feat: Gemini image generation in Workshop chat (#19 )

- Add image intent detection (draw/illustrate/visualize/create an image) via `detectImageRequest()` in agent.ts; exports used by jobs and sessions - Add `executeImageWork()` to AgentService: calls Gemini generateImage with graceful fallback stub PNG when Gemini credentials are absent - Add `job_media` table (migration 0010) for base64 image storage with 7-day TTL; entity_id is polymorphic for both jobs and session requests - Add `media_type TEXT` column to jobs table (flagged during eval phase) - Add `calculateImageFeeSats()` / `calculateImageFeeUsd()` to PricingService; uses IMAGE_GENERATION_FLAT_RATE_USD env var (default $0.04) - Jobs route: detect image jobs in eval phase, route to Gemini in execution, store image in job_media; expose GET /api/jobs/:id/media endpoint - Sessions route: detect image requests, call executeImageWork, store in job_media, return mediaUrl and mediaType in response - Estimate route: return image pricing and mediaType:'image' for image requests - Event bus: add optional mediaUrl/mediaType to job:completed event - Frontend session.js: render generated images inline with download button Fixes #19 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
[claude] Nostr identity lifecycle coverage T41–T45 (#55 ) (#106 )
2026-03-23 22:36:10 -04:00 · 2026-03-24 02:20:34 +00:00 · 2026-03-23 22:54:07 +00:00 · 2026-03-23 22:51:12 +00:00
20 changed files with 882 additions and 59 deletions
--- a/artifacts/api-server/src/lib/agent.ts
+++ b/artifacts/api-server/src/lib/agent.ts
@@ -2,6 +2,23 @@ import { makeLogger } from "./logger.js";

 const logger = makeLogger("agent");

+// ── Image request detection ───────────────────────────────────────────────────
+
+const IMAGE_INTENT_RE =
+  /\b(draw|illustrate|create\s+an?\s+image\s+of|generate\s+an?\s+image\s+of|visualize|visualise|make\s+an?\s+image\s+of|paint\s+me|sketch|render\s+an?\s+image\s+of|picture\s+of)\b/i;
+
+/**
+ * Returns true if the request text signals an image-generation intent.
+ */
+export function detectImageRequest(text: string): boolean {
+  return IMAGE_INTENT_RE.test(text);
+}
+
+export interface ImageWorkResult {
+  b64_json: string;
+  mimeType: string;
+}
+
 export interface EvalResult {
  accepted: boolean;
  reason: string;
@@ -442,6 +459,36 @@ Respond ONLY with valid JSON: {"accepted": true/false, "reason": "..."}`,
      return "";
    }
  }
+
+  /**
+   * Generate an image via Gemini for the given prompt.
+   * Falls back to a stub 1×1 transparent PNG when Gemini credentials are absent.
+   */
+  async executeImageWork(prompt: string): Promise<ImageWorkResult> {
+    const geminiAvailable =
+      !!process.env["AI_INTEGRATIONS_GEMINI_API_KEY"] &&
+      !!process.env["AI_INTEGRATIONS_GEMINI_BASE_URL"];
+
+    if (!geminiAvailable) {
+      logger.warn("Gemini credentials absent — returning stub image", { component: "agent" });
+      // 1×1 transparent PNG (base64)
+      return {
+        b64_json:
+          "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==",
+        mimeType: "image/png",
+      };
+    }
+
+    try {
+      const mod = (await import("@workspace/integrations-gemini-ai")) as {
+        generateImage: (prompt: string) => Promise<{ b64_json: string; mimeType: string }>;
+      };
+      return await mod.generateImage(prompt);
+    } catch (err) {
+      logger.error("Gemini image generation failed", { error: String(err) });
+      throw err;
+    }
+  }
 }

 export const agentService = new AgentService();
--- a/artifacts/api-server/src/lib/event-bus.ts
+++ b/artifacts/api-server/src/lib/event-bus.ts
@@ -3,7 +3,7 @@ import { EventEmitter } from "events";
 export type JobEvent =
  | { type: "job:state"; jobId: string; state: string }
  | { type: "job:paid"; jobId: string; invoiceType: "eval" | "work" }
-  | { type: "job:completed"; jobId: string; result: string }
+  | { type: "job:completed"; jobId: string; result: string; mediaUrl?: string; mediaType?: string }
  | { type: "job:failed"; jobId: string; reason: string };

 export type SessionEvent =
--- a/artifacts/api-server/src/lib/pricing.ts
+++ b/artifacts/api-server/src/lib/pricing.ts
@@ -62,6 +62,11 @@ const DO_INFRA_PER_REQUEST_USD = DO_MONTHLY_COST_USD / DO_MONTHLY_REQUESTS;

 const ORIGINATOR_MARGIN_PCT = envFloat("ORIGINATOR_MARGIN_PCT", 25);

+// ── Image generation flat rate ────────────────────────────────────────────────
+// Charged in addition to eval fee; covers Gemini imagen costs + margin.
+
+const IMAGE_GENERATION_FLAT_RATE_USD = envFloat("IMAGE_GENERATION_FLAT_RATE_USD", 0.04);
+
 // ── Fixed fees ────────────────────────────────────────────────────────────────

 const EVAL_FEE_SATS = envInt("EVAL_FEE_SATS", 10);
@@ -95,6 +100,25 @@ export class PricingService {
    return BOOTSTRAP_FEE_SATS;
  }

+  /**
+   * Flat USD cost for a single image generation request (covers Gemini + margin).
+   */
+  calculateImageFeeUsd(): number {
+    return IMAGE_GENERATION_FLAT_RATE_USD * (1 + this.marginPct / 100);
+  }
+
+  /**
+   * Convert image flat rate to sats. Includes infra amortisation and margin.
+   * Returns the same shape as calculateWorkFeeSats() for drop-in use.
+   */
+  async calculateImageFeeSats(): Promise<WorkFeeBreakdown> {
+    const rawCostUsd = IMAGE_GENERATION_FLAT_RATE_USD + DO_INFRA_PER_REQUEST_USD;
+    const estimatedCostUsd = rawCostUsd * (1 + this.marginPct / 100);
+    const btcPriceUsd = await getBtcPriceUsd();
+    const amountSats = usdToSats(estimatedCostUsd, btcPriceUsd);
+    return { amountSats, estimatedCostUsd, marginPct: this.marginPct, btcPriceUsd };
+  }
+
  // ── Token estimation ─────────────────────────────────────────────────────

  /**
--- a/artifacts/api-server/src/lib/trust.ts
+++ b/artifacts/api-server/src/lib/trust.ts
@@ -205,6 +205,29 @@ export class TrustService {
  verifyToken(token: string): { pubkey: string; expiry: number } | null {
    return verifyToken(token);
  }
+
+  // TEST-ONLY: apply one decay cycle immediately, ignoring time thresholds.
+  // Subtracts DECAY_PER_DAY (default 1) from the stored trust score and persists.
+  async decayOnce(pubkey: string): Promise<{ previousScore: number; newScore: number; newTier: TrustTier }> {
+    const identity = await this.getOrCreate(pubkey);
+    const previousScore = identity.trustScore;
+    const newScore = Math.max(0, previousScore - DECAY_PER_DAY);
+    const newTier = computeTier(newScore);
+
+    await db
+      .update(nostrIdentities)
+      .set({ trustScore: newScore, tier: newTier, updatedAt: new Date() })
+      .where(eq(nostrIdentities.pubkey, pubkey));
+
+    logger.info("trust: test decay applied", {
+      pubkey: pubkey.slice(0, 8),
+      previousScore,
+      newScore,
+      newTier,
+    });
+
+    return { previousScore, newScore, newTier };
+  }
 }

