agentbnb 8.4.4 → 8.4.7

package/dist/index.js

@@ -1251,11 +1251,47 @@ function openCreditDb(path = ":memory:") {
   ensureAgentsTable(db);
   return db;
 }
+function bootstrapAgent(db, owner, amount = 100) {
+  const canonicalOwner = canonicalizeCreditOwner(db, owner);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  let isNew = false;
+  db.transaction(() => {
+    const result = db.prepare("INSERT OR IGNORE INTO credit_balances (owner, balance, updated_at) VALUES (?, ?, ?)").run(canonicalOwner, amount, now);
+    if (result.changes > 0) {
+      isNew = true;
+      db.prepare(
+        "INSERT INTO credit_transactions (id, owner, amount, reason, reference_id, created_at) VALUES (?, ?, ?, ?, ?, ?)"
+      ).run(randomUUID3(), canonicalOwner, amount, "bootstrap", null, now);
+    }
+  })();
+  if (isNew) {
+    issueVoucher(db, canonicalOwner, 50, 30);
+  }
+}
 function getBalance(db, owner) {
   const canonicalOwner = canonicalizeCreditOwner(db, owner);
   const row = db.prepare("SELECT balance FROM credit_balances WHERE owner = ?").get(canonicalOwner);
   return row?.balance ?? 0;
 }
+function getTransactions(db, owner, opts = 100) {
+  const canonicalOwner = canonicalizeCreditOwner(db, owner);
+  const page = typeof opts === "number" ? { limit: opts } : opts;
+  const limit = page.limit ?? 100;
+  const conditions = ["owner = ?"];
+  const params = [canonicalOwner];
+  if (page.before) {
+    conditions.push("created_at < ?");
+    params.push(page.before);
+  }
+  if (page.after) {
+    conditions.push("created_at > ?");
+    params.push(page.after);
+  }
+  params.push(limit);
+  return db.prepare(
+    `SELECT id, owner, amount, reason, reference_id, created_at FROM credit_transactions WHERE ${conditions.join(" AND ")} ORDER BY created_at DESC LIMIT ?`
+  ).all(...params);
+}
 function registerProvider(db, owner) {
   const canonicalOwner = canonicalizeCreditOwner(db, owner);
   const now = (/* @__PURE__ */ new Date()).toISOString();
@@ -1275,6 +1311,16 @@ function getProviderBonus(providerNumber) {
   if (providerNumber <= 200) return 1.5;
   return 1;
 }
+function issueVoucher(db, owner, amount = 50, daysValid = 30) {
+  const canonicalOwner = canonicalizeCreditOwner(db, owner);
+  const id = randomUUID3();
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(now.getTime() + daysValid * 24 * 60 * 60 * 1e3);
+  db.prepare(
+    "INSERT INTO demand_vouchers (id, owner, amount, remaining, created_at, expires_at, is_active) VALUES (?, ?, ?, ?, ?, ?, 1)"
+  ).run(id, canonicalOwner, amount, amount, now.toISOString(), expiresAt.toISOString());
+  return id;
+}
 function getActiveVoucher(db, owner) {
   const canonicalOwner = canonicalizeCreditOwner(db, owner);
   const now = (/* @__PURE__ */ new Date()).toISOString();
@@ -1307,6 +1353,11 @@ function recordEarning(db, owner, amount, _cardId, receiptNonce) {
     ).run(randomUUID3(), canonicalOwner, amount, "remote_earning", receiptNonce, now);
   })();
 }
+function migrateOwner(db, oldOwner, newOwner) {
+  if (oldOwner === newOwner) return;
+  const canonicalNewOwner = canonicalizeCreditOwner(db, newOwner);
+  migrateCreditOwnerData(db, oldOwner, canonicalNewOwner);
+}
 
 // src/gateway/server.ts
 import Fastify from "fastify";
@@ -1524,6 +1575,629 @@ function loadConfig() {
   }
 }
 
+// src/identity/identity.ts
+import { z as z2 } from "zod";
+import { createHash, createPrivateKey as createPrivateKey2, createPublicKey as createPublicKey2 } from "crypto";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
+import { join as join3 } from "path";
+
+// src/credit/signing.ts
+import { generateKeyPairSync, sign, verify, createPublicKey, createPrivateKey } from "crypto";
+import { writeFileSync as writeFileSync2, readFileSync as readFileSync2, existsSync as existsSync2, chmodSync } from "fs";
+import { join as join2 } from "path";
+function generateKeyPair() {
+  const { publicKey, privateKey } = generateKeyPairSync("ed25519", {
+    publicKeyEncoding: { type: "spki", format: "der" },
+    privateKeyEncoding: { type: "pkcs8", format: "der" }
+  });
+  return {
+    publicKey: Buffer.from(publicKey),
+    privateKey: Buffer.from(privateKey)
+  };
+}
+function saveKeyPair(configDir, keys) {
+  const privatePath = join2(configDir, "private.key");
+  const publicPath = join2(configDir, "public.key");
+  writeFileSync2(privatePath, keys.privateKey);
+  chmodSync(privatePath, 384);
+  writeFileSync2(publicPath, keys.publicKey);
+}
+function loadKeyPair(configDir) {
+  const privatePath = join2(configDir, "private.key");
+  const publicPath = join2(configDir, "public.key");
+  if (!existsSync2(privatePath) || !existsSync2(publicPath)) {
+    throw new AgentBnBError("Keypair not found. Run `agentbnb init` to generate one.", "KEYPAIR_NOT_FOUND");
+  }
+  return {
+    publicKey: readFileSync2(publicPath),
+    privateKey: readFileSync2(privatePath)
+  };
+}
+function canonicalJson(data) {
+  return JSON.stringify(sortForCanonicalJson(data));
+}
+function sortForCanonicalJson(value) {
+  if (Array.isArray(value)) {
+    return value.map((item) => sortForCanonicalJson(item));
+  }
+  if (value !== null && typeof value === "object") {
+    const proto = Object.getPrototypeOf(value);
+    if (proto === Object.prototype || proto === null) {
+      const input = value;
+      const output = {};
+      const sortedKeys = Object.keys(input).sort();
+      for (const key of sortedKeys) {
+        output[key] = sortForCanonicalJson(input[key]);
+      }
+      return output;
+    }
+  }
+  return value;
+}
+function signEscrowReceipt(data, privateKey) {
+  const message = Buffer.from(canonicalJson(data), "utf-8");
+  const keyObject = createPrivateKey({ key: privateKey, format: "der", type: "pkcs8" });
+  const signature = sign(null, message, keyObject);
+  return signature.toString("base64url");
+}
+function verifyEscrowReceipt(data, signature, publicKey) {
+  try {
+    const message = Buffer.from(canonicalJson(data), "utf-8");
+    const keyObject = createPublicKey({ key: publicKey, format: "der", type: "spki" });
+    const sigBuffer = Buffer.from(signature, "base64url");
+    return verify(null, message, keyObject, sigBuffer);
+  } catch {
+    return false;
+  }
+}
+
+// src/identity/identity.ts
+var AgentIdentitySchema = z2.object({
+  /** Deterministic ID derived from public key: sha256(hex).slice(0, 16). */
+  agent_id: z2.string().min(1),
+  /** Human-readable owner name (from config or init). */
+  owner: z2.string().min(1),
+  /** Hex-encoded Ed25519 public key. */
+  public_key: z2.string().min(1),
+  /** ISO 8601 timestamp of identity creation. */
+  created_at: z2.string().datetime(),
+  /** Optional guarantor info if linked to a human. */
+  guarantor: z2.object({
+    github_login: z2.string().min(1),
+    verified_at: z2.string().datetime()
+  }).optional()
+});
+var AgentCertificateSchema = z2.object({
+  identity: AgentIdentitySchema,
+  /** ISO 8601 timestamp of certificate issuance. */
+  issued_at: z2.string().datetime(),
+  /** ISO 8601 timestamp of certificate expiry. */
+  expires_at: z2.string().datetime(),
+  /** Hex-encoded public key of the issuer (same as identity for self-signed). */
+  issuer_public_key: z2.string().min(1),
+  /** Base64url Ed25519 signature over { identity, issued_at, expires_at, issuer_public_key }. */
+  signature: z2.string().min(1)
+});
+var IDENTITY_FILENAME = "identity.json";
+var PRIVATE_KEY_FILENAME = "private.key";
+var PUBLIC_KEY_FILENAME = "public.key";
+function derivePublicKeyFromPrivate(privateKey) {
+  const privateKeyObject = createPrivateKey2({ key: privateKey, format: "der", type: "pkcs8" });
