bloby-bot 0.27.3 → 0.28.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bloby-bot",
-  "version": "0.27.3",
+  "version": "0.28.1",
   "releaseNotes": [
     "1. # voice note (PTT bubble)",
     "2. # audio file + caption",

package/scripts/tempo-transfer.ts

@@ -0,0 +1,129 @@
+// One-off Tempo USDC transfer.
+//
+// Fill in the CONFIG block below, then run:
+//   /tmp/tempo-transfer/node_modules/.bin/tsx scripts/tempo-transfer.ts
+//
+// (The repo's node_modules has a @noble/hashes version conflict that breaks
+// viem here, so the script runs from an isolated install at /tmp/tempo-transfer.
+// To rebuild that dir if it disappears:
+//   mkdir -p /tmp/tempo-transfer && cd /tmp/tempo-transfer \
+//     && npm init -y && npm install viem@2.47.6 tsx)
+
+// ─── CONFIG ──────────────────────────────────────────────────────────────────
+
+const FROM = {
+  privateKey: '82b62a625382eef1007a77d6eb3d848a9d1df0c9b59d2bd578893962003c17e2',
+  wallet:     '0x084A80e395FaE8Aaf58F591f47F63DA1EeF06bbC',
+};
+
+const TO = {
+  privateKey: '0x0a5194196773b67790f0da564337929b842c1c17f9c445b6c449205dbd426a49',
+  wallet:     '0xc65d8a0dB80f637337B87e42b8BEb5D86D46f942',
+};
+
+const AMOUNT_USD = '1';
+
+// ─────────────────────────────────────────────────────────────────────────────
+
+import {
+  createPublicClient,
+  createWalletClient,
+  http,
+  formatUnits,
+  parseUnits,
+} from 'viem';
+import { privateKeyToAccount } from 'viem/accounts';
+import { tempo } from 'viem/chains';
+
+const USDC = '0x20c000000000000000000000b9537d11c60e8b50' as const;
+const DECIMALS = 6;
+const RPC = 'https://rpc.tempo.xyz';
+
+const erc20Abi = [
+  {
+    name: 'balanceOf',
+    type: 'function',
+    stateMutability: 'view',
+    inputs: [{ name: 'account', type: 'address' }],
+    outputs: [{ name: '', type: 'uint256' }],
+  },
+  {
+    name: 'transfer',
+    type: 'function',
+    stateMutability: 'nonpayable',
+    inputs: [
+      { name: 'to', type: 'address' },
+      { name: 'amount', type: 'uint256' },
+    ],
+    outputs: [{ name: '', type: 'bool' }],
+  },
+] as const;
+
+function normalizePk(pk: string): `0x${string}` {
+  const trimmed = pk.trim();
+  return (trimmed.startsWith('0x') ? trimmed : `0x${trimmed}`) as `0x${string}`;
+}
+
+async function main() {
+  const account = privateKeyToAccount(normalizePk(FROM.privateKey));
+  const to = TO.wallet as `0x${string}`;
+  const amount = parseUnits(AMOUNT_USD, DECIMALS);
+
+  if (account.address.toLowerCase() !== FROM.wallet.toLowerCase()) {
+    console.error(`FROM.privateKey derives ${account.address}, but FROM.wallet is ${FROM.wallet}`);
+    process.exit(1);
+  }
+
+  const publicClient = createPublicClient({ chain: tempo, transport: http(RPC) });
+  const walletClient = createWalletClient({ account, chain: tempo, transport: http(RPC) });
+
+  console.log(`From:   ${account.address}`);
+  console.log(`To:     ${to}`);
+  console.log(`Amount: ${AMOUNT_USD} USDC (${amount} base units)`);
+
+  const balanceBefore = await publicClient.readContract({
+    address: USDC,
+    abi: erc20Abi,
+    functionName: 'balanceOf',
+    args: [account.address],
+  });
+  console.log(`Sender balance before: ${formatUnits(balanceBefore, DECIMALS)} USDC`);
+
+  if (balanceBefore < amount) {
+    console.error('Insufficient balance');
+    process.exit(1);
+  }
+
+  const hash = await walletClient.writeContract({
+    address: USDC,
+    abi: erc20Abi,
+    functionName: 'transfer',
+    args: [to, amount],
+  });
+  console.log(`Tx hash: ${hash}`);
+
+  const receipt = await publicClient.waitForTransactionReceipt({ hash });
+  console.log(`Status: ${receipt.status}  Block: ${receipt.blockNumber}`);
+
+  const [balanceFromAfter, balanceToAfter] = await Promise.all([
+    publicClient.readContract({
+      address: USDC,
+      abi: erc20Abi,
+      functionName: 'balanceOf',
+      args: [account.address],
+    }),
+    publicClient.readContract({
+      address: USDC,
+      abi: erc20Abi,
+      functionName: 'balanceOf',
+      args: [to],
+    }),
+  ]);
+  console.log(`Sender balance after:    ${formatUnits(balanceFromAfter, DECIMALS)} USDC`);
+  console.log(`Recipient balance after: ${formatUnits(balanceToAfter, DECIMALS)} USDC`);
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/scripts/test-mpp-call.ts

