {
+        matches[kind] = matches[kind]
+            .sort((left, right) => right.score - left.score || right.updatedAt.localeCompare(left.updatedAt))
+            .slice(0, limitPerKind);
+    }
+    return {
+        team: bundle.team,
+        generatedAt: nowIso(),
+        query,
+        matches
+    };
+}
+export async function createTeamAssetProposal(input) {
+    return mutateNamedTeamState(input.teamSlug, async (team) => {
+        await ensureTeamAssetLayout(team.profile.slug);
+        const title = input.title.trim();
+        const content = prependCapabilityFrontmatter({
+            category: input.category,
+            content: input.content,
+            capabilityRole: input.capabilityRole,
+            consumptionMode: input.consumptionMode,
+            capabilityList: input.capabilityList,
+            tagList: input.tagList,
+            activationHintList: input.activationHintList,
+            triggerTermList: input.triggerTermList
+        }).trim();
+        if (!title) {
+            throw new HttpError(400, "asset title is required");
+        }
+        if (!content) {
+            throw new HttpError(400, "asset content is required");
+        }
+        const actor = resolveMemberAssetPermissions(team, input.submittedByMemberId, "manager");
+        if (!actor.permissions.canPropose) {
+            throw new HttpError(403, `member cannot propose shared assets: ${input.submittedByMemberId}`);
+        }
+        const submittedBy = input.submittedByMemberId?.trim() || input.submittedByLabel?.trim() || "manager";
+        const fileStem = slugifyAssetName(title) || `asset-${crypto.randomUUID().slice(0, 8)}`;
+        const fileName = `${fileStem}${resolveAssetFileExtension(input.category)}`;
+        const sourceZone = input.sourceZone ?? "collab";
+        const createdAt = nowIso();
+        const initialStatus = sourceZone === "drafts"
+            ? "draft"
+            : actor.permissions.canPublishWithoutApproval
+                ? "approved"
+                : "pending_approval";
+        const asset = {
+            id: crypto.randomUUID(),
+            teamSlug: team.profile.slug,
+            category: input.category,
+            title,
+            filename: fileName,
+            submittedBy,
+            role: actor.role,
+            sourceZone,
+            status: initialStatus,
+            visibility: "team",
+            approvalRequired: sourceZone === "drafts" ? false : !actor.permissions.canPublishWithoutApproval,
+            note: input.note?.trim() || undefined,
+            submittedAt: createdAt,
+            updatedAt: createdAt,
+            sourcePath: ""
+        };
+        asset.sourcePath = await writeTeamAssetSourceFile({
+            teamSlug: team.profile.slug,
+            sourceZone,
+            category: input.category,
+            fileName,
+            content
+        });
+        if (asset.approvalRequired) {
+            asset.approvalPath = await writeTeamAssetApprovalMarker({
+                teamSlug: team.profile.slug,
+                assetId: asset.id,
+                title: asset.title,
+                category: asset.category
+            });
+        }
+        else if (asset.status === "approved") {
+            asset.approvedAt = createdAt;
+            asset.approvedBy = submittedBy;
+            await publishTeamAssetRecord({
+                team,
+                asset,
+                actorId: submittedBy
+            });
+        }
+        team.assets.unshift(asset);
+        return { asset, changed: true };
+    });
+}
+export async function approveTeamAssetProposal(input) {
+    return mutateNamedTeamState(input.teamSlug, async (team) => {
+        const actor = resolveMemberAssetPermissions(team, input.approvedByMemberId, "manager");
+        if (!actor.permissions.canApprove) {
+            throw new HttpError(403, `member cannot approve shared assets: ${input.approvedByMemberId}`);
+        }
+        const asset = team.assets.find((entry) => entry.id === input.assetId);
+        if (!asset) {
+            throw new HttpError(404, `asset not found: ${input.assetId}`);
+        }
+        if (asset.status !== "pending_approval" && asset.status !== "approved") {
+            throw new HttpError(409, `asset is not awaiting approval: ${asset.id}`);
+        }
+        asset.status = "approved";
+        asset.approvedAt = nowIso();
+        asset.approvedBy = input.approvedByMemberId;
+        await publishTeamAssetRecord({
+            team,
+            asset,
+            actorId: input.approvedByMemberId
+        });
+        return { asset, changed: true };
+    });
+}
+export async function rejectTeamAssetProposal(input) {
+    return mutateNamedTeamState(input.teamSlug, async (team) => {
+        const actor = resolveMemberAssetPermissions(team, input.rejectedByMemberId, "manager");
+        if (!actor.permissions.canApprove) {
+            throw new HttpError(403, `member cannot reject shared assets: ${input.rejectedByMemberId}`);
+        }
+        const asset = team.assets.find((entry) => entry.id === input.assetId);
+        if (!asset) {
+            throw new HttpError(404, `asset not found: ${input.assetId}`);
+        }
+        asset.status = "rejected";
+        asset.updatedAt = nowIso();
+        asset.rejectedAt = asset.updatedAt;
+        asset.rejectedBy = input.rejectedByMemberId;
+        asset.rejectionReason = input.reason?.trim() || undefined;
+        return { asset, changed: true };
+    });
+}
+export async function promoteTeamAsset(teamSlug, assetId, actorId) {
+    return mutateNamedTeamState(teamSlug, async (team) => {
+        const actor = resolveMemberAssetPermissions(team, actorId, "manager");
+        if (!actor.permissions.canPromote && !actor.permissions.canApprove) {
+            throw new HttpError(403, `member cannot promote shared assets: ${actorId}`);
+        }
+        const asset = team.assets.find((entry) => entry.id === assetId);
+        if (!asset) {
+            throw new HttpError(404, `asset not found: ${assetId}`);
+        }
+        asset.approvedAt = nowIso();
+        asset.approvedBy = actorId;
+        await publishTeamAssetRecord({
+            team,
+            asset,
+            actorId
+        });
+        return { asset, changed: true };
+    });
+}
+async function listEntries(targetPath) {
+    try {
+        const entries = await fs.readdir(targetPath, { withFileTypes: true });
+        const mapped = await Promise.all(entries
+            .filter((entry) => !entry.name.startsWith("."))
