arc402-cli 0.2.0

package/src/config.ts

@@ -0,0 +1,153 @@
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+
+export interface Arc402Config {
+  network: "base-mainnet" | "base-sepolia";
+  rpcUrl: string;
+  privateKey?: string;
+  guardianPrivateKey?: string;
+  guardianAddress?: string;
+  walletConnectProjectId?: string;
+  ownerAddress?: string;
+  agentRegistryAddress?: string;
+  agentRegistryV2Address?: string;
+  serviceAgreementAddress?: string;
+  disputeArbitrationAddress?: string;
+  disputeModuleAddress?: string;
+  trustRegistryAddress: string;
+  trustRegistryV2Address?: string;
+  intentAttestationAddress?: string;
+  settlementCoordinatorAddress?: string;
+  sessionChannelsAddress?: string;
+  reputationOracleAddress?: string;
+  sponsorshipAttestationAddress?: string;
+  capabilityRegistryAddress?: string;
+  governanceAddress?: string;
+  agreementTreeAddress?: string;
+  policyEngineAddress?: string;
+  walletFactoryAddress?: string;
+  walletContractAddress?: string;
+  watchtowerRegistryAddress?: string;
+  governedTokenWhitelistAddress?: string;
+  vouchingRegistryAddress?: string;
+  migrationRegistryAddress?: string;
+  handshakeAddress?: string;
+  paymasterUrl?: string;    // CDP paymaster endpoint
+  cdpKeyName?: string;      // CDP API key name (org/.../apiKeys/...)
+  cdpPrivateKey?: string;   // CDP EC private key — base64 DER SEC1 (store in CDP_PRIVATE_KEY env var)
+  subdomainApi?: string;    // defaults to https://api.arc402.xyz
+  telegramBotToken?: string;
+  telegramChatId?: string;
+  telegramThreadId?: number;
+  wcSession?: {
+    topic: string;
+    expiry: number;    // Unix timestamp
+    account: string;   // Phone wallet address
+    chainId: number;
+  };
+}
+
+const CONFIG_DIR = path.join(os.homedir(), ".arc402");
+const CONFIG_PATH = process.env.ARC402_CONFIG || path.join(CONFIG_DIR, "config.json");
+
+export const getConfigPath = () => CONFIG_PATH;
+
+export function loadConfig(): Arc402Config {
+  if (!fs.existsSync(CONFIG_PATH)) {
+    console.error(`No config found at ${CONFIG_PATH}. Run \`arc402 config init\` to set up your configuration.`);
+    process.exit(1);
+  }
+  return JSON.parse(fs.readFileSync(CONFIG_PATH, "utf-8")) as Arc402Config;
+}
+
+export function saveConfig(config: Arc402Config): void {
+  const configDir = path.dirname(CONFIG_PATH);
+  fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
+  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), { mode: 0o600 });
+}
+
+export const configExists = () => fs.existsSync(CONFIG_PATH);
+
+// Public Base RPC — stale state, do not use for production. Alchemy recommended.
+export const PUBLIC_BASE_RPC = "https://mainnet.base.org";
+export const ALCHEMY_BASE_RPC = "https://base-mainnet.g.alchemy.com/v2/YIA2uRCsFI-j5pqH-aRzflrACSlV1Qrs";
+
+/**
+ * Warn at runtime if the configured RPC is the public Base endpoint.
+ * Public Base RPC has delayed state propagation — use Alchemy for production.