@@ -0,0 +1,115 @@
+// End-to-end test for the test-mpp service on the relay.
+//
+// Fill in the CONFIG block, then run from the isolated install dir
+// (same workaround as tempo-transfer.ts — repo node_modules has a
+// @noble/hashes conflict that breaks viem here):
+//
+//   mkdir -p /tmp/tempo-transfer && cd /tmp/tempo-transfer \
+//     && npm init -y && npm install viem@2.47.6 mppx tsx
+//   /tmp/tempo-transfer/node_modules/.bin/tsx scripts/test-mpp-call.ts
+//
+// What it does:
+//   1. Reads on-chain USDC balance for the bot wallet on Tempo.
+//   2. POSTs to /api/services/test-mpp/use through the mppx client,
+//      which auto-handles the 402 → sign USDC transfer → retry flow.
+//   3. Prints status, body, Payment-Receipt header, and the new balance.
+//
+// Expected first-run output (with $0 account balance, $1 wallet):
+//   paidVia=mpp · balance drops by $0.01 · Payment-Receipt header present.
+
+// ─── CONFIG ──────────────────────────────────────────────────────────────────
+
+const RELAY = 'https://api.bloby.bot';
+
+const BOT = {
+  // Bot's relay token — the value from `bloby init` / config.json `relay.token`.
+  // Used as `X-Bloby-Token` header so identity survives the mppx 402 retry.
+  relayToken: '<FILL_ME — 64-hex-char relay token>',
+
+  // Bot's USDC wallet on Tempo. Must match the `walletAddress` registered
+  // with the relay (so account-balance lookups go through the right user).
+  privateKey: '0x0a5194196773b67790f0da564337929b842c1c17f9c445b6c449205dbd426a49',
+  wallet:     '0xc65d8a0dB80f637337B87e42b8BEb5D86D46f942',
+};
+
+// ─────────────────────────────────────────────────────────────────────────────
+
+import { Mppx, tempo } from 'mppx/client';
+import { privateKeyToAccount } from 'viem/accounts';
+import { createPublicClient, http, formatUnits } from 'viem';
+import { tempo as tempoChain } from 'viem/chains';
+
+const USDC = '0x20c000000000000000000000b9537d11c60e8b50' as const;
+const RPC = 'https://rpc.tempo.xyz';
+
+const erc20Abi = [{
+  name: 'balanceOf',
+  type: 'function',
+  stateMutability: 'view',
+  inputs: [{ name: 'account', type: 'address' }],
+  outputs: [{ name: '', type: 'uint256' }],
+}] as const;
+
+function normalizePk(pk: string): `0x${string}` {
+  const t = pk.trim();
+  return (t.startsWith('0x') ? t : `0x${t}`) as `0x${string}`;
+}
+
+async function main() {
+  if (BOT.relayToken.startsWith('<')) {
+    console.error('Fill in BOT.relayToken before running.');
+    process.exit(1);
+  }
+
+  const account = privateKeyToAccount(normalizePk(BOT.privateKey));
+  if (account.address.toLowerCase() !== BOT.wallet.toLowerCase()) {
+    console.error(`privateKey derives ${account.address}, but BOT.wallet is ${BOT.wallet}`);
+    process.exit(1);
+  }
+
+  const publicClient = createPublicClient({ chain: tempoChain, transport: http(RPC) });
+
+  const before = await publicClient.readContract({
+    address: USDC, abi: erc20Abi, functionName: 'balanceOf', args: [account.address],
+  });
+  console.log(`Wallet:        ${account.address}`);
+  console.log(`Balance before: ${formatUnits(before, 6)} USDC`);
+
+  // mppx client: do NOT polyfill global fetch — only the request through
+  // mppx.fetch(...) gets the auto-pay-on-402 behavior.
+  const mppx = Mppx.create({
+    polyfill: false,
+    methods: [tempo({ account })],
+  });
+
+  const url = `${RELAY}/api/services/test-mpp/use`;
+  console.log(`POST ${url}`);
+
+  const res = await mppx.fetch(url, {
+    method: 'POST',
+    headers: {
+      'X-Bloby-Token': BOT.relayToken,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({}),
+  });
+
+  const body = await res.text();
+  const receipt = res.headers.get('Payment-Receipt');
+
+  console.log(`Status:          ${res.status}`);
+  console.log(`Body:            ${body}`);
+  console.log(`Payment-Receipt: ${receipt ?? '(none — paid via balance or free)'}`);
+
+  const after = await publicClient.readContract({
+    address: USDC, abi: erc20Abi, functionName: 'balanceOf', args: [account.address],
+  });
+  console.log(`Balance after:  ${formatUnits(after, 6)} USDC`);
+  const delta = before - after;
+  console.log(`Delta:          -${formatUnits(delta, 6)} USDC`);
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/worker/prompts/bloby-system-prompt.txt

