clawpowers 2.0.0 → 2.2.1

package/dist/index.js

@@ -448,7 +448,7 @@ import { z } from "zod";
 // src/constants.ts
 import { join } from "path";
 import { homedir } from "os";
-var VERSION = "2.0.0";
+var VERSION = "2.2.0";
 var PACKAGE_NAME = "clawpowers";
 var CLAWPOWERS_HOME = join(homedir(), ".clawpowers");
 var CONFIG_PATH = join(CLAWPOWERS_HOME, "config.json");
@@ -632,6 +632,294 @@ function coerceValue(existing, value) {
   return value;
 }
 
+// src/native/index.ts
+import { createRequire } from "module";
+import { fileURLToPath } from "url";
+import { dirname as dirname2, join as join2 } from "path";
+var __dirname = dirname2(fileURLToPath(import.meta.url));
+var require2 = createRequire(import.meta.url);
+var _native = null;
+var _wasm = null;
+var _activeTier = "typescript";
+var _attempted = false;
+function tryLoadNative() {
+  const candidates = [
+    join2(__dirname, "../../native/ffi/index.node"),
+    join2(__dirname, "../../native/ffi/clawpowers_ffi.node"),
+    join2(__dirname, "../../../native/ffi/index.node"),
+    join2(__dirname, "../../../native/ffi/clawpowers_ffi.node"),
+    join2(__dirname, "../native/ffi/index.node"),
+    join2(__dirname, "../native/ffi/clawpowers_ffi.node")
+  ];
+  for (const p of candidates) {
+    try {
+      const mod = require2(p);
+      console.log(`[clawpowers] Tier 1: Native acceleration enabled (${p})`);
+      return mod;
+    } catch {
+    }
+  }
+  return null;
+}
+function tryLoadWasm() {
+  const wasmCandidates = [
+    join2(__dirname, "../native/wasm/pkg-node/clawpowers_wasm.js"),
+    join2(__dirname, "../native/wasm/pkg/clawpowers_wasm.js"),
+    join2(__dirname, "../../native/wasm/pkg-node/clawpowers_wasm.js"),
+    join2(__dirname, "../../native/wasm/pkg/clawpowers_wasm.js")
+  ];
+  for (const p of wasmCandidates) {
+    try {
+      const mod = require2(p);
+      console.log(`[clawpowers] Tier 2: WASM module loaded (${p})`);
+      return mod;
+    } catch {
+    }
+  }
+  return null;
+}
+function loadAll() {
+  if (_attempted) return;
+  _attempted = true;
+  _native = tryLoadNative();
+  if (_native) {
+    _activeTier = "native";
+    _wasm = tryLoadWasm();
+    return;
+  }
+  _wasm = tryLoadWasm();
+  if (_wasm) {
+    _activeTier = "wasm";
+    return;
+  }
+  _activeTier = "typescript";
+  console.log("[clawpowers] Tier 3: TypeScript fallback active (no native or WASM)");
+}
+function getNative() {
+  loadAll();
+  return _native;
+}
+function getWasm() {
+  loadAll();
+  return _wasm;
+}
+function isNativeAvailable() {
+  loadAll();
+  return _native !== null;
+}
+function isWasmAvailable() {
+  loadAll();
+  return _wasm !== null;
+}
+function getActiveTier() {
+  loadAll();
+  return _activeTier;
+}
+function getCapabilitySummary() {
+  loadAll();
+  const nativeModules = _native ? ["wallet", "fee", "x402", "canonical", "compression", "verification", "security"] : [];
+  let wasmModules = [];
+  if (_wasm) {
+    try {
+      wasmModules = JSON.parse(_wasm.getAvailableModules());
+    } catch {
+      wasmModules = ["tokens", "fee", "compression", "canonical", "verification", "security", "index"];
+    }
+  }
+  const typescriptFallback = [
+    "wallet",
+    // ethers.js / viem
+    "x402",
+    // fetch()-based HTTP client
+    "tokens",
+    // Pure TS decimal math
+    "fee",
+    // Pure TS fee calculation
+    "policy"
+    // Pure TS policy engine
+  ];
+  return {
+    tier: _activeTier,
+    nativeModules,
+    wasmModules,
+    typescriptFallback
+  };
+}
+function computeSha256(content) {
+  loadAll();
+  if (_wasm) {
+    return _wasm.computeSha256(content);
+  }
+  const { createHash } = require2("node:crypto");
+  return createHash("sha256").update(content).digest("hex");
+}
+function digestForWalletAddress(keyMaterial) {
+  loadAll();
+  if (_native && typeof _native.keccak256Bytes === "function") {
+    try {
+      return _native.keccak256Bytes(keyMaterial);
+    } catch {
+    }
+  }
+  if (_wasm && typeof _wasm.computeKeccak256 === "function") {
+    try {
+      return _wasm.computeKeccak256(new Uint8Array(keyMaterial));
+    } catch {
+    }
+  }
+  const { createHash } = require2("node:crypto");
+  return "0x" + createHash("sha256").update(keyMaterial).digest("hex");
+}
+function keccak256Digest(data) {
+  loadAll();
+  if (_native && typeof _native.keccak256Bytes === "function") {
+    try {
+      const hex = _native.keccak256Bytes(data);
+      return Buffer.from(hex.replace(/^0x/i, ""), "hex");
+    } catch {
+    }
+  }
+  if (_wasm && typeof _wasm.computeKeccak256 === "function") {
+    try {
+      const hex = _wasm.computeKeccak256(new Uint8Array(data));
+      return Buffer.from(hex.replace(/^0x/i, ""), "hex");
+    } catch {
+    }
+  }
+  return null;
+}
+function deriveEthereumAddress(privateKey) {
+  loadAll();
+  if (_native && typeof _native.deriveEthereumAddress === "function") {
+    try {
+      return _native.deriveEthereumAddress(privateKey);
+    } catch {
+    }
+  }
+  if (_wasm && typeof _wasm.deriveEthereumAddress === "function") {
+    try {
+      return _wasm.deriveEthereumAddress(new Uint8Array(privateKey));
+    } catch {
+    }
+  }
+  return null;
+}
+function derivePublicKey(privateKey) {
+  loadAll();
+  if (_native && typeof _native.derivePublicKey === "function") {
+    try {
+      return Buffer.from(_native.derivePublicKey(privateKey));
+    } catch {
+    }
+  }
