arc402-cli 1.0.0-rc.1 → 1.1.0

package/dist/daemon/index.js

@@ -52,12 +52,18 @@ const net = __importStar(require("net"));
 const http = __importStar(require("http"));
 const ethers_1 = require("ethers");
 const better_sqlite3_1 = __importDefault(require("better-sqlite3"));
+const crypto = __importStar(require("crypto"));
 const config_1 = require("./config");
+const compute_metering_1 = require("./compute-metering");
+const compute_session_1 = require("./compute-session");
 const wallet_monitor_1 = require("./wallet-monitor");
 const notify_1 = require("./notify");
 const hire_listener_1 = require("./hire-listener");
 const userops_1 = require("./userops");
 const job_lifecycle_1 = require("./job-lifecycle");
+const file_delivery_1 = require("./file-delivery");
+const delivery_client_1 = require("./delivery-client");
+const abis_1 = require("../abis");
 function openStateDB(dbPath) {
     const db = new better_sqlite3_1.default(dbPath);
     db.pragma("journal_mode = WAL");
@@ -114,6 +120,7 @@ function openStateDB(dbPath) {
       (@id, @agreement_id, @hirer_address, @capability, @price_eth, @deadline_unix, @spec_hash, @status, @created_at, @updated_at, @reject_reason)
   `);
     const getHireRequest = db.prepare(`SELECT * FROM hire_requests WHERE id = ?`);
+    const getHireRequestByAgreementId = db.prepare(`SELECT * FROM hire_requests WHERE agreement_id = ? ORDER BY created_at DESC LIMIT 1`);
     const updateStatus = db.prepare(`UPDATE hire_requests SET status = ?, reject_reason = ?, updated_at = ? WHERE id = ?`);
     const listPending = db.prepare(`SELECT * FROM hire_requests WHERE status = 'pending_approval' ORDER BY created_at ASC`);
     const listActive = db.prepare(`SELECT * FROM hire_requests WHERE status IN ('accepted', 'delivered') ORDER BY created_at ASC`);
@@ -126,6 +133,9 @@ function openStateDB(dbPath) {
         getHireRequest(id) {
             return getHireRequest.get(id);
         },
+        getHireRequestByAgreementId(agreementId) {
+            return getHireRequestByAgreementId.get(agreementId);
+        },
         updateHireRequestStatus(id, status, rejectReason) {
             updateStatus.run(status, rejectReason ?? null, Date.now(), id);
         },
@@ -144,6 +154,40 @@ function openStateDB(dbPath) {
         },
     };
 }
+// ─── Auth token ───────────────────────────────────────────────────────────────
+const DAEMON_TOKEN_FILE = path.join(path.dirname(config_1.DAEMON_SOCK), "daemon.token");
+function generateApiToken() {
+    return crypto.randomBytes(32).toString("hex");
+}
+function saveApiToken(token) {
+    fs.mkdirSync(path.dirname(DAEMON_TOKEN_FILE), { recursive: true, mode: 0o700 });
+    fs.writeFileSync(DAEMON_TOKEN_FILE, token, { mode: 0o600 });
+}
+function loadApiToken() {
+    try {
+        return fs.readFileSync(DAEMON_TOKEN_FILE, "utf-8").trim();
+    }
+    catch {
+        return null;
+    }
+}
+const rateLimitMap = new Map();
+const RATE_LIMIT = 30;
+const RATE_WINDOW_MS = 60000;
+function checkRateLimit(ip) {
+    const now = Date.now();
+    let bucket = rateLimitMap.get(ip);
+    if (!bucket || now >= bucket.resetTime) {
+        bucket = { count: 0, resetTime: now + RATE_WINDOW_MS };
+        rateLimitMap.set(ip, bucket);
+    }
+    bucket.count++;
+    return bucket.count <= RATE_LIMIT;
+}
+// Cleanup stale rate limit entries every 5 minutes to prevent unbounded growth
+let rateLimitCleanupInterval = null;
+// ─── Body size limit ──────────────────────────────────────────────────────────
+const MAX_BODY_SIZE = 1024 * 1024; // 1 MB
 // ─── Logger ───────────────────────────────────────────────────────────────────
 function openLogger(logPath, foreground) {
     let stream = null;
@@ -161,13 +205,14 @@ function openLogger(logPath, foreground) {
         }
     };
 }
-function startIpcServer(ctx, log) {
+function startIpcServer(ctx, log, apiToken) {
     // Remove stale socket
     if (fs.existsSync(config_1.DAEMON_SOCK)) {
         fs.unlinkSync(config_1.DAEMON_SOCK);
     }
     const server = net.createServer((socket) => {
         let buf = "";
+        let authenticated = false;
         socket.on("data", (data) => {
             buf += data.toString();
             const lines = buf.split("\n");
@@ -183,6 +228,19 @@ function startIpcServer(ctx, log) {
                     socket.write(JSON.stringify({ ok: false, error: "invalid_json" }) + "\n");
                     continue;
                 }
+                // First message must be auth
+                if (!authenticated) {
+                    if (cmd.auth === apiToken) {
+                        authenticated = true;
+                        socket.write(JSON.stringify({ ok: true, authenticated: true }) + "\n");
+                    }
+                    else {
+                        log({ event: "ipc_auth_failed" });
+                        socket.write(JSON.stringify({ ok: false, error: "unauthorized" }) + "\n");
+                        socket.destroy();
+                    }
+                    continue;
+                }
                 const response = handleIpcCommand(cmd, ctx, log);
                 socket.write(JSON.stringify(response) + "\n");
             }
