arc402-cli 0.7.0 → 0.7.2

package/src/commands/watch.ts

@@ -1,21 +1,218 @@
 import { Command } from "commander";
-import { c } from "../ui/colors";
+import { ethers } from "ethers";
 import { loadConfig } from "../config";
+import { getClient } from "../client";
+import { c } from "../ui/colors";
+
+// ─── Minimal ABIs for event watching ─────────────────────────────────────────
+
+const AGENT_REGISTRY_WATCH_ABI = [
+  "event AgentRegistered(address indexed wallet, string name, string serviceType, uint256 timestamp)",
+  "event AgentUpdated(address indexed wallet, string name, string serviceType)",
+  "event AgentDeactivated(address indexed wallet)",
+];
+
+const SERVICE_AGREEMENT_WATCH_ABI = [
+  "event AgreementProposed(uint256 indexed id, address indexed client, address indexed provider, string serviceType, uint256 price, address token, uint256 deadline)",
+  "event AgreementAccepted(uint256 indexed id, address indexed provider)",
+  "event AgreementFulfilled(uint256 indexed id, address indexed provider, bytes32 deliverablesHash)",
+  "event AgreementDisputed(uint256 indexed id, address indexed initiator, string reason)",
+  "event AgreementCancelled(uint256 indexed id, address indexed client)",
+];
+
+const HANDSHAKE_WATCH_ABI = [
+  "event HandshakeSent(uint256 indexed handshakeId, address indexed from, address indexed to, uint8 hsType, address token, uint256 amount, string note, uint256 timestamp)",
+];
+
+const DISPUTE_MODULE_WATCH_ABI = [
+  "event DisputeRaised(uint256 indexed agreementId, address indexed initiator, string reason)",
+  "event DisputeResolved(uint256 indexed agreementId, bool favorProvider, string resolution)",
+];
+
+const HS_TYPE_LABELS: Record<number, string> = {
+  0: "Respected",
+  1: "Curious",
+  2: "Endorsed",
+  3: "Thanked",
+  4: "Collaborated",
+  5: "Challenged",
+  6: "Referred",
+  7: "Hello",
+};
+
+function shortAddr(addr: string): string {
+  return addr.length > 10 ? `${addr.slice(0, 6)}...${addr.slice(-4)}` : addr;
+}
+
+function nowHHMM(): string {
+  const d = new Date();
+  const h = d.getHours().toString().padStart(2, "0");
+  const m = d.getMinutes().toString().padStart(2, "0");
+  return `${h}:${m}`;
+}
+
+function printEvent(label: string, detail: string, status?: "ok" | "warn" | "err"): void {
+  const ts = c.dim(`[${nowHHMM()}]`);
+  const col = status === "ok" ? c.green : status === "err" ? c.red : status === "warn" ? c.yellow : c.white;
+  process.stdout.write(`  ${ts}  ${col(label)}  ${c.dim(detail)}\n`);
+}
 
