agentbnb 6.0.0 → 7.0.0

package/dist/{service-coordinator-CRSE4GWC.js → service-coordinator-WGH6B2VT.js}

@@ -1,10 +1,13 @@
+import {
+  executeCapabilityBatch,
+  executeCapabilityRequest
+} from "./chunk-C537SFHV.js";
 import {
   StructuredFeedbackSchema
 } from "./chunk-AUBHR7HH.js";
 import {
-  executeCapabilityBatch,
-  executeCapabilityRequest
-} from "./chunk-TR6UZDNX.js";
+  RelayMessageSchema
+} from "./chunk-SSK653A6.js";
 import {
   KNOWN_API_KEYS,
   announceGateway,
@@ -12,22 +15,19 @@ import {
   detectApiKeys,
   getPricingStats,
   stopAnnouncement
-} from "./chunk-TQDV254A.js";
+} from "./chunk-FTZTEHYG.js";
 import {
   deriveAgentId
-} from "./chunk-PSQHUZ7X.js";
+} from "./chunk-OH7BP5NP.js";
+import "./chunk-X32NE6V4.js";
 import {
   createLedger,
   identityAuthPlugin
-} from "./chunk-YRRVFTDR.js";
-import "./chunk-OZXCRLP3.js";
+} from "./chunk-5AAFG2V2.js";
 import {
   ApiSkillConfigSchema,
   parseSkillsFile
-} from "./chunk-NQTE577Q.js";
-import {
-  RelayMessageSchema
-} from "./chunk-QT7TEVNV.js";
+} from "./chunk-OCSU2S6W.js";
 import {
   interpolateObject
 } from "./chunk-3MJT4PZG.js";
@@ -37,13 +37,13 @@ import {
   insertAuditEvent,
   listPendingRequests,
   resolvePendingRequest
-} from "./chunk-Y7T6IMM3.js";
+} from "./chunk-GKVTD4EZ.js";
 import {
   buildReputationMap,
   computeReputation,
   filterCards,
   searchCards
-} from "./chunk-574W3HHE.js";
+} from "./chunk-LJM7FHPM.js";
 import {
   bootstrapAgent,
   getBalance,
@@ -53,11 +53,12 @@ import {
   openCreditDb,
   releaseEscrow,
   settleEscrow
-} from "./chunk-RVYQSC6L.js";
+} from "./chunk-D6RKW2XG.js";
+import "./chunk-NWIQJ2CL.js";
 import {
   generateKeyPair,
   verifyEscrowReceipt
-} from "./chunk-F53QQIM2.js";
+} from "./chunk-CUONY5TO.js";
 import {
   getConfigDir
 } from "./chunk-75OC6E4F.js";
@@ -80,11 +81,11 @@ import {
   updateCard,
   updateSkillAvailability,
   updateSkillIdleRate
-} from "./chunk-KA2VIEGM.js";
+} from "./chunk-O2OYBAVR.js";
 import {
   AgentBnBError,
   AnyCardSchema
-} from "./chunk-3CIMVISQ.js";
+} from "./chunk-WVY2W7AA.js";
 
 // src/runtime/agent-runtime.ts
 import { readFileSync, existsSync } from "fs";
@@ -93,13 +94,16 @@ import { readFileSync, existsSync } from "fs";
 var SkillExecutor = class {
   skillMap;
   modeMap;
+  concurrencyGuard;
   /**
    * @param configs - Parsed SkillConfig array (from parseSkillsFile).
    * @param modes - Map from skill type string to its executor implementation.
+   * @param concurrencyGuard - Optional ConcurrencyGuard to enforce max_concurrent limits.
    */
-  constructor(configs, modes) {
+  constructor(configs, modes, concurrencyGuard) {
     this.skillMap = new Map(configs.map((c) => [c.id, c]));
     this.modeMap = modes;
+    this.concurrencyGuard = concurrencyGuard;
   }
   /**
    * Execute a skill by ID with the given input parameters.