@@ -404,15 +462,34 @@ async function runDaemon(foreground = false) {
         process.exit(1);
     }
     // ── Setup notifier ───────────────────────────────────────────────────────
-    const notifier = new notify_1.Notifier(config.notifications.telegram_bot_token, config.notifications.telegram_chat_id, {
-        hire_request: config.notifications.notify_on_hire_request,
-        hire_accepted: config.notifications.notify_on_hire_accepted,
-        hire_rejected: config.notifications.notify_on_hire_rejected,
-        delivery: config.notifications.notify_on_delivery,
-        dispute: config.notifications.notify_on_dispute,
-        channel_challenge: config.notifications.notify_on_channel_challenge,
-        low_balance: config.notifications.notify_on_low_balance,
+    const notifier = (0, notify_1.buildNotifier)(config);
+    // ── File delivery subsystem ──────────────────────────────────────────────
+    const fileDelivery = new file_delivery_1.FileDeliveryManager({
+        maxFileSizeMb: config.delivery.max_file_size_mb,
+        maxJobSizeMb: config.delivery.max_job_size_mb,
     });
+    fileDelivery.setPartyResolver((agreementId) => {
+        const row = db.getHireRequestByAgreementId(agreementId);
+        if (!row)
+            return null;
+        return {
+            hirerAddress: row.hirer_address,
+            providerAddress: config.wallet.contract_address,
+        };
+    });
+    const deliveryClient = new delivery_client_1.DeliveryClient({ autoDownload: config.delivery.auto_download });
+    deliveryClient.log = log;
+    log({ event: "file_delivery_ready", serve_files: config.delivery.serve_files, auto_download: config.delivery.auto_download });
+    // ── Compute rental subsystem ─────────────────────────────────────────────
+    let computeMetering = null;
+    let computeSessions = null;
+    // Machine key signer — used for on-chain compute contract calls
+    const machineKeySigner = new ethers_1.ethers.Wallet(machinePrivateKey, provider);
+    if (config.compute.enabled) {
+        computeMetering = new compute_metering_1.ComputeMetering(machinePrivateKey, config.network.chain_id, config.compute.compute_agreement_address || config.wallet.contract_address, config.compute.metering_interval_seconds, config.compute.report_interval_minutes, config.compute.compute_agreement_address ? provider : undefined);
+        computeSessions = new compute_session_1.ComputeSessionManager(computeMetering);
+        log({ event: "compute_enabled", gpu_spec: config.compute.gpu_spec, rate_wei: config.compute.rate_per_hour_wei });
+    }
     // ── Step 10: Start relay listener ───────────────────────────────────────
     const hireListener = new hire_listener_1.HireListener(config, db, notifier, config.wallet.contract_address);
     const ipcCtx = {
@@ -464,6 +541,14 @@ async function runDaemon(foreground = false) {
             }
         }
     }, 30000);
+    // Rate limit map cleanup — every 5 minutes (prevents unbounded growth)
+    rateLimitCleanupInterval = setInterval(() => {
+        const now = Date.now();
+        for (const [ip, bucket] of rateLimitMap) {
+            if (bucket.resetTime < now)
+                rateLimitMap.delete(ip);
+        }
+    }, 5 * 60 * 1000);
     // Balance monitor — every 5 minutes
     const balanceInterval = setInterval(async () => {
         try {
@@ -481,15 +566,76 @@ async function runDaemon(foreground = false) {
         fs.writeFileSync(config_1.DAEMON_PID, String(process.pid), { mode: 0o600 });
         log({ event: "pid_written", pid: process.pid, path: config_1.DAEMON_PID });
     }
+    // ── Generate and save API token ──────────────────────────────────────────
+    const apiToken = generateApiToken();
+    saveApiToken(apiToken);
+    log({ event: "auth_token_saved", path: DAEMON_TOKEN_FILE });
     // ── Start IPC socket ─────────────────────────────────────────────────────
-    const ipcServer = startIpcServer(ipcCtx, log);
+    const ipcServer = startIpcServer(ipcCtx, log, apiToken);
     // ── Start HTTP relay server (public endpoint) ────────────────────────────
     const httpPort = config.relay.listen_port ?? 4402;
+    /**
+     * Optionally verifies X-ARC402-Signature against the request body.
+     * Logs the result but never rejects — unsigned requests are accepted for backwards compat.
+     */
+    function verifyRequestSignature(body, req) {
+        const sig = req.headers["x-arc402-signature"];
+        if (!sig)
+            return;
+        const claimedSigner = req.headers["x-arc402-signer"];
+        try {
+            const recovered = ethers_1.ethers.verifyMessage(body, sig);
+            if (claimedSigner && recovered.toLowerCase() !== claimedSigner.toLowerCase()) {
+                log({ event: "sig_mismatch", claimed: claimedSigner, recovered });
+            }
+            else {
+                log({ event: "sig_verified", signer: recovered });
+            }
+        }
+        catch {
+            log({ event: "sig_invalid" });
+        }
+    }
+    /**
+     * Read request body with a size cap. Destroys the request and sends 413
+     * if the body exceeds MAX_BODY_SIZE. Returns null in that case.
