spendos 0.1.0

package/setup.sh

@@ -0,0 +1,278 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ── SpendOS Setup ──────────────────────────────────────
+# One command to provision your autonomous agent economy.
+# Usage: ./setup.sh [--deploy --provider railway]
+
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+BOLD='\033[1m'
+
+log()  { echo -e "${GREEN}[SpendOS]${NC} $1"; }
+warn() { echo -e "${YELLOW}[SpendOS]${NC} $1"; }
+err()  { echo -e "${RED}[SpendOS]${NC} $1"; }
+info() { echo -e "${CYAN}[SpendOS]${NC} $1"; }
+
+echo ""
+echo -e "${BOLD}  ╔═══════════════════════════════════════════════╗${NC}"
+echo -e "${BOLD}  ║   SpendOS — Autonomous Agent Economy          ║${NC}"
+echo -e "${BOLD}  ║   The first agent that governs its own spend  ║${NC}"
+echo -e "${BOLD}  ╚═══════════════════════════════════════════════╝${NC}"
+echo ""
+
+# ── Check prerequisites ───────────────────────────────
+
+command -v node >/dev/null 2>&1 || { err "Node.js required (22+). Install: https://nodejs.org"; exit 1; }
+NODE_V=$(node -v | sed 's/v//' | cut -d. -f1)
+if [ "$NODE_V" -lt 22 ]; then
+  err "Node.js 22+ required (found v$NODE_V)"
+  exit 1
+fi
+log "Node.js $(node -v)"
+
+# ── Install dependencies ──────────────────────────────
+
+log "Installing dependencies..."
+npm install --legacy-peer-deps 2>&1 | tail -3
+
+# ── Auto-provision everything ─────────────────────────
+
+if [ ! -f .env ]; then
+  log "Provisioning your SpendOS instance..."
+  cp .env.example .env
+
+  # ── 1. Admin token (auto) ──
+  ADMIN_TOKEN=$(openssl rand -hex 32)
+  sed -i.bak "s/generate-with-openssl-rand-hex-32/$ADMIN_TOKEN/" .env && rm -f .env.bak
+  log "Admin token: ${CYAN}$ADMIN_TOKEN${NC}"
+
+  # ── 2. OWS passphrase (auto) ──
+  OWS_PASS=$(openssl rand -base64 32)
+  sed -i.bak "s|your-vault-passphrase|$OWS_PASS|" .env && rm -f .env.bak
+  log "OWS vault passphrase: generated"
+
+  # ── 3. OWS wallet mnemonic (auto-generate via viem) ──
+  log "Generating OWS wallet..."
+  MNEMONIC=$(node --input-type=module -e "
+    import { generateMnemonic, english } from 'viem/accounts';
+    console.log(generateMnemonic(english));
+  " 2>/dev/null || echo "")
+
+  if [ -n "$MNEMONIC" ]; then
+    ESCAPED=$(echo "$MNEMONIC" | sed 's/[&/\]/\\&/g')
+    sed -i.bak "s/your twelve word mnemonic phrase here/$ESCAPED/" .env && rm -f .env.bak
+    # Derive the wallet address
+    WALLET_ADDR=$(node --input-type=module -e "
+      import { mnemonicToAccount } from 'viem/accounts';
+      const a = mnemonicToAccount('$MNEMONIC');
+      console.log(a.address);
+    " 2>/dev/null || echo "unknown")
+    log "OWS wallet created: ${CYAN}$WALLET_ADDR${NC}"
+    echo ""
+    echo -e "  ${YELLOW}IMPORTANT: Save this mnemonic somewhere safe!${NC}"
+    echo -e "  ${BOLD}$MNEMONIC${NC}"
+    echo ""
+  else
+    warn "Could not auto-generate wallet. Add mnemonic manually to .env"
+  fi
+
+  # ── 4. Deployer key (auto-generate for audit contract) ──
+  DEPLOYER_KEY=$(node --input-type=module -e "
+    import { generatePrivateKey, privateKeyToAccount } from 'viem/accounts';
+    const key = generatePrivateKey();
+    const acc = privateKeyToAccount(key);
+    console.log(key + ' ' + acc.address);
+  " 2>/dev/null || echo "")
+
+  if [ -n "$DEPLOYER_KEY" ]; then
+    DKEY=$(echo "$DEPLOYER_KEY" | cut -d' ' -f1)
