leak-cli 2026.2.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/.env.example ADDED
@@ -0,0 +1,23 @@
1
+ # Server
2
+ PORT=4021
3
+
4
+ # x402
5
+ FACILITATOR_MODE=testnet # testnet | cdp_mainnet
6
+ FACILITATOR_URL=https://x402.org/facilitator
7
+ SELLER_PAY_TO=0xYourAddress
8
+ PRICE_USD=0.01
9
+ CHAIN_ID=eip155:84532
10
+ WINDOW_SECONDS=3600
11
+
12
+ # Required when FACILITATOR_MODE=cdp_mainnet (Base mainnet path)
13
+ # FACILITATOR_URL=https://api.cdp.coinbase.com/platform/v2/x402
14
+ CDP_API_KEY_ID=
15
+ CDP_API_KEY_SECRET=
16
+
17
+ # Settlement / confirmation policy
18
+ CONFIRMATION_POLICY=confirmed # optimistic|confirmed
19
+ CONFIRMATIONS_REQUIRED=1
20
+
21
+ # Artifact to serve
22
+ ARTIFACT_PATH=./protected/asset.bin
23
+ PROTECTED_MIME=application/octet-stream
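Review bot: FACILITATOR_URL on line 6 is set explicitly to the testnet facilitator, so a user who changes FACILITATOR_MODE to cdp_mainnet and CHAIN_ID to eip155:8453 but overlooks the commented-out line 13 keeps pointing at https://x402.org/facilitator. That is the mode/URL mismatch the README's facilitator troubleshooting section describes. The README states that FACILITATOR_URL has a default for each FACILITATOR_MODE, so consider shipping both URL lines commented out and letting the mode-derived default apply unless someone overrides it on purpose. CHAIN_ID on line 9 has the same coupling; a comment beside it naming the mainnet value and its dependence on cdp_mainnet plus the CDP keys would make the template self-explanatory.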
package/LICENSE ADDED
@@ -0,0 +1,15 @@
1
+ ISC License
2
+
3
+ Copyright (c) 2026 leak contributors
4
+
5
+ Permission to use, copy, modify, and/or distribute this software for any
6
+ purpose with or without fee is hereby granted, provided that the above
7
+ copyright notice and this permission notice appear in all copies.
8
+
9
+ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
10
+ REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11
+ AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
12
+ INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13
+ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
14
+ OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15
+ PERFORMANCE OF THIS SOFTWARE.
package/README.md ADDED
@@ -0,0 +1,492 @@
1
+ # leak
2
+
3
+ - `there is no platform\n<beautiful_milady.jpg>\ni love you`
4
+ - cutting-edge architecture with dial-up sensibilities
5
+ - "For a limited time only."
6
+
7
+ **Leak** is a content creator tool that can set up a time-boxed online store hosted straight from your computer. It leverages open source tools, the x402 protocol, and AI assistants (like OpenClaw) to make selling digital goods as easy as asking your agent about the weather. Leak is for fans too; buying content is easy as giving your agent the download link shared by your favorite creators and funding your agent with USDC -- installing the leak skill makes all of this a breeze.
8
+
9
+ ## Quick Start
10
+
11
+ ### Install
12
+
13
+ ```bash
14
+ npm i -g leak-cli
15
+ ```
16
+
17
+ Package name: `leak-cli`
18
+
19
+ Command: `leak`
20
+
21
+ OpenClaw skill docs live in this repo at [`/skills/leak`](https://github.com/eucalyptus-viminalis/leak/tree/main/skills/leak); Clawhub listing coming soon.
22
+
23
+ ### Config
24
+
25
+ ```bash
26
+ leak config
27
+ ```
28
+
29
+ Configure defaults to avoid managing multiple flags when using leak subcommands.
30
+
31
+ Once `leak` is configured, commands become very simple to use:
32
+
33
+ **Selling**:
34
+
35
+ ```bash
36
+ leak --file ./your-file.bin --public
37
+ ```
38
+
39
+ **Buying**:
40
+
41
+ ```bash
42
+ leak buy <buy_link> --buyer-private-key <private_key>
43
+ ```
44
+
45
+ ### Seller Quickstart 1: Local testnet sale (fastest path)
46
+
47
+ Goal: run a local sale and verify the x402 flow end to end.
48
+
49
+ Prereqs: fund a buyer test wallet on Base Sepolia ([Circle Faucet](https://faucet.circle.com)); no CDP mainnet setup is needed.
50
+
51
+ ```bash
52
+ leak --file ./your-file.bin --pay-to 0xYOUR_ADDRESS --price 0.01 --window 15m --network eip155:84532
53
+ ```
54
+
55
+ Expected output:
56
+ - server URLs for `/`, `/health`, and `/download`
57
+ - `/download` is x402-protected
58
+
59
+ Verification:
60
+
61
+ ```bash
62
+ curl -i http://127.0.0.1:4021/download
63
+ ```
64
+
65
+ Expected result: `402` plus a `PAYMENT-REQUIRED` header.
66
+
67
+ ### Seller Quickstart 2: Public testnet sale (shareable link)
68
+
69
+ Goal: create a public share link for social posting.
70
+
71
+ ```bash
72
+ brew install cloudflared
73
+ ```
74
+
75
+ ```bash
76
+ leak --file ./your-file.bin --pay-to 0xYOUR_ADDRESS --price 0.01 --window 30m --network eip155:84532 --public --og-title "Your Release Title" --og-description "Limited release. Agent-assisted purchase."
77
+ ```
78
+
79
+ Use the output URLs like this:
80
+ - share `https://<tunnel>/` as your promo URL (optimized for OpenGraph metadata on feeds and chats)
81
+ - agents will use `https://<tunnel>/download` to buy (x402-protected link)
82
+ - open the promo URL in a browser and confirm title, description, and image render correctly for social cards
83
+ - while the tunnel is still running, run the Buyer section below to validate payment + download end-to-end
84
+
85
+ ### Buyer Skeleton (pre-Clawhub)
86
+
87
+ Use the direct CLI buy flow for now.
88
+
89
+ ```bash
90
+ leak buy "https://xxxx.trycloudflare.com/download" --buyer-private-key 0xYOUR_BUYER_KEY
91
+ ```
92
+
93
+ By default, the file is saved to your current directory using the server-provided filename; use `--out` or `--basename` to control naming.
94
+ When settlement metadata is returned, `leak buy` also prints a receipt block with network + transaction hash (and Basescan link on Base networks).
95
+
96
+ Security note: use a dedicated buyer key with limited funds.
97
+
98
+ ### Buyer Skeleton (post-Clawhub, placeholder)
99
+
100
+ To be finalized after Clawhub skill publish.
101
+
102
+ - install the leak skill from Clawhub
103
+ - give your agent the `/download` URL
104
+ - let the agent handle payment and save flow through the skill
105
+
106
+ ### Next: Mainnet checklist (optional)
107
+
108
+ Warning: switching only `CHAIN_ID` to mainnet is not sufficient.
109
+
110
+ Required:
111
+ - `FACILITATOR_MODE=cdp_mainnet`
112
+ - `CHAIN_ID=eip155:8453`
113
+ - `CDP_API_KEY_ID` and `CDP_API_KEY_SECRET`
114
+ - recommended: `CONFIRMATION_POLICY=confirmed`
115
+
116
+ Reference: see [Testnet vs Mainnet facilitator setup](#testnet-vs-mainnet-facilitator-setup) below.
117
+
118
+ ---
119
+
120
+ ## User Archetypes
121
+
122
+ **Seller**:
123
+ - publish payment-gated content straight from your computer
124
+ - set your own price 💸
125
+ - set available window 🪟
126
+ - tell your agent what you b *leakin'* 🤤
127
+ - `💦 on-demand + one-shot + ephemeral ✨ -- store for your digital goods`
128
+ - yes, install the `leak` 🦞 `OpenClaw` 🦞 `SKILL` and you can tell your agent to do all the above for you 🪬
129
+
130
+ **Buyer**:
131
+ - download cool sh!t straight to your device
132
+ - skip the bad 🤓 guys 😤
133
+ - NO MORE SUBSCRIPTIONS PLEASE (hehe)
134
+ - platform resi-. there is not platform, i love you.
135
+
136
+ **U MAD?**:
137
+ - Spotify
138
+ - OnlyFans
139
+ - BandCamp
140
+ - SoundCloud
141
+
142
+ ## Leak CLI (recommended)
143
+
144
+ The easiest way to run the server is the `leak` CLI, which prompts for missing info (price + duration) and auto-stops after the sale window (or `window + ended-window`, if configured).
145
+
146
+ ```bash
147
+ cd ~/leak
148
+ npm run leak -- --file /path/to/vape.jpg
149
+ ```
150
+
151
+ If you install this package globally / as a dependency, you can run:
152
+
153
+ ```bash
154
+ leak --file /path/to/vape.jpg
155
+ ```
156
+
157
+ Backward-compatible form still supported:
158
+
159
+ ```bash
160
+ leak leak --file /path/to/vape.jpg
161
+ ```
162
+
163
+ It will ask:
164
+ - **How much (USDC)?** (e.g. `0.01`)
165
+ - **How long?** (e.g. `15m`, `1h`)
166
+
167
+ Optional flags:
168
+ - `--price 0.01` (USDC)
169
+ - `--window 1h` (or seconds)
170
+ - `--confirmed` (settle on-chain before issuing token)
171
+ - `--public` (start a temporary Cloudflare Tunnel and print a public URL; requires `cloudflared`)
172
+ - `--og-title "My Drop"`
173
+ - `--og-description "Agent-assisted purchase"`
174
+ - `--og-image-url https://...` (absolute `http(s)` URL) or `--og-image-url ./cover.png` (local image path)
175
+ - `--ended-window-seconds 86400` (keep ended promo page online before auto-stop)
176
+ - `--network eip155:84532`
177
+ - `--pay-to 0x...`
178
+ - `--port 4021`
179
+
180
+ ### Persistent config (`leak config`)
181
+
182
+ To avoid passing the same seller/facilitator flags every run, configure defaults once:
183
+
184
+ ```bash
185
+ leak config
186
+ ```
187
+
188
+ Inspect saved values (secrets redacted):
189
+
190
+ ```bash
191
+ leak config show
192
+ ```
193
+
194
+ Optionally scaffold a project `.env` from saved defaults:
195
+
196
+ ```bash
197
+ leak config --write-env
198
+ ```
199
+
200
+ Config file location:
201
+ - `~/.leak/config.json`
202
+
203
+ Precedence for launch values:
204
+ - CLI flags
205
+ - environment variables
206
+ - `~/.leak/config.json`
207
+ - built-in defaults
208
+
209
+ Manual editing is supported. Keep `CDP_API_KEY_SECRET` private and avoid committing generated `.env` files.
210
+
211
+ ### Install `cloudflared` for `--public`
212
+
213
+ `--public` needs the Cloudflare Tunnel binary on your PATH.
214
+
215
+ ```bash
216
+ # macOS (Homebrew)
217
+ brew install cloudflared
218
+
219
+ # Windows (winget)
220
+ winget install --id Cloudflare.cloudflared
221
+ ```
222
+
223
+ Linux packages/docs:
224
+ `https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/`
225
+
226
+ If you don't need a public URL, run without `--public` for local-only mode.
227
+
228
+ For now, Cloudflare quick tunnel (`--public`) is supported for both dev and early production rollout.
229
+ Custom-domain ingress can be added later.
230
+
231
+ ### Tweeting/sharing a release
232
+
233
+ When using `--public`, share the **promo URL** (`/`) in your tweet/chat message.
234
+
235
+ - `https://<tunnel>/` → promo page with OG/Twitter card metadata
236
+ - `https://<tunnel>/download` → x402 endpoint for agents
237
+
238
+ Example:
239
+
240
+ ```bash
241
+ npm run leak -- --file ./song.mp3 --pay-to 0x... --price 1 --window 1h --public \
242
+ --og-title "New Single: Nightwire" \
243
+ --og-description "Limited release. Agent-assisted purchase." \
244
+ --og-image-url ./nightwire-cover.jpg
245
+ ```
246
+
247
+ When a local image path is used for `--og-image-url`, leak serves it from `/og-image` and points OG/Twitter metadata at that endpoint.
248
+
249
+ This mirrors the behavior of the original Python scaffold implementation:
250
+
251
+ - `GET /download` without payment → **402** with `PAYMENT-REQUIRED` header
252
+ - `GET /download` with valid payment headers → returns a **time-limited token** JSON
253
+ - `GET /download?token=...` → streams the artifact
254
+
255
+ ### Testnet vs Mainnet facilitator setup
256
+
257
+ `CHAIN_ID=eip155:8453` by itself is **not enough** for production.
258
+
259
+ Base Sepolia / testnet:
260
+
261
+ ```bash
262
+ FACILITATOR_MODE=testnet
263
+ FACILITATOR_URL=https://x402.org/facilitator
264
+ CHAIN_ID=eip155:84532
265
+ ```
266
+
267
+ Base mainnet (CDP facilitator auth required):
268
+
269
+ ```bash
270
+ FACILITATOR_MODE=cdp_mainnet
271
+ FACILITATOR_URL=https://api.cdp.coinbase.com/platform/v2/x402
272
+ CHAIN_ID=eip155:8453
273
+ CDP_API_KEY_ID=...
274
+ CDP_API_KEY_SECRET=...
275
+ ```
276
+
277
+ Recommended for production-like behavior:
278
+
279
+ ```bash
280
+ CONFIRMATION_POLICY=confirmed
281
+ ```
282
+
283
+ ---
284
+
285
+ ## Quickstart (local)
286
+
287
+ ### 1) Install
288
+
289
+ ```bash
290
+ cd ~/leak
291
+ npm install
292
+ ```
293
+
294
+ ### 2) Configure
295
+
296
+ ```bash
297
+ cp .env.example .env
298
+ # edit .env
299
+ ```
300
+
301
+ Minimum you must set:
302
+ - `SELLER_PAY_TO` (the address that receives USDC)
303
+ - `ARTIFACT_PATH` (the file you want to serve)
304
+
305
+ Example artifact:
306
+ ```bash
307
+ mkdir -p protected
308
+ printf "hello" > protected/asset.bin
309
+ # then set ARTIFACT_PATH=./protected/asset.bin
310
+ ```
311
+
312
+ ### 3) Run
313
+
314
+ Dev (auto-reload):
315
+ ```bash
316
+ npm run dev
317
+ ```
318
+
319
+ Prod:
320
+ ```bash
321
+ npm start
322
+ ```
323
+
324
+ Server will print:
325
+ - `http://localhost:4021/` (promo page)
326
+ - `http://localhost:4021/info` (machine-readable info)
327
+ - `http://localhost:4021/health`
328
+ - `http://localhost:4021/download` (x402-protected)
329
+
330
+ ---
331
+
332
+ ## How the flow works
333
+
334
+ ### A) Unpaid request
335
+
336
+ ```bash
337
+ curl -i http://localhost:4021/download
338
+ ```
339
+
340
+ You should get `402` and a `PAYMENT-REQUIRED` header.
341
+
342
+ ### B) Paid request → token
343
+
344
+ A buyer/agent should retry with a payment header:
345
+ - v2: `PAYMENT-SIGNATURE: <base64-json>`
346
+ - legacy: `X-PAYMENT: <base64-json>` (accepted by this server)
347
+
348
+ If valid, the server responds `200` JSON:
349
+ ```json
350
+ {
351
+ "ok": true,
352
+ "token": "...",
353
+ "expires_in": 3600,
354
+ "download_url": "/download?token=...",
355
+ "filename": "myfile.mp3",
356
+ "mime_type": "audio/mpeg"
357
+ }
358
+ ```
359
+
360
+ #### Node buyer test script
361
+
362
+ There’s a Node buyer test script that does the whole 3-step flow (402 → pay → token → download).
363
+
364
+ ## Buyer CLI (new)
365
+
366
+ There is now a proper buyer CLI that takes the link directly (no `BASE_URL` env):
367
+
368
+ ```bash
369
+ leak buy "https://xxxx.trycloudflare.com/download" --buyer-private-key 0x...
370
+ ```
371
+
372
+ When available, it prints payment receipt metadata including transaction hash and network before saving the file.
373
+
374
+ Optional save naming:
375
+ - `--out ./some/path.ext`
376
+ - `--basename myname` (keeps the server file extension)
377
+
378
+ ```bash
379
+ cd ~/leak
380
+
381
+ # buyer envs (REQUIRED)
382
+ export BASE_URL=https://xxxx.trycloudflare.com # or http://127.0.0.1:4021 in dev
383
+ export BUYER_PRIVATE_KEY=0x...
384
+
385
+ # optional
386
+ export OUTPUT_PATH=./downloaded.bin
387
+ export OUTPUT_BASENAME=myfilename
388
+
389
+ npm run buyer
390
+ ```
391
+
392
+ Dev convenience (optional):
393
+ ```bash
394
+ export LEAK_DEV=1 # allows BASE_URL to default to http://127.0.0.1:4021
395
+ ```
396
+
397
+ What it does:
398
+ - first `GET /download` expects **402** + `PAYMENT-REQUIRED`
399
+ - creates a payment payload, retries with `PAYMENT-SIGNATURE`
400
+ - receives `{ token, download_url, filename, mime_type }`
401
+ - downloads via `?token=` and saves to disk
402
+
403
+ ### C) Use token → download
404
+
405
+ ```bash
406
+ curl -L -o out.bin "http://localhost:4021/download?token=..."
407
+ ```
408
+
409
+ ---
410
+
411
+ ## Routes
412
+
413
+ - `GET /` promo HTML page with OG/Twitter tags
414
+ - `200` while sale is active
415
+ - `410` once sale has ended
416
+ - `GET /info` machine-readable JSON status (compat endpoint)
417
+ - `GET /og-image` configured OG image file (when using local `--og-image-url` path)
418
+ - `GET /og.svg` fallback OG image (used when `--og-image-url` is not set)
419
+ - `GET /health` free health check
420
+ - `GET /download` x402-protected download endpoint
421
+ - active sale: normal x402/token flow
422
+ - ended sale: `410`
423
+
424
+ ---
425
+
426
+ ## Env vars
427
+
428
+ - `PORT` (default `4021`)
429
+ - `FACILITATOR_MODE`
430
+ - `testnet` (default)
431
+ - `cdp_mainnet` (required for Base mainnet path in this project)
432
+ - `FACILITATOR_URL`
433
+ - default with `FACILITATOR_MODE=testnet`: `https://x402.org/facilitator`
434
+ - default with `FACILITATOR_MODE=cdp_mainnet`: `https://api.cdp.coinbase.com/platform/v2/x402`
435
+ - `SELLER_PAY_TO` receiving address
436
+ - `PRICE_USD` (string like `1.00`)
437
+ - `CHAIN_ID`
438
+ - default: `eip155:84532` (Base Sepolia) for `x402.org/facilitator`
439
+ - Base mainnet: `eip155:8453` (requires `FACILITATOR_MODE=cdp_mainnet` plus CDP keys)
440
+ - `CDP_API_KEY_ID` (required with `FACILITATOR_MODE=cdp_mainnet`)
441
+ - `CDP_API_KEY_SECRET` (required with `FACILITATOR_MODE=cdp_mainnet`)
442
+ - `WINDOW_SECONDS` access token lifetime
443
+ - `SALE_START_TS` sale start (unix seconds; usually set by launcher)
444
+ - `SALE_END_TS` sale end (unix seconds; usually set by launcher)
445
+ - `ENDED_WINDOW_SECONDS`
446
+ - `--public` default in launcher: `86400` (24h)
447
+ - local-only default in launcher: `0`
448
+ - `CONFIRMATION_POLICY`
449
+ - `confirmed` (default): settles via facilitator before issuing token (you should be able to see a tx on Basescan)
450
+ - `optimistic`: verifies payment + issues token, but may not settle on-chain
451
+ - `CONFIRMATIONS_REQUIRED` (currently informational; parity with Python scaffold)
452
+ - `ARTIFACT_PATH` local file path
453
+ - `PROTECTED_MIME` content type (default `application/octet-stream`)
454
+ - `OG_TITLE` optional card/page title (or use `--og-title`)
455
+ - `OG_DESCRIPTION` optional card/page description (or use `--og-description`)
456
+ - `OG_IMAGE_URL` optional absolute `http(s)` card image URL (or use `--og-image-url`)
457
+ - `OG_IMAGE_PATH` optional local card image file path (set automatically by launcher when using local `--og-image-url`)
458
+ - `PUBLIC_BASE_URL` optional absolute base URL for metadata canonicalization
459
+
460
+ ---
461
+
462
+ ## Versioning
463
+
464
+ This package uses **CalVer** in `YYYY.M.P` format (example: `2026.2.11`).
465
+
466
+ Release rules:
467
+ - `YYYY` = year
468
+ - `M` = month
469
+ - `P` = release number within that month
470
+ - Pre-release builds use semver-compatible tags, for example `2026.2.11-rc.1`.
471
+
472
+ ---
473
+
474
+ ## Notes
475
+
476
+ ### Legacy header support
477
+
478
+ This server accepts legacy `X-PAYMENT` by aliasing it to `PAYMENT-SIGNATURE`.
479
+
480
+ ### Running under OpenClaw / timeouts
481
+
482
+ If you see a `SIGKILL` after “listening …”, it usually means the command was run with a short timeout during automated testing. Running via `npm run dev` in your own terminal will keep it alive.
483
+
484
+ ### Facilitator troubleshooting
485
+
486
+ - Startup error mentions `does not support scheme` or network mismatch:
487
+ - your `CHAIN_ID` and facilitator mode/url are misaligned.
488
+ - verify testnet vs mainnet settings above.
489
+
490
+ - Startup or runtime error mentions `401`, `403`, `authorization`, or `jwt`:
491
+ - facilitator auth is missing/invalid.
492
+ - for mainnet, ensure `FACILITATOR_MODE=cdp_mainnet` plus valid `CDP_API_KEY_ID` and `CDP_API_KEY_SECRET`.
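Review bot: the buy examples on README lines 42, 90 and 369 pass the wallet key as --buyer-private-key on the command line, where it is recorded in shell history and visible in the process list, and the only mitigation documented is the line 96 note about using a dedicated key with limited funds. The older npm run buyer block at line 383 already reads BUYER_PRIVATE_KEY from the environment, so state whether leak buy honours the same variable (or can take the key from ~/.leak/config.json) and make that the primary example. Separately, under "Buyer CLI (new)" the block at lines 378-401 still documents the BASE_URL-based npm run buyer flow immediately after the text says no BASE_URL env is needed; it reads as if it belongs under "Node buyer test script" at line 360.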
package/package.json ADDED
@@ -0,0 +1,54 @@
1
+ {
2
+ "name": "leak-cli",
3
+ "version": "2026.2.11",
4
+ "description": "On-demand, self-hosted internet pop-up store builder optimized for AI agents",
5
+ "type": "module",
6
+ "main": "src/index.js",
7
+ "files": [
8
+ "src/",
9
+ "scripts/cli.js",
10
+ "scripts/leak.js",
11
+ "scripts/buy.js",
12
+ "scripts/config.js",
13
+ "scripts/config_store.js",
14
+ "README.md",
15
+ ".env.example",
16
+ "LICENSE"
17
+ ],
18
+ "bin": {
19
+ "leak": "scripts/cli.js"
20
+ },
21
+ "scripts": {
22
+ "start": "node src/index.js",
23
+ "dev": "node --watch src/index.js",
24
+ "cli": "node scripts/cli.js",
25
+ "buyer": "node scripts/buyer_test.js",
26
+ "leak": "node scripts/leak.js",
27
+ "buy": "node scripts/buy.js"
28
+ },
29
+ "keywords": [
30
+ "x402",
31
+ "file-sharing",
32
+ "micropayments",
33
+ "openclaw"
34
+ ],
35
+ "repository": {
36
+ "type": "git",
37
+ "url": "git+https://github.com/eucalyptus-viminalis/leak.git"
38
+ },
39
+ "homepage": "https://github.com/eucalyptus-viminalis/leak#readme",
40
+ "bugs": {
41
+ "url": "https://github.com/eucalyptus-viminalis/leak/issues"
42
+ },
43
+ "license": "ISC",
44
+ "dependencies": {
45
+ "@coinbase/cdp-sdk": "^1.12.0",
46
+ "@x402/core": "^2.3.0",
47
+ "@x402/evm": "^2.3.0",
48
+ "@x402/express": "^2.3.0",
49
+ "dotenv": "^17.2.4",
50
+ "express": "^5.2.1",
51
+ "viem": "^2.45.2"
52
+ },
53
+ "packageManager": "npm@10.9.0"
54
+ }
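Review bot: the buyer script on line 25 runs scripts/buyer_test.js, but the files allowlist on lines 7-17 does not include that file, so it is not shipped in the published package and the npm run buyer flow documented in the README cannot run from an installed copy. Either add the script to files or drop the buyer entry together with the README section that relies on it. Also worth a look: every dependency on lines 45-51 uses a caret range, including the packages that handle signing and payment (@coinbase/cdp-sdk, @x402/core, @x402/evm, @x402/express, viem). For a CLI installed with npm i -g and then handed a wallet private key, publishing an npm-shrinkwrap.json would pin the resolved dependency tree instead of taking whatever matching versions are current at install time.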