+            .sort((a, b) => a.name.localeCompare(b.name))
+            .map(async (entry) => {
+            const fullPath = path.join(targetPath, entry.name);
+            const stat = entry.isDirectory() ? null : await safeStat(fullPath);
+            return {
+                name: entry.name,
+                path: path.relative(ROOT, fullPath),
+                type: entry.isDirectory() ? "directory" : "file",
+                size: stat?.size
+            };
+        }));
+        return mapped;
+    }
+    catch {
+        return [];
+    }
+}
+async function buildBucket(basePath, key, label) {
+    const bucketPath = path.join(basePath, key);
+    const exists = Boolean(await safeStat(bucketPath));
+    return {
+        key,
+        label,
+        path: path.relative(ROOT, bucketPath),
+        exists,
+        files: exists ? await listEntries(bucketPath) : []
+    };
+}
+async function listMemberSummariesForTeam(teamSlugRaw) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const membersDir = teamMembersRoot(teamSlug);
+    const rootStat = await safeStat(membersDir);
+    if (!rootStat) {
+        return [];
+    }
+    const entries = await fs.readdir(membersDir, { withFileTypes: true });
+    const memberDirs = entries
+        .filter((entry) => entry.isDirectory() && !entry.name.startsWith(".") && !RESERVED_MEMBER_DIR_NAMES.has(entry.name))
+        .sort((a, b) => a.name.localeCompare(b.name));
+    return Promise.all(memberDirs.map(async (entry) => {
+        const memberPath = path.join(membersDir, entry.name);
+        const runtimePath = path.join(memberPath, "runtime");
+        const composePath = path.join(runtimePath, "docker-compose.yml");
+        const configPath = path.join(runtimePath, "config", "openclaw.json");
+        return {
+            id: entry.name,
+            path: path.relative(ROOT, memberPath),
+            hasRuntime: Boolean(await safeStat(runtimePath)),
+            hasComposeFile: Boolean(await safeStat(composePath)),
+            hasConfigFile: Boolean(await safeStat(configPath))
+        };
+    }));
+}
+function normalizePage(value, fallback = 1) {
+    if (!Number.isInteger(value) || value == null || value < 1) {
+        return fallback;
+    }
+    return value;
+}
+function paginateItems(items, pageRaw, pageSizeRaw, fallbackPageSize) {
+    const pageSize = Math.max(1, normalizePage(pageSizeRaw, fallbackPageSize));
+    const total = items.length;
+    const totalPages = Math.max(1, Math.ceil(total / pageSize));
+    const page = Math.min(normalizePage(pageRaw, 1), totalPages);
+    const start = (page - 1) * pageSize;
+    return {
+        items: items.slice(start, start + pageSize),
+        page,
+        pageSize,
+        total,
+        totalPages,
+        query: ""
+    };
+}
+export async function getTeamAssets() {
+    const teamRoot = path.join(ROOT, "team-assets");
+    const snapshotRoot = path.join(ROOT, "shared-snapshots");
+    return {
+        root: ROOT,
+        teamRoot: path.relative(ROOT, teamRoot),
+        snapshotRoot: path.relative(ROOT, snapshotRoot),
+        teamAssets: await Promise.all(TEAM_BUCKETS.map(([key, label]) => buildBucket(teamRoot, key, label))),
+        sharedSnapshots: await Promise.all(SNAPSHOT_BUCKETS.map(([key, label]) => buildBucket(snapshotRoot, key, label)))
+    };
+}
+export async function getTeamsCatalog() {
+    const root = await readTeamsState();
+    return Promise.all(root.teams.map(async (team) => {
+        const members = await listMemberSummariesForTeam(team.profile.slug);
+        return {
+            profile: team.profile,
+            modelGateway: team.modelGateway,
+            summary: {
+                memberCount: members.length,
+                activeMemberCount: members.length,
+                pendingInvitationCount: team.invitations.filter((invitation) => invitation.status === "pending").length
+            }
+        };
+    }));
+}
+export async function createTeam(input) {
+    const name = input.name.trim();
+    if (!name) {
+        throw new HttpError(400, "team name is required");
+    }
+    const slugSource = input.slug?.trim() || name;
+    const slug = slugifyTeamLabel(slugSource);
+    if (!slug) {
+        throw new HttpError(400, "team slug cannot be empty after normalization");
+    }
+    if (slug === MEMBER_TEMPLATE_ID) {
+        throw new HttpError(400, "team slug cannot reuse reserved template id");
+    }
+    return mutateTeamsState(async (root) => {
+        if (root.teams.some((team) => team.profile.slug === slug)) {
+            throw new HttpError(409, `team already exists: ${slug}`);
+        }
+        const timestamp = nowIso();
+        const team = {
+            version: 1,
+            profile: {
+                name,
+                slug,
+                description: input.description?.trim() || `Team ${name}`,
+                managerLabel: input.managerLabel?.trim() || "Team Manager",
+                inviteBasePath: "/invite",
+                createdAt: timestamp,
+                updatedAt: timestamp
+            },
+            modelGateway: defaultTeamModelGateway(),
+            invitations: [],
+            memberPolicies: [],
+            assetRolePolicies: defaultTeamState().assetRolePolicies,
+            assets: []
+        };
+        root.teams.push(team);
+        await fs.mkdir(teamMembersRoot(slug), { recursive: true });
+        await ensureTeamAssetLayout(slug);
+        return team.profile;
+    });
+}
+export async function getTeamOverviewBySlug(teamSlug) {
+    teamSlug = slugifyTeamLabel(teamSlug);
+    const cached = teamOverviewCache.get(teamSlug);
+    if (cached && cached.expiresAt > Date.now()) {
+        return cached.value;
+    }
+    const inflight = teamOverviewInflight.get(teamSlug);
+    if (inflight) {
+        return inflight;
+    }
+    const compute = (async () => {
+        const root = await readTeamsState();
+        const state = findTeamBySlugOrThrow(root, teamSlug);
+        const members = await listMemberSummariesForTeam(state.profile.slug);
+        const docker = await getDockerAccess();
+        const membersWithRuntime = await Promise.all(members.map(async (member) => {
+            const policy = state.memberPolicies.find((entry) => entry.memberId === member.id) ?? null;
+            return {
+                ...member,
+                policy,
+                runtime: await getMemberRuntimeStatus(state.profile.slug, member.id, policy, docker)
+            };
+        }));
+        const overview = {
