npm - agentbnb - Versions diffs - 9.0.2 → 9.1.0 - Mend

agentbnb 9.0.2 → 9.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (72) hide show

package/dist/index.js CHANGED Viewed

@@ -1,3 +1,9 @@
+import {
+  __require,
+  createRequestLogTable,
+  insertRequestLog
+} from "./chunk-4HLGFR72.js";
 // src/types/index.ts
 import { z } from "zod";
 var IOSchemaSchema = z.object({
@@ -213,76 +219,6 @@ var AgentBnBError = class extends Error {
 // src/registry/store.ts
 import Database from "better-sqlite3";
-// src/registry/request-log.ts
-function createRequestLogTable(db) {
-  db.exec(`
-    CREATE TABLE IF NOT EXISTS request_log (
-      id TEXT PRIMARY KEY,
-      card_id TEXT NOT NULL,
-      card_name TEXT NOT NULL,
-      requester TEXT NOT NULL,
-      status TEXT NOT NULL CHECK(status IN ('success', 'failure', 'timeout')),
-      latency_ms INTEGER NOT NULL,
-      credits_charged INTEGER NOT NULL,
-      created_at TEXT NOT NULL
-    );
-    CREATE INDEX IF NOT EXISTS request_log_created_at_idx
-      ON request_log (created_at DESC);
-  `);
-  try {
-    db.exec("ALTER TABLE request_log ADD COLUMN skill_id TEXT");
-  } catch {
-  }
-  try {
-    db.exec("ALTER TABLE request_log ADD COLUMN action_type TEXT");
-  } catch {
-  }
-  try {
-    db.exec("ALTER TABLE request_log ADD COLUMN tier_invoked INTEGER");
-  } catch {
-  }
-  try {
-    db.exec("ALTER TABLE request_log ADD COLUMN failure_reason TEXT");
-  } catch {
-  }
-  try {
-    db.exec("ALTER TABLE request_log ADD COLUMN team_id TEXT");
-  } catch {
-  }
-  try {
-    db.exec("ALTER TABLE request_log ADD COLUMN role TEXT");
-  } catch {
-  }
-  try {
-    db.exec("ALTER TABLE request_log ADD COLUMN capability_type TEXT");
-  } catch {
-  }
-}
-function insertRequestLog(db, entry) {
-  const stmt = db.prepare(`
-    INSERT INTO request_log (id, card_id, card_name, requester, status, latency_ms, credits_charged, created_at, skill_id, action_type, tier_invoked, failure_reason, team_id, role, capability_type)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-  `);
-  stmt.run(
-    entry.id,
-    entry.card_id,
-    entry.card_name,
-    entry.requester,
-    entry.status,
-    entry.latency_ms,
-    entry.credits_charged,
-    entry.created_at,
-    entry.skill_id ?? null,
-    entry.action_type ?? null,
-    entry.tier_invoked ?? null,
-    entry.failure_reason ?? null,
-    entry.team_id ?? null,
-    entry.role ?? null,
-    entry.capability_type ?? null
-  );
-}
 // src/feedback/store.ts
 import { randomUUID } from "crypto";
 function initFeedbackTable(db) {
@@ -858,28 +794,57 @@ function getCardsBySkillCapability(db, capabilityType) {
   });
 }
+// src/core-config.ts
+import { readFileSync } from "fs";
+import { join } from "path";
+var coreBasePath = null;
+var coreResolved = false;
+function resolveCoreBase() {
+  if (coreResolved) return coreBasePath;
+  coreResolved = true;
+  try {
+    const pkgPath = __require.resolve("@agentbnb/core/package.json");
+    coreBasePath = join(pkgPath, "..");
+    return coreBasePath;
+  } catch {
+    return null;
+  }
+}
+function loadCoreConfig(configName) {
+  const base = resolveCoreBase();
+  if (!base) return null;
+  try {
+    const filePath = join(base, "config", `${configName}.json`);
+    const raw = readFileSync(filePath, "utf8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
 // src/feedback/reputation.ts
+var coreReputation = loadCoreConfig("reputation");
 var QUALITY_SCORES = {
-  excellent: 1,
-  good: 0.8,
-  acceptable: 0.6,
-  poor: 0.3,
-  failed: 0
+  excellent: coreReputation?.quality_scores?.["excellent"] ?? 1,
+  good: coreReputation?.quality_scores?.["good"] ?? 0.8,
+  acceptable: coreReputation?.quality_scores?.["acceptable"] ?? 0.6,
+  poor: coreReputation?.quality_scores?.["poor"] ?? 0.3,
+  failed: coreReputation?.quality_scores?.["failed"] ?? 0
 };
 var COST_VALUE_SCORES = {
-  great: 1,
-  fair: 0.6,
-  overpriced: 0.2
+  great: coreReputation?.cost_value_scores?.["great"] ?? 1,
+  fair: coreReputation?.cost_value_scores?.["fair"] ?? 0.6,
+  overpriced: coreReputation?.cost_value_scores?.["overpriced"] ?? 0.2
 };
-var DECAY_DAYS = 30;
+var DECAY_DAYS = coreReputation?.decay_days ?? 30;
 var WEIGHTS = {
-  rating: 0.4,
-  quality: 0.3,
-  would_reuse: 0.2,
-  cost_value: 0.1
+  rating: coreReputation?.weights?.["rating"] ?? 0.4,
+  quality: coreReputation?.weights?.["quality"] ?? 0.3,
+  would_reuse: coreReputation?.weights?.["would_reuse"] ?? 0.2,
+  cost_value: coreReputation?.weights?.["cost_value"] ?? 0.1
 };
 function computeReputation(feedbacks) {
-  if (feedbacks.length === 0) return 0.5;
+  if (feedbacks.length === 0) return coreReputation?.cold_start_score ?? 0.5;
   const now = Date.now();
   let weightedSum = 0;
   let totalWeight = 0;
@@ -895,7 +860,7 @@ function computeReputation(feedbacks) {
     weightedSum += recencyWeight * componentScore;
     totalWeight += recencyWeight;
   }
-  if (totalWeight === 0) return 0.5;
+  if (totalWeight === 0) return coreReputation?.cold_start_score ?? 0.5;
   const raw = weightedSum / totalWeight;
   return Math.max(0, Math.min(1, raw));
 }
@@ -1372,7 +1337,8 @@ import { randomUUID as randomUUID5 } from "crypto";
 // src/credit/escrow.ts
 import { randomUUID as randomUUID4 } from "crypto";
-var NETWORK_FEE_RATE = 0.05;
+var coreEconomics = loadCoreConfig("economics");
+var NETWORK_FEE_RATE = coreEconomics?.network_fee_rate ?? 0.05;
 var FINALIZABLE_ESCROW_STATUSES = /* @__PURE__ */ new Set([
   "held",
   "started",
@@ -1559,20 +1525,20 @@ function confirmEscrowDebit(db, escrowId) {
 }
 // src/cli/config.ts
-import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { readFileSync as readFileSync2, writeFileSync, mkdirSync, existsSync } from "fs";
 import { homedir } from "os";
-import { join } from "path";
+import { join as join2 } from "path";
 function getConfigDir() {
-  return process.env["AGENTBNB_DIR"] ?? join(homedir(), ".agentbnb");
+  return process.env["AGENTBNB_DIR"] ?? join2(homedir(), ".agentbnb");
 }
 function getConfigPath() {
-  return join(getConfigDir(), "config.json");
+  return join2(getConfigDir(), "config.json");
 }
 function loadConfig() {
   const configPath = getConfigPath();
   if (!existsSync(configPath)) return null;
   try {
-    const raw = readFileSync(configPath, "utf-8");
+    const raw = readFileSync2(configPath, "utf-8");
     return JSON.parse(raw);
   } catch {
     return null;
@@ -1582,13 +1548,13 @@ function loadConfig() {
 // src/identity/identity.ts
 import { z as z2 } from "zod";
 import { createHash, createPrivateKey as createPrivateKey2, createPublicKey as createPublicKey2 } from "crypto";
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
-import { join as join3 } from "path";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
+import { join as join4 } from "path";
 // src/credit/signing.ts
 import { generateKeyPairSync, sign, verify, createPublicKey, createPrivateKey } from "crypto";
-import { writeFileSync as writeFileSync2, readFileSync as readFileSync2, existsSync as existsSync2, chmodSync } from "fs";
-import { join as join2 } from "path";
+import { writeFileSync as writeFileSync2, readFileSync as readFileSync3, existsSync as existsSync2, chmodSync } from "fs";