@@ -132,6 +136,18 @@ var SkillExecutor = class {
         latency_ms: Date.now() - startTime
       };
     }
+    const maxConcurrent = config.capacity?.max_concurrent ?? Infinity;
+    if (this.concurrencyGuard && maxConcurrent !== Infinity) {
+      if (!this.concurrencyGuard.canAccept(skillId, maxConcurrent)) {
+        return {
+          success: false,
+          error: `Skill ${skillId} at capacity (${maxConcurrent} concurrent max)`,
+          latency_ms: Date.now() - startTime,
+          failure_reason: "overload"
+        };
+      }
+      this.concurrencyGuard.acquire(skillId);
+    }
     try {
       const modeResult = await mode.execute(config, params, onProgress);
       return {
@@ -145,6 +161,10 @@ var SkillExecutor = class {
         error: message,
         latency_ms: Date.now() - startTime
       };
+    } finally {
+      if (this.concurrencyGuard && maxConcurrent !== Infinity) {
+        this.concurrencyGuard.release(skillId);
+      }
     }
   }
   /**
@@ -165,8 +185,8 @@ var SkillExecutor = class {
     return this.skillMap.get(skillId);
   }
 };
-function createSkillExecutor(configs, modes) {
-  return new SkillExecutor(configs, modes);
+function createSkillExecutor(configs, modes, concurrencyGuard) {
+  return new SkillExecutor(configs, modes, concurrencyGuard);
 }
 
 // src/skills/api-executor.ts
@@ -584,7 +604,8 @@ var OpenClawBridge = class {
 };
 
 // src/skills/command-executor.ts
-import { execFile as execFile2 } from "child_process";
+import { spawn } from "child_process";
+var KILL_GRACE_MS = 5e3;
 function shellEscape2(value) {
   return "'" + value.replace(/'/g, "'\\''") + "'";
 }
@@ -610,29 +631,89 @@ function safeInterpolateCommand2(template, context) {
     return shellEscape2(String(current));
   });
 }
-function execFileAsync2(file, args, options) {
+function spawnWithKill(command, options, registry) {
   return new Promise((resolve2, reject) => {
-    execFile2(file, args, options, (error, stdout, stderr) => {
-      const stdoutStr = typeof stdout === "string" ? stdout : stdout.toString();
-      const stderrStr = typeof stderr === "string" ? stderr : stderr.toString();
-      if (error) {
-        const enriched = Object.assign(error, { stderr: stderrStr });
-        reject(enriched);
+    const child = spawn("/bin/sh", ["-c", `${command} < /dev/null`], {
+      cwd: options.cwd,
+      env: options.env,
+      stdio: ["ignore", "pipe", "pipe"],
+      detached: true
+    });
+    registry.add(child);
+    let stdout = "";
+    let stderr = "";
+    let timedOut = false;
+    let killed = false;
+    let killTimer;
+    child.stdout.on("data", (chunk) => {
+      if (stdout.length < options.maxBuffer) {
+        stdout += chunk.toString();
+      }
+    });
+    child.stderr.on("data", (chunk) => {
+      if (stderr.length < options.maxBuffer) {
+        stderr += chunk.toString();
+      }
+    });
+    const killGroup = (signal) => {
+      try {
+        process.kill(-child.pid, signal);
+      } catch {
+        try {
+          child.kill(signal);
+        } catch {
+        }
+      }
+    };
+    const timeoutId = setTimeout(() => {
+      timedOut = true;
+      killGroup("SIGTERM");
+      killTimer = setTimeout(() => {
+        if (!killed) {
+          killGroup("SIGKILL");
+        }
+      }, KILL_GRACE_MS);
+      killTimer.unref();
+    }, options.timeout);
+    child.on("close", (_code, _signal) => {
+      killed = true;
+      clearTimeout(timeoutId);
+      if (killTimer) clearTimeout(killTimer);
+      registry.delete(child);
+      if (timedOut) {
+        const err = new Error(`Command timed out after ${options.timeout}ms`);
+        err.code = "ETIMEDOUT";
+        reject(err);
+      } else if (_code !== 0) {
+        const err = new Error(stderr.trim() || `Process exited with code ${_code}`);
+        Object.assign(err, { stderr: stderr.trim() });
+        reject(err);
       } else {
-        resolve2({ stdout: stdoutStr, stderr: stderrStr });
+        resolve2({ stdout, stderr });
       }
     });
+    child.on("error", (err) => {
+      killed = true;
+      clearTimeout(timeoutId);
+      registry.delete(child);
+      reject(err);
+    });
   });
 }
 var CommandExecutor = class {
+  /** Active child processes — killed on shutdown(). */
+  activeProcesses = /* @__PURE__ */ new Set();
+  /** In-flight execution count per skill ID for concurrency limiting. */
+  inflight = /* @__PURE__ */ new Map();
   /**
    * Execute a command skill with the provided parameters.
    *
    * Steps:
-   * 1. Security check: base command must be in `allowed_commands` if set.
-   * 2. Interpolate `config.command` using `{ params }` context.
-   * 3. Run via `child_process.exec` with timeout and cwd.
-   * 4. Parse stdout based on `output_type`: text | json | file.
+   * 1. Concurrency check: reject if at capacity.max_concurrent limit.
+   * 2. Security check: base command must be in `allowed_commands` if set.
+   * 3. Interpolate `config.command` using `{ params }` context.
+   * 4. Run via spawn with SIGTERM→SIGKILL timeout handling.
+   * 5. Parse stdout based on `output_type`: text | json | file.
    *
    * @param config - Validated CommandSkillConfig.
    * @param params - Input parameters passed by the caller.
