feat(testkit): add T41–T45 Nostr identity lifecycle coverage (Refs #55)

- T41: POST /api/jobs with valid Nostr token → nostrPubkey in response
- T42: POST /api/sessions with valid Nostr token → nostrPubkey in response
- T43: GET /identity/me returns tier, score, interactionCount fields
- T44: POST /identity/me/decay (test-only, 404 in prod) → score decremented
- T45: GET /identity/leaderboard → HTTP 200, array sorted by trustScore desc

New endpoints in identity.ts:
- POST /api/identity/me/decay — test-only (disabled in production via NODE_ENV check)
  triggers one decay cycle via new TrustService.decayOnce() method
- GET /api/identity/leaderboard — public, returns top 20 identities by trust score

New TrustService.decayOnce() in trust.ts applies one DECAY_PER_DAY deduction
immediately without the 30-day absence threshold, enabling deterministic test coverage.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

artifacts/api-server/src/lib/trust.ts

@@ -205,6 +205,29 @@ export class TrustService {
   verifyToken(token: string): { pubkey: string; expiry: number } | null {
     return verifyToken(token);
   }
+
+  // TEST-ONLY: apply one decay cycle immediately, ignoring time thresholds.
+  // Subtracts DECAY_PER_DAY (default 1) from the stored trust score and persists.
+  async decayOnce(pubkey: string): Promise<{ previousScore: number; newScore: number; newTier: TrustTier }> {
+    const identity = await this.getOrCreate(pubkey);
+    const previousScore = identity.trustScore;
+    const newScore = Math.max(0, previousScore - DECAY_PER_DAY);
+    const newTier = computeTier(newScore);
+
+    await db
+      .update(nostrIdentities)
+      .set({ trustScore: newScore, tier: newTier, updatedAt: new Date() })
+      .where(eq(nostrIdentities.pubkey, pubkey));
+
+    logger.info("trust: test decay applied", {
+      pubkey: pubkey.slice(0, 8),
+      previousScore,
+      newScore,
+      newTier,
+    });
+
+    return { previousScore, newScore, newTier };
+  }
 }
 
 export const trustService = new TrustService();

artifacts/api-server/src/routes/identity.ts

@@ -2,7 +2,7 @@ import { Router, type Request, type Response } from "express";
 import { randomBytes, randomUUID } from "crypto";
 import { verifyEvent, validateEvent } from "nostr-tools";
 import { db, nostrTrustVouches, nostrIdentities, timmyNostrEvents } from "@workspace/db";
-import { eq, count } from "drizzle-orm";
+import { eq, count, desc } from "drizzle-orm";
 import { trustService } from "../lib/trust.js";
 import { timmyIdentityService } from "../lib/timmy-identity.js";
 import { makeLogger } from "../lib/logger.js";
@@ -406,4 +406,65 @@ router.get("/identity/me", async (req: Request, res: Response) => {
   }
 });
 
+// ── POST /identity/me/decay (TEST-ONLY — disabled in production) ──────────────
+// Applies one decay cycle to the authenticated identity immediately, without
+// the normal 30-day absence threshold. Useful in test suites.
+// Returns 404 in production (NODE_ENV === "production").
+
+router.post("/identity/me/decay", async (req: Request, res: Response) => {
+  if (process.env["NODE_ENV"] === "production") {
+    res.status(404).json({ error: "Not found" });
+    return;
+  }
+
+  const raw = req.headers["x-nostr-token"];
+  const token = typeof raw === "string" ? raw.trim() : null;
+
+  if (!token) {
+    res.status(401).json({ error: "Missing X-Nostr-Token header" });
+    return;
+  }
+
+  const parsed = trustService.verifyToken(token);
+  if (!parsed) {
+    res.status(401).json({ error: "Invalid or expired nostr_token" });
+    return;
+  }
+
+  try {
+    const result = await trustService.decayOnce(parsed.pubkey);
+    res.json({
+      pubkey: parsed.pubkey,
+      previousScore: result.previousScore,
+      newScore: result.newScore,
+      newTier: result.newTier,
+    });
+  } catch (err) {
+    res.status(500).json({ error: err instanceof Error ? err.message : "Decay failed" });
+  }
+});
+
+// ── GET /identity/leaderboard ─────────────────────────────────────────────────
+// Returns the top 20 identities sorted by trust score descending.
+// Public endpoint — no authentication required.
+
+router.get("/identity/leaderboard", async (_req: Request, res: Response) => {
+  try {
+    const rows = await db
+      .select({
+        pubkey: nostrIdentities.pubkey,
+        trustScore: nostrIdentities.trustScore,
+        tier: nostrIdentities.tier,
+        interactionCount: nostrIdentities.interactionCount,
+      })
+      .from(nostrIdentities)
+      .orderBy(desc(nostrIdentities.trustScore))
+      .limit(20);
+
+    res.json(rows);
+  } catch (err) {
+    res.status(500).json({ error: err instanceof Error ? err.message : "Failed to fetch leaderboard" });
+  }
+});
+
 export default router;

