Merge pull request #358 from commandlayer/codex/add-ipfs-pinning-for-paid-agent-cards

Add admin-controlled IPFS pinning for paid agent cards

Author: GsCommand

api/admin/pin-agent-cards.js

@@ -0,0 +1,88 @@
+'use strict';
+
+const db = require('../../lib/db');
+const { stableStringify, sha256Hex, pinJsonToPinata } = require('../../lib/ipfsPinning');
+
+module.exports = async function handler(req, res) {
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  res.setHeader('Cache-Control', 'no-store');
+
+  if (req.method !== 'POST') {
+    res.setHeader('Allow', 'POST');
+    return res.status(405).json({ ok: false, status: 'METHOD_NOT_ALLOWED' });
+  }
+
+  if (!process.env.ADMIN_API_KEY || req.headers['x-admin-api-key'] !== process.env.ADMIN_API_KEY) {
+    return res.status(401).json({ ok: false, status: 'UNAUTHORIZED' });
+  }
+
+  const provider = process.env.IPFS_PINNING_PROVIDER || 'pinata';
+  if (provider !== 'pinata') return res.status(400).json({ ok: false, status: 'UNSUPPORTED_PINNING_PROVIDER' });
+
+  const claimId = req.body && req.body.claimId;
+  if (!claimId) return res.status(400).json({ ok: false, status: 'CLAIM_ID_REQUIRED' });
+
+  const claimResult = await db.query('select claim_id, status from claim_requests where claim_id = $1 limit 1', [claimId]);
+  const claim = claimResult.rows[0];
+  if (!claim) return res.status(404).json({ ok: false, status: 'CLAIM_NOT_FOUND' });
+  if (claim.status !== 'paid' && claim.status !== 'cards_pinned') return res.status(400).json({ ok: false, status: 'CLAIM_NOT_PAID' });
+
+  const cardsResult = await db.query(
+    `select id, claim_id, ens, card_json, card_cid, card_ipfs_uri, card_gateway_url, card_sha256, pin_status
+     from agent_cards
+     where claim_id = $1 and status = 'published'
+     order by created_at asc`,
+    [claimId]
+  );
+  if (!cardsResult.rows.length) return res.status(400).json({ ok: false, status: 'NO_PUBLISHED_CARDS' });
+
+  const allPinned = cardsResult.rows.every((r) => r.card_cid && r.card_ipfs_uri && r.card_sha256);
+  if (allPinned) return res.status(200).json({ ok: true, status: 'ALREADY_PINNED', claimId, cards: cardsResult.rows });
+
+  const gatewayBase = (process.env.IPFS_GATEWAY_BASE_URL || 'https://gateway.pinata.cloud/ipfs').replace(/\/$/, '');
+
+  try {
+    const pinned = [];
+    for (const row of cardsResult.rows) {
+      const canonical = stableStringify(row.card_json);
+      const hash = sha256Hex(canonical);
+
+      if (row.card_cid && row.card_ipfs_uri && row.card_sha256) {
+        pinned.push({ ens: row.ens, card_cid: row.card_cid, card_sha256: row.card_sha256, card_gateway_url: row.card_gateway_url });
+        continue;
+      }
+
+      const cid = await pinJsonToPinata(row.card_json);
+      const ipfsUri = `ipfs://${cid}`;
+      const gatewayUrl = `${gatewayBase}/${cid}`;
+      await db.query(
+        `update agent_cards
+         set card_cid = $2, card_ipfs_uri = $3, card_gateway_url = $4, card_sha256 = $5,
+             card_pinned_at = now(), pinning_provider = $6, pin_status = 'pinned', pin_error = null
+         where id = $1`,
+        [row.id, cid, ipfsUri, gatewayUrl, hash, provider]
+      );
+      pinned.push({ ens: row.ens, card_cid: cid, card_sha256: hash, card_gateway_url: gatewayUrl });
+    }
+
+    await db.query('update claim_requests set status = $2, updated_at = now() where claim_id = $1', [claimId, 'cards_pinned']);
+    await db.query(
+      `insert into claim_events (claim_id, event_type, message, metadata_json)
+       values ($1, 'agent_cards.pinned', 'Agent cards pinned to IPFS.', $2::jsonb)`,
+      [claimId, JSON.stringify({ provider, count: pinned.length })]
+    );
+    await db.query(
+      `insert into claim_status_transitions (claim_id, from_status, to_status)
+       values ($1, 'paid', 'cards_pinned')`,
+      [claimId]
+    );
+
+    return res.status(200).json({ ok: true, status: 'CARDS_PINNED', claimId, provider, cards: pinned });
+  } catch (error) {
+    await db.query(
+      `update agent_cards set pin_status = 'error', pin_error = $2 where claim_id = $1 and status = 'published'`,
+      [claimId, String(error && error.message ? error.message : 'pinning_failed')]
+    );
+    return res.status(502).json({ ok: false, status: 'PINNING_FAILED', claimId });
+  }
+};