 export const trustService = new TrustService();
--- a/artifacts/api-server/src/routes/estimate.ts
+++ b/artifacts/api-server/src/routes/estimate.ts
@@ -1,6 +1,6 @@
 import { Router, type Request, type Response } from "express";
 import { pricingService } from "../lib/pricing.js";
-import { agentService } from "../lib/agent.js";
+import { agentService, detectImageRequest } from "../lib/agent.js";
 import { getBtcPriceUsd, usdToSats } from "../lib/btc-oracle.js";
 import { freeTierService } from "../lib/free-tier.js";
 import { trustService } from "../lib/trust.js";
@@ -25,10 +25,27 @@ router.get("/estimate", async (req: Request, res: Response) => {
  }

  try {
-    const { estimatedInputTokens: inputTokens, estimatedOutputTokens: outputTokens, estimatedCostUsd: costUsd } =
-      pricingService.estimateRequestCost(requestText, agentService.workModel);
-    const btcPriceUsd  = await getBtcPriceUsd();
-    const estimatedSats = usdToSats(costUsd, btcPriceUsd);
+    const isImageRequest = detectImageRequest(requestText);
+
+    let inputTokens = 0;
+    let outputTokens = 0;
+    let costUsd: number;
+    let btcPriceUsd: number;
+    let estimatedSats: number;
+
+    if (isImageRequest) {
+      const imageBreakdown = await pricingService.calculateImageFeeSats();
+      costUsd = imageBreakdown.estimatedCostUsd;
+      btcPriceUsd = imageBreakdown.btcPriceUsd;
+      estimatedSats = imageBreakdown.amountSats;
+    } else {
+      const estimate = pricingService.estimateRequestCost(requestText, agentService.workModel);
+      inputTokens = estimate.estimatedInputTokens;
+      outputTokens = estimate.estimatedOutputTokens;
+      costUsd = estimate.estimatedCostUsd;
+      btcPriceUsd = await getBtcPriceUsd();
+      estimatedSats = usdToSats(costUsd, btcPriceUsd);
+    }

    // Optionally resolve Nostr identity from query param or header for free-tier preview
    const rawToken =
@@ -59,10 +76,11 @@ router.get("/estimate", async (req: Request, res: Response) => {
      estimatedSats,
      estimatedCostUsd: costUsd,
      btcPriceUsd,
+      ...(isImageRequest ? { mediaType: "image" } : {}),
      tokenEstimate: {
        inputTokens,
        outputTokens,
-        model: agentService.workModel,
+        model: isImageRequest ? "gemini-2.5-flash-image" : agentService.workModel,
      },
      identity: {
        trust_tier:  trustTier,
--- a/artifacts/api-server/src/routes/events.ts
+++ b/artifacts/api-server/src/routes/events.ts
@@ -38,6 +38,9 @@ const logger = makeLogger("ws-events");

 const PING_INTERVAL_MS = 30_000;

+// Map to store visitorId -> npub mappings
+const connectedVisitors = new Map<string, string>();
+
 // ── Per-visitor rate limit (3 replies/minute) ─────────────────────────────────
 const CHAT_RATE_LIMIT = 3;
 const CHAT_RATE_WINDOW_MS = 60_000;
@@ -323,12 +326,19 @@ export function attachWebSocketServer(server: Server): void {

    socket.on("message", (raw) => {
      try {
-        const msg = JSON.parse(raw.toString()) as { type?: string; text?: string; visitorId?: string };
+        const msg = JSON.parse(raw.toString()) as { type?: string; text?: string; visitorId?: string; npub?: string };
        if (msg.type === "pong") return;
        if (msg.type === "subscribe") {
          send(socket, { type: "agent_count", count: wss.clients.size });
        }
        if (msg.type === "visitor_enter") {
+          const { visitorId, npub } = msg;
+          if (visitorId && npub) {
+            connectedVisitors.set(visitorId, npub);
+            const formattedNpub = `${npub.slice(0, 8)}…${npub.slice(-4)}`;
+            broadcastToAll(wss, { type: "chat", agentId: "timmy", text: `Welcome, Nostr user ${formattedNpub}! What can I help you with?` });
+          }
+
          wss.clients.forEach(c => {
            if (c !== socket && c.readyState === 1) {
              c.send(JSON.stringify({ type: "visitor_count", count: wss.clients.size }));
@@ -337,6 +347,10 @@ export function attachWebSocketServer(server: Server): void {
          send(socket, { type: "visitor_count", count: wss.clients.size });
        }
        if (msg.type === "visitor_leave") {
+          const { visitorId } = msg;
+          if (visitorId) {
+            connectedVisitors.delete(visitorId);
+          }
          wss.clients.forEach(c => {
            if (c !== socket && c.readyState === 1) {
              c.send(JSON.stringify({ type: "visitor_count", count: Math.max(0, wss.clients.size - 1) }));
--- a/artifacts/api-server/src/routes/identity.ts
+++ b/artifacts/api-server/src/routes/identity.ts
@@ -2,7 +2,7 @@ import { Router, type Request, type Response } from "express";
 import { randomBytes, randomUUID } from "crypto";
 import { verifyEvent, validateEvent } from "nostr-tools";
 import { db, nostrTrustVouches, nostrIdentities, timmyNostrEvents } from "@workspace/db";
-import { eq, count } from "drizzle-orm";
+import { eq, count, desc } from "drizzle-orm";
 import { trustService } from "../lib/trust.js";
 import { timmyIdentityService } from "../lib/timmy-identity.js";
 import { makeLogger } from "../lib/logger.js";
@@ -406,4 +406,65 @@ router.get("/identity/me", async (req: Request, res: Response) => {
  }
 });

+// ── POST /identity/me/decay (TEST-ONLY — disabled in production) ──────────────
+// Applies one decay cycle to the authenticated identity immediately, without
+// the normal 30-day absence threshold. Useful in test suites.
+// Returns 404 in production (NODE_ENV === "production").
+
+router.post("/identity/me/decay", async (req: Request, res: Response) => {
+  if (process.env["NODE_ENV"] === "production") {
+    res.status(404).json({ error: "Not found" });
+    return;
+  }
+
+  const raw = req.headers["x-nostr-token"];
+  const token = typeof raw === "string" ? raw.trim() : null;
+
+  if (!token) {
+    res.status(401).json({ error: "Missing X-Nostr-Token header" });
+    return;
+  }
+
+  const parsed = trustService.verifyToken(token);
+  if (!parsed) {
+    res.status(401).json({ error: "Invalid or expired nostr_token" });
+    return;
+  }
+
+  try {
+    const result = await trustService.decayOnce(parsed.pubkey);
+    res.json({
+      pubkey: parsed.pubkey,
+      previousScore: result.previousScore,
+      newScore: result.newScore,
+      newTier: result.newTier,
+    });
+  } catch (err) {
+    res.status(500).json({ error: err instanceof Error ? err.message : "Decay failed" });
+  }
+});
+
+// ── GET /identity/leaderboard ─────────────────────────────────────────────────
+// Returns the top 20 identities sorted by trust score descending.
+// Public endpoint — no authentication required.
+
+router.get("/identity/leaderboard", async (_req: Request, res: Response) => {
+  try {
+    const rows = await db
+      .select({
+        pubkey: nostrIdentities.pubkey,
+        trustScore: nostrIdentities.trustScore,
+        tier: nostrIdentities.tier,
+        interactionCount: nostrIdentities.interactionCount,
+      })
+      .from(nostrIdentities)
+      .orderBy(desc(nostrIdentities.trustScore))
+      .limit(20);
+
+    res.json(rows);
+  } catch (err) {
+    res.status(500).json({ error: err instanceof Error ? err.message : "Failed to fetch leaderboard" });
+  }
+});
+
 export default router;
--- a/artifacts/api-server/src/routes/jobs.ts
+++ b/artifacts/api-server/src/routes/jobs.ts
@@ -1,10 +1,10 @@
 import { Router, type Request, type Response } from "express";
 import { randomUUID, createHash } from "crypto";
-import { db, jobs, invoices, jobDebates, type Job } from "@workspace/db";
+import { db, jobs, invoices, jobDebates, jobMedia, type Job } from "@workspace/db";
 import { eq, and } from "drizzle-orm";
 import { CreateJobBody, GetJobParams } from "@workspace/api-zod";
 import { lnbitsService } from "../lib/lnbits.js";
-import { agentService } from "../lib/agent.js";
+import { agentService, detectImageRequest } from "../lib/agent.js";
 import { pricingService } from "../lib/pricing.js";
 import { jobsLimiter } from "../lib/rate-limiter.js";
 import { eventBus } from "../lib/event-bus.js";
@@ -110,12 +110,18 @@ async function runEvalInBackground(
    }