@@ -640,43 +721,73 @@ var CommandExecutor = class {
    */
   async execute(config, params) {
     const cmdConfig = config;
+    const maxConcurrent = cmdConfig.capacity?.max_concurrent;
+    if (maxConcurrent !== void 0) {
+      const current = this.inflight.get(cmdConfig.id) ?? 0;
+      if (current >= maxConcurrent) {
+        return {
+          success: false,
+          error: `Skill "${cmdConfig.id}" at max concurrency (${maxConcurrent}). Try again later.`
+        };
+      }
+    }
     const baseCommand = cmdConfig.command.trim().split(/\s+/)[0] ?? "";
     if (cmdConfig.allowed_commands && cmdConfig.allowed_commands.length > 0) {
-      if (!cmdConfig.allowed_commands.includes(baseCommand)) {
+      const effectiveAllowed = cmdConfig.claude_code ? [.../* @__PURE__ */ new Set([...cmdConfig.allowed_commands, "claude"])] : cmdConfig.allowed_commands;
+      const commandToCheck = cmdConfig.claude_code ? "claude" : baseCommand;
+      if (!effectiveAllowed.includes(commandToCheck)) {
         return {
           success: false,
-          error: `Command not allowed: "${baseCommand}". Allowed: ${cmdConfig.allowed_commands.join(", ")}`
+          error: `Command not allowed: "${commandToCheck}". Allowed: ${effectiveAllowed.join(", ")}`
         };
       }
     }
-    const interpolatedCommand = safeInterpolateCommand2(cmdConfig.command, { params });
+    let interpolatedCommand;
+    if (cmdConfig.claude_code) {
+      const parts = ["claude", "--print"];
+      if (cmdConfig.claude_code.auto_mode) {
+        parts.push("--dangerously-skip-permissions");
+      }
+      if (cmdConfig.claude_code.model) {
+        parts.push("--model", cmdConfig.claude_code.model);
+      }
+      if (cmdConfig.claude_code.system_prompt) {
+        parts.push("-p", shellEscape2(cmdConfig.claude_code.system_prompt));
+      }
+      const interpolatedPrompt = safeInterpolateCommand2(cmdConfig.command, { params });
+      interpolatedCommand = parts.join(" ") + " " + interpolatedPrompt;
+    } else {
+      interpolatedCommand = safeInterpolateCommand2(cmdConfig.command, { params });
+    }
     const timeout = cmdConfig.timeout_ms ?? 3e4;
     const cwd = cmdConfig.working_dir ?? process.cwd();
-    let stdout;
     const env = { ...process.env };
     delete env["CLAUDECODE"];
+    this.inflight.set(cmdConfig.id, (this.inflight.get(cmdConfig.id) ?? 0) + 1);
+    let stdout;
     try {
-      const result = await execFileAsync2("/bin/sh", ["-c", `${interpolatedCommand} < /dev/null`], {
+      const result = await spawnWithKill(interpolatedCommand, {
         timeout,
         cwd,
         env,
         maxBuffer: 10 * 1024 * 1024
         // 10 MB
-      });
+      }, this.activeProcesses);
       stdout = result.stdout;
     } catch (err) {
+      this.decrementInflight(cmdConfig.id);
       if (err instanceof Error) {
-        const message = err.message;
-        const stderrContent = err.stderr ?? "";
-        if (message.includes("timed out") || message.includes("ETIMEDOUT") || err.code === "ETIMEDOUT") {
+        const code = err.code;
+        if (code === "ETIMEDOUT" || err.message.includes("timed out")) {
           return {
             success: false,
             error: `Command timed out after ${timeout}ms`
           };
         }
+        const stderrContent = err.stderr ?? "";
         return {
           success: false,
-          error: stderrContent.trim() || message
+          error: stderrContent.trim() || err.message
         };
       }
       return {
@@ -684,6 +795,7 @@ var CommandExecutor = class {
         error: String(err)
       };
     }
+    this.decrementInflight(cmdConfig.id);
     const rawOutput = stdout.trim();
     switch (cmdConfig.output_type) {
       case "text":
@@ -708,6 +820,48 @@ var CommandExecutor = class {
         };
     }
   }
+  /**
+   * Kill all active child processes. Called during service shutdown
+   * to prevent zombie processes.
+   */
+  shutdown() {
+    for (const child of this.activeProcesses) {
+      try {
+        process.kill(-child.pid, "SIGTERM");
+      } catch {
+        try {
+          child.kill("SIGTERM");
+        } catch {
+        }
+      }
+      const pid = child.pid;
+      const timer = setTimeout(() => {
+        try {
+          process.kill(-pid, "SIGKILL");
+        } catch {
+        }
+      }, KILL_GRACE_MS);
+      timer.unref();
+    }
+    this.activeProcesses.clear();
+  }
+  /** Returns the number of currently active child processes. */
+  get activeCount() {
+    return this.activeProcesses.size;
+  }
+  /** Returns the in-flight count for a specific skill ID. */
+  getInflight(skillId) {
+    return this.inflight.get(skillId) ?? 0;
+  }
+  /** Decrement the inflight counter for a skill ID. */
+  decrementInflight(skillId) {
+    const current = this.inflight.get(skillId) ?? 0;
+    if (current <= 1) {
+      this.inflight.delete(skillId);
+    } else {
+      this.inflight.set(skillId, current - 1);
+    }
+  }
 };
 
 // src/runtime/agent-runtime.ts
@@ -725,6 +879,8 @@ var AgentRuntime = class {
    * Undefined if no skills.yaml was provided or the file does not exist.
