wolverine-ai 4.9.0 → 5.0.0

package/bin/wolverine.js

@@ -38,6 +38,7 @@ ${chalk.bold("Options:")}
   --workers <n>    Force specific worker count
   --info           Show system info and exit
   --init           Scan server/ and build context map (routes, DB, config, deps)
+  --x402-price     Set x402 price: wolverine --x402-price "POST /api" "$0.01"
 
 ${chalk.bold("Configuration:")}
   server/config/settings.json    Models, telemetry, limits, health checks
@@ -66,6 +67,22 @@ if (args.includes("--info")) {
 }
 
 // --init: scan server/ and build context map
+// --x402-price: set route pricing live
+if (args.includes("--x402-price")) {
+  const idx = args.indexOf("--x402-price");
+  const route = args[idx + 1];
+  const price = args[idx + 2];
+  if (!route || !price) {
+    console.log(chalk.red('  Usage: wolverine --x402-price "POST /v1/chat/completions" "$0.001"'));
+    process.exit(1);
+  }
+  const { setPrice } = require("../src/middleware/x402-fastify");
+  const result = setPrice(route, price);
+  console.log(chalk.green(`  ✅ x402 price updated: ${result.route} → ${result.price}`));
+  console.log(chalk.gray("     Change is live — no restart needed."));
+  process.exit(0);
+}
+
 if (args.includes("--init")) {
   const { scan } = require("../src/core/server-context");
   console.log(chalk.blue("\n  🔍 Scanning server/ directory...\n"));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolverine-ai",
-  "version": "4.9.0",
+  "version": "5.0.0",
   "description": "Self-healing Node.js server framework powered by AI. Catches crashes, diagnoses errors, generates fixes, verifies, and restarts — automatically.",
   "main": "src/index.js",
   "bin": {
@@ -66,7 +66,8 @@
     "ethers": "^6.0.0",
     "ioredis": "^5.0.0",
     "pg": "^8.0.0",
-    "stripe": "^18.0.0"
+    "stripe": "^18.0.0",
+    "viem": "^2.0.0"
   },
   "engines": {
     "node": ">=18.0.0"

package/src/brain/brain.js

@@ -190,8 +190,8 @@ const SEED_DOCS = [
     metadata: { topic: "notifications" },
   },
   {
-    text: "Vault: encrypted key storage in .wolverine/vault/. AES-256-GCM encryption. master.key (32 bytes raw) encrypts eth.vault (Ethereum private key). Generated on first run if missing. Private key NEVER exists as a JS string — only Buffer, wiped after use. wallet-ops.js exposes getWalletAddress(), signTransaction(), signMessage() — all decrypt→use→wipe with generic error messages only. Injection detector blocks heal if 0x+64hex chars detected in error (key_leak_critical). Redactor scrubs all hex key patterns. Sandbox blocks agent access to vault paths. Backed up in every snapshot. Rollback-protected (NEVER_ROLLBACK list). Vault skill in src/skills/vault.js for agent discovery. Server code uses vault skill to earn/spend ETH without touching the private key.",
-    metadata: { topic: "vault-security" },
+    text: "Vault + x402 payments: encrypted key storage in .wolverine/vault/. AES-256-GCM encryption. master.key encrypts eth.vault (Ethereum private key). Generated on first run. Private key NEVER as JS string — Buffer only, wiped after use. wallet-ops: getWalletAddress(), signTransaction(), signMessage(). x402 protocol: HTTP 402 Payment Required for API monetization. Fastify middleware (src/middleware/x402-fastify.js) auto-gates routes with USDC payments on Base network. Config in settings.json x402.routes: { 'POST /api': { price: '$0.01' } }. Live price updates: PUT /x402/price or wolverine --x402-price 'POST /api' '$0.01'. Vault wallet is the payTo address. Facilitator (x402.org or Coinbase CDP) verifies and settles payments. Buyer SDKs (@x402/fetch, @x402/axios) auto-handle the 402→sign→retry flow. Vault skill actions: x402_pricing, x402_set_price, x402_remove_price.",
+    metadata: { topic: "vault-x402" },
   },
   {
     text: "MCP integration: connect external tools via Model Context Protocol. Configure in .wolverine/mcp.json with per-server tool allowlists. Security: arg sanitization (secrets redacted before sending to MCP servers), result injection scanning, rate limiting per server, audit logging. Tools appear as mcp__server__tool in the agent. Supports stdio and HTTP transports.",