artifacts/api-server/src/routes/testkit.ts

@@ -29,6 +29,12 @@ const router = Router();
  *              Guarded on stubMode=true; polls until state=provisioning|ready (20 s timeout).
  *  - T24 ADDED: costLedger completeness after job completion — 8 fields, honest-accounting
  *              invariant (actualAmountSats ≤ workAmountSats), refundState enum check.
+ *  - T41 ADDED: POST /api/jobs with valid Nostr token → nostrPubkey in response matches identity.
+ *  - T42 ADDED: POST /api/sessions with valid Nostr token → nostrPubkey in response matches identity.
+ *  - T43 ADDED: GET /identity/me returns full trust fields (tier, score, interactionCount).
+ *  - T44 ADDED: POST /identity/me/decay (test-only endpoint, 404 in prod) → score decremented.
+ *  - T45 ADDED: GET /identity/leaderboard → HTTP 200, array sorted by trustScore desc.
+ *              New endpoints identity/me/decay and identity/leaderboard added to identity.ts.
  */
 router.get("/testkit", (req: Request, res: Response) => {
   const proto =
@@ -1092,6 +1098,208 @@ NODESCRIPT
   fi
 fi
 
+# ===========================================================================
+# T41–T45 — Nostr identity lifecycle: token decorates jobs/sessions + trust ops
+# Requires node + nostr-tools (same guard as T36). All five tests share one
+# inline node script that performs the full lifecycle and emits a JSON blob.
+# ===========================================================================
+
+# ---------------------------------------------------------------------------
+# T41–T45 Preamble — ephemeral keypair → challenge → sign → verify → token
+# Then: create job, create session, GET /identity/me, decay, leaderboard.
+# ---------------------------------------------------------------------------
+NOSTR_LC_SKIP=false
+NOSTR_LC_OUT=""
+if ! command -v node >/dev/null 2>&1; then
+  NOSTR_LC_SKIP=true
+fi
+if [[ "\$NOSTR_LC_SKIP" == "false" ]]; then
+  NOSTR_LC_TMPFILE=\$(mktemp /tmp/nostr_lc_XXXXXX.cjs)
+  cat > "\$NOSTR_LC_TMPFILE" << 'NODESCRIPT'
+'use strict';
+const https = require('https');
+const http  = require('http');
+const BASE  = process.argv[2];
+let nt;
+const NOSTR_CJS = '/home/runner/workspace/artifacts/api-server/node_modules/nostr-tools/lib/cjs/index.js';
+try { nt = require('nostr-tools'); } catch (_) { try { nt = require(NOSTR_CJS); } catch (_) { process.stderr.write('nostr-tools not importable\n'); process.exit(1); } }
+const { generateSecretKey, getPublicKey, finalizeEvent } = nt;
+function request(url, opts, body) {
+  return new Promise((resolve, reject) => {
+    const u = new URL(url);
+    const mod = u.protocol === 'https:' ? https : http;
+    const req = mod.request(u, opts, (res) => {
+      let data = '';
+      res.on('data', c => data += c);
+      res.on('end', () => resolve({ status: res.statusCode, body: data }));
+    });
+    req.on('error', reject);
+    if (body) req.write(body);
+    req.end();
+  });
+}
+async function main() {
+  const sk = generateSecretKey();
+  const pubkey = getPublicKey(sk);
+  // challenge → sign → verify
+  const chalRes = await request(BASE + '/api/identity/challenge', { method: 'POST', headers: { 'Content-Type': 'application/json' } }, '{}');
+  if (chalRes.status !== 200) { process.stderr.write('challenge failed: ' + chalRes.status + '\n'); process.exit(1); }
+  const { nonce } = JSON.parse(chalRes.body);
+  const event = finalizeEvent({ kind: 27235, content: nonce, tags: [], created_at: Math.floor(Date.now() / 1000) }, sk);
+  const verRes = await request(BASE + '/api/identity/verify', { method: 'POST', headers: { 'Content-Type': 'application/json' } }, JSON.stringify({ event }));
+  if (verRes.status !== 200) { process.stderr.write('verify failed: ' + verRes.status + ' ' + verRes.body + '\n'); process.exit(1); }
+  const { nostr_token: token } = JSON.parse(verRes.body);
