fix(whatsapp): upgrade Baileys 6.7→6.17, fix proto import and 515 restart

Baileys 6.7.21 silently failed the pairing handshake. Upgrade to 6.17.16
which fixes this. Three related issues:

1. proto is no longer a named ESM export in 6.17.x — use createRequire
   to import via CJS (matching the proven v1 pattern).
2. Setup auth script didn't handle the 515 stream restart that WhatsApp
   sends after successful pairing. Refactored to reconnect (matching v1's
   connectSocket(isReconnect) pattern) instead of hanging until timeout.
3. Added succeeded guard and process.exit(0) to prevent timeout race
   after successful auth.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.claude/skills/add-whatsapp-v2/SKILL.md

@@ -46,74 +46,112 @@ npm run build
 
 WhatsApp uses linked-device authentication — no API key, just a one-time pairing from your phone.
 
+### Check current state
+
+Check if WhatsApp is already authenticated. If `store/auth/creds.json` exists, skip to "Shared vs dedicated number".
+
+```bash
+test -f store/auth/creds.json && echo "WhatsApp auth exists" || echo "No WhatsApp auth"
+```
+
 ### Detect environment
 
+Check whether the environment is headless (no display server):
+
 ```bash
 [[ -z "$DISPLAY" && -z "$WAYLAND_DISPLAY" && "$OSTYPE" != darwin* ]] && echo "IS_HEADLESS=true" || echo "IS_HEADLESS=false"
 ```
 
 ### Ask the user
 
-AskUserQuestion: How do you want to authenticate WhatsApp?
-- **Pairing code** (Recommended for headless/VM) — enter a numeric code on your phone, requires phone number
-- **QR code in terminal** — displays QR code in the terminal
+Use `AskUserQuestion` to collect configuration. **Adapt auth options based on environment:**
 
-If pairing code:
+If IS_HEADLESS=true AND not WSL → AskUserQuestion: How do you want to authenticate WhatsApp?
+- **Pairing code** (Recommended) - Enter a numeric code on your phone (no camera needed, requires phone number)
+- **QR code in terminal** - Displays QR code in the terminal (can be too small on some displays)
 
-AskUserQuestion: What is your phone number? (Digits only — country code + number, no + prefix, spaces, or dashes. Example: 14155551234 where 1 is the US country code and 4155551234 is the phone number.)
+Otherwise (macOS, desktop Linux, or WSL) → AskUserQuestion: How do you want to authenticate WhatsApp?
+- **QR code in browser** (Recommended) - Opens a browser window with a large, scannable QR code
+- **Pairing code** - Enter a numeric code on your phone (no camera needed, requires phone number)
+- **QR code in terminal** - Displays QR code in the terminal (can be too small on some displays)
 
-### Configure auth method
+If they chose pairing code:
 
-For **pairing code**, set the phone number in `.env`:
+AskUserQuestion: What is your phone number? (Digits only — country code followed by your 10-digit number, no + prefix, spaces, or dashes. Example: 14155551234 where 1 is the US country code and 4155551234 is the phone number.)
+
+### Clean previous auth state (if re-authenticating)
 
 ```bash
-grep -q WHATSAPP_PHONE_NUMBER .env 2>/dev/null || echo "WHATSAPP_PHONE_NUMBER=<their-number>" >> .env
+rm -rf store/auth/
 ```
 
-For **QR code**, ensure WHATSAPP_PHONE_NUMBER is NOT set (comment it out if present).
+### Run WhatsApp authentication
 
-### Authenticate
-
-The adapter authenticates on first startup. Restart the service:
+For QR code in browser (recommended):
 
 ```bash
-# Linux
-systemctl --user restart nanoclaw
-
-# macOS
-launchctl kickstart -k gui/$(id -u)/com.nanoclaw
+npx tsx setup/index.ts --step whatsapp-auth -- --method qr-browser
 ```
 
-**Pairing code flow** — poll for the code:
-
-```bash
-for i in $(seq 1 30); do [ -f data/whatsapp-pairing-code.txt ] && cat data/whatsapp-pairing-code.txt && break; sleep 1; done
-```
+(Bash timeout: 150000ms)
 
 Tell the user:
 
+> A browser window will open with a QR code.
+>
+> 1. Open WhatsApp > **Settings** > **Linked Devices** > **Link a Device**
+> 2. Scan the QR code in the browser
+> 3. The page will show "Authenticated!" when done
+
+For QR code in terminal:
+
+```bash
+npx tsx setup/index.ts --step whatsapp-auth -- --method qr-terminal
+```
+
+(Bash timeout: 150000ms)
+
+Tell the user:
+
+> 1. Open WhatsApp > **Settings** > **Linked Devices** > **Link a Device**
+> 2. Scan the QR code displayed in the terminal
+
+For pairing code:
+
+Tell the user to have WhatsApp open on **Settings > Linked Devices > Link a Device**, ready to tap **"Link with phone number instead"** — the code expires in ~60 seconds and must be entered immediately.
+
+Run the auth process in the background and poll `store/pairing-code.txt` for the code:
+
+```bash
+rm -f store/pairing-code.txt && npx tsx setup/index.ts --step whatsapp-auth -- --method pairing-code --phone <their-phone-number> > /tmp/wa-auth.log 2>&1 &
+```
+
+Then immediately poll for the code (do NOT wait for the background command to finish):
+
+```bash
+for i in $(seq 1 20); do [ -f store/pairing-code.txt ] && cat store/pairing-code.txt && break; sleep 1; done
+```
+
+Display the code to the user the moment it appears. Tell them:
+
 > **Enter this code now** — it expires in ~60 seconds.
 >
 > 1. Open WhatsApp > **Settings** > **Linked Devices** > **Link a Device**
 > 2. Tap **Link with phone number instead**
 > 3. Enter the code immediately
 
-**QR code flow** — watch logs:
+After the user enters the code, poll for authentication to complete:
 
 ```bash
-tail -f logs/nanoclaw.log | grep -A 30 "WhatsApp QR code"
+for i in $(seq 1 60); do grep -q 'STATUS: authenticated' /tmp/wa-auth.log 2>/dev/null && echo "authenticated" && break; grep -q 'STATUS: failed' /tmp/wa-auth.log 2>/dev/null && echo "failed" && break; sleep 2; done
 ```
 
-Tell the user:
+**If failed:** logged_out → delete `store/auth/` and re-run. timeout → ask user, offer retry.
 
