spendos 0.1.0

package/src/server.ts

@@ -0,0 +1,870 @@
+import express from 'express';
+import cors from 'cors';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+import {
+  initWallet,
+  getTreasuryAddress,
+  getTreasuryWallet,
+  createDelegation,
+  approveDelegation,
+  rejectDelegation,
+  revokeDelegation,
+  expireStale,
+  getDelegations,
+  getActiveDelegations,
+  getPendingDelegations,
+  getDelegation,
+  getPnL,
+  generateHeuristicInterpretation,
+  recordEarning,
+  recordSpending,
+  resetPnL,
+} from './governance.js';
+import { summarizeUrl, configureAgent, configureApiKey, getVeniceBalance, getInferenceMode } from './agent.js';
+import { logAuditEvent, getAuditLog } from './audit.js';
+import { exportWallet } from '@open-wallet-standard/core';
+import { loadJobs, registerJobRoutes } from './job-registry.js';
+import { mnemonicToAccount } from 'viem/accounts';
+import { initXmtp, notifyDelegationRequest, notifyDelegationDecision, getXmtpAddress } from './xmtp.js';
+// Scanner removed — OpenClaw cron jobs handle opportunity discovery via AI reasoning
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const app = express();
+const PORT = parseInt(process.env.PORT ?? '3030', 10);
+
+app.use(cors());
+app.use(express.json({ limit: '2mb' }));
+
+// ── Init wallet first ──────────────────────────────────
+
+const wallet = initWallet();
+
+// Configure Venice inference
+try {
+  const { OWS_VAULT } = await import('./governance.js');
+  const mnemonic = exportWallet('spendos-treasury', process.env.OWS_PASSPHRASE ?? 'spendos-demo', OWS_VAULT);
+  const account = mnemonicToAccount(mnemonic);
+  configureAgent(
+    account.getHdKey().privateKey
+      ? `0x${Buffer.from(account.getHdKey().privateKey!).toString('hex')}`
+      : '',
+    account.address,
+  );
+  console.log(`[SpendOS] Venice x402 wallet auth: ${account.address}`);
+} catch (err) {
+  console.log(`[SpendOS] Venice x402 wallet auth failed: ${err}`);
+  configureApiKey();
+}
+
+// ── XMTP Notifications ────────────────────────────────
+initXmtp().catch(err => console.log(`[SpendOS] XMTP init skipped: ${err}`));
+
+// ── x402 Sell-Side (MUST register before routes) ───────
+
+const X402_FACILITATOR = process.env.X402_FACILITATOR_URL;
+if (X402_FACILITATOR) {
+  // Catch ALL async x402 errors (RouteConfigurationError, facilitator 401, JWT failures)
+  // These fire after middleware registers — must not crash the server
+  const origListeners = process.listeners('uncaughtException');
+  process.once('uncaughtException', (err: Error) => {
+    const msg = String(err.message ?? err);
+    if (msg.includes('RouteConfiguration') || msg.includes('facilitator') || msg.includes('Facilitator') || msg.includes('x402') || msg.includes('supported payment kinds')) {
+      console.log(`[SpendOS] x402 init error (non-fatal): ${msg}`);
+      console.log(`[SpendOS] Running WITHOUT x402 payment gate — endpoints are free`);
+      return; // swallow — don't crash
+    }
+    // Re-throw non-x402 errors
+    for (const l of origListeners) (l as (err: Error) => void)(err);
+    if (origListeners.length === 0) { throw err; }
+  });
+
+  try {
+    const { HTTPFacilitatorClient, x402ResourceServer } = await import('@x402/core/server');
+    const { ExactEvmScheme } = await import('@x402/evm/exact/server');
+    const { paymentMiddleware } = await import('@x402/express');
+
+    // Use official @coinbase/x402 package for CDP auth if API keys are present
+    const CDP_KEY_ID = process.env.CDP_API_KEY_ID;
+    const CDP_KEY_SECRET = process.env.CDP_API_KEY_SECRET;
+    let facilitatorConfig: { url: string; createAuthHeaders?: any } = { url: X402_FACILITATOR };
+
+    if (CDP_KEY_ID && CDP_KEY_SECRET && X402_FACILITATOR.includes('cdp.coinbase.com')) {
+      const { createFacilitatorConfig } = await import('@coinbase/x402');
+      facilitatorConfig = createFacilitatorConfig(CDP_KEY_ID, CDP_KEY_SECRET);
+      console.log(`[SpendOS] CDP auth configured via @coinbase/x402 (mainnet)`);