+ */
+export function warnIfPublicRpc(config: Arc402Config): void {
+  if (config.rpcUrl === PUBLIC_BASE_RPC || config.rpcUrl === "https://sepolia.base.org") {
+    console.warn("WARN: Using public Base RPC — state reads may be stale. Set rpcUrl to an Alchemy endpoint for production.");
+    console.warn(`  Recommended: arc402 config set rpcUrl ${ALCHEMY_BASE_RPC}`);
+  }
+}
+
+export const NETWORK_DEFAULTS: Record<string, Partial<Arc402Config> & { usdcAddress: string }> = {
+  "base-mainnet": {
+    rpcUrl: ALCHEMY_BASE_RPC,
+    usdcAddress: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
+    paymasterUrl: "https://api.developer.coinbase.com/rpc/v1/base/dca85088-a2ac-4ec3-8647-5154b150e7a9",
+    // Base Mainnet deployments — v2 deployed 2026-03-15
+    policyEngineAddress:           "0xAA5Ef3489C929bFB3BFf5D5FE15aa62d3763c847",
+    trustRegistryAddress:          "0x22366D6dabb03062Bc0a5E893EfDff15D8E329b1",   // TrustRegistryV3 — v2
+    trustRegistryV2Address:        "0xdA1D377991B2E580991B0DD381CdD635dd71aC39",   // old v2, kept for reference
+    intentAttestationAddress:      "0x7ad8db6C5f394542E8e9658F86C85cC99Cf6D460",
+    settlementCoordinatorAddress: "0xd52d8Be9728976E0D70C89db9F8ACeb5B5e97cA2",  // SettlementCoordinatorV2
+    agentRegistryAddress:          "0xcc0D8731ccCf6CFfF4e66F6d68cA86330Ea8B622",   // ARC402RegistryV2
+    agentRegistryV2Address:        "0xD5c2851B00090c92Ba7F4723FB548bb30C9B6865",   // AgentRegistry
+    walletFactoryAddress:          "0xcB52B5d746eEc05e141039E92e3dBefeAe496051",   // WalletFactoryV5 — redeployed 2026-03-19 (optimized bytecode, FOUNDRY_PROFILE=deploy)
+    sponsorshipAttestationAddress: "0xD6c2edE89Ea71aE19Db2Be848e172b444Ed38f22",
+    serviceAgreementAddress:       "0xC98B402CAB9156da68A87a69E3B4bf167A3CCcF6",
+    sessionChannelsAddress:        "0x578f8d1bd82E8D6268E329d664d663B4d985BE61",
+    disputeModuleAddress:          "0x5ebd301cEF0C908AB17Fd183aD9c274E4B34e9d6",
+    reputationOracleAddress:       "0x359F76a54F9A345546E430e4d6665A7dC9DaECd4",
+    governanceAddress:             "0xE931DD2EEb9Af9353Dd5E2c1250492A0135E0EC4",   // ARC402Governance
+    guardianAddress:               "0xED0A033B79626cdf9570B6c3baC7f699cD0032D8",   // ARC402Guardian
+    walletContractAddress:         "0xfd5C8c0a08fDcdeD2fe03e0DC9FA55595667F313",   // ARC402Wallet instance
+    agreementTreeAddress:          "0x6a82240512619B25583b9e95783410cf782915b1",
+    capabilityRegistryAddress:     "0x7becb642668B80502dD957A594E1dD0aC414c1a3",
+    disputeArbitrationAddress:     "0xF61b75E4903fbC81169FeF8b7787C13cB7750601",
+    governedTokenWhitelistAddress: "0xeB58896337244Bb408362Fea727054f9e7157451",
+    watchtowerRegistryAddress:     "0xbC811d1e3c5C5b67CA57df1DFb08847b1c8c458A",