+     */
+    function readBody(req, res) {
+        return new Promise((resolve) => {
+            let body = "";
+            let size = 0;
+            req.on("data", (chunk) => {
+                size += chunk.length;
+                if (size > MAX_BODY_SIZE) {
+                    req.destroy();
+                    res.writeHead(413, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "payload_too_large" }));
+                    resolve(null);
+                    return;
+                }
+                body += chunk.toString();
+            });
+            req.on("end", () => { resolve(body); });
+            req.on("error", () => { resolve(null); });
+        });
+    }
+    const PUBLIC_GET_PATHS = new Set(["/", "/health", "/agent", "/capabilities", "/status"]);
+    // CORS whitelist — localhost for local tooling, arc402.xyz for the web app
+    const CORS_WHITELIST = new Set(["localhost", "127.0.0.1", "arc402.xyz", "app.arc402.xyz"]);
     const httpServer = http.createServer(async (req, res) => {
-        // CORS headers
-        res.setHeader("Access-Control-Allow-Origin", "*");
-        res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
-        res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+        // CORS — only reflect origin header if it's in the whitelist
+        const origin = (req.headers["origin"] ?? "");
+        if (origin) {
+            try {
+                const { hostname } = new URL(origin);
+                if (CORS_WHITELIST.has(hostname)) {
+                    res.setHeader("Access-Control-Allow-Origin", origin);
+                    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+                    res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+                }
+            }
+            catch { /* ignore invalid origin */ }
+        }
         if (req.method === "OPTIONS") {
             res.writeHead(204);
             res.end();
@@ -497,6 +643,26 @@ async function runDaemon(foreground = false) {
         }
         const url = new URL(req.url || "/", `http://localhost:${httpPort}`);
         const pathname = url.pathname;
+        // Rate limiting (all endpoints)
+        const clientIp = (req.socket.remoteAddress ?? "unknown").replace(/^::ffff:/, "");
+        if (!checkRateLimit(clientIp)) {
+            log({ event: "rate_limited", ip: clientIp, path: pathname });
+            res.writeHead(429, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: "too_many_requests" }));
+            return;
+        }
+        // Auth required on all POST endpoints (GET public paths are open).
+        // /job/* GET routes use party auth (verifyPartyAccess) instead of daemon bearer token.
+        if (req.method === "POST" || (req.method === "GET" && !PUBLIC_GET_PATHS.has(pathname) && !pathname.startsWith("/job/"))) {
+            const authHeader = req.headers["authorization"] ?? "";
+            const token = authHeader.startsWith("Bearer ") ? authHeader.slice(7) : "";
+            if (token !== apiToken) {
+                log({ event: "http_unauthorized", ip: clientIp, path: pathname });
+                res.writeHead(401, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "unauthorized" }));
+                return;
+            }
+        }
         // Health / info
         if (pathname === "/" || pathname === "/health") {
             const info = {
@@ -526,51 +692,36 @@ async function runDaemon(foreground = false) {
         }
         // Receive hire proposal
         if (pathname === "/hire" && req.method === "POST") {
-            let body = "";
-            req.on("data", (chunk) => { body += chunk.toString(); });
-            req.on("end", async () => {
-                try {
-                    const msg = JSON.parse(body);
-                    // Feed into the hire listener's message handler
-                    const proposal = {
-                        messageId: String(msg.messageId ?? msg.id ?? `http_${Date.now()}`),
-                        hirerAddress: String(msg.hirerAddress ?? msg.hirer_address ?? msg.from ?? ""),
-                        capability: String(msg.capability ?? ""),
-                        priceEth: String(msg.priceEth ?? msg.price_eth ?? "0"),
-                        deadlineUnix: Number(msg.deadlineUnix ?? msg.deadline ?? 0),
-                        specHash: String(msg.specHash ?? msg.spec_hash ?? ""),
-                        agreementId: msg.agreementId ? String(msg.agreementId) : undefined,
-                        signature: msg.signature ? String(msg.signature) : undefined,
-                    };
-                    // Dedup
-                    const existing = db.getHireRequest(proposal.messageId);
-                    if (existing) {
-                        res.writeHead(200, { "Content-Type": "application/json" });
-                        res.end(JSON.stringify({ status: existing.status, id: proposal.messageId }));
-                        return;
-                    }
-                    // Policy check
-                    const { evaluatePolicy } = await Promise.resolve().then(() => __importStar(require("./hire-listener")));
-                    const activeCount = db.countActiveHireRequests();
-                    const policyResult = evaluatePolicy(proposal, config, activeCount);
-                    if (!policyResult.allowed) {
-                        db.insertHireRequest({
-                            id: proposal.messageId,
-                            agreement_id: proposal.agreementId ?? null,
-                            hirer_address: proposal.hirerAddress,
-                            capability: proposal.capability,
-                            price_eth: proposal.priceEth,
-                            deadline_unix: proposal.deadlineUnix,
-                            spec_hash: proposal.specHash,
-                            status: "rejected",
-                            reject_reason: policyResult.reason ?? "policy_violation",
-                        });
-                        log({ event: "http_hire_rejected", id: proposal.messageId, reason: policyResult.reason });
-                        res.writeHead(200, { "Content-Type": "application/json" });
-                        res.end(JSON.stringify({ status: "rejected", reason: policyResult.reason, id: proposal.messageId }));
-                        return;
-                    }
-                    const status = config.policy.auto_accept ? "accepted" : "pending_approval";
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            verifyRequestSignature(body, req);
+            try {
+                const msg = JSON.parse(body);
+                // Feed into the hire listener's message handler
+                const proposal = {
+                    messageId: String(msg.messageId ?? msg.id ?? `http_${Date.now()}`),
+                    hirerAddress: String(msg.hirerAddress ?? msg.hirer_address ?? msg.from ?? ""),
+                    capability: String(msg.capability ?? ""),
+                    priceEth: String(msg.priceEth ?? msg.price_eth ?? "0"),
+                    deadlineUnix: Number(msg.deadlineUnix ?? msg.deadline ?? 0),
+                    specHash: String(msg.specHash ?? msg.spec_hash ?? ""),
+                    agreementId: msg.agreementId ? String(msg.agreementId) : undefined,
+                    signature: msg.signature ? String(msg.signature) : undefined,
+                };
+                // Dedup
+                const existing = db.getHireRequest(proposal.messageId);
+                if (existing) {
+                    log({ event: "hire_duplicate", id: proposal.messageId, status: existing.status });
+                    res.writeHead(200, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ status: existing.status, id: proposal.messageId }));