+  const publicKeyObject = createPublicKey2(privateKeyObject);
+  const publicKey = publicKeyObject.export({ format: "der", type: "spki" });
+  return Buffer.from(publicKey);
+}
+function buildIdentityFromPublicKey(publicKey, owner, createdAt) {
+  const publicKeyHex = publicKey.toString("hex");
+  return {
+    agent_id: deriveAgentId(publicKeyHex),
+    owner,
+    public_key: publicKeyHex,
+    created_at: createdAt ?? (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function generateFreshIdentity(configDir, owner) {
+  const keys = generateKeyPair();
+  saveKeyPair(configDir, keys);
+  const identity = buildIdentityFromPublicKey(keys.publicKey, owner);
+  saveIdentity(configDir, identity);
+  return { identity, keys, status: "generated" };
+}
+function deriveAgentId(publicKeyHex) {
+  return createHash("sha256").update(publicKeyHex, "hex").digest("hex").slice(0, 16);
+}
+function createIdentity(configDir, owner) {
+  if (!existsSync3(configDir)) {
+    mkdirSync2(configDir, { recursive: true });
+  }
+  let keys;
+  try {
+    keys = loadKeyPair(configDir);
+  } catch {
+    keys = generateKeyPair();
+    saveKeyPair(configDir, keys);
+  }
+  const publicKeyHex = keys.publicKey.toString("hex");
+  const agentId = deriveAgentId(publicKeyHex);
+  const identity = {
+    agent_id: agentId,
+    owner,
+    public_key: publicKeyHex,
+    created_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  saveIdentity(configDir, identity);
+  return identity;
+}
+function loadIdentity(configDir) {
+  const filePath = join3(configDir, IDENTITY_FILENAME);
+  if (!existsSync3(filePath)) return null;
+  try {
+    const raw = readFileSync3(filePath, "utf-8");
+    return AgentIdentitySchema.parse(JSON.parse(raw));
+  } catch {
+    return null;
+  }
+}
+function saveIdentity(configDir, identity) {
+  if (!existsSync3(configDir)) {
+    mkdirSync2(configDir, { recursive: true });
+  }
+  const filePath = join3(configDir, IDENTITY_FILENAME);
+  writeFileSync3(filePath, JSON.stringify(identity, null, 2), "utf-8");
+}
+function loadOrRepairIdentity(configDir, ownerHint) {
+  if (!existsSync3(configDir)) {
+    mkdirSync2(configDir, { recursive: true });
+  }
+  const identityPath = join3(configDir, IDENTITY_FILENAME);
+  const privateKeyPath = join3(configDir, PRIVATE_KEY_FILENAME);
+  const publicKeyPath = join3(configDir, PUBLIC_KEY_FILENAME);
+  const hasIdentity = existsSync3(identityPath);
+  const hasPrivateKey = existsSync3(privateKeyPath);
+  const hasPublicKey = existsSync3(publicKeyPath);
+  if (!hasIdentity || !hasPrivateKey || !hasPublicKey) {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let keys;
+  try {
+    keys = loadKeyPair(configDir);
+  } catch {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let derivedPublicKey;
+  try {
+    derivedPublicKey = derivePublicKeyFromPrivate(keys.privateKey);
+  } catch {
+    return generateFreshIdentity(configDir, ownerHint ?? "agent");
+  }
+  let keypairRepaired = false;
+  if (!keys.publicKey.equals(derivedPublicKey)) {
+    keypairRepaired = true;
+    keys = { privateKey: keys.privateKey, publicKey: derivedPublicKey };
+    saveKeyPair(configDir, keys);
+  }
+  const loadedIdentity = loadIdentity(configDir);
+  const expectedAgentId = deriveAgentId(derivedPublicKey.toString("hex"));
+  const expectedPublicKeyHex = derivedPublicKey.toString("hex");
+  const identityMismatch = !loadedIdentity || loadedIdentity.public_key !== expectedPublicKeyHex || loadedIdentity.agent_id !== expectedAgentId;
+  if (identityMismatch) {
+    const repairedIdentity = buildIdentityFromPublicKey(
+      derivedPublicKey,
+      loadedIdentity?.owner ?? ownerHint ?? "agent",
+      loadedIdentity?.created_at
+    );
+    saveIdentity(configDir, repairedIdentity);
+    return { identity: repairedIdentity, keys, status: "repaired" };
+  }
+  if (ownerHint && loadedIdentity.owner !== ownerHint) {
+    const updatedIdentity = { ...loadedIdentity, owner: ownerHint };
+    saveIdentity(configDir, updatedIdentity);
+    return { identity: updatedIdentity, keys, status: "repaired" };
+  }
+  return { identity: loadedIdentity, keys, status: keypairRepaired ? "repaired" : "existing" };
+}
+function issueAgentCertificate(identity, privateKey) {
+  const issuedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const expiresAt = new Date(Date.now() + 365 * 24 * 60 * 60 * 1e3).toISOString();
+  const payload = {
+    identity,
+    issued_at: issuedAt,
+    expires_at: expiresAt,
+    issuer_public_key: identity.public_key
+  };
+  const signature = signEscrowReceipt(payload, privateKey);
+  return {
+    identity,
+    issued_at: issuedAt,
+    expires_at: expiresAt,
+    issuer_public_key: identity.public_key,
+    signature
+  };
+}
+function verifyAgentCertificate(cert) {
+  if (new Date(cert.expires_at) < /* @__PURE__ */ new Date()) {
+    return false;
+  }
+  const publicKeyHex = cert.issuer_public_key;
+  const publicKeyBuf = Buffer.from(publicKeyHex, "hex");
+  const payload = {
+    identity: cert.identity,
+    issued_at: cert.issued_at,
+    expires_at: cert.expires_at,
+    issuer_public_key: cert.issuer_public_key
+  };
+  return verifyEscrowReceipt(payload, cert.signature, publicKeyBuf);
+}
+function ensureIdentity(configDir, owner) {
+  return loadOrRepairIdentity(configDir, owner).identity;
+}
+
+// src/credit/local-credit-ledger.ts
+var LocalCreditLedger = class {
+  constructor(db) {
+    this.db = db;
+  }
+  /**
+   * Holds credits in escrow during capability execution.
+   *
+   * @param owner - Agent identifier (requester).
+   * @param amount - Number of credits to hold.
+   * @param cardId - Capability Card ID being requested.
+   * @returns EscrowResult with the new escrowId.
+   * @throws {AgentBnBError} with code 'INSUFFICIENT_CREDITS' if balance < amount.
+   */
+  async hold(owner, amount, cardId) {
+    const escrowId = holdEscrow(this.db, owner, amount, cardId);
+    return { escrowId };
+  }
+  /**
+   * Settles an escrow — transfers held credits to the capability provider.
+   *
+   * @param escrowId - The escrow ID to settle.
+   * @param recipientOwner - Agent identifier who will receive the credits.
+   * @throws {AgentBnBError} with code 'ESCROW_NOT_FOUND' if escrow does not exist.
+   * @throws {AgentBnBError} with code 'ESCROW_ALREADY_SETTLED' if escrow is not in 'held' status.
+   */
+  async settle(escrowId, recipientOwner) {
+    settleEscrow(this.db, escrowId, recipientOwner);
+  }
+  /**
+   * Releases an escrow — refunds credits back to the requester.
+   *
+   * @param escrowId - The escrow ID to release.
+   * @throws {AgentBnBError} with code 'ESCROW_NOT_FOUND' if escrow does not exist.
+   * @throws {AgentBnBError} with code 'ESCROW_ALREADY_SETTLED' if escrow is not in 'held' status.
+   */
+  async release(escrowId) {
+    releaseEscrow(this.db, escrowId);
+  }
+  /**
+   * Returns the current credit balance for an agent.
+   *
+   * @param owner - Agent identifier.
+   * @returns Current balance in credits (0 if agent is unknown).
+   */
+  async getBalance(owner) {
+    return getBalance(this.db, owner);
+  }
+  /**
+   * Returns the transaction history for an agent, newest first.
+   *
+   * @param owner - Agent identifier.
+   * @param limit - Maximum number of transactions to return. Defaults to 100.
+   * @returns Array of credit transactions ordered newest first.
+   */
+  async getHistory(owner, limit) {
+    return getTransactions(this.db, owner, limit);
+  }
+  /**
+   * Grants initial credits to an agent (bootstrap grant).
