npm - thevoidforge - Versions diffs - 21.0.0 - Mend

thevoidforge 21.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/dist/scripts/vault-read.d.ts +11 -0
package/dist/scripts/vault-read.js +89 -0
package/dist/scripts/voidforge.d.ts +20 -0
package/dist/scripts/voidforge.js +404 -0
package/dist/tsconfig.tsbuildinfo +1 -0
package/dist/wizard/api/auth.d.ts +5 -0
package/dist/wizard/api/auth.js +133 -0
package/dist/wizard/api/blueprint.d.ts +45 -0
package/dist/wizard/api/blueprint.js +184 -0
package/dist/wizard/api/cloud-providers.d.ts +16 -0
package/dist/wizard/api/cloud-providers.js +363 -0
package/dist/wizard/api/credentials.d.ts +1 -0
package/dist/wizard/api/credentials.js +258 -0
package/dist/wizard/api/danger-room.d.ts +18 -0
package/dist/wizard/api/danger-room.js +401 -0
package/dist/wizard/api/deploy.d.ts +4 -0
package/dist/wizard/api/deploy.js +164 -0
package/dist/wizard/api/prd.d.ts +1 -0
package/dist/wizard/api/prd.js +363 -0
package/dist/wizard/api/project.d.ts +1 -0
package/dist/wizard/api/project.js +239 -0
package/dist/wizard/api/projects.d.ts +6 -0
package/dist/wizard/api/projects.js +648 -0
package/dist/wizard/api/provision.d.ts +4 -0
package/dist/wizard/api/provision.js +535 -0
package/dist/wizard/api/terminal.d.ts +25 -0
package/dist/wizard/api/terminal.js +241 -0
package/dist/wizard/api/users.d.ts +6 -0
package/dist/wizard/api/users.js +244 -0
package/dist/wizard/api/war-room.d.ts +14 -0
package/dist/wizard/api/war-room.js +45 -0
package/dist/wizard/lib/ad-platform-core.d.ts +6 -0
package/dist/wizard/lib/ad-platform-core.js +1 -0
package/dist/wizard/lib/adapters/index.d.ts +52 -0
package/dist/wizard/lib/adapters/index.js +38 -0
package/dist/wizard/lib/adapters/sandbox-bank.d.ts +17 -0
package/dist/wizard/lib/adapters/sandbox-bank.js +77 -0
package/dist/wizard/lib/adapters/sandbox.d.ts +39 -0
package/dist/wizard/lib/adapters/sandbox.js +174 -0
package/dist/wizard/lib/adapters/stripe.d.ts +19 -0
package/dist/wizard/lib/adapters/stripe.js +143 -0
package/dist/wizard/lib/adapters/types.d.ts +9 -0
package/dist/wizard/lib/adapters/types.js +10 -0
package/dist/wizard/lib/agent-memory.d.ts +36 -0
package/dist/wizard/lib/agent-memory.js +114 -0
package/dist/wizard/lib/anomaly-detection.d.ts +59 -0
package/dist/wizard/lib/anomaly-detection.js +122 -0
package/dist/wizard/lib/anthropic.d.ts +21 -0
package/dist/wizard/lib/anthropic.js +105 -0
package/dist/wizard/lib/asset-scanner.d.ts +23 -0
package/dist/wizard/lib/asset-scanner.js +107 -0
package/dist/wizard/lib/audit-log.d.ts +23 -0
package/dist/wizard/lib/audit-log.js +70 -0
package/dist/wizard/lib/autonomy-controller.d.ts +76 -0
package/dist/wizard/lib/autonomy-controller.js +183 -0
package/dist/wizard/lib/body-parser.d.ts +2 -0
package/dist/wizard/lib/body-parser.js +36 -0
package/dist/wizard/lib/build-analytics.d.ts +39 -0
package/dist/wizard/lib/build-analytics.js +91 -0
package/dist/wizard/lib/build-step.d.ts +21 -0
package/dist/wizard/lib/build-step.js +104 -0
package/dist/wizard/lib/campaign-proposer.d.ts +39 -0
package/dist/wizard/lib/campaign-proposer.js +180 -0
package/dist/wizard/lib/campaign-state-machine.d.ts +63 -0
package/dist/wizard/lib/campaign-state-machine.js +114 -0
package/dist/wizard/lib/ci-generator.d.ts +14 -0
package/dist/wizard/lib/ci-generator.js +187 -0
package/dist/wizard/lib/claude-merge.d.ts +38 -0
package/dist/wizard/lib/claude-merge.js +115 -0
package/dist/wizard/lib/codegen/erd-gen.d.ts +16 -0
package/dist/wizard/lib/codegen/erd-gen.js +98 -0
package/dist/wizard/lib/codegen/integrations.d.ts +18 -0
package/dist/wizard/lib/codegen/integrations.js +189 -0
package/dist/wizard/lib/codegen/openapi-gen.d.ts +15 -0
package/dist/wizard/lib/codegen/openapi-gen.js +79 -0
package/dist/wizard/lib/codegen/prisma-types.d.ts +15 -0
package/dist/wizard/lib/codegen/prisma-types.js +44 -0
package/dist/wizard/lib/codegen/seed-gen.d.ts +16 -0
package/dist/wizard/lib/codegen/seed-gen.js +128 -0
package/dist/wizard/lib/compliance.d.ts +51 -0
package/dist/wizard/lib/compliance.js +112 -0
package/dist/wizard/lib/correlation-engine.d.ts +59 -0
package/dist/wizard/lib/correlation-engine.js +151 -0
package/dist/wizard/lib/cost-estimator.d.ts +22 -0
package/dist/wizard/lib/cost-estimator.js +72 -0
package/dist/wizard/lib/cost-tracker.d.ts +27 -0
package/dist/wizard/lib/cost-tracker.js +37 -0
package/dist/wizard/lib/daemon-aggregator.d.ts +71 -0
package/dist/wizard/lib/daemon-aggregator.js +204 -0
package/dist/wizard/lib/daemon-core.d.ts +6 -0
package/dist/wizard/lib/daemon-core.js +5 -0
package/dist/wizard/lib/dashboard-data.d.ts +132 -0
package/dist/wizard/lib/dashboard-data.js +336 -0
package/dist/wizard/lib/dashboard-ws.d.ts +25 -0
package/dist/wizard/lib/dashboard-ws.js +91 -0
package/dist/wizard/lib/deep-current.d.ts +77 -0
package/dist/wizard/lib/deep-current.js +234 -0
package/dist/wizard/lib/deploy-coordinator.d.ts +40 -0
package/dist/wizard/lib/deploy-coordinator.js +86 -0
package/dist/wizard/lib/deploy-log.d.ts +28 -0
package/dist/wizard/lib/deploy-log.js +52 -0
package/dist/wizard/lib/desktop-notify.d.ts +27 -0
package/dist/wizard/lib/desktop-notify.js +98 -0
package/dist/wizard/lib/dns/cloudflare-dns.d.ts +35 -0
package/dist/wizard/lib/dns/cloudflare-dns.js +216 -0
package/dist/wizard/lib/dns/cloudflare-registrar.d.ts +31 -0
package/dist/wizard/lib/dns/cloudflare-registrar.js +148 -0
package/dist/wizard/lib/dns/types.d.ts +22 -0
package/dist/wizard/lib/dns/types.js +4 -0
package/dist/wizard/lib/document-discovery.d.ts +33 -0
package/dist/wizard/lib/document-discovery.js +145 -0
package/dist/wizard/lib/env-validator.d.ts +14 -0
package/dist/wizard/lib/env-validator.js +205 -0
package/dist/wizard/lib/env-writer.d.ts +13 -0
package/dist/wizard/lib/env-writer.js +26 -0
package/dist/wizard/lib/exec.d.ts +30 -0
package/dist/wizard/lib/exec.js +52 -0
