agentbnb 2.2.0 → 3.1.0

package/dist/index.js

@@ -432,6 +432,30 @@ function getCard(db, id) {
   if (!row) return null;
   return JSON.parse(row.data);
 }
+function updateCard(db, id, owner, updates) {
+  const existing = getCard(db, id);
+  if (!existing) {
+    throw new AgentBnBError(`Card not found: ${id}`, "NOT_FOUND");
+  }
+  if (existing.owner !== owner) {
+    throw new AgentBnBError("Forbidden: you do not own this card", "FORBIDDEN");
+  }
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const merged = { ...existing, ...updates, updated_at: now };
+  const parsed = CapabilityCardSchema.safeParse(merged);
+  if (!parsed.success) {
+    throw new AgentBnBError(
+      `Card validation failed: ${parsed.error.message}`,
+      "VALIDATION_ERROR"
+    );
+  }
+  const stmt = db.prepare(`
+    UPDATE capability_cards
+    SET data = ?, updated_at = ?
+    WHERE id = ?
+  `);
+  stmt.run(JSON.stringify(parsed.data), now, id);
+}
 function updateReputation(db, cardId, success, latencyMs) {
   const existing = getCard(db, cardId);
   if (!existing) return;
@@ -458,7 +482,7 @@ function updateReputation(db, cardId, success, latencyMs) {
 
 // src/registry/matcher.ts
 function searchCards(db, query, filters = {}) {
-  const words = query.trim().split(/\s+/).map((w) => w.replace(/"/g, "")).filter((w) => w.length > 0);
+  const words = query.trim().split(/\s+/).map((w) => w.replace(/["*^{}():]/g, "")).filter((w) => w.length > 0);
   if (words.length === 0) return [];
   const ftsQuery = words.map((w) => `"${w}"`).join(" OR ");
   const conditions = [];
@@ -537,9 +561,29 @@ function getBalance(db, owner) {
   const row = db.prepare("SELECT balance FROM credit_balances WHERE owner = ?").get(owner);
   return row?.balance ?? 0;
 }
+function recordEarning(db, owner, amount, _cardId, receiptNonce) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  db.transaction(() => {
+    const existing = db.prepare(
+      "SELECT id FROM credit_transactions WHERE reference_id = ? AND reason = 'remote_earning'"
+    ).get(receiptNonce);
+    if (existing) return;
+    db.prepare(
+      "INSERT OR IGNORE INTO credit_balances (owner, balance, updated_at) VALUES (?, 0, ?)"
+    ).run(owner, now);
+    db.prepare(
+      "UPDATE credit_balances SET balance = balance + ?, updated_at = ? WHERE owner = ?"
+    ).run(amount, now, owner);
+    db.prepare(
+      "INSERT INTO credit_transactions (id, owner, amount, reason, reference_id, created_at) VALUES (?, ?, ?, ?, ?, ?)"
+    ).run(randomUUID(), owner, amount, "remote_earning", receiptNonce, now);
+  })();
+}
 
 // src/gateway/server.ts
 import Fastify from "fastify";
+
+// src/gateway/execute.ts
 import { randomUUID as randomUUID3 } from "crypto";
 
 // src/credit/escrow.ts
@@ -618,6 +662,256 @@ function releaseEscrow(db, escrowId) {
   });
   release();
 }
+function confirmEscrowDebit(db, escrowId) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const confirm = db.transaction(() => {
+    const escrow = db.prepare("SELECT id, owner, amount, status FROM credit_escrow WHERE id = ?").get(escrowId);
+    if (!escrow) {
+      throw new AgentBnBError(`Escrow not found: ${escrowId}`, "ESCROW_NOT_FOUND");
+    }
+    if (escrow.status !== "held") {
+      throw new AgentBnBError(
+        `Escrow ${escrowId} is already ${escrow.status}`,
+        "ESCROW_ALREADY_SETTLED"
+      );
+    }
+    db.prepare(
+      "UPDATE credit_escrow SET status = ?, settled_at = ? WHERE id = ?"
+    ).run("settled", now, escrowId);
+    db.prepare(
+      "INSERT INTO credit_transactions (id, owner, amount, reason, reference_id, created_at) VALUES (?, ?, ?, ?, ?, ?)"
+    ).run(randomUUID2(), escrow.owner, 0, "remote_settlement_confirmed", escrowId, now);
+  });
+  confirm();
+}
+
+// src/credit/signing.ts
+import { generateKeyPairSync, sign, verify, createPublicKey, createPrivateKey } from "crypto";
+import { writeFileSync, readFileSync, existsSync, chmodSync } from "fs";
+import { join } from "path";
+function generateKeyPair() {
+  const { publicKey, privateKey } = generateKeyPairSync("ed25519", {
+    publicKeyEncoding: { type: "spki", format: "der" },
+    privateKeyEncoding: { type: "pkcs8", format: "der" }
+  });
+  return {
+    publicKey: Buffer.from(publicKey),
+    privateKey: Buffer.from(privateKey)
+  };
+}
+function saveKeyPair(configDir, keys) {
+  const privatePath = join(configDir, "private.key");
+  const publicPath = join(configDir, "public.key");
+  writeFileSync(privatePath, keys.privateKey);
+  chmodSync(privatePath, 384);
+  writeFileSync(publicPath, keys.publicKey);
+}
+function loadKeyPair(configDir) {
+  const privatePath = join(configDir, "private.key");
+  const publicPath = join(configDir, "public.key");
+  if (!existsSync(privatePath) || !existsSync(publicPath)) {
+    throw new AgentBnBError("Keypair not found. Run `agentbnb init` to generate one.", "KEYPAIR_NOT_FOUND");
+  }
+  return {
+    publicKey: readFileSync(publicPath),
+    privateKey: readFileSync(privatePath)
+  };
+}
+function canonicalJson(data) {
+  return JSON.stringify(data, Object.keys(data).sort());
+}
+function signEscrowReceipt(data, privateKey) {
+  const message = Buffer.from(canonicalJson(data), "utf-8");
+  const keyObject = createPrivateKey({ key: privateKey, format: "der", type: "pkcs8" });
+  const signature = sign(null, message, keyObject);
+  return signature.toString("base64url");
+}
+function verifyEscrowReceipt(data, signature, publicKey) {
+  try {
+    const message = Buffer.from(canonicalJson(data), "utf-8");
+    const keyObject = createPublicKey({ key: publicKey, format: "der", type: "spki" });
+    const sigBuffer = Buffer.from(signature, "base64url");
+    return verify(null, message, keyObject, sigBuffer);
+  } catch {
+    return false;
+  }
+}
+
+// src/credit/settlement.ts
+function settleProviderEarning(providerDb, providerOwner, receipt) {
+  recordEarning(
+    providerDb,
+    providerOwner,
+    receipt.amount,
+    receipt.card_id,
+    receipt.nonce
+  );
+  return { settled: true };
+}
+function settleRequesterEscrow(requesterDb, escrowId) {
+  confirmEscrowDebit(requesterDb, escrowId);
+}
+function releaseRequesterEscrow(requesterDb, escrowId) {
+  releaseEscrow(requesterDb, escrowId);
+}
+
+// src/gateway/execute.ts
+async function executeCapabilityRequest(opts) {
+  const {
+    registryDb,
+    creditDb,
+    cardId,
+    skillId,
+    params,
+    requester,
+    escrowReceipt: receipt,
+    skillExecutor,
+    handlerUrl,
+    timeoutMs = 3e4
+  } = opts;
+  const card = getCard(registryDb, cardId);
+  if (!card) {
+    return { success: false, error: { code: -32602, message: `Card not found: ${cardId}` } };
+  }
+  let creditsNeeded;
+  let cardName;
+  let resolvedSkillId;
+  const rawCard = card;
+  if (Array.isArray(rawCard["skills"])) {
+    const v2card = card;
+    const skill = skillId ? v2card.skills.find((s) => s.id === skillId) : v2card.skills[0];
+    if (!skill) {
+      return { success: false, error: { code: -32602, message: `Skill not found: ${skillId}` } };
+    }
+    creditsNeeded = skill.pricing.credits_per_call;
+    cardName = skill.name;
+    resolvedSkillId = skill.id;
+  } else {
+    creditsNeeded = card.pricing.credits_per_call;
+    cardName = card.name;
+  }
+  let escrowId = null;
+  let isRemoteEscrow = false;
+  if (receipt) {
+    const { signature, ...receiptData2 } = receipt;
+    const publicKeyBuf = Buffer.from(receipt.requester_public_key, "hex");
+    const valid = verifyEscrowReceipt(receiptData2, signature, publicKeyBuf);
+    if (!valid) {
+      return { success: false, error: { code: -32603, message: "Invalid escrow receipt signature" } };
+    }
+    if (receipt.amount < creditsNeeded) {
+      return { success: false, error: { code: -32603, message: "Insufficient escrow amount" } };
+    }
+    const receiptAge = Date.now() - new Date(receipt.timestamp).getTime();
+    if (receiptAge > 5 * 60 * 1e3) {
+      return { success: false, error: { code: -32603, message: "Escrow receipt expired" } };
+    }
+    isRemoteEscrow = true;
+  } else {
+    try {
+      const balance = getBalance(creditDb, requester);
+      if (balance < creditsNeeded) {
+        return { success: false, error: { code: -32603, message: "Insufficient credits" } };
+      }
+      escrowId = holdEscrow(creditDb, requester, creditsNeeded, cardId);
+    } catch (err) {
+      const msg = err instanceof AgentBnBError ? err.message : "Failed to hold escrow";
+      return { success: false, error: { code: -32603, message: msg } };
+    }
+  }
+  const startMs = Date.now();
+  const receiptData = isRemoteEscrow ? { receipt_released: true } : void 0;
+  const handleFailure = (status, latencyMs, message) => {
+    if (!isRemoteEscrow && escrowId) releaseEscrow(creditDb, escrowId);
+    updateReputation(registryDb, cardId, false, latencyMs);
+    try {
+      insertRequestLog(registryDb, {
+        id: randomUUID3(),
+        card_id: cardId,
+        card_name: cardName,
+        skill_id: resolvedSkillId,
+        requester,
+        status,
+        latency_ms: latencyMs,
+        credits_charged: 0,
+        created_at: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    } catch {
+    }
+    return {
+      success: false,
+      error: { code: -32603, message, ...receiptData ? { data: receiptData } : {} }
+    };
+  };
+  const handleSuccess = (result, latencyMs) => {
+    if (isRemoteEscrow && receipt) {
+      settleProviderEarning(creditDb, card.owner, receipt);
+    } else if (escrowId) {
+      settleEscrow(creditDb, escrowId, card.owner);
+    }
+    updateReputation(registryDb, cardId, true, latencyMs);
+    try {
+      insertRequestLog(registryDb, {
+        id: randomUUID3(),
+        card_id: cardId,
+        card_name: cardName,
+        skill_id: resolvedSkillId,
+        requester,
+        status: "success",
+        latency_ms: latencyMs,
+        credits_charged: creditsNeeded,
+        created_at: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    } catch {
+    }
+    const successResult = isRemoteEscrow ? {
+      ...typeof result === "object" && result !== null ? result : { data: result },
+      receipt_settled: true,
+      receipt_nonce: receipt.nonce
+    } : result;
+    return { success: true, result: successResult };
+  };
+  if (skillExecutor) {
+    const targetSkillId = resolvedSkillId ?? skillId ?? cardId;
+    try {
+      const execResult = await skillExecutor.execute(targetSkillId, params);
+      if (!execResult.success) {
+        return handleFailure("failure", execResult.latency_ms, execResult.error ?? "Execution failed");
+      }
+      return handleSuccess(execResult.result, execResult.latency_ms);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Execution error";
+      return handleFailure("failure", Date.now() - startMs, message);
+    }
+  }
+  if (!handlerUrl) {
+    return handleFailure("failure", Date.now() - startMs, "No skill executor or handler URL configured");
+  }
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(handlerUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ card_id: cardId, skill_id: resolvedSkillId, params }),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!response.ok) {