 export function registerWatchCommand(program: Command): void {
   program
     .command("watch")
-    .description("Watch wallet activity in real-time")
+    .description("Watch wallet activity in real-time (live onchain event feed)")
     .action(async () => {
       const config = loadConfig();
-      const wallet = config.walletContractAddress ?? "(no wallet)";
-      const shortWallet = wallet.length > 10
-        ? `${wallet.slice(0, 6)}...${wallet.slice(-4)}`
-        : wallet;
-      const line = "─".repeat(20);
-
-      console.log(`${c.mark}  ARC-402  Watching ${c.white(shortWallet)} ${c.dim(line)}`);
-      console.log(`${c.dim("···")}  ${c.dim("waiting")}`);
+      const { provider } = await getClient(config);
+      const myWallet = (config.walletContractAddress ?? "").toLowerCase();
+      const shortMe = myWallet ? shortAddr(config.walletContractAddress!) : "(no wallet)";
+
+      const line = "─".repeat(22);
+      console.log(`\n  ${c.mark} ${c.white("ARC-402  Live Feed")}  ${c.dim(line)}`);
+      console.log(`  ${c.dim("Watching")} ${c.brightCyan(shortMe)} ${c.dim("on")} ${c.dim(config.network)}`);
+      console.log(`  ${c.dim("Ctrl+C to exit")}\n`);
+
+      // ── Build contract instances ───────────────────────────────────────────
+
+      const contractLabels: string[] = [];
+
+      if (config.agentRegistryAddress) contractLabels.push("AgentRegistry");
+      if (config.serviceAgreementAddress) contractLabels.push("ServiceAgreement");
+      if (config.handshakeAddress) contractLabels.push("Handshake");
+      if (config.disputeModuleAddress) contractLabels.push("DisputeModule");
+
+      if (contractLabels.length === 0) {
+        console.log(`  ${c.warning} No contract addresses configured. Run arc402 config init.`);
+        process.exit(1);
+      }
+
+      console.log(`  ${c.dim(`Monitoring ${contractLabels.length} contract${contractLabels.length !== 1 ? "s" : ""}: ${contractLabels.join(", ")}`)}\n`);
+
+      // ── Helpers ────────────────────────────────────────────────────────────
+
+      function isMe(addr: string): boolean {
+        return myWallet !== "" && addr.toLowerCase() === myWallet;
+      }
+
+      function fmtAddr(addr: string): string {
+        return isMe(addr) ? c.brightCyan("you") : c.dim(shortAddr(addr));
+      }
+
+      // ── AgentRegistry ──────────────────────────────────────────────────────
+
+      if (config.agentRegistryAddress) {
+        const reg = new ethers.Contract(config.agentRegistryAddress, AGENT_REGISTRY_WATCH_ABI, provider);
+
+        reg.on("AgentRegistered", (wallet: string, name: string, serviceType: string) => {
+          printEvent(`Agent registered: ${name}`, `${fmtAddr(wallet)}  ${c.dim(serviceType)}`, "ok");
+        });
+
+        reg.on("AgentUpdated", (wallet: string, name: string, serviceType: string) => {
+          printEvent(`Agent updated: ${name}`, `${fmtAddr(wallet)}  ${c.dim(serviceType)}`);
+        });
+
+        reg.on("AgentDeactivated", (wallet: string) => {
+          printEvent(`Agent deactivated`, fmtAddr(wallet), "warn");
+        });
+      }
+
+      // ── ServiceAgreement ───────────────────────────────────────────────────
+
+      if (config.serviceAgreementAddress) {
+        const sa = new ethers.Contract(config.serviceAgreementAddress, SERVICE_AGREEMENT_WATCH_ABI, provider);
+
+        sa.on("AgreementProposed", (id: bigint, client: string, agentProvider: string, serviceType: string) => {
+          const involved = isMe(client) || isMe(agentProvider);
+          printEvent(
+            `Agreement #${id} proposed`,
+            `${fmtAddr(client)} → ${fmtAddr(agentProvider)}  ${c.dim(serviceType)}`,
+            involved ? "ok" : undefined
+          );
+        });
+
+        sa.on("AgreementAccepted", (id: bigint, agentProvider: string) => {
+          printEvent(`Agreement #${id} → ${c.green("ACCEPTED")}`, fmtAddr(agentProvider));
+        });
+
+        sa.on("AgreementFulfilled", (id: bigint, agentProvider: string, deliverablesHash: string) => {
+          printEvent(
+            `Agreement #${id} → ${c.green("DELIVERED")}`,
+            `${fmtAddr(agentProvider)}  ${c.dim(deliverablesHash.slice(0, 10) + "...")}`,
+            "ok"
+          );
+        });
+
+        sa.on("AgreementDisputed", (id: bigint, initiator: string, reason: string) => {
+          printEvent(
+            `Agreement #${id} → ${c.red("DISPUTED")}`,
+            `${fmtAddr(initiator)}  ${c.dim(reason.slice(0, 40))}`,
+            "err"
+          );
+        });
+
+        sa.on("AgreementCancelled", (id: bigint, client: string) => {
+          printEvent(`Agreement #${id} → ${c.yellow("CANCELLED")}`, fmtAddr(client), "warn");
+        });
+      }
+
+      // ── Handshake ──────────────────────────────────────────────────────────
+
+      if (config.handshakeAddress) {
+        const hs = new ethers.Contract(config.handshakeAddress, HANDSHAKE_WATCH_ABI, provider);
+
+        hs.on("HandshakeSent", (_id: bigint, from: string, to: string, hsType: number, _token: string, _amount: bigint, note: string) => {
+          const typeLabel = HS_TYPE_LABELS[hsType] ?? `type ${hsType}`;
+          const toMe = isMe(to);
+          const noteStr = note ? `  ${c.dim(`(${note.slice(0, 30)})`)}` : "";
+          printEvent(
+            `Handshake from ${fmtAddr(from)} → ${fmtAddr(to)}`,
+            `${c.dim(typeLabel)}${noteStr}`,
+            toMe ? "ok" : undefined
+          );
+        });
+      }
+
+      // ── DisputeModule ──────────────────────────────────────────────────────
+
+      if (config.disputeModuleAddress) {
+        const dm = new ethers.Contract(config.disputeModuleAddress, DISPUTE_MODULE_WATCH_ABI, provider);
+
+        dm.on("DisputeRaised", (agreementId: bigint, initiator: string, reason: string) => {
+          printEvent(
+            `Dispute raised on #${agreementId}`,
+            `${fmtAddr(initiator)}  ${c.dim(reason.slice(0, 40))}`,
+            "err"
+          );
+        });
+
+        dm.on("DisputeResolved", (agreementId: bigint, favorProvider: boolean, resolution: string) => {
+          printEvent(
+            `Dispute #${agreementId} → ${c.green("RESOLVED")}`,
+            `${c.dim(favorProvider ? "provider wins" : "client wins")}  ${c.dim(resolution.slice(0, 30))}`,
+            "ok"
+          );
+        });
+      }
+
+      // ── Block heartbeat (shows feed is alive) ──────────────────────────────
+
+      let lastBlock = 0;
+      provider.on("block", (blockNumber: number) => {
+        if (blockNumber > lastBlock) {
+          lastBlock = blockNumber;
+          if (blockNumber % 10 === 0) {
+            process.stdout.write(`  ${c.dim(`· block ${blockNumber}`)}\n`);
+          }
+        }
+      });
+
+      // ── Clean exit ─────────────────────────────────────────────────────────
+
+      process.on("SIGINT", () => {
+        console.log(`\n  ${c.dim("Feed stopped.")}`);
+        provider.removeAllListeners();
+        process.exit(0);
+      });
 