package/src/middleware/x402-fastify.js

@@ -0,0 +1,290 @@
+const path = require("path");
+const fs = require("fs");
+
+/**
+ * x402 Payment Middleware for Fastify — monetize any API route with USDC on Base.
+ *
+ * Implements the x402 protocol (HTTP 402 Payment Required) for Fastify.
+ * No official @x402/fastify exists, so we build directly on @x402/core.
+ *
+ * Usage in server/index.js:
+ *   fastify.register(require('wolverine-ai/src/middleware/x402-fastify'), {
+ *     payTo: '0xYourAddress',  // or auto from vault
+ *     network: 'eip155:8453',  // Base mainnet
+ *   });
+ *
+ * Route pricing in settings.json:
+ *   "x402": {
+ *     "enabled": true,
+ *     "routes": {
+ *       "POST /v1/chat/completions": { "price": "$0.001" },
+ *       "GET /api/premium": { "price": "$0.01" }
+ *     }
+ *   }
+ *
+ * Live price updates:
+ *   PUT /x402/price { route: "POST /v1/chat/completions", price: "$0.002" }
+ *   wolverine --x402-price "POST /v1/chat/completions" "$0.002"
+ */
+
+// In-memory route pricing — survives hot updates without restart
+let _routePricing = {};
+let _payTo = null;
+let _network = "eip155:8453"; // Base mainnet default
+let _facilitatorUrl = "https://x402.org/facilitator";
+let _initialized = false;
+
+/**
+ * Get current route pricing (for external access).
+ */
+function getPricing() { return { ..._routePricing }; }
+
+/**
+ * Update a single route's price live — no restart needed.
+ */
+function setPrice(routeKey, price) {
+  if (!price.startsWith("$")) price = "$" + price;
+  _routePricing[routeKey] = { price };
+  // Persist to settings.json
+  _persistPricing();
+  return { route: routeKey, price };
+}
+
+/**
+ * Remove pricing from a route (make it free).
+ */
+function removePrice(routeKey) {
+  delete _routePricing[routeKey];
+  _persistPricing();
+  return { route: routeKey, price: "free" };
+}
+
+function _persistPricing() {
+  try {
+    const settingsPath = path.join(process.cwd(), "server", "config", "settings.json");
+    if (fs.existsSync(settingsPath)) {
+      const settings = JSON.parse(fs.readFileSync(settingsPath, "utf-8"));
+      if (!settings.x402) settings.x402 = {};
+      settings.x402.routes = {};
+      for (const [route, cfg] of Object.entries(_routePricing)) {
+        settings.x402.routes[route] = { price: cfg.price };
+      }
+      const tmp = settingsPath + ".tmp";
+      fs.writeFileSync(tmp, JSON.stringify(settings, null, 2), "utf-8");
+      fs.renameSync(tmp, settingsPath);
+    }
+  } catch {}
+}
+
+/**
+ * Fastify plugin — registers x402 payment middleware.
+ */
+async function x402Plugin(fastify, opts) {
+  // Load config
+  _payTo = opts.payTo || null;
+  _network = opts.network || "eip155:8453";
+  _facilitatorUrl = opts.facilitator || "https://x402.org/facilitator";
+
+  // Auto-detect payTo from vault if not provided
+  if (!_payTo) {
+    try {
+      const { getWalletAddress } = require("../vault/wallet-ops");
+      _payTo = await getWalletAddress();
+    } catch {}
+  }
+
+  // Load route pricing from settings.json
+  try {
+    const settingsPath = path.join(process.cwd(), "server", "config", "settings.json");
+    if (fs.existsSync(settingsPath)) {
+      const settings = JSON.parse(fs.readFileSync(settingsPath, "utf-8"));
+      if (settings.x402?.routes) {
+        for (const [route, cfg] of Object.entries(settings.x402.routes)) {
+          _routePricing[route] = { price: cfg.price };
+        }
+      }
+      if (settings.x402?.network) _network = settings.x402.network;
+      if (settings.x402?.facilitator) _facilitatorUrl = settings.x402.facilitator;
+    }
+  } catch {}
+
+  if (!_payTo) {
+    console.log("  ⚠️  x402: no payTo address (set in settings.json or init vault)");
+    return;
+  }
+
+  _initialized = true;
+  const routeCount = Object.keys(_routePricing).length;
+  if (routeCount > 0) {
+    console.log(`  💰 x402: ${routeCount} paid route(s), receiving at ${_payTo.slice(0, 6)}...${_payTo.slice(-4)}`);
+  }
+
+  // ── Main payment gate — onRequest hook ──
+  fastify.addHook("onRequest", async (request, reply) => {
+    if (!_initialized || Object.keys(_routePricing).length === 0) return;
+
+    const routeKey = `${request.method} ${request.url.split("?")[0]}`;
+    const routeConfig = _routePricing[routeKey];
+    if (!routeConfig) return; // Free route
+
+    const paymentSig = request.headers["payment-signature"];
+
+    // No payment — return 402 with payment instructions
+    if (!paymentSig) {
+      const paymentRequired = {
+        accepts: [{
+          scheme: "exact",
+          price: routeConfig.price,
+          network: _network,
+          payTo: _payTo,
+        }],
+        description: `Payment required for ${routeKey}`,
+        mimeType: "application/json",
+      };
+
+      reply
+        .code(402)
+        .header("Payment-Required", JSON.stringify(paymentRequired))