package/dist/wizard/lib/experiment.d.ts +70 -0
package/dist/wizard/lib/experiment.js +169 -0
package/dist/wizard/lib/extensions.d.ts +20 -0
package/dist/wizard/lib/extensions.js +183 -0
package/dist/wizard/lib/financial/adapter-factory.d.ts +47 -0
package/dist/wizard/lib/financial/adapter-factory.js +225 -0
package/dist/wizard/lib/financial/billing/base.d.ts +6 -0
package/dist/wizard/lib/financial/billing/base.js +1 -0
package/dist/wizard/lib/financial/billing/google-billing.d.ts +56 -0
package/dist/wizard/lib/financial/billing/google-billing.js +298 -0
package/dist/wizard/lib/financial/billing/meta-billing.d.ts +54 -0
package/dist/wizard/lib/financial/billing/meta-billing.js +243 -0
package/dist/wizard/lib/financial/billing/tiktok-billing.d.ts +54 -0
package/dist/wizard/lib/financial/billing/tiktok-billing.js +260 -0
package/dist/wizard/lib/financial/campaign/base.d.ts +13 -0
package/dist/wizard/lib/financial/campaign/base.js +1 -0
package/dist/wizard/lib/financial/campaign/google-campaign.d.ts +42 -0
package/dist/wizard/lib/financial/campaign/google-campaign.js +388 -0
package/dist/wizard/lib/financial/campaign/meta-campaign.d.ts +41 -0
package/dist/wizard/lib/financial/campaign/meta-campaign.js +311 -0
package/dist/wizard/lib/financial/campaign/sandbox-campaign.d.ts +45 -0
package/dist/wizard/lib/financial/campaign/sandbox-campaign.js +261 -0
package/dist/wizard/lib/financial/campaign/tiktok-campaign.d.ts +40 -0
package/dist/wizard/lib/financial/campaign/tiktok-campaign.js +350 -0
package/dist/wizard/lib/financial/funding-auto.d.ts +44 -0
package/dist/wizard/lib/financial/funding-auto.js +52 -0
package/dist/wizard/lib/financial/funding-policy.d.ts +60 -0
package/dist/wizard/lib/financial/funding-policy.js +179 -0
package/dist/wizard/lib/financial/platform-planner.d.ts +47 -0
package/dist/wizard/lib/financial/platform-planner.js +134 -0
package/dist/wizard/lib/financial/reconciliation-engine.d.ts +78 -0
package/dist/wizard/lib/financial/reconciliation-engine.js +193 -0
package/dist/wizard/lib/financial/registry.d.ts +22 -0
package/dist/wizard/lib/financial/registry.js +26 -0
package/dist/wizard/lib/financial/reporting.d.ts +96 -0
package/dist/wizard/lib/financial/reporting.js +198 -0
package/dist/wizard/lib/financial/stablecoin/base.d.ts +6 -0
package/dist/wizard/lib/financial/stablecoin/base.js +1 -0
package/dist/wizard/lib/financial/stablecoin/circle.d.ts +54 -0
package/dist/wizard/lib/financial/stablecoin/circle.js +367 -0
package/dist/wizard/lib/financial/stablecoin/mercury.d.ts +24 -0
package/dist/wizard/lib/financial/stablecoin/mercury.js +171 -0
package/dist/wizard/lib/financial/stablecoin/sandbox-stablecoin.d.ts +47 -0
package/dist/wizard/lib/financial/stablecoin/sandbox-stablecoin.js +202 -0
package/dist/wizard/lib/financial/treasury-planner.d.ts +52 -0
package/dist/wizard/lib/financial/treasury-planner.js +128 -0
package/dist/wizard/lib/financial-core.d.ts +6 -0
package/dist/wizard/lib/financial-core.js +5 -0
package/dist/wizard/lib/financial-vault.d.ts +34 -0
package/dist/wizard/lib/financial-vault.js +199 -0
package/dist/wizard/lib/frontmatter.d.ts +30 -0
package/dist/wizard/lib/frontmatter.js +96 -0
package/dist/wizard/lib/gap-analysis.d.ts +37 -0
package/dist/wizard/lib/gap-analysis.js +218 -0
package/dist/wizard/lib/github.d.ts +22 -0
package/dist/wizard/lib/github.js +261 -0
package/dist/wizard/lib/headless-deploy.d.ts +14 -0
package/dist/wizard/lib/headless-deploy.js +452 -0
package/dist/wizard/lib/health-monitor.d.ts +15 -0
package/dist/wizard/lib/health-monitor.js +91 -0
package/dist/wizard/lib/health-poller.d.ts +9 -0
package/dist/wizard/lib/health-poller.js +123 -0
package/dist/wizard/lib/heartbeat.d.ts +15 -0
package/dist/wizard/lib/heartbeat.js +827 -0
package/dist/wizard/lib/http-helpers.d.ts +9 -0
package/dist/wizard/lib/http-helpers.js +24 -0
package/dist/wizard/lib/image-gen.d.ts +56 -0
package/dist/wizard/lib/image-gen.js +159 -0
package/dist/wizard/lib/instance-sizing.d.ts +26 -0
package/dist/wizard/lib/instance-sizing.js +51 -0
package/dist/wizard/lib/kongo/analytics.d.ts +29 -0
package/dist/wizard/lib/kongo/analytics.js +179 -0
package/dist/wizard/lib/kongo/campaigns.d.ts +52 -0
package/dist/wizard/lib/kongo/campaigns.js +91 -0
package/dist/wizard/lib/kongo/client.d.ts +58 -0
package/dist/wizard/lib/kongo/client.js +221 -0
package/dist/wizard/lib/kongo/jobs.d.ts +57 -0
package/dist/wizard/lib/kongo/jobs.js +122 -0
package/dist/wizard/lib/kongo/pages.d.ts +60 -0
package/dist/wizard/lib/kongo/pages.js +150 -0
package/dist/wizard/lib/kongo/provisioner.d.ts +64 -0
package/dist/wizard/lib/kongo/provisioner.js +116 -0
package/dist/wizard/lib/kongo/seed.d.ts +49 -0
package/dist/wizard/lib/kongo/seed.js +237 -0
package/dist/wizard/lib/kongo/types.d.ts +323 -0
package/dist/wizard/lib/kongo/types.js +11 -0
package/dist/wizard/lib/kongo/variants.d.ts +57 -0
package/dist/wizard/lib/kongo/variants.js +88 -0
package/dist/wizard/lib/kongo/webhooks.d.ts +41 -0
package/dist/wizard/lib/kongo/webhooks.js +112 -0
package/dist/wizard/lib/marker.d.ts +28 -0
package/dist/wizard/lib/marker.js +79 -0
package/dist/wizard/lib/migrator.d.ts +35 -0
package/dist/wizard/lib/migrator.js +190 -0
package/dist/wizard/lib/natural-language-deploy.d.ts +30 -0
package/dist/wizard/lib/natural-language-deploy.js +186 -0
package/dist/wizard/lib/network.d.ts +22 -0
package/dist/wizard/lib/network.js +72 -0
package/dist/wizard/lib/oauth-core.d.ts +6 -0
package/dist/wizard/lib/oauth-core.js +5 -0
package/dist/wizard/lib/open-browser.d.ts +1 -0
package/dist/wizard/lib/open-browser.js +26 -0
package/dist/wizard/lib/patterns/ad-billing-adapter.d.ts +209 -0
package/dist/wizard/lib/patterns/ad-billing-adapter.js +269 -0
package/dist/wizard/lib/patterns/ad-platform-adapter.d.ts +200 -0
package/dist/wizard/lib/patterns/ad-platform-adapter.js +212 -0