+      return handleFailure("failure", Date.now() - startMs, `Handler returned ${response.status}`);
+    }
+    const result = await response.json();
+    return handleSuccess(result, Date.now() - startMs);
+  } catch (err) {
+    clearTimeout(timer);
+    const isTimeout = err instanceof Error && err.name === "AbortError";
+    return handleFailure(
+      isTimeout ? "timeout" : "failure",
+      Date.now() - startMs,
+      isTimeout ? "Execution timeout" : "Handler error"
+    );
+  }
+}
 
 // src/gateway/server.ts
 var VERSION = "0.0.1";
@@ -683,212 +977,2167 @@ function createGatewayServer(opts) {
         error: { code: -32602, message: "Invalid params: card_id required" }
       });
     }
-    const card = getCard(registryDb, cardId);
-    if (!card) {
-      return reply.send({
-        jsonrpc: "2.0",
-        id,
-        error: { code: -32602, message: `Card not found: ${cardId}` }
-      });
-    }
     const requester = params.requester ?? "unknown";
-    let creditsNeeded;
-    let cardName;
-    let resolvedSkillId;
-    const rawCard = card;
-    if (Array.isArray(rawCard["skills"])) {
-      const v2card = card;
-      const skill = skillId ? v2card.skills.find((s) => s.id === skillId) : v2card.skills[0];
-      if (!skill) {
-        return reply.send({
-          jsonrpc: "2.0",
-          id,
-          error: { code: -32602, message: `Skill not found: ${skillId}` }
-        });
-      }
-      creditsNeeded = skill.pricing.credits_per_call;
-      cardName = skill.name;
-      resolvedSkillId = skill.id;
+    const receipt = params.escrow_receipt;
+    const result = await executeCapabilityRequest({
+      registryDb,
+      creditDb,
+      cardId,
+      skillId,
+      params,
+      requester,
+      escrowReceipt: receipt,
+      skillExecutor,
+      handlerUrl,
+      timeoutMs
+    });
+    if (result.success) {
+      return reply.send({ jsonrpc: "2.0", id, result: result.result });
     } else {
-      creditsNeeded = card.pricing.credits_per_call;
-      cardName = card.name;
+      return reply.send({ jsonrpc: "2.0", id, error: result.error });
+    }
+  });
+  return fastify;
+}
+
+// src/skills/executor.ts
+var SkillExecutor = class {
+  skillMap;
+  modeMap;
+  /**
+   * @param configs - Parsed SkillConfig array (from parseSkillsFile).
+   * @param modes - Map from skill type string to its executor implementation.
+   */
+  constructor(configs, modes) {
+    this.skillMap = new Map(configs.map((c) => [c.id, c]));
+    this.modeMap = modes;
+  }
+  /**
+   * Execute a skill by ID with the given input parameters.
+   *
+   * Dispatch order:
+   * 1. Look up skill config by skillId.
+   * 2. Find executor mode by config.type.
+   * 3. Invoke mode.execute(), wrap with latency timing.
+   * 4. Catch any thrown errors and return as ExecutionResult with success:false.
+   *
+   * @param skillId - The ID of the skill to execute.
+   * @param params - Input parameters for the skill.
+   * @returns ExecutionResult including success, result/error, and latency_ms.
+   */
+  async execute(skillId, params) {
+    const startTime = Date.now();
+    const config = this.skillMap.get(skillId);
+    if (!config) {
+      return {
+        success: false,
+        error: `Skill not found: "${skillId}"`,
+        latency_ms: Date.now() - startTime
+      };
+    }
+    const mode = this.modeMap.get(config.type);
+    if (!mode) {
+      return {
+        success: false,
+        error: `No executor registered for skill type "${config.type}" (skill: "${skillId}")`,
+        latency_ms: Date.now() - startTime
+      };
     }
-    let escrowId;
     try {
-      const balance = getBalance(creditDb, requester);
-      if (balance < creditsNeeded) {
-        return reply.send({
-          jsonrpc: "2.0",
-          id,
-          error: { code: -32603, message: "Insufficient credits" }
-        });
-      }
-      escrowId = holdEscrow(creditDb, requester, creditsNeeded, cardId);
+      const modeResult = await mode.execute(config, params);
+      return {
+        ...modeResult,
+        latency_ms: Date.now() - startTime
+      };
     } catch (err) {
-      const msg = err instanceof AgentBnBError ? err.message : "Failed to hold escrow";
-      return reply.send({
-        jsonrpc: "2.0",
-        id,
-        error: { code: -32603, message: msg }
-      });
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        success: false,
+        error: message,
+        latency_ms: Date.now() - startTime
+      };
+    }
+  }
+  /**
+   * Returns the IDs of all registered skills.
+   *
+   * @returns Array of skill ID strings.
+   */
+  listSkills() {
+    return Array.from(this.skillMap.keys());
+  }
+  /**
+   * Returns the SkillConfig for a given skill ID, or undefined if not found.
+   *
+   * @param skillId - The skill ID to look up.
+   * @returns The SkillConfig or undefined.
+   */
+  getSkillConfig(skillId) {
+    return this.skillMap.get(skillId);
+  }
+};
+function createSkillExecutor(configs, modes) {
+  return new SkillExecutor(configs, modes);
+}
+
+// src/skills/skill-config.ts
+import { z as z2 } from "zod";
+import yaml from "js-yaml";
+var PricingSchema = z2.object({
+  credits_per_call: z2.number().nonnegative(),
+  credits_per_minute: z2.number().nonnegative().optional(),
+  free_tier: z2.number().nonnegative().optional()
+});
+var ApiAuthSchema = z2.discriminatedUnion("type", [
+  z2.object({
+    type: z2.literal("bearer"),
+    token: z2.string()
+  }),
+  z2.object({
+    type: z2.literal("apikey"),
+    header: z2.string().default("X-API-Key"),
+    key: z2.string()
+  }),
+  z2.object({
+    type: z2.literal("basic"),
+    username: z2.string(),
+    password: z2.string()
+  })
+]);
+var ApiSkillConfigSchema = z2.object({
+  id: z2.string().min(1),
+  type: z2.literal("api"),
+  name: z2.string().min(1),
+  endpoint: z2.string().min(1),
+  method: z2.enum(["GET", "POST", "PUT", "DELETE"]),
+  auth: ApiAuthSchema.optional(),
+  input_mapping: z2.record(z2.string()).default({}),
+  output_mapping: z2.record(z2.string()).default({}),
+  pricing: PricingSchema,
+  timeout_ms: z2.number().positive().default(3e4),
+  retries: z2.number().nonnegative().int().default(0),
+  provider: z2.string().optional()
+});
+var PipelineStepSchema = z2.union([
+  z2.object({
+    skill_id: z2.string().min(1),
+    input_mapping: z2.record(z2.string()).default({})
+  }),
+  z2.object({
+    command: z2.string().min(1),
+    input_mapping: z2.record(z2.string()).default({})
+  })
+]);
+var PipelineSkillConfigSchema = z2.object({
+  id: z2.string().min(1),
+  type: z2.literal("pipeline"),
+  name: z2.string().min(1),
+  steps: z2.array(PipelineStepSchema).min(1),
+  pricing: PricingSchema,
+  timeout_ms: z2.number().positive().optional()
+});
+var OpenClawSkillConfigSchema = z2.object({
+  id: z2.string().min(1),
+  type: z2.literal("openclaw"),
+  name: z2.string().min(1),
+  agent_name: z2.string().min(1),
+  channel: z2.enum(["telegram", "webhook", "process"]),
+  pricing: PricingSchema,
+  timeout_ms: z2.number().positive().optional()
+});
+var CommandSkillConfigSchema = z2.object({
+  id: z2.string().min(1),
+  type: z2.literal("command"),
+  name: z2.string().min(1),
+  command: z2.string().min(1),
+  output_type: z2.enum(["json", "text", "file"]),
+  allowed_commands: z2.array(z2.string()).optional(),
+  working_dir: z2.string().optional(),
+  timeout_ms: z2.number().positive().default(3e4),
+  pricing: PricingSchema
+});
+var ConductorSkillConfigSchema = z2.object({
+  id: z2.string().min(1),
+  type: z2.literal("conductor"),
+  name: z2.string().min(1),
+  conductor_skill: z2.enum(["orchestrate", "plan"]),
+  pricing: PricingSchema,
+  timeout_ms: z2.number().positive().optional()
+});
+var SkillConfigSchema = z2.discriminatedUnion("type", [
+  ApiSkillConfigSchema,
+  PipelineSkillConfigSchema,
+  OpenClawSkillConfigSchema,
+  CommandSkillConfigSchema,
+  ConductorSkillConfigSchema
+]);
+var SkillsFileSchema = z2.object({
+  skills: z2.array(SkillConfigSchema)
+});
+function expandEnvVars(value) {
+  return value.replace(/\$\{([^}]+)\}/g, (_match, varName) => {
+    if (/[.a-z]/.test(varName)) {
+      return _match;
+    }
+    const envValue = process.env[varName];
+    if (envValue === void 0) {
+      throw new Error(`Environment variable "${varName}" is not defined`);
+    }
+    return envValue;
+  });
+}
+function expandEnvVarsDeep(value) {
+  if (typeof value === "string") {
+    return expandEnvVars(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map(expandEnvVarsDeep);
+  }
+  if (value !== null && typeof value === "object") {
+    const result = {};
+    for (const [k, v] of Object.entries(value)) {
+      result[k] = expandEnvVarsDeep(v);
+    }
+    return result;
+  }
+  return value;
+}
+function parseSkillsFile(yamlContent) {
+  const raw = yaml.load(yamlContent);
+  const expanded = expandEnvVarsDeep(raw);
+  const result = SkillsFileSchema.parse(expanded);
+  return result.skills;
+}
+
+// src/skills/api-executor.ts
+function parseMappingTarget(mapping) {
+  const dotIndex = mapping.indexOf(".");
+  if (dotIndex < 0) {
+    throw new Error(`Invalid input_mapping format: "${mapping}" (expected "target.key")`);
+  }
+  const target = mapping.slice(0, dotIndex);
+  const key = mapping.slice(dotIndex + 1);
+  if (!["body", "query", "path", "header"].includes(target)) {
+    throw new Error(
+      `Invalid mapping target "${target}" in "${mapping}" (must be body|query|path|header)`
+    );
+  }
+  return { target, key };
+}
+function extractByPath(obj, dotPath) {
+  const normalizedPath = dotPath.startsWith("response.") ? dotPath.slice("response.".length) : dotPath;
+  const parts = normalizedPath.split(".");
+  let current = obj;
+  for (const part of parts) {
+    if (current === null || typeof current !== "object") {
+      return void 0;
+    }
+    current = current[part];
+  }
+  return current;
+}
+function buildAuthHeaders(auth) {
+  if (!auth) return {};
+  switch (auth.type) {
+    case "bearer":
+      return { Authorization: `Bearer ${auth.token}` };
+    case "apikey":
+      return { [auth.header]: auth.key };
+    case "basic": {
+      const encoded = Buffer.from(`${auth.username}:${auth.password}`).toString("base64");
+      return { Authorization: `Basic ${encoded}` };
+    }
+  }
+}
+function applyInputMapping(params, mapping) {
+  const body = {};
+  const query = {};
+  const pathParams = {};
+  const headers = {};
+  for (const [paramName, mappingValue] of Object.entries(mapping)) {
+    const value = params[paramName];
+    if (value === void 0) continue;
+    const { target, key } = parseMappingTarget(mappingValue);
+    switch (target) {
+      case "body":
+        body[key] = value;
+        break;
+      case "query":
+        query[key] = String(value);
+        break;
+      case "path":
+        pathParams[key] = String(value);
+        break;
+      case "header":
+        headers[key] = String(value).replace(/[\r\n]/g, "");
+        break;
+    }
+  }
+  return { body, query, pathParams, headers };
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+var RETRYABLE_STATUSES = /* @__PURE__ */ new Set([429, 500, 503]);
+var ApiExecutor = class {
+  /**
+   * Execute an API call described by the given skill config.