+import { join as join3 } from "path";
 function generateKeyPair() {
   const { publicKey, privateKey } = generateKeyPairSync("ed25519", {
     publicKeyEncoding: { type: "spki", format: "der" },
@@ -1600,21 +1566,21 @@ function generateKeyPair() {
   };
 }
 function saveKeyPair(configDir, keys) {
-  const privatePath = join2(configDir, "private.key");
-  const publicPath = join2(configDir, "public.key");
+  const privatePath = join3(configDir, "private.key");
+  const publicPath = join3(configDir, "public.key");
   writeFileSync2(privatePath, keys.privateKey);
   chmodSync(privatePath, 384);
   writeFileSync2(publicPath, keys.publicKey);
 }
 function loadKeyPair(configDir) {
-  const privatePath = join2(configDir, "private.key");
-  const publicPath = join2(configDir, "public.key");
+  const privatePath = join3(configDir, "private.key");
+  const publicPath = join3(configDir, "public.key");
   if (!existsSync2(privatePath) || !existsSync2(publicPath)) {
     throw new AgentBnBError("Keypair not found. Run `agentbnb init` to generate one.", "KEYPAIR_NOT_FOUND");
   }
   return {
-    publicKey: readFileSync2(publicPath),
-    privateKey: readFileSync2(privatePath)
+    publicKey: readFileSync3(publicPath),
+    privateKey: readFileSync3(privatePath)
   };
 }
 function canonicalJson(data) {
@@ -1738,10 +1704,10 @@ function createIdentity(configDir, owner) {
   return identity;
 }
 function loadIdentity(configDir) {
-  const filePath = join3(configDir, IDENTITY_FILENAME);
+  const filePath = join4(configDir, IDENTITY_FILENAME);
   if (!existsSync3(filePath)) return null;
   try {
-    const raw = readFileSync3(filePath, "utf-8");
+    const raw = readFileSync4(filePath, "utf-8");
     return AgentIdentitySchema.parse(JSON.parse(raw));
   } catch {
     return null;
@@ -1751,16 +1717,16 @@ function saveIdentity(configDir, identity) {
   if (!existsSync3(configDir)) {
     mkdirSync2(configDir, { recursive: true });
   }
-  const filePath = join3(configDir, IDENTITY_FILENAME);
+  const filePath = join4(configDir, IDENTITY_FILENAME);
   writeFileSync3(filePath, JSON.stringify(identity, null, 2), "utf-8");
 }
 function loadOrRepairIdentity(configDir, ownerHint) {
   if (!existsSync3(configDir)) {
     mkdirSync2(configDir, { recursive: true });
   }
-  const identityPath = join3(configDir, IDENTITY_FILENAME);
-  const privateKeyPath = join3(configDir, PRIVATE_KEY_FILENAME);
-  const publicKeyPath = join3(configDir, PUBLIC_KEY_FILENAME);
+  const identityPath = join4(configDir, IDENTITY_FILENAME);
+  const privateKeyPath = join4(configDir, PRIVATE_KEY_FILENAME);
+  const publicKeyPath = join4(configDir, PUBLIC_KEY_FILENAME);
   const hasIdentity = existsSync3(identityPath);
   const hasPrivateKey = existsSync3(privateKeyPath);
   const hasPublicKey = existsSync3(publicKeyPath);
@@ -2325,6 +2291,26 @@ async function notifyTelegramSkillFailed(opts) {
     body: JSON.stringify({ chat_id: chatId, text })
   });
 }
+async function notifyTelegramSkillReceived(opts) {
+  const cfg = loadConfig();
+  if (cfg?.provider_gate !== "notify") return;
+  const token = cfg.telegram_bot_token ?? process.env["TELEGRAM_BOT_TOKEN"];
+  const chatId = cfg.telegram_chat_id ?? process.env["TELEGRAM_CHAT_ID"];
+  if (!token || !chatId) return;
+  const skillLabel = opts.skillId ? `${opts.skillName} (${opts.skillId})` : opts.skillName;
+  const text = [
+    "\u{1F4E5} [AgentBnB] Incoming rental request",
+    `Skill: ${skillLabel}`,
+    `Requester: ${opts.requester}`,
+    `Cost: ${opts.cost} credits`,
+    `Status: Executing...`
+  ].join("\n");
+  await fetch(`https://api.telegram.org/bot${token}/sendMessage`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ chat_id: chatId, text })
+  });
+}
 async function executeCapabilityRequest(opts) {
   const {
     registryDb,
@@ -2416,6 +2402,41 @@ async function executeCapabilityRequest(opts) {
       return { success: false, error: { code: -32603, message: msg } };
     }
   }
+  const providerCfg = loadConfig();
+  const providerWhitelist = providerCfg?.provider_whitelist ?? [];
+  const isWhitelisted = providerWhitelist.includes(requester);
+  if (providerCfg?.provider_accepting === false && !isWhitelisted) {
+    if (escrowId) releaseEscrow(creditDb, escrowId);
+    return { success: false, error: { code: -32098, message: "Provider is not accepting requests" } };
+  }
+  if (!isWhitelisted) {
+    const blacklist = providerCfg?.provider_blacklist ?? [];
+    if (blacklist.includes(requester)) {
+      if (escrowId) releaseEscrow(creditDb, escrowId);
+      return { success: false, error: { code: -32097, message: "Requester is blocked by provider" } };
+    }
+  }
+  if (!isWhitelisted) {
+    const dailyLimit = providerCfg?.provider_daily_limit ?? 0;
+    if (dailyLimit > 0) {
+      const { countTodayExecutions } = await import("./request-log-SIGTGOFA.js");
+      const todayCount = countTodayExecutions(registryDb);
+      if (todayCount >= dailyLimit) {
+        if (escrowId) releaseEscrow(creditDb, escrowId);
+        return {
+          success: false,
+          error: { code: -32099, message: `Provider daily execution limit reached (${dailyLimit}/day)` }
+        };
+      }
+    }
+  }
+  notifyTelegramSkillReceived({
+    skillName: cardName,
+    skillId: resolvedSkillId ?? null,
+    requester,
+    cost: creditsNeeded
+  }).catch(() => {
+  });
   const startMs = Date.now();
   const handleFailure = (status, latencyMs, message, failureReason = "bad_execution") => {
     if (escrowId) releaseEscrow(creditDb, escrowId);
@@ -3590,9 +3611,42 @@ var PipelineExecutor = class {
 };
 // src/skills/openclaw-bridge.ts
-import { execFileSync } from "child_process";
+import { spawnSync } from "child_process";
 var DEFAULT_BASE_URL = "http://localhost:3000";
 var DEFAULT_TIMEOUT_MS = 6e4;
+function isOpenClawJsonResponse(value) {
+  return typeof value === "object" && value !== null && "payloads" in value && Array.isArray(value.payloads) && "meta" in value;
+}
+function parseOpenClawResponse(raw) {
+  if (!isOpenClawJsonResponse(raw)) {
+    return raw;
+  }
+  const { payloads, meta } = raw;
+  const texts = payloads.map((p) => p.text).filter((t) => typeof t === "string" && t.length > 0);
+  const mediaUrls = payloads.map((p) => p.mediaUrl).filter((u) => typeof u === "string" && u.length > 0);
+  const openclawMeta = {
+    duration_ms: meta.durationMs,
+    model: meta.agentMeta?.model,
+    provider: meta.agentMeta?.provider
+  };
+  if (texts.length === 0) {
+    return { text: "", media_urls: mediaUrls, _openclaw_meta: openclawMeta };
+  }
+  const lastText = texts[texts.length - 1];
+  try {
+    const structured = JSON.parse(lastText);
+    if (typeof structured === "object" && structured !== null) {
+      return { ...structured, _openclaw_meta: openclawMeta };
+    }
+    return { result: structured, _openclaw_meta: openclawMeta };
+  } catch {
+    return {
+      text: texts.join("\n\n"),
+      media_urls: mediaUrls.length > 0 ? mediaUrls : void 0,
+      _openclaw_meta: openclawMeta
+    };
+  }
+}
 function buildPayload(config, params) {
   return {
     task: config.name,
@@ -3659,7 +3713,7 @@ Do NOT include explanations, markdown formatting, or code blocks.