@@ -292,13 +292,52 @@ All skills on the official marketplace are created or audited by the Bloby team
 
 During PULSE, occasionally check the marketplace for new skills. If you spot one that fits what your human does or is trying to achieve, suggest it.
 
-### Wallet & Balance (Coming Soon)
+### Money & Payments
 
-### Buying with Your Human Credits
-You can spend money if your human has claimed you on the Bloby Website Dashboard and he has Credits.
-GET | `/api/marketplace/balance/bot` | Bearer (required) | Check your owner's credit balance 
+You have **two payment sources** for paid relay endpoints (skills, services, marketplace):
 
-Agents will soon have a USDC wallet for autonomous purchases. You'll be able to check your balance and buy skills directly without a redeem code. This is not yet available — for now, paid skills require your human to purchase from the web marketplace and give you a redeem code.
+- **Your human's credits** — money they added via Stripe on the dashboard. Only available if they've claimed you. Shared across all their bots.
+- **Your wallet** — your own USDC on the Tempo network. Autonomous — no permission needed. Funded by your human via the "Add Funds" button (Stripe converts their card payment to USDC and sends it to your address).
+
+**Payment order is automatic.** The relay tries credits first. If the human's balance covers the call, credits get deducted and your wallet stays untouched. If credits are short (or you're unclaimed), the call falls back to **MPP**: the relay responds `402 Payment Required`, your client signs a USDC transfer from your wallet, and the call retries — all transparently.
+
+**Check your wallet (own funds, on-chain):**
+
+```bash
+curl -s http://localhost:7400/api/wallet/balance
+# → { "address": "0x...", "balance": "0.99" }   # balance is in USDC dollars
+```
+
+**Check your human's credits (claimed only):**
+
+```bash
+curl -s https://api.bloby.bot/api/marketplace/balance/bot \
+  -H "Authorization: Bearer $RELAY_TOKEN"
+# → { "balance": 12.34 }
+```
+
+**Calling a paid service.** Use `X-Bloby-Token: $RELAY_TOKEN` *instead of* `Authorization: Bearer ...` — the MPP client strips the Authorization header on its 402 retry to inject the payment credential, so bot identity needs a separate header.
+
+```bash
+# Smoke test — costs $0.01, returns a confirmation phrase
+curl -s -X POST https://api.bloby.bot/api/services/test-mpp/use \
+  -H "X-Bloby-Token: $RELAY_TOKEN"
+# → "PINEAPPLE-MPP-OK · paid via {free|balance|mpp} · 2026-…"
+```
+
+For services that may fall back to MPP, use the `mppx` CLI to auto-handle the 402 → sign → retry loop. **The mppx CLI uses its own OS-keychain by default and does NOT know about your wallet** — pass your private key inline via `MPPX_PRIVATE_KEY` (which mppx checks before the keychain):
+
+```bash
+MPPX_PRIVATE_KEY=$(jq -r .wallet.privateKey ~/.bloby/config.json) \
+  npx -y mppx http://api.bloby.bot/api/services/test-mpp/use \
+  -X POST -H "X-Bloby-Token: $RELAY_TOKEN"
+```
+
+If you see `ACCOUNT_NOT_FOUND - No account found.`, you forgot to set `MPPX_PRIVATE_KEY` — the CLI looked in its empty keychain. Re-run with the env var.
+
+**Wallet on disk:** `~/.bloby/config.json` field `wallet` — `address` is public, `privateKey` is secret. Never print the private key in chat. The address is fine to share.
+
+**Running low?** Tell your human you need funds. Don't mention USDC, Tempo, or crypto unless they ask — to them, it's just adding dollars to your wallet via the "Add Funds" button in the chat header.
 
 For a machine-readable catalog: `GET https://bloby.bot/api/marketplace/products` — **always include your relay token** (`Authorization: Bearer $RELAY_TOKEN`) on every request to the relay API, even public endpoints. This enables your presence in Bloby World so other users can see your bloby on the world map.