moltlaunch 2.0.0 → 2.0.2

package/worker/src/index.ts

@@ -1,963 +0,0 @@
-// MANDATE Alpha Worker
-// Task queue API with quote-based flow + ERC-8004 Agent Discovery
-
-import type { Env, Task, TaskFile } from './types';
-import {
-  createTask,
-  getTask,
-  getAgentInbox,
-  getAgentTasks,
-  getClientTasks,
-  getRecentTasks,
-  quoteTask,
-  declineTask,
-  acceptQuote,
-  submitTask,
-  completeTask,
-  disputeTask,
-  resolveTask,
-  rateTask,
-  requestRevision,
-  addMessage,
-  getAgentStats,
-  addFileToTask,
-  refundTask,
-} from './tasks';
-import { getAllAgents, getAgentById } from './agents';
-import { verifySigner, getAgentOwner, verifyEscrowDeposit } from './auth';
-import { checkRateLimit } from './ratelimit';
-import { uploadFile, downloadFile } from './files';
-import { getProfile, updateProfile, getGigs, createGig, updateGig, removeGig } from './profiles';
-
-/** Strip result from tasks that aren't submitted/completed/revision (prevent seeing work before paying) */
-function stripResult(task: Task): Task {
-  if (task.status !== 'completed' && task.status !== 'submitted' && task.status !== 'revision' && task.status !== 'disputed' && task.status !== 'resolved') {
-    const { result: _r, ...safe } = task;
-    return safe as Task;
-  }
-  return task;
-}
-
-export default {
-  async fetch(request: Request, env: Env): Promise<Response> {
-    const url = new URL(request.url);
-    const corsHeaders = {
-      'Access-Control-Allow-Origin': '*',
-      'Access-Control-Allow-Methods': 'GET, POST, PUT, OPTIONS',
-      'Access-Control-Allow-Headers': 'Content-Type',
-    };
-
-    if (request.method === 'OPTIONS') {
-      return new Response(null, { headers: corsHeaders });
-    }
-
-    const path = url.pathname;
-
-    try {
-      // Health check (skip rate limit)
-      if (path === '/health' || path === '/') {
-        return json({ status: 'ok', service: 'mandate-alpha' }, 200, corsHeaders);
-      }
-
-      // POST /api/access/verify — Check access code
-      if (request.method === 'POST' && path === '/api/access/verify') {
-        const body = await request.json() as { code?: string };
-        if (!body.code) return json({ error: 'Missing code' }, 400, corsHeaders);
-        const codesRaw = await env.TASKS_KV.get('access:codes');
-        const codes: string[] = codesRaw ? JSON.parse(codesRaw) : [];
-        const valid = codes.includes(body.code.trim().toUpperCase());
-        return json({ valid }, 200, corsHeaders);
-      }
-
-      // POST /api/access/codes — Admin: set access codes
-      if (request.method === 'POST' && path === '/api/access/codes') {
-        const body = await request.json() as { codes?: string[]; signature?: string; timestamp?: number; nonce?: string };
-        if (!body.codes || !body.signature) return json({ error: 'Missing fields' }, 400, corsHeaders);
-        const signer = await verifySigner(env, 'admin', 'access', body.timestamp!, body.signature!, body.nonce!);
-        if (!signer) return json({ error: 'Invalid signature' }, 401, corsHeaders);
-        // Only admin can set codes (hardcode admin check)
-        const adminAddress = '0xba925f392940F0b82248dA643A5f87373A74FBc7';
-        if (signer.toLowerCase() !== adminAddress.toLowerCase()) return json({ error: 'Not admin' }, 403, corsHeaders);
-        const upperCodes = body.codes.map((c: string) => c.trim().toUpperCase());
-        await env.TASKS_KV.put('access:codes', JSON.stringify(upperCodes));
-        return json({ success: true, count: upperCodes.length }, 200, corsHeaders);
-      }
-
-      // Rate limiting (IP-based, skip for health check above)
-      const ip = request.headers.get('CF-Connecting-IP') || request.headers.get('X-Forwarded-For') || 'unknown';
-      const rateLimit = await checkRateLimit(env, ip, request.method);
-      if (!rateLimit.allowed) {
-        return new Response(JSON.stringify({ error: 'Rate limit exceeded' }), {
-          status: 429,
-          headers: {
-            'Content-Type': 'application/json',
-            'Retry-After': String(rateLimit.resetAt - Math.floor(Date.now() / 1000)),
-            'X-RateLimit-Remaining': '0',
-            'X-RateLimit-Reset': String(rateLimit.resetAt),
-            ...corsHeaders,
-          },
-        });
-      }
-
-      // GET /api/agents — List all Moltlaunch agents (from KV index)
-      if (request.method === 'GET' && path === '/api/agents') {
-        const agents = await getAllAgents(env);
-        // Always use verified KV stats as source of truth for reputation
-        for (const agent of agents) {
-          const stats = await getAgentStats(env, agent.id);
-          agent.reputation = {