+  if (_wasm && typeof _wasm.derivePublicKey === "function") {
+    try {
+      return Buffer.from(_wasm.derivePublicKey(new Uint8Array(privateKey)));
+    } catch {
+    }
+  }
+  return null;
+}
+function signEcdsa(privateKey, messageHash) {
+  loadAll();
+  if (_native && typeof _native.signEcdsa === "function") {
+    try {
+      return Buffer.from(_native.signEcdsa(privateKey, messageHash));
+    } catch {
+    }
+  }
+  if (_wasm && typeof _wasm.signEcdsa === "function") {
+    try {
+      return Buffer.from(_wasm.signEcdsa(new Uint8Array(privateKey), new Uint8Array(messageHash)));
+    } catch {
+    }
+  }
+  return null;
+}
+function verifyEcdsa(publicKey, messageHash, signature) {
+  loadAll();
+  try {
+    if (_native && typeof _native.verifyEcdsa === "function") {
+      return _native.verifyEcdsa(publicKey, messageHash, signature);
+    }
+    if (_wasm && typeof _wasm.verifyEcdsa === "function") {
+      return _wasm.verifyEcdsa(
+        new Uint8Array(publicKey),
+        new Uint8Array(messageHash),
+        new Uint8Array(signature)
+      );
+    }
+  } catch {
+    return false;
+  }
+  return false;
+}
+function tokenAmountFromHuman(human, decimals) {
+  loadAll();
+  if (_wasm) {
+    return JSON.parse(_wasm.tokenAmountFromHuman(human, decimals));
+  }
+  const multiplier = Math.pow(10, decimals);
+  const raw = Math.floor(human * multiplier);
+  return { raw: raw.toString(), decimals };
+}
+function calculateFee(amountHuman, decimals, feeType, txFeeBps, swapFeeBps) {
+  loadAll();
+  if (_wasm) {
+    const amountJson = _wasm.tokenAmountFromHuman(amountHuman, decimals);
+    const result = _wasm.calculateFee(
+      amountJson,
+      feeType,
+      txFeeBps !== void 0 ? BigInt(txFeeBps) : void 0,
+      swapFeeBps !== void 0 ? BigInt(swapFeeBps) : void 0
+    );
+    return JSON.parse(result);
+  }
+  const bps = feeType === "transaction" ? txFeeBps ?? 77 : feeType === "swap" ? swapFeeBps ?? 30 : parseInt(feeType.replace("custom:", ""), 10) || 0;
+  const feeAmount = amountHuman * bps / 1e4;
+  return {
+    gross_amount: amountHuman,
+    fee_amount: feeAmount,
+    net_amount: amountHuman - feeAmount
+  };
+}
+function evaluateWriteFirewall(request) {
+  loadAll();
+  if (_wasm) {
+    return JSON.parse(_wasm.evaluateWriteFirewall(JSON.stringify(request)));
+  }
+  if (request.allowed_namespaces && request.allowed_namespaces.length > 0 && !request.allowed_namespaces.includes(request.namespace)) {
+    return {
+      decision: "deny",
+      reason: `namespace '${request.namespace}' is not in the allow-list`
+    };
+  }
+  const maxLen = request.max_content_length ?? 1024 * 1024;
+  if (request.content.length > maxLen) {
+    return {
+      decision: "deny",
+      reason: `content length ${request.content.length} exceeds maximum ${maxLen}`
+    };
+  }
+  if (request.blocked_patterns) {
+    for (const pattern of request.blocked_patterns) {
+      if (request.content.includes(pattern)) {
+        if (request.trust_level === "system" || request.trust_level === "agent") {
+          return {
+            decision: "deny",
+            reason: `content contains blocked pattern '${pattern}'`
+          };
+        }
+        return {
+          decision: "sanitize",
+          sanitized: request.content.replaceAll(pattern, "")
+        };
+      }
+    }
+  }
+  return { decision: "allow" };
+}
+
 // src/payments/discovery.ts
 var REQUIRED_HEADERS = [
   "x-payment-amount",
@@ -877,6 +1165,72 @@ var PaymentExecutor = class {
   }
 };
 
+// src/payments/native-bridge.ts
+import { randomBytes } from "crypto";
+function calculateTransactionFee(amount, decimals = 6) {
+  const native = getNative();
+  if (native) {
+    try {
+      const schedule = native.JsFeeSchedule.withDefaults();
+      const raw = JSON.parse(schedule.calculate(amount, decimals, "transaction"));
+      return {
+        gross: raw.gross,
+        fee: raw.fee,
+        net: raw.net,
+        feeRecipient: raw.feeRecipient ?? raw.fee_recipient ?? "0x0000000000000000000000000000000000000000"
+      };
+    } catch {
+    }
+  }
+  const wasm = getWasm();
+  if (wasm) {
+    try {
+      const result = calculateFee(amount, decimals, "transaction");
+      return {
+        gross: result.gross_amount,
+        fee: result.fee_amount,
+        net: result.net_amount,
+        feeRecipient: "0x0000000000000000000000000000000000000000"
+      };
+    } catch {
+    }
+  }
+  const fee = amount * 77e-4;
+  return {
+    gross: amount,
+    fee,
+    net: amount - fee,
+    feeRecipient: "0x0000000000000000000000000000000000000000"
+  };
+}
+function createPaymentHeader(paymentJson, signature) {
+  const native = getNative();
+  if (native) {
+    try {
+      const client = new native.JsX402Client();
+      return client.createPaymentHeader(paymentJson, signature);
+    } catch {
+    }
+  }
+  return Buffer.from(JSON.stringify({ payment: JSON.parse(paymentJson), signature })).toString("base64");
+}
+function generateWalletAddress() {
+  const native = getNative();
+  if (native) {
+    try {
+      return native.JsAgentWallet.generate().address();
+    } catch {
+    }
+  }
+  const address = deriveEthereumAddress(randomBytes(32));
+  if (address) {
+    return address;
+  }
+  throw new Error(
+    "Unable to derive a real Ethereum address. Native or WASM wallet support is required for generateWalletAddress()."