       // Keep process alive
       process.stdin.resume();

package/src/config.ts

@@ -1,6 +1,7 @@
 import * as fs from "fs";
 import * as path from "path";
 import * as os from "os";
+import { randomUUID } from "crypto";
 
 export interface Arc402Config {
   network: "base-mainnet" | "base-sepolia";
@@ -40,16 +41,25 @@ export interface Arc402Config {
   telegramBotToken?: string;
   telegramChatId?: string;
   telegramThreadId?: number;
+  /** Tracks onboarding progress so `wallet deploy` can resume after interruption. */
+  onboardingProgress?: {
+    walletAddress: string;
+    step: number;          // last completed step number (2=machineKey, 3=passkey, 4=policy, 5=agent)
+    completedSteps: string[];
+  };
   wcSession?: {
     topic: string;
     expiry: number;    // Unix timestamp
     account: string;   // Phone wallet address
     chainId: number;
   };
+  deviceId?: string;        // UUID identifying the device this config was created on
+  lastCliVersion?: string;  // Last CLI version that wrote this config (for upgrade detection)
 }
 
 const CONFIG_DIR = path.join(os.homedir(), ".arc402");
 const CONFIG_PATH = process.env.ARC402_CONFIG || path.join(CONFIG_DIR, "config.json");
+const DEVICE_ID_PATH = path.join(CONFIG_DIR, "device.id");
 
 // WalletConnect project ID — get your own at cloud.walletconnect.com
 const DEFAULT_WC_PROJECT_ID = "455e9425343b9156fce1428250c9a54a";
@@ -57,7 +67,20 @@ export const getWcProjectId = () => process.env.WC_PROJECT_ID ?? DEFAULT_WC_PROJ
 
 export const getConfigPath = () => CONFIG_PATH;
 