+    DADDR=$(echo "$DEPLOYER_KEY" | cut -d' ' -f2)
+    sed -i.bak "s|0x...your-deployer-private-key|$DKEY|" .env && rm -f .env.bak
+    log "Deployer wallet: ${CYAN}$DADDR${NC}"
+    info "Fund this with a tiny amount of ETH on Base for audit gas"
+  fi
+
+  # ── 5. Optional: CDP keys (user provides) ──
+  echo ""
+  echo -e "${BOLD}Optional — x402 payments (skip with Enter):${NC}"
+  echo -e "  Get keys at: https://docs.cdp.coinbase.com"
+  echo ""
+
+  if [ -t 0 ]; then
+    read -p "  CDP API Key ID: " CDP_ID
+    if [ -n "$CDP_ID" ]; then
+      sed -i.bak "s/your-cdp-key-id/$CDP_ID/" .env && rm -f .env.bak
+      read -p "  CDP API Key Secret: " CDP_SECRET
+      if [ -n "$CDP_SECRET" ]; then
+        sed -i.bak "s/your-cdp-key-secret/$CDP_SECRET/" .env && rm -f .env.bak
+        log "CDP x402 payments configured"
+      fi
+    else
+      info "Skipped — endpoints will run without payment gate (free mode)"
+    fi
+
+    echo ""
+    echo -e "${BOLD}Optional — Twitter/X (agent can post and interact):${NC}"
+    echo -e "  The agent uses a visual browser to log into X."
+    echo -e "  Credentials are stored securely (never in git, env var only)."
+    echo ""
+    read -p "  Twitter/X username (or Enter to skip): " TWITTER_USER
+    if [ -n "$TWITTER_USER" ]; then
+      read -sp "  Twitter/X password: " TWITTER_PASS
+      echo ""
+      echo "TWITTER_USERNAME=$TWITTER_USER" >> .env
+      echo "TWITTER_PASSWORD=$TWITTER_PASS" >> .env
+      log "Twitter configured — agent will log in via browser on first boot"
+      info "Credentials stored in .env only (never committed to git)"
+    else
+      info "Skipped — agent runs without Twitter access"
+    fi
+
+    echo ""
+    echo -e "${BOLD}Optional — MoonPay (agent gets market data, quotes, balances):${NC}"
+    echo -e "  Get key at: https://dashboard.moonpay.com"
+    echo ""
+    read -p "  MoonPay API Key (or Enter to skip): " MOONPAY_KEY
+    if [ -n "$MOONPAY_KEY" ]; then
+      echo "MOONPAY_API_KEY=$MOONPAY_KEY" >> .env
+      log "MoonPay connected — agent can view quotes, balances, token data"
+      info "Signing/sending tools are blocked — transactions require delegation approval"
+    else
+      info "Skipped — agent runs without MoonPay market data"
+    fi
+  fi
+
+else
+  log ".env already exists, skipping provisioning"
+fi
+
+# ── Create local data directories ─────────────────────
+
+DATA_DIR="${SPENDOS_DATA_DIR:-./data}"
+mkdir -p "$DATA_DIR" 2>/dev/null || mkdir -p /tmp/spendos-data
+
+# ── Summary ───────────────────────────────────────────
+
+# ── ACP Agent Commerce setup ──────────────────────
+
+if [ -d "acp-seller" ] && [ -t 0 ]; then
+  echo ""
+  echo -e "${BOLD}ACP — Agent Commerce Protocol (earn from other agents):${NC}"
+  echo ""
+
+  if [ -f "acp-seller/config.json" ] && node -e "const c=JSON.parse(require('fs').readFileSync('acp-seller/config.json'));process.exit(c.LITE_AGENT_API_KEY?0:1)" 2>/dev/null; then
+    log "ACP already configured"
+    ACP_AGENT=$(node -e "const c=JSON.parse(require('fs').readFileSync('acp-seller/config.json'));console.log(c.agents?.find(a=>a.active)?.name||'unknown')" 2>/dev/null)
+    info "Active agent: ${ACP_AGENT}"
+  else
+    read -p "  Connect to ACP marketplace? (Y/n): " ACP_CONNECT
+    if [ "${ACP_CONNECT,,}" != "n" ]; then
+      log "Opening browser for ACP login..."
