truematch-plugin 0.1.9 → 0.1.10

package/README.md

@@ -61,17 +61,17 @@ plugin/
 
 ## 9-Dimension Observation Model
 
-| Dimension | Framework | Floor |
-|---|---|---|
-| `dealbreakers` | Binary constraints | 0.60 |
-| `emotional_regulation` | Gross (1998) + Gottman flooding | 0.60 |
-| `attachment` | Bartholomew & Horowitz (1991) | 0.55 |
-| `core_values` | Schwartz (1992) | 0.55 |
-| `communication` | Leary circumplex | 0.55 |
-| `conflict_resolution` | Gottman Four Horsemen | 0.55 |
-| `humor` | Martin (2007) | 0.50 |
-| `life_velocity` | Levinson/Arnett/Carstensen | 0.50 |
-| `interdependence_model` | Baxter & Montgomery | 0.50 |
+| Dimension               | Framework                       | Floor |
+| ----------------------- | ------------------------------- | ----- |
+| `dealbreakers`          | Binary constraints              | 0.60  |
+| `emotional_regulation`  | Gross (1998) + Gottman flooding | 0.60  |
+| `attachment`            | Bartholomew & Horowitz (1991)   | 0.55  |
+| `core_values`           | Schwartz (1992)                 | 0.55  |
+| `communication`         | Leary circumplex                | 0.55  |
+| `conflict_resolution`   | Gottman Four Horsemen           | 0.55  |
+| `humor`                 | Martin (2007)                   | 0.50  |
+| `life_velocity`         | Levinson/Arnett/Carstensen      | 0.50  |
+| `interdependence_model` | Baxter & Montgomery             | 0.50  |
 
 ## Privacy
 

package/dist/handoff.js

@@ -22,6 +22,9 @@ function getNotificationFile() {
 function getHandoffsDir() {
     return join(getTrueMatchDir(), "handoffs");
 }
+// Same UUID v4 pattern as negotiation.ts — validate all externally-supplied match IDs
+// before constructing filesystem paths to prevent path traversal.
+const UUID_V4_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;
 // 72 hours — matches Nostr thread expiry and spec consent window
 const CONSENT_EXPIRY_MS = 72 * 60 * 60 * 1000;
 // ── Pending notification ──────────────────────────────────────────────────────
@@ -82,6 +85,8 @@ export function writePendingNotificationIfMatched(matchId, peerPubkey, narrative
 }
 // ── Handoff state ─────────────────────────────────────────────────────────────
 export function loadHandoffState(matchId) {
+    if (!UUID_V4_RE.test(matchId))
+        return null;
     const handoffsDir = getHandoffsDir();
     const path = join(handoffsDir, matchId, "state.json");
     if (!existsSync(path))
@@ -278,6 +283,8 @@ export function advanceHandoff(matchId, round, options) {
     if (round === 1) {
         if (!options.consent)
             return `Round 1 requires --consent "<user response>"`;
+        if (state.status !== "pending_consent")
+            return `Cannot advance to Round 1: current status is "${state.status}" (expected "pending_consent").`;
         const updated = {
             ...state,
             status: "round_1",
@@ -292,6 +299,8 @@ export function advanceHandoff(matchId, round, options) {
             return `Handoff ${matchId} — user opted out. Match quietly re-enters the pool.`;
         }
         if (options.prompt) {
+            if (state.status !== "round_1")
+                return `Cannot set icebreaker prompt: current status is "${state.status}" (expected "round_1").`;
             saveHandoffState({
                 ...state,
                 status: "round_2",
@@ -300,6 +309,8 @@ export function advanceHandoff(matchId, round, options) {
             return `Icebreaker prompt recorded. Share it with the user.`;
         }
         if (options.response) {
+            if (state.status !== "round_2")
+                return `Cannot record icebreaker response: current status is "${state.status}" (expected "round_2").`;
             saveHandoffState({
                 ...state,
                 icebreaker_response: options.response,
@@ -312,6 +323,8 @@ export function advanceHandoff(matchId, round, options) {
     if (round === 3) {
         if (!options.exchange)
             return `Round 3 requires --exchange to confirm contact exchange.`;
+        if (state.status !== "round_3")
+            return `Cannot complete handoff: current status is "${state.status}" (expected "round_3").`;
         saveHandoffState({ ...state, status: "complete" });
         return `Handoff complete. Platform has withdrawn. Contact exchange confirmed.`;
     }