+   * Idempotent — calling multiple times has no additional effect on balance.
+   *
+   * @param owner - Agent identifier.
+   * @param amount - Number of credits to grant. Defaults to 100.
+   */
+  async grant(owner, amount) {
+    bootstrapAgent(this.db, owner, amount);
+  }
+  async rename(oldOwner, newOwner) {
+    migrateOwner(this.db, oldOwner, newOwner);
+  }
+};
+
+// src/registry/identity-auth.ts
+var MAX_REQUEST_AGE_MS = 5 * 60 * 1e3;
+function normalizeSignedParams(body) {
+  return body === void 0 ? null : body;
+}
+function buildIdentityPayload(method, path, timestamp, publicKeyHex, agentId, params) {
+  return {
+    method,
+    path,
+    timestamp,
+    publicKey: publicKeyHex,
+    agentId,
+    params: normalizeSignedParams(params)
+  };
+}
+function signRequest(method, path, body, privateKey, publicKeyHex, agentIdOverride) {
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const agentId = agentIdOverride ?? deriveAgentId(publicKeyHex);
+  const payload = buildIdentityPayload(method, path, timestamp, publicKeyHex, agentId, body);
+  const signature = signEscrowReceipt(payload, privateKey);
+  return {
+    "X-Agent-Id": agentId,
+    "X-Agent-PublicKey": publicKeyHex,
+    "X-Agent-Signature": signature,
+    "X-Agent-Timestamp": timestamp
+  };
+}
+
+// src/credit/registry-credit-ledger.ts
+var HTTP_TIMEOUT_MS = 1e4;
+var RegistryCreditLedger = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Holds credits in escrow during capability execution.
+   *
+   * @param owner - Agent identifier (requester).
+   * @param amount - Number of credits to hold.
+   * @param cardId - Capability Card ID being requested.
+   * @returns EscrowResult with the new escrowId.
+   * @throws {AgentBnBError} with code 'INSUFFICIENT_CREDITS' if balance < amount.
+   */
+  async hold(owner, amount, cardId) {
+    if (this.config.mode === "direct") {
+      const escrowId = holdEscrow(this.config.db, owner, amount, cardId);
+      return { escrowId };
+    }
+    const data = await this.post("/api/credits/hold", owner, {
+      owner,
+      amount,
+      cardId
+    });
+    return { escrowId: data.escrowId };
+  }
+  /**
+   * Settles an escrow — transfers held credits to the capability provider.
+   *
+   * @param escrowId - The escrow ID to settle.
+   * @param recipientOwner - Agent identifier who will receive the credits.
+   * @throws {AgentBnBError} with code 'ESCROW_NOT_FOUND' if escrow does not exist.
+   * @throws {AgentBnBError} with code 'ESCROW_ALREADY_SETTLED' if escrow is not in 'held' status.
+   */
+  async settle(escrowId, recipientOwner) {
+    if (this.config.mode === "direct") {
+      settleEscrow(this.config.db, escrowId, recipientOwner);
+      return;
+    }
+    await this.post("/api/credits/settle", null, { escrowId, recipientOwner });
+  }
+  /**
+   * Releases an escrow — refunds credits back to the requester.
+   *
+   * @param escrowId - The escrow ID to release.
+   * @throws {AgentBnBError} with code 'ESCROW_NOT_FOUND' if escrow does not exist.
+   * @throws {AgentBnBError} with code 'ESCROW_ALREADY_SETTLED' if escrow is not in 'held' status.
+   */
+  async release(escrowId) {
+    if (this.config.mode === "direct") {
+      releaseEscrow(this.config.db, escrowId);
+      return;
+    }
+    await this.post("/api/credits/release", null, { escrowId });
+  }
+  /**
+   * Returns the current credit balance for an agent.
+   *
+   * @param owner - Agent identifier.
+   * @returns Current balance in credits (0 if agent is unknown).
+   */
+  async getBalance(owner) {
+    if (this.config.mode === "direct") {
+      return getBalance(this.config.db, owner);
+    }
+    const data = await this.get(`/api/credits/${owner}`, owner);
+    return data.balance;
+  }
+  /**
+   * Returns the transaction history for an agent, newest first.
+   *
+   * @param owner - Agent identifier.
+   * @param limit - Maximum number of transactions to return. Defaults to 100.
+   * @returns Array of credit transactions ordered newest first.
+   */
+  async getHistory(owner, limit = 100) {
+    if (this.config.mode === "direct") {
+      return getTransactions(this.config.db, owner, limit);
+    }
+    const data = await this.get(
+      `/api/credits/${owner}/history?limit=${limit}`,
+      owner
+    );
+    return data.transactions;
+  }
+  /**
+   * Grants initial credits to an agent (bootstrap grant).
+   * Idempotent — calling multiple times has no additional effect on balance.
+   *
+   * @param owner - Agent identifier.
+   * @param amount - Number of credits to grant. Defaults to 100.
+   */
+  async grant(owner, amount = 100) {
+    if (this.config.mode === "direct") {
+      bootstrapAgent(this.config.db, owner, amount);
+      return;
+    }
+    await this.post("/api/credits/grant", owner, { owner, amount });
+  }
+  /**
+   * Renames an owner — migrates balance, transactions, and escrows.
+   */
+  async rename(oldOwner, newOwner) {
+    if (oldOwner === newOwner) return;
+    if (this.config.mode === "direct") {
+      migrateOwner(this.config.db, oldOwner, newOwner);
+      return;
+    }
+    await this.post("/api/credits/rename", null, { oldOwner, newOwner });
+  }
+  // ─── Private HTTP helpers ─────────────────────────────────────────────────
+  /**
+   * Makes an authenticated POST request to the Registry HTTP API.
+   * Includes a 10s timeout via AbortController.
+   *
+   * @param path - API path (e.g., '/api/credits/hold').
+   * @param ownerForHeader - Agent owner identifier for X-Agent-Owner header, or null to omit.
+   * @param body - JSON body to send.
+   * @returns Parsed JSON response body.
+   * @throws {AgentBnBError} on non-2xx responses or network errors.
+   */
+  async post(path, ownerForHeader, body) {
+    const cfg = this.config;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), HTTP_TIMEOUT_MS);
+    try {
+      const authHeaders = signRequest("POST", path, body, cfg.privateKey, cfg.ownerPublicKey);
+      const headers = {
+        "Content-Type": "application/json",
+        ...authHeaders
+      };
+      void ownerForHeader;
+      const res = await fetch(`${cfg.registryUrl}${path}`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body),
+        signal: controller.signal
+      });
+      return await this.handleResponse(res);
+    } catch (err) {
+      if (err instanceof AgentBnBError) throw err;
+      throw new AgentBnBError(
+        `Registry unreachable: ${err.message}`,
+        "REGISTRY_UNREACHABLE"
+      );
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  }
+  /**
+   * Makes an authenticated GET request to the Registry HTTP API.
+   * Includes a 10s timeout via AbortController.
+   *
+   * @param path - API path (e.g., '/api/credits/owner-id').
+   * @param owner - Agent owner identifier for X-Agent-Owner header.
+   * @returns Parsed JSON response body.
+   * @throws {AgentBnBError} on non-2xx responses or network errors.
+   */
+  async get(path, owner) {
+    const cfg = this.config;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), HTTP_TIMEOUT_MS);
+    try {
+      const authHeaders = signRequest("GET", path, null, cfg.privateKey, cfg.ownerPublicKey);
+      void owner;
+      const res = await fetch(`${cfg.registryUrl}${path}`, {
+        method: "GET",
+        headers: {
+          "Content-Type": "application/json",
+          ...authHeaders
+        },
+        signal: controller.signal
+      });
+      return await this.handleResponse(res);
+    } catch (err) {
+      if (err instanceof AgentBnBError) throw err;
+      throw new AgentBnBError(
+        `Registry unreachable: ${err.message}`,
+        "REGISTRY_UNREACHABLE"
+      );
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  }
+  /**
+   * Handles an HTTP response — returns parsed JSON on 2xx, throws AgentBnBError on error.