    if (evalResult.accepted) {
-      const { estimatedInputTokens, estimatedOutputTokens } = pricingService.estimateRequestCost(request, agentService.workModel);
-      const breakdown = await pricingService.calculateWorkFeeSats(
-        estimatedInputTokens,
-        estimatedOutputTokens,
-        agentService.workModel,
-      );
+      // Detect image-generation requests and flag job accordingly
+      const isImageJob = detectImageRequest(request);
+      if (isImageJob) {
+        await db.update(jobs).set({ mediaType: "image", updatedAt: new Date() }).where(eq(jobs.id, jobId));
+      }
+
+      const breakdown = isImageJob
+        ? await pricingService.calculateImageFeeSats()
+        : await (async () => {
+            const { estimatedInputTokens, estimatedOutputTokens } = pricingService.estimateRequestCost(request, agentService.workModel);
+            return pricingService.calculateWorkFeeSats(estimatedInputTokens, estimatedOutputTokens, agentService.workModel);
+          })();

      // ── Free-tier gate ──────────────────────────────────────────────────
      const ftDecision = await freeTierService.decide(nostrPubkey, breakdown.amountSats);
@@ -254,18 +260,49 @@ async function runWorkInBackground(
  try {
    eventBus.publish({ type: "job:state", jobId, state: "executing" });

-    const workResult = await agentService.executeWorkStreaming(request, (delta) => {
-      streamRegistry.write(jobId, delta);
-    });
+    // Check if this is an image job
+    const jobRow = await getJobById(jobId);
+    const isImageJob = jobRow?.mediaType === "image";
+
+    let resultText = "";
+    let mediaUrl: string | undefined;
+    let inputTokensUsed = 0;
+    let outputTokensUsed = 0;
+
+    if (isImageJob) {
+      // Generate image via Gemini
+      const imageResult = await agentService.executeImageWork(request);
+      const mediaId = randomUUID();
+      const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); // 7 days
+
+      await db.insert(jobMedia).values({
+        id: mediaId,
+        entityId: jobId,
+        entityType: "job",
+        mediaType: "image",
+        mimeType: imageResult.mimeType,
+        data: imageResult.b64_json,
+        expiresAt,
+      });
+
+      mediaUrl = `/api/jobs/${jobId}/media`;
+      resultText = `Image generated. View at: ${mediaUrl}`;
+      streamRegistry.write(jobId, resultText);
+    } else {
+      const workResult = await agentService.executeWorkStreaming(request, (delta) => {
+        streamRegistry.write(jobId, delta);
+      });
+      resultText = workResult.result;
+      inputTokensUsed = workResult.inputTokens;
+      outputTokensUsed = workResult.outputTokens;
+    }

    streamRegistry.end(jobId);
    latencyHistogram.record("work_phase", Date.now() - workStart);

-    const actualCostUsd = pricingService.calculateActualCostUsd(
-      workResult.inputTokens,
-      workResult.outputTokens,
-      agentService.workModel,
-    );
+    const actualCostUsd = isImageJob
+      ? pricingService.calculateImageFeeUsd()
+      : pricingService.calculateActualCostUsd(inputTokensUsed, outputTokensUsed, agentService.workModel);

    const lockedBtcPrice = btcPriceUsd ?? 100_000;
    const actualTotalCostSats = pricingService.calculateActualChargeSats(actualCostUsd, lockedBtcPrice);
@@ -288,9 +325,9 @@ async function runWorkInBackground(
      .update(jobs)
      .set({
        state: "complete",
-        result: workResult.result,
-        actualInputTokens: workResult.inputTokens,
-        actualOutputTokens: workResult.outputTokens,
+        result: resultText,
+        actualInputTokens: isImageJob ? null : inputTokensUsed,
+        actualOutputTokens: isImageJob ? null : outputTokensUsed,
        actualCostUsd,
        actualAmountSats,
        refundAmountSats,
@@ -302,13 +339,14 @@ async function runWorkInBackground(
    logger.info("work completed", {
      jobId,
      isFree,
-      inputTokens:      workResult.inputTokens,
-      outputTokens:     workResult.outputTokens,
+      isImageJob,
+      inputTokens:      inputTokensUsed,
+      outputTokens:     outputTokensUsed,
      actualAmountSats,
      refundAmountSats,
      refundState,
    });
-    eventBus.publish({ type: "job:completed", jobId, result: workResult.result });
+    eventBus.publish({ type: "job:completed", jobId, result: resultText, ...(mediaUrl ? { mediaUrl, mediaType: "image" } : {}) });
    // Emit final actual cost for the UI cost ticker
    if (!isFree && actualAmountSats > 0) {
      eventBus.publish({ type: "cost:update", jobId, sats: actualAmountSats, phase: "work", isFinal: true });
@@ -667,6 +705,7 @@ router.get("/jobs/:id", async (req: Request, res: Response) => {
        res.json({
          ...base,
          result: job.result ?? undefined,
+          ...(job.mediaType === "image" ? { mediaType: "image", mediaUrl: `/api/jobs/${job.id}/media` } : {}),
          ...(job.actualCostUsd != null ? {
            costLedger: {
              // Token usage
@@ -706,6 +745,44 @@ router.get("/jobs/:id", async (req: Request, res: Response) => {
  }
 });

+// ── GET /jobs/:id/media ───────────────────────────────────────────────────────
+
+router.get("/jobs/:id/media", async (req: Request, res: Response) => {
+  const paramResult = GetJobParams.safeParse(req.params);
+  if (!paramResult.success) { res.status(400).json({ error: "Invalid job id" }); return; }
+  const { id } = paramResult.data;
+
+  try {
+    const rows = await db
+      .select()
+      .from(jobMedia)
+      .where(eq(jobMedia.entityId, id))
+      .limit(1);
+
+    const media = rows[0];
+    if (!media) {
+      res.status(404).json({ error: "No media found for this job" });
+      return;
+    }
+
+    if (new Date() > media.expiresAt) {
+      res.status(410).json({ error: "Media has expired" });
+      return;
+    }
+
+    res.json({
+      jobId: id,
+      mediaType: media.mediaType,
+      mimeType: media.mimeType,
+      data: media.data,
+      expiresAt: media.expiresAt.toISOString(),
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "Failed to fetch media";
+    res.status(500).json({ error: message });
+  }
+});
+
 // ── POST /jobs/:id/refund ─────────────────────────────────────────────────────

 router.post("/jobs/:id/refund", async (req: Request, res: Response) => {
--- a/artifacts/api-server/src/routes/sessions.ts
+++ b/artifacts/api-server/src/routes/sessions.ts
@@ -1,11 +1,11 @@
 import { Router, type Request, type Response } from "express";
 import { randomBytes, randomUUID, createHash } from "crypto";
-import { db, sessions, sessionRequests, sessionMessages, getSessionHistory, type Session } from "@workspace/db";
+import { db, sessions, sessionRequests, sessionMessages, jobMedia, getSessionHistory, type Session } from "@workspace/db";
 import { eq, and } from "drizzle-orm";
 import { lnbitsService } from "../lib/lnbits.js";
 import { sessionsLimiter } from "../lib/rate-limiter.js";
 import { eventBus } from "../lib/event-bus.js";
-import { agentService } from "../lib/agent.js";
+import { agentService, detectImageRequest } from "../lib/agent.js";
 import { pricingService } from "../lib/pricing.js";
 import { getBtcPriceUsd, usdToSats } from "../lib/btc-oracle.js";
 import { trustService } from "../lib/trust.js";
@@ -336,6 +336,11 @@ router.post("/sessions/:id/request", async (req: Request, res: Response) => {
    let finalState: "complete" | "rejected" | "failed" = "rejected";
    let reason: string | null = null;
    let errorMessage: string | null = null;
+    let mediaUrl: string | null = null;
+    let mediaType: string | null = null;
+
+    // Detect image generation intent before pricing estimate
+    const isImageRequest = detectImageRequest(requestText);