 The JSON should contain the output fields specified in your SKILL.md.
 If you cannot complete the task, return: {"error": "reason"}`;
   try {
-    const stdout = execFileSync("openclaw", [
+    const proc = spawnSync("openclaw", [
       "agent",
       "--agent",
       config.agent_name,
@@ -3668,21 +3722,37 @@ If you cannot complete the task, return: {"error": "reason"}`;
       "--json",
       "--local"
     ], {
-      timeout: timeoutMs
+      timeout: timeoutMs,
+      maxBuffer: 10 * 1024 * 1024
+      // 10 MB
     });
-    const text = stdout.toString().trim();
+    if (proc.error) {
+      return { success: false, error: proc.error.message };
+    }
+    const stderrText = proc.stderr?.toString() ?? "";
+    const stdoutText = proc.stdout?.toString() ?? "";
+    const text = (stderrText || stdoutText).trim();
+    if (!text) {
+      return {
+        success: false,
+        error: `OpenClaw process channel returned empty output (exit code ${proc.status})`
+      };
+    }
+    const jsonStart = text.lastIndexOf("\n{");
+    const jsonText = jsonStart >= 0 ? text.slice(jsonStart + 1) : text;
     try {
-      const parsed = JSON.parse(text);
-      return { success: true, result: parsed };
+      const parsed = JSON.parse(jsonText);
+      const result = parseOpenClawResponse(parsed);
+      return { success: true, result };
     } catch {
       return {
         success: false,
-        error: `OpenClaw process channel returned invalid JSON: ${text}`
+        error: `OpenClaw process channel returned invalid JSON: ${jsonText.slice(0, 500)}`
       };
     }
   } catch (err) {
-    const message2 = err instanceof Error ? err.message : String(err);
-    return { success: false, error: message2 };
+    const errMsg = err instanceof Error ? err.message : String(err);
+    return { success: false, error: errMsg };
   }
 }
 async function executeTelegram(config, payload) {
@@ -4446,163 +4516,261 @@ import WebSocket from "ws";
 import { randomUUID as randomUUID10 } from "crypto";
 // src/relay/types.ts
+import { z as z5 } from "zod";
+// src/session/session-types.ts
 import { z as z4 } from "zod";
-var RegisterMessageSchema = z4.object({
-  type: z4.literal("register"),
-  owner: z4.string().min(1),
+var DEFAULT_SESSION_CONFIG = {
+  pricing: {
+    default_model: "per_message",
+    per_message_base_rate: 2,
+    per_minute_base_rate: 1,
+    per_session_flat_rate: 10,
+    max_messages_per_session: 50,
+    max_minutes_per_session: 30
+  },
+  timeouts: {
+    idle_timeout_ms: 12e4,
+    max_session_duration_ms: 18e5,
+    message_timeout_ms: 9e4
+  },
+  abuse: {
+    max_concurrent_sessions_per_agent: 5,
+    max_sessions_per_hour: 20,
+    min_message_interval_ms: 1e3
+  },
+  quality: {
+    min_provider_reputation_for_session: 0.5,
+    auto_refund_on_timeout: true,
+    partial_refund_ratio: 0.5
+  }
+};
+function loadSessionConfig() {
+  const core = loadCoreConfig("session");
+  if (!core) return DEFAULT_SESSION_CONFIG;
+  return {
+    pricing: { ...DEFAULT_SESSION_CONFIG.pricing, ...core.pricing },
+    timeouts: { ...DEFAULT_SESSION_CONFIG.timeouts, ...core.timeouts },
+    abuse: { ...DEFAULT_SESSION_CONFIG.abuse, ...core.abuse },
+    quality: { ...DEFAULT_SESSION_CONFIG.quality, ...core.quality }
+  };
+}
+var SessionPricingModelSchema = z4.enum(["per_message", "per_minute", "per_session"]);
+var SessionOpenMessageSchema = z4.object({
+  type: z4.literal("session_open"),
+  session_id: z4.string().uuid(),
+  requester_id: z4.string().min(1),
+  provider_id: z4.string().min(1),
+  card_id: z4.string().min(1),
+  skill_id: z4.string().min(1),
+  budget: z4.number().positive(),
+  pricing_model: SessionPricingModelSchema.default("per_message"),
+  initial_message: z4.string().min(1),
+  ucan_token: z4.string().optional()
+});
+var SessionAckMessageSchema = z4.object({
+  type: z4.literal("session_ack"),
+  session_id: z4.string(),
+  escrow_id: z4.string(),
+  status: z4.literal("open")
+});
+var SessionMessageMessageSchema = z4.object({
+  type: z4.literal("session_message"),
+  session_id: z4.string().uuid(),
+  sender: z4.enum(["requester", "provider"]),
+  content: z4.string().min(1),
+  metadata: z4.object({
+    model: z4.string().optional(),
+    latency_ms: z4.number().optional(),
+    tokens_used: z4.number().optional()
+  }).optional()
+});
+var SessionEndMessageSchema = z4.object({
+  type: z4.literal("session_end"),
+  session_id: z4.string().uuid(),
+  reason: z4.enum(["completed", "timeout", "budget_exhausted", "error", "cancelled"]).default("completed"),
+  summary: z4.string().optional()
+});
+var SessionSettledMessageSchema = z4.object({
+  type: z4.literal("session_settled"),
+  session_id: z4.string(),
+  total_cost: z4.number(),
+  messages_count: z4.number(),
+  duration_seconds: z4.number(),
+  refunded: z4.number()
+});
+var SessionErrorMessageSchema = z4.object({
+  type: z4.literal("session_error"),
+  session_id: z4.string(),
+  code: z4.string(),
+  message: z4.string()
+});
+var SESSION_MESSAGE_TYPES = /* @__PURE__ */ new Set([
+  "session_open",
+  "session_ack",
+  "session_message",
+  "session_end",
+  "session_settled",
+  "session_error"
+]);
+// src/relay/types.ts
+var RegisterMessageSchema = z5.object({
+  type: z5.literal("register"),
+  owner: z5.string().min(1),
   /** V8: Cryptographic agent identity. When present, used as the canonical key. */
-  agent_id: z4.string().optional(),
+  agent_id: z5.string().optional(),
   /** V8 Phase 3: Server identifier for multi-agent delegation. */
-  server_id: z4.string().optional(),
-  token: z4.string().min(1),
-  card: z4.record(z4.unknown()),
+  server_id: z5.string().optional(),
+  token: z5.string().min(1),
+  card: z5.record(z5.unknown()),
   // CapabilityCard (validated separately)
-  cards: z4.array(z4.record(z4.unknown())).optional(),
+  cards: z5.array(z5.record(z5.unknown())).optional(),
   // Additional cards (e.g., conductor card)
   /** V8 Phase 3: Additional agents served by this server (multi-agent registration). */
-  agents: z4.array(z4.object({
-    agent_id: z4.string().min(1),
-    display_name: z4.string().min(1),
-    cards: z4.array(z4.record(z4.unknown())),
-    delegation_token: z4.record(z4.unknown()).optional()
+  agents: z5.array(z5.object({
+    agent_id: z5.string().min(1),
+    display_name: z5.string().min(1),
+    cards: z5.array(z5.record(z5.unknown())),
+    delegation_token: z5.record(z5.unknown()).optional()