+   *
+   * @param config - The validated SkillConfig (must be ApiSkillConfig).
+   * @param params - Input parameters to map to the HTTP request.
+   * @returns Partial ExecutionResult (without latency_ms — added by SkillExecutor).
+   */
+  async execute(config, params) {
+    const apiConfig = config;
+    const { body, query, pathParams, headers: mappedHeaders } = applyInputMapping(
+      params,
+      apiConfig.input_mapping
+    );
+    let url = apiConfig.endpoint;
+    for (const [key, value] of Object.entries(pathParams)) {
+      url = url.replace(`{${key}}`, encodeURIComponent(value));
+    }
+    if (Object.keys(query).length > 0) {
+      const qs = new URLSearchParams(query).toString();
+      url = `${url}?${qs}`;
+    }
+    const authHeaders = buildAuthHeaders(apiConfig.auth);
+    const requestHeaders = {
+      ...authHeaders,
+      ...mappedHeaders
+    };
+    const hasBody = ["POST", "PUT"].includes(apiConfig.method);
+    if (hasBody) {
+      requestHeaders["Content-Type"] = "application/json";
     }
-    const startMs = Date.now();
-    if (skillExecutor) {
-      const targetSkillId = resolvedSkillId ?? skillId ?? cardId;
-      let execResult;
+    const maxAttempts = (apiConfig.retries ?? 0) + 1;
+    for (let attempt = 0; attempt < maxAttempts; attempt++) {
+      if (attempt > 0) {
+        await sleep(100 * Math.pow(2, attempt - 1));
+      }
+      const controller = new AbortController();
+      const timeoutId = setTimeout(
+        () => controller.abort(),
+        apiConfig.timeout_ms ?? 3e4
+      );
+      let response;
       try {
-        execResult = await skillExecutor.execute(targetSkillId, params);
-      } catch (err) {
-        releaseEscrow(creditDb, escrowId);
-        updateReputation(registryDb, cardId, false, Date.now() - startMs);
-        try {
-          insertRequestLog(registryDb, {
-            id: randomUUID3(),
-            card_id: cardId,
-            card_name: cardName,
-            skill_id: resolvedSkillId,
-            requester,
-            status: "failure",
-            latency_ms: Date.now() - startMs,
-            credits_charged: 0,
-            created_at: (/* @__PURE__ */ new Date()).toISOString()
-          });
-        } catch {
-        }
-        const message = err instanceof Error ? err.message : "Execution error";
-        return reply.send({
-          jsonrpc: "2.0",
-          id,
-          error: { code: -32603, message }
+        response = await fetch(url, {
+          method: apiConfig.method,
+          headers: requestHeaders,
+          body: hasBody ? JSON.stringify(body) : void 0,
+          signal: controller.signal
         });
-      }
-      if (!execResult.success) {
-        releaseEscrow(creditDb, escrowId);
-        updateReputation(registryDb, cardId, false, execResult.latency_ms);
-        try {
-          insertRequestLog(registryDb, {
-            id: randomUUID3(),
-            card_id: cardId,
-            card_name: cardName,
-            skill_id: resolvedSkillId,
-            requester,
-            status: "failure",
-            latency_ms: execResult.latency_ms,
-            credits_charged: 0,
-            created_at: (/* @__PURE__ */ new Date()).toISOString()
-          });
-        } catch {
+      } catch (err) {
+        clearTimeout(timeoutId);
+        const message = err instanceof Error ? err.message : String(err);
+        const isAbort = err instanceof Error && err.name === "AbortError" || message.toLowerCase().includes("abort");
+        if (isAbort) {
+          return { success: false, error: `Request timeout after ${apiConfig.timeout_ms}ms` };
         }
-        return reply.send({
-          jsonrpc: "2.0",
-          id,
-          error: { code: -32603, message: execResult.error ?? "Execution failed" }
-        });
+        return { success: false, error: message };
+      } finally {
+        clearTimeout(timeoutId);
       }
-      settleEscrow(creditDb, escrowId, card.owner);
-      updateReputation(registryDb, cardId, true, execResult.latency_ms);
-      try {
-        insertRequestLog(registryDb, {
-          id: randomUUID3(),
-          card_id: cardId,
-          card_name: cardName,
-          skill_id: resolvedSkillId,
-          requester,
-          status: "success",
-          latency_ms: execResult.latency_ms,
-          credits_charged: creditsNeeded,
-          created_at: (/* @__PURE__ */ new Date()).toISOString()
-        });
-      } catch {
+      if (!response.ok && RETRYABLE_STATUSES.has(response.status) && attempt < maxAttempts - 1) {
+        continue;
       }
-      return reply.send({ jsonrpc: "2.0", id, result: execResult.result });
-    }
-    const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), timeoutMs);
-    try {
-      const response = await fetch(handlerUrl, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ card_id: cardId, skill_id: resolvedSkillId, params }),
-        signal: controller.signal
-      });
-      clearTimeout(timer);
       if (!response.ok) {
-        releaseEscrow(creditDb, escrowId);
-        updateReputation(registryDb, cardId, false, Date.now() - startMs);
-        try {
-          insertRequestLog(registryDb, {
-            id: randomUUID3(),
-            card_id: cardId,
-            card_name: cardName,
-            skill_id: resolvedSkillId,
-            requester,
-            status: "failure",
-            latency_ms: Date.now() - startMs,
-            credits_charged: 0,
-            created_at: (/* @__PURE__ */ new Date()).toISOString()
-          });
-        } catch {
-        }
-        return reply.send({
-          jsonrpc: "2.0",
-          id,
-          error: { code: -32603, message: `Handler returned ${response.status}` }
-        });
+        return {
+          success: false,
+          error: `HTTP ${response.status} from ${apiConfig.endpoint}`
+        };
       }
-      const result = await response.json();
-      settleEscrow(creditDb, escrowId, card.owner);
-      updateReputation(registryDb, cardId, true, Date.now() - startMs);
-      try {
-        insertRequestLog(registryDb, {
-          id: randomUUID3(),
-          card_id: cardId,
-          card_name: cardName,
-          skill_id: resolvedSkillId,
-          requester,
-          status: "success",
-          latency_ms: Date.now() - startMs,
-          credits_charged: creditsNeeded,
-          created_at: (/* @__PURE__ */ new Date()).toISOString()
-        });
-      } catch {
+      const responseBody = await response.json();
+      const outputMapping = apiConfig.output_mapping;
+      if (Object.keys(outputMapping).length === 0) {
+        return { success: true, result: responseBody };
       }
-      return reply.send({ jsonrpc: "2.0", id, result });
-    } catch (err) {
-      clearTimeout(timer);
-      releaseEscrow(creditDb, escrowId);
-      updateReputation(registryDb, cardId, false, Date.now() - startMs);
-      const isTimeout = err instanceof Error && err.name === "AbortError";
-      try {
-        insertRequestLog(registryDb, {
-          id: randomUUID3(),
-          card_id: cardId,
-          card_name: cardName,
-          skill_id: resolvedSkillId,
-          requester,
-          status: isTimeout ? "timeout" : "failure",
-          latency_ms: Date.now() - startMs,
-          credits_charged: 0,
-          created_at: (/* @__PURE__ */ new Date()).toISOString()
-        });
-      } catch {
+      const mappedOutput = {};
+      for (const [outputKey, path] of Object.entries(outputMapping)) {
+        mappedOutput[outputKey] = extractByPath(responseBody, path);
       }
-      return reply.send({
-        jsonrpc: "2.0",
-        id,
-        error: { code: -32603, message: isTimeout ? "Execution timeout" : "Handler error" }
-      });
+      return { success: true, result: mappedOutput };
+    }
+    return { success: false, error: "Unexpected: retry loop exhausted" };
+  }
+};
+
+// src/skills/pipeline-executor.ts
+import { execFile } from "child_process";
+import { promisify } from "util";
+
+// src/utils/interpolation.ts
+function resolvePath(obj, path) {
+  const segments = path.replace(/\[(\d+)\]/g, ".$1").split(".").filter((s) => s.length > 0);
+  let current = obj;
+  for (const segment of segments) {
+    if (current === null || current === void 0) {
+      return void 0;
+    }
+    if (typeof current !== "object") {
+      return void 0;
+    }
+    current = current[segment];
+  }
+  return current;
+}
+function interpolate(template, context) {
+  return template.replace(/\$\{([^}]+)\}/g, (_match, expression) => {
+    const resolved = resolvePath(context, expression.trim());
+    if (resolved === void 0 || resolved === null) {
+      return "";
+    }
+    if (typeof resolved === "object") {
+      return JSON.stringify(resolved);
     }
+    return String(resolved);
+  });
+}
+function interpolateObject(obj, context) {
+  const result = {};
+  for (const [key, value] of Object.entries(obj)) {
+    result[key] = interpolateValue(value, context);
+  }
+  return result;
+}
+function interpolateValue(value, context) {
+  if (typeof value === "string") {
+    return interpolate(value, context);
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => interpolateValue(item, context));
+  }
+  if (value !== null && typeof value === "object") {
+    return interpolateObject(value, context);
+  }
+  return value;
+}
+
+// src/skills/pipeline-executor.ts
+var execFileAsync = promisify(execFile);
+function shellEscape(value) {
+  return "'" + value.replace(/'/g, "'\\''") + "'";
+}
+function safeInterpolateCommand(template, context) {
+  return template.replace(/\$\{([^}]+)\}/g, (_match, expr) => {
+    const parts = expr.split(".");
+    let current = context;
+    for (const part of parts) {
+      if (current === null || typeof current !== "object") return "";
+      const bracketMatch = part.match(/^(\w+)\[(\d+)\]$/);
+      if (bracketMatch) {
+        current = current[bracketMatch[1]];
+        if (Array.isArray(current)) {
+          current = current[parseInt(bracketMatch[2], 10)];
+        } else {
+          return "";
+        }
+      } else {
+        current = current[part];
+      }
+    }
+    if (current === void 0 || current === null) return "";
+    return shellEscape(String(current));
   });
-  return fastify;
 }
+var PipelineExecutor = class {
+  /**
+   * @param skillExecutor - The parent SkillExecutor used to dispatch sub-skill calls.