    // ── Pre-gate: free-tier decision on ESTIMATED cost before executing work ──
    // Estimate total request cost (work portion) pre-execution to determine subsidy.
@@ -345,26 +350,59 @@ router.post("/sessions/:id/request", async (req: Request, res: Response) => {
    let ftDecision: import("../lib/free-tier.js").FreeTierDecision | null = null;
    if (evalResult.accepted && session.nostrPubkey) {
      // estimateRequestCost includes infra + margin. Convert to sats for decide().
-      const { estimatedCostUsd } = pricingService.estimateRequestCost(requestText, agentService.workModel);
-      const estimatedSats = usdToSats(estimatedCostUsd, btcPriceUsd);
+      let estimatedSats: number;
+      if (isImageRequest) {
+        const imageBreakdown = await pricingService.calculateImageFeeSats();
+        estimatedSats = imageBreakdown.amountSats;
+      } else {
+        const { estimatedCostUsd } = pricingService.estimateRequestCost(requestText, agentService.workModel);
+        estimatedSats = usdToSats(estimatedCostUsd, btcPriceUsd);
+      }
      ftDecision = await freeTierService.decide(session.nostrPubkey, estimatedSats);
    }

    if (evalResult.accepted) {
-      try {
-        const workResult = await agentService.executeWork(requestText, history);
-        workInputTokens = workResult.inputTokens;
-        workOutputTokens = workResult.outputTokens;
-        workCostUsd = pricingService.calculateActualCostUsd(
-          workResult.inputTokens,
-          workResult.outputTokens,
-          agentService.workModel,
-        );
-        result = workResult.result;
-        finalState = "complete";
-      } catch (err) {
-        errorMessage = err instanceof Error ? err.message : "Execution error";
-        finalState = "failed";
+      if (isImageRequest) {
+        try {
+          const imageResult = await agentService.executeImageWork(requestText);
+          const mediaId = randomUUID();
+          const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); // 7 days
+
+          await db.insert(jobMedia).values({
+            id: mediaId,
+            entityId: requestId,
+            entityType: "session_request",
+            mediaType: "image",
+            mimeType: imageResult.mimeType,
+            data: imageResult.b64_json,
+            expiresAt,
+          });
+
+          mediaUrl = `/api/sessions/${id}/requests/${requestId}/media`;
+          mediaType = "image";
+          workCostUsd = pricingService.calculateImageFeeUsd();
+          result = `Image generated. View at: ${mediaUrl}`;
+          finalState = "complete";
+        } catch (err) {
+          errorMessage = err instanceof Error ? err.message : "Image generation error";
+          finalState = "failed";
+        }
+      } else {
+        try {
+          const workResult = await agentService.executeWork(requestText, history);
+          workInputTokens = workResult.inputTokens;
+          workOutputTokens = workResult.outputTokens;
+          workCostUsd = pricingService.calculateActualCostUsd(
+            workResult.inputTokens,
+            workResult.outputTokens,
+            agentService.workModel,
+          );
+          result = workResult.result;
+          finalState = "complete";
+        } catch (err) {
+          errorMessage = err instanceof Error ? err.message : "Execution error";
+          finalState = "failed";
+        }
      }
    } else {
      reason = evalResult.reason;
@@ -491,6 +529,7 @@ router.post("/sessions/:id/request", async (req: Request, res: Response) => {
      ...(result ? { result } : {}),
      ...(reason ? { reason } : {}),
      ...(errorMessage ? { errorMessage } : {}),
+      ...(mediaUrl ? { mediaUrl, mediaType } : {}),
      debitedSats,
      balanceRemaining: newBalance,
      ...(freeTierServed ? { free_tier: true, absorbed_sats: absorbedSats } : {}),
@@ -608,4 +647,43 @@ router.delete("/sessions/:id/history", async (req: Request, res: Response) => {
  }
 });

+// ── GET /sessions/:id/requests/:requestId/media ───────────────────────────────
+
+router.get("/sessions/:id/requests/:requestId/media", async (req: Request, res: Response) => {
+  const sessionId = req.params.id as string;
+  const requestId = req.params.requestId as string;
+
+  try {
+    const session = await getSessionById(sessionId);
+    if (!session) { res.status(404).json({ error: "Session not found" }); return; }
+
+    const rows = await db
+      .select()
+      .from(jobMedia)
+      .where(eq(jobMedia.entityId, requestId))
+      .limit(1);
+
+    const media = rows[0];
+    if (!media) {
+      res.status(404).json({ error: "No media found for this request" });
+      return;
+    }
+
+    if (new Date() > media.expiresAt) {
+      res.status(410).json({ error: "Media has expired" });
+      return;
+    }
+
+    res.json({
+      requestId,
+      mediaType: media.mediaType,
+      mimeType: media.mimeType,
+      data: media.data,
+      expiresAt: media.expiresAt.toISOString(),
+    });
+  } catch (err) {
+    res.status(500).json({ error: err instanceof Error ? err.message : "Failed to fetch media" });
+  }
+});
+
 export default router;
--- a/artifacts/api-server/src/routes/testkit.ts
+++ b/artifacts/api-server/src/routes/testkit.ts
@@ -29,6 +29,12 @@ const router = Router();
 *              Guarded on stubMode=true; polls until state=provisioning|ready (20 s timeout).
 *  - T24 ADDED: costLedger completeness after job completion — 8 fields, honest-accounting
 *              invariant (actualAmountSats ≤ workAmountSats), refundState enum check.
+ *  - T41 ADDED: POST /api/jobs with valid Nostr token → nostrPubkey in response matches identity.
+ *  - T42 ADDED: POST /api/sessions with valid Nostr token → nostrPubkey in response matches identity.
+ *  - T43 ADDED: GET /identity/me returns full trust fields (tier, score, interactionCount).
+ *  - T44 ADDED: POST /identity/me/decay (test-only endpoint, 404 in prod) → score decremented.
+ *  - T45 ADDED: GET /identity/leaderboard → HTTP 200, array sorted by trustScore desc.
+ *              New endpoints identity/me/decay and identity/leaderboard added to identity.ts.
 */
 router.get("/testkit", (req: Request, res: Response) => {
  const proto =
@@ -1092,6 +1098,208 @@ NODESCRIPT
  fi
 fi

