ape-claw 0.1.0

package/src/lib/v2-onchain-abi.mjs

@@ -0,0 +1,294 @@
+export const SkillNFT_ABI = [
+  {
+    type: "function",
+    name: "mintSkill",
+    stateMutability: "nonpayable",
+    inputs: [{ name: "parentId", type: "uint256" }],
+    outputs: [{ name: "skillId", type: "uint256" }],
+  },
+  {
+    type: "function",
+    name: "mintSkillWithRoyalty",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "parentId", type: "uint256" },
+      { name: "receiver", type: "address" },
+      { name: "feeBps", type: "uint96" },
+    ],
+    outputs: [{ name: "skillId", type: "uint256" }],
+  },
+  {
+    type: "function",
+    name: "setSkillRoyalty",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "skillId", type: "uint256" },
+      { name: "receiver", type: "address" },
+      { name: "feeBps", type: "uint96" },
+    ],
+    outputs: [],
+  },
+  {
+    type: "function",
+    name: "royaltyInfo",
+    stateMutability: "view",
+    inputs: [
+      { name: "tokenId", type: "uint256" },
+      { name: "salePrice", type: "uint256" },
+    ],
+    outputs: [
+      { name: "receiver", type: "address" },
+      { name: "royaltyAmount", type: "uint256" },
+    ],
+  },
+  {
+    type: "function",
+    name: "nextSkillId",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ type: "uint256" }],
+  },
+];
+
+export const SkillRegistry_ABI = [
+  {
+    type: "function",
+    name: "publishVersion",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "skillId", type: "uint256" },
+      { name: "versionHash", type: "bytes32" },
+      { name: "contentHash", type: "bytes32" },
+      { name: "uri", type: "string" },
+      { name: "riskTier", type: "uint8" },
+    ],
+    outputs: [],
+  },
+  {
+    type: "function",
+    name: "versionCount",
+    stateMutability: "view",
+    inputs: [{ name: "skillId", type: "uint256" }],
+    outputs: [{ type: "uint256" }],
+  },
+];
+
+export const IntentRegistry_ABI = [
+  {
+    type: "function",
+    name: "createIntent",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "intentHash", type: "bytes32" },
+      { name: "expiresAt", type: "uint64" },
+    ],
+    outputs: [{ name: "intentId", type: "uint256" }],
+  },
+  {
+    type: "function",
+    name: "cancelIntent",
+    stateMutability: "nonpayable",
+    inputs: [{ name: "intentId", type: "uint256" }],
+    outputs: [],
+  },
+  {
+    type: "function",
+    name: "isActive",
+    stateMutability: "view",
+    inputs: [{ name: "intentId", type: "uint256" }],
+    outputs: [{ type: "bool" }],
+  },
+];
+
+export const ReceiptRegistry_ABI = [
+  {
+    type: "function",
+    name: "recordReceipt",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "traceIdHash", type: "bytes32" },
+      { name: "contentHash", type: "bytes32" },
+      { name: "subject", type: "bytes32" },
+      { name: "uri", type: "string" },
+    ],
+    outputs: [],
+  },
+  {
+    type: "function",
+    name: "isRecorded",
+    stateMutability: "view",
+    inputs: [{ name: "traceIdHash", type: "bytes32" }],
+    outputs: [{ type: "bool" }],
+  },
+  {
+    type: "function",
+    name: "getReceipt",
+    stateMutability: "view",
+    inputs: [{ name: "traceIdHash", type: "bytes32" }],
+    outputs: [
+      {
+        name: "receipt",
+        type: "tuple",
+        components: [
+          { name: "traceIdHash", type: "bytes32" },
+          { name: "contentHash", type: "bytes32" },
+          { name: "subject", type: "bytes32" },
+          { name: "uri", type: "string" },
+          { name: "recordedAt", type: "uint64" },
+          { name: "recorder", type: "address" },
+        ],
+      },
+    ],
+  },
+];
+