   })).optional()
 });
-var RegisteredMessageSchema = z4.object({
-  type: z4.literal("registered"),
-  agent_id: z4.string()
+var RegisteredMessageSchema = z5.object({
+  type: z5.literal("registered"),
+  agent_id: z5.string()
 });
-var RelayRequestMessageSchema = z4.object({
-  type: z4.literal("relay_request"),
-  id: z4.string().uuid(),
-  target_owner: z4.string().min(1),
+var RelayRequestMessageSchema = z5.object({
+  type: z5.literal("relay_request"),
+  id: z5.string().uuid(),
+  target_owner: z5.string().min(1),
   /** V8: Target agent's cryptographic identity. Preferred over target_owner. */
-  target_agent_id: z4.string().optional(),
-  card_id: z4.string(),
-  skill_id: z4.string().optional(),
-  params: z4.record(z4.unknown()).default({}),
-  requester: z4.string().optional(),
-  escrow_receipt: z4.record(z4.unknown()).optional(),
+  target_agent_id: z5.string().optional(),
+  card_id: z5.string(),
+  skill_id: z5.string().optional(),
+  params: z5.record(z5.unknown()).default({}),
+  requester: z5.string().optional(),
+  escrow_receipt: z5.record(z5.unknown()).optional(),
   /** Optional UCAN token for capability delegation. */
-  ucan_token: z4.string().optional()
+  ucan_token: z5.string().optional()
 });
-var IncomingRequestMessageSchema = z4.object({
-  type: z4.literal("incoming_request"),
-  id: z4.string().uuid(),
-  from_owner: z4.string().min(1),
-  card_id: z4.string(),
-  skill_id: z4.string().optional(),
-  params: z4.record(z4.unknown()).default({}),
-  requester: z4.string().optional(),
-  escrow_receipt: z4.record(z4.unknown()).optional(),
+var IncomingRequestMessageSchema = z5.object({
+  type: z5.literal("incoming_request"),
+  id: z5.string().uuid(),
+  from_owner: z5.string().min(1),
+  card_id: z5.string(),
+  skill_id: z5.string().optional(),
+  params: z5.record(z5.unknown()).default({}),
+  requester: z5.string().optional(),
+  escrow_receipt: z5.record(z5.unknown()).optional(),
   /** Optional UCAN token for capability delegation. */
-  ucan_token: z4.string().optional()
+  ucan_token: z5.string().optional()
 });
-var RelayResponseMessageSchema = z4.object({
-  type: z4.literal("relay_response"),
-  id: z4.string().uuid(),
-  result: z4.unknown().optional(),
-  error: z4.object({
-    code: z4.number(),
-    message: z4.string()
+var RelayResponseMessageSchema = z5.object({
+  type: z5.literal("relay_response"),
+  id: z5.string().uuid(),
+  result: z5.unknown().optional(),
+  error: z5.object({
+    code: z5.number(),
+    message: z5.string()
   }).optional()
 });
-var ResponseMessageSchema = z4.object({
-  type: z4.literal("response"),
-  id: z4.string().uuid(),
-  result: z4.unknown().optional(),
-  error: z4.object({
-    code: z4.number(),
-    message: z4.string()
+var ResponseMessageSchema = z5.object({
+  type: z5.literal("response"),
+  id: z5.string().uuid(),
+  result: z5.unknown().optional(),
+  error: z5.object({
+    code: z5.number(),
+    message: z5.string()
   }).optional()
 });
-var ErrorMessageSchema = z4.object({
-  type: z4.literal("error"),
-  code: z4.string(),
-  message: z4.string(),
-  request_id: z4.string().optional()
+var ErrorMessageSchema = z5.object({
+  type: z5.literal("error"),
+  code: z5.string(),
+  message: z5.string(),
+  request_id: z5.string().optional()
 });
-var RelayProgressMessageSchema = z4.object({
-  type: z4.literal("relay_progress"),
-  id: z4.string().uuid(),
+var RelayProgressMessageSchema = z5.object({
+  type: z5.literal("relay_progress"),
+  id: z5.string().uuid(),
   // request ID this progress relates to
-  progress: z4.number().min(0).max(100).optional(),
+  progress: z5.number().min(0).max(100).optional(),
   // optional percentage
-  message: z4.string().optional()
+  message: z5.string().optional()
   // optional status message
 });
-var RelayStartedMessageSchema = z4.object({
-  type: z4.literal("relay_started"),
-  id: z4.string().uuid(),
-  message: z4.string().optional()
+var RelayStartedMessageSchema = z5.object({
+  type: z5.literal("relay_started"),
+  id: z5.string().uuid(),
+  message: z5.string().optional()
 });
-var HeartbeatMessageSchema = z4.object({
-  type: z4.literal("heartbeat"),
-  owner: z4.string().min(1),
-  capacity: z4.object({
-    current_load: z4.number(),
-    max_concurrent: z4.number(),
-    queue_depth: z4.number()
+var HeartbeatMessageSchema = z5.object({
+  type: z5.literal("heartbeat"),
+  owner: z5.string().min(1),
+  capacity: z5.object({
+    current_load: z5.number(),
+    max_concurrent: z5.number(),
+    queue_depth: z5.number()
   }),
-  self_summary: z4.object({
-    capabilities: z4.array(z4.string()),
-    success_rate: z4.number(),
-    credit_balance: z4.number(),
-    total_completed: z4.number(),
-    provider_number: z4.number(),
-    reliability: z4.object({
-      current_streak: z4.number(),
-      repeat_hire_rate: z4.number(),
-      avg_feedback: z4.number()
+  self_summary: z5.object({
+    capabilities: z5.array(z5.string()),
+    success_rate: z5.number(),
+    credit_balance: z5.number(),
+    total_completed: z5.number(),
+    provider_number: z5.number(),
+    reliability: z5.object({
+      current_streak: z5.number(),
+      repeat_hire_rate: z5.number(),
+      avg_feedback: z5.number()
     })
   })
 });
-var EscrowHoldMessageSchema = z4.object({
-  type: z4.literal("escrow_hold"),
-  consumer_agent_id: z4.string().min(1),
-  provider_agent_id: z4.string().min(1),
-  skill_id: z4.string().min(1),
-  amount: z4.number().positive(),
-  request_id: z4.string().uuid(),
-  signature: z4.string().optional(),
-  public_key: z4.string().optional()
+var EscrowHoldMessageSchema = z5.object({
+  type: z5.literal("escrow_hold"),
+  consumer_agent_id: z5.string().min(1),
+  provider_agent_id: z5.string().min(1),
+  skill_id: z5.string().min(1),
+  amount: z5.number().positive(),
+  request_id: z5.string().uuid(),
+  signature: z5.string().optional(),
+  public_key: z5.string().optional()
 });
-var EscrowHoldConfirmedMessageSchema = z4.object({
-  type: z4.literal("escrow_hold_confirmed"),
-  request_id: z4.string(),
-  escrow_id: z4.string(),
-  hold_amount: z4.number(),
-  consumer_remaining: z4.number()
+var EscrowHoldConfirmedMessageSchema = z5.object({
+  type: z5.literal("escrow_hold_confirmed"),
+  request_id: z5.string(),
+  escrow_id: z5.string(),
+  hold_amount: z5.number(),
+  consumer_remaining: z5.number()
 });
-var EscrowSettleMessageSchema = z4.object({
-  type: z4.literal("escrow_settle"),