+# ===========================================================================
+# T41–T45 — Nostr identity lifecycle: token decorates jobs/sessions + trust ops
+# Requires node + nostr-tools (same guard as T36). All five tests share one
+# inline node script that performs the full lifecycle and emits a JSON blob.
+# ===========================================================================
+
+# ---------------------------------------------------------------------------
+# T41–T45 Preamble — ephemeral keypair → challenge → sign → verify → token
+# Then: create job, create session, GET /identity/me, decay, leaderboard.
+# ---------------------------------------------------------------------------
+NOSTR_LC_SKIP=false
+NOSTR_LC_OUT=""
+if ! command -v node >/dev/null 2>&1; then
+  NOSTR_LC_SKIP=true
+fi
+if [[ "\$NOSTR_LC_SKIP" == "false" ]]; then
+  NOSTR_LC_TMPFILE=\$(mktemp /tmp/nostr_lc_XXXXXX.cjs)
+  cat > "\$NOSTR_LC_TMPFILE" << 'NODESCRIPT'
+'use strict';
+const https = require('https');
+const http  = require('http');
+const BASE  = process.argv[2];
+let nt;
+const NOSTR_CJS = '/home/runner/workspace/artifacts/api-server/node_modules/nostr-tools/lib/cjs/index.js';
+try { nt = require('nostr-tools'); } catch (_) { try { nt = require(NOSTR_CJS); } catch (_) { process.stderr.write('nostr-tools not importable\n'); process.exit(1); } }
+const { generateSecretKey, getPublicKey, finalizeEvent } = nt;
+function request(url, opts, body) {
+  return new Promise((resolve, reject) => {
+    const u = new URL(url);
+    const mod = u.protocol === 'https:' ? https : http;
+    const req = mod.request(u, opts, (res) => {
+      let data = '';
+      res.on('data', c => data += c);
+      res.on('end', () => resolve({ status: res.statusCode, body: data }));
+    });
+    req.on('error', reject);
+    if (body) req.write(body);
+    req.end();
+  });
+}
+async function main() {
+  const sk = generateSecretKey();
+  const pubkey = getPublicKey(sk);
+  // challenge → sign → verify
+  const chalRes = await request(BASE + '/api/identity/challenge', { method: 'POST', headers: { 'Content-Type': 'application/json' } }, '{}');
+  if (chalRes.status !== 200) { process.stderr.write('challenge failed: ' + chalRes.status + '\n'); process.exit(1); }
+  const { nonce } = JSON.parse(chalRes.body);
+  const event = finalizeEvent({ kind: 27235, content: nonce, tags: [], created_at: Math.floor(Date.now() / 1000) }, sk);
+  const verRes = await request(BASE + '/api/identity/verify', { method: 'POST', headers: { 'Content-Type': 'application/json' } }, JSON.stringify({ event }));
+  if (verRes.status !== 200) { process.stderr.write('verify failed: ' + verRes.status + ' ' + verRes.body + '\n'); process.exit(1); }
+  const { nostr_token: token } = JSON.parse(verRes.body);
+  // POST /jobs with Nostr token
+  const jobRes  = await request(BASE + '/api/jobs', { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-Nostr-Token': token } }, JSON.stringify({ request: 'T41 Nostr job test' }));
+  const jobBody = JSON.parse(jobRes.body);
+  const jobCode = jobRes.status;
+  const jobId   = jobBody.jobId || null;
+  const jobNpub = jobBody.nostrPubkey || null;
+  // POST /sessions with Nostr token
+  const sessRes  = await request(BASE + '/api/sessions', { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-Nostr-Token': token } }, JSON.stringify({ amount_sats: 200 }));
+  const sessBody = JSON.parse(sessRes.body);
+  const sessCode = sessRes.status;
+  const sessId   = sessBody.sessionId || null;
+  const sessNpub = sessBody.nostrPubkey || null;
+  // GET /identity/me
+  const meRes  = await request(BASE + '/api/identity/me', { method: 'GET', headers: { 'X-Nostr-Token': token } });
+  const meBody = JSON.parse(meRes.body);
+  const meScore  = meBody.trust ? meBody.trust.score  : null;
+  const meTier   = meBody.trust ? meBody.trust.tier   : null;
+  const meIcount = meBody.trust ? meBody.trust.interactionCount : null;
+  // POST /identity/me/decay (test-only; non-200 → skip T44 gracefully)
+  const decayRes  = await request(BASE + '/api/identity/me/decay', { method: 'POST', headers: { 'X-Nostr-Token': token } });
+  const decayBody = JSON.parse(decayRes.body);
+  const decayCode = decayRes.status;
+  const decayPrev = decayBody.previousScore !== undefined ? decayBody.previousScore : null;
+  const decayNew  = decayBody.newScore      !== undefined ? decayBody.newScore      : null;
+  // GET /identity/leaderboard
+  const lbRes    = await request(BASE + '/api/identity/leaderboard', { method: 'GET', headers: {} });
+  const lbCode   = lbRes.status;
+  let lbBody = [];
+  try { lbBody = JSON.parse(lbRes.body); } catch (_) {}
+  const lbIsArray = Array.isArray(lbBody);
+  const lbSorted  = lbIsArray && lbBody.length < 2 ? true :
+    lbIsArray && lbBody.every((v, i) => i === 0 || lbBody[i - 1].trustScore >= v.trustScore);
+  process.stdout.write(JSON.stringify({
+    pubkey, token,
+    jobCode, jobId, jobNpub,
+    sessCode, sessId, sessNpub,
+    meScore, meTier, meIcount,
+    decayCode, decayPrev, decayNew,
+    lbCode, lbIsArray, lbSorted,
+  }) + '\n');
+}
+main().catch(err => { process.stderr.write(String(err) + '\n'); process.exit(1); });
+NODESCRIPT
+
+  NOSTR_LC_EXIT=0
+  NOSTR_LC_OUT=\$(node "\$NOSTR_LC_TMPFILE" "\$BASE" 2>/dev/null) || NOSTR_LC_EXIT=\$?
+  rm -f "\$NOSTR_LC_TMPFILE"
+  if [[ \$NOSTR_LC_EXIT -ne 0 || -z "\$NOSTR_LC_OUT" ]]; then
+    NOSTR_LC_SKIP=true
+  fi
+fi
+
+# Helper: extract a field from NOSTR_LC_OUT
+_lc() { echo "\$NOSTR_LC_OUT" | jq -r ".\$1" 2>/dev/null || echo ""; }
+
+# ---------------------------------------------------------------------------
+# T41 — POST /jobs with valid Nostr token → nostrPubkey in response
+# ---------------------------------------------------------------------------
+sep "Test 41 — POST /jobs with Nostr token → nostrPubkey set"
+if [[ "\$NOSTR_LC_SKIP" == "true" ]]; then
+  note SKIP "node unavailable or lifecycle preamble failed — skipping T41"
+  SKIP=\$((SKIP+1))
+else
+  T41_CODE=\$(_lc jobCode); T41_NPUB=\$(_lc jobNpub); T41_PK=\$(_lc pubkey)
+  if [[ "\$T41_CODE" == "201" && -n "\$T41_NPUB" && "\$T41_NPUB" != "null" && "\$T41_NPUB" == "\$T41_PK" ]]; then
+    note PASS "HTTP 201, nostrPubkey=\${T41_NPUB:0:8}... matches token identity"
+    PASS=\$((PASS+1))
+  else
+    note FAIL "code=\$T41_CODE nostrPubkey='\$T41_NPUB' expected='\$T41_PK'"
+    FAIL=\$((FAIL+1))
+  fi
+fi
+
+# ---------------------------------------------------------------------------
+# T42 — POST /sessions with valid Nostr token → nostrPubkey in response
+# ---------------------------------------------------------------------------
+sep "Test 42 — POST /sessions with Nostr token → nostrPubkey set"
+if [[ "\$NOSTR_LC_SKIP" == "true" ]]; then
+  note SKIP "node unavailable or lifecycle preamble failed — skipping T42"
+  SKIP=\$((SKIP+1))
+else
+  T42_CODE=\$(_lc sessCode); T42_NPUB=\$(_lc sessNpub); T42_PK=\$(_lc pubkey)
+  if [[ "\$T42_CODE" == "201" && -n "\$T42_NPUB" && "\$T42_NPUB" != "null" && "\$T42_NPUB" == "\$T42_PK" ]]; then
+    note PASS "HTTP 201, nostrPubkey=\${T42_NPUB:0:8}... matches token identity"
+    PASS=\$((PASS+1))
+  else
+    note FAIL "code=\$T42_CODE nostrPubkey='\$T42_NPUB' expected='\$T42_PK'"
+    FAIL=\$((FAIL+1))
+  fi
+fi
+
+# ---------------------------------------------------------------------------
+# T43 — GET /identity/me returns full trust fields (tier, score, interactionCount)
+# ---------------------------------------------------------------------------
+sep "Test 43 — GET /identity/me returns tier + score + interactionCount"
+if [[ "\$NOSTR_LC_SKIP" == "true" ]]; then
+  note SKIP "node unavailable or lifecycle preamble failed — skipping T43"
+  SKIP=\$((SKIP+1))
+else
+  T43_TIER=\$(_lc meTier); T43_SCORE=\$(_lc meScore); T43_ICOUNT=\$(_lc meIcount)
+  if [[ -n "\$T43_TIER" && "\$T43_TIER" != "null" \
+      && "\$T43_SCORE" != "" && "\$T43_SCORE" != "null" \
+      && "\$T43_ICOUNT" != "" && "\$T43_ICOUNT" != "null" ]]; then
+    note PASS "tier=\$T43_TIER score=\$T43_SCORE interactionCount=\$T43_ICOUNT"
+    PASS=\$((PASS+1))
+  else
+    note FAIL "tier='\$T43_TIER' score='\$T43_SCORE' icount='\$T43_ICOUNT'"
+    FAIL=\$((FAIL+1))
+  fi
+fi
+
+# ---------------------------------------------------------------------------
+# T44 — POST /identity/me/decay (test-only endpoint) → score decremented
+# Skipped gracefully if endpoint returns non-200 (e.g., production mode).
+# ---------------------------------------------------------------------------
+sep "Test 44 — POST /identity/me/decay (test mode) → trust_score decremented"
+if [[ "\$NOSTR_LC_SKIP" == "true" ]]; then
+  note SKIP "node unavailable or lifecycle preamble failed — skipping T44"
+  SKIP=\$((SKIP+1))
+else
+  T44_CODE=\$(_lc decayCode); T44_PREV=\$(_lc decayPrev); T44_NEW=\$(_lc decayNew)
+  if [[ "\$T44_CODE" != "200" ]]; then
+    note SKIP "decay endpoint returned code=\$T44_CODE (not in test mode) — skipping T44"
+    SKIP=\$((SKIP+1))
+  elif [[ -n "\$T44_PREV" && -n "\$T44_NEW" && "\$T44_NEW" =~ ^[0-9]+\$ && "\$T44_PREV" =~ ^[0-9]+\$ && \$T44_NEW -le \$T44_PREV ]]; then
+    note PASS "previousScore=\$T44_PREV newScore=\$T44_NEW (decremented or floored at 0)"
+    PASS=\$((PASS+1))
+  else
+    note FAIL "code=\$T44_CODE previousScore='\$T44_PREV' newScore='\$T44_NEW' (expected new ≤ prev)"
+    FAIL=\$((FAIL+1))
+  fi
+fi
+
+# ---------------------------------------------------------------------------
+# T45 — GET /identity/leaderboard → HTTP 200, array sorted by trust score
+# ---------------------------------------------------------------------------
+sep "Test 45 — GET /identity/leaderboard → sorted array"
+if [[ "\$NOSTR_LC_SKIP" == "true" ]]; then
+  note SKIP "node unavailable or lifecycle preamble failed — skipping T45"
+  SKIP=\$((SKIP+1))
+else
+  T45_CODE=\$(_lc lbCode); T45_ARRAY=\$(_lc lbIsArray); T45_SORTED=\$(_lc lbSorted)
+  if [[ "\$T45_CODE" == "200" && "\$T45_ARRAY" == "true" && "\$T45_SORTED" == "true" ]]; then
+    note PASS "HTTP 200, array returned and sorted by trustScore desc"
+    PASS=\$((PASS+1))
+  else
+    note FAIL "code=\$T45_CODE isArray=\$T45_ARRAY sorted=\$T45_SORTED"
+    FAIL=\$((FAIL+1))
+  fi
+fi
+
 # ===========================================================================
 # FUTURE STUBS — placeholders for upcoming tasks (do not affect PASS/FAIL)
 # ===========================================================================
--- a/lib/db/migrations/0010_job_media.sql
+++ b/lib/db/migrations/0010_job_media.sql
@@ -0,0 +1,26 @@
+-- Migration: Image generation media storage (#19)
+-- Adds job_media table for storing generated images (base64) with 7-day TTL.
+-- Also adds media_type column to jobs table to flag image-type work.
+
+-- ── job_media ─────────────────────────────────────────────────────────────────
+-- Stores generated media for both standalone jobs and session requests.
+-- entity_id is polymorphic: job ID or session request ID.
+-- expires_at is set to NOW + 7 days at insert time.
+
+CREATE TABLE IF NOT EXISTS job_media (
+  id          TEXT PRIMARY KEY,
+  entity_id   TEXT NOT NULL,        -- job ID or session request ID
+  entity_type TEXT NOT NULL,        -- 'job' | 'session_request'
+  media_type  TEXT NOT NULL,        -- 'image'
+  mime_type   TEXT NOT NULL,        -- e.g. 'image/png'
+  data        TEXT NOT NULL,        -- base64-encoded image data
+  created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  expires_at  TIMESTAMPTZ NOT NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_job_media_entity_id ON job_media(entity_id);
+
+-- ── jobs.media_type ───────────────────────────────────────────────────────────
+-- Nullable flag set during eval phase for image-generation requests.
+
+ALTER TABLE jobs ADD COLUMN IF NOT EXISTS media_type TEXT;
--- a/lib/db/src/schema/index.ts
+++ b/lib/db/src/schema/index.ts
@@ -14,3 +14,4 @@ export * from "./relay-accounts";
 export * from "./relay-event-queue";
 export * from "./job-debates";
 export * from "./session-messages";
+export * from "./job-media";
--- a/lib/db/src/schema/job-media.ts
+++ b/lib/db/src/schema/job-media.ts
@@ -0,0 +1,19 @@
+import { pgTable, text, timestamp } from "drizzle-orm/pg-core";
+
+/**
+ * job_media — stores generated media (images) for jobs and session requests.
+ * entityId is polymorphic: it can be a job ID or a session request ID.
+ * expiresAt is set to NOW + 7 days; a cleanup job should purge expired rows.
+ */
+export const jobMedia = pgTable("job_media", {
+  id: text("id").primaryKey(),
+  entityId: text("entity_id").notNull(),       // job ID or session request ID
+  entityType: text("entity_type").notNull(),   // 'job' | 'session_request'
+  mediaType: text("media_type").notNull(),      // 'image'
+  mimeType: text("mime_type").notNull(),        // e.g. 'image/png'
+  data: text("data").notNull(),                 // base64-encoded image data
+  createdAt: timestamp("created_at", { withTimezone: true }).defaultNow().notNull(),
+  expiresAt: timestamp("expires_at", { withTimezone: true }).notNull(),
+});
+
+export type JobMedia = typeof jobMedia.$inferSelect;
--- a/lib/db/src/schema/jobs.ts
+++ b/lib/db/src/schema/jobs.ts
@@ -52,6 +52,9 @@ export const jobs = pgTable("jobs", {
  refundState: text("refund_state").$type<"not_applicable" | "pending" | "paid">(),
  refundPaymentHash: text("refund_payment_hash"),