+    vouchingRegistryAddress:       "0x94519194Bf17865770faD59eF581feC512Ae99c9",
+    migrationRegistryAddress:      "0xb60B62357b90F254f555f03B162a30E22890e3B5",
+    handshakeAddress:              "0x4F5A38Bb746d7E5d49d8fd26CA6beD141Ec2DDb3",
+  },
+  "base-sepolia": {
+    rpcUrl: "https://sepolia.base.org",
+    usdcAddress: "0x036CbD53842c5426634e7929541eC2318f3dCF7e",
+    // v2 deployment — Base Sepolia (chain 84532) — deployed 2026-03-15
+    // Unchanged v1 contracts:
+    policyEngineAddress:          "0x44102e70c2A366632d98Fe40d892a2501fC7fFF2",
+    intentAttestationAddress:     "0x942c807Cc6E0240A061e074b61345618aBadc457",
+    settlementCoordinatorAddress: "0x52b565797975781f069368Df40d6633b2aD03390",
+    agentRegistryV2Address:       "0x07D526f8A8e148570509aFa249EFF295045A0cc9", // AgentRegistry
+    reputationOracleAddress:      "0x410e650113fd163389C956BC7fC51c5642617187",
+    walletFactoryAddress:         "0xD560C22aD5372Aa830ee5ffBFa4a5D9f528e7B87",
+    sponsorshipAttestationAddress:"0xc0d927745AcF8DEeE551BE11A12c97c492DDC989",
+    governanceAddress:            "0x504b3D73A8dFbcAB9551d8a11Bb0B07C90C4c926",
+    guardianAddress:              "0x5c1D2cD6B9B291b436BF1b109A711F0E477EB6fe",
+    walletContractAddress:        "0xc77854f9091A25eD1f35EA24E9bdFb64d0850E45",
+    agreementTreeAddress:         "0x8F46F31FcEbd60f526308AD20e4a008887709720",
+    capabilityRegistryAddress:    "0x6a413e74b65828A014dD8DA61861Bf9E1b6372D2",
+    governedTokenWhitelistAddress:"0x64C15CA701167C7c901a8a5575a5232b37CAF213",
+    watchtowerRegistryAddress:    "0x70c4E53E3A916eB8A695630f129B943af9C61C57",
+    // v2 contracts (new/redeployed 2026-03-15):
+    trustRegistryAddress:         "0xf2aE072BB8575c23B0efbF44bDc8188aA900cA7a", // TrustRegistryV3
+    agentRegistryAddress:         "0x0461b2b7A1E50866962CB07326000A94009c58Ff", // ARC402RegistryV2
+    serviceAgreementAddress:      "0xbbb1DA355D810E9baEF1a7D072B2132E4755976B",
+    sessionChannelsAddress:       "0x5EF144AE2C8456d014e6E3F293c162410C043564",
+    disputeModuleAddress:         "0x01866144495fBBbBB7aaD81605de051B2A62594A",
+    disputeArbitrationAddress:    "0xa4f6F77927Da53a25926A5f0bffBEB0210108cA8",
+    vouchingRegistryAddress:      "0x96432aDc7aC06256297AdF11B94C47f68b2F13A2",
+    migrationRegistryAddress:     "0x3aeAaD32386D6fC40eeb5c2C27a5aCFE6aDf9ABD",
+  },
+};
+
+export const getUsdcAddress = (config: Arc402Config) => NETWORK_DEFAULTS[config.network]?.usdcAddress ?? "";
+
+export function getSubdomainApi(config: Arc402Config): string {
+  return config.subdomainApi ?? "https://api.arc402.xyz";
+}

package/src/daemon/config.ts

@@ -0,0 +1,308 @@
+/**
+ * Daemon configuration loader.
+ * Parses ~/.arc402/daemon.toml, enforces env: prefix for secrets,
+ * resolves env: values from the environment.