+export const PolicyEngine_ABI = [
+  {
+    type: "function",
+    name: "setMaxValuePerTx",
+    stateMutability: "nonpayable",
+    inputs: [{ name: "v", type: "uint256" }],
+    outputs: [],
+  },
+  {
+    type: "function",
+    name: "setModuleAllowed",
+    stateMutability: "nonpayable",
+    inputs: [{ name: "module", type: "address" }, { name: "allowed", type: "bool" }],
+    outputs: [],
+  },
+  {
+    type: "function",
+    name: "setTargetAllowed",
+    stateMutability: "nonpayable",
+    inputs: [{ name: "target", type: "address" }, { name: "allowed", type: "bool" }],
+    outputs: [],
+  },
+  {
+    type: "function",
+    name: "setSelectorAllowed",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "target", type: "address" },
+      { name: "selector", type: "bytes4" },
+      { name: "allowed", type: "bool" },
+    ],
+    outputs: [],
+  },
+  {
+    type: "function",
+    name: "preCheck",
+    stateMutability: "view",
+    inputs: [
+      { name: "module", type: "address" },
+      { name: "target", type: "address" },
+      { name: "selector", type: "bytes4" },
+      { name: "value", type: "uint256" },
+    ],
+    outputs: [],
+  },
+];
+
+export const AgentAccount_ABI = [
+  {
+    type: "function",
+    name: "executeSkill",
+    stateMutability: "payable",
+    inputs: [
+      { name: "module", type: "address" },
+      { name: "input", type: "bytes" },
+      { name: "value", type: "uint256" },
+      { name: "traceIdHash", type: "bytes32" },
+      { name: "subjectHash", type: "bytes32" },
+      { name: "uri", type: "string" },
+    ],
+    outputs: [{ name: "output", type: "bytes" }],
+  },
+  {
+    type: "function",
+    name: "setPolicyEngine",
+    stateMutability: "nonpayable",
+    inputs: [{ name: "policyEngine", type: "address" }],
+    outputs: [],
+  },
+  {
+    type: "function",
+    name: "setReceiptRegistry",
+    stateMutability: "nonpayable",
+    inputs: [{ name: "receiptRegistry", type: "address" }],
+    outputs: [],
+  },
+];
+
+export const PodVault_ABI = [
+  {
+    type: "function",
+    name: "totalShares",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ name: "", type: "uint256" }],
+  },
+  {
+    type: "function",
+    name: "totalReleasedNative",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ name: "", type: "uint256" }],
+  },
+  {
+    type: "function",
+    name: "memberCount",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ name: "", type: "uint256" }],
+  },
+  {
+    type: "function",
+    name: "memberAt",
+    stateMutability: "view",
+    inputs: [{ name: "idx", type: "uint256" }],
+    outputs: [{ name: "", type: "address" }],
+  },
+  {
+    type: "function",
+    name: "shares",
+    stateMutability: "view",
+    inputs: [{ name: "member", type: "address" }],
+    outputs: [{ name: "", type: "uint256" }],
+  },
+  {
+    type: "function",
+    name: "pendingNative",
+    stateMutability: "view",
+    inputs: [{ name: "member", type: "address" }],
+    outputs: [{ name: "", type: "uint256" }],
+  },
+  {
+    type: "function",
+    name: "releaseNative",
+    stateMutability: "nonpayable",
+    inputs: [{ name: "member", type: "address" }],
+    outputs: [],
+  },
+  {
+    type: "function",
+    name: "pendingToken",
+    stateMutability: "view",
+    inputs: [
+      { name: "token", type: "address" },
+      { name: "member", type: "address" },
+    ],
+    outputs: [{ name: "", type: "uint256" }],
+  },
+  {
+    type: "function",
+    name: "releaseToken",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "token", type: "address" },
+      { name: "member", type: "address" },
+    ],
+    outputs: [],
+  },
+];
+