+    }
+
+    const facilitator = new HTTPFacilitatorClient(facilitatorConfig);
+    const x402Server = new x402ResourceServer(facilitator)
+      .register('eip155:*', new ExactEvmScheme());
+
+    const payTo = getTreasuryAddress();
+
+    app.use(paymentMiddleware({
+      'POST /api/summarize': {
+        accepts: [{
+          scheme: 'exact',
+          price: '$0.01',
+          network: process.env.X402_NETWORK ?? 'eip155:84532',
+          payTo,
+        }],
+        description: 'AI-powered URL summarization',
+        mimeType: 'application/json',
+      },
+      'POST /api/generate-image': {
+        accepts: [{
+          scheme: 'exact',
+          price: '$0.05',
+          network: process.env.X402_NETWORK ?? 'eip155:84532',
+          payTo,
+        }],
+        description: 'AI image generation (1024x1024)',
+        mimeType: 'application/json',
+      },
+    }, x402Server));
+
+    console.log(`[SpendOS] x402 sell-side: $0.01/query → ${payTo} (network: ${process.env.X402_NETWORK ?? 'eip155:84532'})`);
+  } catch (err) {
+    console.log(`[SpendOS] x402 sell-side failed: ${err}`);
+    console.log(`[SpendOS] Running WITHOUT x402 payment gate — endpoints are free`);
+  }
+}
+
+// ── Auth tokens (must be declared before middleware) ───
+const ADMIN_TOKEN = process.env.SPENDOS_ADMIN_TOKEN ?? '';
+
+// ── Auth gate for entire dashboard ─────────────────────
+// Everything except /health and /api/summarize (x402-gated) requires auth
+
+app.use((req, res, next) => {
+  // ── Always tag auth level first (downstream handlers need this) ──
+  const DEMO_TOKEN = process.env.SPENDOS_DEMO_TOKEN ?? '';
+  const isAdmin = (req.query.token === ADMIN_TOKEN) ||
+    (req.headers.authorization === `Bearer ${ADMIN_TOKEN}`);
+  const isDemo = DEMO_TOKEN && (
+    (req.query.token === DEMO_TOKEN) ||
+    (req.headers.authorization === `Bearer ${DEMO_TOKEN}`)
+  );
+  const isAuthed = isAdmin || isDemo;
+  (req as any).isAdmin = isAdmin;
+  (req as any).isDemo = isDemo;
+
+  // ── Public endpoints (exact match only — no startsWith for /api/requests) ──
+  const publicExact = ['/health', '/api/pnl', '/api/audit', '/api/wallet', '/api/jobs', '/api/delegations', '/favicon.ico', '/skill.md', '/api/skill'];
+  const publicPrefix = ['/api/summarize', '/api/generate-image', '/api/delegate', '/api/internal', '/api/jobs/'];
+  if (publicExact.includes(req.path) || publicPrefix.some(p => req.path.startsWith(p))) { next(); return; }
+
+  // Venice proxy — allow OpenClaw (localhost only) or gateway token
+  if (req.path === '/v1/chat/completions') {
+    const gwToken = process.env.OPENCLAW_GATEWAY_TOKEN;
+    const auth = req.headers.authorization;
+    // OpenClaw model provider uses apiKey "spendos" from localhost
+    if (auth === 'Bearer spendos') { next(); return; }
+    if (gwToken && auth === `Bearer ${gwToken}`) { next(); return; }
+  }
+
+  // Landing page for unauthenticated root access
+  if (req.path === '/' && !isAuthed && ADMIN_TOKEN) {
+    res.sendFile(join(__dirname, '..', 'public', 'landing.html'));
+    return;
+  }
+
+  // All other routes require auth
+  if (!isAuthed && ADMIN_TOKEN) {
+    res.status(401).json({ error: 'Unauthorized' });
+    return;
+  }
+
+  next();
+});
+
+// ── Static files ───────────────────────────────────────
+
+app.use(express.static(join(__dirname, '..', 'public')));
+
+// ── Job Registry (agent can create new paid endpoints) ─
+
+const loadedJobs = loadJobs();
+registerJobRoutes(app);
+console.log(`[SpendOS] Job registry: ${loadedJobs.length} jobs loaded`);
+
+// ── Auth middleware for governance endpoints ───────────
+
+function requireAuth(req: express.Request, res: express.Response, next: express.NextFunction): void {
+  if (!ADMIN_TOKEN) { next(); return; } // No token set = open (dev mode)
+  if ((req as any).isAdmin) { next(); return; }
+  // Demo users can chat but can't approve/reject/revoke
+  if ((req as any).isDemo) {
+    res.status(403).json({ error: 'Demo mode — view only. Deploy your own SpendOS to manage delegations.' });