+                    return;
+                }
+                // Policy check
+                const { evaluatePolicy } = await Promise.resolve().then(() => __importStar(require("./hire-listener")));
+                const activeCount = db.countActiveHireRequests();
+                const policyResult = evaluatePolicy(proposal, config, activeCount);
+                if (!policyResult.allowed) {
                     db.insertHireRequest({
                         id: proposal.messageId,
                         agreement_id: proposal.agreementId ?? null,
@@ -579,206 +730,227 @@ async function runDaemon(foreground = false) {
                         price_eth: proposal.priceEth,
                         deadline_unix: proposal.deadlineUnix,
                         spec_hash: proposal.specHash,
-                        status,
-                        reject_reason: null,
+                        status: "rejected",
+                        reject_reason: policyResult.reason ?? "policy_violation",
                     });
-                    log({ event: "http_hire_received", id: proposal.messageId, hirer: proposal.hirerAddress, status });
-                    if (config.notifications.notify_on_hire_request) {
-                        await notifier.notifyHireRequest(proposal.messageId, proposal.hirerAddress, proposal.priceEth, proposal.capability);
-                    }
+                    log({ event: "http_hire_rejected", id: proposal.messageId, reason: policyResult.reason });
                     res.writeHead(200, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ status, id: proposal.messageId }));
+                    res.end(JSON.stringify({ status: "rejected", reason: policyResult.reason, id: proposal.messageId }));
+                    return;
                 }
-                catch (err) {
-                    log({ event: "http_hire_error", error: String(err) });
-                    res.writeHead(400, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ error: "invalid_request" }));
+                const status = config.policy.auto_accept ? "accepted" : "pending_approval";
+                db.insertHireRequest({
+                    id: proposal.messageId,
+                    agreement_id: proposal.agreementId ?? null,
+                    hirer_address: proposal.hirerAddress,
+                    capability: proposal.capability,
+                    price_eth: proposal.priceEth,
+                    deadline_unix: proposal.deadlineUnix,
+                    spec_hash: proposal.specHash,
+                    status,
+                    reject_reason: null,
+                });
+                log({ event: "http_hire_received", id: proposal.messageId, hirer: proposal.hirerAddress, status });
+                if (config.notifications.notify_on_hire_request) {
+                    await notifier.notifyHireRequest(proposal.messageId, proposal.hirerAddress, proposal.priceEth, proposal.capability);
                 }
-            });
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ status, id: proposal.messageId }));
+            }
+            catch (err) {
+                log({ event: "http_hire_error", error: String(err) });
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
             return;
         }
         // Handshake acknowledgment endpoint
         if (pathname === "/handshake" && req.method === "POST") {
-            let body = "";
-            req.on("data", (chunk) => { body += chunk.toString(); });
-            req.on("end", () => {
-                try {
-                    const msg = JSON.parse(body);
-                    log({ event: "handshake_received", from: msg.from, type: msg.type, note: msg.note });
-                    res.writeHead(200, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
-                }
-                catch {
-                    res.writeHead(400, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ error: "invalid_request" }));
-                }
-            });
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            verifyRequestSignature(body, req);
+            try {
+                const msg = JSON.parse(body);
+                log({ event: "handshake_received", from: msg.from, type: msg.type, note: msg.note });
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
+            }
+            catch {
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
             return;
         }
         // POST /hire/accepted — provider accepted, client notified
         if (pathname === "/hire/accepted" && req.method === "POST") {
-            let body = "";
-            req.on("data", (chunk) => { body += chunk.toString(); });
-            req.on("end", async () => {
-                try {
-                    const msg = JSON.parse(body);
-                    const agreementId = String(msg.agreementId ?? msg.agreement_id ?? "");
-                    const from = String(msg.from ?? "");
-                    log({ event: "hire_accepted_inbound", agreementId, from });
-                    if (config.notifications.notify_on_hire_accepted) {
-                        await notifier.notifyHireAccepted(agreementId, agreementId);
-                    }
-                    res.writeHead(200, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            try {
+                const msg = JSON.parse(body);
+                const agreementId = String(msg.agreementId ?? msg.agreement_id ?? "");
+                const from = String(msg.from ?? "");
+                log({ event: "hire_accepted_inbound", agreementId, from });
+                if (config.notifications.notify_on_hire_accepted) {
+                    await notifier.notifyHireAccepted(agreementId, agreementId);
                 }
-                catch {
-                    res.writeHead(400, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ error: "invalid_request" }));
-                }
-            });
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
+            }
+            catch {
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
             return;
         }
         // POST /message — off-chain negotiation message
         if (pathname === "/message" && req.method === "POST") {
-            let body = "";
-            req.on("data", (chunk) => { body += chunk.toString(); });
-            req.on("end", () => {
-                try {
-                    const msg = JSON.parse(body);
-                    const from = String(msg.from ?? "");
-                    const to = String(msg.to ?? "");
-                    const content = String(msg.content ?? "");
-                    const timestamp = Number(msg.timestamp ?? Date.now());
-                    log({ event: "message_received", from, to, timestamp, content_len: content.length });
-                    res.writeHead(200, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
-                }
-                catch {
-                    res.writeHead(400, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ error: "invalid_request" }));
-                }
-            });
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            verifyRequestSignature(body, req);
+            try {
+                const msg = JSON.parse(body);
+                const from = String(msg.from ?? "");
+                const to = String(msg.to ?? "");
+                const content = String(msg.content ?? "");
+                const timestamp = Number(msg.timestamp ?? Date.now());
+                log({ event: "message_received", from, to, timestamp, content_len: content.length });
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
+            }
+            catch {
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
             return;
         }