-            count: stats.ratingCount,
-            summaryValue: stats.ratingCount > 0 ? Math.round(stats.ratingSum / stats.ratingCount) : 0,
-            summaryValueDecimals: 0,
-          };
-        }
-        return json({ agents, total: agents.length }, 200, corsHeaders);
-      }
-
-      // POST /api/agents/register — Register agent ID in our index (AUTHENTICATED: agent owner)
-      if (request.method === 'POST' && path === '/api/agents/register') {
-        const body = await request.json() as { agentId: string; signature: string; timestamp: number; nonce: string };
-        if (!body.agentId) {
-          return json({ error: 'Missing agentId' }, 400, corsHeaders);
-        }
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        // Verify signer is the on-chain agent owner
-        try {
-          const signer = await verifySigner(env, 'register', body.agentId, body.timestamp, body.signature, body.nonce);
-          const owner = await getAgentOwner(env, body.agentId);
-          if (signer !== owner) {
-            return json({ error: 'Unauthorized: signer is not the agent owner' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        // Store in KV index
-        const indexKey = 'moltlaunch:agents';
-        const existingRaw = await env.TASKS_KV.get(indexKey);
-        const existing: string[] = existingRaw ? JSON.parse(existingRaw) : [];
-
-        if (!existing.includes(body.agentId)) {
-          existing.push(body.agentId);
-          await env.TASKS_KV.put(indexKey, JSON.stringify(existing));
-        }
-
-        return json({ success: true, agentId: body.agentId }, 200, corsHeaders);
-      }
-
-      // GET /api/agents/:id/stats — Agent performance stats
-      const statsMatch = path.match(/^\/api\/agents\/([a-zA-Z0-9x]+)\/stats$/);
-      if (request.method === 'GET' && statsMatch) {
-        const stats = await getAgentStats(env, statsMatch[1]);
-        return json(stats, 200, corsHeaders);
-      }
-
-      // GET /api/agents/:id/reviews — Agent verified reviews from rated tasks
-      const reviewsMatch = path.match(/^\/api\/agents\/([a-zA-Z0-9x]+)\/reviews$/);
-      if (request.method === 'GET' && reviewsMatch) {
-        const tasks = await getAgentTasks(env, reviewsMatch[1]);
-        const stats = await getAgentStats(env, reviewsMatch[1]);
-        const reviews = tasks
-          .filter((t: Task) => t.ratedAt)
-          .map((t: Task) => ({
-            taskId: t.id,
-            score: t.ratedScore ?? null,
-            comment: t.ratedComment ?? null,
-            reviewer: t.clientAddress,
-            ratedAt: t.ratedAt,
-            ratedTxHash: t.ratedTxHash,
-          }))
-          .sort((a, b) => (b.ratedAt || 0) - (a.ratedAt || 0));
-        const avgScore = stats.ratingCount > 0 ? Math.round(stats.ratingSum / stats.ratingCount) : null;
-        return json({ reviews, total: reviews.length, avgScore, reviewCount: stats.ratingCount }, 200, corsHeaders);
-      }
-
-      // GET /api/agents/:id — Get single agent by ID
-      const agentMatch = path.match(/^\/api\/agents\/([a-zA-Z0-9x]+)$/);
-      if (request.method === 'GET' && agentMatch) {
-        const agent = await getAgentById(env, agentMatch[1]);
-        if (!agent) {
-          return json({ error: 'Agent not found' }, 404, corsHeaders);
-        }
-        // Always use verified KV stats as source of truth for reputation
-        const stats = await getAgentStats(env, agentMatch[1]);
-        agent.reputation = {
-          count: stats.ratingCount,
-          summaryValue: stats.ratingCount > 0 ? Math.round(stats.ratingSum / stats.ratingCount) : 0,
-          summaryValueDecimals: 0,
-        };
-        return json({ agent }, 200, corsHeaders);
-      }
-
-      // GET /api/tasks/disputed — All disputed tasks (for admin)
-      if (request.method === 'GET' && path === '/api/tasks/disputed') {
-        const result = await getRecentTasks(env, 100);
-        const disputed = result.tasks.filter((t: Task) => t.status === 'disputed');
-        return json({ tasks: disputed, total: disputed.length }, 200, corsHeaders);
-      }
-
-      // GET /api/tasks/recent — Recent tasks across all agents
-      if (request.method === 'GET' && path === '/api/tasks/recent') {
-        const limit = Math.min(parseInt(url.searchParams.get('limit') || '10', 10), 50);
-        const result = await getRecentTasks(env, limit);
-        result.tasks = result.tasks.map(stripResult);
-        return json(result, 200, corsHeaders);
-      }
-
-      // POST /api/tasks — Create a task request (no price)
-      if (request.method === 'POST' && path === '/api/tasks') {
-        const body = await request.json() as {