-> 1. Open WhatsApp > **Settings** > **Linked Devices** > **Link a Device**
-> 2. Scan the QR code displayed in the logs
-
-### Verify authentication
+### Verify authentication succeeded
 
 ```bash
-test -f data/whatsapp-auth/creds.json && echo "Authentication successful" || echo "Authentication failed"
-grep "Connected to WhatsApp" logs/nanoclaw.log | tail -1
+test -f store/auth/creds.json && echo "Authentication successful" || echo "Authentication failed"
 ```
 
 ### Shared vs dedicated number
@@ -138,7 +176,7 @@ Otherwise, run `/manage-channels` to wire this channel to an agent group.
 
 - **type**: `whatsapp`
 - **terminology**: WhatsApp calls them "groups" and "chats." A "chat" is a 1:1 DM; a "group" has multiple members.
-- **how-to-find-id**: DMs use `<phone>@s.whatsapp.net` (e.g. `14155551234@s.whatsapp.net`). Groups use `<id>@g.us`. To find your number: `node -e "const c=JSON.parse(require('fs').readFileSync('data/whatsapp-auth/creds.json','utf-8'));console.log(c.me?.id?.split(':')[0]+'@s.whatsapp.net')"`. Groups are auto-discovered — check `sqlite3 data/v2.db "SELECT platform_id, name FROM messaging_groups WHERE channel_type='whatsapp' AND is_group=1"`.
+- **how-to-find-id**: DMs use `<phone>@s.whatsapp.net` (e.g. `14155551234@s.whatsapp.net`). Groups use `<id>@g.us`. To find your number: `node -e "const c=JSON.parse(require('fs').readFileSync('store/auth/creds.json','utf-8'));console.log(c.me?.id?.split(':')[0]+'@s.whatsapp.net')"`. Groups are auto-discovered — check `sqlite3 data/v2.db "SELECT platform_id, name FROM messaging_groups WHERE channel_type='whatsapp' AND is_group=1"`.
 - **supports-threads**: no
 - **typical-use**: Interactive chat — direct messages or small groups
 - **default-isolation**: Same agent group if you're the only participant across multiple chats. Separate agent group if different people are in different groups.
@@ -156,29 +194,43 @@ Not supported (WhatsApp linked device limitation): edit messages, delete message
 
 ## Troubleshooting
 
+### QR code expired
+
+QR codes expire after ~60 seconds. Re-run the auth command:
+
+```bash
+rm -rf store/auth/ && npx tsx setup/index.ts --step whatsapp-auth -- --method qr-browser
+```
+
 ### Pairing code not working
 
 Codes expire in ~60 seconds. Delete auth and retry:
 
 ```bash
-rm -rf data/whatsapp-auth/ && systemctl --user restart nanoclaw
+rm -rf store/auth/ && npx tsx setup/index.ts --step whatsapp-auth -- --method pairing-code --phone <phone>
 ```
 
 Ensure: digits only (no `+`), phone has internet, WhatsApp is updated.
 
+If pairing code keeps failing, switch to QR-browser auth instead:
+
+```bash
+rm -rf store/auth/ && npx tsx setup/index.ts --step whatsapp-auth -- --method qr-browser
+```
+
 ### "waiting for this message" on reactions
 
 Signal sessions corrupted from rapid restarts. Clear sessions:
 
 ```bash
 systemctl --user stop nanoclaw
-rm data/whatsapp-auth/session-*.json
+rm store/auth/session-*.json
 systemctl --user start nanoclaw
 ```
 
 ### Bot not responding
 
-1. Auth exists: `test -f data/whatsapp-auth/creds.json`
+1. Auth exists: `test -f store/auth/creds.json`
 2. Connected: `grep "Connected to WhatsApp" logs/nanoclaw.log | tail -1`
 3. Channel wired: `sqlite3 data/v2.db "SELECT mg.platform_id, mg.name FROM messaging_groups mg JOIN messaging_group_agents mga ON mg.id=mga.messaging_group_id WHERE mg.channel_type='whatsapp'"`
 4. Service running: `systemctl --user status nanoclaw`

.claude/skills/setup/SKILL.md

@@ -15,7 +15,7 @@ Use `AskUserQuestion` with these options:
 2. **No thanks** — description: "I'll approve each command individually as it comes up."
 3. **Show me the list first** — description: "Show me exactly which commands will be pre-approved before I decide."
 
-If they pick option 1: read `.claude/skills/setup/setup-permissions.json` and use the Skill tool to invoke `update-config` with: "Add these permissions to the project settings allow list: <paste the JSON array>".
+If they pick option 1: read `.claude/skills/setup/setup-permissions.json`, then read the project settings file at `.claude/settings.json` (create it if it doesn't exist with `{}`), and directly edit it to add/merge the permissions into the `permissions.allow` array. Do NOT use the `update-config` skill.
 
 If they pick option 3: read and display `.claude/skills/setup/setup-permissions.json`, then re-ask with just options 1 and 2.