         // POST /delivery — provider committed a deliverable
         if (pathname === "/delivery" && req.method === "POST") {
-            let body = "";
-            req.on("data", (chunk) => { body += chunk.toString(); });
-            req.on("end", async () => {
-                try {
-                    const msg = JSON.parse(body);
-                    const agreementId = String(msg.agreementId ?? msg.agreement_id ?? "");
-                    const deliverableHash = String(msg.deliverableHash ?? msg.deliverable_hash ?? "");
-                    const from = String(msg.from ?? "");
-                    log({ event: "delivery_received", agreementId, deliverableHash, from });
-                    // Update DB: mark delivered
-                    const active = db.listActiveHireRequests();
-                    const found = active.find(r => r.agreement_id === agreementId);
-                    if (found)
-                        db.updateHireRequestStatus(found.id, "delivered");
-                    if (config.notifications.notify_on_delivery) {
-                        await notifier.notifyDelivery(agreementId, deliverableHash, "");
-                    }
-                    res.writeHead(200, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            verifyRequestSignature(body, req);
+            try {
+                const msg = JSON.parse(body);
+                const agreementId = String(msg.agreementId ?? msg.agreement_id ?? "");
+                const deliverableHash = String(msg.deliverableHash ?? msg.deliverable_hash ?? "");
+                const filesUrl = String(msg.files_url ?? msg.filesUrl ?? "");
+                const from = String(msg.from ?? "");
+                log({ event: "delivery_received", agreementId, deliverableHash, from, has_files_url: !!filesUrl });
+                // Update DB: mark delivered
+                const active = db.listActiveHireRequests();
+                const found = active.find(r => r.agreement_id === agreementId);
+                if (found)
+                    db.updateHireRequestStatus(found.id, "delivered");
+                if (config.notifications.notify_on_delivery) {
+                    await notifier.notifyDelivery(agreementId, deliverableHash, "");
                 }
-                catch {
-                    res.writeHead(400, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ error: "invalid_request" }));
+                // Auto-download and verify if files_url provided and auto_download enabled
+                if (filesUrl && config.delivery.auto_download) {
+                    void deliveryClient.handleDeliveryNotification({ agreementId, deliverableHash, filesUrl })
+                        .then(result => {
+                        if (result)
+                            log({ event: "delivery_auto_downloaded", agreementId, ok: result.ok, root_hash_match: result.rootHashMatch, files: result.fileResults.length });
+                    })
+                        .catch(err => log({ event: "delivery_download_error", agreementId, error: String(err) }));
                 }
-            });
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
+            }
+            catch {
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
             return;
         }
         // POST /delivery/accepted — client accepted delivery, payment releasing
         if (pathname === "/delivery/accepted" && req.method === "POST") {
-            let body = "";
-            req.on("data", (chunk) => { body += chunk.toString(); });
-            req.on("end", () => {
-                try {
-                    const msg = JSON.parse(body);
-                    const agreementId = String(msg.agreementId ?? msg.agreement_id ?? "");
-                    const from = String(msg.from ?? "");
-                    log({ event: "delivery_accepted_inbound", agreementId, from });
-                    // Update DB: mark complete
-                    const all = db.listActiveHireRequests();
-                    const found = all.find(r => r.agreement_id === agreementId);
-                    if (found)
-                        db.updateHireRequestStatus(found.id, "complete");
-                    res.writeHead(200, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
-                }
-                catch {
-                    res.writeHead(400, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ error: "invalid_request" }));
-                }
-            });
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            try {
+                const msg = JSON.parse(body);
+                const agreementId = String(msg.agreementId ?? msg.agreement_id ?? "");
+                const from = String(msg.from ?? "");
+                log({ event: "delivery_accepted_inbound", agreementId, from });
+                // Update DB: mark complete
+                const all = db.listActiveHireRequests();
+                const found = all.find(r => r.agreement_id === agreementId);
+                if (found)
+                    db.updateHireRequestStatus(found.id, "complete");
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
+            }
+            catch {
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
             return;
         }
         // POST /dispute — dispute raised against this agent
         if (pathname === "/dispute" && req.method === "POST") {
-            let body = "";
-            req.on("data", (chunk) => { body += chunk.toString(); });
-            req.on("end", async () => {
-                try {
-                    const msg = JSON.parse(body);
-                    const agreementId = String(msg.agreementId ?? msg.agreement_id ?? "");
-                    const reason = String(msg.reason ?? "");
-                    const from = String(msg.from ?? "");
-                    log({ event: "dispute_received", agreementId, reason, from });
-                    if (config.notifications.notify_on_dispute) {
-                        await notifier.notifyDispute(agreementId, from);
-                    }
-                    res.writeHead(200, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            try {
+                const msg = JSON.parse(body);
+                const agreementId = String(msg.agreementId ?? msg.agreement_id ?? "");
+                const reason = String(msg.reason ?? "");
+                const from = String(msg.from ?? "");
+                log({ event: "dispute_received", agreementId, reason, from });
+                if (config.notifications.notify_on_dispute) {
+                    await notifier.notifyDispute(agreementId, from);
                 }
-                catch {
-                    res.writeHead(400, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ error: "invalid_request" }));
-                }
-            });
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
+            }
+            catch {
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
             return;
         }
         // POST /dispute/resolved — dispute resolved by arbitrator
         if (pathname === "/dispute/resolved" && req.method === "POST") {
-            let body = "";
-            req.on("data", (chunk) => { body += chunk.toString(); });
-            req.on("end", () => {
-                try {
-                    const msg = JSON.parse(body);
-                    const agreementId = String(msg.agreementId ?? msg.agreement_id ?? "");
-                    const outcome = String(msg.outcome ?? "");
-                    const from = String(msg.from ?? "");
-                    log({ event: "dispute_resolved_inbound", agreementId, outcome, from });
-                    res.writeHead(200, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
-                }
-                catch {