+            profile: state.profile,
+            modelGateway: state.modelGateway,
+            members: membersWithRuntime,
+            invitations: [...state.invitations].sort((left, right) => right.createdAt.localeCompare(left.createdAt)),
+            assets: {
+                records: [...state.assets].sort((left, right) => right.updatedAt.localeCompare(left.updatedAt)),
+                summary: {
+                    draftCount: state.assets.filter((asset) => asset.status === "draft").length,
+                    pendingApprovalCount: state.assets.filter((asset) => asset.status === "pending_approval").length,
+                    publishedCount: state.assets.filter((asset) => asset.status === "published").length
+                }
+            },
+            summary: {
+                memberCount: members.length,
+                activeMemberCount: members.length,
+                pendingInvitationCount: state.invitations.filter((invitation) => invitation.status === "pending").length,
+                assetDraftCount: state.assets.filter((asset) => asset.status === "draft").length,
+                assetPendingApprovalCount: state.assets.filter((asset) => asset.status === "pending_approval").length,
+                assetPublishedCount: state.assets.filter((asset) => asset.status === "published").length
+            }
+        };
+        teamOverviewCache.set(teamSlug, {
+            expiresAt: Date.now() + TEAM_OVERVIEW_CACHE_TTL_MS,
+            value: overview
+        });
+        return overview;
+    })();
+    teamOverviewInflight.set(teamSlug, compute);
+    try {
+        return await compute;
+    }
+    finally {
+        teamOverviewInflight.delete(teamSlug);
+    }
+}
+export async function getTeamOverview() {
+    const root = await readTeamsState();
+    return getTeamOverviewBySlug(resolveDefaultTeamSlug(root));
+}
+export async function getTeamSummaryBySlug(teamSlugRaw) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const root = await readTeamsState();
+    const state = findTeamBySlugOrThrow(root, teamSlug);
+    const members = await listMemberSummariesForTeam(state.profile.slug);
+    return {
+        profile: state.profile,
+        modelGateway: state.modelGateway,
+        summary: {
+            memberCount: members.length,
+            activeMemberCount: members.length,
+            pendingInvitationCount: state.invitations.filter((invitation) => invitation.status === "pending").length,
+            assetDraftCount: state.assets.filter((asset) => asset.status === "draft").length,
+            assetPendingApprovalCount: state.assets.filter((asset) => asset.status === "pending_approval").length,
+            assetPublishedCount: state.assets.filter((asset) => asset.status === "published").length
+        }
+    };
+}
+export async function getTeamRuntimeOverviewBySlug(teamSlugRaw) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const root = await readTeamsState();
+    const state = findTeamBySlugOrThrow(root, teamSlug);
+    const members = await listMemberSummariesForTeam(state.profile.slug);
+    const docker = await getDockerAccess();
+    const membersWithRuntime = await Promise.all(members.map(async (member) => {
+        const policy = state.memberPolicies.find((entry) => entry.memberId === member.id) ?? null;
+        return {
+            ...member,
+            policy,
+            runtime: await getMemberRuntimeStatus(state.profile.slug, member.id, policy, docker)
+        };
+    }));
+    return {
+        profile: state.profile,
+        modelGateway: state.modelGateway,
+        summary: {
+            memberCount: members.length,
+            activeMemberCount: members.length,
+            pendingInvitationCount: state.invitations.filter((invitation) => invitation.status === "pending").length,
+            assetDraftCount: state.assets.filter((asset) => asset.status === "draft").length,
+            assetPendingApprovalCount: state.assets.filter((asset) => asset.status === "pending_approval").length,
+            assetPublishedCount: state.assets.filter((asset) => asset.status === "published").length
+        },
+        members: membersWithRuntime
+    };
+}
+export async function getTeamPageOverviewBySlug(teamSlugRaw, options) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const root = await readTeamsState();
+    const state = findTeamBySlugOrThrow(root, teamSlug);
+    const memberQuery = options?.memberQuery?.trim().toLowerCase() || "";
+    const assetQuery = options?.assetQuery?.trim().toLowerCase() || "";
+    const pagedInvitations = paginateItems([...state.invitations].sort((left, right) => right.createdAt.localeCompare(left.createdAt)), options?.invitePage, options?.invitePageSize, 12);
+    const allMembers = await listMemberSummariesForTeam(state.profile.slug);
+    const filteredMembers = memberQuery
+        ? allMembers.filter((member) => member.id.toLowerCase().includes(memberQuery) || member.path.toLowerCase().includes(memberQuery))
+        : allMembers;
+    const pagedMembers = paginateItems(filteredMembers, options?.memberPage, options?.memberPageSize, 20);
+    pagedMembers.query = options?.memberQuery?.trim() || "";
+    const docker = await getDockerAccess();
+    const membersWithRuntime = await Promise.all(pagedMembers.items.map(async (member) => {
+        const policy = state.memberPolicies.find((entry) => entry.memberId === member.id) ?? null;
+        return {
+            ...member,
+            policy,
+            runtime: await getMemberRuntimeStatus(state.profile.slug, member.id, policy, docker)
+        };
+    }));
+    const filteredAssets = assetQuery
+        ? state.assets.filter((asset) => {
+            const haystack = [asset.title, asset.filename, asset.category, asset.submittedBy, asset.status, asset.sourceZone].join(" ").toLowerCase();
+            return haystack.includes(assetQuery);
+        })
+        : [...state.assets];
+    const pagedAssets = paginateItems([...filteredAssets].sort((left, right) => right.updatedAt.localeCompare(left.updatedAt)), options?.assetPage, options?.assetPageSize, 12);
+    pagedAssets.query = options?.assetQuery?.trim() || "";
+    return {
+        profile: state.profile,
+        modelGateway: state.modelGateway,
+        summary: {
+            memberCount: allMembers.length,
+            activeMemberCount: allMembers.length,
+            pendingInvitationCount: state.invitations.filter((invitation) => invitation.status === "pending").length,
+            assetDraftCount: state.assets.filter((asset) => asset.status === "draft").length,