db/migrations/005_agent_card_ipfs_pinning.sql

@@ -0,0 +1,9 @@
+alter table if exists agent_cards
+  add column if not exists card_cid text,
+  add column if not exists card_ipfs_uri text,
+  add column if not exists card_gateway_url text,
+  add column if not exists card_sha256 text,
+  add column if not exists card_pinned_at timestamptz,
+  add column if not exists pinning_provider text,
+  add column if not exists pin_status text,
+  add column if not exists pin_error text;

lib/ipfsPinning.js

@@ -0,0 +1,35 @@
+'use strict';
+
+const crypto = require('node:crypto');
+
+function stableStringify(value) {
+  if (Array.isArray(value)) return `[${value.map(stableStringify).join(',')}]`;
+  if (value && typeof value === 'object') {
+    const keys = Object.keys(value).sort();
+    return `{${keys.map((k) => `${JSON.stringify(k)}:${stableStringify(value[k])}`).join(',')}}`;
+  }
+  return JSON.stringify(value);
+}
+
+function sha256Hex(value) {
+  return crypto.createHash('sha256').update(value).digest('hex');
+}
+
+async function pinJsonToPinata(cardJson) {
+  const jwt = process.env.PINATA_JWT;
+  if (!jwt) throw new Error('PINATA_JWT_MISSING');
+  const response = await fetch('https://api.pinata.cloud/pinning/pinJSONToIPFS', {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${jwt}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({ pinataContent: cardJson }),
+  });
+  if (!response.ok) throw new Error(`PINATA_ERROR_${response.status}`);
+  const body = await response.json();
+  if (!body || !body.IpfsHash) throw new Error('PINATA_MISSING_CID');
+  return body.IpfsHash;
+}
+
+module.exports = { stableStringify, sha256Hex, pinJsonToPinata };

public/admin-agent-cards.html

@@ -0,0 +1,34 @@
+<!doctype html>
+<html><head><meta charset="utf-8"><title>Admin Agent Cards</title></head>
+<body>
+  <h1>Admin Agent Card Pinning</h1>
+  <input id="claimId" placeholder="claim id" />
+  <button id="loadBtn">Load</button>
+  <div id="status"></div>
+  <div id="actions"></div>
+  <pre id="details"></pre>
+<script>
+async function loadClaim(){
+  const claimId=document.getElementById('claimId').value.trim();
+  const key=localStorage.getItem('adminApiKey')||'';
+  const status=document.getElementById('status');
+  const actions=document.getElementById('actions');
+  const details=document.getElementById('details');
+  status.textContent=''; actions.innerHTML=''; details.textContent='';
+  if(!claimId) return;
+  const paidBtn=document.createElement('button');
+  paidBtn.textContent='Pin cards to IPFS';
+  paidBtn.onclick=async()=>{
+    const r=await fetch('/api/admin/pin-agent-cards',{method:'POST',headers:{'content-type':'application/json','x-admin-api-key':key},body:JSON.stringify({claimId})});
+    details.textContent=JSON.stringify(await r.json(),null,2);
+  };
+  const ensBtn=document.createElement('button');
+  ensBtn.textContent='Copy ENS records';
+  ensBtn.onclick=async()=>navigator.clipboard.writeText('');
+  status.textContent='If status = paid: pin cards. If status = cards_pinned: show CID/hash/gateway links.';
+  actions.appendChild(paidBtn); actions.appendChild(ensBtn);
+}
+
+document.getElementById('loadBtn').onclick=loadClaim;
+</script>
+</body></html>

