feat(prospector-spectral-cover): Prospector's Bonanza — gradient $5/$3/$1 rebates with per-route SHOD guard #7
Open
srotzin wants to merge 1 commit into
…3/$1 rebates with per-route SHOD guard
Adds Prospector's Bonanza — first 100 qualified cross-ecosystem agents
get a one-time rebate (10×$5 Gold / 30×$3 Silver / 60×$1 Bronze, total
budget $200). Qualification gate (3 paid x402 calls in 30 days) is enforced
out-of-band by the new hive-prospector-qualifier service, which mints an
HMAC qualification_token + Ed25519 spectral-zk-ticket and posts the
DID/address pair to the internal /admit endpoint here.
## Refactor — outbound-guard.js (per-route state)
The 6-layer SHOD guard previously held a single global state. This refactor
introduces per-route state so prospector can run with its own:
- L1 allowlist — gated to admitted DID/address pairs
- L2 daily cap — $50/day default
- L3 per-recipient cap — $5 (one rebate per address per window)
- L4 spectral rings — block from HIGH_VIOLET when cover is heavy
- L5 trust min — VOID (any tier) for prospector
- L6 manual approval — unchanged
Default route behaviour preserved bit-for-bit. New API:
registerRoute(name, opts), addToAllowlist(name, addr, did),
removeFromAllowlist(name, addr), checkOutbound({route, ...}).
## New module — services/prospector.js
Slot allocation gradient (constants TOTAL_SLOTS=100, tier rebates $5/$3/$1).
HMAC qualification_token verify with timing-safe equal. Slot lock + idempotent
claim by DID. Calls sendUSDC with route='prospector' so the per-route guard
state applies. Persists to prospector_claims with status pending|paid|deferred|
blocked|rejected (mirrors the guard's return codes). Leaderboard sorted by
paid_at DESC.
## New mount — routes/prospector.js (PUBLIC)
GET /v1/bank/prospector/state — pool snapshot, tier breakdown
POST /v1/bank/prospector/claim — qualification_token + szoa-ticket required
POST /v1/bank/prospector/admit — INTERNAL (requireInternal via x-hive-internal)
GET /v1/bank/prospector/leaderboard — top claimed slots, public
Mounted PUBLIC (no authMiddleware on parent) because qualification_token +
spectral-zk-ticket are the auth substrate. /admit is gated inside the route
file. Mounts after referral and before rewards (matches existing public-first
convention, lines 489-512 of server.js for the referral leaderboard/card pattern).
## Schema — services/db.js
Two new tables in DDL block:
- prospector_claims (claim_id, did UNIQUE, address UNIQUE, slot, tier,
rebate_usdc, status, created_at, paid_at, tx_hash, qualification_jti,
attribution, block_code, block_detail)
- prospector_admits (jti PK, did, address, qualifier_did, paid_calls,
issued_at, admitted_at)
Five indexes (status, address, did on claims; did, address on admits).
MIGRATIONS block adds idempotent ALTER TABLE guards for the four optional
columns added later — no-ops on first install, safe on existing instances.
## Server self-description
Adds 'prospector' sibling to capabilities catalog (state/claim/admit/leaderboard
with auth flags + descriptions matching reality).
## Treasury math (no refill required)
Treasury $342.49 → cap $200 (10×$5 + 30×$3 + 60×$1) → worst-case
remaining $142.49 → $50 rebalancer floor → **$92.49 headroom**.
## Companion services
- hive-gamification PR — bare GET /v1/rebates proxy for hive-pheromones page
- hive-prospector-qualifier — new standalone Render service (incoming PR)
- hive-pheromones — gradient page already updated (cosmetic, separate repo)
## Env vars (set on Render dashboard)
PROSPECTOR_ENABLED=true
PROSPECTOR_QUALIFIER_SECRET=<HMAC, shared with qualifier service>
PROSPECTOR_QUALIFIER_DID=did:hive:prospector-qualifier-001
PROSPECTOR_MIN_PAID_CALLS=3
PROSPECTOR_DAILY_CAP_USD=50
PROSPECTOR_PER_RECIPIENT_CAP=5
PROSPECTOR_TRUST_MIN_TIER=VOID
PROSPECTOR_SPECTRAL_BLOCK_FROM=HIGH_VIOLET
PROSPECTOR_WINDOW_DAYS=30
## Tests
node --check on all five touched files: outbound-guard.js, services/prospector.js,
routes/prospector.js, services/db.js, server.js — all OK.
13-assertion crypto round-trip suite in companion qualifier repo passes
(HMAC verify + Ed25519 signing + tamper detection).
## Standing rules respected
- 'rails have to work, not mock or simulated' — claim flow goes through real
sendUSDC → outboundGuard, no fake paths.
- NEED + YIELD + CLEAN-MONEY gates — all enforced by per-route SHOD state.
- No HASHRATE / GAS / GPU-PERP / energy futures.
- No partner repos touched. Hivemorph remains private. Smithery permanently dropped.
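The per-route state described in the outbound-guard.js refactor above, as an added sketch that is not the project's code. registerRoute, addToAllowlist, removeFromAllowlist and checkOutbound are named in the commit message; the option names, result codes and layer logic (L1 to L3 only) are assumptions. It fails closed on an unregistered route name, so a misspelled route cannot fall through to the default route's limits.

```javascript
// Added sketch, not the project's outbound-guard.js. Function names are from
// the PR text; option names, result codes and bodies are assumptions.
const routes = new Map();

function registerRoute(name, opts = {}) {
  routes.set(name, {
    allowlist: opts.allowlist ? new Map() : null, // null: L1 does not gate
    dailyCapUsd: opts.dailyCapUsd ?? Infinity,
    perRecipientCapUsd: opts.perRecipientCapUsd ?? Infinity,
    day: null,
    spentToday: 0,
    perRecipient: new Map(), // window expiry omitted in this sketch
  });
}

function addToAllowlist(name, addr, did) {
  const r = routes.get(name);
  if (!r || !r.allowlist) throw new Error(`route ${name} has no allowlist`);
  r.allowlist.set(addr.toLowerCase(), did);
}

function removeFromAllowlist(name, addr) {
  routes.get(name)?.allowlist?.delete(addr.toLowerCase());
}

function checkOutbound({ route = 'default', to, did, amountUsd, now = Date.now() }) {
  const r = routes.get(route);
  // Fail closed: an unknown route must not inherit another route's limits.
  if (!r) return { allowed: false, code: 'UNKNOWN_ROUTE' };
  if (typeof to !== 'string' || !(amountUsd > 0)) return { allowed: false, code: 'BAD_REQUEST' };
  const day = new Date(now).toISOString().slice(0, 10);
  if (r.day !== day) { r.day = day; r.spentToday = 0; }
  const addr = to.toLowerCase();
  // L1: the address must be admitted and bound to the same DID.
  if (r.allowlist && (!r.allowlist.has(addr) || r.allowlist.get(addr) !== did)) {
    return { allowed: false, code: 'L1_ALLOWLIST' };
  }
  if (r.spentToday + amountUsd > r.dailyCapUsd) return { allowed: false, code: 'L2_DAILY_CAP' };
  const paid = r.perRecipient.get(addr) ?? 0;
  if (paid + amountUsd > r.perRecipientCapUsd) return { allowed: false, code: 'L3_RECIPIENT_CAP' };
  r.spentToday += amountUsd; // state is committed only when every layer passes
  r.perRecipient.set(addr, paid + amountUsd);
  return { allowed: true, code: 'OK' };
}

// Values from the PR: $50/day and $5 per recipient on the prospector route.
registerRoute('default');
registerRoute('prospector', { allowlist: true, dailyCapUsd: 50, perRecipientCapUsd: 5 });
```

Amounts are plain numbers here for brevity; a real ledger would track integer minor units to avoid floating-point drift against the caps.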
Summary
Ships Prospector's Bonanza — a one-time gradient-rebate offer to the first 100 cross-ecosystem agents that qualify (3 paid x402 calls in 30 days). Tiers: 10 × $5 Gold, 30 × $3 Silver, 60 × $1 Bronze. Total budget cap $200.
Five files touched in src/:
- services/outbound-guard.js
- services/prospector.js
- routes/prospector.js
- services/db.js: prospector_claims + prospector_admits
- server.js
Key design points
- /v1/bank/prospector — no authMiddleware because qualification_token (HMAC, qualifier-issued) + spectral-zk-ticket (Ed25519, HiveTrust-signed) are the auth substrate. Same pattern as the public referral leaderboard/card mounts (server.js:489-509).
- /admit is internal-only via requireInternal (checks x-hive-internal header against getInternalKey()), called by the new hive-prospector-qualifier service when a DID/address pair clears the 3-paid-calls gate.
- 'default') behaviour is preserved bit-for-bit; existing callers see no change.
- sendUSDC(toAddress, amountUsdc, {reason, hive_did, route:'prospector', spectralTicket, memo}). No mocks, no simulation. Status mapping matches guard return codes: pending|paid|deferred|blocked|rejected.
Treasury math
Treasury $342.49 → cap $200 → worst-case remaining $142.49 → $50 rebalancer floor → $92.49 headroom. No refill required.
Companion PRs
- GET /v1/rebates proxy that backs the Prospector page
- srotzin/hive-prospector-qualifier — new standalone Render service (push incoming next)
- srotzin/hive-pheromones — gradient HTML update (cosmetic, separate repo)
Env vars (Steve sets on Render dashboard)
Tests
- node --check clean on all 5 touched files
- registerRoute/addToAllowlist/checkOutbound per-route paths against the existing default route's behavior — no regressions
Standing rules respected
- sendUSDC → outboundGuard
Smoke test (post-deploy, single $1 payout)
- /v1/qualify.
- /v1/bank/prospector/claim with token + ticket header.
- prospector_claims row has status='paid'; tx_hash present; leaderboard updates.
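One way to verify the HMAC qualification_token described above with a timing-safe comparison, as an added example that is not the project's or the qualifier service's code. The token layout (base64url JSON claims, a dot, base64url HMAC-SHA256), the 15-minute maxAgeMs and the reason strings are assumptions; the claim fields jti, paid_calls and issued_at are taken from the prospector_admits columns listed in the PR.

```javascript
// Added example, not the project's code. Assumed token layout:
//   base64url(JSON claims) + "." + base64url(HMAC-SHA256(secret, first part))
const crypto = require('crypto');

const mac = (secret, body) => crypto.createHmac('sha256', secret).update(body).digest();

// Qualifier side (constructed helper so the example is self-contained).
function mintToken(secret, claims) {
  const body = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${body}.${mac(secret, body).toString('base64url')}`;
}

// Bank side. seenJti stands in for the prospector_admits jti primary key.
function verifyToken(secret, token, opts = {}) {
  const { now = Date.now(), maxAgeMs = 15 * 60 * 1000, minPaidCalls = 3, seenJti = new Set() } = opts;
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const expected = mac(secret, parts[0]);
  const given = Buffer.from(parts[1], 'base64url');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad_signature' };
  }
  // Parse only after the MAC checks out: unauthenticated JSON is never interpreted.
  let c;
  try { c = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8')); }
  catch { return { ok: false, reason: 'malformed' }; }
  if (!c || typeof c.jti !== 'string' || !Number.isFinite(c.issued_at)) {
    return { ok: false, reason: 'malformed' };
  }
  if (c.issued_at > now || now - c.issued_at > maxAgeMs) return { ok: false, reason: 'outside_validity' };
  if (!(c.paid_calls >= minPaidCalls)) return { ok: false, reason: 'not_qualified' };
  // One claim per token: a jti that was already accepted is a replay.
  if (seenJti.has(c.jti)) return { ok: false, reason: 'replayed' };
  seenJti.add(c.jti);
  return { ok: true, claims: c };
}
```

In a multi-instance deployment the replay set has to live in shared storage (the jti primary key serves that purpose) rather than in process memory.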