+   */
+  constructor(skillExecutor) {
+    this.skillExecutor = skillExecutor;
+  }
+  /**
+   * Execute a pipeline skill config sequentially.
+   *
+   * Algorithm:
+   * 1. Initialise context: { params, steps: [], prev: { result: null } }
+   * 2. For each step:
+   *    a. Resolve input_mapping keys against current context via interpolateObject.
+   *    b. If step has `skill_id`: dispatch via skillExecutor.execute(). On failure → stop.
+   *    c. If step has `command`: interpolate command string, run via exec(). On non-zero exit → stop.
+   *    d. Store step result in context.steps[i] and context.prev.
+   * 3. Return success with final step result (or null for empty pipeline).
+   *
+   * @param config - The PipelineSkillConfig for this skill.
+   * @param params - Input parameters from the caller.
+   * @returns Partial ExecutionResult (without latency_ms — added by SkillExecutor wrapper).
+   */
+  async execute(config, params) {
+    const pipelineConfig = config;
+    const steps = pipelineConfig.steps ?? [];
+    if (steps.length === 0) {
+      return { success: true, result: null };
+    }
+    const context = {
+      params,
+      steps: [],
+      prev: { result: null }
+    };
+    for (let i = 0; i < steps.length; i++) {
+      const step = steps[i];
+      if (step === void 0) {
+        return {
+          success: false,
+          error: `Step ${i} failed: step definition is undefined`
+        };
+      }
+      const resolvedInputs = interpolateObject(
+        step.input_mapping,
+        context
+      );
+      let stepResult;
+      if ("skill_id" in step && step.skill_id) {
+        const subResult = await this.skillExecutor.execute(
+          step.skill_id,
+          resolvedInputs
+        );
+        if (!subResult.success) {
+          return {
+            success: false,
+            error: `Step ${i} failed: ${subResult.error ?? "unknown error"}`
+          };
+        }
+        stepResult = subResult.result;
+      } else if ("command" in step && step.command) {
+        const interpolatedCommand = safeInterpolateCommand(
+          step.command,
+          context
+        );
+        try {
+          const { stdout } = await execFileAsync("/bin/sh", ["-c", interpolatedCommand], { timeout: 3e4 });
+          stepResult = stdout.trim();
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          return {
+            success: false,
+            error: `Step ${i} failed: ${message}`
+          };
+        }
+      } else {
+        return {
+          success: false,
+          error: `Step ${i} failed: step must have either "skill_id" or "command"`
+        };
+      }
+      context.steps.push({ result: stepResult });
+      context.prev = { result: stepResult };
+    }
+    const lastStep = context.steps[context.steps.length - 1];
+    return {
+      success: true,
+      result: lastStep !== void 0 ? lastStep.result : null
+    };
+  }
+};
+
+// src/skills/openclaw-bridge.ts
+import { execFileSync } from "child_process";
+var DEFAULT_BASE_URL = "http://localhost:3000";
+var DEFAULT_TIMEOUT_MS = 6e4;
+function buildPayload(config, params) {
+  return {
+    task: config.name,
+    params,
+    source: "agentbnb",
+    skill_id: config.id
+  };
+}
+async function executeWebhook(config, payload) {
+  const baseUrl = process.env["OPENCLAW_BASE_URL"] ?? DEFAULT_BASE_URL;
+  const url = `${baseUrl}/openclaw/${config.agent_name}/task`;
+  const timeoutMs = config.timeout_ms ?? DEFAULT_TIMEOUT_MS;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(payload),
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      return {
+        success: false,
+        error: `Webhook returned HTTP ${response.status}: ${response.statusText}`
+      };
+    }
+    const result = await response.json();
+    return { success: true, result };
+  } catch (err) {
+    if (err instanceof Error && err.name === "AbortError") {
+      return {
+        success: false,
+        error: `OpenClaw webhook timed out after ${timeoutMs}ms`
+      };
+    }
+    const message = err instanceof Error ? err.message : String(err);
+    return { success: false, error: message };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function validateAgentName(name) {
+  return /^[a-zA-Z0-9._-]+$/.test(name);
+}
+function executeProcess(config, payload) {
+  const timeoutMs = config.timeout_ms ?? DEFAULT_TIMEOUT_MS;
+  if (!validateAgentName(config.agent_name)) {
+    return {
+      success: false,
+      error: `Invalid agent name: "${config.agent_name}" (only alphanumeric, hyphens, underscores, dots allowed)`
+    };
+  }
+  const inputJson = JSON.stringify(payload);
+  try {
+    const stdout = execFileSync("openclaw", ["run", config.agent_name, "--input", inputJson], {
+      timeout: timeoutMs
+    });
+    const text = stdout.toString().trim();
+    const result = JSON.parse(text);
+    return { success: true, result };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { success: false, error: message };
+  }
+}
+async function executeTelegram(config, payload) {
+  const token = process.env["TELEGRAM_BOT_TOKEN"];
+  if (!token) {
+    return {
+      success: false,
+      error: "TELEGRAM_BOT_TOKEN environment variable is not set"
+    };
+  }
+  const chatId = process.env["TELEGRAM_CHAT_ID"];
+  if (!chatId) {
+    return {
+      success: false,
+      error: "TELEGRAM_CHAT_ID environment variable is not set"
+    };
+  }
+  const text = `[AgentBnB] Skill: ${config.name} (${config.id})
+Agent: ${config.agent_name}
+Params: ${JSON.stringify(payload.params ?? {})}`;
+  const url = `https://api.telegram.org/bot${token}/sendMessage`;
+  try {
+    await fetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ chat_id: chatId, text })
+    });
+    return {
+      success: true,
+      result: { sent: true, channel: "telegram" }
+    };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { success: false, error: message };
+  }
+}
+var OpenClawBridge = class {
+  /**
+   * Execute a skill with the given config and input parameters.
+   *
+   * @param config - The SkillConfig for this skill (must be type 'openclaw').
+   * @param params - Input parameters passed by the caller.
+   * @returns Partial ExecutionResult without latency_ms.
+   */
+  async execute(config, params) {
+    const ocConfig = config;
+    const payload = buildPayload(ocConfig, params);
+    switch (ocConfig.channel) {
+      case "webhook":
+        return executeWebhook(ocConfig, payload);
+      case "process":
+        return executeProcess(ocConfig, payload);
+      case "telegram":
+        return executeTelegram(ocConfig, payload);
+      default: {
+        const unknownChannel = ocConfig.channel;
+        return {
+          success: false,
+          error: `Unknown OpenClaw channel: "${String(unknownChannel)}"`
+        };
+      }
+    }
+  }
+};
+
+// src/skills/command-executor.ts
+import { execFile as execFile2 } from "child_process";
+function shellEscape2(value) {
+  return "'" + value.replace(/'/g, "'\\''") + "'";
+}
+function safeInterpolateCommand2(template, context) {
+  return template.replace(/\$\{([^}]+)\}/g, (_match, expr) => {
+    const parts = expr.split(".");
+    let current = context;
+    for (const part of parts) {
+      if (current === null || typeof current !== "object") return "";
+      const bracketMatch = part.match(/^(\w+)\[(\d+)\]$/);
+      if (bracketMatch) {
+        current = current[bracketMatch[1]];
+        if (Array.isArray(current)) {
+          current = current[parseInt(bracketMatch[2], 10)];
+        } else {
+          return "";
+        }
+      } else {
+        current = current[part];
+      }
+    }
+    if (current === void 0 || current === null) return "";
+    return shellEscape2(String(current));
+  });
+}
+function execFileAsync2(file, args, options) {
+  return new Promise((resolve, reject) => {
+    execFile2(file, args, options, (error, stdout, stderr) => {
+      const stdoutStr = typeof stdout === "string" ? stdout : stdout.toString();
+      const stderrStr = typeof stderr === "string" ? stderr : stderr.toString();
+      if (error) {
+        const enriched = Object.assign(error, { stderr: stderrStr });
+        reject(enriched);
+      } else {
+        resolve({ stdout: stdoutStr, stderr: stderrStr });
+      }
+    });
+  });
+}
+var CommandExecutor = class {
+  /**
+   * Execute a command skill with the provided parameters.
+   *
+   * Steps:
+   * 1. Security check: base command must be in `allowed_commands` if set.
+   * 2. Interpolate `config.command` using `{ params }` context.
+   * 3. Run via `child_process.exec` with timeout and cwd.
+   * 4. Parse stdout based on `output_type`: text | json | file.
+   *
+   * @param config - Validated CommandSkillConfig.
+   * @param params - Input parameters passed by the caller.
+   * @returns Partial ExecutionResult (without latency_ms).