+ */
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { parse as parseToml } from "smol-toml";
+
+export const DAEMON_DIR = path.join(os.homedir(), ".arc402");
+export const DAEMON_TOML = path.join(DAEMON_DIR, "daemon.toml");
+export const DAEMON_PID = path.join(DAEMON_DIR, "daemon.pid");
+export const DAEMON_LOG = path.join(DAEMON_DIR, "daemon.log");
+export const DAEMON_DB = path.join(DAEMON_DIR, "daemon.db");
+export const DAEMON_SOCK = path.join(DAEMON_DIR, "daemon.sock");
+
+export interface DaemonConfig {
+  wallet: {
+    contract_address: string;
+    owner_address: string;
+    machine_key: string; // must be "env:VAR_NAME"
+  };
+  network: {
+    rpc_url: string;
+    chain_id: number;
+    entry_point: string;
+  };
+  bundler: {
+    mode: "external" | "arc402" | "self";
+    endpoint: string;
+    earn_fees: boolean;
+    eth_float: string;
+    sweep_threshold: string;
+    sweep_to: string;
+    rpc_url: string;
+  };
+  relay: {
+    enabled: boolean;
+    listen_port: number;
+    endpoint: string;
+    max_concurrent_agreements: number;
+    poll_interval_seconds: number;
+    relay_url: string;
+  };
+  watchtower: {
+    enabled: boolean;
+    poll_interval_seconds: number;
+    challenge_confirmation_blocks: number;
+    external_watchtower_url: string;
+    update_interval_states: number;
+  };
+  policy: {
+    auto_accept: boolean;
+    max_price_eth: string;
+    allowed_capabilities: string[];
+    require_min_trust_score: number;
+    min_hire_lead_time_seconds: number;
+  };
+  notifications: {
+    telegram_bot_token: string;
+    telegram_chat_id: string;
+    notify_on_hire_request: boolean;
+    notify_on_hire_accepted: boolean;
+    notify_on_hire_rejected: boolean;
+    notify_on_delivery: boolean;
+    notify_on_dispute: boolean;
+    notify_on_channel_challenge: boolean;
+    notify_on_low_balance: boolean;
+    low_balance_threshold_eth: string;
+  };
+  work: {
+    handler: "exec" | "http" | "noop";
+    exec_command: string;
+    http_url: string;
+    http_auth_token: string;
+  };
+}
+
+function resolveEnvValue(value: string, field: string): string {
+  if (!value.startsWith("env:")) return value;
+  const varName = value.slice(4);
+  const resolved = process.env[varName];
+  if (!resolved) {
+    throw new Error(`Environment variable ${varName} is not set (required for ${field})`);
+  }
+  return resolved;
+}
+
+function tryResolveEnvValue(value: string): string {
+  if (!value.startsWith("env:")) return value;
+  const varName = value.slice(4);
+  return process.env[varName] ?? "";
+}
+
+function str(v: unknown, def = ""): string {
+  return typeof v === "string" ? v : def;
+}
+function num(v: unknown, def: number): number {
+  return typeof v === "number" ? v : def;
+}
+function bool(v: unknown, def: boolean): boolean {
+  return typeof v === "boolean" ? v : def;
+}
+function strArr(v: unknown): string[] {
+  return Array.isArray(v) ? (v as string[]) : [];
+}
+
+function withDefaults(raw: Record<string, unknown>): DaemonConfig {
+  const w = (raw.wallet as Record<string, unknown>) ?? {};
+  const n = (raw.network as Record<string, unknown>) ?? {};
+  const b = (raw.bundler as Record<string, unknown>) ?? {};
+  const r = (raw.relay as Record<string, unknown>) ?? {};
+  const wt = (raw.watchtower as Record<string, unknown>) ?? {};
+  const p = (raw.policy as Record<string, unknown>) ?? {};
+  const notif = (raw.notifications as Record<string, unknown>) ?? {};
+  const work = (raw.work as Record<string, unknown>) ?? {};
+
+  return {
+    wallet: {
+      contract_address: str(w.contract_address),
+      owner_address: str(w.owner_address),
+      machine_key: str(w.machine_key, "env:ARC402_MACHINE_KEY"),
+    },
+    network: {
+      rpc_url: str(n.rpc_url, "https://base-mainnet.g.alchemy.com/v2/YIA2uRCsFI-j5pqH-aRzflrACSlV1Qrs"),
+      chain_id: num(n.chain_id, 8453),
+      entry_point: str(n.entry_point, "0x0000000071727De22E5E9d8BAf0edAc6f37da032"),
+    },
+    bundler: {
+      mode: (str(b.mode, "external")) as "external" | "arc402" | "self",
+      endpoint: str(b.endpoint),
+      earn_fees: bool(b.earn_fees, false),
+      eth_float: str(b.eth_float, "0.01"),
+      sweep_threshold: str(b.sweep_threshold, "0.005"),
+      sweep_to: str(b.sweep_to),
+      rpc_url: str(b.rpc_url),
+    },
+    relay: {
+      enabled: bool(r.enabled, true),