+    return;
+  }
+  res.status(401).json({ error: 'Unauthorized. Set Authorization: Bearer <token> header.' });
+}
+
+// ── Agent execution trigger ────────────────────────────
+
+async function triggerAgentExecution(d: any): Promise<void> {
+  const OPENCLAW_URL = process.env.OPENCLAW_INTERNAL_URL ?? 'http://localhost:18789';
+  const OPENCLAW_TOKEN = process.env.OPENCLAW_GATEWAY_TOKEN ?? '';
+
+  // Short, directive prompt — no open-ended tool exploration
+  const prompt = `DELEGATION APPROVED: "${d.reason}"
+Session key: ${d.sessionKeyId}, expires: ${d.expiresAt}
+Policy: chains=${d.chains?.join(',')}, ops=${d.operations?.join(',')}
+
+Acknowledge this approval in ONE short sentence. Do NOT search for transaction hashes. Do NOT retry any tool calls. Just confirm you received the delegation and state what you would do with it.`;
+
+  try {
+    const headers: Record<string, string> = { 'Content-Type': 'application/json' };
+    if (OPENCLAW_TOKEN) headers['Authorization'] = `Bearer ${OPENCLAW_TOKEN}`;
+    // Isolated session — don't load 97KB of chat history
+    headers['X-Session-Id'] = `delegation-${d.id}`;
+
+    const res = await fetch(`${OPENCLAW_URL}/v1/chat/completions`, {
+      method: 'POST',
+      headers,
+      body: JSON.stringify({
+        model: 'openclaw',
+        messages: [{ role: 'user', content: prompt }],
+        max_tokens: 200,
+        stream: false,
+      }),
+      signal: AbortSignal.timeout(30000), // 30s hard cap
+    });
+
+    if (res.ok) {
+      const data = await res.json() as any;
+      const reply = data.choices?.[0]?.message?.content ?? '';
+      console.log(`[Agent] Delegation ${d.id} acknowledged: ${reply.slice(0, 100)}`);
+      await logAuditEvent('executed', d.id, `Agent: ${reply.slice(0, 200)}`, 0);
+    } else {
+      console.log(`[Agent] Trigger failed: ${res.status}`);
+    }
+  } catch (err) {
+    console.log(`[Agent] Trigger error: ${err}`);
+  }
+}
+
+// ── Health check ───────────────────────────────────────
+
+app.get('/health', (_req, res) => {
+  res.json({ ok: true, wallet: getTreasuryAddress(), mode: getInferenceMode() });
+});
+
+// ── Auto-generated skill manifest for other agents ───
+
+app.get('/skill.md', async (_req, res) => {
+  const { getJobs } = await import('./job-registry.js');
+  let allJobs: any[];
+  try { allJobs = getJobs(); } catch { allJobs = []; }
+  const baseUrl = `https://${_req.hostname}`;
+  const wallet = getTreasuryAddress();
+
+  const md = `# SpendOS Agent Skills
+
+## Identity
+- **Wallet:** ${wallet}
+- **Network:** Base mainnet (eip155:8453)
+- **Payment:** x402 (USDC micropayments)
+- **Base URL:** ${baseUrl}
+
+## Available Services
+
+${allJobs.map(j => `### ${j.name}
+- **Endpoint:** \`POST ${baseUrl}/api/jobs/${j.name}\`
+- **Price:** ${j.price} USDC
+- **Description:** ${j.description || j.name}
+- **Inputs:** ${j.inputs.map((i: string) => `\`${i}\``).join(', ')}
+- **Payment:** Send x402 payment header with request
+
+\`\`\`bash
+curl -X POST ${baseUrl}/api/jobs/${j.name} \\
+  -H "Content-Type: application/json" \\
+  -d '{${j.inputs.map((i: string) => `"${i}":"your-value"`)}}}'
+\`\`\`
+`).join('\n')}
+### summarize
+- **Endpoint:** \`POST ${baseUrl}/api/summarize\`
+- **Price:** $0.01 USDC
+- **Description:** AI-powered URL summarization
+- **Inputs:** \`url\`
+
+### generate-image
+- **Endpoint:** \`POST ${baseUrl}/api/generate-image\`
+- **Price:** $0.05 USDC
+- **Description:** AI image generation (1024x1024)
+- **Inputs:** \`prompt\`
+
+## How to Pay
+All endpoints use the x402 payment protocol. Send a request without payment to get a 402 response with payment instructions. Include the \`X-402-Payment\` header with your signed USDC payment to access the service.
+
+## Governance
+This agent's spending is governed by OWS delegations. All decisions are audited on Base mainnet at [${wallet.slice(0,6)}...${wallet.slice(-4)}](https://basescan.org/address/0xF74b481c9f196b5988cAA28Fb1452338597670B6).