+  );
+}
+
 // src/memory/working.ts
 function estimateTokens(text) {
   return Math.ceil(text.length / 4);
@@ -966,14 +1320,14 @@ var WorkingMemoryManager = class {
 // src/memory/episodic.ts
 import { readFile, appendFile, writeFile, mkdir } from "fs/promises";
 import { existsSync as existsSync2 } from "fs";
-import { dirname as dirname2 } from "path";
+import { dirname as dirname3 } from "path";
 var EpisodicMemory = class {
   filePath;
   constructor(filePath) {
     this.filePath = filePath;
   }
   async ensureDir() {
-    const dir = dirname2(this.filePath);
+    const dir = dirname3(this.filePath);
     if (!existsSync2(dir)) {
       await mkdir(dir, { recursive: true });
     }
@@ -1058,7 +1412,7 @@ var EpisodicMemory = class {
 // src/memory/procedural.ts
 import { readFile as readFile2, writeFile as writeFile2, rename, mkdir as mkdir2, copyFile } from "fs/promises";
 import { existsSync as existsSync3 } from "fs";
-import { dirname as dirname3 } from "path";
+import { dirname as dirname4 } from "path";
 var ProceduralMemory = class {
   filePath;
   cache = null;
@@ -1066,7 +1420,7 @@ var ProceduralMemory = class {
     this.filePath = filePath;
   }
   async ensureDir() {
-    const dir = dirname3(this.filePath);
+    const dir = dirname4(this.filePath);
     if (!existsSync3(dir)) {
       await mkdir2(dir, { recursive: true });
     }
@@ -1202,7 +1556,7 @@ var ProceduralMemory = class {
 // src/memory/checkpoint.ts
 import { readFile as readFile3, writeFile as writeFile3, rename as rename2, unlink, readdir, mkdir as mkdir3 } from "fs/promises";
 import { existsSync as existsSync4 } from "fs";
-import { join as join2 } from "path";
+import { join as join3 } from "path";
 var DEFAULT_MAX_AGE_MS = 24 * 60 * 60 * 1e3;
 var CheckpointManager = class {
   dir;
@@ -1215,7 +1569,7 @@ var CheckpointManager = class {
     }
   }
   filePath(taskId) {
-    return join2(this.dir, `${taskId}.json`);
+    return join3(this.dir, `${taskId}.json`);
   }
   async save(taskId, state) {
     await this.ensureDir();
@@ -1244,7 +1598,7 @@ var CheckpointManager = class {
     const results = [];
     for (const file of files) {
       if (!file.endsWith(".json")) continue;
-      const path = join2(this.dir, file);
+      const path = join3(this.dir, file);
       try {
         const content = await readFile3(path, "utf-8");
         const state = JSON.parse(content);
@@ -1341,10 +1695,131 @@ var ContextInjector = class {
   }
 };
 
+// src/memory/native-store.ts
+function getNativeCanonicalStore(dbPath) {
+  const native = getNative();
+  if (!native) return null;
+  try {
+    return native.JsCanonicalStore.open(dbPath);
+  } catch {
+    return null;
+  }
+}
+function getNativeCanonicalStoreInMemory() {
+  const native = getNative();
+  if (!native) return null;
+  try {
+    return native.JsCanonicalStore.inMemory();
+  } catch {
+    return null;
+  }
+}
+function getWasmCanonicalStore() {
+  const wasm = getWasm();
+  if (!wasm) return null;
+  try {
+    return new wasm.WasmCanonicalStore();
+  } catch {
+    return null;
+  }
+}
+function getBestCanonicalStore() {
+  return getNativeCanonicalStoreInMemory() ?? getWasmCanonicalStore();
+}
+function compressVector(vector, bits = 8) {
+  const native = getNative();
+  if (native) {
+    try {
+      const compressor = new native.JsTurboCompressor(vector.length, bits);
+      const compressed = compressor.compress(vector);
+      return {
+        compressed,
+        originalSize: vector.length * 4,
+        compressedSize: compressed.length
+      };
+    } catch {
+    }
+  }
+  const wasm = getWasm();
+  if (wasm) {
+    try {
+      const vectorJson = JSON.stringify(Array.from(vector));
+      const compressed = wasm.compressVector(vectorJson, vector.length);
+      return {
+        compressed,
+        originalSize: vector.length * 4,
+        compressedSize: compressed.length
+      };
+    } catch {
+    }
+  }
+  return null;
+}
+function decompressVector(compressedJson, dimensions, bits = 8) {
+  const native = getNative();
+  if (native) {
+    try {
+      const compressor = new native.JsTurboCompressor(dimensions, bits);
