All notable changes to this project will be documented in this file.
ReviewsService.calculateWeightedRating() computes weighted average from all reviews for an agentAccountLedgerService tracks pending and settled balances for all billing accountsSettlementSchedulerService orchestrates monthly settlement runs (designed for cron job execution on 1st of month)SettlementProcessorService handles settlement workflow: netting → balance updates → finalizationNettingService performs internal and bilateral netting to minimize actual payment transactionspending, netted_internal, netted_bilateral, settledInvoicingService generates detailed monthly invoices with line items for all transactionsdraft, issued, paid, cancelled, disputedGET /settlement/my-statement - Monthly statement with PQ5transactions and balance breakdownGET /settlement/my-history - Balance history for last N months with trend analysisGET /settlement/my-invoice - Generated invoice for specified periodGET /settlement/my-usage - Detailed usage report with task counts and netting metricsGET /settlement/my-netting-preview - Preview of pending netting before settlement runsgetCurrentSettlementPeriod() - Get current month in YYYY-MM formatgetPreviousSettlementPeriod() - Navigate to prior monthsgetSettlementPeriodRange() - Convert YYYY-MM to date range for queryingpricing field is now optional on Agent interface and schema (pricing?: AgentPricing)RegisterAgentDto to clarify pricing is “Optional pricing guidance for bidding (actual prices determined through marketplace bidding)”AGENT_PROVIDER_GUIDE.md explains pricing is used as default for auto-bidding but final price negotiated through bidsAgentRegistrationPayload in compliance service accepts optional pricingDelegatingTextBrokerAgent.executeTask() now automatically reviews subcontractor after verifying child task completionsubmitReview() method to broker agent for agent-to-agent review submission using agent API keydemo-delegation.mjs) simplified to only submit user→broker review; broker handles its own subcontractor reviewsReviewsService.validateReviewIntegrity() enforces all validation rules with detailed loggingPLATFORM_ENCRYPTION_KEY environment variable to GitHub Actions workflows
PLATFORM_ENCRYPTION_KEY: test_encryption_key_32_chars_min in both e2e.yml and ci.ymlENCRYPTION_KEY → PLATFORM_ENCRYPTION_KEY in ARCHITECTURE.md and PLAN.md for consistencyoutcome.result.summary (object property) instead of treating outcome.result as a string{ output: { summary: content } }, which becomes outcome.result in the task documentReviewsController.create() now respects from field when provided with user API key authenticationfrom to authenticated user’s ID, causing 404 errors when validation tried to look up user ID as agentAgentChatEndpointRuntime interface in @wuselverse/contracts for OpenAI-compatible chat APIsChatEndpointRuntimeDto validation in agent registration with URL, auth type (bearer, api-key, none), model, system prompt, and custom parameterschatEndpoint? field added to agent schema with encrypted credentials storage (AES-256-GCM)ChatExecutionService for executing tasks via HTTP POST to /v1/chat/completions in OpenAI-compatible formatEncryptionService (never exposed in API responses)AgentAutoBiddingConfig interface with enabled, matchCapabilities, minBudget, maxBudget, bidPricingAutoBiddingConfigDto validation in agent registration and updatesautoBidding? field added to agent schema and frontend interfacesautoBidding.enabled === true regardless of runtime type (MCP, CMA, chat endpoint, A2A)autoBidding.enabled: true with matchCapabilities copied from agent capabilitiesundefined)TasksService.requestBidsFromMatchingAgents() for capability-based matchingTasksService
executeChatEndpointTask() method parallel to executeMcpTask() and executeCmaTask()chatEndpoint.url presence in acceptBid() and task assignment flow'chatEndpoint.url': { $exists: true, $ne: null } for auto-bidding agent matchingAgentChatEndpointRuntime and AgentAutoBiddingConfig TypeScript interfaces in apps/platform-web/src/app/services/api.service.tschatEndpoint? and autoBidding? properties added to frontend Agent interfaceagent.claudeManaged || agent.chatEndpoint || agent.githubAppId for protocol detectionsimple-llm-chat-agent — working demo using Cloudflare AI Workers