-          agentId: string;
-          clientAddress: string;
-          task: string;
-        };
-
-        if (!body.agentId || !body.clientAddress || !body.task) {
-          return json({ error: 'Missing required fields: agentId, clientAddress, task' }, 400, corsHeaders);
-        }
-
-        const task = await createTask(env, body.agentId, body.clientAddress, body.task);
-        return json({ task }, 201, corsHeaders);
-      }
-
-      // GET /api/tasks/inbox?agent=<id>
-      if (request.method === 'GET' && path === '/api/tasks/inbox') {
-        const agentId = url.searchParams.get('agent');
-        if (!agentId) {
-          return json({ error: 'Missing agent parameter' }, 400, corsHeaders);
-        }
-
-        const tasks = await getAgentInbox(env, agentId);
-        return json({ tasks, total: tasks.length }, 200, corsHeaders);
-      }
-
-      // GET /api/tasks/agent?id=<id> — Full task history for an agent
-      if (request.method === 'GET' && path === '/api/tasks/agent') {
-        const agentId = url.searchParams.get('id');
-        if (!agentId) {
-          return json({ error: 'Missing id parameter' }, 400, corsHeaders);
-        }
-
-        const tasks = await getAgentTasks(env, agentId);
-        return json({ tasks, total: tasks.length }, 200, corsHeaders);
-      }
-
-      // GET /api/tasks/client?address=<addr>
-      if (request.method === 'GET' && path === '/api/tasks/client') {
-        const address = url.searchParams.get('address');
-        if (!address) {
-          return json({ error: 'Missing address parameter' }, 400, corsHeaders);
-        }
-
-        const tasks = await getClientTasks(env, address);
-        return json({ tasks, total: tasks.length }, 200, corsHeaders);
-      }
-
-      // GET /api/tasks/:id
-      const taskMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)$/);
-      if (request.method === 'GET' && taskMatch) {
-        const task = await getTask(env, taskMatch[1]);
-        if (!task) {
-          return json({ error: 'Task not found' }, 404, corsHeaders);
-        }
-        return json({ task: stripResult(task) }, 200, corsHeaders);
-      }
-
-      // POST /api/tasks/:id/quote — Agent quotes a price (AUTHENTICATED: agent owner)
-      const quoteMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/quote$/);
-      if (request.method === 'POST' && quoteMatch) {
-        const body = await request.json() as {
-          priceWei: string;
-          message?: string;
-          signature: string;
-          timestamp: number;
-          nonce: string;
-        };
-        if (!body.priceWei) {
-          return json({ error: 'Missing priceWei' }, 400, corsHeaders);
-        }
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        const taskId = quoteMatch[1];
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-
-        try {
-          const signer = await verifySigner(env, 'quote', taskId, body.timestamp, body.signature, body.nonce);
-          const owner = await getAgentOwner(env, task.agentId);
-          if (signer !== owner) {
-            return json({ error: 'Unauthorized: signer is not the agent owner' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        const result = await quoteTask(env, taskId, body.priceWei, body.message);
-        if ('error' in result) {
-          return json(result, 400, corsHeaders);
-        }
-        return json({ task: result }, 200, corsHeaders);
-      }
-
-      // POST /api/tasks/:id/decline — Agent declines (AUTHENTICATED: agent owner)
-      const declineMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/decline$/);
-      if (request.method === 'POST' && declineMatch) {
-        const taskId = declineMatch[1];
-        const body = await request.json() as { signature: string; timestamp: number; nonce: string };
-
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-
-        try {
-          const signer = await verifySigner(env, 'decline', taskId, body.timestamp, body.signature, body.nonce);
-          const owner = await getAgentOwner(env, task.agentId);
-          if (signer !== owner) {
-            return json({ error: 'Unauthorized: signer is not the agent owner' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        const result = await declineTask(env, taskId);
-        if ('error' in result) {
-          return json(result, 400, corsHeaders);
-        }
-        return json({ task: result }, 200, corsHeaders);
-      }
-
-      // POST /api/tasks/:id/accept — Client accepts quote (AUTHENTICATED: task client)
-      const acceptMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/accept$/);
-      if (request.method === 'POST' && acceptMatch) {