+      listen_port: num(r.listen_port, 4402),
+      endpoint: str(r.endpoint),
+      max_concurrent_agreements: num(r.max_concurrent_agreements, 10),
+      poll_interval_seconds: num(r.poll_interval_seconds, 2),
+      relay_url: str(r.relay_url),
+    },
+    watchtower: {
+      enabled: bool(wt.enabled, true),
+      poll_interval_seconds: num(wt.poll_interval_seconds, 60),
+      challenge_confirmation_blocks: num(wt.challenge_confirmation_blocks, 2),
+      external_watchtower_url: str(wt.external_watchtower_url),
+      update_interval_states: num(wt.update_interval_states, 10),
+    },
+    policy: {
+      auto_accept: bool(p.auto_accept, false),
+      max_price_eth: str(p.max_price_eth, "0.1"),
+      allowed_capabilities: strArr(p.allowed_capabilities),
+      require_min_trust_score: num(p.require_min_trust_score, 50),
+      min_hire_lead_time_seconds: num(p.min_hire_lead_time_seconds, 300),
+    },
+    notifications: {
+      telegram_bot_token: str(notif.telegram_bot_token, "env:TELEGRAM_BOT_TOKEN"),
+      telegram_chat_id: str(notif.telegram_chat_id, "env:TELEGRAM_CHAT_ID"),
+      notify_on_hire_request: bool(notif.notify_on_hire_request, true),
+      notify_on_hire_accepted: bool(notif.notify_on_hire_accepted, true),
+      notify_on_hire_rejected: bool(notif.notify_on_hire_rejected, true),
+      notify_on_delivery: bool(notif.notify_on_delivery, true),
+      notify_on_dispute: bool(notif.notify_on_dispute, true),
+      notify_on_channel_challenge: bool(notif.notify_on_channel_challenge, true),
+      notify_on_low_balance: bool(notif.notify_on_low_balance, true),
+      low_balance_threshold_eth: str(notif.low_balance_threshold_eth, "0.005"),
+    },
+    work: {
+      handler: (str(work.handler, "noop")) as "exec" | "http" | "noop",
+      exec_command: str(work.exec_command),
+      http_url: str(work.http_url),
+      http_auth_token: str(work.http_auth_token),
+    },
+  };
+}
+
+export function loadDaemonConfig(configPath = DAEMON_TOML): DaemonConfig {
+  if (!fs.existsSync(configPath)) {
+    throw new Error(`daemon.toml not found at ${configPath}. Run: arc402 daemon init`);
+  }
+
+  const raw = fs.readFileSync(configPath, "utf-8");
+  let parsed: Record<string, unknown>;
+  try {
+    parsed = parseToml(raw) as Record<string, unknown>;
+  } catch (err) {
+    throw new Error(`Failed to parse daemon.toml: ${err instanceof Error ? err.message : String(err)}`);
+  }
+
+  const config = withDefaults(parsed);
+
+  // Required fields
+  if (!config.wallet.contract_address) {
+    throw new Error("daemon.toml: wallet.contract_address is required");
+  }
+  if (!config.network.rpc_url) {
+    throw new Error("daemon.toml: network.rpc_url is required");
+  }
+  if (!config.network.chain_id) {
+    throw new Error("daemon.toml: network.chain_id is required");
+  }
+
+  // Machine key MUST use env: prefix — never hardcoded
+  if (!config.wallet.machine_key.startsWith("env:")) {
+    throw new Error("ERROR: machine_key must use env: prefix — never hardcode keys");
+  }
+
+  // Resolve optional env: values silently (missing = disabled feature)
+  config.notifications.telegram_bot_token = tryResolveEnvValue(config.notifications.telegram_bot_token);
+  config.notifications.telegram_chat_id = tryResolveEnvValue(config.notifications.telegram_chat_id);
+  config.work.http_auth_token = tryResolveEnvValue(config.work.http_auth_token);
+
+  return config;
+}
+
+export function loadMachineKey(config: DaemonConfig): { privateKey: string; address: string } {
+  const envVarName = config.wallet.machine_key.startsWith("env:")
+    ? config.wallet.machine_key.slice(4)
+    : "ARC402_MACHINE_KEY";
+
+  const privateKey = process.env[envVarName];
+  if (!privateKey) {
+    throw new Error(`Machine key not found. Set environment variable: ${envVarName}`);
+  }
+
+  const { ethers } = require("ethers") as typeof import("ethers");
+  let address: string;
+  try {
+    const w = new ethers.Wallet(privateKey);
+    address = w.address;
+  } catch {
+    throw new Error(`Invalid machine key format in ${envVarName}`);
+  }
+
+  return { privateKey, address };
+}
+
+export const TEMPLATE_DAEMON_TOML = `# ~/.arc402/daemon.toml
+# ARC-402 Daemon Configuration
+# Generated by: arc402 daemon init
+#
+# SECURITY: Never put private keys here. Use environment variables.
