onboarding: add daemon lifecycle flow and align docs

Author: novatechflow

docs/operations-admin/maintenance.md

@@ -73,7 +73,14 @@ Guided alternative:
 
 ## Service Operation (Linux systemd)
 
-If installed as system service:
+Preferred (CLI-managed):
+
+```bash
+sudo ./kafclaw daemon status
+sudo ./kafclaw daemon restart
+```
+
+Direct `systemctl` fallback:
 
 ```bash
 sudo systemctl daemon-reload

docs/operations-admin/manage-kafclaw.md

@@ -18,14 +18,15 @@ Operator-focused guide for managing KafClaw from CLI and runtime endpoints.
 | `kafclaw security` | Unified security checks/audit/fix (`check`, `audit --deep`, `fix --yes`) |
 | `kafclaw config` | Low-level dotted-path config read/write/unset |
 | `kafclaw configure` | Guided/non-interactive config updates (subagents, skills, Kafka group security) |
-| `kafclaw skills` | Skills lifecycle (`enable/disable/list/status/verify/install/update/auth/prereq`) |
+| `kafclaw skills` | Skills lifecycle (`enable/disable/list/status/enable-skill/disable-skill/verify/install/update/exec/auth/prereq`) |
 | `kafclaw group` | Join/leave/status/members for Kafka collaboration group |
 | `kafclaw kshark` | Kafka connectivity and protocol diagnostics |
 | `kafclaw agent -m` | Single-shot direct CLI interaction with agent loop |
 | `kafclaw pairing` | Approve/deny pending Slack/Teams sender pairings |
 | `kafclaw whatsapp-setup` | Configure WhatsApp auth and initial lists |
 | `kafclaw whatsapp-auth` | Approve/deny/list WhatsApp JIDs |
 | `kafclaw install` | Install local binary (`/usr/local/bin` as root, `~/.local/bin` as non-root) |
+| `kafclaw daemon` | Manage systemd service lifecycle (`install`, `uninstall`, `start`, `stop`, `restart`, `status`) |
 | `kafclaw update` | Update lifecycle (`plan`, `apply`, `backup`, `rollback`) |
 | `kafclaw completion` | Generate shell completion scripts (`bash|zsh|fish|powershell`) |
 | `kafclaw version` | Print build version |
@@ -191,6 +192,41 @@ Onboarding also scaffolds workspace files:
 
 Use `--force` to overwrite existing config and scaffold files.
 
+Lifecycle flags (operator-focused):
+
+```bash
+./kafclaw onboard --reset-scope config --non-interactive --accept-risk --profile local --llm skip
+./kafclaw onboard --wait-for-gateway --health-timeout 20s
+./kafclaw onboard --skip-healthcheck
+./kafclaw onboard --daemon-runtime native
+```
+
+If onboarding installs systemd (`--systemd`), service activation is automatic by default.
+Disable auto-activation with `--systemd-activate=false`.
+
+## 4.1 Daemon / Service Lifecycle (Linux systemd)
+
+Install service and activate immediately:
+
+```bash
+sudo ./kafclaw daemon install --activate
+```
+
+Service operations:
+
+```bash
+sudo ./kafclaw daemon status
+sudo ./kafclaw daemon restart
+sudo ./kafclaw daemon stop
+sudo ./kafclaw daemon start
+```
+
+Uninstall service:
+
+```bash
+sudo ./kafclaw daemon uninstall
+```
+
 ## 5. Daily Health Checks
 
 ### Status snapshot

docs/reference/cli-reference.md

@@ -10,15 +10,19 @@ Primary command groups:
 - `kafclaw gateway` - start API + dashboard + runtime services
 - `kafclaw status` - runtime/config health snapshot
 - `kafclaw doctor` - diagnostics and setup checks
+- `kafclaw security` - security checks, deep audit, and safe remediation (`check|audit|fix`)
 - `kafclaw config` / `kafclaw configure` - low-level and guided config changes
 - `kafclaw agent -m` - one-shot interaction
+- `kafclaw skills` - bundled/external skill lifecycle and auth/prereq flows (`enable|disable|list|status|enable-skill|disable-skill|verify|install|update|exec|prereq|auth`)
 - `kafclaw install` - install local built binary (`/usr/local/bin` root, `~/.local/bin` non-root)
 - `kafclaw update` - update lifecycle (`plan`, `apply`, `backup`, `rollback`)
+- `kafclaw daemon` - system service lifecycle (`install`, `uninstall`, `start`, `stop`, `restart`, `status`)
 - `kafclaw completion` - generate shell completion scripts
 - `kafclaw whatsapp-setup` / `kafclaw whatsapp-auth` - WhatsApp setup and auth controls
 - `kafclaw pairing` - Slack/Teams pairing approvals
 - `kafclaw group` - group collaboration controls
 - `kafclaw kshark` - Kafka diagnostics
+- `kafclaw version` - print build version
 
 Automation-friendly lifecycle output:
 - `kafclaw onboard --json`
@@ -27,8 +31,12 @@ Automation-friendly lifecycle output:
 - `kafclaw doctor --json`
 - `kafclaw security <check|audit|fix> --json`
 - `kafclaw update <plan|backup|apply|rollback> --json`
+- `kafclaw daemon <install|uninstall|start|stop|restart|status> --json`
 
 Detailed command examples:
 - [Getting Started](../start-here/getting-started/)
 - [User Manual - CLI Reference section](../start-here/user-manual/#3-cli-reference)
 - [Manage KafClaw](../operations-admin/manage-kafclaw/)
+
+Skills execution example:
+- `kafclaw skills exec <skill-id> --input '{"text":"..."}'`

docs/start-here/getting-started.md

@@ -204,6 +204,13 @@ To reconfigure provider/token later, run onboarding again (interactive) or use:
 - Use `--force` to overwrite existing config and identity templates
 - Gateway also auto-scaffolds missing identity files at startup if workspace is incomplete
 
+Minimal lifecycle flags:
+
+```bash
+./kafclaw onboard --reset-scope config --non-interactive --accept-risk --profile local --llm skip
+./kafclaw onboard --wait-for-gateway --health-timeout 20s
+```
+
 ## 5. Verify
 