-        const body = await request.json() as {
-          clientAddress: string;
-          signature: string;
-          timestamp: number;
-          nonce: string;
-        };
-        if (!body.clientAddress) {
-          return json({ error: 'Missing clientAddress' }, 400, corsHeaders);
-        }
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        const taskId = acceptMatch[1];
-
-        try {
-          const signer = await verifySigner(env, 'accept', taskId, body.timestamp, body.signature, body.nonce);
-          if (signer !== body.clientAddress.toLowerCase()) {
-            return json({ error: 'Unauthorized: signature does not match clientAddress' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        // Verify escrow deposit exists on-chain before accepting
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-
-        const depositedWei = await verifyEscrowDeposit(env, taskId);
-        const quotedWei = BigInt(task.quotedPriceWei || '0');
-        if (depositedWei < quotedWei) {
-          return json({
-            error: `Escrow deposit insufficient. Quoted: ${quotedWei} wei, deposited: ${depositedWei} wei. Deposit funds first.`,
-          }, 402, corsHeaders);
-        }
-
-        const result = await acceptQuote(env, taskId, body.clientAddress);
-        if ('error' in result) {
-          return json(result, 400, corsHeaders);
-        }
-        return json({ task: result }, 200, corsHeaders);
-      }
-
-      // POST /api/tasks/:id/submit — Agent submits work (AUTHENTICATED: agent owner)
-      const submitMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/submit$/);
-      if (request.method === 'POST' && submitMatch) {
-        const body = await request.json() as {
-          result: string;
-          files?: TaskFile[];
-          signature: string;
-          timestamp: number;
-          nonce: string;
-        };
-        if (!body.result) {
-          return json({ error: 'Missing result' }, 400, corsHeaders);
-        }
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        const taskId = submitMatch[1];
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-
-        try {
-          const signer = await verifySigner(env, 'submit', taskId, body.timestamp, body.signature, body.nonce);
-          const owner = await getAgentOwner(env, task.agentId);
-          if (signer !== owner) {
-            return json({ error: 'Unauthorized: signer is not the agent owner' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        const result = await submitTask(env, taskId, body.result, body.files);
-        if ('error' in result) {
-          return json(result, 400, corsHeaders);
-        }
-        return json({ task: result }, 200, corsHeaders);
-      }
-
-      // POST /api/tasks/:id/complete — Mark completed after payment (AUTHENTICATED: task client)
-      const completeMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/complete$/);
-      if (request.method === 'POST' && completeMatch) {
-        const body = await request.json() as {
-          txHash: string;
-          signature: string;
-          timestamp: number;
-          nonce: string;
-        };
-        if (!body.txHash) {
-          return json({ error: 'Missing txHash' }, 400, corsHeaders);
-        }
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        const taskId = completeMatch[1];
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-
-        try {
-          const signer = await verifySigner(env, 'complete', taskId, body.timestamp, body.signature, body.nonce);
-          if (signer !== task.clientAddress.toLowerCase()) {
-            return json({ error: 'Unauthorized: signer is not the task client' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        const result = await completeTask(env, taskId, body.txHash);
-        if ('error' in result) {
-          return json(result, 400, corsHeaders);
-        }
-        return json({ task: result }, 200, corsHeaders);
-      }
-
-      // POST /api/tasks/:id/refund — Mark task as refunded (AUTHENTICATED: task client)
-      const refundMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/refund$/);
-      if (request.method === 'POST' && refundMatch) {
-        const body = await request.json() as {
-          txHash: string;
-          signature: string;
-          timestamp: number;
-          nonce: string;
-        };
-        if (!body.txHash) {
-          return json({ error: 'Missing txHash' }, 400, corsHeaders);
-        }
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        const taskId = refundMatch[1];
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-
-        try {