+            assetPendingApprovalCount: state.assets.filter((asset) => asset.status === "pending_approval").length,
+            assetPublishedCount: state.assets.filter((asset) => asset.status === "published").length
+        },
+        invitations: pagedInvitations,
+        members: {
+            ...pagedMembers,
+            items: membersWithRuntime
+        },
+        assets: {
+            records: pagedAssets,
+            summary: {
+                draftCount: state.assets.filter((asset) => asset.status === "draft").length,
+                pendingApprovalCount: state.assets.filter((asset) => asset.status === "pending_approval").length,
+                publishedCount: state.assets.filter((asset) => asset.status === "published").length
+            }
+        }
+    };
+}
+export async function getTeamMemberWorkspaceById(teamSlugRaw, memberIdRaw) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const memberId = validateMemberId(memberIdRaw);
+    const root = await readTeamsState();
+    const state = findTeamBySlugOrThrow(root, teamSlug);
+    const member = await getMemberByIdForTeam(teamSlug, memberId);
+    if (!member) {
+        throw new HttpError(404, `member not found in team ${teamSlug}: ${memberId}`);
+    }
+    const allMembers = await listMemberSummariesForTeam(state.profile.slug);
+    const policy = state.memberPolicies.find((entry) => entry.memberId === memberId) ?? null;
+    const docker = await getDockerAccess();
+    const runtime = await getMemberRuntimeStatus(state.profile.slug, memberId, policy, docker);
+    return {
+        profile: state.profile,
+        modelGateway: state.modelGateway,
+        summary: {
+            memberCount: allMembers.length,
+            activeMemberCount: allMembers.length,
+            pendingInvitationCount: state.invitations.filter((invitation) => invitation.status === "pending").length,
+            assetDraftCount: state.assets.filter((asset) => asset.status === "draft").length,
+            assetPendingApprovalCount: state.assets.filter((asset) => asset.status === "pending_approval").length,
+            assetPublishedCount: state.assets.filter((asset) => asset.status === "published").length
+        },
+        member,
+        policy,
+        runtime
+    };
+}
+export async function getTeamAssetWorkspaceById(teamSlugRaw, assetId) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const root = await readTeamsState();
+    const state = findTeamBySlugOrThrow(root, teamSlug);
+    const asset = state.assets.find((entry) => entry.id === assetId);
+    if (!asset) {
+        throw new HttpError(404, `asset not found: ${assetId}`);
+    }
+    const allMembers = await listMemberSummariesForTeam(state.profile.slug);
+    const sourceContent = await readText(path.join(ROOT, asset.sourcePath));
+    const publishedContent = asset.publishedPath ? await readText(path.join(ROOT, asset.publishedPath)) : undefined;
+    const currentContent = asset.currentPath ? await readText(path.join(ROOT, asset.currentPath)) : undefined;
+    const { content: _content, ...assetRegistryEntry } = await getTeamAssetServerItemById(teamSlug, assetId);
+    return {
+        profile: state.profile,
+        modelGateway: state.modelGateway,
+        summary: {
+            memberCount: allMembers.length,
+            activeMemberCount: allMembers.length,
+            pendingInvitationCount: state.invitations.filter((invitation) => invitation.status === "pending").length,
+            assetDraftCount: state.assets.filter((entry) => entry.status === "draft").length,
+            assetPendingApprovalCount: state.assets.filter((entry) => entry.status === "pending_approval").length,
+            assetPublishedCount: state.assets.filter((entry) => entry.status === "published").length
+        },
+        asset,
+        assetRegistryEntry,
+        sourceContent,
+        publishedContent,
+        currentContent
+    };
+}
+export async function getMemberRuntimeStatus(teamSlugRaw, memberIdRaw, policyOverride, dockerOverride) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const trimmedMemberId = memberIdRaw.trim().toLowerCase();
+    const memberId = trimmedMemberId === MEMBER_TEMPLATE_ID ? MEMBER_TEMPLATE_ID : validateMemberId(memberIdRaw);
+    const member = memberId === MEMBER_TEMPLATE_ID
+        ? {
+            id: MEMBER_TEMPLATE_ID,
+            path: path.relative(ROOT, path.join(MEMBERS_ROOT, MEMBER_TEMPLATE_ID)),
+            hasRuntime: true,
+            hasComposeFile: true,
+            hasConfigFile: true,
+            buckets: []
+        }
+        : await getMemberByIdForTeam(teamSlug, memberId);
+    if (!member) {
+        throw new HttpError(404, `member not found in team ${teamSlug}: ${memberId}`);
+    }
+    const runtimeDir = memberId === MEMBER_TEMPLATE_ID ? path.join(MEMBERS_ROOT, MEMBER_TEMPLATE_ID, "runtime") : memberRuntimeRoot(teamSlug, memberId);
+    const composePath = path.join(runtimeDir, "docker-compose.yml");
+    const configDir = path.join(runtimeDir, "config");
+    const secretsDir = path.join(runtimeDir, "secrets");
+    const teamPolicyPath = path.join(configDir, "team-policy.json");
+    const quotaPluginPath = path.join(configDir, "local-plugins", "member-quota-guard", "index.js");
+    const telegramTokenPath = path.join(secretsDir, "telegram-bot-token");
+    const whatsappCredsPath = path.join(configDir, "credentials", "whatsapp", "default", "creds.json");
+    const rawConfig = (await fileExists(path.join(configDir, "openclaw.json"))) ? await readText(path.join(configDir, "openclaw.json")) : "";
+    const parsedConfig = rawConfig ? JSON.parse(rawConfig) : {};
+    const channels = parsedConfig.channels ?? {};
+    const channelKind = channels.telegram ? "telegram" : channels.discord ? "discord" : channels.whatsapp ? "whatsapp" : undefined;
+    const composeText = (await fileExists(composePath)) ? await readText(composePath) : "";
+    const publishedPort = composeText ? parsePublishedPort(composeText) : null;
+    const containerName = composeText
+        ? parseContainerName(teamSlug, memberId, composeText)
+        : containerNameForMember(teamSlug, memberId);
+    const commands = buildRuntimeCommands(runtimeDir, composePath, composeProjectNameForMember(teamSlug, memberId));
+    const hasTelegramToken = Boolean((await safeStat(telegramTokenPath))?.size);
+    const hasDiscordToken = typeof channels.discord?.token === "string" && channels.discord.token.trim().length > 0;
+    const hasWhatsappCreds = Boolean((await safeStat(whatsappCredsPath))?.size);