+   */
+  async execute(config, params) {
+    const cmdConfig = config;
+    const baseCommand = cmdConfig.command.trim().split(/\s+/)[0] ?? "";
+    if (cmdConfig.allowed_commands && cmdConfig.allowed_commands.length > 0) {
+      if (!cmdConfig.allowed_commands.includes(baseCommand)) {
+        return {
+          success: false,
+          error: `Command not allowed: "${baseCommand}". Allowed: ${cmdConfig.allowed_commands.join(", ")}`
+        };
+      }
+    }
+    const interpolatedCommand = safeInterpolateCommand2(cmdConfig.command, { params });
+    const timeout = cmdConfig.timeout_ms ?? 3e4;
+    const cwd = cmdConfig.working_dir ?? process.cwd();
+    let stdout;
+    try {
+      const result = await execFileAsync2("/bin/sh", ["-c", interpolatedCommand], {
+        timeout,
+        cwd,
+        maxBuffer: 10 * 1024 * 1024
+        // 10 MB
+      });
+      stdout = result.stdout;
+    } catch (err) {
+      if (err instanceof Error) {
+        const message = err.message;
+        const stderrContent = err.stderr ?? "";
+        if (message.includes("timed out") || message.includes("ETIMEDOUT") || err.code === "ETIMEDOUT") {
+          return {
+            success: false,
+            error: `Command timed out after ${timeout}ms`
+          };
+        }
+        return {
+          success: false,
+          error: stderrContent.trim() || message
+        };
+      }
+      return {
+        success: false,
+        error: String(err)
+      };
+    }
+    const rawOutput = stdout.trim();
+    switch (cmdConfig.output_type) {
+      case "text":
+        return { success: true, result: rawOutput };
+      case "json": {
+        try {
+          const parsed = JSON.parse(rawOutput);
+          return { success: true, result: parsed };
+        } catch {
+          return {
+            success: false,
+            error: `Failed to parse JSON output: ${rawOutput.slice(0, 100)}`
+          };
+        }
+      }
+      case "file":
+        return { success: true, result: { file_path: rawOutput } };
+      default:
+        return {
+          success: false,
+          error: `Unknown output_type: ${String(cmdConfig.output_type)}`
+        };
+    }
+  }
+};
+
+// src/conductor/task-decomposer.ts
+import { randomUUID as randomUUID4 } from "crypto";
+var TEMPLATES = {
+  "video-production": {
+    keywords: ["video", "demo", "clip", "animation"],
+    steps: [
+      {
+        description: "Generate script from task description",
+        required_capability: "text_gen",
+        estimated_credits: 2,
+        depends_on_indices: []
+      },
+      {
+        description: "Generate voiceover from script",
+        required_capability: "tts",
+        estimated_credits: 3,
+        depends_on_indices: [0]
+      },
+      {
+        description: "Generate video visuals from script",
+        required_capability: "video_gen",
+        estimated_credits: 5,
+        depends_on_indices: [0]
+      },
+      {
+        description: "Composite voiceover and video into final output",
+        required_capability: "video_edit",
+        estimated_credits: 3,
+        depends_on_indices: [1, 2]
+      }
+    ]
+  },
+  "deep-analysis": {
+    keywords: ["analyze", "analysis", "research", "report", "evaluate"],
+    steps: [
+      {
+        description: "Research and gather relevant data",
+        required_capability: "web_search",
+        estimated_credits: 2,
+        depends_on_indices: []
+      },
+      {
+        description: "Analyze gathered data",
+        required_capability: "text_gen",
+        estimated_credits: 3,
+        depends_on_indices: [0]
+      },
+      {
+        description: "Summarize analysis findings",
+        required_capability: "text_gen",
+        estimated_credits: 2,
+        depends_on_indices: [1]
+      },
+      {
+        description: "Format into final report",
+        required_capability: "text_gen",
+        estimated_credits: 1,
+        depends_on_indices: [2]
+      }
+    ]
+  },
+  "content-generation": {
+    keywords: ["write", "blog", "article", "content", "post", "essay"],
+    steps: [
+      {
+        description: "Create content outline",
+        required_capability: "text_gen",
+        estimated_credits: 1,
+        depends_on_indices: []
+      },
+      {
+        description: "Draft content from outline",
+        required_capability: "text_gen",
+        estimated_credits: 3,
+        depends_on_indices: [0]
+      },
+      {
+        description: "Review and refine draft",
+        required_capability: "text_gen",
+        estimated_credits: 2,
+        depends_on_indices: [1]
+      },
+      {
+        description: "Finalize and polish content",
+        required_capability: "text_gen",
+        estimated_credits: 1,
+        depends_on_indices: [2]
+      }
+    ]
+  }
+};
+function decompose(task, _availableCapabilities) {
+  const lower = task.toLowerCase();
+  for (const template of Object.values(TEMPLATES)) {
+    const matched = template.keywords.some((kw) => lower.includes(kw));
+    if (!matched) continue;
+    const ids = template.steps.map(() => randomUUID4());
+    return template.steps.map((step, i) => ({
+      id: ids[i],
+      description: step.description,
+      required_capability: step.required_capability,
+      params: {},
+      depends_on: step.depends_on_indices.map((idx) => ids[idx]),
+      estimated_credits: step.estimated_credits
+    }));
+  }
+  return [];
+}
+
+// src/gateway/client.ts
+import { randomUUID as randomUUID5 } from "crypto";
+async function requestCapability(opts) {
+  const { gatewayUrl, token, cardId, params = {}, timeoutMs = 3e4, escrowReceipt } = opts;
+  const id = randomUUID5();
+  const payload = {
+    jsonrpc: "2.0",
+    id,
+    method: "capability.execute",
+    params: {
+      card_id: cardId,
+      ...params,
+      ...escrowReceipt ? { escrow_receipt: escrowReceipt } : {}
+    }
+  };
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  let response;
+  try {
+    response = await fetch(`${gatewayUrl}/rpc`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${token}`
+      },
+      body: JSON.stringify(payload),
+      signal: controller.signal
+    });
+  } catch (err) {
+    clearTimeout(timer);
+    const isTimeout = err instanceof Error && err.name === "AbortError";
+    throw new AgentBnBError(
+      isTimeout ? "Request timed out" : `Network error: ${String(err)}`,
+      isTimeout ? "TIMEOUT" : "NETWORK_ERROR"
+    );
+  } finally {
+    clearTimeout(timer);
+  }
+  const body = await response.json();
+  if (body.error) {
+    throw new AgentBnBError(body.error.message, `RPC_ERROR_${body.error.code}`);
+  }
+  return body.result;
+}
+async function requestViaRelay(relay, opts) {
+  try {
+    return await relay.request({
+      targetOwner: opts.targetOwner,
+      cardId: opts.cardId,
+      skillId: opts.skillId,
+      params: opts.params ?? {},
+      escrowReceipt: opts.escrowReceipt,
+      timeoutMs: opts.timeoutMs
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    if (message.includes("timeout")) {
+      throw new AgentBnBError(message, "TIMEOUT");
+    }
+    if (message.includes("offline")) {
+      throw new AgentBnBError(message, "AGENT_OFFLINE");
+    }
+    throw new AgentBnBError(message, "RELAY_ERROR");
+  }
+}
+
+// src/autonomy/tiers.ts
+import { randomUUID as randomUUID6 } from "crypto";
+
+// src/autonomy/pending-requests.ts
+import { randomUUID as randomUUID7 } from "crypto";
+
+// src/cli/peers.ts
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
+import { join as join3 } from "path";
+
+// src/cli/config.ts
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync, existsSync as existsSync2 } from "fs";
+import { homedir } from "os";
+import { join as join2 } from "path";
+
+// src/autonomy/auto-request.ts
+function minMaxNormalize(values) {
+  if (values.length === 0) return [];
+  if (values.length === 1) return [1];
+  const min = Math.min(...values);
+  const max = Math.max(...values);
+  if (max === min) {
+    return values.map(() => 1);
+  }
+  return values.map((v) => (v - min) / (max - min));
+}
+function scorePeers(candidates, selfOwner) {
+  const eligible = candidates.filter((c) => c.card.owner !== selfOwner);
+  if (eligible.length === 0) return [];
+  const successRates = eligible.map((c) => c.card.metadata?.success_rate ?? 0.5);
+  const costEfficiencies = eligible.map((c) => c.cost === 0 ? 1 : 1 / c.cost);
+  const idleRates = eligible.map((c) => {
+    const internal = c.card._internal;
+    const idleRate = internal?.idle_rate;
+    return typeof idleRate === "number" ? idleRate : 1;
+  });
+  const normSuccess = minMaxNormalize(successRates);
+  const normCost = minMaxNormalize(costEfficiencies);
+  const normIdle = minMaxNormalize(idleRates);
+  const scored = eligible.map((c, i) => ({
+    ...c,
+    rawScore: (normSuccess[i] ?? 0) * (normCost[i] ?? 0) * (normIdle[i] ?? 0)
+  }));
+  scored.sort((a, b) => b.rawScore - a.rawScore);
+  return scored;
+}
+
+// src/conductor/capability-matcher.ts
+var MAX_ALTERNATIVES = 2;
+function matchSubTasks(opts) {
+  const { db, subtasks, conductorOwner } = opts;
+  return subtasks.map((subtask) => {
+    const cards = searchCards(db, subtask.required_capability, { online: true });
+    const candidates = [];
+    for (const card of cards) {
+      const cardAsV2 = card;
+      if (Array.isArray(cardAsV2.skills)) {
+        for (const skill of cardAsV2.skills) {
+          candidates.push({
+            card,
+            cost: skill.pricing.credits_per_call,
+            skillId: skill.id
+          });
+        }
+      } else {
+        candidates.push({
+          card,
+          cost: card.pricing.credits_per_call,
+          skillId: void 0
+        });
+      }
+    }
+    const scored = scorePeers(candidates, conductorOwner);
+    if (scored.length === 0) {
+      return {
+        subtask_id: subtask.id,
+        selected_agent: "",
+        selected_skill: "",
+        score: 0,
+        credits: 0,
+        alternatives: []
+      };
+    }
+    const top = scored[0];
+    const alternatives = scored.slice(1, 1 + MAX_ALTERNATIVES).map((s) => ({
+      agent: s.card.owner,
+      skill: s.skillId ?? "",
+      score: s.rawScore,
+      credits: s.cost
+    }));
+    return {
+      subtask_id: subtask.id,
+      selected_agent: top.card.owner,
+      selected_skill: top.skillId ?? "",
+      score: top.rawScore,
+      credits: top.cost,
+      alternatives
+    };
+  });
+}
+
+// src/conductor/budget-controller.ts
+var ORCHESTRATION_FEE = 5;
+var BudgetController = class {
+  /**
+   * Creates a new BudgetController.
+   *
+   * @param budgetManager - Underlying BudgetManager for reserve floor enforcement.
+   * @param maxBudget - Hard ceiling for the orchestration run.
+   */
+  constructor(budgetManager, maxBudget) {
+    this.budgetManager = budgetManager;
+    this.maxBudget = maxBudget;
+  }
+  /**
+   * Pre-calculates the total budget for an orchestration run.
+   *
+   * Sums all matched sub-task credits, adds the orchestration fee,
+   * and determines whether approval is required (estimated > max).
+   *
+   * @param matches - MatchResult[] from the CapabilityMatcher.
+   * @returns An ExecutionBudget with cost breakdown and approval status.
+   */
+  calculateBudget(matches) {
+    const perTaskSpending = /* @__PURE__ */ new Map();
+    let subTotal = 0;
+    for (const match of matches) {
+      perTaskSpending.set(match.subtask_id, match.credits);
+      subTotal += match.credits;
+    }
+    const estimatedTotal = subTotal + ORCHESTRATION_FEE;
+    return {
+      estimated_total: estimatedTotal,
+      max_budget: this.maxBudget,
+      orchestration_fee: ORCHESTRATION_FEE,
+      per_task_spending: perTaskSpending,
+      requires_approval: estimatedTotal > this.maxBudget
+    };
+  }
+  /**
+   * Checks whether orchestration can proceed without explicit approval.
+   *
+   * Returns true only when:
+   * 1. The budget does NOT require approval (estimated_total <= max_budget)
+   * 2. The BudgetManager confirms sufficient credits (respecting reserve floor)
+   *
+   * @param budget - ExecutionBudget from calculateBudget().
+   * @returns true if execution can proceed autonomously.