    */
   skillExecutor;
+  /** Reference to CommandExecutor for shutdown cleanup of child processes. */
+  commandExecutor;
   draining = false;
   orphanedEscrowAgeMinutes;
   skillsYamlPath;
@@ -790,8 +946,8 @@ var AgentRuntime = class {
     }
     const modes = /* @__PURE__ */ new Map();
     if (this.conductorEnabled) {
-      const { ConductorMode } = await import("./conductor-mode-YQ6QSPPT.js");
-      const { registerConductorCard, CONDUCTOR_OWNER } = await import("./card-REW7BSWW.js");
+      const { ConductorMode } = await import("./conductor-mode-AKREGDIU.js");
+      const { registerConductorCard, CONDUCTOR_OWNER } = await import("./card-EX2EYGCZ.js");
       const { loadPeers } = await import("./peers-K7FSHPN3.js");
       registerConductorCard(this.registryDb);
       const resolveAgentUrl = (owner) => {
@@ -838,10 +994,11 @@ var AgentRuntime = class {
     const executor = createSkillExecutor(configs, modes);
     if (hasSkillsYaml) {
       const pipelineExecutor = new PipelineExecutor(executor);
+      this.commandExecutor = new CommandExecutor();
       modes.set("api", new ApiExecutor());
       modes.set("pipeline", pipelineExecutor);
       modes.set("openclaw", new OpenClawBridge());
-      modes.set("command", new CommandExecutor());
+      modes.set("command", this.commandExecutor);
     }
     this.skillExecutor = executor;
   }
@@ -874,6 +1031,9 @@ var AgentRuntime = class {
       return;
     }
     this.draining = true;
+    if (this.commandExecutor) {
+      this.commandExecutor.shutdown();
+    }
     for (const job of this.jobs) {
       job.stop();
     }
@@ -1114,6 +1274,78 @@ function releaseForRelay(creditDb, escrowId) {
   releaseEscrow(creditDb, escrowId);
 }
 
+// src/relay/relay-escrow.ts
+function verifyRelaySignature(data, signature, publicKeyHex) {
+  try {
+    const publicKeyBuf = Buffer.from(publicKeyHex, "hex");
+    return verifyEscrowReceipt(data, signature, publicKeyBuf);
+  } catch {
+    return false;
+  }
+}
+function processEscrowHold(creditDb, consumerAgentId, providerAgentId, skillId, amount, requestId, signature, publicKeyHex) {
+  if (signature && publicKeyHex) {
+    const signData = {
+      consumer_agent_id: consumerAgentId,
+      provider_agent_id: providerAgentId,
+      skill_id: skillId,
+      amount,
+      request_id: requestId
+    };
+    if (!verifyRelaySignature(signData, signature, publicKeyHex)) {
+      throw new Error("Invalid consumer signature on escrow hold");
+    }
+  }
+  const escrowId = holdEscrow(creditDb, consumerAgentId, amount, `${providerAgentId}:${skillId}`);
+  const remaining = getBalance(creditDb, consumerAgentId);
+  return {
+    escrow_id: escrowId,
+    hold_amount: amount,
+    consumer_remaining: remaining
+  };
+}
+function processEscrowSettle(creditDb, escrowId, success, providerAgentId, signature, publicKeyHex, consumerAgentId) {
+  if (signature && publicKeyHex && consumerAgentId) {
+    const signData = {
+      escrow_id: escrowId,
+      success,
+      consumer_agent_id: consumerAgentId
+    };
+    if (!verifyRelaySignature(signData, signature, publicKeyHex)) {
+      throw new Error("Invalid consumer signature on escrow settle");
+    }
+  }
+  const escrowRow = creditDb.prepare("SELECT amount, owner FROM credit_escrow WHERE id = ? AND status = ?").get(escrowId, "held");
+  if (!escrowRow) {
+    throw new Error(`Escrow not found or already settled: ${escrowId}`);
+  }
+  const NETWORK_FEE_RATE = 0.05;
+  if (success) {
+    settleEscrow(creditDb, escrowId, providerAgentId);
+    const networkFee = Math.floor(escrowRow.amount * NETWORK_FEE_RATE);
+    const providerAmount = escrowRow.amount - networkFee;
+    return {
+      escrow_id: escrowId,
+      provider_earned: providerAmount,
+      network_fee: networkFee,
+      consumer_remaining: getBalance(creditDb, escrowRow.owner),
+      provider_balance: getBalance(creditDb, providerAgentId)
+    };
+  } else {
+    releaseEscrow(creditDb, escrowId);
+    return {
+      escrow_id: escrowId,
+      provider_earned: 0,
+      network_fee: 0,
+      consumer_remaining: getBalance(creditDb, escrowRow.owner),
+      provider_balance: getBalance(creditDb, providerAgentId)
+    };
+  }
+}
+function settleWithNetworkFee(creditDb, escrowId, providerOwner) {
+  return processEscrowSettle(creditDb, escrowId, true, providerOwner);
+}
+
 // src/hub-agent/relay-bridge.ts
 import { randomUUID as randomUUID3 } from "crypto";
 
@@ -1417,9 +1649,17 @@ var RATE_LIMIT_WINDOW_MS = 6e4;
 var RELAY_TIMEOUT_MS = 3e5;
 function registerWebSocketRelay(server, db, creditDb) {
   const connections = /* @__PURE__ */ new Map();
+  const agentIdToOwner = /* @__PURE__ */ new Map();
   const pendingRequests = /* @__PURE__ */ new Map();
   const rateLimits = /* @__PURE__ */ new Map();
+  const agentCapacities = /* @__PURE__ */ new Map();
   let onAgentOnlineCallback;
+  function resolveConnectionKey(target) {
+    const ownerFromAgentId = agentIdToOwner.get(target);
+    if (ownerFromAgentId && connections.has(ownerFromAgentId)) return ownerFromAgentId;
+    if (connections.has(target)) return target;