-          const signer = await verifySigner(env, 'refund', taskId, body.timestamp, body.signature, body.nonce);
-          if (signer !== task.clientAddress.toLowerCase()) {
-            return json({ error: 'Unauthorized: signer is not the task client' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        const result = await refundTask(env, taskId, body.txHash);
-        if ('error' in result) {
-          return json(result, 400, corsHeaders);
-        }
-        return json({ task: result }, 200, corsHeaders);
-      }
-
-      // POST /api/tasks/:id/rate — Mark task as rated (AUTHENTICATED: task client)
-      const rateMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/rate$/);
-      if (request.method === 'POST' && rateMatch) {
-        const body = await request.json() as {
-          txHash: string;
-          score?: number;
-          comment?: string;
-          signature: string;
-          timestamp: number;
-          nonce: string;
-        };
-        if (!body.txHash) {
-          return json({ error: 'Missing txHash' }, 400, corsHeaders);
-        }
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        const taskId = rateMatch[1];
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-
-        try {
-          const signer = await verifySigner(env, 'rate', taskId, body.timestamp, body.signature, body.nonce);
-          if (signer !== task.clientAddress.toLowerCase()) {
-            return json({ error: 'Unauthorized: only the task client can rate' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        const result = await rateTask(env, taskId, body.txHash, body.score, body.comment);
-        if ('error' in result) {
-          return json(result, 400, corsHeaders);
-        }
-        return json({ task: result }, 200, corsHeaders);
-      }
-
-      // POST /api/tasks/:id/revise — Client requests revision (AUTHENTICATED: task client)
-      const reviseMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/revise$/);
-      if (request.method === 'POST' && reviseMatch) {
-        const body = await request.json() as {
-          reason: string;
-          signature: string;
-          timestamp: number;
-          nonce: string;
-        };
-        if (!body.reason) {
-          return json({ error: 'Missing reason' }, 400, corsHeaders);
-        }
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        const taskId = reviseMatch[1];
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-
-        try {
-          const signer = await verifySigner(env, 'revise', taskId, body.timestamp, body.signature, body.nonce);
-          if (signer !== task.clientAddress.toLowerCase()) {
-            return json({ error: 'Unauthorized: only the task client can request revision' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        const result = await requestRevision(env, taskId, body.reason, task.clientAddress);
-        if ('error' in result) {
-          return json(result, 400, corsHeaders);
-        }
-        return json({ task: result }, 200, corsHeaders);
-      }
-
-      // POST /api/tasks/:id/message — Send a message on a task (AUTHENTICATED: client or agent owner)
-      const messageMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/message$/);
-      if (request.method === 'POST' && messageMatch) {
-        const body = await request.json() as {
-          content: string;
-          signature: string;
-          timestamp: number;
-          nonce: string;
-        };
-        if (!body.content) {
-          return json({ error: 'Missing content' }, 400, corsHeaders);
-        }
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        const taskId = messageMatch[1];
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-
-        // Verify signer is either client or agent owner
-        let role: 'client' | 'agent';
-        let senderAddress: string;
-        try {
-          const signer = await verifySigner(env, 'message', taskId, body.timestamp, body.signature, body.nonce);
-          if (signer === task.clientAddress.toLowerCase()) {
-            role = 'client';
-            senderAddress = signer;
-          } else {
-            const owner = await getAgentOwner(env, task.agentId);
-            if (signer === owner) {
-              role = 'agent';
-              senderAddress = signer;
-            } else {
-              return json({ error: 'Unauthorized: signer is not the client or agent owner' }, 403, corsHeaders);
-            }
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        const result = await addMessage(env, taskId, senderAddress, role, body.content);
-        if ('error' in result) {
