feat(docs): launch landing/docs site with skill + installer publishing

.github/AGENTS.md

@@ -37,6 +37,26 @@
 - Use workflow concurrency groups to prevent overlapping deploys for the same environment.
 - Run Wrangler through workspace tooling (`pnpm exec wrangler`) in CI so commands work without a global Wrangler install on GitHub runners.
 
+## Deployment Rules (Landing)
+- `deploy-landing-develop.yml` deploys landing docs/asset output from `develop` to the Pages `develop` branch.
+- `deploy-landing.yml` deploys landing docs/asset output from `main` to the Pages `main` branch.
+- Both landing deploy workflows must trigger on:
+  - `apps/landing/**`
+  - `apps/openclaw-skill/skill/**`
+  - `apps/landing/scripts/**`
+  - `.github/workflows/deploy-landing*.yml`
+- Landing workflows must bootstrap Cloudflare Pages project `clawdentity-site` if missing before deploy.
+- Landing workflows must assert generated artifacts exist before invoking `pages deploy`:
+  - `apps/landing/dist/skill.md`
+  - `apps/landing/dist/install.sh`
+  - `apps/landing/dist/install.ps1`
+
+## Release Rules (Rust)
+- `publish-rust.yml` must publish six binary archives per release (Linux x86_64/aarch64, macOS x86_64/aarch64, Windows x86_64/aarch64).
+- Rust release assets must always include:
+  - `clawdentity-<version>-windows-aarch64.zip`
+  - installer scripts copied from `apps/landing/public/install.sh` and `apps/landing/public/install.ps1`
+
 ## Release Rules (CLI)
 - `publish-cli.yml` is manual (`workflow_dispatch`) and must accept `release_type` (`patch`/`minor`/`major`) + `dist_tag` inputs.
 - Compute the next CLI version in CI from the currently published npm `clawdentity` version (fallback `0.0.0` if first publish), then bump `apps/cli/package.json` in the workflow.
@@ -67,7 +87,7 @@
   - `Workers Scripts:Edit`
   - `Workers Routes:Edit` (zone-level, custom domains)
   - `D1:Edit`
-  - add `Cloudflare Pages:Edit` only when Pages deploy workflow is introduced.
+  - `Cloudflare Pages:Edit`
 
 ## Migration Rollback Strategy (Develop)
 - Capture pre-deploy artifacts:

.github/workflows/AGENTS.md

@@ -13,8 +13,10 @@
   - `x86_64-apple-darwin`
   - `aarch64-apple-darwin`
   - `x86_64-pc-windows-msvc`
+  - `aarch64-pc-windows-msvc`
 - Use only supported runner labels; avoid deprecated/unsupported macOS labels (for example `macos-13` if unavailable in project settings).
 - Smoke-test binaries only on native runner/target pairs.
+- Skip smoke execution for `aarch64-pc-windows-msvc` on `windows-latest` because the hosted runner is x64.
 - Do not execute cross-built `linux-aarch64` artifacts on `ubuntu-latest` x86 runners; this must be skipped (exec format mismatch).
 - When `x86_64-apple-darwin` is built on Apple Silicon runners, skip smoke execution unless a native Intel runner is configured.
 - Keep binary naming stable in packaged archives:
@@ -26,10 +28,21 @@
   - `clawdentity-<version>-macos-x86_64.tar.gz`
   - `clawdentity-<version>-macos-aarch64.tar.gz`
   - `clawdentity-<version>-windows-x86_64.zip`
+  - `clawdentity-<version>-windows-aarch64.zip`
+  - `install.sh`
+  - `install.ps1`
   - `clawdentity-<version>-checksums.txt`
+- Installer script assets in Rust releases must be sourced from `apps/landing/public/install.sh` and `apps/landing/public/install.ps1`.
 - Always generate and publish SHA256 checksums.
 - Keep release uploads idempotent (`overwrite_files` / clobber-safe behavior) so reruns replace assets cleanly.
 