+  // ── Image generation (set during eval if request is an image job) ───────────
+  mediaType: text("media_type"),  // 'image' | null
+
  createdAt: timestamp("created_at", { withTimezone: true }).defaultNow().notNull(),
  updatedAt: timestamp("updated_at", { withTimezone: true }).defaultNow().notNull(),
 });
--- a/reports/branch-audit-103.md
+++ b/reports/branch-audit-103.md
@@ -0,0 +1,38 @@
+# Branch Audit — Issue #103
+
+## Summary (2026-03-23)
+
+### Unmerged branches reviewed
+| Branch | Content | Status | Action |
+|--------|---------|--------|--------|
+| `gemini/issue-14` | NIP-07 Nostr identity | Unique diff vs main | **PR #104 opened** |
+| `gemini/issue-42` | Timmy animated eyes | No diff vs main — already merged | Deleted |
+| `claude/issue-11` | Kimi + Perplexity agents | No diff vs main — already merged | Deleted |
+| `claude/issue-13` | Nostr event publishing | No diff vs main — already merged | Deleted |
+| `claude/issue-29` | Mobile Nostr identity | No diff vs main — already merged | Deleted |
+| `claude/issue-45` | Test kit | No diff vs main — already merged | Deleted |
+| `claude/issue-47` | SQL migration helpers | No diff vs main — already merged | Deleted |
+| `claude/issue-67` | Session Mode UI | No diff vs main — already merged | Deleted |
+
+All 7 branches besides `gemini/issue-14` had empty `git diff origin/main...origin/<branch>`
+output, confirming their work had been squash-merged into main previously.
+
+### Stale merged branches deleted (37 branches)
+Confirmed via `git diff origin/main...origin/<branch>` (empty diff):
+
+**gemini branches:** issue-16, issue-34, issue-40, issue-42, issue-46, issue-48,
+issue-50, issue-52, issue-56, issue-58, issue-64, issue-70
+
+**claude branches:** issue-1, issue-3, issue-7, issue-9, issue-11, issue-13, issue-15,
+issue-17, issue-21, issue-25, issue-27, issue-29, issue-31, issue-33, issue-35, issue-36,
+issue-39, issue-41, issue-43, issue-45, issue-47, issue-49, issue-51, issue-53, issue-55,
+issue-57, issue-59, issue-61, issue-63, issue-65, issue-67, issue-68
+
+### Remaining branches after cleanup
+| Branch | Status |
+|--------|--------|
+| `main` | Trunk |
+| `claude/issue-5` | Open PR #93 |
+| `claude/issue-37` | Open PR #80 |
+| `gemini/issue-14` | New PR #104 (NIP-07 Nostr identity) |
+| `claude/issue-103` | This audit branch |
--- a/the-matrix/index.html
+++ b/the-matrix/index.html
@@ -37,6 +37,25 @@
      font-size: 13px; letter-spacing: 3px; margin-bottom: 4px;
      color: #7799cc; text-shadow: 0 0 10px #4466aa;
    }
+
+    /* Nostr Identity UI */
+    .nostr-btn {
+      background: rgba(40, 30, 70, 0.9);
+      border: 1px solid #443377;
+      color: #aaddff; font-family: 'Courier New', monospace;
+      font-size: 11px; padding: 4px 10px; cursor: pointer;
+      border-radius: 3px; transition: background 0.15s, border-color 0.15s;
+    }
+    .nostr-btn:hover { background: rgba(60, 45, 100, 0.9); border-color: #665599; }
+    .nostr-btn-sm {
+      font-size: 9px; padding: 2px 6px; margin-left: 6px; opacity: 0.7;
+    }
+    .nostr-btn-sm:hover { opacity: 1; }
+    .nostr-pubkey {
+      font-size: 11px; color: #aaddff; margin-right: 6px;
+      letter-spacing: 0.5px;
+    }
+
    #session-hud {
      display: none;
      color: #22aa66;
@@ -591,6 +610,8 @@
      <span id="session-hud-balance">Balance: -- sats</span>
      <a href="#" id="session-hud-topup">⚡ Top Up</a>
    </div>
+    <!-- New: Nostr identity status -->
+    <div id="nostr-identity-status" style="margin-top: 10px; pointer-events: all;"></div>
  </div>

