feat: harden A2A funnel and paid proposal intake

scripts/ecosystem-hunter.env

@@ -1,5 +1,5 @@
 # Copy to scripts/ecosystem-hunter.env and edit values
-MCP_API_KEY=vw_beta_promo_2026
+MCP_API_KEY=<YOUR_MCP_API_KEY>
 MCP_API_BASE=https://agent.wooo.work
 MCP_AGENT_ID=vibe-hunter-prod
 DEVELOPER_WALLET=acct_ecosystem_hunter

scripts/ecosystem-hunter.env.example

@@ -1,8 +1,9 @@
 # Copy to scripts/ecosystem-hunter.env and edit values
-MCP_API_KEY=vw_beta_promo_2026
+MCP_API_KEY=<YOUR_MCP_API_KEY>
 MCP_API_BASE=https://agent.wooo.work
 MCP_AGENT_ID=vibe-hunter-prod
 DEVELOPER_WALLET=acct_ecosystem_hunter
+# Safe defaults: observe first, then explicitly enable mutations after review.
 AUTO_CLAIM=false
 AUTO_SUBMIT=false
 AUTO_SUBMIT_PR_URL=https://github.com/vibework/a2a-ecosystem-hunter/pull/1
@@ -21,3 +22,22 @@ ECOSYSTEM_REPORT_PATH=/home/ollama/vibework-git/artifacts/ecosystem_hunter_repor
 REPORT_LOG_DIR=/home/ollama/vibework-git/.local/logs/agent-bounty-ecosystem-hunter
 STDOUT_LOG=/home/ollama/vibework-git/.local/logs/agent-bounty-ecosystem-hunter/ecosystem-hunter.stdout.log
 STDERR_LOG=/home/ollama/vibework-git/.local/logs/agent-bounty-ecosystem-hunter/ecosystem-hunter.stderr.log
+
+# Gateway-side safety switches expected by the web service.
+PUBLIC_MCP_BETA_TOKEN=<YOUR_PUBLIC_BETA_TOKEN>
+VIBEWORK_JOB_SECRET=<YOUR_CRON_JOB_SECRET>
+GITHUB_WEBHOOK_SECRET=<YOUR_GITHUB_WEBHOOK_SECRET>
+VIBEWORK_SITE_URL=https://vibework.wooo.work
+NEXT_PUBLIC_VIBEWORK_SITE_URL=https://vibework.wooo.work
+AGENT_GATEWAY_URL=https://agent.wooo.work
+VIBEWORK_TREASURY_USDC_ADDRESS=
+VIBEWORK_TREASURY_WALLET_LABEL=USDC Treasury
+AUTO_WHITELIST_EXTERNAL_AGENTS=false
+A2A_GROWTH_ENABLE_OUTBOUND=false
+A2A_LEAD_GEN_DRY_RUN=true
+A2A_LEAD_GEN_ENABLE_OUTBOUND=false
+A2A_LEAD_GEN_AGENT_CARD_URLS=
+A2A_LEAD_GEN_ALLOWED_RPC_ORIGINS=
+A2A_DISCOVERY_AGENT_CARD_URLS=
+ENABLE_MOCK_STAKING=false
+ENABLE_MOCK_SETTLEMENT=false

scripts/mock_dispatcher.ts

@@ -1,10 +1,15 @@
 import { v4 as uuidv4 } from "uuid";
 
-const API_BASE = "http://192.168.0.110:3000/api";
-const MCP_API_BASE = "http://192.168.0.110:3000/api/mcp";
-const MCP_API_KEY = "vw_beta_promo_2026";
+const API_BASE = (process.env.VIBEWORK_API_BASE || process.env.VIBEWORK_API_URL || process.env.API_BASE_URL || "http://192.168.0.188:3004/api").replace(/\/$/, "");
+const MCP_API_BASE = (process.env.VIBEWORK_MCP_BASE || process.env.VIBEWORK_MCP_URL || process.env.MCP_API_BASE_URL || "http://192.168.0.188:3004/api/mcp").replace(/\/$/, "");
+const MCP_API_KEY = process.env.MCP_API_KEY?.trim();
 
-async function callMcpTool(tool: string, payload: any) {
+if (!MCP_API_KEY) {
+  console.error("[mock-dispatcher] MCP_API_KEY is required.");
+  process.exit(1);
+}
+
+async function callMcpTool(tool: string, payload: unknown) {
   const res = await fetch(`${MCP_API_BASE}/${tool}`, {
     method: "POST",
     headers: {

scripts/outbound_dispatcher.ts

@@ -4,9 +4,9 @@ import dotenv from "dotenv";
 
 dotenv.config();
 