+   */
+  async handleResponse(res) {
+    const json = await res.json();
+    if (!res.ok) {
+      const code = typeof json["code"] === "string" ? json["code"] : "REGISTRY_ERROR";
+      const message = typeof json["error"] === "string" ? json["error"] : `HTTP ${res.status}`;
+      throw new AgentBnBError(message, code);
+    }
+    return json;
+  }
+};
+
+// src/credit/create-ledger.ts
+function createLedger(opts) {
+  if ("registryUrl" in opts && opts.registryUrl !== void 0) {
+    return new RegistryCreditLedger({
+      mode: "http",
+      registryUrl: opts.registryUrl,
+      ownerPublicKey: opts.ownerPublicKey,
+      privateKey: opts.privateKey
+    });
+  }
+  if ("db" in opts && opts.db !== void 0) {
+    return new RegistryCreditLedger({
+      mode: "direct",
+      db: opts.db
+    });
+  }
+  const db = openCreditDb(opts.creditDbPath);
+  return new LocalCreditLedger(db);
+}
+
+// src/credit/registry-sync.ts
+async function syncCreditsFromRegistry(config, localDb) {
+  if (!config.registry) {
+    return { synced: false, error: "no registry configured" };
+  }
+  try {
+    const configDir = getConfigDir();
+    const { identity, keys } = loadOrRepairIdentity(configDir, config.owner);
+    const ledger = createLedger({
+      registryUrl: config.registry,
+      ownerPublicKey: identity.public_key,
+      privateKey: keys.privateKey
+    });
+    const [remoteBalance, remoteHistory] = await Promise.all([
+      ledger.getBalance(config.owner),
+      ledger.getHistory(config.owner, 50)
+    ]);
+    const localWas = getBalance(localDb, config.owner);
+    localDb.transaction(() => {
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      const canonicalOwner = canonicalizeCreditOwner(localDb, config.owner);
+      localDb.prepare(
+        "INSERT OR REPLACE INTO credit_balances (owner, balance, updated_at) VALUES (?, ?, ?)"
+      ).run(canonicalOwner, remoteBalance, now);
+      const insertTxn = localDb.prepare(
+        "INSERT OR IGNORE INTO credit_transactions (id, owner, amount, reason, reference_id, created_at) VALUES (?, ?, ?, ?, ?, ?)"
+      );
+      for (const txn of remoteHistory) {
+        insertTxn.run(
+          txn.id,
+          txn.owner,
+          txn.amount,
+          txn.reason,
+          txn.reference_id,
+          txn.created_at
+        );
+      }
+    })();
+    return { synced: true, remoteBalance, localWas };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { synced: false, error: message };
+  }
+}
+
 // src/cli/remote-registry.ts
 var RegistryTimeoutError = class extends AgentBnBError {
   constructor(url) {
@@ -1705,6 +2379,18 @@ async function executeCapabilityRequest(opts) {
       };
     }
   } else {
+    const cfg = loadConfig();
+    if (cfg?.registry) {
+      try {
+        await Promise.race([
+          syncCreditsFromRegistry(cfg, creditDb),
+          new Promise(
+            (_, reject) => setTimeout(() => reject(new Error("sync timeout")), 2e3)
+          )
+        ]);
+      } catch {
+      }
+    }
     try {
       const balance = getBalance(creditDb, requester);
       if (balance < creditsNeeded) {
@@ -1785,125 +2471,55 @@ async function executeCapabilityRequest(opts) {
     let targetSkillId = resolvedSkillId ?? skillId;
     if (!targetSkillId) {
       const available = skillExecutor.listSkills();
-      if (available.length > 0) {
-        targetSkillId = available[0];
-      } else {
-        return handleFailure(
-          "failure",
-          Date.now() - startMs,
-          "No skill_id specified and no skills registered on this provider.",
-          "not_found"
-        );
-      }
-    }
-    try {
-      const execResult = await skillExecutor.execute(targetSkillId, params, onProgress);
-      if (!execResult.success) {
-        return handleFailure("failure", execResult.latency_ms, execResult.error ?? "Execution failed", "bad_execution");
-      }
-      return handleSuccess(execResult.result, execResult.latency_ms);
-    } catch (err) {
-      const message = err instanceof Error ? err.message : "Execution error";
-      return handleFailure("failure", Date.now() - startMs, message, "bad_execution");
-    }
-  }
-  if (!handlerUrl) {
-    return handleFailure("failure", Date.now() - startMs, "No skill executor or handler URL configured", "bad_execution");
-  }
-  const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), timeoutMs);
-  try {
-    const response = await fetch(handlerUrl, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ card_id: cardId, skill_id: resolvedSkillId, params }),
-      signal: controller.signal
-    });
-    clearTimeout(timer);
-    if (!response.ok) {
-      return handleFailure("failure", Date.now() - startMs, `Handler returned ${response.status}`, "bad_execution");
-    }
-    const result = await response.json();
-    return handleSuccess(result, Date.now() - startMs);
-  } catch (err) {
-    clearTimeout(timer);
-    const isTimeout = err instanceof Error && err.name === "AbortError";
-    return handleFailure(
-      isTimeout ? "timeout" : "failure",
-      Date.now() - startMs,
-      isTimeout ? "Execution timeout" : "Handler error",
-      isTimeout ? "timeout" : "bad_execution"
-    );
-  }
-}
-
-// src/credit/signing.ts
-import { generateKeyPairSync, sign, verify, createPublicKey, createPrivateKey } from "crypto";
-import { writeFileSync as writeFileSync2, readFileSync as readFileSync2, existsSync as existsSync2, chmodSync } from "fs";
-import { join as join2 } from "path";
-function generateKeyPair() {
-  const { publicKey, privateKey } = generateKeyPairSync("ed25519", {
-    publicKeyEncoding: { type: "spki", format: "der" },
-    privateKeyEncoding: { type: "pkcs8", format: "der" }
-  });
-  return {
-    publicKey: Buffer.from(publicKey),
-    privateKey: Buffer.from(privateKey)
-  };
-}
-function saveKeyPair(configDir, keys) {
-  const privatePath = join2(configDir, "private.key");
-  const publicPath = join2(configDir, "public.key");
-  writeFileSync2(privatePath, keys.privateKey);
-  chmodSync(privatePath, 384);
-  writeFileSync2(publicPath, keys.publicKey);
-}
-function loadKeyPair(configDir) {
-  const privatePath = join2(configDir, "private.key");
-  const publicPath = join2(configDir, "public.key");
-  if (!existsSync2(privatePath) || !existsSync2(publicPath)) {
-    throw new AgentBnBError("Keypair not found. Run `agentbnb init` to generate one.", "KEYPAIR_NOT_FOUND");
-  }
-  return {
-    publicKey: readFileSync2(publicPath),
-    privateKey: readFileSync2(privatePath)
-  };
-}
-function canonicalJson(data) {
-  return JSON.stringify(sortForCanonicalJson(data));
-}
-function sortForCanonicalJson(value) {
-  if (Array.isArray(value)) {
-    return value.map((item) => sortForCanonicalJson(item));
-  }
-  if (value !== null && typeof value === "object") {
-    const proto = Object.getPrototypeOf(value);
-    if (proto === Object.prototype || proto === null) {
-      const input = value;
-      const output = {};
-      const sortedKeys = Object.keys(input).sort();
-      for (const key of sortedKeys) {
-        output[key] = sortForCanonicalJson(input[key]);
+      if (available.length > 0) {
+        targetSkillId = available[0];
+      } else {
+        return handleFailure(
+          "failure",
+          Date.now() - startMs,
+          "No skill_id specified and no skills registered on this provider.",
+          "not_found"
+        );
       }
-      return output;
+    }
+    try {
+      const execResult = await skillExecutor.execute(targetSkillId, params, onProgress);
+      if (!execResult.success) {