-                    res.writeHead(400, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ error: "invalid_request" }));
-                }
-            });
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            try {
+                const msg = JSON.parse(body);
+                const agreementId = String(msg.agreementId ?? msg.agreement_id ?? "");
+                const outcome = String(msg.outcome ?? "");
+                const from = String(msg.from ?? "");
+                log({ event: "dispute_resolved_inbound", agreementId, outcome, from });
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
+            }
+            catch {
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
             return;
         }
         // POST /workroom/status — workroom lifecycle events
         if (pathname === "/workroom/status" && req.method === "POST") {
-            let body = "";
-            req.on("data", (chunk) => { body += chunk.toString(); });
-            req.on("end", () => {
-                try {
-                    const msg = JSON.parse(body);
-                    const event = String(msg.event ?? "");
-                    const agentAddress = String(msg.agentAddress ?? config.wallet.contract_address);
-                    const jobId = msg.jobId ? String(msg.jobId) : undefined;
-                    const timestamp = Number(msg.timestamp ?? Date.now());
-                    log({ event: "workroom_lifecycle", workroom_event: event, agentAddress, jobId, timestamp });
-                    res.writeHead(200, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
-                }
-                catch {
-                    res.writeHead(400, { "Content-Type": "application/json" });
-                    res.end(JSON.stringify({ error: "invalid_request" }));
-                }
-            });
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            try {
+                const msg = JSON.parse(body);
+                const event = String(msg.event ?? "");
+                const agentAddress = String(msg.agentAddress ?? config.wallet.contract_address);
+                const jobId = msg.jobId ? String(msg.jobId) : undefined;
+                const timestamp = Number(msg.timestamp ?? Date.now());
+                log({ event: "workroom_lifecycle", workroom_event: event, agentAddress, jobId, timestamp });
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ received: true, agent: config.wallet.contract_address }));
+            }
+            catch {
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
             return;
         }
         // GET /capabilities — agent capabilities from config
@@ -792,23 +964,415 @@ async function runDaemon(foreground = false) {
             }));
             return;
         }
-        // GET /status — health with active agreement count
+        // GET /status — health with active agreement count (sensitive counts only for authenticated)
         if (pathname === "/status" && req.method === "GET") {
-            const activeList = db.listActiveHireRequests();
-            const pendingList = db.listPendingHireRequests();
-            res.writeHead(200, { "Content-Type": "application/json" });
-            res.end(JSON.stringify({
+            const statusAuth = (req.headers["authorization"] ?? "");
+            const statusToken = statusAuth.startsWith("Bearer ") ? statusAuth.slice(7) : "";
+            const statusAuthed = statusToken === apiToken;
+            const statusPayload = {
                 protocol: "arc-402",
                 version: "0.3.0",
                 agent: config.wallet.contract_address,
                 status: "online",
                 uptime: Math.floor((Date.now() - ipcCtx.startTime) / 1000),
-                active_agreements: activeList.length,
-                pending_approval: pendingList.length,
                 capabilities: config.policy.allowed_capabilities,
-            }));
+            };
+            if (statusAuthed) {
+                statusPayload.active_agreements = db.listActiveHireRequests().length;
+                statusPayload.pending_approval = db.listPendingHireRequests().length;
+                if (config.delivery.serve_files) {
+                    const deliveriesDir = path.join(config_1.DAEMON_DIR, "deliveries");
+                    let totalDeliveries = 0, totalFiles = 0;
+                    if (fs.existsSync(deliveriesDir)) {
+                        const entries = fs.readdirSync(deliveriesDir);
+                        totalDeliveries = entries.length;
+                        for (const entry of entries) {
+                            const entryPath = path.join(deliveriesDir, entry);
+                            if (fs.statSync(entryPath).isDirectory()) {
+                                totalFiles += fs.readdirSync(entryPath).filter(f => f !== "_manifest.json").length;
+                            }
+                        }
+                    }
+                    statusPayload.file_delivery = { total_deliveries: totalDeliveries, total_files: totalFiles };
+                }
+            }
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify(statusPayload));
+            return;
+        }
+        // ── Compute rental routes ─────────────────────────────────────────────
+        // POST /compute/propose — client proposes a compute session
+        if (pathname === "/compute/propose" && req.method === "POST") {
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            try {
+                const msg = JSON.parse(body);
+                if (!computeSessions) {
+                    res.writeHead(503, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "compute_disabled" }));
+                    return;
+                }
+                const proposal = {
+                    sessionId: String(msg.sessionId ?? ""),
+                    clientAddress: String(msg.clientAddress ?? msg.client ?? ""),
+                    providerAddress: config.wallet.contract_address,
+                    ratePerHourWei: config.compute.rate_per_hour_wei,
+                    maxHours: Number(msg.maxHours ?? 1),
+                    gpuSpecHash: String(msg.gpuSpecHash ?? "0x0000000000000000000000000000000000000000000000000000000000000000"),
+                    workloadDescription: String(msg.workloadDescription ?? ""),
+                    depositAmount: String(msg.depositAmount ?? "0"),
+                    proposedAt: Math.floor(Date.now() / 1000),
+                };
+                if (!proposal.sessionId) {
+                    res.writeHead(400, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "sessionId required" }));
+                    return;
+                }
+                // Check capacity
+                const activeSessions = computeSessions.countByStatus("active");
+                if (activeSessions >= config.compute.max_concurrent_sessions) {
+                    res.writeHead(200, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ status: "rejected", reason: "at_capacity" }));
+                    return;
+                }
+                const result = computeSessions.handleProposal(proposal);
+                if (!result.ok) {
+                    res.writeHead(400, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: result.error }));
+                    return;
+                }
+                log({ event: "compute_proposed", sessionId: proposal.sessionId, client: proposal.clientAddress });
+                // Auto-accept if configured
+                if (config.compute.auto_accept_compute) {
+                    computeSessions.acceptSession(proposal.sessionId);
+                    log({ event: "compute_auto_accepted", sessionId: proposal.sessionId });
+                    // Wire to on-chain: provider calls acceptSession