+    const hasTeamPolicy = await fileExists(teamPolicyPath);
+    const hasQuotaPlugin = await fileExists(quotaPluginPath);
+    const docker = dockerOverride ?? (await getDockerAccess());
+    const policy = policyOverride ?? ((await readTeamsState()).teams.find((entry) => entry.profile.slug === teamSlug)?.memberPolicies.find((entry) => entry.memberId === memberId) ?? null);
+    if (memberId === MEMBER_TEMPLATE_ID) {
+        return {
+            state: "template",
+            label: "Template",
+            channelKind,
+            channelReady: false,
+            containerName,
+            runtimePath: path.relative(ROOT, runtimeDir),
+            composePath: path.relative(ROOT, composePath),
+            publishedPort,
+            dockerAvailable: docker.available,
+            dockerError: docker.available ? undefined : docker.error,
+            hasTelegramToken,
+            hasTeamPolicy,
+            hasQuotaPlugin,
+            quotaStatus: policy?.quota.status,
+            container: { exists: false, running: false },
+            commands
+        };
+    }
+    let container = { exists: false, running: false };
+    let state = "ready";
+    let label = "Ready to launch";
+    let dockerError;
+    let channelReady = channelKind === "discord" ? hasDiscordToken : channelKind === "whatsapp" ? hasWhatsappCreds : hasTelegramToken;
+    if (!docker.available) {
+        state = "docker-error";
+        label = "Docker control unavailable";
+        dockerError = docker.error;
+    }
+    else {
+        try {
+            container = docker.containersByName.get(containerName) ?? { exists: false, running: false };
+            if (container.exists && container.running) {
+                state = "running";
+                label = container.health === "healthy" ? "Running" : container.health ? `Running (${container.health})` : "Running";
+            }
+            else if (container.exists) {
+                state = "stopped";
+                label = `Container ${container.status ?? "stopped"}`;
+            }
+        }
+        catch (error) {
+            state = "docker-error";
+            label = "Docker inspect failed";
+            dockerError = error instanceof Error ? error.message : String(error);
+        }
+    }
+    if (state !== "running" && state !== "stopped" && state !== "docker-error") {
+        if (!hasTeamPolicy || !hasTelegramToken) {
+            state = "needs-secrets";
+            if (!hasTeamPolicy) {
+                label = "Needs manager policy";
+            }
+            else if (channelKind === "discord") {
+                label = hasDiscordToken ? "Ready to launch" : "Needs Discord bot token";
+            }
+            else if (channelKind === "whatsapp") {
+                label = hasWhatsappCreds ? "Ready to launch" : "Needs WhatsApp QR login";
+            }
+            else {
+                label = hasTelegramToken ? "Ready to launch" : "Needs Telegram bot token";
+            }
+            if ((channelKind === "discord" && hasDiscordToken) || (channelKind === "whatsapp" && hasWhatsappCreds) || (!channelKind && hasTelegramToken)) {
+                state = "ready";
+            }
+        }
+    }
+    return {
+        state,
+        label,
+        channelKind,
+        channelReady,
+        containerName,
+        runtimePath: path.relative(ROOT, runtimeDir),
+        composePath: path.relative(ROOT, composePath),
+        publishedPort,
+        dockerAvailable: docker.available,
+        dockerError,
+        hasTelegramToken,
+        hasTeamPolicy,
+        hasQuotaPlugin,
+        quotaStatus: policy?.quota.status,
+        container,
+        commands
+    };
+}
+export async function runMemberRuntimeAction(memberIdRaw, action) {
+    const root = await readTeamsState();
+    return runMemberRuntimeActionForTeam(resolveDefaultTeamSlug(root), memberIdRaw, action);
+}
+export async function runMemberRuntimeActionForTeam(teamSlugRaw, memberIdRaw, action) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const memberId = validateMemberId(memberIdRaw);
+    if (memberId === MEMBER_TEMPLATE_ID) {
+        throw new HttpError(400, "cannot manage runtime actions for the member template");
+    }
+    const member = await getMemberByIdForTeam(teamSlug, memberId);
+    if (!member) {
+        throw new HttpError(404, `member not found in team ${teamSlug}: ${memberId}`);
+    }
+    const runtimeDir = path.join(memberRoot(teamSlug, memberId), "runtime");
+    const composePath = path.join(runtimeDir, "docker-compose.yml");
+    if (!(await fileExists(composePath))) {
+        throw new HttpError(404, `compose file missing for member: ${memberId}`);
+    }
+    await ensureMemberRuntimeComposeDefaults(teamSlug, memberId);
+    await syncMemberGeneratedWorkspaceViews(teamSlug, memberId);
+    const composeProjectName = composeProjectNameForMember(teamSlug, memberId);
+    const argsByAction = {
+        start: ["-n", "docker", "compose", "-p", composeProjectName, "-f", composePath, "up", "-d"],
+        stop: ["-n", "docker", "compose", "-p", composeProjectName, "-f", composePath, "stop"],
+        restart: ["-n", "docker", "compose", "-p", composeProjectName, "-f", composePath, "restart"]
+    };
+    const result = await runHostCommand("sudo", argsByAction[action], runtimeDir);
+    invalidateTeamOverviewCache(teamSlug);
+    const runtime = await getMemberRuntimeStatus(teamSlug, memberId);
+    return {
+        memberId,
+        action,
+        ok: result.ok,
+        stdout: result.stdout,
+        stderr: result.stderr,
+        runtime
+    };
+}
+async function performMemberRuntimeUpgradeForTeam(teamSlugRaw, memberIdRaw) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const memberId = validateMemberId(memberIdRaw);
+    const member = await getMemberByIdForTeam(teamSlug, memberId);
+    if (!member) {
+        throw new HttpError(404, `member not found in team ${teamSlug}: ${memberId}`);
+    }
+    const root = await readTeamsState();
+    const team = findTeamBySlugOrThrow(root, teamSlug);
+    const policy = team.memberPolicies.find((entry) => entry.memberId === memberId) ?? null;
+    const invitationCode = policy?.invitationId
+        ? team.invitations.find((entry) => entry.id === policy.invitationId)?.code
+        : undefined;
+    if (policy) {
+        await writeMemberPolicyFile(team.profile, teamSlug, memberId, policy, invitationCode);
+        await syncMemberRuntimeConfigFromPolicy(team, memberId, policy);
+    }
+    else {