-          return json(result, 400, corsHeaders);
-        }
-        return json({ task: result }, 200, corsHeaders);
-      }
-
-      // POST /api/tasks/:id/upload — Upload file for a task (AUTHENTICATED: agent owner)
-      const uploadMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/upload$/);
-      if (request.method === 'POST' && uploadMatch) {
-        const taskId = uploadMatch[1];
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-        if (task.status !== 'accepted' && task.status !== 'revision') {
-          return json({ error: `Task is ${task.status}, can only upload when accepted or in revision` }, 400, corsHeaders);
-        }
-
-        // Auth: verify agent owner via query params (since body is file data)
-        const signature = url.searchParams.get('signature');
-        const timestamp = url.searchParams.get('timestamp');
-        const nonce = url.searchParams.get('nonce');
-        const filename = url.searchParams.get('filename') || 'file';
-
-        if (!signature || !timestamp) {
-          return json({ error: 'Missing signature or timestamp query params' }, 401, corsHeaders);
-        }
-
-        try {
-          const signer = await verifySigner(env, 'upload', taskId, parseInt(timestamp, 10), signature, nonce || '');
-          const owner = await getAgentOwner(env, task.agentId);
-          if (signer !== owner) {
-            return json({ error: 'Unauthorized: signer is not the agent owner' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        const contentType = request.headers.get('Content-Type') || 'application/octet-stream';
-        const contentLength = parseInt(request.headers.get('Content-Length') || '0', 10);
-
-        if (contentLength > 25 * 1024 * 1024) {
-          return json({ error: 'File too large (max 25MB)' }, 413, corsHeaders);
-        }
-
-        if (!request.body) {
-          return json({ error: 'Missing file body' }, 400, corsHeaders);
-        }
-
-        try {
-          const file = await uploadFile(env, taskId, filename, request.body, contentType, contentLength);
-          await addFileToTask(env, taskId, file);
-          return json({ file }, 200, corsHeaders);
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Upload failed' }, 500, corsHeaders);
-        }
-      }
-
-      // POST /api/tasks/:id/client-upload — Upload file for a task (AUTHENTICATED: task client)
-      const clientUploadMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/client-upload$/);
-      if (request.method === 'POST' && clientUploadMatch) {
-        const taskId = clientUploadMatch[1];
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-
-        const terminalStatuses = ['completed', 'declined', 'expired'];
-        if (terminalStatuses.includes(task.status)) {
-          return json({ error: `Task is ${task.status}, cannot upload files` }, 400, corsHeaders);
-        }
-
-        const signature = url.searchParams.get('signature');
-        const timestamp = url.searchParams.get('timestamp');
-        const nonce = url.searchParams.get('nonce');
-        const filename = url.searchParams.get('filename') || 'file';
-
-        if (!signature || !timestamp) {
-          return json({ error: 'Missing signature or timestamp query params' }, 401, corsHeaders);
-        }
-
-        try {
-          const signer = await verifySigner(env, 'client-upload', taskId, parseInt(timestamp, 10), signature, nonce || '');
-          if (signer !== task.clientAddress.toLowerCase()) {
-            return json({ error: 'Unauthorized: signer is not the task client' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        const contentType = request.headers.get('Content-Type') || 'application/octet-stream';
-        const contentLength = parseInt(request.headers.get('Content-Length') || '0', 10);
-
-        if (contentLength > 25 * 1024 * 1024) {
-          return json({ error: 'File too large (max 25MB)' }, 413, corsHeaders);
-        }
-
-        if (!request.body) {
-          return json({ error: 'Missing file body' }, 400, corsHeaders);
-        }
-
-        try {
-          const file = await uploadFile(env, taskId, filename, request.body, contentType, contentLength);
-          await addFileToTask(env, taskId, file);
-          return json({ file }, 200, corsHeaders);
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Upload failed' }, 500, corsHeaders);
-        }
-      }
-
-      // GET /api/tasks/:id/files/:key — Download a task file
-      const fileMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/files\/(.+)$/);
-      if (request.method === 'GET' && fileMatch) {
-        const taskId = fileMatch[1];
-        const fileKey = decodeURIComponent(fileMatch[2]);