+      return compressor.decompress(compressedJson);
+    } catch {
+    }
+  }
+  const wasm = getWasm();
+  if (wasm) {
+    try {
+      const arrayJson = wasm.decompressVector(compressedJson, dimensions);
+      const arr = JSON.parse(arrayJson);
+      return new Float32Array(arr);
+    } catch {
+    }
+  }
+  return null;
+}
+function approximateDistance(aJson, bJson, dimensions) {
+  const wasm = getWasm();
+  if (wasm) {
+    try {
+      return wasm.approximateDistance(aJson, bJson, dimensions);
+    } catch {
+    }
+  }
+  return null;
+}
+function evaluateWriteSecurity(namespace, content, allowedNamespaces, source = "agent", trustLevel = "agent") {
+  const native = getNative();
+  if (native) {
+    try {
+      const firewall = new native.JsWriteFirewall(
+        JSON.stringify({ allowed_namespaces: allowedNamespaces })
+      );
+      const result = JSON.parse(
+        firewall.evaluate(JSON.stringify({ namespace, content, trust_level: trustLevel }))
+      );
+      return result;
+    } catch {
+    }
+  }
+  try {
+    const result = evaluateWriteFirewall({
+      namespace,
+      content,
+      trust_level: trustLevel,
+      source,
+      allowed_namespaces: allowedNamespaces.length > 0 ? allowedNamespaces : void 0
+    });
+    return {
+      allowed: result.decision === "allow" || result.decision === "sanitize",
+      reason: result.reason
+    };
+  } catch {
+    return { allowed: true };
+  }
+}
+
 // src/rsi/metrics.ts
 import { readFile as readFile4, appendFile as appendFile2, mkdir as mkdir4 } from "fs/promises";
 import { existsSync as existsSync5 } from "fs";
-import { dirname as dirname4 } from "path";
+import { dirname as dirname5 } from "path";
 var MetricsCollector = class {
   taskMetricsPath;
   skillMetricsPath;
@@ -1353,7 +1828,7 @@ var MetricsCollector = class {
     this.skillMetricsPath = skillMetricsPath;
   }
   async ensureDir(filePath) {
-    const dir = dirname4(filePath);
+    const dir = dirname5(filePath);
     if (!existsSync5(dir)) {
       await mkdir4(dir, { recursive: true });
     }
@@ -1569,7 +2044,7 @@ var HypothesisEngine = class {
 // src/rsi/mutation.ts
 import { readFile as readFile5, appendFile as appendFile3, mkdir as mkdir5 } from "fs/promises";
 import { existsSync as existsSync6 } from "fs";
-import { dirname as dirname5 } from "path";
+import { dirname as dirname6 } from "path";
 import { randomUUID as randomUUID2 } from "crypto";
 var MutationEngine = class {
   historyPath;
@@ -1577,7 +2052,7 @@ var MutationEngine = class {
     this.historyPath = historyPath;
   }
   async ensureDir() {
-    const dir = dirname5(this.historyPath);
+    const dir = dirname6(this.historyPath);
     if (!existsSync6(dir)) {
       await mkdir5(dir, { recursive: true });
     }
@@ -1769,14 +2244,14 @@ var ABTestManager = class {
 // src/rsi/audit.ts
 import { readFile as readFile6, appendFile as appendFile4, mkdir as mkdir6 } from "fs/promises";
 import { existsSync as existsSync7 } from "fs";
-import { dirname as dirname6 } from "path";
+import { dirname as dirname7 } from "path";
 var RSIAuditLog = class {
   filePath;
   constructor(filePath) {
     this.filePath = filePath;
   }
   async ensureDir() {
-    const dir = dirname6(this.filePath);
+    const dir = dirname7(this.filePath);
     if (!existsSync7(dir)) {
       await mkdir6(dir, { recursive: true });
     }
@@ -1814,7 +2289,7 @@ var RSIAuditLog = class {
 import { randomUUID as randomUUID4 } from "crypto";
 import { execSync } from "child_process";
 import { mkdirSync as mkdirSync2, existsSync as existsSync8, writeFileSync as writeFileSync2 } from "fs";
-import { join as join3 } from "path";
+import { join as join4 } from "path";
 import { tmpdir } from "os";
 var MIN_CONFIDENCE = 0.3;
 var REQUIRED_PASSING_RUNS = 3;
@@ -1857,7 +2332,7 @@ function scoreConfidence(candidate, failure) {
 var AutoResearcher = class {
   skillsDir;
   constructor(skillsDir) {
-    this.skillsDir = skillsDir ?? join3(tmpdir(), "clawpowers-promoted-skills");
+    this.skillsDir = skillsDir ?? join4(tmpdir(), "clawpowers-promoted-skills");
   }
   /**
    * Search for candidate solutions to a failure.