+   */
+  canExecute(budget) {
+    if (budget.requires_approval) return false;
+    return this.budgetManager.canSpend(budget.estimated_total);
+  }
+  /**
+   * Checks budget after explicit user/agent approval.
+   *
+   * Ignores the requires_approval flag — used when the caller has already
+   * obtained explicit approval for the over-budget orchestration.
+   * Still enforces the reserve floor via BudgetManager.canSpend().
+   *
+   * @param budget - ExecutionBudget from calculateBudget().
+   * @returns true if the agent has sufficient credits (reserve floor check only).
+   */
+  approveAndCheck(budget) {
+    return this.budgetManager.canSpend(budget.estimated_total);
+  }
+};
+
+// src/conductor/card.ts
+var CONDUCTOR_OWNER = "agentbnb-conductor";
+var CONDUCTOR_CARD_ID = "00000000-0000-4000-8000-000000000001";
+function buildConductorCard() {
+  const card = {
+    spec_version: "2.0",
+    id: CONDUCTOR_CARD_ID,
+    owner: CONDUCTOR_OWNER,
+    agent_name: "AgentBnB Conductor",
+    skills: [
+      {
+        id: "orchestrate",
+        name: "Task Orchestration",
+        description: "Decomposes complex tasks and coordinates multi-agent execution",
+        level: 3,
+        inputs: [
+          {
+            name: "task",
+            type: "text",
+            description: "Natural language task description"
+          }
+        ],
+        outputs: [
+          {
+            name: "result",
+            type: "json",
+            description: "Aggregated execution results"
+          }
+        ],
+        pricing: { credits_per_call: 5 }
+      },
+      {
+        id: "plan",
+        name: "Execution Planning",
+        description: "Returns an execution plan with cost estimate without executing",
+        level: 1,
+        inputs: [
+          {
+            name: "task",
+            type: "text",
+            description: "Natural language task description"
+          }
+        ],
+        outputs: [
+          {
+            name: "plan",
+            type: "json",
+            description: "Execution plan with cost breakdown"
+          }
+        ],
+        pricing: { credits_per_call: 1 }
+      }
+    ],
+    availability: { online: true }
+  };
+  return CapabilityCardV2Schema.parse(card);
+}
+function registerConductorCard(db) {
+  const card = buildConductorCard();
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const existing = db.prepare("SELECT id FROM capability_cards WHERE id = ?").get(card.id);
+  if (existing) {
+    db.prepare(
+      "UPDATE capability_cards SET data = ?, updated_at = ? WHERE id = ?"
+    ).run(JSON.stringify(card), now, card.id);
+  } else {
+    db.prepare(
+      "INSERT INTO capability_cards (id, owner, data, created_at, updated_at) VALUES (?, ?, ?, ?, ?)"
+    ).run(card.id, card.owner, JSON.stringify(card), now, now);
+  }
+  return card;
+}
+
+// src/conductor/pipeline-orchestrator.ts
+function computeWaves(subtasks) {
+  const waves = [];
+  const completed = /* @__PURE__ */ new Set();
+  const remaining = new Map(subtasks.map((s) => [s.id, s]));
+  while (remaining.size > 0) {
+    const wave = [];
+    for (const [id, task] of remaining) {
+      const depsResolved = task.depends_on.every((dep) => completed.has(dep));
+      if (depsResolved) {
+        wave.push(id);
+      }
+    }
+    if (wave.length === 0) {
+      break;
+    }
+    for (const id of wave) {
+      remaining.delete(id);
+      completed.add(id);
+    }
+    waves.push(wave);
+  }
+  return waves;
+}
+async function orchestrate(opts) {
+  const { subtasks, matches, gatewayToken, resolveAgentUrl, timeoutMs = 3e4, maxBudget } = opts;
+  const startTime = Date.now();
+  if (subtasks.length === 0) {
+    return {
+      success: true,
+      results: /* @__PURE__ */ new Map(),
+      total_credits: 0,
+      latency_ms: Date.now() - startTime
+    };
+  }
+  const results = /* @__PURE__ */ new Map();
+  const errors = [];
+  let totalCredits = 0;
+  const waves = computeWaves(subtasks);
+  const subtaskMap = new Map(subtasks.map((s) => [s.id, s]));
+  for (const wave of waves) {
+    if (maxBudget !== void 0 && totalCredits >= maxBudget) {
+      errors.push(`Budget exceeded: spent ${totalCredits} cr, max ${maxBudget} cr`);
+      break;
+    }
+    const executableIds = [];
+    for (const taskId of wave) {
+      const m = matches.get(taskId);
+      if (maxBudget !== void 0 && m && totalCredits + m.credits > maxBudget) {
+        errors.push(`Skipping task ${taskId}: would exceed budget (${totalCredits} + ${m.credits} > ${maxBudget})`);
+        continue;
+      }
+      executableIds.push(taskId);
+    }
+    const waveResults = await Promise.allSettled(
+      executableIds.map(async (taskId) => {
+        const subtask = subtaskMap.get(taskId);
+        const m = matches.get(taskId);
+        if (!m) {
+          throw new Error(`No match found for subtask ${taskId}`);
+        }
+        const stepsContext = {};
+        for (const [id, val] of results) {
+          stepsContext[id] = val;
+        }
+        const interpContext = { steps: stepsContext, prev: void 0 };
+        if (subtask.depends_on.length > 0) {
+          const lastDep = subtask.depends_on[subtask.depends_on.length - 1];
+          interpContext.prev = results.get(lastDep);
+        }
+        const interpolatedParams = interpolateObject(
+          subtask.params,
+          interpContext
+        );
+        const primary = resolveAgentUrl(m.selected_agent);
+        try {
+          const res = await requestCapability({
+            gatewayUrl: primary.url,
+            token: gatewayToken,
+            cardId: primary.cardId,
+            params: interpolatedParams,
+            timeoutMs
+          });
+          return { taskId, result: res, credits: m.credits };
+        } catch (primaryErr) {
+          if (m.alternatives.length > 0) {
+            const alt = m.alternatives[0];
+            const altAgent = resolveAgentUrl(alt.agent);
+            try {
+              const altRes = await requestCapability({
+                gatewayUrl: altAgent.url,
+                token: gatewayToken,
+                cardId: altAgent.cardId,
+                params: interpolatedParams,
+                timeoutMs
+              });
+              return { taskId, result: altRes, credits: alt.credits };
+            } catch (altErr) {
+              throw new Error(
+                `Task ${taskId}: primary (${m.selected_agent}) failed: ${primaryErr instanceof Error ? primaryErr.message : String(primaryErr)}; alternative (${alt.agent}) failed: ${altErr instanceof Error ? altErr.message : String(altErr)}`
+              );
+            }
+          }
+          throw new Error(
+            `Task ${taskId}: ${primaryErr instanceof Error ? primaryErr.message : String(primaryErr)}`
+          );
+        }
+      })
+    );
+    for (const settlement of waveResults) {
+      if (settlement.status === "fulfilled") {
+        const { taskId, result, credits } = settlement.value;
+        results.set(taskId, result);
+        totalCredits += credits;
+      } else {
+        errors.push(settlement.reason instanceof Error ? settlement.reason.message : String(settlement.reason));
+      }
+    }
+  }
+  return {
+    success: errors.length === 0,
+    results,
+    total_credits: totalCredits,
+    latency_ms: Date.now() - startTime,
+    errors: errors.length > 0 ? errors : void 0
+  };
+}
+
+// src/credit/budget.ts
+var DEFAULT_BUDGET_CONFIG = {
+  reserve_credits: 20
+};
+var BudgetManager = class {
+  /**
+   * Creates a new BudgetManager.
+   *
+   * @param creditDb - The credit SQLite database instance.
+   * @param owner - Agent owner identifier.
+   * @param config - Budget configuration. Defaults to DEFAULT_BUDGET_CONFIG (20 credit reserve).
+   */
+  constructor(creditDb, owner, config = DEFAULT_BUDGET_CONFIG) {
+    this.creditDb = creditDb;
+    this.owner = owner;
+    this.config = config;
+  }
+  /**
+   * Returns the number of credits available for spending.
+   * Computed as: max(0, balance - reserve_credits).
+   * Always returns a non-negative number — never goes below zero.
+   *
+   * @returns Available credits (balance minus reserve, floored at 0).
+   */
+  availableCredits() {
+    const balance = getBalance(this.creditDb, this.owner);
+    return Math.max(0, balance - this.config.reserve_credits);
+  }
+  /**
+   * Returns true if spending `amount` credits is permitted by budget rules.
+   *
+   * Rules:
+   * - Zero-cost calls (amount <= 0) always return true.
+   * - Any positive amount requires availableCredits() >= amount.
+   * - If balance is at or below the reserve floor, all positive-cost calls return false.
+   *
+   * @param amount - Number of credits to spend.
+   * @returns true if the spend is allowed, false if it would breach the reserve floor.
+   */
+  canSpend(amount) {
+    if (amount <= 0) return true;
+    return this.availableCredits() >= amount;
+  }
+};
+
+// src/conductor/conductor-mode.ts
+var ConductorMode = class {
+  db;
+  creditDb;
+  conductorOwner;
+  gatewayToken;
+  resolveAgentUrl;
+  maxBudget;
+  constructor(opts) {
+    this.db = opts.db;
+    this.creditDb = opts.creditDb;
+    this.conductorOwner = opts.conductorOwner;
+    this.gatewayToken = opts.gatewayToken;
+    this.resolveAgentUrl = opts.resolveAgentUrl;
+    this.maxBudget = opts.maxBudget ?? 100;
+  }
+  /**
+   * Execute a conductor skill with the given config and params.
+   *
+   * @param config - SkillConfig with type 'conductor' and conductor_skill field.
+   * @param params - Must include `task` string.
+   * @returns Execution result without latency_ms (added by SkillExecutor).