+`;
+
+  res.setHeader('Content-Type', 'text/markdown');
+  res.send(md);
+});
+
+// JSON version for programmatic access
+app.get('/api/skill', async (_req, res) => {
+  const { getJobs } = await import('./job-registry.js');
+  let allJobs: any[];
+  try { allJobs = getJobs(); } catch { allJobs = []; }
+  const baseUrl = `https://${_req.hostname}`;
+
+  res.json({
+    name: 'SpendOS',
+    wallet: getTreasuryAddress(),
+    network: 'eip155:8453',
+    payment: 'x402',
+    baseUrl,
+    services: [
+      ...allJobs.map(j => ({
+        name: j.name,
+        endpoint: `${baseUrl}/api/jobs/${j.name}`,
+        price: j.price,
+        description: j.description,
+        inputs: j.inputs,
+      })),
+      { name: 'summarize', endpoint: `${baseUrl}/api/summarize`, price: '$0.01', description: 'AI URL summarization', inputs: ['url'] },
+      { name: 'generate-image', endpoint: `${baseUrl}/api/generate-image`, price: '$0.05', description: 'AI image generation', inputs: ['prompt'] },
+    ],
+    audit: 'https://basescan.org/address/0xF74b481c9f196b5988cAA28Fb1452338597670B6',
+  });
+});
+
+// Auth level check — frontend uses this to show/hide admin controls
+app.get('/api/auth', (req, res) => {
+  res.json({ role: (req as any).isAdmin ? 'admin' : (req as any).isDemo ? 'demo' : 'none' });
+});
+
+// ── Expiry check ───────────────────────────────────────
+
+setInterval(expireStale, 10_000);
+
+// ── Internal tool endpoints (no x402 gate — for agent self-testing) ──
+
+app.post('/api/internal/summarize', async (req, res) => {
+  const { url } = req.body;
+  if (!url || typeof url !== 'string') { res.status(400).json({ error: 'Missing "url"' }); return; }
+  try {
+    const result = await summarizeUrl(url);
+    res.json(result);
+  } catch (err) { res.status(500).json({ error: String(err) }); }
+});
+
+app.post('/api/internal/generate-image', async (req, res) => {
+  const { prompt } = req.body;
+  if (!prompt || typeof prompt !== 'string') { res.status(400).json({ error: 'Missing "prompt"' }); return; }
+  try {
+    const { buildSiweHeader } = await import('./venice-x402.js');
+    const uri = 'https://outerface.venice.ai/api/v1/image/generate';
+    const siweHeader = await buildSiweHeader(uri);
+    const veniceRes = await fetch('https://api.venice.ai/api/v1/image/generate', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'X-Sign-In-With-X': siweHeader },
+      body: JSON.stringify({ model: 'fluently-xl', prompt }),
+    });
+    if (!veniceRes.ok) { res.status(veniceRes.status).json({ error: await veniceRes.text() }); return; }
+    const data = await veniceRes.json() as any;
+    recordSpending(0.01);
+    res.json({ images: data.data, cost: { inference: 0.01 } });
+  } catch (err) { res.status(500).json({ error: String(err) }); }
+});
+
+// ── MVAE: summarization endpoint ───────────────────────
+
+app.post('/api/summarize', async (req, res) => {
+  const { url } = req.body;
+  if (!url || typeof url !== 'string') {
+    res.status(400).json({ error: 'Missing or invalid "url" field' });
+    return;
+  }
+
+  try {
+    const result = await summarizeUrl(url);
+    await logAuditEvent('earned', 'mvae', `Summarized: ${url}`, result.cost.earned);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: String(err) });
+  }
+});
+
+// ── Image generation endpoint ──────────────────────────
+
+app.post('/api/generate-image', async (req, res) => {
+  const { prompt } = req.body;
+  if (!prompt || typeof prompt !== 'string') {
+    res.status(400).json({ error: 'Missing "prompt" field' });
+    return;
+  }
+
+  try {
+    const { buildSiweHeader } = await import('./venice-x402.js');
+    const siweHeader = await buildSiweHeader('https://outerface.venice.ai/api/v1/image/generate');
+    const headers: Record<string, string> = { 'Content-Type': 'application/json', 'X-Sign-In-With-X': siweHeader };
+
+    const veniceRes = await fetch('https://api.venice.ai/api/v1/image/generate', {
+      method: 'POST',
+      headers,
+      body: JSON.stringify({ model: 'fluently-xl', prompt }),
+    });
+
+    if (!veniceRes.ok) {
+      const text = await veniceRes.text();
+      res.status(veniceRes.status).json({ error: text });
+      return;
+    }
+
+    const data = await veniceRes.json() as any;
+    recordEarning(0.05);
+    recordSpending(0.01);