+                    if (config.compute.compute_agreement_address) {
+                        try {
+                            const caContract = new ethers_1.ethers.Contract(config.compute.compute_agreement_address, abis_1.COMPUTE_AGREEMENT_ABI, machineKeySigner);
+                            const tx = await caContract.acceptSession(proposal.sessionId);
+                            await tx.wait();
+                            log({ event: "compute_accept_onchain", sessionId: proposal.sessionId, txHash: tx.hash });
+                        }
+                        catch (onchainErr) {
+                            log({ event: "compute_accept_onchain_error", sessionId: proposal.sessionId, error: String(onchainErr) });
+                        }
+                    }
+                }
+                const status = config.compute.auto_accept_compute ? "accepted" : "proposed";
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ status, sessionId: proposal.sessionId }));
+            }
+            catch (err) {
+                log({ event: "compute_propose_error", error: String(err) });
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
+            return;
+        }
+        // POST /compute/accept — provider accepts a proposed session
+        if (pathname === "/compute/accept" && req.method === "POST") {
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            try {
+                const msg = JSON.parse(body);
+                const sessionId = String(msg.sessionId ?? "");
+                if (!computeSessions) {
+                    res.writeHead(503, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "compute_disabled" }));
+                    return;
+                }
+                const result = computeSessions.acceptSession(sessionId);
+                if (!result.ok) {
+                    res.writeHead(400, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: result.error }));
+                    return;
+                }
+                log({ event: "compute_accepted", sessionId });
+                // Wire to on-chain: provider calls acceptSession
+                if (config.compute.compute_agreement_address) {
+                    try {
+                        const caContract = new ethers_1.ethers.Contract(config.compute.compute_agreement_address, abis_1.COMPUTE_AGREEMENT_ABI, machineKeySigner);
+                        const tx = await caContract.acceptSession(sessionId);
+                        await tx.wait();
+                        log({ event: "compute_accept_onchain", sessionId, txHash: tx.hash });
+                    }
+                    catch (onchainErr) {
+                        log({ event: "compute_accept_onchain_error", sessionId, error: String(onchainErr) });
+                    }
+                }
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ status: "accepted", sessionId }));
+            }
+            catch (err) {
+                log({ event: "compute_accept_error", error: String(err) });
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
+            return;
+        }
+        // POST /compute/started — provider marks session as started
+        if (pathname === "/compute/started" && req.method === "POST") {
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            try {
+                const msg = JSON.parse(body);
+                const sessionId = String(msg.sessionId ?? "");
+                const accessEndpoint = msg.accessEndpoint ? String(msg.accessEndpoint) : undefined;
+                if (!computeSessions) {
+                    res.writeHead(503, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "compute_disabled" }));
+                    return;
+                }
+                const result = computeSessions.startSession(sessionId, accessEndpoint);
+                if (!result.ok) {
+                    res.writeHead(400, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: result.error }));
+                    return;
+                }
+                log({ event: "compute_started", sessionId });
+                // Wire to on-chain: provider calls startSession
+                if (config.compute.compute_agreement_address) {
+                    try {
+                        const caContract = new ethers_1.ethers.Contract(config.compute.compute_agreement_address, abis_1.COMPUTE_AGREEMENT_ABI, machineKeySigner);
+                        const tx = await caContract.startSession(sessionId);
+                        await tx.wait();
+                        log({ event: "compute_start_onchain", sessionId, txHash: tx.hash });
+                    }
+                    catch (onchainErr) {
+                        log({ event: "compute_start_onchain_error", sessionId, error: String(onchainErr) });
+                    }
+                }
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ status: "active", sessionId }));
+            }
+            catch (err) {
+                log({ event: "compute_started_error", error: String(err) });
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
+            return;
+        }
+        // POST /compute/metrics — get current metrics (polling endpoint)
+        if (pathname === "/compute/metrics" && req.method === "POST") {
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            try {
+                const msg = JSON.parse(body);
+                const sessionId = String(msg.sessionId ?? "");
+                if (!computeMetering || !computeSessions) {
+                    res.writeHead(503, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "compute_disabled" }));
+                    return;
+                }
+                const session = computeSessions.getSession(sessionId);
+                if (!session) {
+                    res.writeHead(404, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "session_not_found" }));
+                    return;
+                }
+                const current = computeMetering.getCurrentMetrics(sessionId);
+                const reports = computeMetering.getUsageReports(sessionId);
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ sessionId, current, reports, consumedMinutes: session.consumedMinutes }));
+            }
+            catch (err) {
+                log({ event: "compute_metrics_error", error: String(err) });
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
+            return;
+        }
+        // POST /compute/end — either party ends the session
+        if (pathname === "/compute/end" && req.method === "POST") {
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            try {
+                const msg = JSON.parse(body);
+                const sessionId = String(msg.sessionId ?? "");
+                if (!computeSessions) {
+                    res.writeHead(503, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "compute_disabled" }));
+                    return;
+                }
+                const endResult = await computeSessions.endSession(sessionId);
+                if (!endResult.ok) {
+                    res.writeHead(400, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: endResult.error }));
+                    return;
+                }
+                const r = endResult.result;
+                log({
+                    event: "compute_ended",
+                    sessionId,
+                    consumedMinutes: r.consumedMinutes,
+                    costWei: r.costWei.toString(),
+                    refundWei: r.refundWei.toString(),
+                });
+                // Wire to on-chain: call endSession
+                if (config.compute.compute_agreement_address) {
+                    try {