+
+[wallet]
+contract_address = ""        # ARC402Wallet contract address (required)
+owner_address = ""           # Owner EOA address — for display and verification only
+machine_key = "env:ARC402_MACHINE_KEY"  # Machine key loaded from environment. NEVER hardcode here.
+
+[network]
+rpc_url = "https://base-mainnet.g.alchemy.com/v2/YIA2uRCsFI-j5pqH-aRzflrACSlV1Qrs"  # Alchemy Base RPC (recommended)
+chain_id = 8453                          # Base mainnet. Use 84532 for Base Sepolia.
+entry_point = "0x0000000071727De22E5E9d8BAf0edAc6f37da032"  # ERC-4337 EntryPoint v0.7
+
+[bundler]
+mode = "external"                # external | arc402 | self
+endpoint = ""                    # Required when mode = external. Pimlico, Alchemy, etc.
+earn_fees = false                # self mode only: bundle for other network agents
+eth_float = "0.01"               # Minimum ETH to maintain in bundler EOA for gas fronting
+sweep_threshold = "0.005"        # Sweep fees to wallet when bundler EOA exceeds this (ETH)
+sweep_to = ""                    # Sweep destination. Defaults to wallet.contract_address.
+rpc_url = ""                     # self mode: private RPC. Defaults to network.rpc_url if empty.
+
+[relay]
+enabled = true
+listen_port = 4402               # Port for incoming relay messages
+endpoint = ""                    # Your public URL — run: arc402 setup endpoint
+                                 # Example: https://gigabrain.arc402.xyz
+max_concurrent_agreements = 10   # Refuse new hire requests when this many are in-flight
+poll_interval_seconds = 2        # How often to poll relay for incoming messages
+relay_url = ""                   # The relay to poll. Defaults to agent metadata relay if empty.
+
+[watchtower]
+enabled = true
+poll_interval_seconds = 60       # How often to poll chain for stale-close events
+challenge_confirmation_blocks = 2  # Wait N block confirmations before accepting close as final
+external_watchtower_url = ""     # Register open channels here as backup (Tier 2 watchtower)
+update_interval_states = 10      # Forward state to external watchtower every N state changes
+
+[policy]
+auto_accept = false              # If true: auto-accept all hire requests within policy bounds
+max_price_eth = "0.1"           # Refuse any hire priced above this (ETH)
+allowed_capabilities = []        # Empty list = accept any capability. Non-empty = whitelist.
+require_min_trust_score = 50    # Refuse hirers whose wallet trust score is below this (0–100)
+min_hire_lead_time_seconds = 300  # Refuse hires with delivery deadline < this many seconds away
+
+[notifications]
+telegram_bot_token = "env:TELEGRAM_BOT_TOKEN"   # Load from env, not hardcoded
+telegram_chat_id = "env:TELEGRAM_CHAT_ID"        # Load from env, not hardcoded
+notify_on_hire_request = true    # Notify when a hire request arrives (pending approval)
+notify_on_hire_accepted = true   # Notify when daemon accepts a hire
+notify_on_hire_rejected = true   # Notify when daemon rejects a hire
+notify_on_delivery = true        # Notify when work is delivered and fulfill() submitted
+notify_on_dispute = true         # Notify when a dispute is raised (by either party)
+notify_on_channel_challenge = true  # Notify when watchtower submits a channel challenge
+notify_on_low_balance = false    # Disabled by default — enable if you want balance alerts
+low_balance_threshold_eth = "0.005"  # Balance alert threshold
+
+[work]
+handler = "noop"               # exec | http | noop
+exec_command = ""              # called with agreementId and spec as args (exec mode)
+http_url = ""                  # POST {agreementId, specHash, deadline} as JSON (http mode)
+http_auth_token = "env:WORKER_AUTH_TOKEN"
+`;

package/src/daemon/hire-listener.ts

@@ -0,0 +1,226 @@
+/**
+ * Hire listener — polls relay for incoming hire proposals,
+ * evaluates against policy, and queues for approval or auto-accepts.