+    return void 0;
+  }
   function checkRateLimit(owner) {
     const now = Date.now();
     const entry = rateLimits.get(owner);
@@ -1523,6 +1763,20 @@ function registerWebSocketRelay(server, db, creditDb) {
       }
     }
     connections.set(owner, ws);
+    if (msg.agent_id) {
+      agentIdToOwner.set(msg.agent_id, owner);
+    }
+    if (msg.agents && msg.agents.length > 0) {
+      for (const agentEntry of msg.agents) {
+        agentIdToOwner.set(agentEntry.agent_id, owner);
+        for (const agentCard of agentEntry.cards) {
+          try {
+            upsertCard(agentCard, owner);
+          } catch {
+          }
+        }
+      }
+    }
     const isEphemeral = owner.includes(":req:");
     if (isEphemeral) {
       const cardId2 = card.id ?? owner;
@@ -1566,12 +1820,13 @@ function registerWebSocketRelay(server, db, creditDb) {
       });
       return;
     }
-    const targetWs = connections.get(msg.target_owner);
+    const targetKey = resolveConnectionKey(msg.target_agent_id ?? msg.target_owner);
+    const targetWs = targetKey ? connections.get(targetKey) : void 0;
     if (!targetWs || targetWs.readyState !== 1) {
       sendMessage(ws, {
         type: "response",
         id: msg.id,
-        error: { code: -32603, message: `Agent offline: ${msg.target_owner}` }
+        error: { code: -32603, message: `Agent offline: ${msg.target_agent_id ?? msg.target_owner}` }
       });
       return;
     }
@@ -1685,7 +1940,7 @@ function registerWebSocketRelay(server, db, creditDb) {
     if (pending.escrowId && creditDb) {
       try {
         if (msg.error === void 0) {
-          settleForRelay(creditDb, pending.escrowId, pending.targetOwner);
+          settleWithNetworkFee(creditDb, pending.escrowId, pending.targetOwner);
         } else {
           releaseForRelay(creditDb, pending.escrowId);
         }
@@ -1722,6 +1977,13 @@ function registerWebSocketRelay(server, db, creditDb) {
     if (!owner) return;
     connections.delete(owner);
     rateLimits.delete(owner);
+    agentCapacities.delete(owner);
+    for (const [agentId, o] of agentIdToOwner) {
+      if (o === owner) {
+        agentIdToOwner.delete(agentId);
+        break;
+      }
+    }
     markOwnerOffline(owner);
     for (const [reqId, pending] of pendingRequests) {
       if (pending.targetOwner === owner) {
@@ -1755,6 +2017,99 @@ function registerWebSocketRelay(server, db, creditDb) {
       }
     }
   }
+  function handleHeartbeat(msg) {
+    agentCapacities.set(msg.owner, msg.capacity);
+  }
+  function handleEscrowHold(ws, msg) {
+    if (!creditDb) {
+      sendMessage(ws, { type: "error", code: "no_credit_db", message: "Credit system not available" });
+      return;
+    }
+    try {
+      const result = processEscrowHold(
+        creditDb,
+        msg.consumer_agent_id,
+        msg.provider_agent_id,
+        msg.skill_id,
+        msg.amount,
+        msg.request_id,
+        msg.signature,
+        msg.public_key
+      );
+      sendMessage(ws, {
+        type: "escrow_hold_confirmed",
+        request_id: msg.request_id,
+        escrow_id: result.escrow_id,
+        hold_amount: result.hold_amount,
+        consumer_remaining: result.consumer_remaining
+      });
+    } catch (err) {
+      const errMsg = err instanceof Error ? err.message : "Escrow hold failed";
+      const code = errMsg.includes("INSUFFICIENT_CREDITS") ? "insufficient_credits" : "escrow_hold_failed";
+      sendMessage(ws, { type: "error", code, message: errMsg, request_id: msg.request_id });
+    }
+  }
+  function handleEscrowSettle(ws, msg) {
+    if (!creditDb) {
+      sendMessage(ws, { type: "error", code: "no_credit_db", message: "Credit system not available" });
+      return;
+    }
+    try {
+      const escrow = creditDb.prepare("SELECT card_id FROM credit_escrow WHERE id = ? AND status = ?").get(msg.escrow_id, "held");
+      if (!escrow) {
+        sendMessage(ws, { type: "error", code: "escrow_not_found", message: `Escrow not found: ${msg.escrow_id}`, request_id: msg.request_id });
+        return;
+      }
+      const providerAgentId = escrow.card_id.split(":")[0];
+      const result = processEscrowSettle(
+        creditDb,
+        msg.escrow_id,
+        msg.success,
+        providerAgentId,
+        msg.signature,
+        msg.public_key,
+        msg.consumer_agent_id
+      );
+      sendMessage(ws, {
+        type: "escrow_settled",
+        escrow_id: result.escrow_id,
+        request_id: msg.request_id,
+        provider_earned: result.provider_earned,
+        network_fee: result.network_fee,
+        consumer_remaining: result.consumer_remaining,
+        provider_balance: result.provider_balance
+      });
+      const providerKey = resolveConnectionKey(providerAgentId);
+      if (providerKey) {
+        const providerWs = connections.get(providerKey);
+        if (providerWs && providerWs.readyState === 1) {
+          sendMessage(providerWs, {
+            type: "escrow_settled",
+            escrow_id: result.escrow_id,
+            request_id: msg.request_id,
+            provider_earned: result.provider_earned,