+      cd acp-seller
+      npx tsx bin/acp.ts setup 2>&1
+      if [ $? -eq 0 ]; then
+        log "ACP connected! Registering SpendOS offerings..."
+        # Create agent named spendos
+        npx tsx bin/acp.ts agent create spendos 2>&1 || true
+        npx tsx bin/acp.ts profile update description "Autonomous AI agent — URL summarization, tweet generation, translation. Pay-per-call via USDC." 2>&1 || true
+        # Register offerings
+        for offering in src/seller/offerings/spendos/spendos_*/; do
+          name=$(basename "$offering")
+          npx tsx bin/acp.ts sell create "$name" 2>&1 || true
+        done
+        log "ACP offerings registered"
+      fi
+      cd ..
+    else
+      info "Skipped — run 'cd acp-seller && npx tsx bin/acp.ts setup' later"
+    fi
+  fi
+fi
+
+echo ""
+echo -e "${GREEN}══════════════════════════════════════════════════${NC}"
+echo -e "${GREEN}  Setup complete!${NC}"
+echo -e "${GREEN}══════════════════════════════════════════════════${NC}"
+echo ""
+echo -e "  ${BOLD}Run locally:${NC}"
+echo -e "    npx tsx src/server.ts"
+echo ""
+ENVTOKEN=$(grep SPENDOS_ADMIN_TOKEN .env 2>/dev/null | cut -d= -f2 || echo "YOUR_TOKEN")
+echo -e "  ${BOLD}Dashboard:${NC}"
+echo -e "    http://localhost:3030/?token=${ENVTOKEN}"
+echo ""
+echo -e "  ${BOLD}Deploy to Railway:${NC}"
+echo -e "    ./setup.sh --deploy --provider railway"
+echo ""
+
+# ── Deploy to Railway ─────────────────────────────────
+
+DEPLOY=false
+PROVIDER=""
+
+for arg in "$@"; do
+  case $arg in
+    --deploy) DEPLOY=true ;;
+    railway)  PROVIDER="railway" ;;
+  esac
+done
+
+if [ "$DEPLOY" = true ] && [ "$PROVIDER" = "railway" ]; then
+  echo ""
+  log "Deploying to Railway..."
+
+  command -v railway >/dev/null 2>&1 || {
+    log "Installing Railway CLI..."
+    npm install -g @railway/cli
+  }
+
+  # Login check
+  railway whoami >/dev/null 2>&1 || {
+    warn "Not logged in to Railway"
+    railway login
+  }
+
+  # Init project if needed
+  if ! railway status >/dev/null 2>&1; then
+    log "Creating Railway project..."
+    railway init
+  fi
+
+  # Push all env vars
+  log "Setting environment variables on Railway..."
+  while IFS= read -r line; do
+    [[ "$line" =~ ^[[:space:]]*# ]] && continue
+    [[ -z "${line// }" ]] && continue
+    key="${line%%=*}"
+    value="${line#*=}"
+    key=$(echo "$key" | xargs)
+    [ -z "$key" ] && continue
+    railway variables --set "$key=$value" 2>/dev/null || true
+  done < .env
+
+  # Inject ACP config (base64 encoded — no secrets in plain text)
+  if [ -f "acp-seller/config.json" ]; then
+    ACP_CONFIG_B64=$(base64 < acp-seller/config.json | tr -d '\n')
+    railway variables --set "ACP_CONFIG_B64=$ACP_CONFIG_B64" 2>/dev/null || true
+    log "ACP config injected (base64)"
+  fi
+
+  # Deploy
+  log "Building and deploying..."
+  railway up --detach
+
+  echo ""
+  echo -e "${GREEN}══════════════════════════════════════════════════${NC}"
+  echo -e "${GREEN}  Deployed to Railway!${NC}"
+  echo -e "${GREEN}══════════════════════════════════════════════════${NC}"
+  echo ""
+  echo -e "  ${BOLD}Next steps:${NC}"
+  echo -e "  1. Add a persistent volume mounted at ${CYAN}/data${NC} in Railway dashboard"
+  echo -e "  2. Your URL will appear in Railway once the build completes"
+  echo -e "  3. Append ${CYAN}?token=$ENVTOKEN${NC} to access the dashboard"
+  echo ""
+fi

package/skills/spendos/skill.md

@@ -0,0 +1,26 @@
+# SpendOS Governance Skill
+
+You have access to the SpendOS governance system via MCP tools. Use these to manage your finances autonomously.