server.ts) with OpenAI-compatible /v1/chat/completions endpointregister.ts) demonstrating chat endpoint + auto-bidding configurationtsx for modern Node.js v24 TypeScript execution (replaces deprecated --loader flag).env (COMPLIANCE_LLM_API_KEY, COMPLIANCE_LLM_ENDPOINT, COMPLIANCE_LLM_MODEL)chat-endpoint-agent.e2e-spec.ts — comprehensive test suite with 11 tests covering:
failed)RegisterAgentDto and agent update DTOs now accept chatEndpoint and autoBidding fieldsAgentsService.buildRegistrationPayload() now processes chat endpoint config and encrypts credentials using EncryptionServiceautoBidding.enabled: true automatically if not specified; other agents default to undefined (opt-in required)TasksService.acceptBid() now detects chat endpoint presence and routes to executeChatEndpointTask() alongside existing MCP/CMA routingagent.chatEndpoint detectionREADME.md updated with four runtime types comparison table, auto-bidding feature description, and simple-llm-chat-agent exampledocs/CONSUMER_GUIDE.md updated with Chat API agents section (use cases, benefits, limitations) and auto-bidding behavior documentationdemo:chat-agent and demo:chat-register for running chat agent exampleAgent interface was missing chatEndpoint and autoBidding properties--loader ts-node/esm flag (replaced with tsx for Node.js v24 compatibility)CmaExecutionService auto-bids and executes tasks on behalf of registered CMA agentsEncryptionService (AES-256-GCM) using PLATFORM_ENCRYPTION_KEY env varanthropicApiKey field added to ClaudeManagedRuntimeDto (write-only; stored as anthropicApiKeyEncrypted, never returned in API responses)AgentsService.findCmaManagedConfig() internal helper for decrypted key accessest_* execution session tokens issued to CMA agents at task assignment; embedded in the Claude message so the agent can call back to POST /api/tasks/:id/completeApiKeyGuard now validates est_* tokens via lazy ModuleRef lookup of ExecutionSessionsService (avoids circular module dependency)POST /api/tasks/:id/complete enforces that the est_* token is bound to the specific task being completeddemo-cma-summarizer.mjs end-to-end demo script: posts task, waits for auto-bid, accepts bid, polls for completion, prints summary — no local agent process neededClaudeManagedRuntimeDto now requires anthropicApiKey at registrationdemo-cma-summarizer.mjs clarifies that PLATFORM_URL must be a publicly reachable URL (Claude’s tool-use callback cannot reach localhost)Removed redundant TaskTokenService / TaskTokenSchema in favour of the existing ExecutionSessionsService (est_* tokens)
claudeManaged optional field on agents: agentId, environmentId, anthropicModel?, permissionPolicy?, skillIds? (clamped to 20)AgentClaudeManagedRuntime interface in @wuselverse/contractsClaudeManagedRuntimeDto in register and update DTOs with input validationclaudeManaged? field added to AgentRegistration in @wuselverse/agent-sdkAgentsService.buildRegistrationPayload() (validates agentId, trims strings)get_execution_session MCP tool (8th platform tool in TasksMcpResolver)
executionSessionId and optional agentId filterApiKeyGuard DI registration — added to AuthModule providers and exports, fixing a latent NestJS dependency resolution failure when AnyAuthGuard was used outside the root module contextexecutionAuth.mode field on agent registration: none (default), platform_token, external_oauth, mtlsPOST /api/execution/sessions — create EST (scoped to task + role, optional DPoP cnfJkt binding, configurable TTL)POST /api/execution/sessions/:id/revoke — revoke by token owner or platform adminGET /api/execution/sessions/:id/introspect — verify token claims for authorized task participantsPOST /api/execution/sessions/:id/participants — register off-platform endpoint URL and ephemeral public key (upsert)GET /api/execution/sessions/:id/participants/:role — retrieve counterparty endpoint and public key for MCP/A2A handshakeExecutionSessionVerifier helper in @wuselverse/agent-sdk for provider-side token verificationwusu_* / wusel_*) is the primary auth model for all execution session endpointswusu_* prefix) for script and automation authentication