+        await syncManagedMemberLocalPlugins(teamSlug, memberId);
+        await ensureMemberRuntimeComposeDefaults(teamSlug, memberId);
+    }
+    const runtimeDir = path.join(memberRoot(teamSlug, memberId), "runtime");
+    const composePath = path.join(runtimeDir, "docker-compose.yml");
+    const composeProjectName = composeProjectNameForMember(teamSlug, memberId);
+    const result = await runHostCommand("sudo", ["-n", "docker", "compose", "-p", composeProjectName, "-f", composePath, "up", "-d", "--pull", "always", "--force-recreate"], runtimeDir);
+    invalidateTeamOverviewCache(teamSlug);
+    if (!result.ok) {
+        throw new HttpError(502, result.stderr || result.error || `upgrade failed for ${memberId}`);
+    }
+}
+export async function scheduleMemberRuntimeUpgradeForTeam(teamSlugRaw, memberIdRaw, notificationTarget) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const memberId = validateMemberId(memberIdRaw);
+    const startedAt = nowIso();
+    const key = `${teamSlug}:${memberId}`;
+    const existing = memberRuntimeUpgradeInflight.get(key);
+    if (existing) {
+        return {
+            memberId,
+            queued: false,
+            status: "already_in_progress",
+            startedAt: existing.startedAt
+        };
+    }
+    const task = (async () => {
+        try {
+            await new Promise((resolve) => setTimeout(resolve, MEMBER_UPGRADE_SCHEDULE_DELAY_MS));
+            await performMemberRuntimeUpgradeForTeam(teamSlug, memberId);
+            await notifyMemberUpgradeResult(teamSlug, memberId, notificationTarget, { ok: true });
+        }
+        catch (error) {
+            await notifyMemberUpgradeResult(teamSlug, memberId, notificationTarget, {
+                ok: false,
+                detail: error instanceof Error ? error.message : String(error)
+            });
+            throw error;
+        }
+        finally {
+            memberRuntimeUpgradeInflight.delete(key);
+        }
+    })().catch((error) => {
+        console.error("[member-upgrade] background upgrade failed:", error instanceof Error ? error.message : String(error));
+    });
+    memberRuntimeUpgradeInflight.set(key, { startedAt, task });
+    return {
+        memberId,
+        queued: true,
+        status: "scheduled",
+        startedAt
+    };
+}
+export async function setMemberTelegramBotToken(memberIdRaw, rawToken) {
+    const root = await readTeamsState();
+    return setMemberTelegramBotTokenForTeam(resolveDefaultTeamSlug(root), memberIdRaw, rawToken);
+}
+export async function setMemberTelegramBotTokenForTeam(teamSlugRaw, memberIdRaw, rawToken) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const memberId = validateMemberId(memberIdRaw);
+    const member = await getMemberByIdForTeam(teamSlug, memberId);
+    if (!member) {
+        throw new HttpError(404, `member not found in team ${teamSlug}: ${memberId}`);
+    }
+    const token = validateTelegramBotToken(rawToken);
+    const secretPath = path.join(memberRoot(teamSlug, memberId), "runtime", "secrets", "telegram-bot-token");
+    await writeSecretText(secretPath, `${token}\n`);
+    invalidateTeamOverviewCache(teamSlug);
+    const runtime = await getMemberRuntimeStatus(teamSlug, memberId);
+    return {
+        memberId,
+        secretPath: path.relative(ROOT, secretPath),
+        runtime
+    };
+}
+export async function onboardMemberRuntime(memberIdRaw, params) {
+    const root = await readTeamsState();
+    return onboardMemberRuntimeForTeam(resolveDefaultTeamSlug(root), memberIdRaw, params);
+}
+export async function onboardMemberRuntimeForTeam(teamSlugRaw, memberIdRaw, params) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const memberId = validateMemberId(memberIdRaw);
+    let secret;
+    if (params.telegramBotToken?.trim()) {
+        secret = await setMemberTelegramBotTokenForTeam(teamSlug, memberId, params.telegramBotToken);
+    }
+    let action;
+    if (params.start) {
+        action = await runMemberRuntimeActionForTeam(teamSlug, memberId, "start");
+    }
+    const runtime = await getMemberRuntimeStatus(teamSlug, memberId);
+    return {
+        memberId,
+        secret,
+        action,
+        runtime
+    };
+}
+export async function updateTeamProfile(input) {
+    const root = await readTeamsState();
+    return updateTeamProfileBySlug(resolveDefaultTeamSlug(root), input);
+}
+export async function updateTeamProfileBySlug(teamSlug, input) {
+    teamSlug = slugifyTeamLabel(teamSlug);
+    const name = input.name.trim();
+    if (!name) {
+        throw new HttpError(400, "team name is required");
+    }
+    const slugSource = input.slug?.trim() || name;
+    const slug = slugifyTeamLabel(slugSource);
+    if (!slug) {
+        throw new HttpError(400, "team slug cannot be empty after normalization");
+    }
+    return mutateTeamsState(async (root) => {
+        const state = findTeamBySlugOrThrow(root, teamSlug);
+        const currentSlug = state.profile.slug;
+        if (slug !== currentSlug && root.teams.some((team) => team.profile.slug === slug)) {
+            throw new HttpError(409, `team already exists: ${slug}`);
+        }
+        if (slug !== currentSlug) {
+            const from = teamMembersRoot(currentSlug);
+            const to = teamMembersRoot(slug);
+            if (await safeStat(from)) {
+                if (await safeStat(to)) {
+                    throw new HttpError(409, `team member directory already exists: ${slug}`);
+                }
+                await fs.rename(from, to);
+            }
+        }
+        state.profile = {
+            ...state.profile,
+            name,
+            slug,
+            description: input.description?.trim() || state.profile.description,
+            managerLabel: input.managerLabel?.trim() || state.profile.managerLabel,
+            updatedAt: nowIso()
+        };
+        return state.profile;
+    });
+}
+export async function getTeamModelGatewayBySlug(teamSlug) {
+    const root = await readTeamsState();
+    return findTeamBySlugOrThrow(root, teamSlug).modelGateway;
+}
+export async function updateTeamModelGatewayBySlug(teamSlugRaw, input) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    return mutateNamedTeamState(teamSlug, async (state) => {
+        const nextAllowed = Array.isArray(input.allowedModelIds) && input.allowedModelIds.length > 0
+            ? Array.from(new Set(input.allowedModelIds.map((entry) => entry.trim()).filter(Boolean)))
+            : state.modelGateway.allowedModelIds;