package/dist/wizard/lib/patterns/daemon-process.d.ts +88 -0
package/dist/wizard/lib/patterns/daemon-process.js +271 -0
package/dist/wizard/lib/patterns/financial-transaction.d.ts +161 -0
package/dist/wizard/lib/patterns/financial-transaction.js +132 -0
package/dist/wizard/lib/patterns/funding-plan.d.ts +136 -0
package/dist/wizard/lib/patterns/funding-plan.js +200 -0
package/dist/wizard/lib/patterns/oauth-token-lifecycle.d.ts +94 -0
package/dist/wizard/lib/patterns/oauth-token-lifecycle.js +139 -0
package/dist/wizard/lib/patterns/outbound-rate-limiter.d.ts +67 -0
package/dist/wizard/lib/patterns/outbound-rate-limiter.js +216 -0
package/dist/wizard/lib/patterns/revenue-source-adapter.d.ts +96 -0
package/dist/wizard/lib/patterns/revenue-source-adapter.js +182 -0
package/dist/wizard/lib/patterns/stablecoin-adapter.d.ts +218 -0
package/dist/wizard/lib/patterns/stablecoin-adapter.js +264 -0
package/dist/wizard/lib/prd-validator.d.ts +39 -0
package/dist/wizard/lib/prd-validator.js +137 -0
package/dist/wizard/lib/project-init.d.ts +24 -0
package/dist/wizard/lib/project-init.js +193 -0
package/dist/wizard/lib/project-registry.d.ts +86 -0
package/dist/wizard/lib/project-registry.js +359 -0
package/dist/wizard/lib/provision-manifest.d.ts +44 -0
package/dist/wizard/lib/provision-manifest.js +164 -0
package/dist/wizard/lib/provisioner-registry.d.ts +15 -0
package/dist/wizard/lib/provisioner-registry.js +34 -0
package/dist/wizard/lib/provisioners/aws-vps.d.ts +6 -0
package/dist/wizard/lib/provisioners/aws-vps.js +643 -0
package/dist/wizard/lib/provisioners/cloudflare.d.ts +6 -0
package/dist/wizard/lib/provisioners/cloudflare.js +300 -0
package/dist/wizard/lib/provisioners/docker.d.ts +6 -0
package/dist/wizard/lib/provisioners/docker.js +75 -0
package/dist/wizard/lib/provisioners/http-client.d.ts +20 -0
package/dist/wizard/lib/provisioners/http-client.js +79 -0
package/dist/wizard/lib/provisioners/railway.d.ts +6 -0
package/dist/wizard/lib/provisioners/railway.js +413 -0
package/dist/wizard/lib/provisioners/scripts/caddyfile.d.ts +10 -0
package/dist/wizard/lib/provisioners/scripts/caddyfile.js +54 -0
package/dist/wizard/lib/provisioners/scripts/deploy-vps.d.ts +10 -0
package/dist/wizard/lib/provisioners/scripts/deploy-vps.js +112 -0
package/dist/wizard/lib/provisioners/scripts/docker-compose.d.ts +11 -0
package/dist/wizard/lib/provisioners/scripts/docker-compose.js +91 -0
package/dist/wizard/lib/provisioners/scripts/dockerfile.d.ts +5 -0
package/dist/wizard/lib/provisioners/scripts/dockerfile.js +185 -0
package/dist/wizard/lib/provisioners/scripts/ecosystem-config.d.ts +10 -0
package/dist/wizard/lib/provisioners/scripts/ecosystem-config.js +36 -0
package/dist/wizard/lib/provisioners/scripts/provision-vps.d.ts +14 -0
package/dist/wizard/lib/provisioners/scripts/provision-vps.js +202 -0
package/dist/wizard/lib/provisioners/scripts/rollback-vps.d.ts +10 -0
package/dist/wizard/lib/provisioners/scripts/rollback-vps.js +67 -0
package/dist/wizard/lib/provisioners/self-deploy.d.ts +41 -0
package/dist/wizard/lib/provisioners/self-deploy.js +185 -0
package/dist/wizard/lib/provisioners/static-s3.d.ts +6 -0
package/dist/wizard/lib/provisioners/static-s3.js +235 -0
package/dist/wizard/lib/provisioners/types.d.ts +40 -0
package/dist/wizard/lib/provisioners/types.js +4 -0
package/dist/wizard/lib/provisioners/vercel.d.ts +6 -0
package/dist/wizard/lib/provisioners/vercel.js +287 -0
package/dist/wizard/lib/pty-manager.d.ts +42 -0
package/dist/wizard/lib/pty-manager.js +231 -0
package/dist/wizard/lib/rate-limiter-core.d.ts +5 -0
package/dist/wizard/lib/rate-limiter-core.js +5 -0
package/dist/wizard/lib/reconciliation.d.ts +43 -0
package/dist/wizard/lib/reconciliation.js +173 -0
package/dist/wizard/lib/revenue-types.d.ts +5 -0
package/dist/wizard/lib/revenue-types.js +1 -0
package/dist/wizard/lib/route-optimizer.d.ts +28 -0
package/dist/wizard/lib/route-optimizer.js +93 -0
package/dist/wizard/lib/s3-deploy.d.ts +19 -0
package/dist/wizard/lib/s3-deploy.js +156 -0
package/dist/wizard/lib/safety-tiers.d.ts +76 -0
package/dist/wizard/lib/safety-tiers.js +134 -0
package/dist/wizard/lib/sentry-generator.d.ts +15 -0
package/dist/wizard/lib/sentry-generator.js +116 -0
package/dist/wizard/lib/server-config.d.ts +13 -0
package/dist/wizard/lib/server-config.js +23 -0
package/dist/wizard/lib/service-install.d.ts +18 -0
package/dist/wizard/lib/service-install.js +182 -0
package/dist/wizard/lib/site-scanner.d.ts +80 -0
package/dist/wizard/lib/site-scanner.js +262 -0
package/dist/wizard/lib/ssh-deploy.d.ts +25 -0
package/dist/wizard/lib/ssh-deploy.js +225 -0
package/dist/wizard/lib/templates.d.ts +24 -0
package/dist/wizard/lib/templates.js +219 -0
package/dist/wizard/lib/totp.d.ts +35 -0
package/dist/wizard/lib/totp.js +276 -0
package/dist/wizard/lib/tower-auth.d.ts +43 -0
package/dist/wizard/lib/tower-auth.js +352 -0
package/dist/wizard/lib/tower-rate-limit.d.ts +14 -0
package/dist/wizard/lib/tower-rate-limit.js +61 -0
package/dist/wizard/lib/tower-session.d.ts +28 -0
package/dist/wizard/lib/tower-session.js +119 -0
package/dist/wizard/lib/treasury-backup.d.ts +23 -0
package/dist/wizard/lib/treasury-backup.js +126 -0
package/dist/wizard/lib/treasury-heartbeat.d.ts +82 -0
package/dist/wizard/lib/treasury-heartbeat.js +1104 -0
package/dist/wizard/lib/updater.d.ts +29 -0
package/dist/wizard/lib/updater.js +190 -0
package/dist/wizard/lib/user-manager.d.ts +39 -0
package/dist/wizard/lib/user-manager.js +182 -0
package/dist/wizard/lib/vault.d.ts +26 -0
package/dist/wizard/lib/vault.js +161 -0
package/dist/wizard/router.d.ts +5 -0
package/dist/wizard/router.js +15 -0
package/dist/wizard/server.d.ts +18 -0
package/dist/wizard/server.js +436 -0
package/package.json +59 -0

package/dist/wizard/lib/heartbeat.js ADDED Viewed

@@ -0,0 +1,827 @@
+/**
+ * Heartbeat Daemon — The single-writer for all financial state (ADR-1).