+   */
+  async execute(config, params) {
+    const conductorSkill = config.conductor_skill;
+    if (conductorSkill !== "orchestrate" && conductorSkill !== "plan") {
+      return {
+        success: false,
+        error: `Unknown conductor skill: "${conductorSkill}"`
+      };
+    }
+    const task = params.task;
+    if (typeof task !== "string" || task.length === 0) {
+      return {
+        success: false,
+        error: 'Missing or empty "task" parameter'
+      };
+    }
+    const subtasks = decompose(task);
+    if (subtasks.length === 0) {
+      return {
+        success: false,
+        error: "No template matches task"
+      };
+    }
+    const matchResults = matchSubTasks({
+      db: this.db,
+      subtasks,
+      conductorOwner: this.conductorOwner
+    });
+    const budgetManager = new BudgetManager(this.creditDb, this.conductorOwner);
+    const budgetController = new BudgetController(budgetManager, this.maxBudget);
+    const executionBudget = budgetController.calculateBudget(matchResults);
+    if (!budgetController.canExecute(executionBudget)) {
+      return {
+        success: false,
+        error: `Budget exceeded: estimated ${executionBudget.estimated_total} cr, max ${this.maxBudget} cr`
+      };
+    }
+    if (conductorSkill === "plan") {
+      return {
+        success: true,
+        result: {
+          subtasks,
+          matches: matchResults,
+          budget: executionBudget
+        }
+      };
+    }
+    const matchMap = new Map(
+      matchResults.map((m) => [m.subtask_id, m])
+    );
+    const orchResult = await orchestrate({
+      subtasks,
+      matches: matchMap,
+      gatewayToken: this.gatewayToken,
+      resolveAgentUrl: this.resolveAgentUrl,
+      maxBudget: this.maxBudget
+    });
+    const resultObj = {};
+    for (const [key, value] of orchResult.results) {
+      resultObj[key] = value;
+    }
+    return {
+      success: orchResult.success,
+      result: {
+        plan: subtasks,
+        execution: resultObj,
+        total_credits: orchResult.total_credits,
+        latency_ms: orchResult.latency_ms,
+        errors: orchResult.errors
+      },
+      error: orchResult.success ? void 0 : orchResult.errors?.join("; ")
+    };
+  }
+};
+
+// src/credit/escrow-receipt.ts
+import { z as z3 } from "zod";
+import { randomUUID as randomUUID8 } from "crypto";
+var EscrowReceiptSchema = z3.object({
+  requester_owner: z3.string().min(1),
+  requester_public_key: z3.string().min(1),
+  amount: z3.number().positive(),
+  card_id: z3.string().min(1),
+  skill_id: z3.string().optional(),
+  timestamp: z3.string(),
+  nonce: z3.string().uuid(),
+  signature: z3.string().min(1)
+});
+function createSignedEscrowReceipt(db, privateKey, publicKey, opts) {
+  const escrowId = holdEscrow(db, opts.owner, opts.amount, opts.cardId);
+  const receiptData = {
+    requester_owner: opts.owner,
+    requester_public_key: publicKey.toString("hex"),
+    amount: opts.amount,
+    card_id: opts.cardId,
+    ...opts.skillId ? { skill_id: opts.skillId } : {},
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    nonce: randomUUID8()
+  };
+  const signature = signEscrowReceipt(receiptData, privateKey);
+  const receipt = {
+    ...receiptData,
+    signature
+  };
+  return { escrowId, receipt };
+}
+
+// src/relay/types.ts
+import { z as z4 } from "zod";
+var RegisterMessageSchema = z4.object({
+  type: z4.literal("register"),
+  owner: z4.string().min(1),
+  token: z4.string().min(1),
+  card: z4.record(z4.unknown())
+  // CapabilityCard (validated separately)
+});
+var RegisteredMessageSchema = z4.object({
+  type: z4.literal("registered"),
+  agent_id: z4.string()
+});
+var RelayRequestMessageSchema = z4.object({
+  type: z4.literal("relay_request"),
+  id: z4.string().uuid(),
+  target_owner: z4.string().min(1),
+  card_id: z4.string(),
+  skill_id: z4.string().optional(),
+  params: z4.record(z4.unknown()).default({}),
+  requester: z4.string().optional(),
+  escrow_receipt: z4.record(z4.unknown()).optional()
+});
+var IncomingRequestMessageSchema = z4.object({
+  type: z4.literal("incoming_request"),
+  id: z4.string().uuid(),
+  from_owner: z4.string().min(1),
+  card_id: z4.string(),
+  skill_id: z4.string().optional(),
+  params: z4.record(z4.unknown()).default({}),
+  requester: z4.string().optional(),
+  escrow_receipt: z4.record(z4.unknown()).optional()
+});
+var RelayResponseMessageSchema = z4.object({
+  type: z4.literal("relay_response"),
+  id: z4.string().uuid(),
+  result: z4.unknown().optional(),
+  error: z4.object({
+    code: z4.number(),
+    message: z4.string()
+  }).optional()
+});
+var ResponseMessageSchema = z4.object({
+  type: z4.literal("response"),
+  id: z4.string().uuid(),
+  result: z4.unknown().optional(),
+  error: z4.object({
+    code: z4.number(),
+    message: z4.string()
+  }).optional()
+});
+var ErrorMessageSchema = z4.object({
+  type: z4.literal("error"),
+  code: z4.string(),
+  message: z4.string(),
+  request_id: z4.string().optional()
+});
+var RelayMessageSchema = z4.discriminatedUnion("type", [
+  RegisterMessageSchema,
+  RegisteredMessageSchema,
+  RelayRequestMessageSchema,
+  IncomingRequestMessageSchema,
+  RelayResponseMessageSchema,
+  ResponseMessageSchema,
+  ErrorMessageSchema
+]);
+
+// src/relay/websocket-relay.ts
+import { randomUUID as randomUUID9 } from "crypto";
+var RATE_LIMIT_MAX = 60;
+var RATE_LIMIT_WINDOW_MS = 6e4;
+var RELAY_TIMEOUT_MS = 3e4;
+function registerWebSocketRelay(server, db) {
+  const connections = /* @__PURE__ */ new Map();
+  const pendingRequests = /* @__PURE__ */ new Map();
+  const rateLimits = /* @__PURE__ */ new Map();
+  function checkRateLimit(owner) {
+    const now = Date.now();
+    const entry = rateLimits.get(owner);
+    if (!entry || now >= entry.resetTime) {
+      rateLimits.set(owner, { count: 1, resetTime: now + RATE_LIMIT_WINDOW_MS });
+      return true;
+    }
+    if (entry.count >= RATE_LIMIT_MAX) {
+      return false;
+    }
+    entry.count++;
+    return true;
+  }
+  function markOwnerOffline(owner) {
+    try {
+      const stmt = db.prepare("SELECT id, data FROM capability_cards WHERE owner = ?");
+      const rows = stmt.all(owner);
+      for (const row of rows) {
+        try {
+          const card = JSON.parse(row.data);
+          if (card.availability?.online) {
+            card.availability.online = false;
+            card.updated_at = (/* @__PURE__ */ new Date()).toISOString();
+            const updateStmt = db.prepare("UPDATE capability_cards SET data = ?, updated_at = ? WHERE id = ?");
+            updateStmt.run(JSON.stringify(card), card.updated_at, row.id);
+          }
+        } catch {
+        }
+      }
+    } catch {
+    }
+  }
+  function markOwnerOnline(owner) {
+    try {
+      const stmt = db.prepare("SELECT id, data FROM capability_cards WHERE owner = ?");
+      const rows = stmt.all(owner);
+      for (const row of rows) {
+        try {
+          const card = JSON.parse(row.data);
+          card.availability = { ...card.availability, online: true };
+          card.updated_at = (/* @__PURE__ */ new Date()).toISOString();
+          const updateStmt = db.prepare("UPDATE capability_cards SET data = ?, updated_at = ? WHERE id = ?");
+          updateStmt.run(JSON.stringify(card), card.updated_at, row.id);
+        } catch {
+        }
+      }
+    } catch {
+    }
+  }
+  function upsertCard(cardData, owner) {
+    const cardId = cardData.id;
+    const existing = getCard(db, cardId);
+    if (existing) {
+      const updates = { ...cardData, availability: { ...cardData.availability ?? {}, online: true } };
+      updateCard(db, cardId, owner, updates);
+    } else {
+      const card = { ...cardData, availability: { ...cardData.availability ?? {}, online: true } };
+      insertCard(db, card);
+    }
+    return cardId;
+  }
+  function logAgentJoined(owner, cardName, cardId) {
+    try {
+      insertRequestLog(db, {
+        id: randomUUID9(),
+        card_id: cardId,
+        card_name: cardName,
+        requester: owner,
+        status: "success",
+        latency_ms: 0,
+        credits_charged: 0,
+        created_at: (/* @__PURE__ */ new Date()).toISOString(),
+        action_type: "agent_joined"
+      });
+    } catch {
+    }
+  }
+  function sendMessage(ws, msg) {
+    if (ws.readyState === 1) {
+      ws.send(JSON.stringify(msg));
+    }
+  }
+  function handleRegister(ws, msg) {
+    const { owner, card } = msg;
+    const existing = connections.get(owner);
+    if (existing && existing !== ws) {
+      try {
+        existing.close(1e3, "Replaced by new connection");
+      } catch {
+      }
+    }
+    connections.set(owner, ws);
+    const cardId = upsertCard(card, owner);
+    const cardName = card.name ?? card.agent_name ?? owner;
+    logAgentJoined(owner, cardName, cardId);
+    markOwnerOnline(owner);
+    sendMessage(ws, { type: "registered", agent_id: cardId });
+  }
+  function handleRelayRequest(ws, msg, fromOwner) {
+    if (!checkRateLimit(fromOwner)) {
+      sendMessage(ws, {
+        type: "error",
+        code: "rate_limited",
+        message: `Rate limit exceeded: max ${RATE_LIMIT_MAX} requests per minute`,
+        request_id: msg.id
+      });
+      return;
+    }
+    const targetWs = connections.get(msg.target_owner);
+    if (!targetWs || targetWs.readyState !== 1) {
+      sendMessage(ws, {
+        type: "response",
+        id: msg.id,
+        error: { code: -32603, message: `Agent offline: ${msg.target_owner}` }
+      });
+      return;
+    }
+    const timeout = setTimeout(() => {
+      pendingRequests.delete(msg.id);
+      sendMessage(ws, {
+        type: "response",
+        id: msg.id,
+        error: { code: -32603, message: "Relay request timeout" }
+      });
+    }, RELAY_TIMEOUT_MS);
+    pendingRequests.set(msg.id, { originOwner: fromOwner, timeout });
+    sendMessage(targetWs, {
+      type: "incoming_request",
+      id: msg.id,
+      from_owner: fromOwner,
+      card_id: msg.card_id,
+      skill_id: msg.skill_id,
+      params: msg.params,
+      requester: msg.requester ?? fromOwner,
+      escrow_receipt: msg.escrow_receipt
+    });
+  }
+  function handleRelayResponse(msg) {
+    const pending = pendingRequests.get(msg.id);
+    if (!pending) return;
+    clearTimeout(pending.timeout);
+    pendingRequests.delete(msg.id);
+    const originWs = connections.get(pending.originOwner);
+    if (originWs && originWs.readyState === 1) {
+      sendMessage(originWs, {
+        type: "response",
+        id: msg.id,
+        result: msg.result,
+        error: msg.error
+      });
+    }
+  }
+  function handleDisconnect(owner) {
+    if (!owner) return;
+    connections.delete(owner);
+    rateLimits.delete(owner);
+    markOwnerOffline(owner);
+    for (const [reqId, pending] of pendingRequests) {
+      if (pending.originOwner === owner) {
+        clearTimeout(pending.timeout);
+        pendingRequests.delete(reqId);
+      }
+    }
+  }
+  server.get("/ws", { websocket: true }, (socket) => {
+    let registeredOwner;
+    socket.on("message", (raw) => {
+      let data;
+      try {
+        data = JSON.parse(typeof raw === "string" ? raw : raw.toString("utf-8"));
+      } catch {
+        sendMessage(socket, { type: "error", code: "invalid_json", message: "Invalid JSON" });
+        return;
+      }
+      const parsed = RelayMessageSchema.safeParse(data);
+      if (!parsed.success) {
+        sendMessage(socket, {
+          type: "error",
+          code: "invalid_message",
+          message: `Invalid message: ${parsed.error.issues[0]?.message ?? "unknown error"}`
+        });
+        return;
+      }
+      const msg = parsed.data;
+      switch (msg.type) {
+        case "register":
+          registeredOwner = msg.owner;
+          handleRegister(socket, msg);
+          break;
+        case "relay_request":
+          if (!registeredOwner) {
+            sendMessage(socket, {
+              type: "error",
+              code: "not_registered",
+              message: "Must send register message before relay requests"
+            });
+            return;
+          }
+          handleRelayRequest(socket, msg, registeredOwner);
+          break;
+        case "relay_response":
+          handleRelayResponse(msg);
+          break;
+        default:
+          break;
+      }
+    });
+    socket.on("close", () => {
+      handleDisconnect(registeredOwner);
+    });
+    socket.on("error", () => {
+      handleDisconnect(registeredOwner);
+    });
+  });
+  return {
+    getOnlineCount: () => connections.size,
+    getOnlineOwners: () => Array.from(connections.keys()),
+    shutdown: () => {
+      for (const [, ws] of connections) {
+        try {
+          ws.close(1001, "Server shutting down");
+        } catch {
+        }
+      }
+      connections.clear();
+      for (const [, pending] of pendingRequests) {
+        clearTimeout(pending.timeout);
+      }
+      pendingRequests.clear();
+      rateLimits.clear();
+    }
+  };
+}
+
+// src/relay/websocket-client.ts
+import WebSocket from "ws";
+import { randomUUID as randomUUID10 } from "crypto";
+var RelayClient = class {
+  ws = null;
+  opts;
+  pendingRequests = /* @__PURE__ */ new Map();
+  reconnectAttempts = 0;
+  reconnectTimer = null;
+  intentionalClose = false;
+  registered = false;
+  pongTimeout = null;
+  pingInterval = null;
+  constructor(opts) {
+    this.opts = opts;
+  }
+  /**
+   * Connect to the registry relay and register.