package/src/lib/v2-skillcard.mjs

@@ -0,0 +1,27 @@
+import fs from "node:fs";
+import { keccak256, toHex } from "viem";
+
+export function stableJsonStringify(obj) {
+  if (obj === null || typeof obj !== "object") return JSON.stringify(obj);
+  if (Array.isArray(obj)) return `[${obj.map(stableJsonStringify).join(",")}]`;
+  const keys = Object.keys(obj).sort();
+  return `{${keys.map((k) => `${JSON.stringify(k)}:${stableJsonStringify(obj[k])}`).join(",")}}`;
+}
+
+export function computeSkillcardContentHash(skillcardObj) {
+  const canon = stableJsonStringify(skillcardObj);
+  return keccak256(toHex(canon));
+}
+
+export function computeSkillVersionHash(versionString) {
+  const v = String(versionString || "").trim() || "0.0.0";
+  return keccak256(toHex(v));
+}
+
+export function readSkillcardJson(filePath) {
+  const raw = fs.readFileSync(filePath, "utf8");
+  const obj = JSON.parse(raw);
+  if (!obj || typeof obj !== "object") throw new Error("invalid skillcard json");
+  return obj;
+}
+

package/src/server/index.mjs

@@ -0,0 +1,169 @@
+/**
+ * ApeClaw telemetry server -- modular entry point.
+ *
+ * Replaces the monolithic telemetry-server.mjs.
+ * All route logic lives in routes/, middleware in middleware/, storage in storage/.
+ */
+
+import http from "node:http";
+import fs from "node:fs";
+import { POLICY_PATH } from "../lib/paths.mjs";
+import { initStorage } from "./storage/index.mjs";
+import { initSseBroadcast, closeAllClients } from "./sse.mjs";
+import { handleCorsPreflightOrSetHeaders } from "./middleware/cors.mjs";
+import { checkRateLimit } from "./middleware/rate-limit.mjs";
+import logger from "./logger.mjs";
+
+import { handleHealth } from "./routes/health.mjs";
+import { handleEventsSse, handleEventsBacklog, handlePostEvent } from "./routes/events.mjs";
+import {
+  handleSkillsSearch, handleSkillsGet, handleSkillsStats,
+  handleSkillcardsUserGet, handleSkillcardsAuthCheck,
+  handleSkillcardsUserAdd, handleSkillcardsUserDelete,
+  handleSkillcardsUserMarkOnchain, handleSkillcardFile,
+} from "./routes/skills.mjs";
+import {
+  handleClawbotsList, handleClawbotsVerify,
+  handleInviteCreate, handleClawbotsRegister,
+} from "./routes/clawbots.mjs";
+import {
+  handleChatStream, handleChatGet, handleChatRooms,
+  handleChatPost, handleChatReact,
+} from "./routes/chat.mjs";
+import { handleV2ReceiptGet, handleV2Config } from "./routes/v2.mjs";
+import { handlePodStatus, handlePodStop } from "./routes/pod.mjs";
+import {
+  handleCreateQuote, handleGetQuote, handlePatchQuote, handleQuotesSpendToday,
+  handleCreateBridgeRequest, handleGetBridgeRequest, handlePatchBridgeRequest, handleBridgeSpendToday,
+} from "./routes/quotes.mjs";
+import {
+  handleAllowlist, handlePolicy, handleRewrite,
+  handleIndex, handleStaticFile,
+} from "./routes/static.mjs";
+
+const PORT = Number(process.env.APE_CLAW_UI_PORT || 8787);
+const BIND_HOST = String(process.env.APE_CLAW_BIND_HOST || "").trim();
+
+const RL_READ = { limit: 60, windowMs: 60_000, keyPrefix: "read" };
+const RL_WRITE = { limit: 10, windowMs: 60_000, keyPrefix: "write" };
+const RL_AUTH = { limit: 5, windowMs: 60_000, keyPrefix: "auth" };
+
+// ── Startup validation ──
+if (!fs.existsSync(POLICY_PATH)) {
+  logger.warn({ path: POLICY_PATH }, "config/policy.json not found — some features may not work");
+}
+if (!process.env.OPENSEA_API_KEY) {
+  logger.info("OPENSEA_API_KEY not set — allowlist icons will be unavailable");
+}
+
+initStorage();
