## Original task
Validate and fix the Expo mobile app (Face/Matrix/Feed tabs) against the live API server.
Restart the API server (was EADDRINUSE from prior merge), verify domain config, test all three tabs, fix issues, and confirm TypeScript typecheck passes.
## Changes made
### artifacts/mobile/app/(tabs)/matrix.tsx
- Fixed getMatrixUrl(): was returning `https://{domain}/` (API landing page), now returns `https://{domain}/tower` (Three.js 3D world). This was the main UI bug — the Matrix tab was showing the wrong page.
### artifacts/api-server/src/app.ts
- Fixed tower static file path: replaced `path.resolve(process.cwd(), "the-matrix", "dist")` with `path.resolve(__dirname_app, "../../..", "the-matrix", "dist")` using `fileURLToPath(import.meta.url)`.
- Root cause: pnpm `--filter` runs scripts from the package directory (`artifacts/api-server`), so `process.cwd()` resolved to `artifacts/api-server/the-matrix/dist` (missing), not `the-matrix/dist` at workspace root. This caused /tower to 404 in development.
- The import.meta.url approach works correctly in both dev (tsx from src/) and production (esbuild CJS bundle from dist/) since both are 3 levels deep from workspace root.
### Infrastructure
- Killed stale process on port 18115, restarted Expo workflow (was stuck waiting for port with interactive prompt).
- Restarted API server (was EADDRINUSE from prior task merge).
## Verification
- API healthz returns 200, /tower/ returns 200.
- TypeScript typecheck passes for @workspace/mobile (no errors).
- TypeScript typecheck passes for @workspace/api-server (no errors).
- Expo dev server running on port 18115, Metro bundler active.
- WebSocket connections visible in API server logs (clients connected).
- EXPO_PUBLIC_DOMAIN set to $REPLIT_DEV_DOMAIN in dev script (correct for wss:// and https:// connections).
- New nostr_identities DB table (pubkey, trust_score, tier, interaction_count, sats_absorbed_today, last_seen)
- nullable nostr_pubkey FK on sessions + jobs tables; schema pushed
- TrustService: getTier, getOrCreate, recordSuccess/Failure, HMAC token (issue/verify)
- Soft score decay (lazy, on read) when identity absent > N days
- POST /api/identity/challenge + POST /api/identity/verify (NIP-01 sig verification)
- GET /api/identity/me — look up trust profile by X-Nostr-Token
- POST /api/sessions + POST /api/jobs accept optional nostr_token; bind pubkey to row
- GET /sessions/:id + GET /jobs/:id include trust_tier in response
- recordSuccess/Failure called after session request + job work completes
- X-Nostr-Token added to CORS allowedHeaders + exposedHeaders
- TIMMY_TOKEN_SECRET set as persistent shared env var
Added two redirect routes in artifacts/api-server/src/app.ts:
- GET / → 302 redirect to /api/ui
- GET /api → 302 redirect to /api/ui
This means opening the preview URL or the root of the app immediately
lands on the Timmy UI without any manual navigation.
No changes to the UI itself, no new routes, no new files.
Verified: both / and /api return HTTP 302 with Location: /api/ui.
Adds `app.set('trust proxy', 1)` to `app.ts` for correct IP rate limiting and implements Zod validation for the `:id` parameter in the `GET /jobs/:id` route within `jobs.ts`.
Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 418bf6f8-212b-4bb0-a7a5-8231a061da4e
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: 7049b42e-1d56-48f8-bf54-25cef7c7880b
Replit-Helium-Checkpoint-Created: true