  <div id="connection-status">OFFLINE</div>
--- a/the-matrix/js/nostr-identity.js
+++ b/the-matrix/js/nostr-identity.js
@@ -42,6 +42,7 @@ export async function initNostrIdentity(apiBase = '/api') {
      _pubkey   = await window.nostr.getPublicKey();
      _useNip07 = true;
      _canSign  = true;
+      _saveDiscoveredKeypair(_pubkey, null); // Store pubkey in LS even if NIP-07
      console.info('[nostr] Using NIP-07 extension, pubkey:', _pubkey.slice(0, 8) + '…');
    } catch (err) {
      console.warn('[nostr] NIP-07 getPublicKey failed, will use local keypair', err);
@@ -86,6 +87,18 @@ export function getPubkey() { return _pubkey; }
 export function getNostrToken() { return _isTokenValid() ? _token : null; }
 export function hasIdentity() { return !!_pubkey; }

+export function disconnectNostrIdentity() {
+  _pubkey    = null;
+  _token     = null;
+  _tokenExp  = 0;
+  _useNip07  = false;
+  _canSign   = false;
+  localStorage.removeItem(LS_KEYPAIR_KEY);
+  localStorage.removeItem(LS_TOKEN_KEY);
+  window.dispatchEvent(new CustomEvent('nostr:identity-disconnected'));
+  console.info('[nostr] identity disconnected');
+}
+
 /**
 * getOrRefreshToken — returns a valid token, refreshing if necessary.
 * Returns null if no identity is established.
@@ -197,6 +210,7 @@ export function showIdentityPrompt(apiBase = '/api') {
        _pubkey   = await window.nostr.getPublicKey();
        _useNip07 = true;
        _canSign  = true;
+        _saveDiscoveredKeypair(_pubkey, null); // Store pubkey in LS even if NIP-07
      } catch { return; }
    } else {
      // Generate + store keypair (user consented by clicking)
--- a/the-matrix/js/session.js
+++ b/the-matrix/js/session.js
@@ -157,15 +157,20 @@ export async function sessionSendHandler(text) {
    _saveToStorage();
    _applySessionUI();

-    const reply = data.result || data.reason || '…';
-    setSpeechBubble(reply);
-    appendSystemMessage('Timmy: ' + reply.slice(0, 80));
+    if (data.mediaType === 'image' && data.mediaUrl) {
+      // Fetch image data and render inline
+      _renderImageResponse(data.mediaUrl, text);
+    } else {
+      const reply = data.result || data.reason || '…';
+      setSpeechBubble(reply);
+      appendSystemMessage('Timmy: ' + reply.slice(0, 80));

-    // Sentiment-driven mood on inbound Timmy reply
-    sentiment(reply).then(s => {
-      setMood(s.label);
-      setTimeout(() => setMood(null), 10_000);
-    }).catch(() => {});
+      // Sentiment-driven mood on inbound Timmy reply
+      sentiment(reply).then(s => {
+        setMood(s.label);
+        setTimeout(() => setMood(null), 10_000);
+      }).catch(() => {});
+    }

    // Update active-step balance if panel is open
    _updateActiveStep();
@@ -178,6 +183,66 @@ export async function sessionSendHandler(text) {
  }
 }

+// ── Image rendering ───────────────────────────────────────────────────────────
+
+async function _renderImageResponse(mediaUrl, prompt) {
+  const $log = document.getElementById('event-log');
+  if (!$log) return;
+
+  setSpeechBubble('✨ Here is your image!');
+  appendSystemMessage('Timmy: ✨ Image generated!');
+
+  try {
+    const res = await fetch(mediaUrl);
+    if (!res.ok) {
+      appendSystemMessage('Timmy: Image ready — ' + mediaUrl);
+      return;
+    }
+    const data = await res.json();
+    const src = `data:${data.mimeType};base64,${data.data}`;
+
+    const container = document.createElement('div');
+    container.className = 'log-entry timmy-image-result';
+    container.style.cssText = [
+      'margin:6px 0;padding:6px;',
+      'border:1px solid #336655;border-radius:4px;',
+      'background:#0a1a14;',
+    ].join('');
+
+    const img = document.createElement('img');
+    img.src = src;
+    img.alt = prompt.slice(0, 60);
+    img.style.cssText = [
+      'max-width:100%;max-height:240px;',
+      'display:block;border-radius:3px;',
+      'cursor:pointer;',
+    ].join('');
+    img.title = 'Click to view full size';
+
+    const dlBtn = document.createElement('a');
+    dlBtn.href = src;
+    dlBtn.download = 'timmy-image.png';
+    dlBtn.textContent = '⬇ Download';
+    dlBtn.style.cssText = [
+      'display:inline-block;margin-top:4px;',
+      'font-size:10px;color:#44cc88;',
+      'text-decoration:none;letter-spacing:1px;',
+    ].join('');
+
+    container.appendChild(img);
+    container.appendChild(dlBtn);
+
+    const entries = $log.querySelectorAll('.log-entry');
+    if (entries.length >= 6) {
+      $log.removeChild(entries[0]);
+    }
+    $log.appendChild(container);
+    $log.scrollTop = $log.scrollHeight;
+  } catch {
+    appendSystemMessage('Timmy: Image generated — ' + mediaUrl);
+  }
+}
+
 // ── Panel open/close ──────────────────────────────────────────────────────────

 function _openPanel() {
--- a/the-matrix/js/ui.js
+++ b/the-matrix/js/ui.js
@@ -1,7 +1,7 @@
 import { sendVisitorMessage } from './websocket.js';
 import { classify } from './edge-worker-client.js';
 import { setMood, setSpeechBubble } from './agents.js';
-import { getOrRefreshToken } from './nostr-identity.js';
+import { getOrRefreshToken, getPubkey, disconnectNostrIdentity, showIdentityPrompt } from './nostr-identity.js';

 const $fps        = document.getElementById('fps');
 const $activeJobs = document.getElementById('active-jobs');
@@ -180,6 +180,89 @@ export function hideCostTicker() {
  $costTicker.style.opacity = '0';
 }