+## Landing Deploy Rules
+- `deploy-landing-develop.yml` and `deploy-landing.yml` must keep Cloudflare Pages bootstrap behavior before deploy.
+- Both landing deploy workflows must assert these built artifacts before running `pages deploy`:
+  - `apps/landing/dist/skill.md`
+  - `apps/landing/dist/install.sh`
+  - `apps/landing/dist/install.ps1`
+
 ## Rust Crate Publish Rules
 - Resolve next version from crates metadata using `cargo info` and bump both crate manifests consistently:
   - `crates/clawdentity-core/Cargo.toml`

.github/workflows/deploy-landing-develop.yml

@@ -0,0 +1,94 @@
+name: Deploy Landing Site (Develop)
+
+on:
+  push:
+    branches: [develop]
+    paths:
+      - "apps/landing/**"
+      - "apps/openclaw-skill/skill/**"
+      - "apps/landing/scripts/**"
+      - ".github/workflows/deploy-landing*.yml"
+  workflow_dispatch:
+
+concurrency:
+  group: deploy-landing-develop
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      deployments: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 10.23.0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - name: Install D2 CLI
+        run: curl -fsSL https://d2lang.com/install.sh | sh -s --
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: Verify Cloudflare secrets
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+        run: |
+          set -euo pipefail
+
+          if [ -z "${CLOUDFLARE_API_TOKEN:-}" ]; then
+            echo "Missing required secret: CLOUDFLARE_API_TOKEN"
+            exit 1
+          fi
+
+          if [ -z "${CLOUDFLARE_ACCOUNT_ID:-}" ]; then
+            echo "Missing required secret: CLOUDFLARE_ACCOUNT_ID"
+            exit 1
+          fi
+
+      - name: Bootstrap Cloudflare Pages project
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+        run: |
+          set -euo pipefail
+
+          PROJECT_NAME="clawdentity-site"
+
+          PROJECTS_JSON="$(pnpm dlx wrangler@4 pages project list --json)"
+          if PROJECTS_JSON="${PROJECTS_JSON}" node - "${PROJECT_NAME}" <<'NODE'
+          const projectName = process.argv[2];
+          const projects = JSON.parse(process.env.PROJECTS_JSON ?? "[]");
+          const exists = Array.isArray(projects) && projects.some((project) => project?.name === projectName);
+          process.exit(exists ? 0 : 1);
+          NODE
+          then
+            echo "Cloudflare Pages project '${PROJECT_NAME}' already exists"
+          else
+            echo "Creating Cloudflare Pages project '${PROJECT_NAME}' with production branch 'main'"
+            pnpm dlx wrangler@4 pages project create "${PROJECT_NAME}" --production-branch main
+          fi
+
+      - run: pnpm --filter @clawdentity/landing build
+
+      - name: Assert landing artifacts exist
+        run: |
+          set -euo pipefail
+          test -f apps/landing/dist/skill.md
+          test -f apps/landing/dist/install.sh
+          test -f apps/landing/dist/install.ps1
+
+      - name: Deploy to Cloudflare Pages (develop)
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: pages deploy apps/landing/dist --project-name=clawdentity-site --branch=develop