+        const nextDefault = (input.defaultModelId?.trim() || state.modelGateway.defaultModelId);
+        if (!nextAllowed.includes(nextDefault)) {
+            throw new HttpError(400, "defaultModelId must be included in allowedModelIds");
+        }
+        state.modelGateway = {
+            ...state.modelGateway,
+            enabled: input.enabled ?? state.modelGateway.enabled,
+            defaultModelId: nextDefault,
+            allowedModelIds: nextAllowed
+        };
+        return state.modelGateway;
+    });
+}
+export async function createInvitation(input) {
+    const root = await readTeamsState();
+    return createInvitationForTeam(resolveDefaultTeamSlug(root), input);
+}
+export async function createInvitationForTeam(teamSlug, input) {
+    teamSlug = slugifyTeamLabel(teamSlug);
+    const inviteeLabel = input.inviteeLabel.trim();
+    if (!inviteeLabel) {
+        throw new HttpError(400, "inviteeLabel is required");
+    }
+    const rawMemberId = input.memberId?.trim() || "";
+    const rawMemberEmail = input.memberEmail?.trim() || "";
+    const memberEmail = rawMemberEmail
+        ? validateMemberEmail(rawMemberEmail)
+        : rawMemberId.includes("@")
+            ? validateMemberEmail(rawMemberId)
+            : undefined;
+    const memberId = memberEmail ? deriveRuntimeMemberIdFromEmail(memberEmail) : validateMemberId(rawMemberId);
+    const role = input.role?.trim() || "member";
+    const note = input.note?.trim() || "";
+    const createdBy = input.createdBy?.trim() || "operator";
+    const quota = normalizeQuota(role, input.quota);
+    const existingMember = await getMemberByIdForTeam(teamSlug, memberId);
+    if (existingMember) {
+        throw new HttpError(409, `member already exists: ${memberId}`);
+    }
+    return mutateNamedTeamState(teamSlug, async (state) => {
+        const conflictingInvite = state.invitations.find((invitation) => invitation.memberId === memberId && invitation.status === "pending");
+        if (conflictingInvite) {
+            throw new HttpError(409, `pending invitation already exists for memberId: ${memberId}`);
+        }
+        const invitation = {
+            id: crypto.randomUUID(),
+            code: crypto.randomBytes(8).toString("hex"),
+            teamSlug,
+            status: "pending",
+            inviteeLabel,
+            memberId,
+            memberEmail,
+            role,
+            note,
+            quota,
+            createdAt: nowIso(),
+            createdBy
+        };
+        state.invitations.unshift(invitation);
+        return invitation;
+    });
+}
+export async function revokeInvitation(invitationId) {
+    const root = await readTeamsState();
+    return revokeInvitationForTeam(resolveDefaultTeamSlug(root), invitationId);
+}
+export async function revokeInvitationForTeam(teamSlug, invitationId) {
+    teamSlug = slugifyTeamLabel(teamSlug);
+    return mutateNamedTeamState(teamSlug, async (state) => {
+        const invitation = findInvitationByIdOrThrow(state, invitationId);
+        if (invitation.status !== "pending") {
+            throw new HttpError(409, `invitation is not pending: ${invitationId}`);
+        }
+        invitation.status = "revoked";
+        invitation.revokedAt = nowIso();
+        return invitation;
+    });
+}
+export async function getInvitationByCode(code) {
+    const state = await readTeamsState();
+    for (const team of state.teams) {
+        const invitation = team.invitations.find((entry) => entry.code === code);
+        if (invitation)
+            return invitation;
+    }
+    return null;
+}
+export async function acceptInvitationByCode(code, input) {
+    const resolvedChannel = resolveAcceptedInviteChannel(input);
+    return mutateTeamsState(async (root) => {
+        const state = root.teams.find((team) => team.invitations.some((entry) => entry.code === code));
+        if (!state) {
+            throw new HttpError(404, `invitation not found for code: ${code}`);
+        }
+        const invitation = findInvitationByCodeOrThrow(state, code);
+        if (invitation.status !== "pending") {
+            throw new HttpError(409, `invitation is not pending: ${code}`);
+        }
+        const provision = await provisionMemberForTeam(state.profile.slug, {
+            memberId: invitation.memberId,
+            telegramUserId: resolvedChannel.legacyTelegramUserId,
+            identityName: input.identityName?.trim() || `小虾-${invitation.memberId}`
+        });
+        const timestamp = nowIso();
+        const policy = {
+            memberId: invitation.memberId,
+            memberEmail: invitation.memberEmail,
+            role: invitation.role,
+            quota: invitation.quota,
+            assetPermissions: defaultAssetPermissionsForRole(invitation.role, state.assetRolePolicies),
+            createdAt: timestamp,
+            updatedAt: timestamp,
+            invitationId: invitation.id
+        };
+        state.memberPolicies = state.memberPolicies.filter((entry) => entry.memberId !== invitation.memberId);
+        state.memberPolicies.unshift(policy);
+        invitation.status = "accepted";
+        invitation.acceptedAt = timestamp;
+        invitation.acceptedMemberId = provision.member.id;
+        invitation.acceptedTelegramUserId = resolvedChannel.setup?.kind === "telegram" ? resolvedChannel.setup.handle : undefined;
+        await writeMemberPolicyFile(state.profile, state.profile.slug, invitation.memberId, policy, invitation.code);
+        await syncMemberRuntimeConfigFromPolicy(state, invitation.memberId, policy);
+        if (resolvedChannel.setup) {
+            await applyAcceptedInviteChannelConfig(state.profile.slug, invitation.memberId, resolvedChannel.setup, resolvedChannel.botToken);
+        }
+        return { invitation, provision, policy, channel: resolvedChannel.setup };
+    });
+}
+export async function updateMemberQuota(memberIdRaw, input) {
+    const root = await readTeamsState();
+    return updateMemberQuotaForTeam(resolveDefaultTeamSlug(root), memberIdRaw, input);
+}
+export async function updateMemberQuotaForTeam(teamSlugRaw, memberIdRaw, input) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const memberId = validateMemberId(memberIdRaw);
+    const member = await getMemberByIdForTeam(teamSlug, memberId);
+    if (!member) {
+        throw new HttpError(404, `member not found in team ${teamSlug}: ${memberId}`);
+    }
+    return mutateNamedTeamState(teamSlug, async (state) => {
+        const existing = state.memberPolicies.find((policy) => policy.memberId === memberId) ??