+initSseBroadcast();
+logger.info("Storage initialized, SSE broadcast active");
+
+function safeHandler(fn) {
+  return (req, res, ...args) => {
+    try {
+      const result = fn(req, res, ...args);
+      if (result && typeof result.catch === "function") {
+        result.catch((err) => {
+          logger.error({ err, url: req.url, method: req.method }, "Unhandled route error");
+          if (!res.headersSent) { res.writeHead(500, { "content-type": "application/json" }); }
+          if (!res.writableEnded) { res.end(JSON.stringify({ error: "internal server error" })); }
+        });
+      }
+    } catch (err) {
+      logger.error({ err, url: req.url, method: req.method }, "Sync route error");
+      if (!res.headersSent) { res.writeHead(500, { "content-type": "application/json" }); }
+      if (!res.writableEnded) { res.end(JSON.stringify({ error: "internal server error" })); }
+    }
+  };
+}
+
+const server = http.createServer((req, res) => {
+  if (!req.url) return res.end("bad request");
+  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
+  const pathname = reqUrl.pathname;
+
+  if (handleCorsPreflightOrSetHeaders(req, res)) return;
+
+  if (pathname.startsWith("/api/")) {
+    const isAuth = pathname.startsWith("/api/clawbots/register") || pathname.startsWith("/api/clawbots/verify");
+    const isWrite = req.method === "POST" || req.method === "PATCH";
+    const rl = isAuth ? RL_AUTH : isWrite ? RL_WRITE : RL_READ;
+    if (checkRateLimit(req, res, rl)) return;
+  }
+
+  // ── SSE streams ──
+  if (pathname === "/events") return safeHandler(handleEventsSse)(req, res);
+  if (pathname === "/events/backlog") return safeHandler(handleEventsBacklog)(req, res, reqUrl);
+
+  // ── API routes ──
+  if (pathname === "/api/health") return safeHandler(handleHealth)(req, res);
+  if (pathname === "/api/allowlist") return safeHandler(handleAllowlist)(req, res);
+  if (pathname === "/api/policy") return safeHandler(handlePolicy)(req, res);
+  if (pathname === "/api/skillcards/user" && req.method === "GET") return safeHandler(handleSkillcardsUserGet)(req, res);
+  if (pathname === "/api/skills/search" && req.method === "GET") return safeHandler(handleSkillsSearch)(req, res, reqUrl);
+  if (pathname === "/api/skills/get" && req.method === "GET") return safeHandler(handleSkillsGet)(req, res, reqUrl);
+  if (pathname === "/api/skills/stats" && req.method === "GET") return safeHandler(handleSkillsStats)(req, res);
+  if (pathname === "/api/skillcards/user/auth-check" && req.method === "GET") return safeHandler(handleSkillcardsAuthCheck)(req, res);
+  if (pathname === "/api/skillcards/user/add" && req.method === "POST") return safeHandler(handleSkillcardsUserAdd)(req, res);
+  if (pathname === "/api/skillcards/user/delete" && req.method === "POST") return safeHandler(handleSkillcardsUserDelete)(req, res);
+  if (pathname === "/api/skillcards/user/mark-onchain" && req.method === "POST") return safeHandler(handleSkillcardsUserMarkOnchain)(req, res);
+  if (pathname.startsWith("/skillcards/") && req.method === "GET") return safeHandler(handleSkillcardFile)(req, res, pathname);
+  if (pathname === "/api/clawbots" && req.method === "GET") return safeHandler(handleClawbotsList)(req, res);
+  if (pathname === "/api/clawbots/verify" && req.method === "POST") return safeHandler(handleClawbotsVerify)(req, res);
+  if (pathname === "/api/invites/create" && req.method === "POST") return safeHandler(handleInviteCreate)(req, res);