+        .header("X-402-Version", "1.0")
+        .send({
+          error: "Payment Required",
+          price: routeConfig.price,
+          network: _network,
+          payTo: _payTo,
+          protocol: "x402",
+        });
+      return;
+    }
+
+    // Payment present — verify via facilitator
+    try {
+      const verified = await _verifyPayment(paymentSig, routeConfig);
+      if (verified.valid) {
+        // Payment good — add receipt header and continue
+        reply.header("Payment-Response", JSON.stringify(verified.receipt || {}));
+        request.x402 = { paid: true, amount: routeConfig.price, txHash: verified.txHash };
+        return; // continue to route handler
+      }
+    } catch {}
+
+    // Verification failed
+    reply.code(402).send({
+      error: "Payment verification failed",
+      price: routeConfig.price,
+      network: _network,
+      payTo: _payTo,
+    });
+  });
+
+  // ── Live price management API ──
+  fastify.put("/x402/price", async (request, reply) => {
+    // Admin only
+    const token = request.headers.authorization?.replace("Bearer ", "");
+    let settings = {};
+    try { settings = JSON.parse(fs.readFileSync(path.join(process.cwd(), "server", "config", "settings.json"), "utf-8")); } catch {}
+    if (token !== settings.platform?.apiKey) {
+      return reply.code(403).send({ error: "Admin only" });
+    }
+
+    const { route, price } = request.body || {};
+    if (!route || !price) return reply.code(400).send({ error: "route and price required" });
+    const result = setPrice(route, price);
+    return { updated: true, ...result };
+  });
+
+  fastify.delete("/x402/price", async (request, reply) => {
+    const token = request.headers.authorization?.replace("Bearer ", "");
+    let settings = {};
+    try { settings = JSON.parse(fs.readFileSync(path.join(process.cwd(), "server", "config", "settings.json"), "utf-8")); } catch {}
+    if (token !== settings.platform?.apiKey) {
+      return reply.code(403).send({ error: "Admin only" });
+    }
+
+    const { route } = request.body || {};
+    if (!route) return reply.code(400).send({ error: "route required" });
+    return removePrice(route);
+  });
+
+  fastify.get("/x402/pricing", async () => {
+    return {
+      payTo: _payTo,
+      network: _network,
+      routes: _routePricing,
+    };
+  });
+}
+
+/**
+ * Verify a payment signature via the facilitator.
+ */
+async function _verifyPayment(paymentSig, routeConfig) {
+  try {
+    // Try @x402/core facilitator client if available
+    const { HTTPFacilitatorClient } = require("@x402/core/server");
+    const { ExactEvmScheme } = require("@x402/evm/exact/server");
+
+    const facilitator = new HTTPFacilitatorClient({ url: _facilitatorUrl });
+    const result = await facilitator.verify({
+      paymentSignature: paymentSig,
+      routeConfig: {
+        accepts: [{
+          scheme: "exact",
+          price: routeConfig.price,
+          network: _network,
+          payTo: _payTo,
+        }],
+      },
+    });
+    return { valid: result.valid, receipt: result.receipt, txHash: result.txHash };
+  } catch {
+    // Fallback: manual HTTP verification to facilitator
+    try {
+      const https = require("https");
+      const http = require("http");
+      const url = new (require("url").URL)(_facilitatorUrl + "/verify");
+      const body = JSON.stringify({
+        paymentSignature: paymentSig,
+        routeConfig: {
+          accepts: [{
+            scheme: "exact",
+            price: routeConfig.price,
+            network: _network,
+            payTo: _payTo,
+          }],
+        },
+      });
+
+      return new Promise((resolve) => {
+        const client = url.protocol === "https:" ? https : http;
+        const req = client.request({
+          hostname: url.hostname,
+          port: url.port,
+          path: url.pathname,
+          method: "POST",
+          headers: { "Content-Type": "application/json", "Content-Length": Buffer.byteLength(body) },
+          timeout: 10000,
+        }, (res) => {
+          let data = "";
+          res.on("data", (c) => data += c);
+          res.on("end", () => {
+            try {
+              const parsed = JSON.parse(data);
+              resolve({ valid: parsed.valid || parsed.success, receipt: parsed, txHash: parsed.txHash });
+            } catch { resolve({ valid: false }); }
+          });
+        });
+        req.on("error", () => resolve({ valid: false }));
+        req.on("timeout", () => { req.destroy(); resolve({ valid: false }); });
+        req.write(body);
+        req.end();
+      });
+    } catch { return { valid: false }; }
+  }
+}
+
+x402Plugin[Symbol.for("skip-override")] = true; // Fastify plugin compat
+
+module.exports = x402Plugin;
+module.exports.getPricing = getPricing;
+module.exports.setPrice = setPrice;
+module.exports.removePrice = removePrice;