+ */
+import * as http from "http";
+import * as https from "https";
+import { ethers } from "ethers";
+import type { DaemonConfig } from "./config";
+import type { DaemonDB } from "./index";
+import type { Notifier } from "./notify";
+
+export interface HireProposal {
+  messageId: string;
+  hirerAddress: string;
+  capability: string;
+  priceEth: string;
+  deadlineUnix: number;
+  specHash: string;
+  agreementId?: string;
+  signature?: string;
+}
+
+export interface PolicyResult {
+  allowed: boolean;
+  reason?: string;
+}
+
+function relayGet(
+  relayUrl: string,
+  urlPath: string
+): Promise<{ status: number; data: unknown }> {
+  return new Promise((resolve, reject) => {
+    const parsed = new URL(urlPath, relayUrl);
+    const isHttps = parsed.protocol === "https:";
+    const mod = isHttps ? https : http;
+    const options: http.RequestOptions = {
+      hostname: parsed.hostname,
+      port: parsed.port || (isHttps ? 443 : 80),
+      path: parsed.pathname + (parsed.search || ""),
+      method: "GET",
+      headers: { "Content-Type": "application/json" },
+    };
+    const req = mod.request(options, (res) => {
+      let raw = "";
+      res.on("data", (c: Buffer) => { raw += c.toString(); });
+      res.on("end", () => {
+        try {
+          resolve({ status: res.statusCode ?? 0, data: JSON.parse(raw) });
+        } catch {
+          resolve({ status: res.statusCode ?? 0, data: raw });
+        }
+      });
+    });
+    req.on("error", reject);
+    req.end();
+  });
+}
+
+export function evaluatePolicy(
+  proposal: HireProposal,
+  config: DaemonConfig,
+  activeCount: number
+): PolicyResult {
+  const policy = config.policy;
+
+  // Concurrency check
+  if (activeCount >= config.relay.max_concurrent_agreements) {
+    return { allowed: false, reason: "at_capacity" };
+  }
+
+  // Price check
+  try {
+    const priceWei = ethers.parseEther(proposal.priceEth || "0");
+    const maxWei = ethers.parseEther(policy.max_price_eth);
+    if (priceWei > maxWei) {
+      return { allowed: false, reason: "price_exceeds_policy" };
+    }
+  } catch {
+    return { allowed: false, reason: "invalid_price" };
+  }
+
+  // Capability check (empty list = accept all)
+  if (policy.allowed_capabilities.length > 0 && proposal.capability) {
+    if (!policy.allowed_capabilities.includes(proposal.capability)) {
+      return { allowed: false, reason: "capability_not_allowed" };
+    }
+  }
+
+  // Deadline check
+  const now = Math.floor(Date.now() / 1000);
+  if (proposal.deadlineUnix > 0) {
+    if (proposal.deadlineUnix < now + policy.min_hire_lead_time_seconds) {
+      return { allowed: false, reason: "deadline_too_soon" };
+    }
+  }
+
+  return { allowed: true };
+}
+
+function parseProposal(msg: Record<string, unknown>): HireProposal | null {
+  const payload = (msg.payload ?? msg) as Record<string, unknown>;
+  if (!payload.hirerAddress && !payload.hirer_address && !payload.from) return null;
+
+  return {
+    messageId: String(msg.messageId ?? msg.id ?? `msg_${Date.now()}`),
+    hirerAddress: String(payload.hirerAddress ?? payload.hirer_address ?? msg.from ?? ""),
+    capability: String(payload.capability ?? ""),
+    priceEth: String(payload.priceEth ?? payload.price_eth ?? "0"),
+    deadlineUnix: Number(payload.deadlineUnix ?? payload.deadline ?? 0),
+    specHash: String(payload.specHash ?? payload.spec_hash ?? ""),
+    agreementId: payload.agreementId ? String(payload.agreementId) : undefined,
+    signature: payload.signature ? String(payload.signature) : undefined,