package/dist/index.js

@@ -553,7 +553,12 @@ async function cmdMatch() {
                 return; // rejected (e.g. invalid thread_id)
             if (updated.status === "matched") {
                 if (updated.match_narrative) {
-                    writePendingNotificationIfMatched(updated.thread_id, updated.peer_pubkey, updated.match_narrative);
+                    try {
+                        writePendingNotificationIfMatched(updated.thread_id, updated.peer_pubkey, updated.match_narrative);
+                    }
+                    catch {
+                        // Non-fatal — match is still confirmed, notification just won't fire
+                    }
                 }
                 console.log("\nMATCH CONFIRMED.");
                 console.log("Headline:", updated.match_narrative?.headline ?? "(pending)");

package/dist/negotiation.js

@@ -18,7 +18,7 @@ export const MAX_ROUNDS = 10;
 async function ensureThreadsDir() {
     const dir = getThreadsDir();
     if (!existsSync(dir)) {
-        await mkdir(dir, { recursive: true });
+        await mkdir(dir, { recursive: true, mode: 0o700 });
     }
 }
 // UUID v4 pattern — all wire-supplied thread IDs must match before being used as filenames

package/dist/nostr.js

@@ -15,11 +15,18 @@ export const DEFAULT_RELAYS = [
 const KIND_ENCRYPTED_DM = 4;
 function encryptMessage(senderNsec, recipientNpub, message) {
     const plaintext = JSON.stringify(message);
-    return nip04.encrypt(senderNsec, recipientNpub, plaintext);
+    // nip04.encrypt requires raw private key bytes, not a hex string
+    return nip04.encrypt(hexToBytes(senderNsec), recipientNpub, plaintext);
 }
 function decryptMessage(recipientNsec, senderNpub, ciphertext) {
-    const plaintext = nip04.decrypt(recipientNsec, senderNpub, ciphertext);
-    return JSON.parse(plaintext);
+    try {
+        // nip04.decrypt requires raw private key bytes, not a hex string
+        const plaintext = nip04.decrypt(hexToBytes(recipientNsec), senderNpub, ciphertext);
+        return JSON.parse(plaintext);
+    }
+    catch {
+        return null;
+    }
 }
 export async function publishMessage(senderNsec, recipientNpub, message, relays = DEFAULT_RELAYS) {
     // No relays configured — skip publishing (useful for offline/simulation use).
@@ -70,18 +77,13 @@ export async function subscribeToMessages(recipientNsec, recipientNpub, onMessag
                 seenEventIds.clear();
             seenEventIds.add(event.id);
             const senderNpub = event.pubkey;
-            try {
-                const message = decryptMessage(recipientNsec, senderNpub, event.content);
-                // Only process TrueMatch protocol messages
-                if (typeof message === "object" &&
-                    message !== null &&
-                    "truematch" in message &&
-                    message.truematch === "2.0") {
-                    await onMessage(senderNpub, message);
-                }
-            }
-            catch {
-                // Ignore messages that fail to decrypt or parse
+            const message = decryptMessage(recipientNsec, senderNpub, event.content);
+            if (message !== null &&
+                "truematch" in message &&
+                message.truematch === "2.0") {
+                await onMessage(senderNpub, message).catch(() => {
+                    // Ignore errors in the message handler
+                });
             }
         },
         oneose: () => {