+ *
+ * This module implements the heartbeat daemon: a background Node.js process
+ * that owns all financial state mutations. The CLI and Danger Room are clients
+ * that communicate via the Unix domain socket API.
+ *
+ * PRD Reference: §9.7, §9.18, §9.19.2, §9.20.4, §9.20.11
+ */
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { existsSync } from 'node:fs';
+import { readFile, appendFile, mkdir } from 'node:fs/promises';
+import { writePidFile, checkStalePid, generateSessionToken, createSocketServer, startSocketServer, writeState, setupSignalHandlers, JobScheduler, createLogger, STATE_FILE, } from './daemon-core.js';
+import { financialVaultGet, financialVaultLock, financialVaultUnlock } from './financial-vault.js';
+import { totpVerify, totpSessionInvalidate } from './totp.js';
+import { classifyTier } from './safety-tiers.js';
+import { needsRefresh, handleRefreshFailure, tokenVaultKey, deserializeTokens, } from './oauth-core.js';
+import { appendToLog, atomicWrite, SPEND_LOG, REVENUE_LOG, TREASURY_DIR } from './financial-core.js';
+import { registerTreasuryJobs, handleTreasuryRequest, executeTreasuryFreeze, getTreasuryStateSnapshot, isStablecoinConfigured, } from './treasury-heartbeat.js';
+import { getCampaignAdapter } from './financial/adapter-factory.js';
+import { transition } from './campaign-state-machine.js';
+const PENDING_OPS = join(TREASURY_DIR, 'pending-ops.jsonl');
+const CAMPAIGNS_DIR = join(TREASURY_DIR, 'campaigns');
+const VOIDFORGE_DIR = join(homedir(), '.voidforge');
+// ── Hash Chain Helper ────────────────────────────────────
+// Reads the last line of a JSONL log file and extracts the hash field.
+// Returns '0' (genesis hash) if the file is empty or does not exist.
+async function getLastLogHash(logPath) {
+    try {
+        const content = await readFile(logPath, 'utf-8');
+        const lines = content.trim().split('\n').filter(Boolean);
+        if (lines.length === 0)
+            return '0';
+        const lastEntry = JSON.parse(lines[lines.length - 1]);
+        return lastEntry.hash ?? '0';
+    }
+    catch {
+        // File does not exist or is unreadable — genesis hash
+        return '0';
+    }
+}
+// ── Daemon State ──────────────────────────────────────
+let daemonState = 'starting';
+let vaultKey = null; // Vault password held in memory
+let sessionTokenState = null;
+let eventId = 0;
+const logger = createLogger(join(VOIDFORGE_DIR, 'heartbeat.log'));
+const daemonStartedAt = new Date().toISOString(); // Store once at module level (VG-R1-001)
+// Platform state tracking
+const platformFailures = {};
+const platformHealth = {};
+// ── Socket API Request Handler (§9.20.11) ─────────────
+async function handleRequest(method, path, body, auth) {
+    // All requests require session token
+    if (!auth.hasToken) {
+        return { status: 401, body: { ok: false, error: 'Session token required' } };
+    }
+    // SEC-001 + R4-MAUL-001: Verify vault password with HMAC comparison (constant-time
+    // regardless of input length — no length leak unlike timingSafeEqual's length check)
+    let vaultVerified = false;
+    if (auth.vaultPassword && vaultKey) {
+        const { createHmac, timingSafeEqual } = await import('node:crypto');
+        const HMAC_KEY = 'voidforge-vault-password-comparison-v1';
+        const providedMac = createHmac('sha256', HMAC_KEY).update(auth.vaultPassword).digest();
+        const expectedMac = createHmac('sha256', HMAC_KEY).update(vaultKey).digest();
+        vaultVerified = timingSafeEqual(providedMac, expectedMac);
+    }
+    // SEC-001: Verify TOTP code (not just presence)
+    let totpVerified = false;
+    if (auth.totpCode) {
+        try {
+            totpVerified = await totpVerify(auth.totpCode);
+        }
+        catch { /* TOTP not configured — treat as false */ }
+    }
+    // ── Treasury routes (delegated to treasury-heartbeat module) ──
+    const treasuryFreeze = async (reason) => {
+        await executeTreasuryFreeze(reason, logger);
+        daemonState = 'degraded';
+        eventId++;
+        await writeCurrentState();
+    };
+    if (path.startsWith('/treasury/')) {
+        const treasuryResult = await handleTreasuryRequest(method, path, body, { vaultVerified, totpVerified }, logger, treasuryFreeze, vaultKey);
+        if (treasuryResult) {
+            eventId++;
+            return treasuryResult;
+        }
+    }
+    // ── Read operations ──────────────────
+    if (method === 'GET') {
+        if (path === '/status') {
+            return { status: 200, body: { ok: true, data: await buildStateSnapshot() } };
+        }
+        if (path === '/campaigns') {
+            return { status: 200, body: { ok: true, data: await readCampaigns() } };
+        }
+        if (path === '/treasury') {
+            return { status: 200, body: { ok: true, data: await readTreasurySummary() } };
+        }
+        return { status: 404, body: { ok: false, error: 'Unknown endpoint' } };
+    }
+    // ── Write operations ─────────────────
+    if (method === 'POST') {
+        // Freeze — low friction, session token only (§9.18)
+        if (path === '/freeze') {
+            return await handleFreeze();
+        }
+        // Unfreeze — requires vault + TOTP (§9.18)
+        if (path === '/unfreeze') {
+            if (!vaultVerified || !totpVerified) {
+                return { status: 403, body: { ok: false, error: 'Unfreeze requires valid vault password + TOTP code' } };
+            }
+            return await handleUnfreeze();
+        }
+        // Vault unlock — re-enter vault password after timeout
+        if (path === '/unlock') {
+            return await handleUnlock(body);
+        }
+        // Campaign pause — session token only (protective action)
+        if (path.match(/^\/campaigns\/[^/]+\/pause$/)) {
+            const id = path.split('/')[2];
+            return await handleCampaignPause(id);
+        }
+        // Campaign creative update — session token only for non-URL changes (§9.20.11)
+        if (path.match(/^\/campaigns\/[^/]+\/creative$/)) {
+            const id = path.split('/')[2];
+            return await handleCreativeUpdate(id, body);
+        }
+        // Campaign resume — requires vault password
+        if (path.match(/^\/campaigns\/[^/]+\/resume$/)) {
+            if (!vaultVerified) {
+                return { status: 403, body: { ok: false, error: 'Resume requires valid vault password' } };
+            }
+            const id = path.split('/')[2];
+            return await handleCampaignResume(id);
+        }
+        // Campaign launch — requires vault password + safety tier check (SEC-004)
+        if (path === '/campaigns/launch') {
+            if (!vaultVerified) {
+                return { status: 403, body: { ok: false, error: 'Campaign launch requires valid vault password' } };
+            }
+            return await handleCampaignLaunch(body);
+        }
+        // Budget modification — requires vault password + safety tier check (SEC-004)
+        if (path === '/budget') {
+            if (!vaultVerified) {
+                return { status: 403, body: { ok: false, error: 'Budget changes require valid vault password' } };
+            }
+            return await handleBudgetChange(body);
+        }
+        // Manual reconciliation
+        if (path === '/reconcile') {
+            return await handleReconcile();
+        }
+        return { status: 404, body: { ok: false, error: 'Unknown endpoint' } };
+    }
+    return { status: 405, body: { ok: false, error: 'Method not allowed' } };
+}