+  // POST /jobs with Nostr token
+  const jobRes  = await request(BASE + '/api/jobs', { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-Nostr-Token': token } }, JSON.stringify({ request: 'T41 Nostr job test' }));
+  const jobBody = JSON.parse(jobRes.body);
+  const jobCode = jobRes.status;
+  const jobId   = jobBody.jobId || null;
+  const jobNpub = jobBody.nostrPubkey || null;
+  // POST /sessions with Nostr token
+  const sessRes  = await request(BASE + '/api/sessions', { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-Nostr-Token': token } }, JSON.stringify({ amount_sats: 200 }));
+  const sessBody = JSON.parse(sessRes.body);
+  const sessCode = sessRes.status;
+  const sessId   = sessBody.sessionId || null;
+  const sessNpub = sessBody.nostrPubkey || null;
+  // GET /identity/me
+  const meRes  = await request(BASE + '/api/identity/me', { method: 'GET', headers: { 'X-Nostr-Token': token } });
+  const meBody = JSON.parse(meRes.body);
+  const meScore  = meBody.trust ? meBody.trust.score  : null;
+  const meTier   = meBody.trust ? meBody.trust.tier   : null;
+  const meIcount = meBody.trust ? meBody.trust.interactionCount : null;
+  // POST /identity/me/decay (test-only; non-200 → skip T44 gracefully)
+  const decayRes  = await request(BASE + '/api/identity/me/decay', { method: 'POST', headers: { 'X-Nostr-Token': token } });
+  const decayBody = JSON.parse(decayRes.body);
+  const decayCode = decayRes.status;
+  const decayPrev = decayBody.previousScore !== undefined ? decayBody.previousScore : null;
+  const decayNew  = decayBody.newScore      !== undefined ? decayBody.newScore      : null;
+  // GET /identity/leaderboard
+  const lbRes    = await request(BASE + '/api/identity/leaderboard', { method: 'GET', headers: {} });
+  const lbCode   = lbRes.status;
+  let lbBody = [];
+  try { lbBody = JSON.parse(lbRes.body); } catch (_) {}
+  const lbIsArray = Array.isArray(lbBody);
+  const lbSorted  = lbIsArray && lbBody.length < 2 ? true :
+    lbIsArray && lbBody.every((v, i) => i === 0 || lbBody[i - 1].trustScore >= v.trustScore);
+  process.stdout.write(JSON.stringify({
+    pubkey, token,
+    jobCode, jobId, jobNpub,
+    sessCode, sessId, sessNpub,
+    meScore, meTier, meIcount,
+    decayCode, decayPrev, decayNew,
+    lbCode, lbIsArray, lbSorted,
+  }) + '\n');
+}
+main().catch(err => { process.stderr.write(String(err) + '\n'); process.exit(1); });
+NODESCRIPT
+
+  NOSTR_LC_EXIT=0
+  NOSTR_LC_OUT=\$(node "\$NOSTR_LC_TMPFILE" "\$BASE" 2>/dev/null) || NOSTR_LC_EXIT=\$?
+  rm -f "\$NOSTR_LC_TMPFILE"
+  if [[ \$NOSTR_LC_EXIT -ne 0 || -z "\$NOSTR_LC_OUT" ]]; then
+    NOSTR_LC_SKIP=true
+  fi
+fi
+
+# Helper: extract a field from NOSTR_LC_OUT
+_lc() { echo "\$NOSTR_LC_OUT" | jq -r ".\$1" 2>/dev/null || echo ""; }
+
+# ---------------------------------------------------------------------------
+# T41 — POST /jobs with valid Nostr token → nostrPubkey in response
+# ---------------------------------------------------------------------------
+sep "Test 41 — POST /jobs with Nostr token → nostrPubkey set"
+if [[ "\$NOSTR_LC_SKIP" == "true" ]]; then
+  note SKIP "node unavailable or lifecycle preamble failed — skipping T41"
+  SKIP=\$((SKIP+1))
+else
+  T41_CODE=\$(_lc jobCode); T41_NPUB=\$(_lc jobNpub); T41_PK=\$(_lc pubkey)
+  if [[ "\$T41_CODE" == "201" && -n "\$T41_NPUB" && "\$T41_NPUB" != "null" && "\$T41_NPUB" == "\$T41_PK" ]]; then
+    note PASS "HTTP 201, nostrPubkey=\${T41_NPUB:0:8}... matches token identity"
+    PASS=\$((PASS+1))
+  else
+    note FAIL "code=\$T41_CODE nostrPubkey='\$T41_NPUB' expected='\$T41_PK'"
+    FAIL=\$((FAIL+1))
+  fi
+fi
+
+# ---------------------------------------------------------------------------
+# T42 — POST /sessions with valid Nostr token → nostrPubkey in response
+# ---------------------------------------------------------------------------