-  escrow_id: z4.string().min(1),
-  request_id: z4.string().uuid(),
-  success: z4.boolean(),
-  failure_reason: z4.enum(["bad_execution", "overload", "timeout", "auth_error", "not_found"]).optional(),
-  result_hash: z4.string().optional(),
-  signature: z4.string().optional(),
-  public_key: z4.string().optional(),
-  consumer_agent_id: z4.string().optional()
+var EscrowSettleMessageSchema = z5.object({
+  type: z5.literal("escrow_settle"),
+  escrow_id: z5.string().min(1),
+  request_id: z5.string().uuid(),
+  success: z5.boolean(),
+  failure_reason: z5.enum(["bad_execution", "overload", "timeout", "auth_error", "not_found"]).optional(),
+  result_hash: z5.string().optional(),
+  signature: z5.string().optional(),
+  public_key: z5.string().optional(),
+  consumer_agent_id: z5.string().optional()
 });
-var EscrowSettledMessageSchema = z4.object({
-  type: z4.literal("escrow_settled"),
-  escrow_id: z4.string(),
-  request_id: z4.string(),
-  provider_earned: z4.number(),
-  network_fee: z4.number(),
-  consumer_remaining: z4.number(),
-  provider_balance: z4.number()
+var EscrowSettledMessageSchema = z5.object({
+  type: z5.literal("escrow_settled"),
+  escrow_id: z5.string(),
+  request_id: z5.string(),
+  provider_earned: z5.number(),
+  network_fee: z5.number(),
+  consumer_remaining: z5.number(),
+  provider_balance: z5.number()
 });
-var BalanceSyncMessageSchema = z4.object({
-  type: z4.literal("balance_sync"),
-  agent_id: z4.string().min(1)
+var BalanceSyncMessageSchema = z5.object({
+  type: z5.literal("balance_sync"),
+  agent_id: z5.string().min(1)
 });
-var BalanceSyncResponseMessageSchema = z4.object({
-  type: z4.literal("balance_sync_response"),
-  agent_id: z4.string(),
-  balance: z4.number()
+var BalanceSyncResponseMessageSchema = z5.object({
+  type: z5.literal("balance_sync_response"),
+  agent_id: z5.string(),
+  balance: z5.number()
 });
-var RelayMessageSchema = z4.discriminatedUnion("type", [
+var RelayMessageSchema = z5.discriminatedUnion("type", [
   RegisterMessageSchema,
   RegisteredMessageSchema,
   RelayRequestMessageSchema,
@@ -4618,7 +4786,13 @@ var RelayMessageSchema = z4.discriminatedUnion("type", [
   EscrowSettleMessageSchema,
   EscrowSettledMessageSchema,
   BalanceSyncMessageSchema,
-  BalanceSyncResponseMessageSchema
+  BalanceSyncResponseMessageSchema,
+  SessionOpenMessageSchema,
+  SessionAckMessageSchema,
+  SessionMessageMessageSchema,
+  SessionEndMessageSchema,
+  SessionSettledMessageSchema,
+  SessionErrorMessageSchema
 ]);
 // src/relay/websocket-client.ts
@@ -5005,8 +5179,8 @@ import { randomUUID as randomUUID12 } from "crypto";
 import { randomUUID as randomUUID13 } from "crypto";
 // src/cli/peers.ts
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, existsSync as existsSync4, mkdirSync as mkdirSync3 } from "fs";
-import { join as join4 } from "path";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync4, existsSync as existsSync4, mkdirSync as mkdirSync3 } from "fs";
+import { join as join5 } from "path";
 // src/autonomy/auto-request.ts
 function minMaxNormalize(values) {
@@ -5123,7 +5297,8 @@ async function matchSubTasks(opts) {
 }
 // src/conductor/budget-controller.ts
-var ORCHESTRATION_FEE = 5;
+var coreConductor = loadCoreConfig("economics");
+var ORCHESTRATION_FEE = coreConductor?.conductor?.orchestration_fee ?? 5;
 var BudgetController = class {
   /**
    * Creates a new BudgetController.
@@ -5539,8 +5714,9 @@ async function orchestrate(opts) {
 }
 // src/credit/budget.ts
+var coreBudget = loadCoreConfig("economics");
 var DEFAULT_BUDGET_CONFIG = {
-  reserve_credits: 20
+  reserve_credits: coreBudget?.budget_reserve_credits ?? 20
 };
 var BudgetManager = class {
   /**
@@ -5978,18 +6154,18 @@ var ConductorMode = class {
 };
 // src/credit/escrow-receipt.ts
-import { z as z5 } from "zod";
+import { z as z6 } from "zod";
 import { randomUUID as randomUUID15 } from "crypto";
-var EscrowReceiptSchema = z5.object({
-  requester_owner: z5.string().min(1),
-  requester_agent_id: z5.string().optional(),
-  requester_public_key: z5.string().min(1),
-  amount: z5.number().positive(),
-  card_id: z5.string().min(1),
-  skill_id: z5.string().optional(),
-  timestamp: z5.string(),
-  nonce: z5.string().uuid(),
-  signature: z5.string().min(1)
+var EscrowReceiptSchema = z6.object({
+  requester_owner: z6.string().min(1),
+  requester_agent_id: z6.string().optional(),
+  requester_public_key: z6.string().min(1),
+  amount: z6.number().positive(),
+  card_id: z6.string().min(1),
+  skill_id: z6.string().optional(),
+  timestamp: z6.string(),
+  nonce: z6.string().uuid(),
+  signature: z6.string().min(1)
 });
 function createSignedEscrowReceipt(db, privateKey, publicKey, opts) {
   const escrowId = holdEscrow(db, opts.owner, opts.amount, opts.cardId);
@@ -6310,16 +6486,16 @@ var AgentBnBProvider = class {
 };
 // src/identity/guarantor.ts
-import { z as z6 } from "zod";
+import { z as z7 } from "zod";
 import { randomUUID as randomUUID16 } from "crypto";
 var MAX_AGENTS_PER_GUARANTOR = 10;
 var GUARANTOR_CREDIT_POOL = 50;
-var GuarantorRecordSchema = z6.object({
-  id: z6.string().uuid(),
-  github_login: z6.string().min(1),
-  agent_count: z6.number().int().nonnegative(),
-  credit_pool: z6.number().int().nonnegative(),
-  created_at: z6.string().datetime()
+var GuarantorRecordSchema = z7.object({
+  id: z7.string().uuid(),
+  github_login: z7.string().min(1),
+  agent_count: z7.number().int().nonnegative(),
+  credit_pool: z7.number().int().nonnegative(),
+  created_at: z7.string().datetime()
 });
 var GUARANTOR_SCHEMA = `
   CREATE TABLE IF NOT EXISTS guarantors (
@@ -6429,9 +6605,10 @@ function initiateGithubAuth() {
 }
 // src/relay/websocket-relay.ts
-import { randomUUID as randomUUID19 } from "crypto";
+import { randomUUID as randomUUID20 } from "crypto";
 // src/relay/relay-credit.ts
+var coreConductorFee = loadCoreConfig("economics");
 function lookupCardPrice(registryDb, cardId, skillId) {
   const row = registryDb.prepare("SELECT data FROM capability_cards WHERE id = ?").get(cardId);
   if (!row) return null;
@@ -6478,8 +6655,11 @@ function settleForRelay(creditDb, escrowId, recipientOwner) {
 }
 function calculateConductorFee(totalSubTaskCost) {
   if (totalSubTaskCost <= 0) return 0;
-  const fee = Math.ceil(totalSubTaskCost * 0.1);
-  return Math.max(1, Math.min(20, fee));
+  const rate = coreConductorFee?.conductor?.sub_task_fee_rate ?? 0.1;
+  const min = coreConductorFee?.conductor?.sub_task_fee_min ?? 1;