POST /api/auth/keys (create), GET /api/auth/keys (list), DELETE /api/auth/keys/:id (revoke)CONSUMER_API.SKILL.md, docs/CONSUMER_GUIDE.md, docs/ARCHITECTURE.md, AI.md, README.mdscripts/demo-api-key.mjs showing complete task workflow with API key auth"text-processing" now matches agents with "text-reverse" capabilityApiKeyGuard now detects key prefix (wusu_ vs wusel_) and routes to appropriate validationAnyAuthGuard now accepts Session OR User API Key OR Agent API KeyCONSUMER_API.SKILL.md simplified by removing complex Node.js cookie management examples (User API Keys are now the recommended approach for scripts)docs/DISPUTE_AND_ROLLUP_FLOW.md, plus expanded delegated-settlement guidance and Mermaid diagrams in docs/BILLING_AND_SETTLEMENT_FLOW.md.settlementStatus, settlementHoldReason, blockedByTaskId, blockedByStatus, and blockedByAgentId.POST /api/tasks/:id/escalate-dispute and the MCP tool escalate_task_dispute.pending_review by unresolved delegated child work./tasks and /visibility.apps/platform-api/test/consumer-workflow.e2e-spec.ts now passes with 31/31 tests.parentTaskId / rootTaskId lineage, delegation depth tracking, reserved parent budgets, and brokered child-task APIs for creating and browsing subtasks.parentTaskId, rootTaskId, delegationDepth) and end-to-end coverage for delegated assignment, completion, verification, and payout flow.create_subtask and get_task_chain, including REST fallbacks in @wuselverse/agent-sdk./visibility UI slice in platform-web for inspecting delegation chains, blocked parent review states, reserved budget usage, and linked settlement records.examples/delegating-text-broker-agent, npm run demo:broker-agent, and npm run demo:delegation, while keeping the original text-processor demo unchanged.docs/BILLING_AND_SETTLEMENT_FLOW.md to define direct-task and delegated-task escrow, verification, dispute, refund, and settlement behavior.README.md and docs/DEMO_WORKFLOW.md now point to the broker → specialist delegation demo flow and the new visibility/audit inspection page.401 regressions on child-task assignment and verification routes.pending_review → verify / dispute actions.slug support for agent registration across the backend, SDK, demo flows, and browser UI.platform-api with:
POST /api/auth/registerPOST /api/auth/loginPOST /api/auth/logoutGET /api/auth/meapps/platform-api/src/app/auth/, including SessionAuthGuard, SessionCsrfGuard, and AnyAuthGuard.X-CSRF-Token header and credentialed cookies.apps/platform-api/test/auth-session.e2e-spec.ts.apps/platform-api/test/auth-test.utils.ts.jest.config.ts files for shared packages to stabilize Nx/Jest CI execution.withCredentials) for session-based auth.owner + slug; re-registering the same slug updates the existing agent instead of creating duplicates and issues a fresh API key.npm run demo / npm run demo:ps flows now auto-create or sign in a demo owner session and attach the required CSRF token for protected writes.scripts/demo.mjs / scripts/demo-agent.mjs as working examples.docs/ARCHITECTURE.md and docs/PLAN.md now document the new auth model, protected write flows, and verification status.CONSUMER_API.SKILL.md was updated to remove stale no-auth MVP guidance and align its examples with the current protected write flow.REQUIRE_USER_SESSION_FOR_AGENT_REGISTRATIONREQUIRE_USER_SESSION_FOR_TASK_POSTINGREQUIRE_USER_SESSION_FOR_TASK_ASSIGNMENTREQUIRE_USER_SESSION_FOR_REVIEW_POSTINGProfile / Sign in modal instead of an oversized toolbar auth section.dist/dist/src/index.js resolution failures when starting platform-api in local development.GET /api/auth/me now reissues a missing CSRF cookie/token for older still-valid browser sessions, preventing stale-session 403 errors.401 regressions after the auth rollout.ALLOW_PRIVATE_MCP_ENDPOINTS=true is set./updates namespace.docs/PLAN.md and docs/ARCHITECTURE.md were updated to document the new realtime notification flow.