+    await logAuditEvent('earned', 'mvae-image', `Generated image: ${prompt.slice(0, 50)}`, 0.05);
+
+    res.json({
+      images: data.data,
+      cost: { earned: 0.05, inference: 0.01, profit: 0.04 },
+    });
+  } catch (err) {
+    res.status(500).json({ error: String(err) });
+  }
+});
+
+// ── Delegation Management ──────────────────────────────
+
+app.post('/api/delegate', (req, res) => {
+  const { agentAddress, reason, chains, operations, maxAmountPerAction, totalBudget, allowedRecipients, expiresAt } = req.body;
+
+  if (!agentAddress || !reason || !chains || !expiresAt) {
+    res.status(400).json({ error: 'Missing required fields: agentAddress, reason, chains, expiresAt' });
+    return;
+  }
+
+  const delegation = createDelegation({
+    agentAddress,
+    reason,
+    chains: chains ?? ['eip155:8453'],
+    operations: operations ?? ['sign_message', 'sign_tx'],
+    maxAmountPerAction: maxAmountPerAction ?? '100.00',
+    totalBudget: totalBudget ?? '500.00',
+    allowedRecipients: allowedRecipients ?? [],
+    expiresAt,
+  });
+
+  delegation.aiInterpretation = generateHeuristicInterpretation(delegation);
+
+  logAuditEvent('requested', delegation.id, delegation.reason, 0);
+  notifyDelegationRequest(delegation).catch(() => {});
+  res.status(201).json(delegation);
+});
+
+app.get('/api/requests', (_req, res) => {
+  // Strip session key tokens from response — never expose to clients
+  const safe = getDelegations().map(d => {
+    const { sessionKeyToken, ...rest } = d as any;
+    return rest;
+  });
+  res.json(safe);
+});
+
+app.post('/api/requests/:id/approve', requireAuth, async (req, res) => {
+  try {
+    const d = approveDelegation(req.params.id);
+    await logAuditEvent('approved', d.id, d.reason, parseFloat(d.totalBudget));
+    notifyDelegationDecision(d, 'approved').catch(() => {});
+
+    // Notify agent of approval (isolated session, 200 token cap, 30s timeout — no retry loops)
+    triggerAgentExecution(d).catch(err => console.log(`[Agent trigger] ${err}`));
+
+    res.json(d);
+  } catch (err) {
+    res.status(400).json({ error: String(err) });
+  }
+});
+
+app.post('/api/requests/:id/reject', requireAuth, async (req, res) => {
+  try {
+    const d = rejectDelegation(req.params.id);
+    await logAuditEvent('rejected', d.id, d.reason, 0);
+    notifyDelegationDecision(d, 'rejected').catch(() => {});
+    res.json(d);
+  } catch (err) {
+    res.status(400).json({ error: String(err) });
+  }
+});
+
+app.post('/api/requests/:id/revoke', requireAuth, async (req, res) => {
+  try {
+    const d = revokeDelegation(req.params.id);
+    await logAuditEvent('revoked', d.id, d.reason, 0);
+    res.json(d);
+  } catch (err) {
+    res.status(400).json({ error: String(err) });
+  }
+});
+
+// ── Data Endpoints ─────────────────────────────────────
+
+app.get('/api/pnl', (_req, res) => {
+  res.json(getPnL());
+});
+
+app.get('/api/audit', (_req, res) => {
+  res.json(getAuditLog());
+});
+
+app.get('/api/wallet', (_req, res) => {
+  const w = getTreasuryWallet();
+  res.json({
+    id: w.id,
+    name: w.name,
+    address: getTreasuryAddress(),
+    accounts: w.accounts,
+    createdAt: w.createdAt,
+    inferenceMode: getInferenceMode(),
+    veniceBalance: getVeniceBalance(),
+    xmtpAddress: getXmtpAddress(),
+  });
+});
+
+// Reset P&L (admin only — for switching networks)
+app.post('/api/pnl/reset', requireAuth, (_req, res) => {
+  resetPnL();
+  res.json({ ok: true, message: 'P&L reset to zero' });
+});
+
+app.get('/api/delegations/active', (_req, res) => {
+  res.json(getActiveDelegations());
+});
+
+// ── Chat History (persistent JSONL on volume) ─────────
+
+import { appendFileSync, readFileSync, writeFileSync } from 'node:fs';
+
+const CHAT_HISTORY_FILE = '/data/spendos/chat-history.jsonl';
+const MAX_HISTORY_MESSAGES = 100; // compact after this many
+
+function loadChatHistory(): Array<{ role: string; content: string }> {
+  try {
+    const lines = readFileSync(CHAT_HISTORY_FILE, 'utf-8').trim().split('\n').filter(Boolean);
+    return lines.map(l => JSON.parse(l));
+  } catch { return []; }
+}
+
+function appendChatMessage(msg: { role: string; content: string }): void {
+  appendFileSync(CHAT_HISTORY_FILE, JSON.stringify(msg) + '\n');
+}
+
+function compactChatHistory(): void {
+  const history = loadChatHistory();
+  if (history.length <= MAX_HISTORY_MESSAGES) return;