+            network_fee: result.network_fee,
+            consumer_remaining: result.consumer_remaining,
+            provider_balance: result.provider_balance
+          });
+        }
+      }
+    } catch (err) {
+      sendMessage(ws, { type: "error", code: "escrow_settle_failed", message: err instanceof Error ? err.message : "Settlement failed", request_id: msg.request_id });
+    }
+  }
+  function handleBalanceSync(ws, msg) {
+    if (!creditDb) {
+      sendMessage(ws, { type: "error", code: "no_credit_db", message: "Credit system not available" });
+      return;
+    }
+    const balance = getBalance(creditDb, msg.agent_id);
+    sendMessage(ws, {
+      type: "balance_sync_response",
+      agent_id: msg.agent_id,
+      balance
+    });
+  }
   void server.register(async (app) => {
     app.get("/ws", { websocket: true }, (rawSocket, _request) => {
       const socket = rawSocket;
@@ -1800,15 +2155,33 @@ function registerWebSocketRelay(server, db, creditDb) {
             case "relay_progress":
               handleRelayProgress(msg);
               break;
+            case "heartbeat":
+              handleHeartbeat(msg);
+              break;
+            // V8 Phase 2: Explicit escrow messages
+            case "escrow_hold":
+              handleEscrowHold(socket, msg);
+              break;
+            case "escrow_settle":
+              handleEscrowSettle(socket, msg);
+              break;
+            case "balance_sync":
+              handleBalanceSync(socket, msg);
+              break;
             default:
               break;
           }
         })();
       });
+      const pingInterval = setInterval(() => {
+        if (socket.readyState === 1) socket.ping();
+      }, 3e4);
       socket.on("close", () => {
+        clearInterval(pingInterval);
         handleDisconnect(registeredOwner);
       });
       socket.on("error", () => {
+        clearInterval(pingInterval);
         handleDisconnect(registeredOwner);
       });
     });
@@ -1829,6 +2202,7 @@ function registerWebSocketRelay(server, db, creditDb) {
       }
       pendingRequests.clear();
       rateLimits.clear();
+      agentCapacities.clear();
     },
     setOnAgentOnline: (cb) => {
       onAgentOnlineCallback = cb;
@@ -1837,7 +2211,9 @@ function registerWebSocketRelay(server, db, creditDb) {
     getPendingRequests: () => pendingRequests,
     sendMessage: (ws, msg) => {
       sendMessage(ws, msg);
-    }
+    },
+    getAgentCapacity: (owner) => agentCapacities.get(owner),
+    getAllCapacities: () => new Map(agentCapacities)
   };
 }
 
@@ -3108,7 +3484,7 @@ function createRegistryServer(opts) {
       openapi: "3.0.3",
       info: {
         title: "AgentBnB Registry API",
-        description: "P2P Agent Capability Sharing Protocol \u2014 discover, publish, and exchange agent capabilities",
+        description: "Where AI agents hire AI agents \u2014 discover, publish, and coordinate agent capabilities",
         version: "3.1.6"
       },
       servers: [{ url: "/", description: "Registry server" }],
@@ -3140,7 +3516,7 @@ function createRegistryServer(opts) {
   });
   void server.register(cors, {
     origin: true,
-    methods: ["GET", "POST", "PATCH", "OPTIONS"],
+    methods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
     allowedHeaders: ["Content-Type", "Authorization", "X-Agent-PublicKey", "X-Agent-Signature", "X-Agent-Timestamp"]
   });
   void server.register(fastifyWebsocket);
@@ -3303,7 +3679,9 @@ function createRegistryServer(opts) {
         const trustStmt = db.prepare(`
         SELECT cc.owner,
           COUNT(rl.id) as total_exec,
-          SUM(CASE WHEN rl.status IN ('success','failure','timeout','refunded') THEN 1 ELSE 0 END) as terminal_exec,
+          SUM(CASE WHEN rl.status IN ('success','failure','timeout','refunded')
+              AND (rl.failure_reason IS NULL OR rl.failure_reason IN ('bad_execution','auth_error'))
+              THEN 1 ELSE 0 END) as terminal_exec,
           SUM(CASE WHEN rl.status = 'success' THEN 1 ELSE 0 END) as success_exec,
           AVG(CASE WHEN rl.status = 'success' THEN rl.latency_ms END) as avg_latency
         FROM capability_cards cc
@@ -3537,21 +3915,32 @@ function createRegistryServer(opts) {
     api.delete("/cards/:id", {
       schema: {
         tags: ["cards"],
-        summary: "Delete a capability card",
+        summary: "Delete a capability card (requires Bearer auth)",
+        security: [{ bearerAuth: [] }],
         params: { type: "object", properties: { id: { type: "string" } }, required: ["id"] },
         response: {
-          200: { type: "object", properties: { ok: { type: "boolean" }, id: { type: "string" } } },
+          204: { type: "null", description: "Card deleted successfully" },
+          401: { type: "object", properties: { error: { type: "string" } } },
+          403: { type: "object", properties: { error: { type: "string" } } },
           404: { type: "object", properties: { error: { type: "string" } } }
         }
       }
     }, async (request, reply) => {
+      const auth = request.headers.authorization;