 ```bash
@@ -248,6 +255,13 @@ sudo ./kafclaw onboard --systemd
 
 This can create service user, install unit files, and write runtime env file.
 
+After onboarding, manage service state with:
+
+```bash
+sudo ./kafclaw daemon status
+sudo ./kafclaw daemon restart
+```
+
 ## 8. Where Config Lives
 
 - Main config: `~/.kafclaw/config.json`

docs/start-here/user-manual.md

@@ -128,7 +128,7 @@ Once the gateway is running:
 ## 3. CLI Reference
 
 KafClaw provides the following CLI commands. Run `kafclaw --help` for the full list.
-Core startup commands: `onboard`, `doctor`, `status`, `gateway`, `agent`, `config`.
+Core startup commands: `onboard`, `doctor`, `status`, `gateway`, `daemon`, `agent`, `config`.
 
 ### 3.1 `gateway`
 
@@ -174,9 +174,21 @@ Common onboarding profiles:
 
 Useful onboarding flags:
 - `--systemd` to install service/override/env (Linux)
+- `--reset-scope` (`none|config|full`) for deterministic reset behavior
+- `--wait-for-gateway` and `--health-timeout` for post-onboard health gating
+- `--skip-healthcheck` to bypass readiness checks in constrained automation
+- `--daemon-runtime` to persist daemon runtime label in config
 - `--subagents-max-spawn-depth`, `--subagents-max-children`, `--subagents-max-concurrent`
 - `--subagents-archive-minutes`, `--subagents-model`, `--subagents-thinking`
 
+Service lifecycle commands:
+
+```bash
+sudo kafclaw daemon install --activate
+sudo kafclaw daemon status
+sudo kafclaw daemon restart
+```
+
 Subagent runtime notes:
 - `sessions_spawn` accepts `runTimeoutSeconds` for per-run hard timeout
 - `subagents` supports selectors (`last`, numeric index, runId prefix, label prefix, child session key)