+        return handleFailure("failure", execResult.latency_ms, execResult.error ?? "Execution failed", "bad_execution");
+      }
+      return handleSuccess(execResult.result, execResult.latency_ms);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Execution error";
+      return handleFailure("failure", Date.now() - startMs, message, "bad_execution");
     }
   }
-  return value;
-}
-function signEscrowReceipt(data, privateKey) {
-  const message = Buffer.from(canonicalJson(data), "utf-8");
-  const keyObject = createPrivateKey({ key: privateKey, format: "der", type: "pkcs8" });
-  const signature = sign(null, message, keyObject);
-  return signature.toString("base64url");
-}
-function verifyEscrowReceipt(data, signature, publicKey) {
+  if (!handlerUrl) {
+    return handleFailure("failure", Date.now() - startMs, "No skill executor or handler URL configured", "bad_execution");
+  }
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
   try {
-    const message = Buffer.from(canonicalJson(data), "utf-8");
-    const keyObject = createPublicKey({ key: publicKey, format: "der", type: "spki" });
-    const sigBuffer = Buffer.from(signature, "base64url");
-    return verify(null, message, keyObject, sigBuffer);
-  } catch {
-    return false;
+    const response = await fetch(handlerUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ card_id: cardId, skill_id: resolvedSkillId, params }),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!response.ok) {
+      return handleFailure("failure", Date.now() - startMs, `Handler returned ${response.status}`, "bad_execution");
+    }
+    const result = await response.json();
+    return handleSuccess(result, Date.now() - startMs);
+  } catch (err) {
+    clearTimeout(timer);
+    const isTimeout = err instanceof Error && err.name === "AbortError";
+    return handleFailure(
+      isTimeout ? "timeout" : "failure",
+      Date.now() - startMs,
+      isTimeout ? "Execution timeout" : "Handler error",
+      isTimeout ? "timeout" : "bad_execution"
+    );
   }
 }
 
@@ -2217,127 +2833,127 @@ function createSkillExecutor(configs, modes, concurrencyGuard) {
 }
 
 // src/skills/skill-config.ts
-import { z as z2 } from "zod";
+import { z as z3 } from "zod";
 import yaml from "js-yaml";
-var CapacitySchema = z2.object({
-  max_concurrent: z2.number().positive().int().optional()
+var CapacitySchema = z3.object({
+  max_concurrent: z3.number().positive().int().optional()
 }).optional();
-var PricingSchema = z2.object({
-  credits_per_call: z2.number().nonnegative(),
-  credits_per_minute: z2.number().nonnegative().optional(),
-  free_tier: z2.number().nonnegative().optional()
+var PricingSchema = z3.object({
+  credits_per_call: z3.number().nonnegative(),
+  credits_per_minute: z3.number().nonnegative().optional(),
+  free_tier: z3.number().nonnegative().optional()
 });
-var ApiAuthSchema = z2.discriminatedUnion("type", [
-  z2.object({
-    type: z2.literal("bearer"),
-    token: z2.string()
+var ApiAuthSchema = z3.discriminatedUnion("type", [
+  z3.object({
+    type: z3.literal("bearer"),
+    token: z3.string()
   }),
-  z2.object({
-    type: z2.literal("apikey"),
-    header: z2.string().default("X-API-Key"),
-    key: z2.string()
+  z3.object({
+    type: z3.literal("apikey"),
+    header: z3.string().default("X-API-Key"),
+    key: z3.string()
   }),
-  z2.object({
-    type: z2.literal("basic"),
-    username: z2.string(),
-    password: z2.string()
+  z3.object({
+    type: z3.literal("basic"),
+    username: z3.string(),
+    password: z3.string()
   })
 ]);
 var CapabilityDeclarationSchema = {
-  description: z2.string().optional(),
-  capability_types: z2.array(z2.string()).optional(),
-  requires_capabilities: z2.array(z2.string()).optional(),
-  visibility: z2.enum(["public", "private"]).optional(),
-  expected_duration_ms: z2.number().positive().optional()
+  description: z3.string().optional(),
+  capability_types: z3.array(z3.string()).optional(),
+  requires_capabilities: z3.array(z3.string()).optional(),
+  visibility: z3.enum(["public", "private"]).optional(),
+  expected_duration_ms: z3.number().positive().optional()
 };
-var ApiSkillConfigSchema = z2.object({
-  id: z2.string().min(1),
-  type: z2.literal("api"),
-  name: z2.string().min(1),
-  endpoint: z2.string().min(1),
-  method: z2.enum(["GET", "POST", "PUT", "DELETE"]),
+var ApiSkillConfigSchema = z3.object({
+  id: z3.string().min(1),
+  type: z3.literal("api"),
+  name: z3.string().min(1),
+  endpoint: z3.string().min(1),
+  method: z3.enum(["GET", "POST", "PUT", "DELETE"]),
   auth: ApiAuthSchema.optional(),
-  input_mapping: z2.record(z2.string()).default({}),
-  output_mapping: z2.record(z2.string()).default({}),
+  input_mapping: z3.record(z3.string()).default({}),
+  output_mapping: z3.record(z3.string()).default({}),
   pricing: PricingSchema,
-  timeout_ms: z2.number().positive().default(3e4),
-  retries: z2.number().nonnegative().int().default(0),
-  provider: z2.string().optional(),
+  timeout_ms: z3.number().positive().default(3e4),
+  retries: z3.number().nonnegative().int().default(0),
+  provider: z3.string().optional(),
   capacity: CapacitySchema,
   ...CapabilityDeclarationSchema
 });
-var PipelineStepSchema = z2.union([
-  z2.object({
-    skill_id: z2.string().min(1),
-    input_mapping: z2.record(z2.string()).default({})
+var PipelineStepSchema = z3.union([
+  z3.object({
+    skill_id: z3.string().min(1),
+    input_mapping: z3.record(z3.string()).default({})
   }),
-  z2.object({
-    command: z2.string().min(1),
-    input_mapping: z2.record(z2.string()).default({})
+  z3.object({
+    command: z3.string().min(1),
+    input_mapping: z3.record(z3.string()).default({})
   })
 ]);
-var PipelineSkillConfigSchema = z2.object({
-  id: z2.string().min(1),
-  type: z2.literal("pipeline"),
-  name: z2.string().min(1),
-  steps: z2.array(PipelineStepSchema).min(1),
+var PipelineSkillConfigSchema = z3.object({
+  id: z3.string().min(1),
+  type: z3.literal("pipeline"),
+  name: z3.string().min(1),
+  steps: z3.array(PipelineStepSchema).min(1),
   pricing: PricingSchema,
-  timeout_ms: z2.number().positive().optional(),
+  timeout_ms: z3.number().positive().optional(),
   capacity: CapacitySchema,
   ...CapabilityDeclarationSchema
 });
-var OpenClawSkillConfigSchema = z2.object({
-  id: z2.string().min(1),
-  type: z2.literal("openclaw"),
-  name: z2.string().min(1),
-  agent_name: z2.string().min(1),
-  channel: z2.enum(["telegram", "webhook", "process"]),
+var OpenClawSkillConfigSchema = z3.object({
+  id: z3.string().min(1),
+  type: z3.literal("openclaw"),
+  name: z3.string().min(1),
+  agent_name: z3.string().min(1),
+  channel: z3.enum(["telegram", "webhook", "process"]),
   pricing: PricingSchema,
-  timeout_ms: z2.number().positive().optional(),
+  timeout_ms: z3.number().positive().optional(),
   capacity: CapacitySchema,
   ...CapabilityDeclarationSchema
 });
-var ClaudeCodeConfigSchema = z2.object({
+var ClaudeCodeConfigSchema = z3.object({
   /** Optional system prompt passed via `-p` flag. */
-  system_prompt: z2.string().optional(),
+  system_prompt: z3.string().optional(),
   /** Model to use (e.g. 'claude-opus-4-6', 'claude-sonnet-4-6'). */
-  model: z2.string().optional(),
+  model: z3.string().optional(),
   /** When true, passes `--dangerously-skip-permissions` to claude CLI. */
-  auto_mode: z2.boolean().default(false)
+  auto_mode: z3.boolean().default(false)
 });
-var CommandSkillConfigSchema = z2.object({
-  id: z2.string().min(1),
-  type: z2.literal("command"),
-  name: z2.string().min(1),
-  command: z2.string().min(1),
-  output_type: z2.enum(["json", "text", "file"]),
-  allowed_commands: z2.array(z2.string()).optional(),
