74831bba7c
Task #26 — Nostr Identity + Trust Engine (foundational layer for cost-routing) DB changes: - New `nostr_identities` table: pubkey PK, trust_score, tier, interaction_count, sats_absorbed_today, absorbed_reset_at, last_seen, created_at, updated_at - Added nullable `nostr_pubkey` column to `sessions` and `jobs` tables - Schema pushed to DB (drizzle-kit push) - lib/db rebuilt to emit updated declaration files New lib: - `artifacts/api-server/src/lib/trust.ts` — TrustService with: - getTier(pubkey): returns tier label for a pubkey - getOrCreate(pubkey): upsert identity row - recordSuccess/recordFailure: adjust trust score; update tier - Soft score decay applied lazily (absent > N days = -1 pt/day) - issueToken/verifyToken: HMAC-SHA256 signed nostr_token (pubkey:expiry:hmac) - All thresholds env-var configurable (TRUST_TIER_ESTABLISHED/TRUSTED/ELITE) New route: - `artifacts/api-server/src/routes/identity.ts`: - POST /api/identity/challenge — issues 32-byte hex nonce (5-min TTL, in-memory) - POST /api/identity/verify — verifies NIP-01 Nostr signed event, consumes nonce, upserts identity, returns signed nostr_token + trust profile - GET /api/identity/me — look up trust profile by X-Nostr-Token header - Route registered in routes/index.ts Session + job binding: - POST /api/sessions and POST /api/jobs accept optional nostr_token (header or body) - Verified pubkey stored on the DB row; returned in create response + poll responses - trust_tier included in GET /sessions/:id and GET /jobs/:id responses - After session request completes: recordSuccess on complete, recordFailure on reject - After job work completes: recordSuccess fire-and-forget CORS: X-Nostr-Token added to allowedHeaders and exposedHeaders Smoke tested: all existing routes pass, challenge returns nonce, /identity/me 401 without token, sessions/jobs still create correctly with trust_tier: none (expected for anonymous requests)