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-
-        // Only block download for declined/expired tasks
-        if (task.status === 'declined' || task.status === 'expired') {
-          return json({ error: 'Files not available for this task' }, 403, corsHeaders);
-        }
-
-        // Reconstruct full R2 key
-        const fullKey = `tasks/${taskId}/${fileKey}`;
-        const object = await downloadFile(env, fullKey);
-        if (!object) {
-          return json({ error: 'File not found' }, 404, corsHeaders);
-        }
-
-        return new Response(object.body, {
-          headers: {
-            'Content-Type': object.httpMetadata?.contentType || 'application/octet-stream',
-            'Content-Length': String(object.size),
-            'Content-Disposition': `attachment; filename="${fileKey.split('/').pop() || 'file'}"`,
-            ...corsHeaders,
-          },
-        });
-      }
-
-      // GET /api/agents/:id/profile — Fetch agent profile (public)
-      const profileGetMatch = path.match(/^\/api\/agents\/([a-zA-Z0-9x]+)\/profile$/);
-      if (request.method === 'GET' && profileGetMatch) {
-        const profile = await getProfile(env, profileGetMatch[1]);
-        return json({ profile: profile || { agentId: profileGetMatch[1], updatedAt: 0 } }, 200, corsHeaders);
-      }
-
-      // PUT /api/agents/:id/profile — Update agent profile (AUTHENTICATED: agent owner)
-      if (request.method === 'PUT' && profileGetMatch) {
-        const agentId = profileGetMatch[1];
-        const body = await request.json() as {
-          tagline?: string;
-          longDescription?: string;
-          languages?: string[];
-          responseTime?: string;
-          website?: string;
-          twitter?: string;
-          github?: string;
-          signature: string;
-          timestamp: number;
-          nonce: string;
-        };
-
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        try {
-          const signer = await verifySigner(env, 'profile', agentId, body.timestamp, body.signature, body.nonce);
-          const owner = await getAgentOwner(env, agentId);
-          if (signer !== owner) {
-            return json({ error: 'Unauthorized: signer is not the agent owner' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        const { signature: _s, timestamp: _t, nonce: _n, ...updates } = body;
-        const profile = await updateProfile(env, agentId, updates);
-        return json({ profile }, 200, corsHeaders);
-      }
-
-      // GET /api/agents/:id/gigs — List agent's gigs (public)
-      const gigsGetMatch = path.match(/^\/api\/agents\/([a-zA-Z0-9x]+)\/gigs$/);
-      if (request.method === 'GET' && gigsGetMatch) {
-        const gigs = await getGigs(env, gigsGetMatch[1]);
-        return json({ gigs }, 200, corsHeaders);
-      }
-
-      // POST /api/agents/:id/gigs — Create/update/delete gigs (AUTHENTICATED: agent owner)
-      if (request.method === 'POST' && gigsGetMatch) {
-        const agentId = gigsGetMatch[1];
-        const body = await request.json() as {
-          action: 'create' | 'update' | 'remove';
-          // For create
-          title?: string;
-          description?: string;
-          priceWei?: string;
-          deliveryTime?: string;
-          category?: string;
-          // For remove
-          gigId?: string;
-          // Auth
-          signature: string;
-          timestamp: number;
-          nonce: string;
-        };
-
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        try {
-          const signer = await verifySigner(env, 'gig', agentId, body.timestamp, body.signature, body.nonce);
-          const owner = await getAgentOwner(env, agentId);
-          if (signer !== owner) {
-            return json({ error: 'Unauthorized: signer is not the agent owner' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        if (body.action === 'create') {
-          if (!body.title || !body.description || !body.priceWei || !body.deliveryTime || !body.category) {
-            return json({ error: 'Missing required gig fields: title, description, priceWei, deliveryTime, category' }, 400, corsHeaders);
-          }
-          const gig = await createGig(env, agentId, {
-            title: body.title,
-            description: body.description,
-            priceWei: body.priceWei,
-            deliveryTime: body.deliveryTime,
-            category: body.category,
-          });
-          return json({ gig }, 201, corsHeaders);
-        }
-
-        if (body.action === 'update') {
-          if (!body.gigId) {
-            return json({ error: 'Missing gigId' }, 400, corsHeaders);
-          }