+  // Keep last 50 messages
+  const compacted = history.slice(-50);
+  writeFileSync(CHAT_HISTORY_FILE, compacted.map(m => JSON.stringify(m)).join('\n') + '\n');
+  console.log(`[Chat] Compacted history: ${history.length} → ${compacted.length} messages`);
+}
+
+app.get('/api/chat/history', (_req, res) => {
+  const history = loadChatHistory();
+  res.json(history);
+});
+
+// ── Chat endpoint (routes to OpenClaw agent) ──────────
+
+// Chat allows both admin and demo users
+function requireAnyAuth(req: express.Request, res: express.Response, next: express.NextFunction): void {
+  if (!ADMIN_TOKEN) { next(); return; }
+  if ((req as any).isAdmin || (req as any).isDemo) { next(); return; }
+  res.status(401).json({ error: 'Unauthorized' });
+}
+
+app.post('/api/chat', requireAnyAuth, async (req, res) => {
+  const { message, history } = req.body;
+  if (!message) { res.status(400).json({ error: 'Missing message' }); return; }
+
+  // Save user message to persistent history
+  appendChatMessage({ role: 'user', content: message });
+
+  // Load full conversation history from disk (last 40 messages for context window)
+  const fullHistory = loadChatHistory();
+  const chatMessages = fullHistory.slice(-40);
+
+  const OPENCLAW_URL = process.env.OPENCLAW_INTERNAL_URL ?? 'http://localhost:18789';
+  const OPENCLAW_TOKEN = process.env.OPENCLAW_GATEWAY_TOKEN ?? '';
+
+  // ── Retry loop protection ──────────────────────────
+  const MAX_RESPONSE_BYTES = 15_000;   // 15KB max response (~4K words)
+  const MAX_STREAM_MS = 120_000;       // 2 minute hard timeout
+  const REPEAT_WINDOW = 5;             // detect if last N chunks are similar
+  const abortController = new AbortController();
+  const streamTimeout = setTimeout(() => {
+    console.log(`[Chat] Stream timeout (${MAX_STREAM_MS / 1000}s) — aborting`);
+    abortController.abort();
+  }, MAX_STREAM_MS);
+  let assistantContent = '';
+
+  try {
+    const headers: Record<string, string> = { 'Content-Type': 'application/json' };
+    if (OPENCLAW_TOKEN) headers['Authorization'] = `Bearer ${OPENCLAW_TOKEN}`;
+
+    // Use a fixed session so the agent maintains memory across messages
+    headers['X-Session-Id'] = 'spendos-dashboard-chat';
+
+    const ocRes = await fetch(`${OPENCLAW_URL}/v1/chat/completions`, {
+      method: 'POST',
+      headers,
+      body: JSON.stringify({
+        model: 'openclaw',
+        messages: chatMessages,
+        max_tokens: 1000,
+        stream: true,
+      }),
+      signal: abortController.signal,
+    });
+
+    if (!ocRes.ok) {
+      clearTimeout(streamTimeout);
+      const errText = await ocRes.text();
+      console.error(`[Chat] OpenClaw error: ${ocRes.status} ${errText.slice(0, 200)}`);
+      res.status(ocRes.status).json({ error: `OpenClaw: ${ocRes.status}` });
+      return;
+    }
+
+    // Stream OpenClaw response with loop protection
+    console.log(`[Chat] OpenClaw streaming response`);
+    res.setHeader('Content-Type', 'text/event-stream');
+    res.setHeader('Cache-Control', 'no-cache');
+    res.setHeader('Connection', 'keep-alive');
+    res.setHeader('X-Accel-Buffering', 'no'); // disable nginx/Railway buffering
+    res.flushHeaders();
+    const reader = ocRes.body?.getReader();
+    if (!reader) { clearTimeout(streamTimeout); res.end(); return; }
+    const decoder = new TextDecoder();
+    let totalBytes = 0;
+    const recentChunks: string[] = [];
+    let abortedReason = '';
+
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      const chunk = decoder.decode(value, { stream: true });
+      totalBytes += chunk.length;
+
+      // ── Guard 1: max response size ──
+      if (totalBytes > MAX_RESPONSE_BYTES) {
+        abortedReason = 'max_size';
+        console.log(`[Chat] Response exceeded ${MAX_RESPONSE_BYTES} bytes — cutting off`);
+        reader.cancel();
+        break;
+      }
+
+      // ── Guard 2: repetition detection ──
+      // Extract text content from this chunk
+      let chunkText = '';
+      for (const line of chunk.split('\n')) {
+        if (!line.startsWith('data: ') || line === 'data: [DONE]') continue;
+        try { const c = JSON.parse(line.slice(6)).choices?.[0]?.delta?.content; if (c) chunkText += c; } catch {}
+      }
+      if (chunkText.length > 20) {
+        recentChunks.push(chunkText.slice(0, 100));