+  };
+}
+
+export class HireListener {
+  private config: DaemonConfig;
+  private db: DaemonDB;
+  private notifier: Notifier;
+  private walletAddress: string;
+  private lastSeenMessageId: string | null = null;
+  private onApprove: ((hireId: string) => Promise<void>) | null = null;
+
+  constructor(
+    config: DaemonConfig,
+    db: DaemonDB,
+    notifier: Notifier,
+    walletAddress: string
+  ) {
+    this.config = config;
+    this.db = db;
+    this.notifier = notifier;
+    this.walletAddress = walletAddress;
+  }
+
+  setApproveCallback(cb: (hireId: string) => Promise<void>): void {
+    this.onApprove = cb;
+  }
+
+  async poll(): Promise<void> {
+    const relayUrl = this.config.relay.relay_url;
+    if (!relayUrl) return;
+
+    try {
+      const qs =
+        `?address=${encodeURIComponent(this.walletAddress)}` +
+        (this.lastSeenMessageId ? `&since=${encodeURIComponent(this.lastSeenMessageId)}` : "");
+
+      const result = await relayGet(relayUrl, `/poll${qs}`);
+      const data = result.data as { messages?: Array<Record<string, unknown>> };
+      const messages = data.messages ?? [];
+
+      for (const msg of messages) {
+        this.lastSeenMessageId = String(msg.messageId ?? "");
+        await this.handleMessage(msg);
+      }
+    } catch {
+      // Transient relay failure — retry next poll
+    }
+  }
+
+  private async handleMessage(msg: Record<string, unknown>): Promise<void> {
+    const proposal = parseProposal(msg);
+    if (!proposal) return;
+
+    // Dedup — skip if already in DB
+    const existing = this.db.getHireRequest(proposal.messageId);
+    if (existing) return;
+
+    // Count active agreements
+    const activeCount = this.db.countActiveHireRequests();
+
+    // Policy evaluation
+    const policyResult = evaluatePolicy(proposal, this.config, activeCount);
+
+    if (!policyResult.allowed) {
+      // Reject
+      const hireId = proposal.messageId;
+      this.db.insertHireRequest({
+        id: hireId,
+        agreement_id: proposal.agreementId ?? null,
+        hirer_address: proposal.hirerAddress,
+        capability: proposal.capability,
+        price_eth: proposal.priceEth,
+        deadline_unix: proposal.deadlineUnix,
+        spec_hash: proposal.specHash,
+        status: "rejected",
+        reject_reason: policyResult.reason ?? "policy_violation",
+      });
+
+      if (this.config.notifications.notify_on_hire_rejected) {
+        await this.notifier.notifyHireRejected(hireId, policyResult.reason ?? "policy_violation");
+      }
+      return;
+    }
+
+    // Insert as pending_approval or auto-accept
+    const hireId = proposal.messageId;
+    const status = this.config.policy.auto_accept ? "accepted" : "pending_approval";
+
+    this.db.insertHireRequest({
+      id: hireId,
+      agreement_id: proposal.agreementId ?? null,
+      hirer_address: proposal.hirerAddress,
+      capability: proposal.capability,
+      price_eth: proposal.priceEth,
+      deadline_unix: proposal.deadlineUnix,
+      spec_hash: proposal.specHash,
+      status,
+      reject_reason: null,
+    });
+
+    if (status === "pending_approval") {
+      if (this.config.notifications.notify_on_hire_request) {
+        await this.notifier.notifyHireRequest(
+          hireId,
+          proposal.hirerAddress,
+          proposal.priceEth,
+          proposal.capability
+        );
+      }
+    } else if (status === "accepted" && this.onApprove) {
+      await this.onApprove(hireId);
+    }
+  }
+}