+/** Returns this device's stable UUID, creating it on first call. */
+function getOrCreateDeviceId(): string {
+  if (fs.existsSync(DEVICE_ID_PATH)) {
+    return fs.readFileSync(DEVICE_ID_PATH, "utf-8").trim();
+  }
+  const id = randomUUID();
+  fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  fs.writeFileSync(DEVICE_ID_PATH, id, { mode: 0o600 });
+  return id;
+}
+
 export function loadConfig(): Arc402Config {
+  const thisDeviceId = getOrCreateDeviceId();
+
   if (!fs.existsSync(CONFIG_PATH)) {
     // Auto-create with Base Mainnet defaults — zero friction
     const defaults = NETWORK_DEFAULTS["base-mainnet"] ?? {};
@@ -78,13 +101,28 @@ export function loadConfig(): Arc402Config {
       walletFactoryAddress: defaults.walletFactoryAddress,
       sessionChannelsAddress: defaults.sessionChannelsAddress,
       disputeModuleAddress: defaults.disputeModuleAddress,
+      deviceId: thisDeviceId,
     };
     saveConfig(autoConfig);
     console.log(`◈ Config auto-created at ${CONFIG_PATH} (Base Mainnet)`);
     console.log("⚠ Base Mainnet — real funds at risk. Use arc402 config init for testnet.");
     return autoConfig;
   }
-  return JSON.parse(fs.readFileSync(CONFIG_PATH, "utf-8")) as Arc402Config;
+
+  const config = JSON.parse(fs.readFileSync(CONFIG_PATH, "utf-8")) as Arc402Config;
+
+  // Multi-device awareness: warn if config was created on a different device
+  if (config.deviceId && config.deviceId !== thisDeviceId) {
+    console.warn("⚠ This config was created on a different device. Some keys may not work.");
+  }
+
+  // Backfill deviceId if missing (older config)
+  if (!config.deviceId) {
+    config.deviceId = thisDeviceId;
+    saveConfig(config);
+  }
+
+  return config;
 }
 
 export function saveConfig(config: Arc402Config): void {

package/src/daemon/config.ts

@@ -68,6 +68,9 @@ export interface DaemonConfig {
     notify_on_channel_challenge: boolean;
     notify_on_low_balance: boolean;
     low_balance_threshold_eth: string;
+    discord: { webhook_url: string };
+    webhook: { url: string; headers: Record<string, string> };
+    email: { smtp_host: string; smtp_port: number; smtp_user: string; smtp_pass: string; to: string };
   };
   work: {
     handler: "exec" | "http" | "noop";
@@ -114,6 +117,9 @@ function withDefaults(raw: Record<string, unknown>): DaemonConfig {
   const wt = (raw.watchtower as Record<string, unknown>) ?? {};
   const p = (raw.policy as Record<string, unknown>) ?? {};
   const notif = (raw.notifications as Record<string, unknown>) ?? {};
+  const notifDiscord = (notif.discord as Record<string, unknown>) ?? {};
+  const notifWebhook = (notif.webhook as Record<string, unknown>) ?? {};
+  const notifEmail = (notif.email as Record<string, unknown>) ?? {};
   const work = (raw.work as Record<string, unknown>) ?? {};
 
   return {
@@ -169,6 +175,18 @@ function withDefaults(raw: Record<string, unknown>): DaemonConfig {
       notify_on_channel_challenge: bool(notif.notify_on_channel_challenge, true),
       notify_on_low_balance: bool(notif.notify_on_low_balance, true),
       low_balance_threshold_eth: str(notif.low_balance_threshold_eth, "0.005"),
+      discord: { webhook_url: str(notifDiscord.webhook_url) },
+      webhook: {
+        url: str(notifWebhook.url),
+        headers: (notifWebhook.headers as Record<string, string>) ?? {},
+      },
+      email: {
+        smtp_host: str(notifEmail.smtp_host),
+        smtp_port: num(notifEmail.smtp_port, 587),
+        smtp_user: str(notifEmail.smtp_user),
+        smtp_pass: str(notifEmail.smtp_pass, "env:SMTP_PASS"),
+        to: str(notifEmail.to),
+      },
     },
     work: {
       handler: (str(work.handler, "noop")) as "exec" | "http" | "noop",
@@ -213,6 +231,9 @@ export function loadDaemonConfig(configPath = DAEMON_TOML): DaemonConfig {
   // Resolve optional env: values silently (missing = disabled feature)
   config.notifications.telegram_bot_token = tryResolveEnvValue(config.notifications.telegram_bot_token);
   config.notifications.telegram_chat_id = tryResolveEnvValue(config.notifications.telegram_chat_id);
+  config.notifications.discord.webhook_url = tryResolveEnvValue(config.notifications.discord.webhook_url);
+  config.notifications.webhook.url = tryResolveEnvValue(config.notifications.webhook.url);
+  config.notifications.email.smtp_pass = tryResolveEnvValue(config.notifications.email.smtp_pass);
   config.work.http_auth_token = tryResolveEnvValue(config.work.http_auth_token);
 
   return config;
@@ -300,6 +321,20 @@ notify_on_channel_challenge = true  # Notify when watchtower submits a channel c
 notify_on_low_balance = false    # Disabled by default — enable if you want balance alerts
 low_balance_threshold_eth = "0.005"  # Balance alert threshold
 