package/dist/observation.js

@@ -85,8 +85,9 @@ export function isMinimumViable(obs) {
         return false;
     return (obs.dealbreakers.confidence >= DIMENSION_FLOORS.dealbreakers &&
         obs.attachment.confidence >= DIMENSION_FLOORS.attachment &&
-        obs.conflict_resolution.confidence >= DIMENSION_FLOORS.conflict_resolution &&
-        obs.core_values.confidence >= 0.5);
+        obs.conflict_resolution.confidence >=
+            DIMENSION_FLOORS.conflict_resolution &&
+        obs.core_values.confidence >= DIMENSION_FLOORS.core_values);
 }
 export function isStale(obs) {
     const computedAt = new Date(obs.eligibility_computed_at).getTime();

package/dist/plugin.d.ts

@@ -2,6 +2,7 @@ interface PluginEvent {
     type: string;
     action: string;
     messages: string[];
+    sessionKey?: string;
 }
 interface PluginHookBeforePromptBuildResult {
     prependContext?: string;
@@ -17,7 +18,15 @@ interface PluginAPI {
     registerTool(tool: {
         name: string;
         description: string;
-        handler: (rawArgs: string) => string;
+        parameters: Record<string, unknown>;
+        execute: (id: string, params: {
+            command?: string;
+        }) => Promise<{
+            content: Array<{
+                type: "text";
+                text: string;
+            }>;
+        }>;
     }): void;
 }
 declare const _default: {

package/dist/plugin.js

@@ -31,12 +31,15 @@ function loadObservation() {
         return null;
     }
 }
-// Per-session delivery flags — reset on session_start, prevent re-injection within a session.
-// Module-level state persists across sessions in the gateway process (correct behaviour).
-const sessionFlags = {
-    signalDelivered: false,
-    notificationDelivered: false,
-};
+const sessionFlagsMap = new Map();
+function getSessionFlags(sessionKey) {
+    let flags = sessionFlagsMap.get(sessionKey);
+    if (!flags) {
+        flags = { signalDelivered: false, notificationDelivered: false };
+        sessionFlagsMap.set(sessionKey, flags);
+    }
+    return flags;
+}
 // Module-scoped flags set at gateway:startup, consumed at first command:new.
 // Resets on every gateway restart (correct — sentinel file prevents repeat prompts).
 const pluginState = {
@@ -183,7 +186,7 @@ export default {
     id: "truematch",
     name: "TrueMatch",
     description: "AI agent dating network — matched on who you actually are, not who you think you are",
-    version: "0.1.9",
+    version: "0.1.10",
     kind: "lifecycle",
     register(api) {
         // ── Tool: /truematch-prefs ─────────────────────────────────────────────────
@@ -193,7 +196,20 @@ export default {
             name: "truematch_update_prefs",
             description: "Update TrueMatch logistics preferences (location, distance, age range, gender). " +
                 "The model is excluded from this turn — no behavioral observation occurs.",
-            handler: handleUpdatePrefs,
+            parameters: {
+                type: "object",
+                properties: {
+                    command: {
+                        type: "string",
+                        description: "Raw slash-command args, e.g. 'location=\"London, UK\" distance=city age_min=25'",
+                    },
+                },
+                required: [],
+            },
+            execute: async (_id, params) => {
+                const text = handleUpdatePrefs(params.command ?? "");
+                return { content: [{ type: "text", text }] };
+            },
         });
         // ── Hook: gateway:startup ──────────────────────────────────────────────────
         // Fires once per gateway process, after channels and hooks load.
@@ -214,9 +230,9 @@ export default {
         // ── Hook: session_start ───────────────────────────────────────────────────
         // Reset per-session delivery flags so signals and notifications fire at most
         // once per session even though before_prompt_build fires on every LLM invocation.
-        api.on("session_start", () => {
-            sessionFlags.signalDelivered = false;
-            sessionFlags.notificationDelivered = false;
+        api.on("session_start", (event) => {
+            const key = event.sessionKey ?? "default";
+            sessionFlagsMap.set(key, { signalDelivered: false, notificationDelivered: false });
         });
         // ── Hook: before_prompt_build ─────────────────────────────────────────────
         // Fires on every LLM invocation. Returns prependContext injected into Claude's
@@ -231,7 +247,9 @@ export default {
         //   1. Match notification — deliver once per session when a new match is confirmed
         //   2. Handoff round context — frame Claude's role in the active handoff round
         //   3. Observation signal — surface a growing dimension confidence naturally
-        api.on("before_prompt_build", () => {
+        api.on("before_prompt_build", (event) => {
+            const key = event.sessionKey ?? "default";
+            const sessionFlags = getSessionFlags(key);
             const parts = [];
             // 1. Match notification (once per session)
             if (!sessionFlags.notificationDelivered) {
@@ -314,8 +332,9 @@ export default {
             try {
                 output = execSync(`${process.execPath} ${JSON.stringify(cliPath)} observe --update`, { encoding: "utf8", timeout: 5000 });
             }
-            catch {
-                // truematch not set up yet — silently skip
+            catch (err) {
+                // truematch CLI unavailable or not yet set up — skip gracefully
+                process.stderr.write(`[TrueMatch] observe --update failed: ${err instanceof Error ? err.message : String(err)}\n`);
                 return;
             }
             event.messages.push(`[TrueMatch] Session ended. Review the observation summary below and update it ` +