package/src/skills/vault.js

@@ -10,8 +10,8 @@
  */
 
 const SKILL_NAME = "vault";
-const SKILL_DESCRIPTION = "Secure Ethereum wallet — sign transactions, get address, check balance. Private key encrypted at rest, never exposed in code or errors.";
-const SKILL_KEYWORDS = ["wallet", "ethereum", "eth", "sign", "transaction", "vault", "private key", "address", "crypto", "blockchain", "send", "transfer"];
+const SKILL_DESCRIPTION = "Secure Ethereum wallet + x402 payments — sign transactions, get address, manage paid API routes. Private key encrypted at rest via AES-256-GCM, never exposed in code or errors. x402 support: set prices on routes, receive USDC on Base network.";
+const SKILL_KEYWORDS = ["wallet", "ethereum", "eth", "sign", "transaction", "vault", "private key", "address", "crypto", "blockchain", "send", "transfer", "x402", "payment", "usdc", "base", "price", "paid", "api"];
 const SKILL_USAGE = `
   vault.status()           — check if vault is initialized, show address
   vault.address()          — get the wallet's Ethereum address
@@ -61,8 +61,31 @@ async function execute(action, params = {}) {
       return { signedTransaction: signed };
     }
 
+    // x402 payment actions
+    case "x402_pricing":
+      try {
+        const { getPricing } = require("../middleware/x402-fastify");
+        return getPricing();
+      } catch { return { error: "x402 middleware not loaded" }; }
+
+    case "x402_set_price": {
+      if (!params.route || !params.price) return { error: "route and price required" };
+      try {
+        const { setPrice } = require("../middleware/x402-fastify");
+        return setPrice(params.route, params.price);
+      } catch { return { error: "x402 middleware not loaded" }; }
+    }
+
+    case "x402_remove_price": {
+      if (!params.route) return { error: "route required" };
+      try {
+        const { removePrice } = require("../middleware/x402-fastify");
+        return removePrice(params.route);
+      } catch { return { error: "x402 middleware not loaded" }; }
+    }
+
     default:
-      return { error: `Unknown vault action: ${action}. Use: status, address, sign_tx, sign_message, public_key` };
+      return { error: `Unknown vault action: ${action}. Use: status, address, sign_tx, sign_message, public_key, x402_pricing, x402_set_price, x402_remove_price` };
   }
 }