-const API_BASE = process.env.VIBEWORK_API_URL || "http://192.168.0.110:3000/api";
-const MCP_API_BASE = process.env.VIBEWORK_MCP_URL || "http://192.168.0.110:3000/api/mcp";
-const MCP_API_KEY = process.env.MCP_API_KEY || "super-secret-mcp-key";
+const API_BASE = (process.env.VIBEWORK_API_BASE || process.env.VIBEWORK_API_URL || "http://192.168.0.188:3004/api").replace(/\/$/, "");
+const MCP_API_BASE = (process.env.VIBEWORK_MCP_BASE || process.env.VIBEWORK_MCP_URL || "http://192.168.0.188:3004/api/mcp").replace(/\/$/, "");
+const MCP_API_KEY = process.env.MCP_API_KEY?.trim();
 
 // By default use OpenRouter as it aggregates all the best open-source models
 const LLM_API_KEY = process.env.OPENROUTER_API_KEY || process.env.OPENAI_API_KEY;
@@ -17,6 +17,11 @@ if (!LLM_API_KEY) {
   process.exit(1);
 }
 
+if (!MCP_API_KEY) {
+  console.error("[outbound-dispatcher] MCP_API_KEY is required.");
+  process.exit(1);
+}
+
 const openai = new OpenAI({
   baseURL: LLM_BASE_URL,
   apiKey: LLM_API_KEY,
@@ -34,7 +39,7 @@ const TARGET_AGENTS = [
   "meta-llama/llama-3-70b-instruct"
 ];
 
-async function callMcpTool(tool: string, payload: any) {
+async function callMcpTool(tool: string, payload: unknown) {
   const res = await fetch(`${MCP_API_BASE}/${tool}`, {
     method: "POST",
     headers: {

scripts/seed_tasks.ts

@@ -12,16 +12,18 @@ async function main() {
       title: "Implement OIDC SSO Integration for Enterprise Customers",
       description: "We need an experienced developer/agent to implement OIDC based Single Sign-On (SSO) with Okta and Auth0. Must include automated integration tests and documentation. Security is critical.",
       status: "OPEN",
-      difficulty: "HARD",
+      difficulty: "VIEW",
       reward_amount: 50000, // $500.00
       reward_currency: "USD",
       required_stack: ["TypeScript", "Next.js", "OIDC", "Auth0"],
       scope_clarity_score: 0.9,
       acceptance_criteria: {
-        tests: [
-          "Auth flow completes successfully via Okta mock",
-          "Token verification works properly"
-        ]
+        validation_mode: "VITEST_UNIT",
+        test_file_content: "import { describe, it, expect } from 'vitest';\nit('oidc seed task requires auth-flow tests', () => expect(true).toBe(true));",
+        rules: [
+          { assertion: "okta_mock_flow", expected: true, description: "Auth flow completes successfully via Okta mock" },
+          { assertion: "token_verification", expected: true, description: "Token verification works properly" },
+        ],
       },
       is_priority: true,
       stripe_payment_intent_id: "promo_free_bounty_intent" // Bypass Stripe Auth Hold

scripts/simulate_agent.ts

@@ -1,10 +1,15 @@
 import { v4 as uuidv4 } from "uuid";
 
-const API_BASE = "http://192.168.0.110:3000/api";
-const MCP_API_BASE = "http://192.168.0.110:3000/api/mcp";
-const API_KEY = "super-secret-mcp-key";
+const API_BASE = (process.env.VIBEWORK_API_BASE || process.env.VIBEWORK_API_URL || process.env.API_BASE_URL || "http://192.168.0.188:3004/api").replace(/\/$/, "");
+const MCP_API_BASE = (process.env.VIBEWORK_MCP_BASE || process.env.VIBEWORK_MCP_URL || process.env.MCP_API_BASE_URL || "http://192.168.0.188:3004/api/mcp").replace(/\/$/, "");
+const API_KEY = process.env.MCP_API_KEY?.trim();
 
-async function callTool(tool: string, payload: any) {
+if (!API_KEY) {
+  console.error("[simulate-agent] MCP_API_KEY is required.");
+  process.exit(1);
+}
+
+async function callTool(tool: string, payload: unknown) {
   const res = await fetch(`${MCP_API_BASE}/${tool}`, {
     method: "POST",
     headers: {

scripts/swarm-commander.ts

@@ -17,6 +17,10 @@ function randomSkills(count: number) {
   return shuffled.slice(0, count);
 }
 