+[notifications.discord]
+webhook_url = ""                 # Discord channel webhook URL (leave empty to disable)
+
+[notifications.webhook]
+url = ""                         # POST JSON {title, body, timestamp} to this URL (leave empty to disable)
+# headers = { Authorization = "Bearer ..." }  # Optional headers
+
+[notifications.email]
+smtp_host = ""                   # SMTP server hostname (leave empty to disable)
+smtp_port = 587
+smtp_user = ""                   # SMTP login / from address
+smtp_pass = "env:SMTP_PASS"      # Load from env, not hardcoded
+to = ""                          # Recipient address
+
 [work]
 handler = "noop"               # exec | http | noop
 exec_command = ""              # called with agreementId and spec as args (exec mode)

package/src/daemon/index.ts

@@ -27,7 +27,7 @@ import {
   type DaemonConfig,
 } from "./config";
 import { verifyWallet, getWalletBalance } from "./wallet-monitor";
-import { Notifier } from "./notify";
+import { buildNotifier } from "./notify";
 import { HireListener } from "./hire-listener";
 import { UserOpsManager, buildAcceptCalldata } from "./userops";
 import { generateReceipt, extractLearnings, createJobDirectory, cleanJobDirectory } from "./job-lifecycle";
@@ -188,6 +188,9 @@ function checkRateLimit(ip: string): boolean {
   return bucket.count <= RATE_LIMIT;
 }
 
+// Cleanup stale rate limit entries every 5 minutes to prevent unbounded growth
+let rateLimitCleanupInterval: ReturnType<typeof setInterval> | null = null;
+
 // ─── Body size limit ──────────────────────────────────────────────────────────
 
 const MAX_BODY_SIZE = 1024 * 1024; // 1 MB
@@ -516,19 +519,7 @@ export async function runDaemon(foreground = false): Promise<void> {
   }
 
   // ── Setup notifier ───────────────────────────────────────────────────────
-  const notifier = new Notifier(
-    config.notifications.telegram_bot_token,
-    config.notifications.telegram_chat_id,
-    {
-      hire_request: config.notifications.notify_on_hire_request,
-      hire_accepted: config.notifications.notify_on_hire_accepted,
-      hire_rejected: config.notifications.notify_on_hire_rejected,
-      delivery: config.notifications.notify_on_delivery,
-      dispute: config.notifications.notify_on_dispute,
-      channel_challenge: config.notifications.notify_on_channel_challenge,
-      low_balance: config.notifications.notify_on_low_balance,
-    }
-  );
+  const notifier = buildNotifier(config);
 
   // ── Step 10: Start relay listener ───────────────────────────────────────
   const hireListener = new HireListener(config, db, notifier, config.wallet.contract_address);
@@ -588,6 +579,14 @@ export async function runDaemon(foreground = false): Promise<void> {
     }
   }, 30_000);
 
+  // Rate limit map cleanup — every 5 minutes (prevents unbounded growth)
+  rateLimitCleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [ip, bucket] of rateLimitMap) {
+      if (bucket.resetTime < now) rateLimitMap.delete(ip);
+    }
+  }, 5 * 60 * 1000);
+
   // Balance monitor — every 5 minutes
   const balanceInterval = setInterval(async () => {
     try {
@@ -617,6 +616,26 @@ export async function runDaemon(foreground = false): Promise<void> {
   // ── Start HTTP relay server (public endpoint) ────────────────────────────
   const httpPort = config.relay.listen_port ?? 4402;
 
+  /**
+   * Optionally verifies X-ARC402-Signature against the request body.
+   * Logs the result but never rejects — unsigned requests are accepted for backwards compat.
+   */
+  function verifyRequestSignature(body: string, req: http.IncomingMessage): void {
+    const sig = req.headers["x-arc402-signature"] as string | undefined;
+    if (!sig) return;
+    const claimedSigner = req.headers["x-arc402-signer"] as string | undefined;
+    try {
+      const recovered = ethers.verifyMessage(body, sig);
+      if (claimedSigner && recovered.toLowerCase() !== claimedSigner.toLowerCase()) {
+        log({ event: "sig_mismatch", claimed: claimedSigner, recovered });
+      } else {
+        log({ event: "sig_verified", signer: recovered });
+      }
+    } catch {
+      log({ event: "sig_invalid" });
+    }
+  }
+
   /**
    * Read request body with a size cap. Destroys the request and sends 413
    * if the body exceeds MAX_BODY_SIZE. Returns null in that case.
@@ -643,11 +662,22 @@ export async function runDaemon(foreground = false): Promise<void> {
 
   const PUBLIC_GET_PATHS = new Set(["/", "/health", "/agent", "/capabilities", "/status"]);
 