+  if (pathname === "/api/clawbots/register" && req.method === "POST") return safeHandler(handleClawbotsRegister)(req, res);
+  if (pathname === "/api/events" && req.method === "POST") return safeHandler(handlePostEvent)(req, res);
+  if (pathname === "/api/chat/stream") return safeHandler(handleChatStream)(req, res, reqUrl);
+  if (pathname === "/api/chat" && req.method === "GET") return safeHandler(handleChatGet)(req, res, reqUrl);
+  if (pathname === "/api/chat/rooms" && req.method === "GET") return safeHandler(handleChatRooms)(req, res, reqUrl);
+  if (pathname === "/api/chat" && req.method === "POST") return safeHandler(handleChatPost)(req, res, reqUrl);
+  if (pathname === "/api/chat/react" && req.method === "POST") return safeHandler(handleChatReact)(req, res, reqUrl);
+  if (pathname === "/api/v2/receipt/get" && req.method === "GET") return safeHandler(handleV2ReceiptGet)(req, res, reqUrl);
+  if (pathname === "/api/v2/config" && req.method === "GET") return safeHandler(handleV2Config)(req, res);
+  if (pathname === "/api/pod/status" && req.method === "GET") return safeHandler(handlePodStatus)(req, res);
+  if (pathname === "/api/pod/stop" && req.method === "POST") return safeHandler(handlePodStop)(req, res);
+
+  // ── Quote & bridge-request state APIs (M2) ──
+  if (pathname === "/api/quotes" && req.method === "POST") return safeHandler(handleCreateQuote)(req, res);
+  if (pathname === "/api/quotes/spend-today" && req.method === "GET") return safeHandler(handleQuotesSpendToday)(req, res);
+  if (pathname.startsWith("/api/quotes/") && req.method === "GET") return safeHandler(handleGetQuote)(req, res, reqUrl);
+  if (pathname.startsWith("/api/quotes/") && req.method === "PATCH") return safeHandler(handlePatchQuote)(req, res, reqUrl);
+  if (pathname === "/api/bridge-requests" && req.method === "POST") return safeHandler(handleCreateBridgeRequest)(req, res);
+  if (pathname === "/api/bridge-requests/spend-today" && req.method === "GET") return safeHandler(handleBridgeSpendToday)(req, res);
+  if (pathname.startsWith("/api/bridge-requests/") && req.method === "GET") return safeHandler(handleGetBridgeRequest)(req, res, reqUrl);
+  if (pathname.startsWith("/api/bridge-requests/") && req.method === "PATCH") return safeHandler(handlePatchBridgeRequest)(req, res, reqUrl);
+
+  // ── Static / rewrite ──
+  if (handleRewrite(req, res, pathname)) return;
+  if (pathname === "/" || pathname === "/index.html") return safeHandler(handleIndex)(req, res);
+  if (handleStaticFile(req, res, pathname)) return;
+
+  res.writeHead(404);
+  res.end("not found");
+});
+
+// ── Graceful shutdown ──
+let shuttingDown = false;
+function shutdown(signal) {
+  if (shuttingDown) return;
+  shuttingDown = true;
+  logger.info({ signal }, "Shutting down...");
+  closeAllClients();
+  server.close(() => {
+    logger.info("Server closed.");
+    process.exit(0);
+  });
+  setTimeout(() => { logger.warn("Forceful shutdown after timeout."); process.exit(1); }, 10_000).unref();
+}
+process.on("SIGTERM", () => shutdown("SIGTERM"));
+process.on("SIGINT", () => shutdown("SIGINT"));
+
+server.listen(PORT, BIND_HOST || undefined, () => {
+  logger.info({ port: PORT, bind: BIND_HOST || "0.0.0.0", corsOrigins: process.env.APE_CLAW_CORS_ORIGINS || "(default)" }, "Server listening");
+  console.log(`ape-claw telemetry server listening on http://localhost:${PORT}`);
+  console.log(`SSE stream: http://localhost:${PORT}/events`);
+});
+
+export { server };