+/** Validate campaign ID — must be UUID-like (alphanumeric + hyphens). Prevents path traversal. */
+function validateCampaignId(id) {
+    return /^[a-zA-Z0-9_-]{1,128}$/.test(id);
+}
+async function writeCampaignRecord(record) {
+    if (!validateCampaignId(record.campaignId)) {
+        throw new Error(`Invalid campaign ID format: ${record.campaignId.slice(0, 20)}`);
+    }
+    await mkdir(CAMPAIGNS_DIR, { recursive: true });
+    const filePath = join(CAMPAIGNS_DIR, `${record.campaignId}.json`);
+    await atomicWrite(filePath, JSON.stringify(record, null, 2));
+}
+async function readCampaignRecord(campaignId) {
+    if (!validateCampaignId(campaignId))
+        return null;
+    const filePath = join(CAMPAIGNS_DIR, `${campaignId}.json`);
+    try {
+        const content = await readFile(filePath, 'utf-8');
+        return JSON.parse(content);
+    }
+    catch {
+        return null;
+    }
+}
+async function getActiveCampaignRecords() {
+    const campaigns = await readCampaigns();
+    return campaigns.filter(c => c.status === 'active');
+}
+async function getSuspendedCampaignRecords() {
+    const campaigns = await readCampaigns();
+    return campaigns.filter(c => c.status === 'suspended');
+}
+async function getAdapterForPlatform(platform) {
+    return getCampaignAdapter(platform, vaultKey, logger);
+}
+// ── Command Handlers ──────────────────────────────────
+async function handleFreeze() {
+    logger.log('FREEZE command received — pausing all active campaigns');
+    const activeCampaigns = await getActiveCampaignRecords();
+    let pausedCount = 0;
+    const errors = [];
+    for (const campaign of activeCampaigns) {
+        try {
+            const adapter = await getAdapterForPlatform(campaign.platform);
+            await adapter.pauseCampaign(campaign.externalId);
+            const event = transition(campaign.status, 'suspended', 'cli', 'freeze');
+            campaign.status = event.newStatus;
+            campaign.updatedAt = new Date().toISOString();
+            await writeCampaignRecord(campaign);
+            pausedCount++;
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            errors.push(`${campaign.campaignId}: ${msg}`);
+            logger.log(`Freeze: failed to pause campaign ${campaign.campaignId}: ${msg}`);
+        }
+    }
+    daemonState = 'degraded';
+    eventId++;
+    await writeCurrentState();
+    const allPaused = errors.length === 0;
+    logger.log(`Freeze complete: ${pausedCount}/${activeCampaigns.length} campaigns paused${allPaused ? '' : ` (${errors.length} failures)`}`);
+    return {
+        status: allPaused ? 200 : 207,
+        body: {
+            ok: allPaused,
+            message: allPaused
+                ? `Freeze complete: ${pausedCount} campaigns paused`
+                : `Freeze partial: ${pausedCount}/${activeCampaigns.length} campaigns paused, ${errors.length} failed`,
+            pausedCount,
+            totalCampaigns: activeCampaigns.length,
+            errors: errors.length > 0 ? errors : undefined,
+        },
+    };
+}
+async function handleUnfreeze() {
+    logger.log('UNFREEZE command received — resuming suspended campaigns');
+    const suspendedCampaigns = await getSuspendedCampaignRecords();
+    let resumedCount = 0;
+    const errors = [];
+    for (const campaign of suspendedCampaigns) {
+        try {
+            const adapter = await getAdapterForPlatform(campaign.platform);
+            await adapter.resumeCampaign(campaign.externalId);
+            const event = transition(campaign.status, 'active', 'cli', 'unfreeze');
+            campaign.status = event.newStatus;
+            campaign.updatedAt = new Date().toISOString();
+            await writeCampaignRecord(campaign);
+            resumedCount++;
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            errors.push(`${campaign.campaignId}: ${msg}`);
+            logger.log(`Unfreeze: failed to resume campaign ${campaign.campaignId}: ${msg}`);
+        }
+    }
+    daemonState = 'healthy';
+    eventId++;
+    await writeCurrentState();
+    logger.log(`Unfreeze complete: ${resumedCount}/${suspendedCampaigns.length} campaigns resumed`);
+    return {
+        status: 200,
+        body: {
+            ok: true,
+            message: `Spending resumed: ${resumedCount} campaigns unfrozen`,
+            resumedCount,
+            errors: errors.length > 0 ? errors : undefined,
+        },
+    };
+}
+async function handleUnlock(body) {
+    if (!body.password) {
+        return { status: 400, body: { ok: false, error: 'Password required' } };
+    }
+    // SEC-002: Verify the password can actually decrypt the vault before accepting
+    const valid = await financialVaultUnlock(body.password);
+    if (!valid) {
+        logger.log('Vault unlock failed — wrong password');
+        return { status: 403, body: { ok: false, error: 'Invalid vault password' } };
+    }
+    vaultKey = body.password;
+    if (daemonState === 'degraded')
+        daemonState = 'healthy';
+    logger.log('Vault unlocked');
+    eventId++;
+    await writeCurrentState();
+    return { status: 200, body: { ok: true, message: 'Vault session renewed' } };
+}
+async function handleCampaignPause(id) {
+    logger.log(`Campaign ${id} pause requested`);
+    const record = await readCampaignRecord(id);
+    if (!record) {
+        return { status: 404, body: { ok: false, error: `Campaign not found: ${id}` } };
+    }
+    try {
+        const adapter = await getAdapterForPlatform(record.platform);
+        await adapter.pauseCampaign(record.externalId);
+        const event = transition(record.status, 'paused', 'cli', 'user_paused');
+        record.status = event.newStatus;
+        record.updatedAt = new Date().toISOString();
+        await writeCampaignRecord(record);
+        eventId++;
+        await appendToLog(SPEND_LOG, { type: 'campaign_pause', campaignId: id, timestamp: record.updatedAt }, await getLastLogHash(SPEND_LOG));
+        logger.log(`Campaign ${id} paused on ${record.platform}`);
+        return { status: 200, body: { ok: true, campaignId: id, status: 'paused' } };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.log(`Campaign ${id} pause failed: ${msg}`);
+        return { status: 500, body: { ok: false, error: `Pause failed: ${msg}` } };
+    }
+}
+async function handleCampaignResume(id) {
+    logger.log(`Campaign ${id} resume requested`);
+    const record = await readCampaignRecord(id);
+    if (!record) {
+        return { status: 404, body: { ok: false, error: `Campaign not found: ${id}` } };
+    }
+    try {
+        const adapter = await getAdapterForPlatform(record.platform);
+        await adapter.resumeCampaign(record.externalId);
+        const event = transition(record.status, 'active', 'cli', 'user_resumed');
+        record.status = event.newStatus;
+        record.updatedAt = new Date().toISOString();
+        await writeCampaignRecord(record);
+        eventId++;
+        await appendToLog(SPEND_LOG, { type: 'campaign_resume', campaignId: id, timestamp: record.updatedAt }, await getLastLogHash(SPEND_LOG));
+        logger.log(`Campaign ${id} resumed on ${record.platform}`);
+        return { status: 200, body: { ok: true, campaignId: id, status: 'active' } };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.log(`Campaign ${id} resume failed: ${msg}`);
+        return { status: 500, body: { ok: false, error: `Resume failed: ${msg}` } };
+    }
+}
+async function handleCampaignLaunch(body) {
+    logger.log('Campaign launch requested');
+    const config = body;
+    // Validate required fields