internal/cli/daemon.go

@@ -0,0 +1,226 @@
+package cli
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	"github.com/KafClaw/KafClaw/internal/config"
+	"github.com/KafClaw/KafClaw/internal/onboarding"
+	"github.com/spf13/cobra"
+)
+
+var daemonCmd = &cobra.Command{
+	Use:   "daemon",
+	Short: "Manage gateway daemon service lifecycle",
+}
+
+var daemonInstallCmd = &cobra.Command{
+	Use:   "install",
+	Short: "Install and optionally activate systemd service (Linux)",
+	RunE:  runDaemonInstall,
+}
+
+var daemonUninstallCmd = &cobra.Command{
+	Use:   "uninstall",
+	Short: "Disable and remove systemd service (Linux)",
+	RunE:  runDaemonUninstall,
+}
+
+var daemonStartCmd = &cobra.Command{
+	Use:   "start",
+	Short: "Start systemd service (Linux)",
+	RunE:  runDaemonStart,
+}
+
+var daemonStopCmd = &cobra.Command{
+	Use:   "stop",
+	Short: "Stop systemd service (Linux)",
+	RunE:  runDaemonStop,
+}
+
+var daemonRestartCmd = &cobra.Command{
+	Use:   "restart",
+	Short: "Restart systemd service (Linux)",
+	RunE:  runDaemonRestart,
+}
+
+var daemonStatusCmd = &cobra.Command{
+	Use:   "status",
+	Short: "Show systemd service status (Linux)",
+	RunE:  runDaemonStatus,
+}
+
+var daemonServiceUser string
+var daemonServiceBinary string
+var daemonServicePort int
+var daemonInstallRoot string
+var daemonRuntimeLabel string
+var daemonActivate bool
+var daemonJSON bool
+
+var daemonExecFn = func(name string, args ...string) ([]byte, error) {
+	return exec.Command(name, args...).CombinedOutput()
+}
+var daemonOS = runtime.GOOS
+var daemonCurrentEUID = os.Geteuid
+var daemonSetupSystemdFn = onboarding.SetupSystemdGateway
+var daemonActivateSystemdFn = onboarding.ActivateSystemdGateway
+
+func init() {
+	daemonInstallCmd.Flags().StringVar(&daemonServiceUser, "service-user", "kafclaw", "Service user for systemd unit")
+	daemonInstallCmd.Flags().StringVar(&daemonServiceBinary, "service-binary", "/usr/local/bin/kafclaw", "kafclaw binary path in ExecStart")
+	daemonInstallCmd.Flags().IntVar(&daemonServicePort, "service-port", 18790, "Gateway port for systemd ExecStart")
+	daemonInstallCmd.Flags().StringVar(&daemonInstallRoot, "service-install-root", "/", "Root path for systemd files (testing/packaging)")
+	daemonInstallCmd.Flags().StringVar(&daemonRuntimeLabel, "daemon-runtime", "native", "Daemon runtime label persisted in config")
+	daemonInstallCmd.Flags().BoolVar(&daemonActivate, "activate", true, "Run daemon-reload and enable --now after install")
+	daemonInstallCmd.Flags().BoolVar(&daemonJSON, "json", false, "Output machine-readable JSON")
+	_ = daemonInstallCmd.Flags().MarkHidden("service-install-root")
+
+	daemonUninstallCmd.Flags().BoolVar(&daemonJSON, "json", false, "Output machine-readable JSON")
+	daemonStartCmd.Flags().BoolVar(&daemonJSON, "json", false, "Output machine-readable JSON")
+	daemonStopCmd.Flags().BoolVar(&daemonJSON, "json", false, "Output machine-readable JSON")
+	daemonRestartCmd.Flags().BoolVar(&daemonJSON, "json", false, "Output machine-readable JSON")
+	daemonStatusCmd.Flags().BoolVar(&daemonJSON, "json", false, "Output machine-readable JSON")
+
+	daemonCmd.AddCommand(daemonInstallCmd, daemonUninstallCmd, daemonStartCmd, daemonStopCmd, daemonRestartCmd, daemonStatusCmd)
+	rootCmd.AddCommand(daemonCmd)
+}
+
+func runDaemonInstall(cmd *cobra.Command, args []string) error {
+	if daemonOS != "linux" {
+		return daemonResult(cmd, "error", "install", map[string]any{"os": daemonOS}, "daemon install currently supports Linux systemd only")
+	}
+	cfg, err := config.Load()
+	if err != nil {
+		return daemonResult(cmd, "error", "install", nil, fmt.Sprintf("load config: %v", err))
+	}
+	if daemonServicePort <= 0 {
+		if cfg.Gateway.Port > 0 {
+			daemonServicePort = cfg.Gateway.Port
+		} else {
+			daemonServicePort = 18790
+		}
+	}
+	cfg.Gateway.DaemonRuntime = strings.TrimSpace(daemonRuntimeLabel)
+	if cfg.Gateway.DaemonRuntime == "" {
+		cfg.Gateway.DaemonRuntime = "native"
+	}
+	if err := config.Save(cfg); err != nil {
+		return daemonResult(cmd, "error", "install", nil, fmt.Sprintf("save config: %v", err))
+	}
+
+	result, err := daemonSetupSystemdFn(onboarding.SetupOptions{
+		ServiceUser: daemonServiceUser,