+
+## Available Tools
+
+- `check_pnl` — Check your earnings, spending, and profit margin
+- `request_delegation` — Request permission to spend your revenue (requires owner approval)
+- `summarize_url` — Earn $0.01 by summarizing a URL (x402-gated)
+- `generate_image` — Earn $0.05 by generating an image (x402-gated)
+
+## Rules
+
+1. **NEVER sign transactions directly.** Always use `request_delegation` first.
+2. Include real contract addresses in `allowedRecipients` for vendor allowlists.
+3. Check your P&L before proposing investments — don't propose more than you've earned.
+4. Every delegation has an expiry. Set `expiresInMinutes` based on urgency.
+5. The wallet owner approves or rejects your proposals in the SpendOS dashboard.
+
+## Investment Strategy
+
+You are NOT limited to specific protocols. Use MoonPay and Zerion MCP tools to discover the best current opportunities. Search for staking, LP, swap, yield farming, and credit top-up opportunities across any protocol on Base. Always include verified contract addresses in your delegation requests.
+
+## Self-Funding
+
+Your inference runs on Venice AI via wallet auth (SIWE). Venice credits are funded from your USDC on Base. When credits run low, propose a Venice top-up delegation. The system auto-tops-up via x402 EIP-3009 when possible.

package/src/agent.ts

@@ -0,0 +1,152 @@
+import { recordEarning, recordSpending } from './governance.js';
+import { initVeniceWallet, walletInference, checkBalance, type VeniceBalance } from './venice-x402.js';
+
+const VENICE_API_KEY = process.env.VENICE_API_KEY ?? '';
+const VENICE_BASE_URL = 'https://api.venice.ai/api/v1';
+// Venice's house model — cheapest and always available
+const VENICE_MODEL = process.env.VENICE_MODEL ?? 'venice-uncensored';
+const EARN_PER_QUERY = 0.01;
+const COST_PER_QUERY = 0.002;
+
+// Venice pricing per 1M tokens (approximate)
+const MODEL_PRICING: Record<string, { input: number; output: number }> = {
+  'venice-uncensored': { input: 0.10, output: 0.25 },
+  'llama-3.3-70b': { input: 0.15, output: 0.60 },
+  'kimi-k2-5': { input: 0.50, output: 1.50 },
+  'deepseek-v3.2': { input: 0.15, output: 0.75 },
+  'qwen3-coder-480b-a35b-instruct': { input: 0.15, output: 0.75 },
+};
+
+function calculateInferenceCost(model: string, promptTokens: number, completionTokens: number): number {
+  const pricing = MODEL_PRICING[model] ?? { input: 0.10, output: 0.25 };
+  return (promptTokens * pricing.input + completionTokens * pricing.output) / 1_000_000;
+}
+
+// Inference mode: 'x402' (wallet auth, self-funding) or 'api_key' (Bearer token)
+let inferenceMode: 'x402' | 'api_key' | 'none' = 'none';
+let lastBalanceCheck: VeniceBalance | null = null;
+
+export function configureAgent(privateKey: string, address: string): void {
+  initVeniceWallet(privateKey, address);
+  inferenceMode = 'x402';
+  console.log(`[Agent] Inference mode: x402 wallet auth (self-funding)`);
+}
+
+export function configureApiKey(): void {
+  if (VENICE_API_KEY) {
+    inferenceMode = 'api_key';
+    console.log(`[Agent] Inference mode: API key (Bearer)`);
+  }
+}
+
+// ── Venice Inference ────────────────────────────────────
+
+async function callVenice(content: string): Promise<{ content: string; cost: number }> {
+  const systemPrompt = 'You are a concise summarizer. Summarize the following web page content in 2-3 sentences.';
+
+  if (inferenceMode === 'x402') {
+    try {
+      const text = await walletInference(VENICE_MODEL, systemPrompt, content, 200);
+      const estPrompt = Math.ceil(content.length / 4);
+      const estCompletion = Math.ceil(text.length / 4);
+      return { content: text, cost: calculateInferenceCost(VENICE_MODEL, estPrompt, estCompletion) };
+    } catch (err) {
+      console.log(`[Agent] x402 inference failed, trying API key fallback: ${err}`);