+            {
+                memberId,
+                role: "member",
+                quota: defaultQuotaForRole("member"),
+                assetPermissions: defaultAssetPermissionsForRole("member", state.assetRolePolicies),
+                createdAt: nowIso(),
+                updatedAt: nowIso()
+            };
+        const nextRole = input.role?.trim() || existing.role;
+        const updatedPolicy = {
+            ...existing,
+            role: nextRole,
+            quota: normalizeQuota(nextRole, input, existing.quota),
+            assetPermissions: normalizeAssetPermissions(nextRole, void 0, state.assetRolePolicies),
+            updatedAt: nowIso()
+        };
+        state.memberPolicies = state.memberPolicies.filter((policy) => policy.memberId !== memberId);
+        state.memberPolicies.unshift(updatedPolicy);
+        await writeMemberPolicyFile(state.profile, teamSlug, memberId, updatedPolicy);
+        await syncMemberRuntimeConfigFromPolicy(state, memberId, updatedPolicy);
+        return updatedPolicy;
+    });
+}
+export async function getMembers() {
+    const root = await readTeamsState();
+    return getMembersForTeam(resolveDefaultTeamSlug(root));
+}
+export async function getMembersForTeam(teamSlugRaw) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const membersDir = teamMembersRoot(teamSlug);
+    const rootStat = await safeStat(membersDir);
+    if (!rootStat) {
+        return [];
+    }
+    const root = await readTeamsState();
+    const teamState = root.teams.find((team) => team.profile.slug === teamSlug) ?? null;
+    const emailByMemberId = new Map();
+    for (const policy of teamState?.memberPolicies ?? []) {
+        if (policy.memberEmail) {
+            emailByMemberId.set(policy.memberId, policy.memberEmail);
+        }
+    }
+    for (const invitation of teamState?.invitations ?? []) {
+        if (invitation.memberEmail && !emailByMemberId.has(invitation.memberId)) {
+            emailByMemberId.set(invitation.memberId, invitation.memberEmail);
+        }
+    }
+    const entries = await fs.readdir(membersDir, { withFileTypes: true });
+    const memberDirs = entries
+        .filter((entry) => entry.isDirectory() && !entry.name.startsWith(".") && !RESERVED_MEMBER_DIR_NAMES.has(entry.name))
+        .sort((a, b) => a.name.localeCompare(b.name));
+    return Promise.all(memberDirs.map(async (entry) => {
+        const memberPath = path.join(membersDir, entry.name);
+        const runtimePath = path.join(memberPath, "runtime");
+        const composePath = path.join(runtimePath, "docker-compose.yml");
+        const configPath = path.join(runtimePath, "config", "openclaw.json");
+        return {
+            id: entry.name,
+            memberEmail: emailByMemberId.get(entry.name),
+            path: path.relative(ROOT, memberPath),
+            hasRuntime: Boolean(await safeStat(runtimePath)),
+            hasComposeFile: Boolean(await safeStat(composePath)),
+            hasConfigFile: Boolean(await safeStat(configPath)),
+            buckets: await Promise.all(MEMBER_BUCKETS.map(([key, label]) => buildBucket(memberPath, key, label)))
+        };
+    }));
+}
+export async function getMemberById(memberId) {
+    const root = await readTeamsState();
+    return getMemberByIdForTeam(resolveDefaultTeamSlug(root), memberId);
+}
+export async function getMemberByIdForTeam(teamSlugRaw, memberId) {
+    const members = await getMembersForTeam(teamSlugRaw);
+    return members.find((member) => member.id === memberId) ?? null;
+}
+export async function provisionMember(input) {
+    const root = await readTeamsState();
+    return provisionMemberForTeam(resolveDefaultTeamSlug(root), input);
+}
+export async function provisionMemberForTeam(teamSlugRaw, input) {
+    const teamSlug = slugifyTeamLabel(teamSlugRaw);
+    const memberId = validateMemberId(input.memberId);
+    const templatePath = path.join(MEMBERS_ROOT, MEMBER_TEMPLATE_ID);
+    const memberPath = memberRoot(teamSlug, memberId);
+    const existingMember = await safeStat(memberPath);
+    if (existingMember) {
+        throw new HttpError(409, `member already exists: ${memberId}`);
+    }
+    if (!(await safeStat(templatePath))) {
+        throw new HttpError(500, `member template missing: ${path.relative(ROOT, templatePath)}`);
+    }
+    const port = await resolveMemberPort(input.port);
+    const gatewayToken = input.gatewayToken?.trim() || crypto.randomBytes(24).toString("hex");
+    const identityName = input.identityName?.trim() || `小虾-${memberId}`;
+    const telegramUserId = input.telegramUserId?.trim() || "REPLACE_WITH_USER_ID";
+    const pending = [];
+    await fs.mkdir(teamMembersRoot(teamSlug), { recursive: true });
+    await fs.cp(templatePath, memberPath, { recursive: true, errorOnExist: true });
+    const composePath = path.join(memberPath, "runtime", "docker-compose.yml");
+    const configPath = path.join(memberPath, "runtime", "config", "openclaw.json");
+    const secretsPath = path.join(memberPath, "runtime", "secrets");
+    const workspacePath = memberRuntimeWorkspaceRoot(teamSlug, memberId);
+    await writeGitkeep(secretsPath);
+    await writeGitkeep(workspacePath);
+    const compose = await readText(composePath);
+    const updatedCompose = compose
+        .replaceAll("REPLACE_MEMBER_ID", memberId)
+        .replaceAll("REPLACE_CONTAINER_ID", containerNameForMember(teamSlug, memberId))
+        .replaceAll("REPLACE_COMPOSE_PROJECT", composeProjectNameForMember(teamSlug, memberId))
+        .replaceAll("REPLACE_TEAM_SLUG", teamSlug)
+        .replace("127.0.0.1:18800:18789", `127.0.0.1:${port}:18789`);
+    await writeText(composePath, ensureMemberProxyComposeDefaults(updatedCompose, composeProjectNameForMember(teamSlug, memberId), containerNameForMember(teamSlug, memberId)));
+    const config = await readText(configPath);
+    const updatedConfig = config
+        .replace("REPLACE_WITH_RANDOM_GATEWAY_TOKEN", gatewayToken)
+        .replace("REPLACE_WITH_USER_ID", telegramUserId)
+        .replace('"name": "小虾-member"', `"name": ${JSON.stringify(identityName)}`);
+    await writeText(configPath, updatedConfig);
+    await syncMemberGeneratedWorkspaceViews(teamSlug, memberId);
+    invalidateTeamOverviewCache(teamSlug);
+    const member = await getMemberByIdForTeam(teamSlug, memberId);
+    if (!member) {
+        throw new HttpError(500, `member provisioning did not produce a readable member: ${memberId}`);
+    }
+    return {
+        created: true,
+        member,
+        port,
+        gatewayToken,
+        pending,
+        paths: {
+            memberPath: path.relative(ROOT, memberPath),
+            composePath: path.relative(ROOT, composePath),
+            configPath: path.relative(ROOT, configPath),
+            secretsPath: path.relative(ROOT, secretsPath),
+            workspacePath: path.relative(ROOT, workspacePath)
+        }
+    };
+}