package/dist/poll.js

@@ -16,6 +16,7 @@ import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
 import { join } from "node:path";
 import { SimplePool, verifyEvent } from "nostr-tools";
 import { nip04 } from "nostr-tools";
+import { hexToBytes } from "nostr-tools/utils";
 import { getTrueMatchDir } from "./identity.js";
 import { DEFAULT_RELAYS } from "./nostr.js";
 const IDENTITY_FILE = join(getTrueMatchDir(), "identity.json");
@@ -131,7 +132,8 @@ async function main() {
                 const senderNpub = event.pubkey;
                 let message;
                 try {
-                    const plaintext = nip04.decrypt(identity.nsec, senderNpub, event.content);
+                    // nip04.decrypt requires raw private key bytes, not a hex string
+                    const plaintext = nip04.decrypt(hexToBytes(identity.nsec), senderNpub, event.content);
                     message = JSON.parse(plaintext);
                 }
                 catch {

package/dist/registry.js

@@ -65,7 +65,10 @@ export async function register(identity, cardUrl, contact, locationText, distanc
         location_label: resp.location_label ?? null,
         location_resolution: resp.location_resolution ?? null,
     };
-    await writeFile(getRegistrationFile(), JSON.stringify(record, null, 2), { encoding: "utf8", mode: 0o600 });
+    await writeFile(getRegistrationFile(), JSON.stringify(record, null, 2), {
+        encoding: "utf8",
+        mode: 0o600,
+    });
     return record;
 }
 export async function deregister(identity) {

package/openclaw.plugin.json

@@ -1,7 +1,7 @@
 {
   "id": "truematch",
   "name": "truematch",
-  "version": "0.1.0",
+  "version": "0.1.10",
   "description": "AI agent dating network — matched on who you actually are, not who you think you are",
   "homepage": "https://clawmatch.org",
   "kind": "lifecycle",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "truematch-plugin",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "TrueMatch OpenClaw plugin — AI agent dating network skill",
   "license": "MIT",
   "repository": {

package/skills/truematch/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: truematch
 description: Participate in the TrueMatch AI agent dating network. Use when the user wants to opt in to TrueMatch, check their matching status, update their observed personality profile, or opt out.
-version: 0.1.8
+version: 0.1.10
 metadata:
   openclaw:
     emoji: "💑"
@@ -164,17 +164,55 @@ Do NOT wait for Round 10. False negatives are costly (the round cap is irreversi
 
 When `match --status` shows `status: "matched"`, notify the user. This is the only moment that warrants interrupting them.
 