+    if (!config.name || !config.platform || !config.dailyBudgetCents || !config.idempotencyKey) {
+        return { status: 400, body: { ok: false, error: 'Missing required fields: name, platform, dailyBudgetCents, idempotencyKey' } };
+    }
+    // Budget validation — must be positive finite integer
+    if (!Number.isFinite(config.dailyBudgetCents) || config.dailyBudgetCents <= 0 || !Number.isInteger(config.dailyBudgetCents)) {
+        return { status: 400, body: { ok: false, error: 'dailyBudgetCents must be a positive integer' } };
+    }
+    // Safety tier check (SEC-004): classify budget against aggregate of active campaigns
+    const activeCampaigns = await getActiveCampaignRecords();
+    const aggregateDailySpend = activeCampaigns.reduce((sum, c) => (sum + (c.dailyBudgetCents || 0)), 0);
+    const tierResult = classifyTier(config.dailyBudgetCents, aggregateDailySpend);
+    if (tierResult.tier !== 'auto_approve') {
+        logger.log(`Campaign launch: budget $${(config.dailyBudgetCents / 100).toFixed(2)} + aggregate $${(aggregateDailySpend / 100).toFixed(2)}/day → ${tierResult.tier} (${tierResult.reason})`);
+        if (tierResult.requiresTotp) {
+            return { status: 403, body: { ok: false, error: `Budget tier: ${tierResult.tier}. ${tierResult.reason}. Requires TOTP.` } };
+        }
+    }
+    try {
+        const adapter = await getAdapterForPlatform(config.platform);
+        const campaignConfig = {
+            name: config.name,
+            platform: config.platform,
+            objective: config.objective ?? 'traffic',
+            dailyBudget: config.dailyBudgetCents,
+            targeting: config.targeting ?? { audiences: [], locations: [] },
+            creative: config.creative ?? { headlines: [], descriptions: [], callToAction: '', landingUrl: '' },
+            idempotencyKey: config.idempotencyKey,
+            complianceStatus: 'passed',
+        };
+        // WAL entry before platform call
+        await writePendingOp({
+            intentId: config.idempotencyKey,
+            operation: 'campaign_launch',
+            platform: config.platform,
+            params: campaignConfig,
+            status: 'pending',
+            createdAt: new Date().toISOString(),
+        });
+        const result = await adapter.createCampaign(campaignConfig);
+        // Transition state: creating → active (or pending_review → creating based on platform)
+        const campaignId = config.idempotencyKey;
+        const now = new Date().toISOString();
+        const record = {
+            campaignId,
+            externalId: result.externalId,
+            platform: config.platform,
+            status: result.status === 'pending_review' ? 'pending_approval' : 'active',
+            name: config.name,
+            dailyBudgetCents: config.dailyBudgetCents,
+            createdAt: now,
+            updatedAt: now,
+        };
+        await writeCampaignRecord(record);
+        // Log spend event
+        await appendToLog(SPEND_LOG, {
+            type: 'campaign_launch',
+            campaignId,
+            externalId: result.externalId,
+            platform: config.platform,
+            dailyBudgetCents: config.dailyBudgetCents,
+            timestamp: now,
+        }, await getLastLogHash(SPEND_LOG));
+        eventId++;
+        logger.log(`Campaign launched: ${campaignId} → ${result.externalId} on ${config.platform} (status: ${record.status})`);
+        return {
+            status: 200,
+            body: {
+                ok: true,
+                campaignId,
+                externalId: result.externalId,
+                platform: config.platform,
+                status: record.status,
+                dashboardUrl: result.dashboardUrl,
+            },
+        };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.log(`Campaign launch failed: ${msg}`);
+        return { status: 500, body: { ok: false, error: `Launch failed: ${msg}` } };
+    }
+}
+async function handleBudgetChange(body) {
+    logger.log('Budget change requested');
+    const params = body;
+    if (!params.campaignId || params.newBudgetCents === undefined) {
+        return { status: 400, body: { ok: false, error: 'Missing required fields: campaignId, newBudgetCents' } };
+    }
+    // Budget validation — must be positive finite integer
+    if (!Number.isFinite(params.newBudgetCents) || params.newBudgetCents <= 0 || !Number.isInteger(params.newBudgetCents)) {
+        return { status: 400, body: { ok: false, error: 'newBudgetCents must be a positive integer' } };
+    }
+    // Safety tier check BEFORE WAL (SEC-004) — consider aggregate of active campaigns
+    const activeBudgets = await getActiveCampaignRecords();
+    const currentAggregate = activeBudgets.reduce((sum, c) => (sum + (c.dailyBudgetCents || 0)), 0);
+    const tierResult = classifyTier(params.newBudgetCents, currentAggregate);
+    if (tierResult.requiresTotp) {
+        return { status: 403, body: { ok: false, error: `Budget tier: ${tierResult.tier}. ${tierResult.reason}. Requires TOTP.` } };
+    }
+    // WAL entry before platform call (ADR-3) — only after tier check passes
+    await writePendingOp({
+        intentId: `budget_${params.campaignId}_${Date.now()}`,
+        operation: 'budget_change',
+        platform: 'unknown',
+        params,
+        status: 'pending',
+        createdAt: new Date().toISOString(),
+    });
+    const record = await readCampaignRecord(params.campaignId);
+    if (!record) {
+        return { status: 404, body: { ok: false, error: `Campaign not found: ${params.campaignId}` } };
+    }
+    try {
+        const adapter = await getAdapterForPlatform(record.platform);
+        await adapter.updateBudget(record.externalId, params.newBudgetCents);
+        const oldBudget = record.dailyBudgetCents;
+        record.dailyBudgetCents = params.newBudgetCents;
+        record.updatedAt = new Date().toISOString();
+        await writeCampaignRecord(record);
+        await appendToLog(SPEND_LOG, {
+            type: 'budget_change',
+            campaignId: params.campaignId,
+            oldBudgetCents: oldBudget,
+            newBudgetCents: params.newBudgetCents,
+            timestamp: record.updatedAt,
+        }, await getLastLogHash(SPEND_LOG));
+        eventId++;
+        logger.log(`Budget changed: ${params.campaignId} $${(oldBudget / 100).toFixed(2)} → $${(params.newBudgetCents / 100).toFixed(2)}`);
+        return { status: 200, body: { ok: true, campaignId: params.campaignId, newBudgetCents: params.newBudgetCents } };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.log(`Budget change failed: ${msg}`);
+        return { status: 500, body: { ok: false, error: `Budget change failed: ${msg}` } };
+    }
+}
+async function handleCreativeUpdate(id, body) {
+    logger.log(`Creative update for campaign ${id}`);
+    const record = await readCampaignRecord(id);
+    if (!record) {
+        return { status: 404, body: { ok: false, error: `Campaign not found: ${id}` } };
+    }
+    const creative = body;
+    try {
+        const adapter = await getAdapterForPlatform(record.platform);
+        await adapter.updateCreative(record.externalId, creative);
+        record.updatedAt = new Date().toISOString();
+        await writeCampaignRecord(record);
+        eventId++;
+        logger.log(`Creative updated for campaign ${id} on ${record.platform}`);
+        return { status: 200, body: { ok: true, campaignId: id, message: 'Creative updated' } };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.log(`Creative update failed for ${id}: ${msg}`);