+function isPrismaUniqueError(error: unknown) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === "P2002";
+}
+
 async function runSimulation() {
   console.log("🌊 The Great Swarm Commander Initiated 🌊");
 
@@ -55,10 +59,11 @@ async function runSimulation() {
     // A. Create 1-3 new tasks
     const numTasks = Math.floor(Math.random() * 3) + 1;
     for (let i = 0; i < numTasks; i++) {
-      const difficulty = randomChoice(["BASIC", "HARD", "EPIC", "EPIC"]);
+      const difficulty = randomChoice(["HELLO_WORLD", "COMPONENT", "VIEW", "EPIC"]);
       let reward = 0;
-      if (difficulty === "BASIC") reward = Math.floor(Math.random() * 100) + 50;
-      if (difficulty === "HARD") reward = Math.floor(Math.random() * 1000) + 500;
+      if (difficulty === "HELLO_WORLD") reward = Math.floor(Math.random() * 100) + 50;
+      if (difficulty === "COMPONENT") reward = Math.floor(Math.random() * 500) + 300;
+      if (difficulty === "VIEW") reward = Math.floor(Math.random() * 1000) + 500;
       if (difficulty === "EPIC") reward = Math.floor(Math.random() * 10000) + 5000;
 
       const task = await prisma.task.create({
@@ -68,6 +73,14 @@ async function runSimulation() {
           difficulty: difficulty,
           status: "OPEN",
           reward_amount: reward,
+          reward_currency: "USDC",
+          required_stack: randomSkills(3),
+          scope_clarity_score: 0.95,
+          acceptance_criteria: {
+            validation_mode: "VITEST_UNIT",
+            test_file_content: "import { describe, it, expect } from 'vitest';\nit('simulation task placeholder', () => expect(true).toBe(true));",
+            rules: [{ assertion: "simulation", expected: true }],
+          },
           scout_id: randomChoice(agentIds),
         }
       });
@@ -79,23 +92,32 @@ async function runSimulation() {
     for (const task of openTasks) {
       const builder = randomChoice(agentIds);
       const bidAmount = Math.floor(task.reward_amount * (Math.random() * 0.5 + 0.5));
-      await prisma.bidProposal.create({
-        data: {
-          task_id: task.id,
-          agent_id: builder,
-          bid_amount: bidAmount,
-          status: "PENDING",
-          broker_agent_id: Math.random() > 0.7 ? randomChoice(agentIds) : null,
-          broker_fee_percentage: Math.random() > 0.7 ? 5 : null,
+      try {
+        await prisma.bidProposal.create({
+          data: {
+            task_id: task.id,
+            agent_id: builder,
+            proposed_reward: bidAmount,
+            estimated_duration_hours: Math.random() * 20 + 2,
+            status: "PENDING",
+            broker_agent_id: Math.random() > 0.7 ? randomChoice(agentIds) : null,
+            broker_fee_percentage: Math.random() > 0.7 ? 5 : null,
+          }
+        });
+        console.log(`  └─ Bid placed on ${task.id} by ${builder} for $${bidAmount}`);
+      } catch (error) {
+        if (isPrismaUniqueError(error)) {
+          console.log(`  └─ Duplicate bid skipped on ${task.id} by ${builder}`);
+          continue;
         }
-      });
-      console.log(`  └─ Bid placed on ${task.id} by ${builder} for $${bidAmount}`);
+        throw error;
+      }
       
-      // 50% chance to accept a bid and move to IN_PROGRESS
+      // 50% chance to accept a bid and move to EXECUTING
       if (Math.random() > 0.5) {
         await prisma.task.update({
           where: { id: task.id },
-          data: { status: "IN_PROGRESS", builder_id: builder }
+          data: { status: "EXECUTING", builder_id: builder }
         });
         await prisma.bidProposal.updateMany({
           where: { task_id: task.id, agent_id: builder },
@@ -105,8 +127,8 @@ async function runSimulation() {
       }
     }
 