+      if (!VENICE_API_KEY) throw err;
+      // Fall through to API key
+    }
+  }
+
+  if (VENICE_API_KEY) {
+    const res = await fetch(`${VENICE_BASE_URL}/chat/completions`, {
+      method: 'POST',
+      headers: {
+        'Authorization': `Bearer ${VENICE_API_KEY}`,
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        model: VENICE_MODEL,
+        messages: [
+          { role: 'system', content: systemPrompt },
+          { role: 'user', content },
+        ],
+        max_tokens: 200,
+      }),
+    });
+
+    if (!res.ok) {
+      const text = await res.text();
+      throw new Error(`Venice API error: ${res.status} ${text}`);
+    }
+
+    const data = await res.json() as any;
+    const usage = data.usage ?? {};
+    const cost = calculateInferenceCost(VENICE_MODEL, usage.prompt_tokens ?? 0, usage.completion_tokens ?? 0);
+    return { content: data.choices?.[0]?.message?.content ?? 'No summary generated.', cost };
+  }
+
+  throw new Error('No Venice inference configured.');
+}
+
+// ── Public API ──────────────────────────────────────────
+
+export async function summarizeUrl(url: string): Promise<{
+  summary: string;
+  inferenceMode: string;
+  veniceBalance?: VeniceBalance;
+  cost: { earned: number; inference: number; profit: number };
+}> {
+  // Fetch URL content
+  let content: string;
+  try {
+    const res = await fetch(url, {
+      headers: { 'User-Agent': 'SpendOS-Agent/1.0' },
+      signal: AbortSignal.timeout(10000),
+    });
+    const text = await res.text();
+    content = text.slice(0, 4000);
+  } catch (err) {
+    content = `Failed to fetch URL: ${url}. Error: ${err}`;
+  }
+
+  // Call Venice
+  let summary: string;
+  let actualCost = 0;
+  try {
+    const result = await callVenice(content);
+    summary = result.content;
+    actualCost = result.cost;
+  } catch (err) {
+    summary = `Summarization failed: ${err}`;
+  }
+
+  // Check Venice balance (best-effort, for dashboard display)
+  if (inferenceMode === 'x402') {
+    try {
+      lastBalanceCheck = await checkBalance();
+    } catch { /* non-critical */ }
+  }
+
+  // Track P&L with REAL inference cost
+  recordEarning(EARN_PER_QUERY);
+  recordSpending(actualCost);
+
+  return {
+    summary,
+    inferenceMode,
+    veniceBalance: lastBalanceCheck ?? undefined,
+    cost: {
+      earned: EARN_PER_QUERY,
+      inference: COST_PER_QUERY,
+      profit: EARN_PER_QUERY - COST_PER_QUERY,
+    },
+  };
+}
+
+export function getVeniceBalance(): VeniceBalance | null {
+  return lastBalanceCheck;
+}
+
+export function getInferenceMode(): string {
+  return inferenceMode;
+}

package/src/audit.ts

@@ -0,0 +1,166 @@
+import { createWalletClient, http, keccak256, toHex } from 'viem';
+import { baseSepolia, base } from 'viem/chains';
+import { privateKeyToAccount } from 'viem/accounts';
+import { writeFileSync, readFileSync, existsSync } from 'node:fs';
+
+// ── Config ─────────────────────────────────────────────
+
+const AUDIT_CONTRACT = process.env.SPENDOS_AUDIT_CONTRACT ?? '0x37a66d3404aDCaf0a558189a338bCeaD3a06A5Ee';
+const DEPLOYER_KEY = process.env.DEPLOYER_PRIVATE_KEY ?? '';
+const CHAIN = process.env.SPENDOS_CHAIN === 'mainnet' ? base : baseSepolia;
+const RPC_URL = process.env.SPENDOS_RPC_URL ?? (process.env.SPENDOS_CHAIN === 'mainnet'
+  ? 'https://mainnet.base.org'
+  : 'https://sepolia.base.org');
+const AUDIT_FILE = './audit.json';
+
+const LOG_ABI = [{
+  name: 'log',
+  type: 'function',
+  inputs: [
+    { name: 'delegationHash', type: 'bytes32' },
+    { name: 'action', type: 'string' },
+    { name: 'details', type: 'string' },
+    { name: 'amount', type: 'uint256' },
+  ],
+  outputs: [],
+  stateMutability: 'nonpayable',
+}] as const;
+
+// ── Types ──────────────────────────────────────────────
+
+interface AuditEntry {
+  timestamp: string;