tests/api-admin-pin-agent-cards.test.js

@@ -0,0 +1,80 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+
+const db = require('../lib/db');
+const handler = require('../api/admin/pin-agent-cards');
+
+function makeRes() { return { statusCode: 200, headers: {}, body: null, setHeader(n, v) { this.headers[n.toLowerCase()] = v; }, status(c) { this.statusCode = c; return this; }, json(p) { this.body = p; return this; } }; }
+
+test('unpaid claims rejected', async () => {
+  process.env.ADMIN_API_KEY = 'k';
+  db.query = async (q) => (q.includes('from claim_requests') ? { rows: [{ claim_id: 'c1', status: 'created' }] } : { rows: [] });
+  const res = makeRes();
+  await handler({ method: 'POST', headers: { 'x-admin-api-key': 'k' }, body: { claimId: 'c1' } }, res);
+  assert.equal(res.statusCode, 400);
+  assert.equal(res.body.status, 'CLAIM_NOT_PAID');
+});
+
+test('paid claim pins cards', async () => {
+  process.env.ADMIN_API_KEY = 'k';
+  process.env.PINATA_JWT = 'jwt';
+  const calls = [];
+  global.fetch = async () => ({ ok: true, json: async () => ({ IpfsHash: 'bafy123' }) });
+  db.query = async (q, p) => {
+    calls.push(q);
+    if (q.includes('from claim_requests')) return { rows: [{ claim_id: 'c2', status: 'paid' }] };
+    if (q.includes('from agent_cards')) return { rows: [{ id: 'a1', ens: 'x.eth', claim_id: 'c2', card_json: { a: 1 }, status: 'published' }] };
+    return { rows: [] };
+  };
+  const res = makeRes();
+  await handler({ method: 'POST', headers: { 'x-admin-api-key': 'k' }, body: { claimId: 'c2' } }, res);
+  assert.equal(res.statusCode, 200);
+  assert.equal(res.body.status, 'CARDS_PINNED');
+  assert.ok(calls.some((q) => q.includes('update claim_requests set status')));
+});
+
+test('already pinned claim returns existing CID', async () => {
+  process.env.ADMIN_API_KEY = 'k';
+  db.query = async (q) => {
+    if (q.includes('from claim_requests')) return { rows: [{ claim_id: 'c3', status: 'cards_pinned' }] };
+    if (q.includes('from agent_cards')) return { rows: [{ id: 'a1', card_cid: 'bafy', card_ipfs_uri: 'ipfs://bafy', card_sha256: 'h' }] };
+    return { rows: [] };
+  };
+  const res = makeRes();
+  await handler({ method: 'POST', headers: { 'x-admin-api-key': 'k' }, body: { claimId: 'c3' } }, res);
+  assert.equal(res.statusCode, 200);
+  assert.equal(res.body.status, 'ALREADY_PINNED');
+});
+
+test('provider error records pin_error and does not mark cards_pinned', async () => {
+  process.env.ADMIN_API_KEY = 'k';
+  process.env.PINATA_JWT = 'jwt';
+  const queries = [];
+  global.fetch = async () => ({ ok: false, status: 500, json: async () => ({}) });
+  db.query = async (q) => {
+    queries.push(q);
+    if (q.includes('from claim_requests')) return { rows: [{ claim_id: 'c4', status: 'paid' }] };
+    if (q.includes('from agent_cards')) return { rows: [{ id: 'a1', card_json: { a: 1 }, status: 'published' }] };
+    return { rows: [] };
+  };
+  const res = makeRes();
+  await handler({ method: 'POST', headers: { 'x-admin-api-key': 'k' }, body: { claimId: 'c4' } }, res);
+  assert.equal(res.statusCode, 502);
+  assert.ok(queries.some((q) => q.includes("set pin_status = 'error'")));
+  assert.ok(!queries.some((q) => q.includes('update claim_requests set status')));
+});
+
+test('no secrets are logged', async () => {
+  process.env.ADMIN_API_KEY = 'k';
+  process.env.PINATA_JWT = 'super-secret-jwt';
+  const logs = [];
+  const oldLog = console.log;
+  console.log = (...a) => logs.push(a.join(' '));
+  db.query = async (q) => (q.includes('from claim_requests') ? { rows: [{ claim_id: 'c5', status: 'paid' }] } : { rows: [] });
+  const res = makeRes();
+  await handler({ method: 'POST', headers: { 'x-admin-api-key': 'k' }, body: { claimId: 'c5' } }, res);
+  console.log = oldLog;
+  assert.equal(logs.join('\n').includes('super-secret-jwt'), false);
+});