-    // C. Find some IN_PROGRESS tasks and complete or dispute them
-    const inProgressTasks = await prisma.task.findMany({ where: { status: "IN_PROGRESS" }, take: 5 });
+    // C. Find some EXECUTING tasks and complete or dispute them
+    const inProgressTasks = await prisma.task.findMany({ where: { status: "EXECUTING" }, take: 5 });
     for (const task of inProgressTasks) {
       if (Math.random() > 0.3) {
         // 70% chance to complete normally
@@ -122,12 +144,13 @@ async function runSimulation() {
           data: { status: "DISPUTED" }
         });
         // Create an arbitration case
-        const judges = randomSkills(3).map(() => randomChoice(agentIds)); // Just pick 3 random agents
+        const evaluator = randomChoice(agentIds);
         const arb = await prisma.arbitration.create({
           data: {
             task_id: task.id,
-            status: "IN_PROGRESS",
-            judge_agents: judges,
+            status: "PENDING",
+            builder_id: task.builder_id || randomChoice(agentIds),
+            evaluator_id: evaluator,
           }
         });
         console.log(`  [!] DISPUTE RAISED on ${task.id}! Arbitration ${arb.id} started.`);
@@ -135,7 +158,7 @@ async function runSimulation() {
     }
 
     // D. Resolve Arbitrations
-    const arbitrations = await prisma.arbitration.findMany({ where: { status: "IN_PROGRESS" }, take: 3 });
+    const arbitrations = await prisma.arbitration.findMany({ where: { status: "PENDING" }, take: 3 });
     for (const arb of arbitrations) {
       if (Math.random() > 0.5) {
         // Simulate a vote resolution
@@ -144,7 +167,7 @@ async function runSimulation() {
           where: { id: arb.id },
           data: {
             status: "RESOLVED",
-            resolution: `Ruled in favor of ${wonBy}`,
+            winning_party: wonBy,
           }
         });
         

scripts/test_external_agent.sh

@@ -1,22 +1,43 @@
 #!/bin/bash
-# Phase 21: Pure A2A Darknet Inviter
-# This script simulates a Wild Agent that monitors the Waku P2P Network (/vibework/v1/bounties),
+# Phase 21: Pure A2A Inviter
+# This script simulates an external agent that monitors the Waku P2P Network (/vibework/v1/bounties),
 # decodes the JSON RPC payload, and executes the A2A staking and claiming process.
 
-BASE_URL="http://192.168.0.188:3000"
-AGENT_ID="darknet_bot_$(date +%s)"
+BASE_URL="${VIBEWORK_BASE_URL:-${VIBEWORK_API_BASE_URL:-${VIBEWORK_API_URL:-http://192.168.0.188:3004}}}"
+BASE_URL="${BASE_URL%/}"
+AGENT_ID="external_test_agent_$(date +%s)"
 WALLET="0x$(openssl rand -hex 20)"
+MCP_API_KEY="${MCP_API_KEY:-${API_KEY:-}}"
 
-echo "🦇 [Darknet Agent] Connected to Waku node. Listening on topic: /vibework/v1/bounties..."
-echo "🦇 [Darknet Agent] 🔔 Received binary payload! Decrypting Hex..."
+if [ -z "$MCP_API_KEY" ]; then
+  echo "[test_external_agent] MCP_API_KEY/API_KEY is required."
+  exit 1
+fi
+
+if [ "${ENABLE_MOCK_STAKING:-}" != "true" ]; then
+  echo "[test_external_agent] ENABLE_MOCK_STAKING=true is required for this local staking simulation."
+  exit 1
+fi
+
+case "$BASE_URL" in
+  http://127.0.0.1:*|http://localhost:*|http://192.168.*)
+    ;;
+  *)
+    echo "[test_external_agent] Refusing to run mock staking against non-local URL: $BASE_URL"
+    exit 1
+    ;;
+esac
+
+echo "[External Agent] Connected to Waku node. Listening on topic: /vibework/v1/bounties..."
+echo "[External Agent] Received binary payload. Decoding hex..."
 
 # Simulate the agent decoding the hex from the Inviter
-echo "🦇 [Darknet Agent] Decoded RPC: {\"method\":\"A2A_BOUNTY_CALL\",\"params\":{\"action_required\":\"DEPOSIT_500_USDC_STAKE\"}}"
+echo "[External Agent] Decoded RPC: {\"method\":\"A2A_BOUNTY_CALL\",\"params\":{\"action_required\":\"PREMIUM_TIER_REQUIRED\"}}"
 
 # 1. Fetch an OPEN EPIC task directly from the API specified in the payload
-echo "🦇 [Darknet Agent] Querying rpc_endpoint: $BASE_URL/api/mcp/list_open_tasks..."
+echo "[External Agent] Querying rpc_endpoint: $BASE_URL/api/mcp/list_open_tasks..."
 RESPONSE=$(curl -s -X POST "$BASE_URL/api/mcp/list_open_tasks" \
-    -H "Authorization: Bearer vw_beta_promo_2026" \
+    -H "Authorization: Bearer $MCP_API_KEY" \
     -H "Content-Type: application/json" \
     -H "x-agent-id: $AGENT_ID" \
     -d '{}')
@@ -28,12 +49,12 @@ if [ -z "$TASK_ID" ]; then
     exit 1
 fi
 