package/src/server/logger.mjs

@@ -0,0 +1,21 @@
+/**
+ * Structured logger for the ApeClaw server.
+ *
+ * Uses pino for JSON output in production and pretty-print in dev.
+ * CLI keeps using console (pino would interfere with --json output).
+ */
+
+import pino from "pino";
+
+const isDev = String(process.env.NODE_ENV || "").toLowerCase() !== "production";
+
+const logger = pino({
+  level: process.env.LOG_LEVEL || (isDev ? "debug" : "info"),
+  ...(isDev ? { transport: { target: "pino/file", options: { destination: 1 } } } : {}),
+});
+
+export default logger;
+
+export function childLogger(bindings) {
+  return logger.child(bindings);
+}

package/src/server/middleware/auth.mjs

@@ -0,0 +1,90 @@
+/**
+ * Auth middleware for route handlers.
+ *
+ * Provides two auth modes:
+ * - requireSkillWriteAuth: admin key OR authenticated clawbot
+ * - resolveChatAuth: clawbot auth OR Moltbook identity verification
+ */
+
+import { verifyClawbot } from "../../lib/clawbots.mjs";
+
+const MOLTBOOK_API_BASE = String(process.env.MOLTBOOK_API_BASE || "https://www.moltbook.com/api/v1").replace(/\/+$/, "");
+const MOLTBOOK_APP_KEY = String(process.env.MOLTBOOK_APP_KEY || "").trim();
+const REGISTRATION_KEY = String(process.env.APE_CLAW_REGISTRATION_KEY || "").trim();
+
+export function getRegistrationKey() { return REGISTRATION_KEY; }
+export function getMoltbookAppKey() { return MOLTBOOK_APP_KEY; }
+export function getMoltbookApiBase() { return MOLTBOOK_API_BASE; }
+
+export function requireSkillWriteAuth(req) {
+  const adminKey = String(req.headers["x-registration-key"] || "").trim();
+  if (adminKey && REGISTRATION_KEY && adminKey === REGISTRATION_KEY) {
+    return { ok: true, mode: "admin", agentId: null };
+  }
+  const agentId = String(req.headers["x-agent-id"] || "").trim();
+  const agentToken = String(req.headers["x-agent-token"] || "").trim();
+  if (agentId && agentToken) {
+    try {
+      const v = verifyClawbot({ agentId, agentToken });
+      if (v?.verified) return { ok: true, mode: "agent", agentId };
+    } catch {}
+  }
+  return { ok: false, mode: "none", agentId: null };
+}
+
+export async function verifyMoltbookIdentity(identityToken) {
+  const token = String(identityToken || "").trim();
+  if (!token) return { verified: false, reason: "missing identity token" };
+  if (!MOLTBOOK_APP_KEY) return { verified: false, reason: "MOLTBOOK_APP_KEY not configured on backend" };
+  try {
+    const r = await fetch(`${MOLTBOOK_API_BASE}/agents/verify-identity`, {
+      method: "POST",
+      headers: { "content-type": "application/json", "x-moltbook-app-key": MOLTBOOK_APP_KEY },
+      body: JSON.stringify({ token }),
+    });
+    const data = await r.json().catch(() => ({}));
+    if (!r.ok) return { verified: false, reason: data?.error || `identity verify failed (${r.status})` };
+    if (!data?.valid || !data?.agent) return { verified: false, reason: "identity token invalid" };
+    return { verified: true, agent: data.agent };
+  } catch (err) {
+    return { verified: false, reason: err.message || "identity verification request failed" };
+  }
+}
+
+export async function resolveChatAuth(req, body) {
+  const agentId = body.agentId || req.headers["x-agent-id"] || "";
+  const agentToken = body.agentToken || req.headers["x-agent-token"] || "";
+  const identityToken = body.identityToken || req.headers["x-moltbook-identity"] || "";
+
+  if (identityToken) {
+    const identity = await verifyMoltbookIdentity(identityToken);
+    if (!identity.verified) return { ok: false, status: 403, error: "identity verify failed", reason: identity.reason };
+    const agent = identity.agent || {};
+    return {
+      ok: true,
+      auth: {
+        id: String(agent.name || agent.id || "moltbook-agent"),
+        name: String(agent.name || agent.id || "Moltbook Agent"),
+        provider: "moltbook",
+        meta: { karma: Number(agent.karma || 0), claimed: Boolean(agent.is_claimed) },
+      },
+    };
+  }
+
+  if (!agentId || !agentToken) {
+    return { ok: false, status: 401, error: "missing credentials: provide agentId+agentToken or identityToken" };
+  }
+  const verification = verifyClawbot({ agentId, agentToken });
+  if (!verification.verified) {
+    return { ok: false, status: 403, error: "not verified", reason: verification.reason };
+  }
+  return {
+    ok: true,
+    auth: {
+      id: agentId,
+      name: verification.agent?.name || agentId,
+      provider: "clawbot",
+      meta: {},
+    },
+  };
+}