+      const token = auth?.startsWith("Bearer ") ? auth.slice(7).trim() : null;
+      if (!token || !opts.ownerApiKey || token !== opts.ownerApiKey) {
+        return reply.code(401).send({ error: "Unauthorized" });
+      }
       const { id } = request.params;
       const card = getCard(db, id);
       if (!card) {
         return reply.code(404).send({ error: "Not found" });
       }
+      if (opts.ownerName && card.owner !== opts.ownerName) {
+        return reply.code(403).send({ error: "Forbidden" });
+      }
       db.prepare("DELETE FROM capability_cards WHERE id = ?").run(id);
-      return reply.send({ ok: true, id });
+      return reply.code(204).send();
     });
     api.get("/api/agents", {
       schema: {
@@ -3636,7 +4025,8 @@ function createRegistryServer(opts) {
       const lastActive = lastActiveRow?.last_req ?? memberRow?.latest ?? joinedAt;
       const metricsStmt = db.prepare(`
       SELECT
-        COUNT(*) as total,
+        SUM(CASE WHEN rl.failure_reason IS NULL OR rl.failure_reason IN ('bad_execution','auth_error')
+            THEN 1 ELSE 0 END) as total,
         SUM(CASE WHEN rl.status = 'success' THEN 1 ELSE 0 END) as successes,
         AVG(CASE WHEN rl.status = 'success' THEN rl.latency_ms END) as avg_latency,
         COUNT(DISTINCT rl.requester) as unique_requesters,
@@ -4229,6 +4619,110 @@ function createRegistryServer(opts) {
         });
       });
     }
+    api.get("/api/providers/:owner/reliability", {
+      schema: {
+        tags: ["agents"],
+        summary: "Get provider reliability metrics",
+        params: { type: "object", properties: { owner: { type: "string" } }, required: ["owner"] },
+        response: {
+          200: {
+            type: "object",
+            properties: {
+              current_streak: { type: "integer" },
+              longest_streak: { type: "integer" },
+              total_hires: { type: "integer" },
+              repeat_hires: { type: "integer" },
+              repeat_hire_rate: { type: "number" },
+              avg_feedback_score: { type: "number" },
+              availability_rate: { type: "number" }
+            }
+          },
+          404: { type: "object", properties: { error: { type: "string" } } }
+        }
+      }
+    }, async (request, reply) => {
+      const { owner } = request.params;
+      if (!opts.creditDb) {
+        return reply.code(404).send({ error: "Credit system not enabled" });
+      }
+      const { getReliabilityMetrics } = await import("./reliability-metrics-QG7WC5QK.js");
+      const metrics = getReliabilityMetrics(opts.creditDb, owner);
+      if (!metrics) {
+        return reply.code(404).send({ error: "No reliability data for this provider" });
+      }
+      return reply.send(metrics);
+    });
+    api.get("/api/fleet/:owner", {
+      schema: {
+        tags: ["agents"],
+        summary: "Agent fleet overview for an owner",
+        params: { type: "object", properties: { owner: { type: "string" } }, required: ["owner"] },
+        response: {
+          200: { type: "object", properties: { agents: { type: "array" } } }
+        }
+      }
+    }, async (request, reply) => {
+      const { owner } = request.params;
+      const rows = db.prepare(
+        "SELECT id, data FROM capability_cards WHERE owner = ?"
+      ).all(owner);
+      const agents = [];
+      for (const row of rows) {
+        try {
+          const card = JSON.parse(row.data);
+          let earnings = 0;
+          let spend = 0;
+          if (opts.creditDb) {
+            const earningRow = opts.creditDb.prepare(
+              "SELECT COALESCE(SUM(amount), 0) as total FROM credit_transactions WHERE owner = ? AND reason = 'settlement' AND amount > 0"
+            ).get(owner);
+            earnings = earningRow.total;
+            const spendRow = opts.creditDb.prepare(
+              "SELECT COALESCE(SUM(ABS(amount)), 0) as total FROM credit_transactions WHERE owner = ? AND reason = 'escrow_hold'"
+            ).get(owner);
+            spend = spendRow.total;
+          }
+          const successCount = db.prepare(
+            "SELECT COUNT(*) as cnt FROM request_log WHERE card_id = ? AND status = 'success' AND (action_type IS NULL OR action_type = 'auto_share')"
+          ).get(row.id).cnt;
+          const failureCount = db.prepare(
+            "SELECT COUNT(*) as cnt FROM request_log WHERE card_id = ? AND status IN ('failure', 'timeout', 'refunded') AND (action_type IS NULL OR action_type = 'auto_share')"
+          ).get(row.id).cnt;
+          const totalExec = successCount + failureCount;
+          const successRate = totalExec > 0 ? successCount / totalExec : 0;
+          let failureBreakdown = {};
+          try {
+            const failureRows = db.prepare(
+              "SELECT failure_reason, COUNT(*) as cnt FROM request_log WHERE card_id = ? AND status IN ('failure', 'timeout', 'refunded') AND failure_reason IS NOT NULL GROUP BY failure_reason"
+            ).all(row.id);
+            for (const fr of failureRows) {
+              failureBreakdown[fr.failure_reason] = fr.cnt;