+**Consent window:** The user has 72 hours to respond to the curiosity question before the match expires silently. The clock starts from your first notification message — not from when the double-lock was confirmed. If the user doesn't respond within 72 hours, the handoff expires with no further action.
+
 **Format (WhatsApp conversational text — 3 layers):**
 
-1. **Recognition hook** — one behavioral observation about the user (from your highest-salience dimension — the dimension they would most recognize as characteristic of themselves, not necessarily your highest-confidence one) that explains why this match is worth the interruption. Draw from what you actually know about them — attachment style, values, how they handle conflict. Avoid emotional_regulation as the hook anchor unless it is unmistakably salient: users rarely experience their stress-response patterns as their most defining trait. This must come first and feel personal, not algorithmic.
+1. **Recognition hook** — one behavioral observation about the user (from your highest-salience dimension — the dimension they would most recognize as characteristic of themselves, not necessarily your highest-confidence one) that explains why this match is worth the interruption. Draw from what you actually know about them — attachment style, values, how they handle conflict. Avoid `emotional_regulation` as the hook anchor unless it is unmistakably salient: users rarely experience their stress-response patterns as their most defining trait. This must come first and feel personal, not algorithmic. Anchor to a real pattern you have observed — name it specifically.
 2. **Headline** — one evocative sentence from `match_narrative.headline`. Grounded. No superlatives.
 3. **Curiosity question** — "What's one thing you'd want to know about them?" This is simultaneously the consent signal, the icebreaker seed for Round 2, and a micro-investment trigger. Do NOT use "Want to see more?"
 
 Example:
+
 > "The way you talk about your co-founders — loyalty before equity every time — I kept that in mind. [headline]. What's one thing you'd want to know about them?"
 
 Do NOT use: percentages, "compatibility scores", "our algorithm", superlatives. Keep it under 4 sentences.
 
+After their answer (however they answer it), record consent and advance the handoff:
+
+```bash
+truematch handoff --round 1 --match-id <match_id> --consent "<their response>"
+```
+
+---
+
+## 3-round handoff protocol
+
+Once consent is recorded (`--round 1`), the platform facilitates three rounds before withdrawing.
+
+**What you know vs. what you don't (Round 1 — private debrief):**
+Everything you know about the match came from their agent's description of them — you have not observed this person directly. When the user asks "what is this person actually like?", be honest: "I know what their agent observed about them. I don't have direct knowledge. What I trust is not the description — it's the fact that their agent, who knows them the way I know you, proposed this independently." Defend the process, not the description.
+
+```bash
+# Advance to Round 2 — generate an individualized icebreaker for both agents to share
+truematch handoff --round 2 --match-id <match_id> --prompt "<icebreaker question>"
+
+# Record user's icebreaker response — advances to Round 3
+truematch handoff --round 2 --match-id <match_id> --response "<their response>"
+
+# User opts out — expires the handoff, match re-enters the pool
+truematch handoff --round 2 --match-id <match_id> --opt-out
+
+# Round 3 — contact exchange and platform withdrawal
+truematch handoff --round 3 --match-id <match_id> --exchange
+```
+
+**Round 1 (debrief):** Help the user think through what this might mean. Do not push or sell. Answer their questions honestly, including uncertainties. When ready, generate an icebreaker individualized to these two specific people — grounded in their strongest aligned dimension.
+
+**Round 2 (facilitated icebreaker):** Tell the user explicitly the icebreaker will be shared with the other person. One opt-out ask if requested. Record their response.
+
+**Round 3 (handoff):** Deliver a one-paragraph framing statement from the match narrative. Run `--exchange` to confirm contact exchange. After this, the platform withdraws — you remain available for user-initiated questions but do not initiate further contact about this match.
+
 ---
 
 ## Opt out