@@ -1886,11 +2361,11 @@ var AutoResearcher = class {
    */
   async testCandidate(candidate, task) {
     const startMs = Date.now();
-    const sandboxDir = join3(tmpdir(), `clawpowers-sandbox-${randomUUID4()}`);
+    const sandboxDir = join4(tmpdir(), `clawpowers-sandbox-${randomUUID4()}`);
     try {
       mkdirSync2(sandboxDir, { recursive: true });
       const testScript = this.buildTestScript(candidate, task, sandboxDir);
-      const scriptPath = join3(sandboxDir, "test.sh");
+      const scriptPath = join4(sandboxDir, "test.sh");
       writeFileSync2(scriptPath, testScript, { mode: 493 });
       const output = execSync(`bash "${scriptPath}"`, {
         cwd: sandboxDir,
@@ -1958,12 +2433,12 @@ var AutoResearcher = class {
       promotedAt: (/* @__PURE__ */ new Date()).toISOString(),
       testResults
     };
-    const skillDir = join3(this.skillsDir, skillName);
+    const skillDir = join4(this.skillsDir, skillName);
     if (!existsSync8(skillDir)) {
       mkdirSync2(skillDir, { recursive: true });
     }
     const skillMd = this.renderSkillMd(definition);
-    writeFileSync2(join3(skillDir, "SKILL.md"), skillMd, "utf-8");
+    writeFileSync2(join4(skillDir, "SKILL.md"), skillMd, "utf-8");
     return definition;
   }
   // ─── Private Methods ───────────────────────────────────────────────────────
@@ -2140,7 +2615,7 @@ async function runAutoResearch(failure, task, skillsDir) {
 
 // src/skills/loader.ts
 import { readdirSync, readFileSync as readFileSync2, existsSync as existsSync9, statSync } from "fs";
-import { join as join4 } from "path";
+import { join as join5 } from "path";
 function parseFrontmatter(content) {
   const match = content.match(/^---\n([\s\S]*?)\n---/);
   if (!match?.[1]) {
@@ -2206,7 +2681,7 @@ function parseFrontmatter(content) {
   return result;
 }
 function loadSkillManifest(skillDir) {
-  const skillMdPath = join4(skillDir, "SKILL.md");
+  const skillMdPath = join5(skillDir, "SKILL.md");
   if (!existsSync9(skillMdPath)) {
     return null;
   }
@@ -2238,7 +2713,7 @@ function discoverSkills(skillsDir) {
   const entries = readdirSync(skillsDir);
   const manifests = [];
   for (const entry of entries) {
-    const fullPath = join4(skillsDir, entry);
+    const fullPath = join5(skillsDir, entry);
     if (!statSync(fullPath).isDirectory()) continue;
     const manifest = loadSkillManifest(fullPath);
     if (manifest) {
@@ -2301,21 +2776,24 @@ var SkillExecutor = class {
 // src/wallet/manager.ts
 import { readdir as readdir2, readFile as readFile8 } from "fs/promises";
 import { existsSync as existsSync11 } from "fs";
-import { join as join6 } from "path";
+import { join as join7 } from "path";
 
 // src/wallet/crypto.ts
-import { randomBytes, createCipheriv, createDecipheriv, scryptSync, createHash } from "crypto";
+import { randomBytes as randomBytes2, createCipheriv, createDecipheriv, scryptSync } from "crypto";
+import { debuglog } from "util";
 import { writeFile as writeFile4, readFile as readFile7, mkdir as mkdir7 } from "fs/promises";
 import { existsSync as existsSync10 } from "fs";
-import { join as join5 } from "path";
+import { join as join6 } from "path";
+var dlog = debuglog("clawpowers:wallet");
 var SCRYPT_N = 16384;
 var SCRYPT_R = 8;
 var SCRYPT_P = 1;
 var KEY_LENGTH = 32;
 var IV_LENGTH = 12;
 var AUTH_TAG_LENGTH = 16;
-function addressHash(publicKeyBytes) {
-  const hash = createHash("sha256").update(publicKeyBytes).digest();
+function addressFromKeyMaterial(keyMaterial) {
+  const digestHex = digestForWalletAddress(keyMaterial);
+  const hash = Buffer.from(digestHex.replace(/^0x/, ""), "hex");
   return "0x" + hash.subarray(hash.length - 20).toString("hex");
 }
 function deriveKey(passphrase, salt) {
@@ -2326,9 +2804,9 @@ function deriveKey(passphrase, salt) {
   });
 }
 function encryptPrivateKey(privateKey, passphrase) {
-  const salt = randomBytes(32);
+  const salt = randomBytes2(32);
   const key = deriveKey(passphrase, salt);
-  const iv = randomBytes(IV_LENGTH);
+  const iv = randomBytes2(IV_LENGTH);
   const cipher = createCipheriv("aes-256-gcm", key, iv, { authTagLength: AUTH_TAG_LENGTH });
   const encrypted = Buffer.concat([cipher.update(privateKey), cipher.final()]);
   const authTag = cipher.getAuthTag();
@@ -2352,20 +2830,75 @@ function decryptPrivateKey(ciphertext, iv, authTag, salt, passphrase) {
   return decrypted;
 }
 function generateAddress(privateKeyHex) {
-  const privBuf = Buffer.from(privateKeyHex, "hex");
-  return addressHash(privBuf);
+  const cleaned = privateKeyHex.replace(/^0x/i, "");
+  const privBuf = Buffer.from(cleaned, "hex");
+  const eth = deriveEthereumAddress(privBuf);
+  if (eth) {
+    dlog("address derivation: secp256k1+keccak (tier %s)", getActiveTier());
+    return eth;
+  }
+  dlog("address derivation: tier3 legacy digest (tier %s)", getActiveTier());
+  return addressFromKeyMaterial(privBuf);
 }
 async function ensureDir(dir) {
   if (!existsSync10(dir)) {
     await mkdir7(dir, { recursive: true });
   }
 }
+async function signMessageFromKeyFile(message, keyFile, passphrase) {
+  const content = await readFile7(keyFile, "utf-8");
+  const keyFileData = JSON.parse(content);
+  const privateKey = decryptPrivateKey(
+    keyFileData.crypto.ciphertext,
+    keyFileData.crypto.iv,
+    keyFileData.crypto.authTag,
+    keyFileData.crypto.salt,
+    passphrase
+  );
+  const msgBuf = Buffer.from(message, "utf8");
+  const hash = keccak256Digest(msgBuf);
+  const sigEcdsa = hash ? signEcdsa(privateKey, hash) : null;
+  if (sigEcdsa) {
+    dlog("signMessage (keyfile): secp256k1 ECDSA (tier %s)", getActiveTier());
+    return {
+      message,
+      signature: "0x" + sigEcdsa.toString("hex"),
+      address: keyFileData.address
+    };
+  }
+  const { createHmac } = await import("crypto");
+  dlog("signMessage (keyfile): HMAC-SHA256 legacy (no secp256k1/keccak tier)");
+  const signature = createHmac("sha256", privateKey).update(message).digest("hex");
+  return {
+    message,
+    signature: "0x" + signature,
+    address: keyFileData.address
+  };
+}
+async function signMessageFromPrivateKey(privateKeyHex, message) {
+  const cleaned = privateKeyHex.replace(/^0x/i, "");
+  if (cleaned.length !== 64 || !/^[0-9a-fA-F]+$/.test(cleaned)) {
+    throw new Error("Invalid private key: must be 32 bytes (64 hex characters)");
+  }
+  const priv = Buffer.from(cleaned, "hex");
+  const hash = keccak256Digest(Buffer.from(message, "utf8"));
+  if (!hash) {
+    throw new Error(
+      "Ethereum signing requires Keccak-256 (Tier 1 native or Tier 2 WASM). Pure TypeScript tier has no Keccak."