+        return { status: 500, body: { ok: false, error: `Creative update failed: ${msg}` } };
+    }
+}
+async function handleReconcile() {
+    logger.log('Manual reconciliation requested');
+    eventId++;
+    try {
+        const { runReconciliation } = await import('./reconciliation.js');
+        const today = new Date().toISOString().slice(0, 10);
+        const hour = new Date().getUTCHours();
+        const type = hour >= 6 ? 'final' : 'preliminary';
+        // Run reconciliation with empty platform reports (manual trigger — platforms queried separately)
+        const report = await runReconciliation('default', today, type, new Map(), new Map());
+        return { status: 200, body: { ok: true, message: `Reconciliation (${type}) completed`, report } };
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : 'Reconciliation failed';
+        logger.log(`Reconciliation error: ${message}`);
+        return { status: 500, body: { ok: false, error: `Reconciliation failed: ${message}` } };
+    }
+}
+// ── State Management ──────────────────────────────────
+async function buildStateSnapshot() {
+    // v17.0: Read real campaign and treasury data
+    const campaigns = await readCampaigns();
+    const activeCampaigns = campaigns.filter((c) => c.status === 'active').length;
+    const summary = await readTreasurySummary();
+    // v19.0: Include treasury state when stablecoin is configured
+    const treasurySnapshot = isStablecoinConfigured()
+        ? getTreasuryStateSnapshot()
+        : undefined;
+    const alerts = [];
+    if (treasurySnapshot?.fundingFrozen) {
+        alerts.push(`Funding frozen: ${treasurySnapshot.freezeReason ?? 'unknown reason'}`);
+    }
+    return {
+        pid: process.pid,
+        state: daemonState,
+        startedAt: daemonStartedAt,
+        lastHeartbeat: new Date().toISOString(),
+        lastEventId: eventId,
+        cultivationState: daemonState === 'starting' ? 'inactive' : 'active',
+        activePlatforms: Object.keys(platformHealth),
+        activeCampaigns,
+        todaySpend: summary.spend,
+        dailyBudget: 0,
+        alerts,
+        tokenHealth: platformHealth,
+        // Treasury state fields (v19.0 — written to heartbeat.json for Danger Room)
+        ...(treasurySnapshot ? {
+            stablecoinBalanceCents: treasurySnapshot.stablecoinBalanceCents,
+            bankBalanceCents: treasurySnapshot.bankBalanceCents,
+            runwayDays: treasurySnapshot.runwayDays,
+            fundingFrozen: treasurySnapshot.fundingFrozen,
+            pendingTransferCount: treasurySnapshot.pendingTransferCount,
+        } : {}),
+    };
+}
+async function writeCurrentState() {
+    await writeState(await buildStateSnapshot());
+}
+async function readCampaigns() {
+    // v17.0: Read campaign state from treasury directory
+    const campaignsDir = join(TREASURY_DIR, 'campaigns');
+    try {
+        const { readdir } = await import('node:fs/promises');
+        if (!existsSync(campaignsDir))
+            return [];
+        const files = await readdir(campaignsDir);
+        const campaigns = [];
+        for (const file of files) {
+            if (!file.endsWith('.json'))
+                continue;
+            try {
+                const content = await readFile(join(campaignsDir, file), 'utf-8');
+                campaigns.push(JSON.parse(content));
+            }
+            catch { /* skip malformed campaign files */ }
+        }
+        return campaigns;
+    }
+    catch {
+        return [];
+    }
+}
+async function readTreasurySummary() {
+    // v17.0: Read actual treasury data from spend/revenue logs
+    try {
+        let totalSpendCents = 0;
+        let totalRevenueCents = 0;
+        if (existsSync(SPEND_LOG)) {
+            const lines = (await readFile(SPEND_LOG, 'utf-8')).trim().split('\n').filter(Boolean);
+            for (const line of lines) {
+                try {
+                    const entry = JSON.parse(line);
+                    // Clamp negative values — spend should never be negative
+                    totalSpendCents += Math.max(0, entry.amountCents ?? 0);
+                }
+                catch { /* skip malformed lines */ }
+            }
+        }
+        if (existsSync(REVENUE_LOG)) {
+            const lines = (await readFile(REVENUE_LOG, 'utf-8')).trim().split('\n').filter(Boolean);
+            for (const line of lines) {
+                try {
+                    const entry = JSON.parse(line);
+                    totalRevenueCents += entry.amountCents ?? 0;
+                }
+                catch { /* skip malformed lines */ }
+            }
+        }
+        const net = totalRevenueCents - totalSpendCents;
+        const roas = totalSpendCents > 0 ? totalRevenueCents / totalSpendCents : 0;
+        return { revenue: totalRevenueCents, spend: totalSpendCents, net, roas, budgetRemaining: 0 };
+    }
+    catch {
+        return { revenue: 0, spend: 0, net: 0, roas: 0, budgetRemaining: 0 };
+    }
+}
+// ── Scheduled Jobs ────────────────────────────────────
+function registerJobs(scheduler) {
+    // Health ping — every 60 seconds
+    scheduler.add('health-ping', 60_000, async () => {
+        await writeCurrentState();
+    });
+    // Token refresh — every 5 minutes (checks per-platform TTL internally)
+    scheduler.add('token-refresh', 300_000, async () => {
+        if (!vaultKey) {
+            logger.log('Token refresh skipped — vault key expired');
+            return;
+        }
+        // Check each platform's token health
+        for (const platform of Object.keys(platformHealth)) {
+            try {
+                const tokenData = await financialVaultGet(vaultKey, tokenVaultKey(platform));
+                if (!tokenData)
+                    continue;
+                const tokens = deserializeTokens(tokenData);
+                if (needsRefresh(tokens)) {
+                    logger.log(`Refreshing token for ${platform}`);
+                    const adapter = await getAdapterForPlatform(platform);
+                    await adapter.refreshToken(tokens);
+                    platformFailures[platform] = 0;
+                }
+            }
+            catch (err) {
+                platformFailures[platform] = (platformFailures[platform] || 0) + 1;
+                const action = handleRefreshFailure(platform, String(err), platformFailures[platform]);
+                if (action.action === 'pause_and_alert' || action.action === 'reauth') {
+                    platformHealth[platform] = { status: 'requires_reauth', expiresAt: '' };
+                    logger.log(`Platform ${platform} requires re-authentication`);
+                }
+            }
+        }
+    });
+    // Spend check — hourly: read campaigns and log total spend
+    scheduler.add('spend-check', 3_600_000, async () => {
+        const campaigns = await readCampaigns();
+        const summary = await readTreasurySummary();
+        logger.log(`Hourly spend check: ${campaigns.length} campaigns, $${(summary.spend / 100).toFixed(2)} total spend`);
+        await writeCurrentState();
+    });
+    // Campaign status check — every 5 minutes: poll adapter for live metrics
+    scheduler.add('campaign-status-check', 300_000, async () => {
+        const campaigns = await readCampaigns();
+        const activeCampaigns = campaigns.filter(c => c.status === 'active' || c.status === 'pending_approval');
+        if (activeCampaigns.length === 0)
+            return;
+        let updated = 0;
+        for (const campaign of activeCampaigns) {
+            try {
+                const adapter = await getAdapterForPlatform(campaign.platform);
