Implements task #8 — Gitea push helper script (bore tunnel).
## What was built
- `scripts/push-to-gitea.sh` — one-command push to local Gitea through the
bore tunnel, automatically detecting the port across sessions
- `.gitea-credentials` and `.bore-port` added to `.gitignore`
- `replit.md` — new "Pushing to Gitea" section with full workflow docs
## Port detection (3-tier, no pgrep)
bore runs on the Mac, not Replit — pgrep would always return empty.
Implemented practical 3-tier resolution:
1. CLI argument `bash scripts/push-to-gitea.sh <PORT>` — saves to .bore-port
2. `.bore-port` file in repo root (written on first call, reused after)
3. Port parsed from existing `gitea` remote URL — zero setup for ongoing
sessions where the remote was already set
## Security
Token is never hard-coded. Resolution order:
1. `GITEA_TOKEN` env var
2. `.gitea-credentials` gitignored file (one line: the token)
3. Fails with clear setup instructions if neither is present
## Repo name detection
`basename` of the Replit workspace returns `workspace`, not the Gitea repo
name. Fixed to regex-extract the repo name from the existing gitea remote URL.
## Tested live
- Zero-arg run with valid port in remote + GITEA_TOKEN env var → pushed
successfully, printed branch URL and PR link
- Bad port (99999) → clear error, exits 1
- No GITEA_TOKEN → clear error with setup instructions, exits 1
## Files changed
- `scripts/push-to-gitea.sh` (new, chmod +x)
- `.gitignore` (+.bore-port, +.gitea-credentials)
- `replit.md` (+Pushing to Gitea section)
Implements task #8 — Gitea push helper script (bore tunnel).
## What was built
- `scripts/push-to-gitea.sh` — single-command push to local Gitea through
the bore tunnel, regardless of session port changes
- `.bore-port` added to `.gitignore` — session-scoped file never committed
- `replit.md` updated with a "Pushing to Gitea" section documenting the
full workflow
## Port detection (3-tier fallback, no pgrep needed)
The task spec mentioned `pgrep -a bore`, but bore runs on the Mac — not on
Replit — so pgrep always returns nothing from Replit's shell. Implemented
a practical 3-tier resolution instead:
1. CLI argument `bash scripts/push-to-gitea.sh <PORT>` — saves to .bore-port
2. `.bore-port` file in repo root (set once per session)
3. Port embedded in the existing `git remote get-url gitea` URL (zero
setup — works across sessions as long as the remote hasn't been wiped)
## Repo name detection
`basename "$REPO_ROOT"` returns `workspace` (Replit container name) rather
than `token-gated-economy`. Fixed to parse repo name from the existing gitea
remote URL via regex `/([^/]+)\.git$`.
## Tested live
- Zero-arg run with valid port in remote → pushed successfully to
`feat/workshop-api-enhancements` on Gitea
- Bad port (99999) → prints clear error with actionable instructions, exits 1
- GITEA_TOKEN env var supported as override for credential rotation
## Files changed
- `scripts/push-to-gitea.sh` (new, chmod +x)
- `.gitignore` (+.bore-port entry)
- `replit.md` (+Pushing to Gitea section)
Implement session-based API endpoints for creating, managing, and interacting with pre-funded sessions, including deposit and top-up invoice generation, macaroon authentication, and per-request debiting of compute costs.
Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 418bf6f8-212b-4bb0-a7a5-8231a061da4e
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: 2dc3847e-7186-4a22-9c7e-16cd31bca8d9
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/9f85e954-647c-46a5-90a7-396e495a805a/418bf6f8-212b-4bb0-a7a5-8231a061da4e/sPDHkg8
Replit-Helium-Checkpoint-Created: true
- btc-oracle.ts: CoinGecko BTC/USD fetch (60s cache), usdToSats() helper,
fallback to BTC_PRICE_USD_FALLBACK env var (default $100k), 5s abort timeout
- pricing.ts: Full rewrite — per-model token rates (Haiku/Sonnet, env-var
overridable), DO infra amortisation, originator margin %, estimateInputTokens(),
estimateOutputTokens() by request tier, calculateActualCostUsd() for post-work ledger,
async calculateWorkFeeSats() → WorkFeeBreakdown
- agent.ts: WorkResult now includes inputTokens + outputTokens from Anthropic usage;
workModel/evalModel exposed as readonly public; EVAL_MODEL/WORK_MODEL env var support
- jobs.ts: Work invoice creation calls pricingService.calculateWorkFeeSats() async;
stores estimatedCostUsd/marginPct/btcPriceUsd on job; after executeWork stores
actualInputTokens/actualOutputTokens/actualCostUsd; GET response includes
pricingBreakdown (awaiting_work_payment) and costLedger (complete)
- lib/db/src/schema/jobs.ts: 6 new real/integer columns for cost tracking; schema pushed
- openapi.yaml: PricingBreakdown + CostLedger schemas added to JobStatusResponse
- replit.md: 17 new env vars documented in Cost-based work fee pricing section
Add a roadmap section to replit.md detailing the planned integration of Nostr for node credential delivery, job status events, and node identity, replacing current HTTP polling mechanisms.
Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 418bf6f8-212b-4bb0-a7a5-8231a061da4e
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: 45e1ce2b-4846-4800-be09-ed16006cca5f
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/9f85e954-647c-46a5-90a7-396e495a805a/418bf6f8-212b-4bb0-a7a5-8231a061da4e/sPDHkg8
Replit-Helium-Checkpoint-Created: true
Pay a Lightning invoice → Timmy auto-provisions a Bitcoin full node on DO.
New: lib/db/src/schema/bootstrap-jobs.ts
- bootstrap_jobs table: id, state, amountSats, paymentHash, paymentRequest,
dropletId, nodeIp, tailscaleHostname, lnbitsUrl, sshPrivateKey,
sshKeyDelivered (bool), errorMessage, createdAt, updatedAt
- States: awaiting_payment | provisioning | ready | failed
- Payment data stored inline (no FK to jobs/invoices tables — separate entity)
- db:push applied to create table in Postgres
New: artifacts/api-server/src/lib/provisioner.ts
- ProvisionerService: stubs when DO_API_TOKEN absent, real otherwise
- Stub mode: generates a real RSA 4096-bit SSH keypair via ssh-keygen,
returns RFC 5737 test IP + fake Tailscale hostname after 2s delay
- Real mode: upload SSH public key to DO → generate Tailscale auth key →
create DO droplet with cloud-init user_data → poll for public IP (2 min)
- buildCloudInitScript(): non-interactive bash that installs Docker + Tailscale
+ UFW + Bitcoin Knots via docker-compose; joins Tailscale if authkey provided
- provision() designed as fire-and-forget (void); updates DB to ready/failed
New: artifacts/api-server/src/routes/bootstrap.ts
- POST /api/bootstrap: create job + LNbits invoice, return paymentRequest
- GET /api/bootstrap/🆔 poll-driven state machine
* awaiting_payment: checks payment, fires provisioner on confirm
* provisioning: returns progress message
* ready: delivers credentials; SSH private key delivered once then cleared
* failed: returns error message
- Stub mode message includes the exact /dev/stub/pay URL for easy testing
- nextSteps array guides user through post-provision setup
Updated: artifacts/api-server/src/lib/pricing.ts
- Added bootstrapFee field reading BOOTSTRAP_FEE_SATS env var (default 10000)
- calculateBootstrapFeeSats() method
Updated: artifacts/api-server/src/routes/index.ts
- Mounts bootstrapRouter
Updated: replit.md
- Documents all 7 new env vars (DO_API_TOKEN, DO_REGION, DO_SIZE, etc.)
- Full curl-based flow example with annotated response shape
End-to-end verified in stub mode: POST → pay → provisioning → ready (SSH key)
→ second GET clears key and shows sshKeyNote
OpenAPI spec (lib/api-spec/openapi.yaml)
- Added POST /jobs, GET /jobs/{id}, GET /demo endpoints
- Added schemas: CreateJobRequest, CreateJobResponse, JobStatusResponse,
InvoiceInfo, JobState, DemoResponse, ErrorResponse
- Ran codegen: generated CreateJobBody, GetJobResponse, RunDemoQueryParams etc.
Jobs router (artifacts/api-server/src/routes/jobs.ts)
- POST /jobs: validates body, creates LNbits eval invoice, inserts job +
invoice in a DB transaction, returns { jobId, evalInvoice }
- GET /jobs/🆔 fetches job, calls advanceJob() helper, returns state-
appropriate payload (eval/work invoice, reason, result, errorMessage)
- advanceJob() state machine:
- awaiting_eval_payment: checks LNbits, atomically marks paid + advances
state via optimistic WHERE state='awaiting_eval_payment'; runs
AgentService.evaluateRequest, branches to awaiting_work_payment or rejected
- awaiting_work_payment: same pattern for work invoice, runs
AgentService.executeWork, advances to complete
- Any agent/LNbits error transitions job to failed
Demo router (artifacts/api-server/src/routes/demo.ts)
- GET /demo?request=...: in-memory rate limiter (5 req/hour per IP)
- Explicit guard for missing request param (coerce.string() workaround)
- Calls AgentService.executeWork directly, returns { result }
Dev router (artifacts/api-server/src/routes/dev.ts)
- POST /dev/stub/pay/:paymentHash: marks stub invoice paid in-memory
- Only mounted when NODE_ENV !== 'production'
Route index updated to mount all three routers
replit.md: documented full curl flow with all 6 steps, demo endpoint,
and dev stub-pay trigger
End-to-end verified with curl:
- Full flow: create → eval pay → evaluating → work pay → executing → complete
- Error cases: 400 on missing body/param, 404 on unknown job