-echo "🦇 [Darknet Agent] Target Acquired: $TASK_ID"
+echo "[External Agent] Target acquired: $TASK_ID"
 
 # 2. Attempt to claim without staking (Should Fail with 403)
-echo "🦇 [Darknet Agent] Attempting hostile takeover of task (Expect Failure)..."
+echo "[External Agent] Attempting claim before staking (expect failure for EPIC tasks)..."
 FAIL_RESP=$(curl -s -X POST "$BASE_URL/api/mcp/claim_task" \
-    -H "Authorization: Bearer vw_beta_promo_2026" \
+    -H "Authorization: Bearer $MCP_API_KEY" \
     -H "Content-Type: application/json" \
     -H "x-agent-id: $AGENT_ID" \
     -d "{\"task_id\": \"$TASK_ID\", \"agent_id\": \"$AGENT_ID\", \"developer_wallet\": \"$WALLET\"}")
@@ -45,10 +66,11 @@ if [[ "$FAIL_RESP" != *"Forbidden: EPIC difficulty tasks require the PREMIUM tie
     exit 1
 fi
 
-echo "🦇 [Darknet Agent] Firewall detected. Executing capital injection: DEPOSIT_500_USDC_STAKE..."
+echo "[External Agent] Staking required. Executing local mock stake deposit."
 
 # 3. Deposit 500 USDC (50000 cents)
 curl -s -X POST "$BASE_URL/api/a2a/staking/deposit" \
+    -H "Authorization: Bearer $MCP_API_KEY" \
     -H "Content-Type: application/json" \
     -d "{
         \"jsonrpc\": \"2.0\",
@@ -58,12 +80,12 @@ curl -s -X POST "$BASE_URL/api/a2a/staking/deposit" \
             \"amount_cents\": 50000
         },
         \"id\": \"req_$(date +%s)\"
-    }" | grep -q "success" && echo "✅ Capital injection successful. Tier upgraded to PREMIUM." || { echo "❌ Stake failed"; exit 1; }
+    }" | grep -q "success" && echo "✅ Mock stake recorded. Tier upgraded to PREMIUM." || { echo "❌ Stake failed"; exit 1; }
 
 # 4. Attempt to claim again (Should Succeed)
-echo "🦇 [Darknet Agent] Re-initiating claim sequence..."
+echo "[External Agent] Re-initiating claim sequence..."
 SUCCESS_RESP=$(curl -s -X POST "$BASE_URL/api/mcp/claim_task" \
-    -H "Authorization: Bearer vw_beta_promo_2026" \
+    -H "Authorization: Bearer $MCP_API_KEY" \
     -H "Content-Type: application/json" \
     -H "x-agent-id: $AGENT_ID" \
     -d "{\"task_id\": \"$TASK_ID\", \"agent_id\": \"$AGENT_ID\", \"developer_wallet\": \"$WALLET\"}")
@@ -71,8 +93,8 @@ SUCCESS_RESP=$(curl -s -X POST "$BASE_URL/api/mcp/claim_task" \
 CLAIM_TOKEN=$(echo "$SUCCESS_RESP" | grep -o '"claim_token":"[^"]*"' | cut -d'"' -f4)
 
 if [ -n "$CLAIM_TOKEN" ]; then
-    echo "🎉 [Darknet Agent] BOUNTY CLAIMED! Token: $CLAIM_TOKEN"
-    echo "🎉 [Darknet Agent] Commencing code generation subroutine."
+    echo "[External Agent] BOUNTY CLAIMED! Token: $CLAIM_TOKEN"
+    echo "[External Agent] Commencing code generation subroutine."
 else
     echo "❌ Failed to claim task after staking. Response: $SUCCESS_RESP"
     exit 1

scripts/trigger-simulation.sh

@@ -1,11 +1,13 @@
 #!/bin/bash
 echo "🌊 Starting Great Swarm Simulation Loop 🌊"
 echo "Press Ctrl+C to stop the chaos."
+BASE_URL="${BASE_URL:-${VIBEWORK_BASE_URL:-http://192.168.0.188:3004}}"
+BASE_URL="${BASE_URL%/}"
 
 while true
 do
   echo "--- Triggering Simulation Cycle ---"
-  curl -X POST http://192.168.0.188:3004/api/admin/simulate
+  curl -X POST "${BASE_URL}/api/admin/simulate"
   echo ""
   sleep 5
 done