+            }
+          } catch {
+          }
+          let reliability = null;
+          if (opts.creditDb) {
+            const { getReliabilityMetrics } = await import("./reliability-metrics-QG7WC5QK.js");
+            reliability = getReliabilityMetrics(opts.creditDb, owner);
+          }
+          agents.push({
+            id: row.id,
+            name: card.name ?? card.agent_name ?? owner,
+            online: card.availability?.online ?? false,
+            current_load: 0,
+            // Will be populated from relay heartbeat data in future
+            success_rate: successRate,
+            total_executions: totalExec,
+            earnings,
+            spend,
+            failure_breakdown: failureBreakdown,
+            reliability
+          });
+        } catch {
+        }
+      }
+      return reply.send({ agents });
+    });
   });
   return { server, relayState };
 }
@@ -4327,7 +4821,7 @@ var IdleMonitor = class {
 };
 
 // src/runtime/service-coordinator.ts
-import { spawn } from "child_process";
+import { spawn as spawn2 } from "child_process";
 import { createRequire } from "module";
 import { existsSync as existsSync3, readFileSync as readFileSync2 } from "fs";
 import { fileURLToPath as fileURLToPath2 } from "url";
@@ -4355,10 +4849,14 @@ var ServiceCoordinator = class {
       if (health.ok && health.agentbnb) {
         return "already_running";
       }
-      throw new AgentBnBError(
-        `AgentBnB lock exists but health check failed (pid=${running.pid}, port=${running.port})`,
-        "SERVICE_UNHEALTHY"
-      );
+      if (opts?.foreground) {
+        this.guard.release();
+      } else {
+        throw new AgentBnBError(
+          `AgentBnB lock exists but health check failed (pid=${running.pid}, port=${running.port})`,
+          "SERVICE_UNHEALTHY"
+        );
+      }
     }
     if (opts?.foreground) {
       return this.startInProcess(opts);
@@ -4473,7 +4971,7 @@ var ServiceCoordinator = class {
       console.log("Conductor mode enabled \u2014 orchestrate/plan skills available via gateway");
     }
     if (opts.conductorEnabled && this.config.conductor?.public) {
-      const { buildConductorCard } = await import("./card-REW7BSWW.js");
+      const { buildConductorCard } = await import("./card-EX2EYGCZ.js");
       const conductorCard = buildConductorCard(this.config.owner);
       const now = (/* @__PURE__ */ new Date()).toISOString();
       const existing = this.runtime.registryDb.prepare("SELECT id FROM capability_cards WHERE id = ?").get(conductorCard.id);
@@ -4530,8 +5028,8 @@ var ServiceCoordinator = class {
       }
     }
     if (opts.registryUrl && opts.relay) {
-      const { RelayClient } = await import("./websocket-client-6IIDGXKB.js");
-      const { executeCapabilityRequest: executeCapabilityRequest2 } = await import("./execute-PNJFABVJ.js");
+      const { RelayClient } = await import("./websocket-client-QOVARTRN.js");
+      const { executeCapabilityRequest: executeCapabilityRequest2 } = await import("./execute-AYQWORVH.js");
       const cards = listCards(this.runtime.registryDb, this.config.owner);
       const card = cards[0] ?? {
         id: randomUUID6(),
@@ -4547,7 +5045,7 @@ var ServiceCoordinator = class {
       };
       const additionalCards = [];
       if (this.config.conductor?.public) {
-        const { buildConductorCard } = await import("./card-REW7BSWW.js");
+        const { buildConductorCard } = await import("./card-EX2EYGCZ.js");
         additionalCards.push(
           buildConductorCard(this.config.owner)
         );
@@ -4556,6 +5054,7 @@ var ServiceCoordinator = class {
       this.relayClient = new RelayClient({
         registryUrl: opts.registryUrl,
         owner: this.config.owner,
+        agent_id: this.config.agent_id,
         token: this.config.token,
         card,
         cards: additionalCards.length > 0 ? additionalCards : void 0,
@@ -4638,7 +5137,7 @@ var ServiceCoordinator = class {
     const runtime = loadPersistedRuntime(getConfigDir());
     const nodeExec = resolveNodeExecutable(runtime);
     const cliArgs = resolveCliLaunchArgs(this.buildServeArgs(opts));
-    const child = spawn(nodeExec, cliArgs, {
+    const child = spawn2(nodeExec, cliArgs, {
       detached: true,
       stdio: "ignore",
       env: { ...process.env }
@@ -4797,7 +5296,6 @@ var ServiceCoordinator = class {
     })();
   };
 };
-var require2 = createRequire(import.meta.url);
 function loadPersistedRuntime(configDir) {
   const runtimePath = join2(configDir, "runtime.json");
   if (!existsSync3(runtimePath)) return null;
@@ -4825,6 +5323,12 @@ function resolveNodeExecutable(runtime) {
   return process.execPath;
 }
 function resolveCliLaunchArgs(serveArgs) {
+  const require2 = createRequire(import.meta.url);
+  try {
+    const distCli2 = require2.resolve("agentbnb/dist/cli/index.js");
+    return [distCli2, "serve", ...serveArgs];
+  } catch {
+  }
   const projectRoot = resolve(dirname2(fileURLToPath2(import.meta.url)), "..", "..");
   const distCli = join2(projectRoot, "dist", "cli", "index.js");
   if (existsSync3(distCli)) {