-  working_dir: z2.string().optional(),
+var CommandSkillConfigSchema = z3.object({
+  id: z3.string().min(1),
+  type: z3.literal("command"),
+  name: z3.string().min(1),
+  command: z3.string().min(1),
+  output_type: z3.enum(["json", "text", "file"]),
+  allowed_commands: z3.array(z3.string()).optional(),
+  working_dir: z3.string().optional(),
   claude_code: ClaudeCodeConfigSchema.optional(),
-  timeout_ms: z2.number().positive().default(3e4),
+  timeout_ms: z3.number().positive().default(3e4),
   pricing: PricingSchema,
   capacity: CapacitySchema,
   ...CapabilityDeclarationSchema
 });
-var ConductorSkillConfigSchema = z2.object({
-  id: z2.string().min(1),
-  type: z2.literal("conductor"),
-  name: z2.string().min(1),
-  conductor_skill: z2.enum(["orchestrate", "plan"]),
+var ConductorSkillConfigSchema = z3.object({
+  id: z3.string().min(1),
+  type: z3.literal("conductor"),
+  name: z3.string().min(1),
+  conductor_skill: z3.enum(["orchestrate", "plan"]),
   pricing: PricingSchema,
-  timeout_ms: z2.number().positive().optional(),
+  timeout_ms: z3.number().positive().optional(),
   capacity: CapacitySchema,
   ...CapabilityDeclarationSchema
 });
-var SkillConfigSchema = z2.discriminatedUnion("type", [
+var SkillConfigSchema = z3.discriminatedUnion("type", [
   ApiSkillConfigSchema,
   PipelineSkillConfigSchema,
   OpenClawSkillConfigSchema,
   CommandSkillConfigSchema,
   ConductorSkillConfigSchema
 ]);
-var SkillsFileSchema = z2.object({
-  skills: z2.array(SkillConfigSchema)
+var SkillsFileSchema = z3.object({
+  skills: z3.array(SkillConfigSchema)
 });
 function expandEnvVars(value) {
   return value.replace(/\$\{([^}]+)\}/g, (_match, varName) => {
@@ -2916,27 +3532,37 @@ var KILL_GRACE_MS = 5e3;
 function shellEscape2(value) {
   return "'" + value.replace(/'/g, "'\\''") + "'";
 }
-function safeInterpolateCommand2(template, context) {
-  return template.replace(/\$\{([^}]+)\}/g, (_match, expr) => {
-    const parts = expr.split(".");
-    let current = context;
-    for (const part of parts) {
-      if (current === null || typeof current !== "object") return "";
-      const bracketMatch = part.match(/^(\w+)\[(\d+)\]$/);
-      if (bracketMatch) {
-        current = current[bracketMatch[1]];
-        if (Array.isArray(current)) {
-          current = current[parseInt(bracketMatch[2], 10)];
-        } else {
-          return "";
-        }
+function resolveExpression(expr, context) {
+  const parts = expr.split(".");
+  let current = context;
+  for (const part of parts) {
+    if (current === null || typeof current !== "object") return void 0;
+    const bracketMatch = part.match(/^(\w+)\[(\d+)\]$/);
+    if (bracketMatch) {
+      current = current[bracketMatch[1]];
+      if (Array.isArray(current)) {
+        current = current[parseInt(bracketMatch[2], 10)];
       } else {
-        current = current[part];
+        return void 0;
+      }
+    } else {
+      current = current[part];
+    }
+  }
+  return current;
+}
+function safeInterpolateCommand2(template, context) {
+  const result = template.replace(
+    /(--[\w-]+\s+)?\$\{([^}]+)\}/g,
+    (_match, flagPrefix, expr) => {
+      const value = resolveExpression(expr, context);
+      if (value === void 0 || value === null) {
+        return "";
       }
+      return (flagPrefix ?? "") + shellEscape2(String(value));
     }
-    if (current === void 0 || current === null) return "";
-    return shellEscape2(String(current));
-  });
+  );
+  return result.replace(/  +/g, " ").trim();
 }
 function spawnWithKill(command, options, registry) {
   return new Promise((resolve, reject) => {
@@ -3598,159 +4224,159 @@ import WebSocket from "ws";
 import { randomUUID as randomUUID9 } from "crypto";
 
 // src/relay/types.ts
-import { z as z3 } from "zod";
-var RegisterMessageSchema = z3.object({
-  type: z3.literal("register"),
-  owner: z3.string().min(1),
+import { z as z4 } from "zod";
+var RegisterMessageSchema = z4.object({
+  type: z4.literal("register"),
+  owner: z4.string().min(1),
   /** V8: Cryptographic agent identity. When present, used as the canonical key. */
-  agent_id: z3.string().optional(),
+  agent_id: z4.string().optional(),
   /** V8 Phase 3: Server identifier for multi-agent delegation. */
-  server_id: z3.string().optional(),
-  token: z3.string().min(1),
-  card: z3.record(z3.unknown()),
+  server_id: z4.string().optional(),
+  token: z4.string().min(1),
+  card: z4.record(z4.unknown()),
   // CapabilityCard (validated separately)
-  cards: z3.array(z3.record(z3.unknown())).optional(),
+  cards: z4.array(z4.record(z4.unknown())).optional(),
   // Additional cards (e.g., conductor card)
   /** V8 Phase 3: Additional agents served by this server (multi-agent registration). */
-  agents: z3.array(z3.object({
-    agent_id: z3.string().min(1),
-    display_name: z3.string().min(1),
-    cards: z3.array(z3.record(z3.unknown())),
-    delegation_token: z3.record(z3.unknown()).optional()
+  agents: z4.array(z4.object({
+    agent_id: z4.string().min(1),
+    display_name: z4.string().min(1),
+    cards: z4.array(z4.record(z4.unknown())),
+    delegation_token: z4.record(z4.unknown()).optional()
   })).optional()
 });
-var RegisteredMessageSchema = z3.object({
-  type: z3.literal("registered"),
-  agent_id: z3.string()
+var RegisteredMessageSchema = z4.object({
+  type: z4.literal("registered"),
+  agent_id: z4.string()
 });
-var RelayRequestMessageSchema = z3.object({
-  type: z3.literal("relay_request"),
-  id: z3.string().uuid(),
-  target_owner: z3.string().min(1),
+var RelayRequestMessageSchema = z4.object({
+  type: z4.literal("relay_request"),
+  id: z4.string().uuid(),
+  target_owner: z4.string().min(1),
   /** V8: Target agent's cryptographic identity. Preferred over target_owner. */
-  target_agent_id: z3.string().optional(),
-  card_id: z3.string(),
-  skill_id: z3.string().optional(),
-  params: z3.record(z3.unknown()).default({}),
-  requester: z3.string().optional(),
-  escrow_receipt: z3.record(z3.unknown()).optional()
+  target_agent_id: z4.string().optional(),
+  card_id: z4.string(),
+  skill_id: z4.string().optional(),
+  params: z4.record(z4.unknown()).default({}),
+  requester: z4.string().optional(),
+  escrow_receipt: z4.record(z4.unknown()).optional()
 });
-var IncomingRequestMessageSchema = z3.object({
-  type: z3.literal("incoming_request"),
-  id: z3.string().uuid(),
-  from_owner: z3.string().min(1),
-  card_id: z3.string(),
-  skill_id: z3.string().optional(),
-  params: z3.record(z3.unknown()).default({}),
-  requester: z3.string().optional(),
-  escrow_receipt: z3.record(z3.unknown()).optional()
+var IncomingRequestMessageSchema = z4.object({
+  type: z4.literal("incoming_request"),
+  id: z4.string().uuid(),
+  from_owner: z4.string().min(1),
+  card_id: z4.string(),
+  skill_id: z4.string().optional(),
+  params: z4.record(z4.unknown()).default({}),
+  requester: z4.string().optional(),
+  escrow_receipt: z4.record(z4.unknown()).optional()
 });
-var RelayResponseMessageSchema = z3.object({
-  type: z3.literal("relay_response"),
-  id: z3.string().uuid(),
-  result: z3.unknown().optional(),
-  error: z3.object({
-    code: z3.number(),
-    message: z3.string()
+var RelayResponseMessageSchema = z4.object({
+  type: z4.literal("relay_response"),
+  id: z4.string().uuid(),
+  result: z4.unknown().optional(),
+  error: z4.object({
+    code: z4.number(),
+    message: z4.string()
   }).optional()
 });
-var ResponseMessageSchema = z3.object({
-  type: z3.literal("response"),
-  id: z3.string().uuid(),
-  result: z3.unknown().optional(),
-  error: z3.object({
-    code: z3.number(),
-    message: z3.string()