+    );
+  }
+  const sig = signEcdsa(priv, hash);
+  if (!sig) {
+    throw new Error("Ethereum signing requires secp256k1 (Tier 1 native or Tier 2 WASM).");
+  }
+  return "0x" + sig.toString("hex");
+}
 async function generateWallet(config) {
-  const privateKey = randomBytes(32);
+  const privateKey = randomBytes2(32);
   const privateKeyHex = privateKey.toString("hex");
   const address = generateAddress(privateKeyHex);
   const createdAt = (/* @__PURE__ */ new Date()).toISOString();
-  const passphrase = randomBytes(16).toString("hex");
+  const passphrase = randomBytes2(16).toString("hex");
   const encrypted = encryptPrivateKey(privateKey, passphrase);
   const keyFileData = {
     version: 1,
@@ -2383,7 +2916,7 @@ async function generateWallet(config) {
   };
   await ensureDir(config.dataDir);
   const keyFileName = `${address.slice(2, 10)}-${Date.now()}.json`;
-  const keyFilePath = join5(config.dataDir, keyFileName);
+  const keyFilePath = join6(config.dataDir, keyFileName);
   await writeFile4(keyFilePath, JSON.stringify(keyFileData, null, 2) + "\n", "utf-8");
   return {
     address,
@@ -2393,14 +2926,14 @@ async function generateWallet(config) {
   };
 }
 async function importWallet(privateKeyHex, config) {
-  const cleaned = privateKeyHex.replace(/^0x/, "");
+  const cleaned = privateKeyHex.replace(/^0x/i, "");
   if (cleaned.length !== 64 || !/^[0-9a-fA-F]+$/.test(cleaned)) {
     throw new Error("Invalid private key: must be 32 bytes (64 hex characters)");
   }
   const privateKey = Buffer.from(cleaned, "hex");
   const address = generateAddress(cleaned);
   const createdAt = (/* @__PURE__ */ new Date()).toISOString();
-  const passphrase = randomBytes(16).toString("hex");
+  const passphrase = randomBytes2(16).toString("hex");
   const encrypted = encryptPrivateKey(privateKey, passphrase);
   const keyFileData = {
     version: 1,
@@ -2418,7 +2951,7 @@ async function importWallet(privateKeyHex, config) {
   };
   await ensureDir(config.dataDir);
   const keyFileName = `${address.slice(2, 10)}-${Date.now()}.json`;
-  const keyFilePath = join5(config.dataDir, keyFileName);
+  const keyFilePath = join6(config.dataDir, keyFileName);
   await writeFile4(keyFilePath, JSON.stringify(keyFileData, null, 2) + "\n", "utf-8");
   return {
     address,
@@ -2427,23 +2960,11 @@ async function importWallet(privateKeyHex, config) {
     keyFile: keyFilePath
   };
 }
-async function signMessage(message, keyFile, passphrase) {
-  const content = await readFile7(keyFile, "utf-8");
-  const keyFileData = JSON.parse(content);
-  const privateKey = decryptPrivateKey(
-    keyFileData.crypto.ciphertext,
-    keyFileData.crypto.iv,
-    keyFileData.crypto.authTag,
-    keyFileData.crypto.salt,
-    passphrase
-  );
-  const { createHmac } = await import("crypto");
-  const signature = createHmac("sha256", privateKey).update(message).digest("hex");
-  return {
-    message,
-    signature: "0x" + signature,
-    address: keyFileData.address
-  };
+async function signMessage(a, b, c) {
+  if (c !== void 0) {
+    return signMessageFromKeyFile(a, b, c);
+  }
+  return signMessageFromPrivateKey(a, b);
 }
 
 // src/wallet/manager.ts
@@ -2471,7 +2992,7 @@ var WalletManager = class {
     for (const file of files) {
       if (!file.endsWith(".json")) continue;
       try {
-        const filePath = join6(this.config.dataDir, file);
+        const filePath = join7(this.config.dataDir, file);
         const content = await readFile8(filePath, "utf-8");
         const data = JSON.parse(content);
         wallets.push({
@@ -2486,11 +3007,382 @@ var WalletManager = class {
     return wallets;
   }
 };
+
+// src/itp/index.ts
+var ITP_BASE_URL = "http://localhost:8100";
+var TIMEOUT_MS = 3e3;
+async function encode(message, sourceAgent) {
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), TIMEOUT_MS);
+    const response = await fetch(`${ITP_BASE_URL}/tools/encode`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        message,
+        source_agent: sourceAgent ?? "unknown",
+        target_agent: "unknown"
+      }),
+      signal: controller.signal
+    });
+    clearTimeout(timeout);
+    if (!response.ok) {
+      return { encoded: message, wasCompressed: false, savingsPct: 0 };
+    }
+    const data = await response.json();
+    return {
+      encoded: data.encoded ?? message,
+      wasCompressed: Boolean(data.was_compressed),
+      savingsPct: typeof data.savings_pct === "number" ? data.savings_pct : 0
+    };
+  } catch {
+    return { encoded: message, wasCompressed: false, savingsPct: 0 };
+  }
+}
+async function decode(message) {
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), TIMEOUT_MS);
+    const response = await fetch(`${ITP_BASE_URL}/tools/decode`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ message }),
+      signal: controller.signal
+    });
+    clearTimeout(timeout);
+    if (!response.ok) {
+      return { decoded: message, wasItp: false };
+    }
+    const data = await response.json();
+    return {
+      decoded: data.decoded ?? message,
+      wasItp: Boolean(data.was_itp)