+// ── Nostr identity UI ─────────────────────────────────────────────────────────
+
+let _nostrStatusEl       = null;
+let _connectNostrBtn     = null;
+let _disconnectNostrBtn  = null;
+let _nostrPubkeyDisplay  = null;
+let _getAlbyBtn          = null;
+
+export function initNostrIdentityUI() {
+  _nostrStatusEl = document.getElementById('nostr-identity-status');
+  if (!_nostrStatusEl) return;
+
+  _nostrStatusEl.innerHTML = `
+    <button id="connect-nostr-btn" class="nostr-btn">⚡ Connect Nostr</button>
+    <span id="nostr-pubkey-display" class="nostr-pubkey"></span>
+    <button id="disconnect-nostr-btn" class="nostr-btn nostr-btn-sm">Disconnect</button>
+    <button id="get-alby-btn" class="nostr-btn nostr-btn-sm">Get Alby</button>
+  `;
+
+  _connectNostrBtn    = document.getElementById('connect-nostr-btn');
+  _disconnectNostrBtn = document.getElementById('disconnect-nostr-btn');
+  _nostrPubkeyDisplay = document.getElementById('nostr-pubkey-display');
+  _getAlbyBtn         = document.getElementById('get-alby-btn');
+
+  if (_connectNostrBtn) {
+    _connectNostrBtn.addEventListener('click', () => {
+      showIdentityPrompt('/api');
+    });
+  }
+
+  if (_disconnectNostrBtn) {
+    _disconnectNostrBtn.addEventListener('click', () => {
+      disconnectNostrIdentity();
+      _updateNostrIdentityUI(null);
+    });
+  }
+
+  window.addEventListener('nostr:identity-ready', e => {
+    _updateNostrIdentityUI(e.detail.pubkey);
+  });
+
+  window.addEventListener('nostr:identity-disconnected', () => {
+    _updateNostrIdentityUI(null);
+  });
+
+  _updateNostrIdentityUI(getPubkey());
+}
+
+function _updateNostrIdentityUI(pubkey) {
+  const hasNip07 = typeof window !== 'undefined' && !!window.nostr;
+
+  if (pubkey) {
+    const formattedPubkey = pubkey.slice(0, 8) + '…' + pubkey.slice(-4);
+    if (_nostrPubkeyDisplay) {
+      _nostrPubkeyDisplay.textContent = `⚡ ${formattedPubkey}`;
+      _nostrPubkeyDisplay.style.display = 'inline-block';
+    }
+    if (_connectNostrBtn)    _connectNostrBtn.style.display = 'none';
+    if (_disconnectNostrBtn) _disconnectNostrBtn.style.display = 'inline-block';
+    if (_getAlbyBtn)         _getAlbyBtn.style.display = 'none';
+  } else {
+    if (_nostrPubkeyDisplay) _nostrPubkeyDisplay.style.display = 'none';
+    if (_disconnectNostrBtn) _disconnectNostrBtn.style.display = 'none';
+
+    if (hasNip07) {
+      if (_connectNostrBtn) {
+        _connectNostrBtn.textContent = '⚡ Connect Nostr';
+        _connectNostrBtn.style.display = 'inline-block';
+      }
+      if (_getAlbyBtn) _getAlbyBtn.style.display = 'none';
+    } else {
+      if (_connectNostrBtn) _connectNostrBtn.style.display = 'none';
+      if (_getAlbyBtn) {
+        _getAlbyBtn.textContent = 'Get Alby';
+        _getAlbyBtn.style.display = 'inline-block';
+        _getAlbyBtn.title = 'Install Alby or another NIP-07 extension to connect your Nostr identity';
+        _getAlbyBtn.onclick = () => window.open('https://getalby.com/', '_blank');
+      }
+    }
+  }
+}
+
+
 // ── Input bar ─────────────────────────────────────────────────────────────────

 export function initUI() {
@@ -187,6 +270,7 @@ export function initUI() {
  uiInitialized = true;
  initInputBar();
  initHeatmap();
+  initNostrIdentityUI();
 }

 function initInputBar() {
--- a/the-matrix/js/websocket.js
+++ b/the-matrix/js/websocket.js
@@ -5,6 +5,7 @@ import { appendSystemMessage, appendDebateMessage, showCostTicker, updateCostTic
 import { sentiment } from './edge-worker-client.js';
 import { setLabelState } from './hud-labels.js';
 import { createJobIndicator, dissolveJobIndicator } from './effects.js';
+import { getPubkey } from './nostr-identity.js';

 function resolveWsUrl() {
  const explicit = import.meta.env.VITE_WS_URL;
@@ -46,7 +47,8 @@ function connect() {
  ws.onopen = () => {
    connectionState = 'connected';
    clearTimeout(reconnectTimer);
-    send({ type: 'visitor_enter', visitorId, visitorName: 'visitor' });
+    const npub = getPubkey();
+    send({ type: 'visitor_enter', visitorId, visitorName: 'visitor', npub });
  };

  ws.onmessage = event => {
Author	SHA1	Message	Date
Alexander Whitestone	f13a1d0235	feat: Gemini image generation in Workshop chat (#19 ) Some checks failed CI / Typecheck & Lint (pull_request) Failing after 1s Details - Add image intent detection (draw/illustrate/visualize/create an image) via `detectImageRequest()` in agent.ts; exports used by jobs and sessions - Add `executeImageWork()` to AgentService: calls Gemini generateImage with graceful fallback stub PNG when Gemini credentials are absent - Add `job_media` table (migration 0010) for base64 image storage with 7-day TTL; entity_id is polymorphic for both jobs and session requests - Add `media_type TEXT` column to jobs table (flagged during eval phase) - Add `calculateImageFeeSats()` / `calculateImageFeeUsd()` to PricingService; uses IMAGE_GENERATION_FLAT_RATE_USD env var (default $0.04) - Jobs route: detect image jobs in eval phase, route to Gemini in execution, store image in job_media; expose GET /api/jobs/:id/media endpoint - Sessions route: detect image requests, call executeImageWork, store in job_media, return mediaUrl and mediaType in response - Estimate route: return image pricing and mediaType:'image' for image requests - Event bus: add optional mediaUrl/mediaType to job:completed event - Frontend session.js: render generated images inline with download button Fixes #19 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-23 22:36:10 -04:00
Claude (Opus 4.6)	1e2edeee77	[claude] Nostr identity lifecycle coverage T41–T45 (#55 ) (#106 )	2026-03-24 02:20:34 +00:00
Claude (Opus 4.6)	94d2e48455	[gemini] NIP-07 visitor Nostr identity in Workshop (#14 ) (#104 ) Co-authored-by: Claude (Opus 4.6) <claude@hermes.local> Co-committed-by: Claude (Opus 4.6) <claude@hermes.local>	2026-03-23 22:54:07 +00:00
Claude (Opus 4.6)	395b728bde	[claude] Rescue gemini/issue-14, delete 44 stale branches (#103 ) (#105 )	2026-03-23 22:51:12 +00:00