+var ResponseMessageSchema = z4.object({
+  type: z4.literal("response"),
+  id: z4.string().uuid(),
+  result: z4.unknown().optional(),
+  error: z4.object({
+    code: z4.number(),
+    message: z4.string()
   }).optional()
 });
-var ErrorMessageSchema = z3.object({
-  type: z3.literal("error"),
-  code: z3.string(),
-  message: z3.string(),
-  request_id: z3.string().optional()
+var ErrorMessageSchema = z4.object({
+  type: z4.literal("error"),
+  code: z4.string(),
+  message: z4.string(),
+  request_id: z4.string().optional()
 });
-var RelayProgressMessageSchema = z3.object({
-  type: z3.literal("relay_progress"),
-  id: z3.string().uuid(),
+var RelayProgressMessageSchema = z4.object({
+  type: z4.literal("relay_progress"),
+  id: z4.string().uuid(),
   // request ID this progress relates to
-  progress: z3.number().min(0).max(100).optional(),
+  progress: z4.number().min(0).max(100).optional(),
   // optional percentage
-  message: z3.string().optional()
+  message: z4.string().optional()
   // optional status message
 });
-var RelayStartedMessageSchema = z3.object({
-  type: z3.literal("relay_started"),
-  id: z3.string().uuid(),
-  message: z3.string().optional()
+var RelayStartedMessageSchema = z4.object({
+  type: z4.literal("relay_started"),
+  id: z4.string().uuid(),
+  message: z4.string().optional()
 });
-var HeartbeatMessageSchema = z3.object({
-  type: z3.literal("heartbeat"),
-  owner: z3.string().min(1),
-  capacity: z3.object({
-    current_load: z3.number(),
-    max_concurrent: z3.number(),
-    queue_depth: z3.number()
+var HeartbeatMessageSchema = z4.object({
+  type: z4.literal("heartbeat"),
+  owner: z4.string().min(1),
+  capacity: z4.object({
+    current_load: z4.number(),
+    max_concurrent: z4.number(),
+    queue_depth: z4.number()
   }),
-  self_summary: z3.object({
-    capabilities: z3.array(z3.string()),
-    success_rate: z3.number(),
-    credit_balance: z3.number(),
-    total_completed: z3.number(),
-    provider_number: z3.number(),
-    reliability: z3.object({
-      current_streak: z3.number(),
-      repeat_hire_rate: z3.number(),
-      avg_feedback: z3.number()
+  self_summary: z4.object({
+    capabilities: z4.array(z4.string()),
+    success_rate: z4.number(),
+    credit_balance: z4.number(),
+    total_completed: z4.number(),
+    provider_number: z4.number(),
+    reliability: z4.object({
+      current_streak: z4.number(),
+      repeat_hire_rate: z4.number(),
+      avg_feedback: z4.number()
     })
   })
 });
-var EscrowHoldMessageSchema = z3.object({
-  type: z3.literal("escrow_hold"),
-  consumer_agent_id: z3.string().min(1),
-  provider_agent_id: z3.string().min(1),
-  skill_id: z3.string().min(1),
-  amount: z3.number().positive(),
-  request_id: z3.string().uuid(),
-  signature: z3.string().optional(),
-  public_key: z3.string().optional()
+var EscrowHoldMessageSchema = z4.object({
+  type: z4.literal("escrow_hold"),
+  consumer_agent_id: z4.string().min(1),
+  provider_agent_id: z4.string().min(1),
+  skill_id: z4.string().min(1),
+  amount: z4.number().positive(),
+  request_id: z4.string().uuid(),
+  signature: z4.string().optional(),
+  public_key: z4.string().optional()
 });
-var EscrowHoldConfirmedMessageSchema = z3.object({
-  type: z3.literal("escrow_hold_confirmed"),
-  request_id: z3.string(),
-  escrow_id: z3.string(),
-  hold_amount: z3.number(),
-  consumer_remaining: z3.number()
+var EscrowHoldConfirmedMessageSchema = z4.object({
+  type: z4.literal("escrow_hold_confirmed"),
+  request_id: z4.string(),
+  escrow_id: z4.string(),
+  hold_amount: z4.number(),
+  consumer_remaining: z4.number()
 });
-var EscrowSettleMessageSchema = z3.object({
-  type: z3.literal("escrow_settle"),
-  escrow_id: z3.string().min(1),
-  request_id: z3.string().uuid(),
-  success: z3.boolean(),
-  failure_reason: z3.enum(["bad_execution", "overload", "timeout", "auth_error", "not_found"]).optional(),
-  result_hash: z3.string().optional(),
-  signature: z3.string().optional(),
-  public_key: z3.string().optional(),
-  consumer_agent_id: z3.string().optional()
+var EscrowSettleMessageSchema = z4.object({
+  type: z4.literal("escrow_settle"),
+  escrow_id: z4.string().min(1),
+  request_id: z4.string().uuid(),
+  success: z4.boolean(),
+  failure_reason: z4.enum(["bad_execution", "overload", "timeout", "auth_error", "not_found"]).optional(),
+  result_hash: z4.string().optional(),
+  signature: z4.string().optional(),
+  public_key: z4.string().optional(),
+  consumer_agent_id: z4.string().optional()
 });
-var EscrowSettledMessageSchema = z3.object({
-  type: z3.literal("escrow_settled"),
-  escrow_id: z3.string(),
-  request_id: z3.string(),
-  provider_earned: z3.number(),
-  network_fee: z3.number(),
-  consumer_remaining: z3.number(),
-  provider_balance: z3.number()
+var EscrowSettledMessageSchema = z4.object({
+  type: z4.literal("escrow_settled"),
+  escrow_id: z4.string(),
+  request_id: z4.string(),
+  provider_earned: z4.number(),
+  network_fee: z4.number(),
+  consumer_remaining: z4.number(),
+  provider_balance: z4.number()
 });
-var BalanceSyncMessageSchema = z3.object({
-  type: z3.literal("balance_sync"),
-  agent_id: z3.string().min(1)
+var BalanceSyncMessageSchema = z4.object({
+  type: z4.literal("balance_sync"),
+  agent_id: z4.string().min(1)
 });
-var BalanceSyncResponseMessageSchema = z3.object({
-  type: z3.literal("balance_sync_response"),
-  agent_id: z3.string(),
-  balance: z3.number()
+var BalanceSyncResponseMessageSchema = z4.object({
+  type: z4.literal("balance_sync_response"),
+  agent_id: z4.string(),
+  balance: z4.number()
 });
-var RelayMessageSchema = z3.discriminatedUnion("type", [
+var RelayMessageSchema = z4.discriminatedUnion("type", [
   RegisterMessageSchema,
   RegisteredMessageSchema,
   RelayRequestMessageSchema,
@@ -4153,8 +4779,8 @@ import { randomUUID as randomUUID11 } from "crypto";
 import { randomUUID as randomUUID12 } from "crypto";
 
 // src/cli/peers.ts
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
-import { join as join3 } from "path";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, existsSync as existsSync4, mkdirSync as mkdirSync3 } from "fs";
+import { join as join4 } from "path";
 
 // src/autonomy/auto-request.ts
 function minMaxNormalize(values) {
@@ -4338,11 +4964,11 @@ var BudgetController = class {
 };
 
 // src/conductor/card.ts
-import { createHash } from "crypto";
+import { createHash as createHash2 } from "crypto";
 var CONDUCTOR_OWNER = "agentbnb-conductor";
 var CONDUCTOR_CARD_ID = "00000000-0000-4000-8000-000000000001";
 function ownerToCardId(owner) {
-  const hash = createHash("sha256").update(owner).digest("hex").slice(0, 32);
+  const hash = createHash2("sha256").update(owner).digest("hex").slice(0, 32);
   return `${hash.slice(0, 8)}-${hash.slice(8, 12)}-4${hash.slice(13, 16)}-8${hash.slice(17, 20)}-${hash.slice(20, 32)}`;
 }
 function buildConductorCard(owner) {
@@ -4980,18 +5606,18 @@ var ConductorMode = class {
 };
 
 // src/credit/escrow-receipt.ts
-import { z as z4 } from "zod";
+import { z as z5 } from "zod";
 import { randomUUID as randomUUID14 } from "crypto";
-var EscrowReceiptSchema = z4.object({
-  requester_owner: z4.string().min(1),
-  requester_agent_id: z4.string().optional(),
-  requester_public_key: z4.string().min(1),
-  amount: z4.number().positive(),
-  card_id: z4.string().min(1),
-  skill_id: z4.string().optional(),
-  timestamp: z4.string(),
-  nonce: z4.string().uuid(),
-  signature: z4.string().min(1)
+var EscrowReceiptSchema = z5.object({
+  requester_owner: z5.string().min(1),
+  requester_agent_id: z5.string().optional(),
+  requester_public_key: z5.string().min(1),