+  const max = coreConductorFee?.conductor?.sub_task_fee_max ?? 20;
+  const fee = Math.ceil(totalSubTaskCost * rate);
+  return Math.max(min, Math.min(max, fee));
 }
 function releaseForRelay(creditDb, escrowId) {
   if (escrowId === void 0) return;
@@ -6533,10 +6713,9 @@ function processEscrowSettle(creditDb, escrowId, success, providerAgentId, signa
   if (!escrowRow) {
     throw new Error(`Escrow not found or already settled: ${escrowId}`);
   }
-  const NETWORK_FEE_RATE2 = 0.05;
   if (success) {
     settleEscrow(creditDb, escrowId, providerAgentId);
-    const networkFee = Math.floor(escrowRow.amount * NETWORK_FEE_RATE2);
+    const networkFee = Math.floor(escrowRow.amount * NETWORK_FEE_RATE);
     const providerAmount = escrowRow.amount - networkFee;
     return {
       escrow_id: escrowId,
@@ -6601,12 +6780,413 @@ function handleJobRelayResponse(opts) {
   }
 }
+// src/session/session-manager.ts
+import { randomUUID as randomUUID19 } from "crypto";
+// src/session/session-escrow.ts
+var SessionEscrow = class {
+  constructor(creditDb) {
+    this.creditDb = creditDb;
+  }
+  /** escrowId → { budget, spent } */
+  tracking = /* @__PURE__ */ new Map();
+  /**
+   * Hold the full session budget in escrow.
+   * @returns The escrow ID for tracking.
+   */
+  holdBudget(owner, budget, cardId) {
+    const escrowId = holdEscrow(this.creditDb, owner, budget, cardId);
+    this.tracking.set(escrowId, { budget, spent: 0 });
+    return escrowId;
+  }
+  /**
+   * Record a per-message deduction against the session budget.
+   * Does not touch the DB — tracking is in-memory until settle.
+   */
+  deductMessage(escrowId, rate) {
+    return this.deduct(escrowId, rate);
+  }
+  /**
+   * Record a per-minute deduction against the session budget.
+   */
+  deductMinute(escrowId, rate) {
+    return this.deduct(escrowId, rate);
+  }
+  /**
+   * Settle the session escrow. Pays the provider the actual cost and
+   * refunds the remainder to the requester.
+   */
+  settle(escrowId, providerOwner) {
+    const t = this.tracking.get(escrowId);
+    if (!t) {
+      settleEscrow(this.creditDb, escrowId, providerOwner);
+      return;
+    }
+    if (t.spent <= 0) {
+      releaseEscrow(this.creditDb, escrowId);
+    } else {
+      settleEscrow(this.creditDb, escrowId, providerOwner);
+    }
+    this.tracking.delete(escrowId);
+  }
+  /**
+   * Release the escrow entirely — full refund to requester.
+   */
+  refund(escrowId) {
+    releaseEscrow(this.creditDb, escrowId);
+    this.tracking.delete(escrowId);
+  }
+  /**
+   * Get remaining budget for a session escrow.
+   */
+  getRemainingBudget(escrowId) {
+    const t = this.tracking.get(escrowId);
+    if (!t) return 0;
+    return t.budget - t.spent;
+  }
+  /**
+   * Get total spent for a session escrow.
+   */
+  getSpent(escrowId) {
+    return this.tracking.get(escrowId)?.spent ?? 0;
+  }
+  /**
+   * Check if the budget is exhausted.
+   */
+  isBudgetExhausted(escrowId) {
+    return this.getRemainingBudget(escrowId) <= 0;
+  }
+  /**
+   * Calculate the cost for a single interaction based on pricing model.
+   */
+  calculateCost(pricingModel, rate, durationMinutes) {
+    switch (pricingModel) {
+      case "per_message":
+        return rate;
+      case "per_minute":
+        return Math.ceil(durationMinutes ?? 1) * rate;
+      case "per_session":
+        return rate;
+    }
+  }
+  deduct(escrowId, amount) {
+    const t = this.tracking.get(escrowId);
+    if (!t) {
+      throw new Error(`No session escrow tracking for ${escrowId}`);
+    }
+    t.spent += amount;
+    return { spent: t.spent, remaining: t.budget - t.spent };
+  }
+};
+// src/session/session-manager.ts
+var SessionManager = class {
+  sessions = /* @__PURE__ */ new Map();
+  idleTimers = /* @__PURE__ */ new Map();
+  durationTimers = /* @__PURE__ */ new Map();
+  escrow;
+  config;
+  sendToAgent;
+  /** Maps agent connection key → set of session IDs they participate in. */
+  agentSessions = /* @__PURE__ */ new Map();
+  constructor(opts) {
+    this.escrow = new SessionEscrow(opts.creditDb);
+    this.config = opts.config ?? loadSessionConfig();
+    this.sendToAgent = opts.sendToAgent;
+  }
+  /**
+   * Open a new session between requester and provider.
+   */
+  openSession(msg, requesterKey) {
+    const requesterSessions = this.agentSessions.get(requesterKey);
+    if (requesterSessions && requesterSessions.size >= this.config.abuse.max_concurrent_sessions_per_agent) {
+      this.sendToAgent(requesterKey, {
+        type: "session_error",
+        session_id: msg.session_id,
+        code: "MAX_CONCURRENT_SESSIONS",
+        message: `Maximum concurrent sessions (${this.config.abuse.max_concurrent_sessions_per_agent}) reached`
+      });
+      throw new Error("Max concurrent sessions reached");
+    }
+    const escrowId = this.escrow.holdBudget(msg.requester_id, msg.budget, msg.card_id);
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const session = {
+      id: msg.session_id,
+      requester_id: msg.requester_id,
+      provider_id: msg.provider_id,
+      skill_id: msg.skill_id,
+      card_id: msg.card_id,
+      status: "open",
+      escrow_id: escrowId,
+      budget: msg.budget,
+      spent: 0,
+      pricing_model: msg.pricing_model,
+      messages: [],
+      created_at: now,
+      updated_at: now
+    };
+    this.sessions.set(session.id, session);
+    this.trackAgentSession(requesterKey, session.id);
+    this.trackAgentSession(msg.provider_id, session.id);
+    this.sendToAgent(requesterKey, {
+      type: "session_ack",
+      session_id: session.id,
+      escrow_id: escrowId,
+      status: "open"
+    });
+    const initialMsg = this.createMessage(session.id, "requester", msg.initial_message);
+    session.messages.push(initialMsg);
+    session.status = "active";
+    session.updated_at = (/* @__PURE__ */ new Date()).toISOString();
+    this.sendToAgent(msg.provider_id, {
+      type: "session_message",
+      session_id: session.id,
+      sender: "requester",
+      content: msg.initial_message
+    });
+    if (session.pricing_model === "per_session") {
+      const cost = this.config.pricing.per_session_flat_rate;
+      this.escrow.deductMessage(escrowId, cost);
+      session.spent = cost;
+    }
+    this.resetIdleTimer(session.id);
+    this.startDurationTimer(session.id);
+    return session;
+  }
+  /**
+   * Route a message within an active session.