+  action: string;
+  delegationId: string;
+  details: string;
+  amount: number;
+  txHash?: string;
+}
+
+// ── In-Memory + File Store ─────────────────────────────
+
+const entries: AuditEntry[] = [];
+
+function persist(): void {
+  writeFileSync(AUDIT_FILE, JSON.stringify(entries, null, 2));
+}
+
+// Load existing entries on startup
+if (existsSync(AUDIT_FILE)) {
+  try {
+    const content = readFileSync(AUDIT_FILE, 'utf-8').trim();
+    if (content.startsWith('[')) {
+      entries.push(...JSON.parse(content));
+    } else if (content) {
+      // Legacy line-delimited format
+      entries.push(...content.split('\n').map(l => JSON.parse(l)));
+    }
+  } catch { /* start fresh */ }
+}
+
+export function getAuditLog(): AuditEntry[] {
+  return [...entries].reverse();
+}
+
+// ── Nonce Queue ────────────────────────────────────────
+
+const txQueue: Array<() => Promise<void>> = [];
+let processing = false;
+
+async function drainQueue(): Promise<void> {
+  if (processing) return;
+  processing = true;
+  while (txQueue.length > 0) {
+    const fn = txQueue.shift()!;
+    try { await fn(); } catch (e) { console.error('[Audit] Queue tx failed:', e); }
+  }
+  processing = false;
+}
+
+// ── Public API ─────────────────────────────────────────
+
+const ONCHAIN_ACTIONS = new Set(['approved', 'rejected', 'revoked', 'expired']);
+
+export async function logAuditEvent(
+  action: string,
+  delegationId: string,
+  details: string,
+  amount: number,
+): Promise<string | null> {
+  const entry: AuditEntry = {
+    timestamp: new Date().toISOString(),
+    action,
+    delegationId,
+    details,
+    amount,
+  };
+
+  // Add to in-memory store immediately (dashboard sees it right away)
+  entries.push(entry);
+  persist();
+
+  // Only governance events go on-chain
+  if (!AUDIT_CONTRACT || !DEPLOYER_KEY || !ONCHAIN_ACTIONS.has(action)) {
+    console.log(`[Audit] Local: ${action} — ${details}`);
+    return null;
+  }
+
+  // Queue on-chain tx (updates entry.txHash when complete)
+  return new Promise((resolve) => {
+    txQueue.push(async () => {
+      try {
+        const hash = await sendOnChainLog(delegationId, action, details, amount);
+        if (hash) {
+          entry.txHash = hash;
+          persist(); // Re-persist with txHash
+        }
+        resolve(hash);
+      } catch {
+        resolve(null);
+      }
+    });
+    drainQueue();
+  });
+}
+
+// ── On-Chain Sender ────────────────────────────────────
+
+// Track nonce to avoid "replacement transaction underpriced"
+let currentNonce: number | null = null;
+
+async function sendOnChainLog(
+  delegationId: string, action: string, details: string, amount: number
+): Promise<string | null> {
+  try {
+    const account = privateKeyToAccount(DEPLOYER_KEY as `0x${string}`);
+    const client = createWalletClient({
+      account,
+      chain: CHAIN,
+      transport: http(RPC_URL),
+    });
+
+    // Get or increment nonce
+    if (currentNonce === null) {
+      const { createPublicClient } = await import('viem');
+      const pub = createPublicClient({ chain: CHAIN, transport: http(RPC_URL) });
+      currentNonce = await pub.getTransactionCount({ address: account.address });
+    }
+    const nonce = currentNonce++;
+
+    const hash = await client.writeContract({
+      address: AUDIT_CONTRACT as `0x${string}`,
+      abi: LOG_ABI,
+      functionName: 'log',
+      args: [keccak256(toHex(delegationId)), action, details, BigInt(Math.round(amount * 1e6))],
+      nonce,
+    });
+
+    console.log(`[Audit] On-chain: ${action} — tx: ${hash}`);
+    return hash;
+  } catch (err) {
+    // Reset nonce on failure so next tx refetches from chain
+    currentNonce = null;
+    console.error(`[Audit] On-chain failed (${action} for ${delegationId}): ${err}`);
+    return null;
+  }
+}