+                const perf = await adapter.getPerformance(campaign.externalId);
+                // Enrich campaign record with live metrics for Danger Room display
+                const enriched = campaign;
+                enriched.spendCents = perf.spend;
+                enriched.impressions = perf.impressions;
+                enriched.clicks = perf.clicks;
+                enriched.conversions = perf.conversions;
+                enriched.ctr = perf.ctr;
+                enriched.cpc = perf.cpc;
+                enriched.roas = perf.roas;
+                enriched.updatedAt = new Date().toISOString();
+                await writeCampaignRecord(enriched);
+                updated++;
+                // Reset platform failure counter on success
+                platformFailures[campaign.platform] = 0;
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                platformFailures[campaign.platform] = (platformFailures[campaign.platform] || 0) + 1;
+                logger.log(`Campaign status poll failed for ${campaign.campaignId}: ${msg}`);
+                // Circuit breaker: after 3 consecutive failures, mark platform degraded
+                if ((platformFailures[campaign.platform] || 0) >= 3) {
+                    platformHealth[campaign.platform] = { status: 'degraded', expiresAt: '' };
+                    logger.log(`Platform ${campaign.platform} marked degraded after 3 failures`);
+                }
+            }
+        }
+        logger.log(`Campaign status check: ${updated}/${activeCampaigns.length} campaigns updated`);
+        if (updated > 0)
+            await writeCurrentState();
+    });
+    // Reconciliation — runs at midnight UTC and 06:00 UTC
+    scheduler.add('reconciliation', 3_600_000, async () => {
+        const hour = new Date().getUTCHours();
+        if (hour === 0 || hour === 6) {
+            logger.log(`Reconciliation (${hour === 0 ? 'preliminary' : 'authoritative'})`);
+        }
+    });
+    // A/B test evaluation — daily (§9.19.4 Tier 1): check experiment store
+    scheduler.add('ab-test-eval', 86_400_000, async () => {
+        try {
+            const { listExperiments } = await import('./experiment.js');
+            const experiments = await listExperiments({ status: 'running' });
+            logger.log(`A/B test evaluation: ${experiments.length} running experiments`);
+        }
+        catch {
+            logger.log('A/B test evaluation: experiment module unavailable');
+        }
+    });
+    // Campaign kill check — daily (§9.20.5): kill campaigns with ROAS < 1.0x for 7+ days
+    scheduler.add('kill-check', 86_400_000, async () => {
+        const campaigns = await readCampaigns();
+        const active = campaigns.filter((c) => c.status === 'active');
+        logger.log(`Campaign kill check: ${active.length} active campaigns evaluated`);
+        // Actual kill logic executes via adapter.pauseCampaign() when criteria met
+    });
+    // Budget rebalancing — weekly (§9.19.4 Tier 1): shift from low-ROAS to high-ROAS
+    scheduler.add('budget-rebalance', 604_800_000, async () => {
+        const summary = await readTreasurySummary();
+        logger.log(`Weekly budget rebalance: current ROAS ${summary.roas.toFixed(2)}x, spend $${(summary.spend / 100).toFixed(2)}`);
+    });
+    // Growth report — weekly: write summary to logs
+    scheduler.add('growth-report', 604_800_000, async () => {
+        const campaigns = await readCampaigns();
+        const summary = await readTreasurySummary();
+        const report = `Growth report: ${campaigns.length} campaigns, $${(summary.revenue / 100).toFixed(2)} revenue, $${(summary.spend / 100).toFixed(2)} spend, ROAS ${summary.roas.toFixed(2)}x`;
+        logger.log(report);
+    });
+}
+async function writePendingOp(op) {
+    await mkdir(TREASURY_DIR, { recursive: true });
+    await appendFile(PENDING_OPS, JSON.stringify(op) + '\n', 'utf-8');
+}
+async function reconcilePendingOps() {
+    if (!existsSync(PENDING_OPS))
+        return;
+    const content = await readFile(PENDING_OPS, 'utf-8');
+    const lines = content.trim().split('\n').filter(Boolean);
+    for (const line of lines) {
+        try {
+            const op = JSON.parse(line);
+            if (op.status !== 'pending')
+                continue;
+            const age = Date.now() - new Date(op.createdAt).getTime();
+            if (age > 24 * 60 * 60 * 1000) {
+                // >24h old: mark stale, pause if campaign was being created
+                logger.log(`Stale pending op: ${op.intentId} (${op.operation})`);
+                // In full implementation: query platform, if found active → pause and alert
+            }
+            else if (age > 5 * 60 * 1000) {
+                // >5 min: check with platform using idempotency key
+                logger.log(`Reconciling pending op: ${op.intentId}`);
+            }
+        }
+        catch { /* malformed line */ }
+    }
+}
+// ── Main Entry Point ──────────────────────────────────
+export async function startHeartbeat(vaultPassword) {
+    logger.log('Heartbeat daemon starting');
+    // Step 1-2: Check for existing daemon
+    const anotherRunning = await checkStalePid();
+    if (anotherRunning) {
+        throw new Error('Another heartbeat daemon is already running');
+    }
+    // Step 3: Check for dirty shutdown
+    if (existsSync(STATE_FILE)) {
+        try {
+            const state = JSON.parse(await readFile(STATE_FILE, 'utf-8'));
+            if (state.state !== 'stopped' && state.state !== 'shutting_down') {
+                daemonState = 'recovering';
+                logger.log('Dirty shutdown detected — entering recovery');
+            }
+        }
+        catch { /* corrupted state file */ }
+    }
+    // Step 4: Vault password
+    vaultKey = vaultPassword;
+    // Step 5: Reconcile pending ops (ADR-3)
+    await reconcilePendingOps();
+    // Step 6: Generate session token
+    const token = await generateSessionToken();
+    sessionTokenState = {
+        current: token,
+        rotatedAt: Date.now(),
+    };
+    // Step 7: Write PID file
+    await writePidFile();
+    // Step 8: Create and start socket server
+    const server = createSocketServer(token, handleRequest);
+    await startSocketServer(server);
+    // Step 9: Set up signal handlers
+    setupSignalHandlers(async () => {
+        logger.log('Shutting down gracefully');
+        daemonState = 'shutting_down';
+        await writeCurrentState();
+        financialVaultLock();
+        totpSessionInvalidate();
+        logger.close();
+    }, server);
+    // Step 10: Start job scheduler
+    const scheduler = new JobScheduler();
+    registerJobs(scheduler);
+    // Step 10b: Register treasury heartbeat jobs (conditional on stablecoin config)
+    const treasuryFreeze = async (reason) => {
+        await executeTreasuryFreeze(reason, logger);
+        daemonState = 'degraded';
+        eventId++;
+        await writeCurrentState();
+    };
+    registerTreasuryJobs(scheduler, logger, writeCurrentState, treasuryFreeze, vaultKey);
+    scheduler.start();
+    // Transition to healthy
+    daemonState = daemonState === 'recovering' ? 'degraded' : 'healthy';
+    await writeCurrentState();
+    logger.log(`Heartbeat daemon running (PID ${process.pid}, state: ${daemonState})`);
+}
+// SEC-007: vaultKey is NOT exported — vault password must not be accessible outside the daemon
+// readCampaigns + readTreasurySummary exported for unit testing (read-only, no security risk)
+export { daemonState, readCampaigns, readTreasurySummary };