+        if (recentChunks.length > REPEAT_WINDOW) recentChunks.shift();
+        // If we have enough chunks, check for repetition
+        if (recentChunks.length >= REPEAT_WINDOW) {
+          const unique = new Set(recentChunks.map(c => c.trim().toLowerCase().slice(0, 60)));
+          if (unique.size <= 2) {
+            abortedReason = 'repetition';
+            console.log(`[Chat] Repetition detected (${unique.size} unique in last ${REPEAT_WINDOW} chunks) — cutting off`);
+            reader.cancel();
+            break;
+          }
+        }
+      }
+
+      res.write(chunk);
+      // Extract content from SSE for history
+      if (chunkText) assistantContent += chunkText;
+      else {
+        for (const line of chunk.split('\n')) {
+          if (!line.startsWith('data: ') || line === 'data: [DONE]') continue;
+          try { const c = JSON.parse(line.slice(6)).choices?.[0]?.delta?.content; if (c) assistantContent += c; } catch {}
+        }
+      }
+    }
+
+    clearTimeout(streamTimeout);
+
+    // If we cut off the stream, send a clean termination to the client
+    if (abortedReason) {
+      const cutoffMsg = abortedReason === 'repetition'
+        ? '\n\n[Response cut off — repetitive loop detected]'
+        : '\n\n[Response cut off — max length reached]';
+      const cutoffEvent = `data: ${JSON.stringify({ choices: [{ delta: { content: cutoffMsg }, finish_reason: 'length' }] })}\n\ndata: [DONE]\n\n`;
+      res.write(cutoffEvent);
+      assistantContent += cutoffMsg;
+    }
+
+    // Save assistant response to persistent history
+    if (assistantContent) {
+      appendChatMessage({ role: 'assistant', content: assistantContent });
+      compactChatHistory();
+    }
+    res.end();
+  } catch (err) {
+    clearTimeout(streamTimeout);
+    // AbortError from our own timeout is expected
+    if ((err as Error).name === 'AbortError') {
+      console.log(`[Chat] Stream aborted by timeout`);
+      const cutoffEvent = `data: ${JSON.stringify({ choices: [{ delta: { content: '\n\n[Response cut off — timeout reached]' }, finish_reason: 'length' }] })}\n\ndata: [DONE]\n\n`;
+      try { res.write(cutoffEvent); } catch {}
+      if (assistantContent) {
+        appendChatMessage({ role: 'assistant', content: assistantContent + '\n\n[Response cut off — timeout reached]' });
+      }
+      res.end();
+      return;
+    }
+    console.error(`[Chat] Error: ${err}`);
+    res.status(500).json({ error: String(err) });
+  }
+});
+
+// ── OpenAI-compatible proxy (Venice wallet auth) ───────
+
+app.post('/v1/chat/completions', async (req, res) => {
+  try {
+    const { buildSiweHeader } = await import('./venice-x402.js');
+    const { model, messages, max_tokens, temperature, stream } = req.body;
+    const totalChars = JSON.stringify(messages).length;
+    console.log(`[Proxy] Incoming: model=${model} msgs=${messages?.length} chars=${totalChars}`);
+
+    if (stream) {
+      const uri = 'https://outerface.venice.ai/api/v1/chat/completions';
+      const siweHeader = await buildSiweHeader(uri);
+
+      const veniceRes = await fetch('https://api.venice.ai/api/v1/chat/completions', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'X-Sign-In-With-X': siweHeader },
+        body: JSON.stringify({ model: model ?? 'llama-3.3-70b', messages, max_tokens: max_tokens ?? 4096, temperature: temperature ?? 0.7, stream: true }),
+      });
+
+      if (veniceRes.status === 402) {
+        // Auto top-up Venice credits and retry
+        console.log(`[Proxy] Venice 402 — attempting auto top-up...`);
+        try {
+          const { topUp } = await import('./venice-x402.js');
+          const result = await topUp(5);
+          if (result) {
+            console.log(`[Proxy] Top-up success: $${result.credited} → balance $${result.newBalance}`);
+            // Retry the request with fresh SIWE header
+            const retryHeader = await buildSiweHeader(uri);
+            const retryRes = await fetch('https://api.venice.ai/api/v1/chat/completions', {
+              method: 'POST',
+              headers: { 'Content-Type': 'application/json', 'X-Sign-In-With-X': retryHeader },
+              body: JSON.stringify({ model: model ?? 'llama-3.3-70b', messages, max_tokens: max_tokens ?? 4096, temperature: temperature ?? 0.7, stream: true }),
+            });