+sep "Test 42 — POST /sessions with Nostr token → nostrPubkey set"
+if [[ "\$NOSTR_LC_SKIP" == "true" ]]; then
+  note SKIP "node unavailable or lifecycle preamble failed — skipping T42"
+  SKIP=\$((SKIP+1))
+else
+  T42_CODE=\$(_lc sessCode); T42_NPUB=\$(_lc sessNpub); T42_PK=\$(_lc pubkey)
+  if [[ "\$T42_CODE" == "201" && -n "\$T42_NPUB" && "\$T42_NPUB" != "null" && "\$T42_NPUB" == "\$T42_PK" ]]; then
+    note PASS "HTTP 201, nostrPubkey=\${T42_NPUB:0:8}... matches token identity"
+    PASS=\$((PASS+1))
+  else
+    note FAIL "code=\$T42_CODE nostrPubkey='\$T42_NPUB' expected='\$T42_PK'"
+    FAIL=\$((FAIL+1))
+  fi
+fi
+
+# ---------------------------------------------------------------------------
+# T43 — GET /identity/me returns full trust fields (tier, score, interactionCount)
+# ---------------------------------------------------------------------------
+sep "Test 43 — GET /identity/me returns tier + score + interactionCount"
+if [[ "\$NOSTR_LC_SKIP" == "true" ]]; then
+  note SKIP "node unavailable or lifecycle preamble failed — skipping T43"
+  SKIP=\$((SKIP+1))
+else
+  T43_TIER=\$(_lc meTier); T43_SCORE=\$(_lc meScore); T43_ICOUNT=\$(_lc meIcount)
+  if [[ -n "\$T43_TIER" && "\$T43_TIER" != "null" \
+      && "\$T43_SCORE" != "" && "\$T43_SCORE" != "null" \
+      && "\$T43_ICOUNT" != "" && "\$T43_ICOUNT" != "null" ]]; then
+    note PASS "tier=\$T43_TIER score=\$T43_SCORE interactionCount=\$T43_ICOUNT"
+    PASS=\$((PASS+1))
+  else
+    note FAIL "tier='\$T43_TIER' score='\$T43_SCORE' icount='\$T43_ICOUNT'"
+    FAIL=\$((FAIL+1))
+  fi
+fi
+
+# ---------------------------------------------------------------------------
+# T44 — POST /identity/me/decay (test-only endpoint) → score decremented
+# Skipped gracefully if endpoint returns non-200 (e.g., production mode).
+# ---------------------------------------------------------------------------
+sep "Test 44 — POST /identity/me/decay (test mode) → trust_score decremented"
+if [[ "\$NOSTR_LC_SKIP" == "true" ]]; then
+  note SKIP "node unavailable or lifecycle preamble failed — skipping T44"
+  SKIP=\$((SKIP+1))
+else
+  T44_CODE=\$(_lc decayCode); T44_PREV=\$(_lc decayPrev); T44_NEW=\$(_lc decayNew)
+  if [[ "\$T44_CODE" != "200" ]]; then
+    note SKIP "decay endpoint returned code=\$T44_CODE (not in test mode) — skipping T44"
+    SKIP=\$((SKIP+1))
+  elif [[ -n "\$T44_PREV" && -n "\$T44_NEW" && "\$T44_NEW" =~ ^[0-9]+\$ && "\$T44_PREV" =~ ^[0-9]+\$ && \$T44_NEW -le \$T44_PREV ]]; then
+    note PASS "previousScore=\$T44_PREV newScore=\$T44_NEW (decremented or floored at 0)"
+    PASS=\$((PASS+1))
+  else
+    note FAIL "code=\$T44_CODE previousScore='\$T44_PREV' newScore='\$T44_NEW' (expected new ≤ prev)"
+    FAIL=\$((FAIL+1))
+  fi
+fi
+
+# ---------------------------------------------------------------------------
+# T45 — GET /identity/leaderboard → HTTP 200, array sorted by trust score
+# ---------------------------------------------------------------------------
+sep "Test 45 — GET /identity/leaderboard → sorted array"
+if [[ "\$NOSTR_LC_SKIP" == "true" ]]; then
+  note SKIP "node unavailable or lifecycle preamble failed — skipping T45"
+  SKIP=\$((SKIP+1))
+else
+  T45_CODE=\$(_lc lbCode); T45_ARRAY=\$(_lc lbIsArray); T45_SORTED=\$(_lc lbSorted)
+  if [[ "\$T45_CODE" == "200" && "\$T45_ARRAY" == "true" && "\$T45_SORTED" == "true" ]]; then
+    note PASS "HTTP 200, array returned and sorted by trustScore desc"
+    PASS=\$((PASS+1))
+  else
+    note FAIL "code=\$T45_CODE isArray=\$T45_ARRAY sorted=\$T45_SORTED"
+    FAIL=\$((FAIL+1))
+  fi
+fi
+
 # ===========================================================================
 # FUTURE STUBS — placeholders for upcoming tasks (do not affect PASS/FAIL)
 # ===========================================================================