package/src/server/middleware/body-limit.mjs

@@ -0,0 +1,35 @@
+const MAX_BODY_BYTES = 1024 * 1024; // 1 MB
+
+/**
+ * Collects the full request body up to MAX_BODY_BYTES.
+ * Returns the raw string, or null if the body exceeds the limit
+ * (in which case a 413 response is sent automatically).
+ */
+export function collectBody(req, res, maxBytes = MAX_BODY_BYTES) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let size = 0;
+
+    req.on("data", (chunk) => {
+      size += chunk.length;
+      if (size > maxBytes) {
+        req.destroy();
+        if (!res.headersSent) {
+          res.writeHead(413, { "content-type": "application/json" });
+          res.end(JSON.stringify({ error: "request body too large" }));
+        }
+        resolve(null);
+        return;
+      }
+      chunks.push(chunk);
+    });
+
+    req.on("end", () => {
+      resolve(Buffer.concat(chunks).toString("utf8"));
+    });
+
+    req.on("error", (err) => {
+      reject(err);
+    });
+  });
+}

package/src/server/middleware/cors.mjs

@@ -0,0 +1,33 @@
+const ALLOWED_ORIGINS = new Set([
+  "https://apeclaw.ai",
+  "https://www.apeclaw.ai",
+  "http://localhost:8787",
+  "http://localhost:3000",
+  "http://127.0.0.1:8787",
+]);
+
+function originAllowed(origin) {
+  if (!origin) return true;
+  if (ALLOWED_ORIGINS.has(origin)) return true;
+  if (/^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin)) return true;
+  if (/\.vercel\.app$/.test(origin)) return true;
+  return false;
+}
+
+export function handleCorsPreflightOrSetHeaders(req, res) {
+  const origin = String(req.headers.origin || "").trim();
+  const allowed = originAllowed(origin);
+  const reflect = allowed && origin ? origin : "*";
+
+  res.setHeader("access-control-allow-origin", reflect);
+  res.setHeader("access-control-allow-methods", "GET, POST, PATCH, OPTIONS");
+  res.setHeader("access-control-allow-headers", "content-type, x-agent-id, x-agent-token, x-registration-key, x-moltbook-identity, x-api-key");
+  res.setHeader("access-control-max-age", "86400");
+
+  if (req.method === "OPTIONS") {
+    res.writeHead(204);
+    res.end();
+    return true;
+  }
+  return false;
+}