+                        const caContract = new ethers_1.ethers.Contract(config.compute.compute_agreement_address, abis_1.COMPUTE_AGREEMENT_ABI, machineKeySigner);
+                        const tx = await caContract.endSession(sessionId);
+                        await tx.wait();
+                        log({ event: "compute_end_onchain", sessionId, txHash: tx.hash });
+                    }
+                    catch (onchainErr) {
+                        log({ event: "compute_end_onchain_error", sessionId, error: String(onchainErr) });
+                    }
+                }
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({
+                    status: "completed",
+                    sessionId,
+                    consumedMinutes: r.consumedMinutes,
+                    costWei: r.costWei.toString(),
+                    refundWei: r.refundWei.toString(),
+                    reports: r.reports,
+                }));
+            }
+            catch (err) {
+                log({ event: "compute_end_error", error: String(err) });
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
+            return;
+        }
+        // POST /compute/dispute — client disputes a session
+        if (pathname === "/compute/dispute" && req.method === "POST") {
+            const body = await readBody(req, res);
+            if (body === null)
+                return;
+            try {
+                const msg = JSON.parse(body);
+                const sessionId = String(msg.sessionId ?? "");
+                if (!computeSessions) {
+                    res.writeHead(503, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "compute_disabled" }));
+                    return;
+                }
+                const result = computeSessions.disputeSession(sessionId);
+                if (!result.ok) {
+                    res.writeHead(400, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: result.error }));
+                    return;
+                }
+                log({ event: "compute_disputed", sessionId });
+                if (config.notifications.notify_on_dispute) {
+                    await notifier.notifyDispute(sessionId, String(msg.from ?? "client"));
+                }
+                // Wire to on-chain: call disputeSession
+                if (config.compute.compute_agreement_address) {
+                    try {
+                        const caContract = new ethers_1.ethers.Contract(config.compute.compute_agreement_address, abis_1.COMPUTE_AGREEMENT_ABI, machineKeySigner);
+                        const tx = await caContract.disputeSession(sessionId);
+                        await tx.wait();
+                        log({ event: "compute_dispute_onchain", sessionId, txHash: tx.hash });
+                    }
+                    catch (onchainErr) {
+                        log({ event: "compute_dispute_onchain_error", sessionId, error: String(onchainErr) });
+                    }
+                }
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ status: "disputed", sessionId }));
+            }
+            catch (err) {
+                log({ event: "compute_dispute_error", error: String(err) });
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "invalid_request" }));
+            }
             return;
         }
+        // GET /compute/session/:id — session details
+        if (pathname.startsWith("/compute/session/") && req.method === "GET") {
+            const sessionId = pathname.slice("/compute/session/".length);
+            if (!computeSessions) {
+                res.writeHead(503, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "compute_disabled" }));
+                return;
+            }
+            const session = computeSessions.getSession(sessionId);
+            if (!session) {
+                res.writeHead(404, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "session_not_found" }));
+                return;
+            }
+            const current = computeMetering ? computeMetering.getCurrentMetrics(sessionId) : null;
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ session, current }));
+            return;
+        }
+        // GET /compute/sessions — list all sessions
+        if (pathname === "/compute/sessions" && req.method === "GET") {
+            if (!computeSessions) {
+                res.writeHead(503, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "compute_disabled" }));
+                return;
+            }
+            const sessions = computeSessions.listSessions();
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ sessions, count: sessions.length }));
+            return;
+        }
+        // ── File delivery routes ──────────────────────────────────────────────
+        // POST /job/:id/upload — store a file (daemon auth required via global gate above)
+        if (pathname.startsWith("/job/") && req.method === "POST") {
+            const parts = pathname.split("/");
+            // /job/<id>/upload → ["", "job", "<id>", "upload"]
+            if (parts.length === 4 && parts[3] === "upload") {
+                const agreementId = parts[2];
+                if (!config.delivery.serve_files) {
+                    res.writeHead(503, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "file_delivery_disabled" }));
+                    return;
+                }
+                await fileDelivery.handleUpload(req, res, agreementId, log);
+                return;
+            }
+        }
+        // GET /job/:id/files, GET /job/:id/files/:name, GET /job/:id/manifest — party-gated
+        if (pathname.startsWith("/job/") && req.method === "GET") {
+            const parts = pathname.split("/");
+            // /job/<id>/files/<name> → ["", "job", "<id>", "files", "<name>"]
+            if (parts.length === 5 && parts[3] === "files") {
+                const agreementId = parts[2];
+                const filename = decodeURIComponent(parts[4]);
+                if (!config.delivery.serve_files) {
+                    res.writeHead(503, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "file_delivery_disabled" }));
+                    return;
+                }
+                fileDelivery.handleDownloadFile(req, res, agreementId, filename, apiToken, log);
+                return;
+            }
+            // /job/<id>/files → ["", "job", "<id>", "files"]
+            if (parts.length === 4 && parts[3] === "files") {
+                const agreementId = parts[2];
+                if (!config.delivery.serve_files) {
+                    res.writeHead(503, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "file_delivery_disabled" }));
+                    return;
+                }
+                fileDelivery.handleListFiles(req, res, agreementId, apiToken, log);
+                return;
+            }
+            // /job/<id>/manifest → ["", "job", "<id>", "manifest"]
+            if (parts.length === 4 && parts[3] === "manifest") {
+                const agreementId = parts[2];
+                if (!config.delivery.serve_files) {
+                    res.writeHead(503, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "file_delivery_disabled" }));
+                    return;
+                }
+                fileDelivery.handleManifest(req, res, agreementId, apiToken, log);
+                return;
+            }
+        }
         // 404
         res.writeHead(404, { "Content-Type": "application/json" });
         res.end(JSON.stringify({ error: "not_found" }));
@@ -838,6 +1402,8 @@ async function runDaemon(foreground = false) {
             clearInterval(relayInterval);
         clearInterval(timeoutInterval);
         clearInterval(balanceInterval);
+        if (rateLimitCleanupInterval)
+            clearInterval(rateLimitCleanupInterval);
         // Close HTTP + IPC
         httpServer.close();
         ipcServer.close();