+  // CORS whitelist — localhost for local tooling, arc402.xyz for the web app
+  const CORS_WHITELIST = new Set(["localhost", "127.0.0.1", "arc402.xyz", "app.arc402.xyz"]);
+
   const httpServer = http.createServer(async (req, res) => {
-    // CORS headers
-    res.setHeader("Access-Control-Allow-Origin", "*");
-    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
-    res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+    // CORS — only reflect origin header if it's in the whitelist
+    const origin = (req.headers["origin"] ?? "") as string;
+    if (origin) {
+      try {
+        const { hostname } = new URL(origin);
+        if (CORS_WHITELIST.has(hostname)) {
+          res.setHeader("Access-Control-Allow-Origin", origin);
+          res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+          res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+        }
+      } catch { /* ignore invalid origin */ }
+    }
     if (req.method === "OPTIONS") { res.writeHead(204); res.end(); return; }
 
     const url = new URL(req.url || "/", `http://localhost:${httpPort}`);
@@ -707,6 +737,7 @@ export async function runDaemon(foreground = false): Promise<void> {
     if (pathname === "/hire" && req.method === "POST") {
       const body = await readBody(req, res);
       if (body === null) return;
+      verifyRequestSignature(body, req);
       try {
           const msg = JSON.parse(body) as Record<string, unknown>;
 
@@ -787,6 +818,7 @@ export async function runDaemon(foreground = false): Promise<void> {
     if (pathname === "/handshake" && req.method === "POST") {
       const body = await readBody(req, res);
       if (body === null) return;
+      verifyRequestSignature(body, req);
       try {
           const msg = JSON.parse(body);
           log({ event: "handshake_received", from: msg.from, type: msg.type, note: msg.note });
@@ -824,6 +856,7 @@ export async function runDaemon(foreground = false): Promise<void> {
     if (pathname === "/message" && req.method === "POST") {
       const body = await readBody(req, res);
       if (body === null) return;
+      verifyRequestSignature(body, req);
       try {
         const msg = JSON.parse(body) as Record<string, unknown>;
         const from = String(msg.from ?? "");
@@ -844,6 +877,7 @@ export async function runDaemon(foreground = false): Promise<void> {
     if (pathname === "/delivery" && req.method === "POST") {
       const body = await readBody(req, res);
       if (body === null) return;
+      verifyRequestSignature(body, req);
       try {
         const msg = JSON.parse(body) as Record<string, unknown>;
         const agreementId = String(msg.agreementId ?? msg.agreement_id ?? "");
@@ -961,21 +995,25 @@ export async function runDaemon(foreground = false): Promise<void> {
       return;
     }
 
-    // GET /status — health with active agreement count
+    // GET /status — health with active agreement count (sensitive counts only for authenticated)
     if (pathname === "/status" && req.method === "GET") {
-      const activeList = db.listActiveHireRequests();
-      const pendingList = db.listPendingHireRequests();
-      res.writeHead(200, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({
+      const statusAuth = (req.headers["authorization"] ?? "") as string;
+      const statusToken = statusAuth.startsWith("Bearer ") ? statusAuth.slice(7) : "";
+      const statusAuthed = statusToken === apiToken;
+      const statusPayload: Record<string, unknown> = {
         protocol: "arc-402",
         version: "0.3.0",
         agent: config.wallet.contract_address,
         status: "online",
         uptime: Math.floor((Date.now() - ipcCtx.startTime) / 1000),
-        active_agreements: activeList.length,
-        pending_approval: pendingList.length,
         capabilities: config.policy.allowed_capabilities,
-      }));
+      };
+      if (statusAuthed) {
+        statusPayload.active_agreements = db.listActiveHireRequests().length;
+        statusPayload.pending_approval = db.listPendingHireRequests().length;
+      }
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify(statusPayload));
       return;
     }
 
@@ -1011,6 +1049,7 @@ export async function runDaemon(foreground = false): Promise<void> {
     if (relayInterval) clearInterval(relayInterval);
     clearInterval(timeoutInterval);
     clearInterval(balanceInterval);
+    if (rateLimitCleanupInterval) clearInterval(rateLimitCleanupInterval);
 
     // Close HTTP + IPC
     httpServer.close();