.github/workflows/deploy-landing.yml

@@ -0,0 +1,94 @@
+name: Deploy Landing Site
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "apps/landing/**"
+      - "apps/openclaw-skill/skill/**"
+      - "apps/landing/scripts/**"
+      - ".github/workflows/deploy-landing*.yml"
+  workflow_dispatch:
+
+concurrency:
+  group: deploy-landing-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      deployments: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 10.23.0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - name: Install D2 CLI
+        run: curl -fsSL https://d2lang.com/install.sh | sh -s --
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: Verify Cloudflare secrets
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+        run: |
+          set -euo pipefail
+
+          if [ -z "${CLOUDFLARE_API_TOKEN:-}" ]; then
+            echo "Missing required secret: CLOUDFLARE_API_TOKEN"
+            exit 1
+          fi
+
+          if [ -z "${CLOUDFLARE_ACCOUNT_ID:-}" ]; then
+            echo "Missing required secret: CLOUDFLARE_ACCOUNT_ID"
+            exit 1
+          fi
+
+      - name: Bootstrap Cloudflare Pages project
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+        run: |
+          set -euo pipefail
+
+          PROJECT_NAME="clawdentity-site"
+
+          PROJECTS_JSON="$(pnpm dlx wrangler@4 pages project list --json)"
+          if PROJECTS_JSON="${PROJECTS_JSON}" node - "${PROJECT_NAME}" <<'NODE'
+          const projectName = process.argv[2];
+          const projects = JSON.parse(process.env.PROJECTS_JSON ?? "[]");
+          const exists = Array.isArray(projects) && projects.some((project) => project?.name === projectName);
+          process.exit(exists ? 0 : 1);
+          NODE
+          then
+            echo "Cloudflare Pages project '${PROJECT_NAME}' already exists"
+          else
+            echo "Creating Cloudflare Pages project '${PROJECT_NAME}' with production branch 'main'"
+            pnpm dlx wrangler@4 pages project create "${PROJECT_NAME}" --production-branch main
+          fi
+
+      - run: pnpm --filter @clawdentity/landing build
+
+      - name: Assert landing artifacts exist
+        run: |
+          set -euo pipefail
+          test -f apps/landing/dist/skill.md
+          test -f apps/landing/dist/install.sh
+          test -f apps/landing/dist/install.ps1
+
+      - name: Deploy to Cloudflare Pages (main)
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: pages deploy apps/landing/dist --project-name=clawdentity-site --branch=main

.github/workflows/publish-rust.yml

@@ -293,6 +293,12 @@ jobs:
             archive_ext: zip
             use_cross: "false"
             smoke_test: "true"
+          - os: windows-latest
+            platform: windows-aarch64
+            target: aarch64-pc-windows-msvc
+            archive_ext: zip
+            use_cross: "false"
+            smoke_test: "false"
     steps:
       - name: Checkout release tag
         uses: actions/checkout@v4
@@ -395,13 +401,27 @@ jobs:
     permissions:
       contents: write
     steps:
+      - name: Checkout release tag
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.publish.outputs.tag }}
+          fetch-depth: 0
+
       - name: Download packaged artifacts
         uses: actions/download-artifact@v4
         with:
           pattern: release-*
           path: dist
           merge-multiple: true
 
+      - name: Stage installer scripts
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p dist
+          install -m 0755 apps/landing/public/install.sh dist/install.sh
+          install -m 0644 apps/landing/public/install.ps1 dist/install.ps1
+
       - name: Verify assets and generate checksums
         shell: bash
         run: |
@@ -413,8 +433,8 @@ jobs:
             \( -name "clawdentity-${VERSION}-*.tar.gz" -o -name "clawdentity-${VERSION}-*.zip" \) \
             | sort)
 
-          if [[ "${#ARCHIVES[@]}" -ne 5 ]]; then
-            echo "Expected 5 release archives, found ${#ARCHIVES[@]}"
+          if [[ "${#ARCHIVES[@]}" -ne 6 ]]; then
+            echo "Expected 6 release archives, found ${#ARCHIVES[@]}"
             ls -lah dist
             exit 1
           fi
@@ -432,7 +452,8 @@ jobs:
           Assets in this release:
           - Linux: x86_64 and aarch64
           - macOS: x86_64 and aarch64
-          - Windows: x86_64 (`clawdentity.exe`)
+          - Windows: x86_64 and aarch64 (`clawdentity.exe`)
+          - Installers: `install.sh` and `install.ps1`
           - SHA256 checksums: `clawdentity-<version>-checksums.txt`
 
           Windows install example (PowerShell + `irm`):
@@ -475,4 +496,7 @@ jobs:
             dist/clawdentity-${{ needs.publish.outputs.next_version }}-macos-x86_64.tar.gz
             dist/clawdentity-${{ needs.publish.outputs.next_version }}-macos-aarch64.tar.gz
             dist/clawdentity-${{ needs.publish.outputs.next_version }}-windows-x86_64.zip
+            dist/clawdentity-${{ needs.publish.outputs.next_version }}-windows-aarch64.zip
             dist/clawdentity-${{ needs.publish.outputs.next_version }}-checksums.txt
+            dist/install.sh
+            dist/install.ps1