+   */
+  routeMessage(msg, senderKey) {
+    const session = this.sessions.get(msg.session_id);
+    if (!session) {
+      this.sendToAgent(senderKey, {
+        type: "session_error",
+        session_id: msg.session_id,
+        code: "SESSION_NOT_FOUND",
+        message: "Session not found"
+      });
+      return;
+    }
+    if (session.status !== "active") {
+      this.sendToAgent(senderKey, {
+        type: "session_error",
+        session_id: msg.session_id,
+        code: "SESSION_NOT_ACTIVE",
+        message: `Session is ${session.status}, not active`
+      });
+      return;
+    }
+    if (session.messages.length >= this.config.pricing.max_messages_per_session) {
+      this.endSessionInternal(session, "budget_exhausted");
+      return;
+    }
+    if (session.pricing_model === "per_message" && msg.sender === "provider") {
+      const rate = this.config.pricing.per_message_base_rate;
+      const { remaining } = this.escrow.deductMessage(session.escrow_id, rate);
+      session.spent += rate;
+      if (remaining <= 0) {
+        const record2 = this.createMessage(session.id, msg.sender, msg.content, msg.metadata);
+        session.messages.push(record2);
+        session.updated_at = (/* @__PURE__ */ new Date()).toISOString();
+        const targetKey2 = this.getCounterpartyKey(session, msg.sender);
+        this.sendToAgent(targetKey2, {
+          type: "session_message",
+          session_id: session.id,
+          sender: msg.sender,
+          content: msg.content,
+          metadata: msg.metadata
+        });
+        this.endSessionInternal(session, "budget_exhausted");
+        return;
+      }
+    }
+    const record = this.createMessage(session.id, msg.sender, msg.content, msg.metadata);
+    session.messages.push(record);
+    session.updated_at = (/* @__PURE__ */ new Date()).toISOString();
+    const targetKey = this.getCounterpartyKey(session, msg.sender);
+    this.sendToAgent(targetKey, {
+      type: "session_message",
+      session_id: session.id,
+      sender: msg.sender,
+      content: msg.content,
+      metadata: msg.metadata
+    });
+    this.resetIdleTimer(session.id);
+  }
+  /**
+   * End a session at the request of either party.
+   */
+  endSession(msg, _senderKey) {
+    const session = this.sessions.get(msg.session_id);
+    if (!session) return;
+    if (session.status === "settled" || session.status === "closed") return;
+    this.endSessionInternal(session, msg.reason);
+  }
+  /**
+   * Handle agent disconnection — end all their active sessions.
+   */
+  handleDisconnect(agentKey) {
+    const sessionIds = this.agentSessions.get(agentKey);
+    if (!sessionIds) return;
+    for (const sessionId of sessionIds) {
+      const session = this.sessions.get(sessionId);
+      if (session && session.status !== "settled" && session.status !== "closed") {
+        this.endSessionInternal(session, "error");
+      }
+    }
+  }
+  /** Get a session by ID. */
+  getSession(sessionId) {
+    return this.sessions.get(sessionId);
+  }
+  /** List sessions, optionally filtered by agent. */
+  listSessions(agentId) {
+    if (!agentId) return Array.from(this.sessions.values());
+    return Array.from(this.sessions.values()).filter(
+      (s) => s.requester_id === agentId || s.provider_id === agentId
+    );
+  }
+  /** Clean up all timers (for graceful shutdown). */
+  shutdown() {
+    for (const timer of this.idleTimers.values()) clearTimeout(timer);
+    for (const timer of this.durationTimers.values()) clearTimeout(timer);
+    this.idleTimers.clear();
+    this.durationTimers.clear();
+  }
+  // -------------------------------------------------------------------------
+  // Internal helpers
+  // -------------------------------------------------------------------------
+  endSessionInternal(session, reason) {
+    session.status = "closing";
+    session.end_reason = reason;
+    session.ended_at = (/* @__PURE__ */ new Date()).toISOString();
+    this.clearTimers(session.id);
+    if (session.spent > 0) {
+      this.escrow.settle(session.escrow_id, session.provider_id);
+    } else {
+      this.escrow.refund(session.escrow_id);
+    }
+    const durationMs = Date.now() - new Date(session.created_at).getTime();
+    const settledMsg = {
+      type: "session_settled",
+      session_id: session.id,
+      total_cost: session.spent,
+      messages_count: session.messages.length,
+      duration_seconds: Math.round(durationMs / 1e3),
+      refunded: session.budget - session.spent
+    };
+    session.status = "settled";
+    session.updated_at = (/* @__PURE__ */ new Date()).toISOString();
+    this.sendToAgent(session.requester_id, settledMsg);
+    this.sendToAgent(session.provider_id, settledMsg);
+    session.status = "closed";
+    this.untrackAgentSession(session.requester_id, session.id);
+    this.untrackAgentSession(session.provider_id, session.id);
+  }
+  resetIdleTimer(sessionId) {
+    const existing = this.idleTimers.get(sessionId);
+    if (existing) clearTimeout(existing);
+    const timer = setTimeout(() => {
+      const session = this.sessions.get(sessionId);
+      if (session && session.status === "active") {
+        this.endSessionInternal(session, "timeout");
+      }
+    }, this.config.timeouts.idle_timeout_ms);
+    this.idleTimers.set(sessionId, timer);
+  }
+  startDurationTimer(sessionId) {
+    const timer = setTimeout(() => {
+      const session = this.sessions.get(sessionId);
+      if (session && session.status !== "settled" && session.status !== "closed") {
+        this.endSessionInternal(session, "timeout");
+      }
+    }, this.config.timeouts.max_session_duration_ms);
+    this.durationTimers.set(sessionId, timer);
+  }
+  clearTimers(sessionId) {
+    const idle = this.idleTimers.get(sessionId);
+    if (idle) {
+      clearTimeout(idle);
+      this.idleTimers.delete(sessionId);
+    }
+    const dur = this.durationTimers.get(sessionId);
+    if (dur) {
+      clearTimeout(dur);
+      this.durationTimers.delete(sessionId);
+    }
+  }
+  createMessage(sessionId, sender, content, metadata) {
+    return {
+      id: randomUUID19(),
+      session_id: sessionId,
+      sender,
+      content,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      metadata
+    };
+  }
+  getCounterpartyKey(session, sender) {
+    return sender === "requester" ? session.provider_id : session.requester_id;
+  }
+  trackAgentSession(agentKey, sessionId) {
+    let set = this.agentSessions.get(agentKey);
+    if (!set) {
+      set = /* @__PURE__ */ new Set();