+    };
+  } catch {
+    return { decoded: message, wasItp: false };
+  }
+}
+async function healthCheck() {
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), TIMEOUT_MS);
+    const response = await fetch(`${ITP_BASE_URL}/health`, {
+      signal: controller.signal
+    });
+    clearTimeout(timeout);
+    return response.ok;
+  } catch {
+    return false;
+  }
+}
+
+// src/itp/swarm-bridge.ts
+async function encodeTaskDescription(task) {
+  try {
+    const [descResult, msgResult] = await Promise.all([
+      encode(task.description, "swarm-orchestrator"),
+      encode(task.message, "swarm-orchestrator")
+    ]);
+    return {
+      ...task,
+      description: descResult.encoded,
+      message: msgResult.encoded
+    };
+  } catch {
+    return task;
+  }
+}
+async function decodeSwarmResult(result) {
+  try {
+    if (result.result === null) {
+      return result;
+    }
+    const decoded = await decode(result.result);
+    return {
+      ...result,
+      result: decoded.decoded
+    };
+  } catch {
+    return result;
+  }
+}
+
+// src/swarm/concurrency.ts
+var ConcurrencyManager = class {
+  maxConcurrency;
+  backpressureThreshold;
+  activeCount = 0;
+  throttleDelayMs = 0;
+  lastErrorTime = 0;
+  // Semaphore queue — each entry is a resolver that grants a slot
+  queue = [];
+  constructor(maxConcurrency = 5, backpressureThreshold = 0.8) {
+    this.maxConcurrency = maxConcurrency;
+    this.backpressureThreshold = backpressureThreshold;
+  }
+  /**
+   * Acquire a concurrency slot. Resolves when a slot is available.
+   * Applies throttle delay if rate limits have been hit recently.
+   */
+  async acquire() {
+    if (this.activeCount < this.maxConcurrency) {
+      this.activeCount++;
+    } else {
+      await new Promise((resolve) => {
+        this.queue.push(resolve);
+      });
+      this.activeCount++;
+    }
+    if (this.throttleDelayMs > 0) {
+      await new Promise((resolve) => setTimeout(resolve, this.throttleDelayMs));
+    }
+  }
+  /**
+   * Release a concurrency slot. Unblocks next queued waiter if any.
+   */
+  release() {
+    this.activeCount = Math.max(0, this.activeCount - 1);
+    const next = this.queue.shift();
+    if (next) next();
+  }
+  /**
+   * Number of currently active tasks.
+   */
+  get active() {
+    return this.activeCount;
+  }
+  /**
+   * Number of tasks waiting for a slot.
+   */
+  get pending() {
+    return this.queue.length;
+  }
+  /**
+   * Whether system has capacity for another task.
+   */
+  hasCapacity() {
+    return this.activeCount < this.maxConcurrency;
+  }
+  /**
+   * Increase throttle delay on rate-limit / transient errors.
+   * Multiple errors in quick succession cause exponential backoff.
+   */
+  adaptiveThrottle(_errorType = "rate_limit") {
+    const now = Date.now();
+    if (now - this.lastErrorTime < 5e3) {
+      this.throttleDelayMs = Math.min(this.throttleDelayMs * 2 + 500, 3e4);
+    } else {
+      this.throttleDelayMs = 500;
+    }
+    this.lastErrorTime = now;
+  }
+  /**
+   * Gradually reduce throttle delay after a successful operation.
+   */
+  resetThrottle() {
+    this.throttleDelayMs = Math.max(0, this.throttleDelayMs - 100);
+  }
+  /**
+   * Check if system is above backpressure threshold.
+   */
+  isUnderPressure() {
+    return this.activeCount / this.maxConcurrency >= this.backpressureThreshold;
+  }
+};
+
+// src/swarm/token_pool.ts
+var TokenPool = class {
+  totalBudget;
+  perTaskDefault;
+  allocations = /* @__PURE__ */ new Map();
+  constructor(totalBudget = 1e5, perTaskDefault = 2e4) {
+    this.totalBudget = totalBudget;
+    this.perTaskDefault = perTaskDefault;
+  }
+  /**
+   * Reserve tokens for a task.
+   * Returns false if the pool doesn't have enough remaining budget.
+   */
+  allocate(taskId, budget) {
+    const requested = budget ?? this.perTaskDefault;
+    const currentAllocated = this.totalAllocated();
+    if (currentAllocated + requested > this.totalBudget) {
+      return false;
+    }
+    this.allocations.set(taskId, {
+      task_id: taskId,
+      budget: requested,
+      consumed: 0,
+      allocated_at: Date.now()
+    });
+    return true;
+  }
+  /**
+   * Record actual token usage for a task (cumulative).
+   */
+  consume(taskId, tokens) {
+    const alloc = this.allocations.get(taskId);
+    if (alloc) {
+      alloc.consumed += tokens;
+    }
+  }
+  /**
+   * Free the allocation when a task completes.
+   * Returns tokens consumed by that task.
+   */
+  release(taskId) {
+    const alloc = this.allocations.get(taskId);
+    this.allocations.delete(taskId);
+    return alloc?.consumed ?? 0;
+  }
+  /**
+   * Total remaining budget (total - allocated).
+   */
+  remaining() {
+    return this.totalBudget - this.totalAllocated();
+  }
+  /**
+   * Total tokens consumed across all active tasks.
+   */
+  consumed() {
+    let total = 0;
+    for (const alloc of this.allocations.values()) {
+      total += alloc.consumed;
+    }
+    return total;
+  }
+  /**
+   * Total tokens currently allocated (reserved but not necessarily consumed).