.gitignore

@@ -12,6 +12,7 @@ nx.bat
 .dev.vars
 .pnpm-store/
 target/
+.astro/
 
 # Working docs (plans, reviews, research — keep local)
 **/PLAN.md

AGENTS.md

@@ -38,7 +38,7 @@ Run from `crates/`:
 ### Apps (deployable services)
 - `apps/registry` - Cloudflare Worker HTTP API for humans, agents, invites, API keys, and revocation data.
 - `apps/proxy` - Cloudflare Worker relay/proxy that verifies Clawdentity auth headers and enforces trust policy.
-- `apps/cli` - TypeScript CLI package (`clawdentity`) for onboarding, identity ops, provider setup, and skill install.
+- `apps/cli` - TypeScript CLI compatibility package (`clawdentity`); Rust CLI is the canonical operator surface.
 - `apps/openclaw-skill` - OpenClaw skill package and relay transform artifacts used by CLI install flow.
 
 ### Packages (shared libraries)
@@ -49,7 +49,7 @@ Run from `crates/`:
 
 ### Rust workspace crates
 - `crates/clawdentity-core` - Core Rust library for identity, registry clients, connector/runtime, providers, pairing, and persistence.
-- `crates/clawdentity-cli` - Rust CLI binary and command surface replacing the legacy TypeScript CLI over time.
+- `crates/clawdentity-cli` - Rust CLI binary and command surface for current operator workflows.
 
 ### Rust local test services
 - `crates/tests/local/mock-registry` - Local mock registry used for integration and harness-style flows.
@@ -59,11 +59,11 @@ Run from `crates/`:
 
 ### TypeScript CLI (`apps/cli`)
 - Build/package: `pnpm -F clawdentity build`
-- Common ops: `clawdentity config init`, `clawdentity invite redeem <code>`, `clawdentity agent create <name>`, `clawdentity openclaw setup <name>`, `clawdentity skill install`, `clawdentity connector start <name>`
+- Treat command docs here as compatibility guidance, not canonical runtime surface.
 
 ### Rust CLI (`crates/clawdentity-cli`)
 - Help: `cargo run -p clawdentity-cli -- --help`
-- Common ops: `cargo run -p clawdentity-cli -- init`, `whoami`, `agent create <name>`, `invite redeem <code> --display-name <name>`, `connector start <agent>`, `provider doctor --for openclaw`
+- Common ops: `cargo run -p clawdentity-cli -- init`, `register`, `whoami`, `agent create <name>`, `agent auth revoke <name>`, `provider setup --for <platform> --agent-name <name>`, `provider doctor --for <platform>`, `connector start <agent>`
 
 ## 5) Deeper Docs
 Use `docs/` as system of record:
@@ -79,6 +79,7 @@ Use `docs/` as system of record:
 - Favor actionable errors and stable machine-readable outputs.
 - Run relevant TypeScript and Rust checks before commit (`pnpm build` and `cargo check` are baseline gates).
 - Keep docs synchronized with implementation changes, especially when changing CLI flows or skill behavior.
+- Keep user onboarding docs prompt-first (`/skill.md` canonical); treat command-by-command and Rust toolchain flows as advanced fallback guidance only.
 
 ## 7) Release Automation
 - Keep Rust release automation in `.github/workflows/publish-rust.yml` as the single canonical path for version bump + crates.io publish + tag creation + binary release.
@@ -92,6 +93,7 @@ Use `docs/` as system of record:
   - `clawdentity-<version>-macos-x86_64.tar.gz`
   - `clawdentity-<version>-macos-aarch64.tar.gz`
   - `clawdentity-<version>-windows-x86_64.zip`
+  - `clawdentity-<version>-windows-aarch64.zip`
   - `clawdentity-<version>-checksums.txt`
 - Binary naming contract for release artifacts:
   - Unix binary is `clawdentity`