+   * Resolves when registration is acknowledged.
+   */
+  async connect() {
+    return new Promise((resolve, reject) => {
+      this.intentionalClose = false;
+      this.registered = false;
+      const wsUrl = this.buildWsUrl();
+      this.ws = new WebSocket(wsUrl);
+      let resolved = false;
+      this.ws.on("open", () => {
+        this.reconnectAttempts = 0;
+        this.startPingInterval();
+        this.send({
+          type: "register",
+          owner: this.opts.owner,
+          token: this.opts.token,
+          card: this.opts.card
+        });
+      });
+      this.ws.on("message", (raw) => {
+        this.handleMessage(raw, (err) => {
+          if (!resolved) {
+            resolved = true;
+            if (err) reject(err);
+            else resolve();
+          }
+        });
+      });
+      this.ws.on("close", () => {
+        this.cleanup();
+        if (!this.intentionalClose) {
+          if (!resolved) {
+            resolved = true;
+            reject(new Error("WebSocket closed before registration"));
+          }
+          this.scheduleReconnect();
+        }
+      });
+      this.ws.on("error", (err) => {
+        if (!resolved) {
+          resolved = true;
+          reject(err);
+        }
+      });
+      setTimeout(() => {
+        if (!resolved) {
+          resolved = true;
+          reject(new Error("Connection timeout"));
+          this.ws?.close();
+        }
+      }, 1e4);
+    });
+  }
+  /**
+   * Disconnect from the registry relay.
+   */
+  disconnect() {
+    this.intentionalClose = true;
+    this.cleanup();
+    if (this.ws) {
+      try {
+        this.ws.close(1e3, "Client disconnect");
+      } catch {
+      }
+      this.ws = null;
+    }
+    for (const [id, pending] of this.pendingRequests) {
+      clearTimeout(pending.timeout);
+      pending.reject(new Error("Client disconnected"));
+      this.pendingRequests.delete(id);
+    }
+  }
+  /**
+   * Send a relay request to another agent via the registry.
+   * @returns The result from the target agent.
+   */
+  async request(opts) {
+    if (!this.ws || this.ws.readyState !== WebSocket.OPEN || !this.registered) {
+      throw new Error("Not connected to registry relay");
+    }
+    const id = randomUUID10();
+    const timeoutMs = opts.timeoutMs ?? 3e4;
+    return new Promise((resolve, reject) => {
+      const timeout = setTimeout(() => {
+        this.pendingRequests.delete(id);
+        reject(new Error("Relay request timeout"));
+      }, timeoutMs);
+      this.pendingRequests.set(id, { resolve, reject, timeout });
+      this.send({
+        type: "relay_request",
+        id,
+        target_owner: opts.targetOwner,
+        card_id: opts.cardId,
+        skill_id: opts.skillId,
+        params: opts.params,
+        requester: opts.requester ?? this.opts.owner,
+        escrow_receipt: opts.escrowReceipt
+      });
+    });
+  }
+  /** Whether the client is connected and registered */
+  get isConnected() {
+    return this.ws !== null && this.ws.readyState === WebSocket.OPEN && this.registered;
+  }
+  // ── Private methods ─────────────────────────────────────────────────────────
+  buildWsUrl() {
+    let url = this.opts.registryUrl;
+    if (url.startsWith("http://")) {
+      url = "ws://" + url.slice(7);
+    } else if (url.startsWith("https://")) {
+      url = "wss://" + url.slice(8);
+    } else if (!url.startsWith("ws://") && !url.startsWith("wss://")) {
+      url = "wss://" + url;
+    }
+    if (!url.endsWith("/ws")) {
+      url = url.replace(/\/$/, "") + "/ws";
+    }
+    return url;
+  }
+  handleMessage(raw, onRegistered) {
+    let data;
+    try {
+      data = JSON.parse(typeof raw === "string" ? raw : raw.toString("utf-8"));
+    } catch {
+      return;
+    }
+    const parsed = RelayMessageSchema.safeParse(data);
+    if (!parsed.success) return;
+    const msg = parsed.data;
+    switch (msg.type) {
+      case "registered":
+        this.registered = true;
+        if (!this.opts.silent) {
+          console.log(`  \u2713 Registered with registry (agent_id: ${msg.agent_id})`);
+        }
+        onRegistered?.();
+        break;
+      case "incoming_request":
+        this.handleIncomingRequest(msg);
+        break;
+      case "response":
+        this.handleResponse(msg);
+        break;
+      case "error":
+        this.handleError(msg);
+        break;
+      default:
+        break;
+    }
+  }
+  async handleIncomingRequest(msg) {
+    try {
+      const result = await this.opts.onRequest(msg);
+      this.send({
+        type: "relay_response",
+        id: msg.id,
+        result: result.result,
+        error: result.error
+      });
+    } catch (err) {
+      this.send({
+        type: "relay_response",
+        id: msg.id,
+        error: {
+          code: -32603,
+          message: err instanceof Error ? err.message : "Internal error"
+        }
+      });
+    }
+  }
+  handleResponse(msg) {
+    const pending = this.pendingRequests.get(msg.id);
+    if (!pending) return;
+    clearTimeout(pending.timeout);
+    this.pendingRequests.delete(msg.id);
+    if (msg.error) {
+      pending.reject(new Error(msg.error.message));
+    } else {
+      pending.resolve(msg.result);
+    }
+  }
+  handleError(msg) {
+    if (msg.request_id) {
+      const pending = this.pendingRequests.get(msg.request_id);
+      if (pending) {
+        clearTimeout(pending.timeout);
+        this.pendingRequests.delete(msg.request_id);
+        pending.reject(new Error(`${msg.code}: ${msg.message}`));
+      }
+    }
+  }
+  send(msg) {
+    if (this.ws && this.ws.readyState === WebSocket.OPEN) {
+      this.ws.send(JSON.stringify(msg));
+    }
+  }
+  startPingInterval() {
+    this.stopPingInterval();
+    this.pingInterval = setInterval(() => {
+      if (this.ws && this.ws.readyState === WebSocket.OPEN) {
+        this.ws.ping();
+        this.pongTimeout = setTimeout(() => {
+          if (!this.opts.silent) {
+            console.log("  \u26A0 Registry pong timeout, reconnecting...");
+          }
+          this.ws?.terminate();
+        }, 15e3);
+      }
+    }, 3e4);
+    this.ws?.on("pong", () => {
+      if (this.pongTimeout) {
+        clearTimeout(this.pongTimeout);
+        this.pongTimeout = null;
+      }
+    });
+  }
+  stopPingInterval() {
+    if (this.pingInterval) {
+      clearInterval(this.pingInterval);
+      this.pingInterval = null;
+    }
+    if (this.pongTimeout) {
+      clearTimeout(this.pongTimeout);
+      this.pongTimeout = null;
+    }
+  }
+  cleanup() {
+    this.stopPingInterval();
+    this.registered = false;
+  }
+  scheduleReconnect() {
+    if (this.intentionalClose) return;
+    if (this.reconnectTimer) return;
+    const delay = Math.min(1e3 * Math.pow(2, this.reconnectAttempts), 3e4);
+    this.reconnectAttempts++;
+    if (!this.opts.silent) {
+      console.log(`  \u21BB Reconnecting to registry in ${delay / 1e3}s...`);
+    }
+    this.reconnectTimer = setTimeout(async () => {
+      this.reconnectTimer = null;
+      try {
+        await this.connect();
+        if (!this.opts.silent) {
+          console.log("  \u2713 Reconnected to registry");
+        }
+      } catch {
+      }
+    }, delay);
+  }
+};
 export {
+  ApiExecutor,
+  ApiSkillConfigSchema,
+  BudgetController,
+  CONDUCTOR_OWNER,
   CapabilityCardSchema,
+  CommandExecutor,
+  CommandSkillConfigSchema,
+  ConductorMode,
+  ConductorSkillConfigSchema,
+  EscrowReceiptSchema,
+  ORCHESTRATION_FEE,
+  OpenClawBridge,
+  OpenClawSkillConfigSchema,
+  PipelineExecutor,
+  PipelineSkillConfigSchema,
+  RelayClient,
+  RelayMessageSchema,
+  SkillConfigSchema,
+  SkillExecutor,
+  SkillsFileSchema,
+  TEMPLATES,
+  applyInputMapping,
+  buildAuthHeaders,
+  buildConductorCard,
   createGatewayServer,
+  createSignedEscrowReceipt,
+  createSkillExecutor,
+  decompose,
+  executeCapabilityRequest,
+  expandEnvVars,
+  extractByPath,
+  generateKeyPair,
   getBalance,
   getCard,
   insertCard,
+  interpolate,
+  interpolateObject,
+  loadKeyPair,
+  matchSubTasks,
   openCreditDb,
   openDatabase,
-  searchCards
+  orchestrate,
+  parseSkillsFile,
+  registerConductorCard,
+  registerWebSocketRelay,
+  releaseRequesterEscrow,
+  requestViaRelay,
+  resolvePath,
+  saveKeyPair,
+  searchCards,
+  settleProviderEarning,
+  settleRequesterEscrow,
+  signEscrowReceipt,
+  verifyEscrowReceipt
 };