+      this.agentSessions.set(agentKey, set);
+    }
+    set.add(sessionId);
+  }
+  untrackAgentSession(agentKey, sessionId) {
+    const set = this.agentSessions.get(agentKey);
+    if (set) {
+      set.delete(sessionId);
+      if (set.size === 0) this.agentSessions.delete(agentKey);
+    }
+  }
+};
+// src/session/session-relay.ts
+function attachSessionHandler(opts) {
+  const { sessionManager } = opts;
+  return {
+    handleSessionMessage(msg, senderKey) {
+      if (!SESSION_MESSAGE_TYPES.has(msg.type)) return false;
+      switch (msg.type) {
+        case "session_open": {
+          const parsed = SessionOpenMessageSchema.parse(msg);
+          sessionManager.openSession(parsed, senderKey);
+          return true;
+        }
+        case "session_message": {
+          const parsed = SessionMessageMessageSchema.parse(msg);
+          sessionManager.routeMessage(parsed, senderKey);
+          return true;
+        }
+        case "session_end": {
+          const parsed = SessionEndMessageSchema.parse(msg);
+          sessionManager.endSession(parsed, senderKey);
+          return true;
+        }
+        // session_ack, session_settled, session_error are relay→agent only
+        // They should not arrive from agents, but we silently absorb them
+        case "session_ack":
+        case "session_settled":
+        case "session_error":
+          return true;
+        default:
+          return false;
+      }
+    }
+  };
+}
 // src/relay/websocket-relay.ts
-var RATE_LIMIT_MAX = 60;
-var RATE_LIMIT_WINDOW_MS = 6e4;
-var RELAY_IDLE_TIMEOUT_MS = 3e4;
-var RELAY_HARD_TIMEOUT_MS = 3e5;
-var RELAY_DISCONNECT_GRACE_MS = RELAY_HARD_TIMEOUT_MS + 3e4;
+var coreRelay = loadCoreConfig("relay");
+var RATE_LIMIT_MAX = coreRelay?.rate_limit_max ?? 60;
+var RATE_LIMIT_WINDOW_MS = coreRelay?.rate_limit_window_ms ?? 6e4;
+var RELAY_IDLE_TIMEOUT_MS = coreRelay?.relay_idle_timeout_ms ?? 3e4;
+var RELAY_HARD_TIMEOUT_MS = coreRelay?.relay_hard_timeout_ms ?? 3e5;
+var RELAY_DISCONNECT_GRACE_MS = coreRelay?.relay_disconnect_grace_ms ?? RELAY_HARD_TIMEOUT_MS + 3e4;
 function readTimeoutOverride(envKey, fallbackMs) {
   const raw = process.env[envKey];
   if (!raw) return fallbackMs;
@@ -6837,7 +7417,7 @@ function registerWebSocketRelay(server, db, creditDb) {
   function logAgentJoined(owner, cardName, cardId) {
     try {
       insertRequestLog(db, {
-        id: randomUUID19(),
+        id: randomUUID20(),
         card_id: cardId,
         card_name: cardName,
         requester: owner,
@@ -6855,6 +7435,19 @@ function registerWebSocketRelay(server, db, creditDb) {
       ws.send(JSON.stringify(msg));
     }
   }
+  function sendToAgentByKey(agentKey, msg) {
+    const connKey = resolveConnectionKey(agentKey);
+    const ws = connKey ? connections.get(connKey) : void 0;
+    if (ws && ws.readyState === 1) {
+      ws.send(JSON.stringify(msg));
+    }
+  }
+  const sessionManager = creditDb ? new SessionManager({
+    creditDb,
+    sendToAgent: sendToAgentByKey,
+    isAgentOnline: (key) => !!resolveConnectionKey(key)
+  }) : void 0;
+  const sessionHandler = sessionManager ? attachSessionHandler({ sessionManager }) : void 0;
   function handleRegister(ws, msg) {
     const { owner, card } = msg;
     const existing = connections.get(owner);
@@ -7074,6 +7667,9 @@ function registerWebSocketRelay(server, db, creditDb) {
       }
     }
     markOwnerOffline(owner);
+    if (sessionManager) {
+      sessionManager.handleDisconnect(owner);
+    }
     for (const [reqId, pending] of pendingRequests) {
       if (pending.targetOwner === owner) {
         clearPendingTimers(pending);
@@ -7268,6 +7864,13 @@ function registerWebSocketRelay(server, db, creditDb) {
               handleBalanceSync(socket, msg);
               break;
             default:
+              if (sessionHandler && registeredOwner) {
+                const handled = sessionHandler.handleSessionMessage(
+                  msg,
+                  registeredOwner
+                );
+                if (handled) break;
+              }
               break;
           }
         })();
@@ -7302,6 +7905,7 @@ function registerWebSocketRelay(server, db, creditDb) {
       pendingRequests.clear();
       rateLimits.clear();
       agentCapacities.clear();
+      if (sessionManager) sessionManager.shutdown();
     },
     setOnAgentOnline: (cb) => {
       onAgentOnlineCallback = cb;
@@ -7317,12 +7921,12 @@ function registerWebSocketRelay(server, db, creditDb) {
 }
 // src/onboarding/index.ts
-import { randomUUID as randomUUID21 } from "crypto";
-import { existsSync as existsSync5, readFileSync as readFileSync5 } from "fs";
-import { join as join5 } from "path";
+import { randomUUID as randomUUID22 } from "crypto";
+import { existsSync as existsSync5, readFileSync as readFileSync6 } from "fs";
+import { join as join6 } from "path";
 // src/cli/onboarding.ts
-import { randomUUID as randomUUID20 } from "crypto";
+import { randomUUID as randomUUID21 } from "crypto";
 import { createConnection } from "net";
 var KNOWN_API_KEYS = [
   "OPENAI_API_KEY",
@@ -7418,9 +8022,9 @@ var DOC_FILES = ["SOUL.md", "CLAUDE.md", "AGENTS.md", "README.md"];
 function detectCapabilities(opts = {}) {
   const cwd = opts.cwd ?? process.cwd();
   if (opts.fromFile) {
-    const filePath = opts.fromFile.startsWith("/") ? opts.fromFile : join5(cwd, opts.fromFile);
+    const filePath = opts.fromFile.startsWith("/") ? opts.fromFile : join6(cwd, opts.fromFile);
     if (existsSync5(filePath)) {
-      const content = readFileSync5(filePath, "utf-8");
+      const content = readFileSync6(filePath, "utf-8");
       const capabilities = detectFromDocs(content);
       if (capabilities.length > 0) {
         return { source: "docs", capabilities, sourceFile: filePath };
@@ -7429,9 +8033,9 @@ function detectCapabilities(opts = {}) {
     return { source: "none", capabilities: [] };
   }
   for (const fileName of DOC_FILES) {
-    const filePath = join5(cwd, fileName);
+    const filePath = join6(cwd, fileName);
     if (!existsSync5(filePath)) continue;
-    const content = readFileSync5(filePath, "utf-8");
+    const content = readFileSync6(filePath, "utf-8");
     if (fileName === "SOUL.md") {
       return { source: "soul", capabilities: [], soulContent: content, sourceFile: filePath };
     }
@@ -7464,7 +8068,7 @@ function capabilitiesToV2Card(capabilities, owner, agentName) {
   }));
   const card = {
     spec_version: "2.0",
-    id: randomUUID21(),
+    id: randomUUID22(),
     owner,
     agent_name: agentName ?? owner,
     skills,