+   */
+  totalAllocated() {
+    let total = 0;
+    for (const alloc of this.allocations.values()) {
+      total += alloc.budget;
+    }
+    return total;
+  }
+  /**
+   * Check if a specific task has exceeded its allocation.
+   */
+  isTaskOverBudget(taskId) {
+    const alloc = this.allocations.get(taskId);
+    if (!alloc) return false;
+    return alloc.consumed >= alloc.budget;
+  }
+  /**
+   * Remaining budget for a specific task.
+   */
+  taskBudgetRemaining(taskId) {
+    const alloc = this.allocations.get(taskId);
+    if (!alloc) return 0;
+    return Math.max(0, alloc.budget - alloc.consumed);
+  }
+  /**
+   * Per-task token consumption summary for observability.
+   */
+  usageReport() {
+    const tasks = {};
+    let totalConsumed = 0;
+    let totalAllocated = 0;
+    for (const [taskId, alloc] of this.allocations.entries()) {
+      tasks[taskId] = {
+        budget: alloc.budget,
+        consumed: alloc.consumed,
+        remaining: Math.max(0, alloc.budget - alloc.consumed),
+        over_budget: alloc.consumed >= alloc.budget
+      };
+      totalConsumed += alloc.consumed;
+      totalAllocated += alloc.budget;
+    }
+    return {
+      total_budget: this.totalBudget,
+      total_allocated: totalAllocated,
+      total_consumed: totalConsumed,
+      total_remaining: this.totalBudget - totalAllocated,
+      tasks
+    };
+  }
+  /**
+   * Clear all allocations (reset between runs).
+   */
+  reset() {
+    this.allocations.clear();
+  }
+};
+
+// src/swarm/model_router.ts
+var DEFAULT_MODELS = {
+  simple: "claude-3-haiku-20240307",
+  moderate: "claude-3-5-sonnet-20241022",
+  complex: "claude-opus-4-5"
+};
+var COMPLEX_KEYWORDS = [
+  "architect",
+  "design",
+  "refactor",
+  "debug complex",
+  "optimize",
+  "cross-domain",
+  "integrate multiple",
+  "security audit",
+  "performance",
+  "distributed",
+  "concurrent requests",
+  "migration",
+  "system design",
+  "multi-step",
+  "synthesize",
+  "reasoning",
+  "trade-off"
+];
+var SIMPLE_KEYWORDS = [
+  "format",
+  "list",
+  "count",
+  "lookup",
+  "translate",
+  "summarize briefly",
+  "extract",
+  "convert",
+  "rename",
+  "simple",
+  "trivial",
+  "basic",
+  "fetch",
+  "get",
+  "retrieve",
+  "find the"
+];
+function classifyHeuristic(description) {
+  const lower = description.toLowerCase();
+  for (const kw of COMPLEX_KEYWORDS) {
+    if (lower.includes(kw)) return "complex";
+  }
+  for (const kw of SIMPLE_KEYWORDS) {
+    if (lower.includes(kw)) return "simple";
+  }
+  const len = description.length;
+  if (len < 100) return "simple";
+  if (len > 500) return "complex";
+  return "moderate";
+}
+function selectModel(complexity, config) {
+  const overrides = config?.models ?? {};
+  return overrides[complexity] ?? DEFAULT_MODELS[complexity];
+}
+function classifyTasks(tasks) {
+  const result = /* @__PURE__ */ new Map();
+  for (const task of tasks) {
+    result.set(task.id, task.complexity ?? classifyHeuristic(task.description));
+  }
+  return result;
+}
 export {
   ABTestManager,
   AutoResearcher,
   CLAWPOWERS_HOME,
   CheckpointManager,
+  ConcurrencyManager,
   ContextInjector,
   DEFAULT_CONFIG,
   EpisodicMemory,
@@ -2503,17 +3395,49 @@ export {
   RSIAuditLog,
   SkillExecutor,
   SpendingPolicy,
+  TokenPool,
   VERSION,
   WalletManager,
   WorkingMemoryManager,
+  approximateDistance,
+  calculateFee,
+  calculateTransactionFee,
+  classifyHeuristic,
+  classifyTasks,
+  compressVector,
+  computeSha256,
+  createPaymentHeader,
+  decodeSwarmResult,
+  decompressVector,
+  deriveEthereumAddress,
+  derivePublicKey,
   detect402,
+  digestForWalletAddress,
   discoverSkills,
+  encodeTaskDescription,
+  evaluateWriteFirewall,
+  evaluateWriteSecurity,
   generateWallet,
+  generateWalletAddress,
   getActiveSkills,
+  getActiveTier,
+  getBestCanonicalStore,
+  getCapabilitySummary,
   getConfigValue,
+  getNative,
+  getNativeCanonicalStore,
+  getNativeCanonicalStoreInMemory,
+  getWasm,
+  getWasmCanonicalStore,
   importWallet,
   initConfig,
+  isNativeAvailable,
   isPaymentRequired,
+  isWasmAvailable,
+  decode as itpDecode,
+  encode as itpEncode,
+  healthCheck as itpHealthCheck,
+  keccak256Digest,
   listSkillsWithStatus,
   loadConfig,
   loadConfigSafe,
@@ -2521,15 +3445,19 @@ export {
   parseFrontmatter,
   runAutoResearch,
   saveConfig,
+  selectModel,
   setConfigValue,
-  signMessage
+  signEcdsa,
+  signMessage,
+  tokenAmountFromHuman,
+  verifyEcdsa
 };
 /**
  * ClawPowers — Skills Library for AI Agents
  * Drop-in capability layer: payments, memory, RSI, wallet.
  * No agent control loop — bring your own agent.
  *
- * @version 2.0.0
+ * @version 2.2.0
  * @license BSL-1.1
  * @patent-pending
  */