+		BinaryPath:  daemonServiceBinary,
+		Port:        daemonServicePort,
+		Profile:     "default",
+		Version:     version,
+		InstallRoot: daemonInstallRoot,
+	})
+	if err != nil {
+		return daemonResult(cmd, "error", "install", nil, err.Error())
+	}
+	if daemonActivate {
+		if daemonCurrentEUID() != 0 {
+			return daemonResult(cmd, "error", "install", map[string]any{"servicePath": result.ServicePath}, "activation requires root privileges")
+		}
+		if err := daemonActivateSystemdFn(); err != nil {
+			return daemonResult(cmd, "error", "install", map[string]any{"servicePath": result.ServicePath}, err.Error())
+		}
+	}
+	return daemonResult(cmd, "ok", "install", map[string]any{
+		"servicePath":  result.ServicePath,
+		"overridePath": result.OverridePath,
+		"envPath":      result.EnvPath,
+		"userCreated":  result.UserCreated,
+		"activated":    daemonActivate,
+		"runtime":      cfg.Gateway.DaemonRuntime,
+	}, "")
+}
+
+func runDaemonUninstall(cmd *cobra.Command, args []string) error {
+	if daemonOS != "linux" {
+		return daemonResult(cmd, "error", "uninstall", map[string]any{"os": daemonOS}, "daemon uninstall currently supports Linux systemd only")
+	}
+	if daemonCurrentEUID() != 0 {
+		return daemonResult(cmd, "error", "uninstall", nil, "uninstall requires root privileges")
+	}
+	_, _ = daemonExecFn("systemctl", "disable", "--now", "kafclaw-gateway.service")
+	_ = os.Remove(filepath.Join("/", "etc", "systemd", "system", "kafclaw-gateway.service"))
+	_, _ = daemonExecFn("systemctl", "daemon-reload")
+	return daemonResult(cmd, "ok", "uninstall", nil, "")
+}
+
+func runDaemonStart(cmd *cobra.Command, args []string) error {
+	return runDaemonSystemctlAction(cmd, "start")
+}
+
+func runDaemonStop(cmd *cobra.Command, args []string) error {
+	return runDaemonSystemctlAction(cmd, "stop")
+}
+
+func runDaemonRestart(cmd *cobra.Command, args []string) error {
+	return runDaemonSystemctlAction(cmd, "restart")
+}
+
+func runDaemonSystemctlAction(cmd *cobra.Command, action string) error {
+	if daemonOS != "linux" {
+		return daemonResult(cmd, "error", action, map[string]any{"os": daemonOS}, "daemon actions currently support Linux systemd only")
+	}
+	if daemonCurrentEUID() != 0 {
+		return daemonResult(cmd, "error", action, nil, fmt.Sprintf("%s requires root privileges", action))
+	}
+	out, err := daemonExecFn("systemctl", action, "kafclaw-gateway.service")
+	if err != nil {
+		return daemonResult(cmd, "error", action, map[string]any{"output": strings.TrimSpace(string(out))}, err.Error())
+	}
+	return daemonResult(cmd, "ok", action, map[string]any{"output": strings.TrimSpace(string(out))}, "")
+}
+
+func runDaemonStatus(cmd *cobra.Command, args []string) error {
+	if daemonOS != "linux" {
+		return daemonResult(cmd, "error", "status", map[string]any{"os": daemonOS}, "daemon status currently supports Linux systemd only")
+	}
+	enabledOut, enabledErr := daemonExecFn("systemctl", "is-enabled", "kafclaw-gateway.service")
+	activeOut, activeErr := daemonExecFn("systemctl", "is-active", "kafclaw-gateway.service")
+	result := map[string]any{
+		"enabled": strings.TrimSpace(string(enabledOut)),
+		"active":  strings.TrimSpace(string(activeOut)),
+	}
+	if enabledErr != nil || activeErr != nil {
+		return daemonResult(cmd, "error", "status", result, "service not enabled/active")
+	}
+	return daemonResult(cmd, "ok", "status", result, "")
+}
+
+func daemonResult(cmd *cobra.Command, status, action string, result map[string]any, errMsg string) error {
+	if daemonJSON {
+		payload := map[string]any{
+			"status":  strings.TrimSpace(status),
+			"command": "daemon",
+			"action":  strings.TrimSpace(action),
+		}
+		if len(result) > 0 {
+			payload["result"] = result
+		}
+		if strings.TrimSpace(errMsg) != "" {
+			payload["error"] = strings.TrimSpace(errMsg)
+		}
+		b, _ := json.MarshalIndent(payload, "", "  ")
+		fmt.Fprintln(cmd.OutOrStdout(), string(b))
+		if strings.EqualFold(status, "error") {
+			return fmt.Errorf("%s", errMsg)
+		}
+		return nil
+	}
+	if strings.EqualFold(status, "error") {
+		return fmt.Errorf("%s", errMsg)
+	}
+	fmt.Fprintf(cmd.OutOrStdout(), "daemon %s: ok\n", action)
+	return nil
+}