+            if (retryRes.ok) {
+              // Stream the retry response
+              res.setHeader('Content-Type', 'text/event-stream');
+              res.setHeader('Cache-Control', 'no-cache');
+              res.setHeader('Connection', 'keep-alive');
+              const retryReader = retryRes.body?.getReader();
+              if (!retryReader) { res.end(); return; }
+              const dec = new TextDecoder();
+              try { while (true) { const { done, value } = await retryReader.read(); if (done) break; res.write(dec.decode(value, { stream: true })); } } catch {}
+              res.end();
+              recordSpending(0.002);
+              console.log(`[Proxy] Stream complete after top-up (cost: $0.002)`);
+              return;
+            }
+          }
+        } catch (topUpErr) {
+          console.log(`[Proxy] Auto top-up failed: ${topUpErr}`);
+        }
+        const text = await veniceRes.text();
+        res.status(402).json({ error: { message: text, type: 'insufficient_balance' } });
+        return;
+      }
+
+      if (!veniceRes.ok) {
+        const text = await veniceRes.text();
+        res.status(veniceRes.status).json({ error: { message: text, type: 'upstream_error' } });
+        return;
+      }
+
+      res.setHeader('Content-Type', 'text/event-stream');
+      res.setHeader('Cache-Control', 'no-cache');
+      res.setHeader('Connection', 'keep-alive');
+
+      const reader = veniceRes.body?.getReader();
+      if (!reader) { res.end(); return; }
+
+      const decoder = new TextDecoder();
+      try {
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+          res.write(decoder.decode(value, { stream: true }));
+        }
+      } catch { /* stream closed */ }
+      res.end();
+      // Track inference cost (~$0.002 per request for Kimi K2.5)
+      recordSpending(0.002);
+      console.log(`[Proxy] Stream complete (cost: $0.002)`);
+      return;
+    }
+
+    // Non-streaming
+    const uri = 'https://outerface.venice.ai/api/v1/chat/completions';
+    const siweHeader = await buildSiweHeader(uri);
+
+    let veniceRes = await fetch('https://api.venice.ai/api/v1/chat/completions', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'X-Sign-In-With-X': siweHeader },
+      body: JSON.stringify({ model: model ?? 'llama-3.3-70b', messages, max_tokens: max_tokens ?? 4096, temperature: temperature ?? 0.7, stream: false }),
+    });
+
+    // Auto top-up on 402
+    if (veniceRes.status === 402) {
+      console.log(`[Proxy] Venice 402 (non-stream) — auto top-up...`);
+      try {
+        const { topUp } = await import('./venice-x402.js');
+        const result = await topUp(5);
+        if (result) {
+          console.log(`[Proxy] Top-up: $${result.credited} → $${result.newBalance}`);
+          const retryHeader = await buildSiweHeader(uri);
+          veniceRes = await fetch('https://api.venice.ai/api/v1/chat/completions', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', 'X-Sign-In-With-X': retryHeader },
+            body: JSON.stringify({ model: model ?? 'llama-3.3-70b', messages, max_tokens: max_tokens ?? 4096, temperature: temperature ?? 0.7, stream: false }),
+          });
+        }
+      } catch (e) { console.log(`[Proxy] Top-up failed: ${e}`); }
+    }
+
+    if (!veniceRes.ok) {
+      const text = await veniceRes.text();
+      res.status(veniceRes.status).json({ error: { message: text, type: 'upstream_error' } });
+      return;
+    }
+
+    const data = await veniceRes.json();
+    recordSpending(0.002);
+    console.log(`[Proxy] Venice OK (cost: $0.002): ${(data as any).choices?.[0]?.message?.content?.slice(0, 80) ?? 'no content'}`);
+    res.json(data);
+  } catch (err) {
+    console.error(`[Proxy] Error: ${err}`);
+    res.status(500).json({ error: { message: String(err), type: 'server_error' } });
+  }
+});
+
+// ── Start ──────────────────────────────────────────────
+
+app.listen(PORT, '0.0.0.0', () => {
+  console.log(`[SpendOS] Dashboard: http://localhost:${PORT}`);
+  console.log(`[SpendOS] Treasury: ${getTreasuryAddress()}`);
+  console.log(`[SpendOS] MVAE endpoint: POST http://localhost:${PORT}/api/summarize`);
+
+  // Investment proposals come from OpenClaw cron jobs (agent thinks + uses MCP tools)
+  // No hardcoded scanner — the agent uses MoonPay/Zerion MCP to find opportunities
+});