+  amount: z5.number().positive(),
+  card_id: z5.string().min(1),
+  skill_id: z5.string().optional(),
+  timestamp: z5.string(),
+  nonce: z5.string().uuid(),
+  signature: z5.string().min(1)
 });
 function createSignedEscrowReceipt(db, privateKey, publicKey, opts) {
   const escrowId = holdEscrow(db, opts.owner, opts.amount, opts.cardId);
@@ -5033,191 +5659,6 @@ function releaseRequesterEscrow(requesterDb, escrowId) {
   releaseEscrow(requesterDb, escrowId);
 }
 
-// src/identity/identity.ts
-import { z as z5 } from "zod";
-import { createHash as createHash2, createPrivateKey as createPrivateKey2, createPublicKey as createPublicKey2 } from "crypto";
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, existsSync as existsSync4, mkdirSync as mkdirSync3 } from "fs";
-import { join as join4 } from "path";
-var AgentIdentitySchema = z5.object({
-  /** Deterministic ID derived from public key: sha256(hex).slice(0, 16). */
-  agent_id: z5.string().min(1),
-  /** Human-readable owner name (from config or init). */
-  owner: z5.string().min(1),
-  /** Hex-encoded Ed25519 public key. */
-  public_key: z5.string().min(1),
-  /** ISO 8601 timestamp of identity creation. */
-  created_at: z5.string().datetime(),
-  /** Optional guarantor info if linked to a human. */
-  guarantor: z5.object({
-    github_login: z5.string().min(1),
-    verified_at: z5.string().datetime()
-  }).optional()
-});
-var AgentCertificateSchema = z5.object({
-  identity: AgentIdentitySchema,
-  /** ISO 8601 timestamp of certificate issuance. */
-  issued_at: z5.string().datetime(),
-  /** ISO 8601 timestamp of certificate expiry. */
-  expires_at: z5.string().datetime(),
-  /** Hex-encoded public key of the issuer (same as identity for self-signed). */
-  issuer_public_key: z5.string().min(1),
-  /** Base64url Ed25519 signature over { identity, issued_at, expires_at, issuer_public_key }. */
-  signature: z5.string().min(1)
-});
-var IDENTITY_FILENAME = "identity.json";
-var PRIVATE_KEY_FILENAME = "private.key";
-var PUBLIC_KEY_FILENAME = "public.key";
-function derivePublicKeyFromPrivate(privateKey) {
-  const privateKeyObject = createPrivateKey2({ key: privateKey, format: "der", type: "pkcs8" });
-  const publicKeyObject = createPublicKey2(privateKeyObject);
-  const publicKey = publicKeyObject.export({ format: "der", type: "spki" });
-  return Buffer.from(publicKey);
-}
-function buildIdentityFromPublicKey(publicKey, owner, createdAt) {
-  const publicKeyHex = publicKey.toString("hex");
-  return {
-    agent_id: deriveAgentId(publicKeyHex),
-    owner,
-    public_key: publicKeyHex,
-    created_at: createdAt ?? (/* @__PURE__ */ new Date()).toISOString()
-  };
-}
-function generateFreshIdentity(configDir, owner) {
-  const keys = generateKeyPair();
-  saveKeyPair(configDir, keys);
-  const identity = buildIdentityFromPublicKey(keys.publicKey, owner);
-  saveIdentity(configDir, identity);
-  return { identity, keys, status: "generated" };
-}
-function deriveAgentId(publicKeyHex) {
-  return createHash2("sha256").update(publicKeyHex, "hex").digest("hex").slice(0, 16);
-}
-function createIdentity(configDir, owner) {
-  if (!existsSync4(configDir)) {
-    mkdirSync3(configDir, { recursive: true });
-  }
-  let keys;
-  try {
-    keys = loadKeyPair(configDir);
-  } catch {
-    keys = generateKeyPair();
-    saveKeyPair(configDir, keys);
-  }
-  const publicKeyHex = keys.publicKey.toString("hex");
-  const agentId = deriveAgentId(publicKeyHex);
-  const identity = {
-    agent_id: agentId,
-    owner,
-    public_key: publicKeyHex,
-    created_at: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  saveIdentity(configDir, identity);
-  return identity;
-}
-function loadIdentity(configDir) {
-  const filePath = join4(configDir, IDENTITY_FILENAME);
-  if (!existsSync4(filePath)) return null;
-  try {
-    const raw = readFileSync4(filePath, "utf-8");
-    return AgentIdentitySchema.parse(JSON.parse(raw));
-  } catch {
-    return null;
-  }
-}
-function saveIdentity(configDir, identity) {
-  if (!existsSync4(configDir)) {
-    mkdirSync3(configDir, { recursive: true });
-  }
-  const filePath = join4(configDir, IDENTITY_FILENAME);
-  writeFileSync4(filePath, JSON.stringify(identity, null, 2), "utf-8");
-}
-function loadOrRepairIdentity(configDir, ownerHint) {
-  if (!existsSync4(configDir)) {
-    mkdirSync3(configDir, { recursive: true });
-  }
-  const identityPath = join4(configDir, IDENTITY_FILENAME);
-  const privateKeyPath = join4(configDir, PRIVATE_KEY_FILENAME);
-  const publicKeyPath = join4(configDir, PUBLIC_KEY_FILENAME);
-  const hasIdentity = existsSync4(identityPath);
-  const hasPrivateKey = existsSync4(privateKeyPath);
-  const hasPublicKey = existsSync4(publicKeyPath);
-  if (!hasIdentity || !hasPrivateKey || !hasPublicKey) {
-    return generateFreshIdentity(configDir, ownerHint ?? "agent");
-  }
-  let keys;
-  try {
-    keys = loadKeyPair(configDir);
-  } catch {
-    return generateFreshIdentity(configDir, ownerHint ?? "agent");
-  }
-  let derivedPublicKey;
-  try {
-    derivedPublicKey = derivePublicKeyFromPrivate(keys.privateKey);
-  } catch {
-    return generateFreshIdentity(configDir, ownerHint ?? "agent");
-  }
-  let keypairRepaired = false;
-  if (!keys.publicKey.equals(derivedPublicKey)) {
-    keypairRepaired = true;
-    keys = { privateKey: keys.privateKey, publicKey: derivedPublicKey };
-    saveKeyPair(configDir, keys);
-  }
-  const loadedIdentity = loadIdentity(configDir);
-  const expectedAgentId = deriveAgentId(derivedPublicKey.toString("hex"));
-  const expectedPublicKeyHex = derivedPublicKey.toString("hex");
-  const identityMismatch = !loadedIdentity || loadedIdentity.public_key !== expectedPublicKeyHex || loadedIdentity.agent_id !== expectedAgentId;
-  if (identityMismatch) {
-    const repairedIdentity = buildIdentityFromPublicKey(
-      derivedPublicKey,
-      loadedIdentity?.owner ?? ownerHint ?? "agent",
-      loadedIdentity?.created_at
-    );
-    saveIdentity(configDir, repairedIdentity);
-    return { identity: repairedIdentity, keys, status: "repaired" };
-  }
-  if (ownerHint && loadedIdentity.owner !== ownerHint) {
-    const updatedIdentity = { ...loadedIdentity, owner: ownerHint };
-    saveIdentity(configDir, updatedIdentity);
-    return { identity: updatedIdentity, keys, status: "repaired" };
-  }
-  return { identity: loadedIdentity, keys, status: keypairRepaired ? "repaired" : "existing" };
-}
-function issueAgentCertificate(identity, privateKey) {
-  const issuedAt = (/* @__PURE__ */ new Date()).toISOString();
-  const expiresAt = new Date(Date.now() + 365 * 24 * 60 * 60 * 1e3).toISOString();
-  const payload = {
-    identity,
-    issued_at: issuedAt,
-    expires_at: expiresAt,
-    issuer_public_key: identity.public_key
-  };
-  const signature = signEscrowReceipt(payload, privateKey);
-  return {
-    identity,
-    issued_at: issuedAt,
-    expires_at: expiresAt,
-    issuer_public_key: identity.public_key,
-    signature
-  };
-}
-function verifyAgentCertificate(cert) {
-  if (new Date(cert.expires_at) < /* @__PURE__ */ new Date()) {
-    return false;
-  }
-  const publicKeyHex = cert.issuer_public_key;
-  const publicKeyBuf = Buffer.from(publicKeyHex, "hex");
-  const payload = {
-    identity: cert.identity,
-    issued_at: cert.issued_at,
-    expires_at: cert.expires_at,
-    issuer_public_key: cert.issuer_public_key
-  };
-  return verifyEscrowReceipt(payload, cert.signature, publicKeyBuf);
-}
-function ensureIdentity(configDir, owner) {
-  return loadOrRepairIdentity(configDir, owner).identity;
-}
-
 // src/sdk/consumer.ts
 var AgentBnBConsumer = class {
   configDir;