-          const updates: Record<string, string | undefined> = {};
-          if (body.title) updates.title = body.title;
-          if (body.description) updates.description = body.description;
-          if (body.priceWei) updates.priceWei = body.priceWei;
-          if (body.deliveryTime) updates.deliveryTime = body.deliveryTime;
-          if (body.category) updates.category = body.category;
-          if (Object.keys(updates).length === 0) {
-            return json({ error: 'No fields to update' }, 400, corsHeaders);
-          }
-          const gig = await updateGig(env, agentId, body.gigId, updates);
-          if (!gig) {
-            return json({ error: 'Gig not found' }, 404, corsHeaders);
-          }
-          return json({ gig }, 200, corsHeaders);
-        }
-
-        if (body.action === 'remove') {
-          if (!body.gigId) {
-            return json({ error: 'Missing gigId' }, 400, corsHeaders);
-          }
-          const removed = await removeGig(env, agentId, body.gigId);
-          if (!removed) {
-            return json({ error: 'Gig not found' }, 404, corsHeaders);
-          }
-          return json({ success: true }, 200, corsHeaders);
-        }
-
-        return json({ error: 'Invalid action. Use "create", "update", or "remove"' }, 400, corsHeaders);
-      }
-
-      // POST /api/tasks/:id/dispute — Client disputes submitted work (AUTHENTICATED: task client)
-      const disputeMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/dispute$/);
-      if (request.method === 'POST' && disputeMatch) {
-        const body = await request.json() as {
-          txHash: string;
-          signature: string;
-          timestamp: number;
-          nonce: string;
-        };
-        if (!body.txHash) {
-          return json({ error: 'Missing txHash' }, 400, corsHeaders);
-        }
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        const taskId = disputeMatch[1];
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-
-        try {
-          const signer = await verifySigner(env, 'dispute', taskId, body.timestamp, body.signature, body.nonce);
-          if (signer !== task.clientAddress.toLowerCase()) {
-            return json({ error: 'Unauthorized: signer is not the task client' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        const result = await disputeTask(env, taskId, body.txHash);
-        if ('error' in result) {
-          return json(result, 400, corsHeaders);
-        }
-        return json({ task: result }, 200, corsHeaders);
-      }
-
-      // POST /api/tasks/:id/resolve — Admin resolves dispute (AUTHENTICATED: admin)
-      const resolveMatch = path.match(/^\/api\/tasks\/([a-z0-9-]+)\/resolve$/);
-      if (request.method === 'POST' && resolveMatch) {
-        const body = await request.json() as {
-          resolution: 'client' | 'agent';
-          txHash: string;
-          signature: string;
-          timestamp: number;
-          nonce: string;
-        };
-        if (!body.resolution || !body.txHash) {
-          return json({ error: 'Missing resolution or txHash' }, 400, corsHeaders);
-        }
-        if (!body.signature || !body.timestamp) {
-          return json({ error: 'Missing signature or timestamp' }, 401, corsHeaders);
-        }
-
-        const taskId = resolveMatch[1];
-        const task = await getTask(env, taskId);
-        if (!task) return json({ error: 'Task not found' }, 404, corsHeaders);
-
-        // Verify signer is admin
-        const ADMIN_ADDRESS = '0x49e54d96a6ca6f55dcc85523e47bba563dfff6f6';
-        try {
-          const signer = await verifySigner(env, 'resolve', taskId, body.timestamp, body.signature, body.nonce);
-          if (signer !== ADMIN_ADDRESS) {
-            return json({ error: 'Unauthorized: signer is not admin' }, 403, corsHeaders);
-          }
-        } catch (err) {
-          return json({ error: err instanceof Error ? err.message : 'Auth failed' }, 401, corsHeaders);
-        }
-
-        const result = await resolveTask(env, taskId, body.resolution, body.txHash);
-        if ('error' in result) {
-          return json(result, 400, corsHeaders);
-        }
-        return json({ task: result }, 200, corsHeaders);
-      }
-
-      return json({ error: 'Not found' }, 404, corsHeaders);
-    } catch (err) {
-      console.error('Worker error:', err);
-      return json({ error: 'Internal server error' }, 500, corsHeaders);
-    }
-  },
-};
-
-function json(data: unknown, status: number, headers: Record<string, string> = {}): Response {
-  return new Response(JSON.stringify(data), {
-    status,
-    headers: { 'Content-Type': 'application/json', ...headers },
-  });
-}