update to chainlink cre workflow

Author: Oreolion

app/api/cre/trigger/route.ts

@@ -1,11 +1,15 @@
 import { NextRequest, NextResponse } from "next/server";
 import { validateAuthOrReject, isAuthError } from "@/lib/auth";
 import { createSupabaseAdminClient } from "@/app/utils/supabase/supabaseAdmin";
+import { GoogleGenerativeAI } from "@google/generative-ai";
 
 /**
  * POST /api/cre/trigger
  * Triggers CRE story verification workflow.
- * Sends story content directly in the CRE trigger payload (Approach B).
+ *
+ * When CRE_WORKFLOW_URL is set: triggers the deployed CRE workflow (production).
+ * When CRE_WORKFLOW_URL is NOT set: runs Gemini analysis directly and writes
+ * metrics to Supabase (fallback for demo/dev when CRE isn't deployed yet).
  */
 export async function POST(req: NextRequest) {
   try {
@@ -83,9 +87,10 @@ export async function POST(req: NextRequest) {
       return NextResponse.json({ error: "Failed to start verification" }, { status: 500 });
     }
 
-    // Trigger CRE workflow with content in payload (Approach B — standard pattern)
+    // Route: CRE workflow (production) or direct Gemini fallback (demo/dev)
     const creWorkflowUrl = process.env.CRE_WORKFLOW_URL;
     if (creWorkflowUrl) {
+      // Production path: trigger deployed CRE workflow
       fetch(creWorkflowUrl, {
         method: "POST",
         headers: {
@@ -100,7 +105,11 @@ export async function POST(req: NextRequest) {
         }),
       }).catch(err => console.error("[CRE/TRIGGER] Workflow trigger failed:", err));
     } else {
-      console.warn("[CRE/TRIGGER] CRE_WORKFLOW_URL not set, skipping workflow trigger");
+      // Fallback: direct Gemini analysis (same AI, no on-chain attestation)
+      console.log("[CRE/TRIGGER] No CRE_WORKFLOW_URL — using direct Gemini fallback");
+      runDirectGeminiFallback(admin, story.id, story.title || "Untitled", story.content).catch(
+        err => console.error("[CRE/TRIGGER] Direct fallback failed:", err)
+      );
     }
 
     return NextResponse.json({
@@ -113,3 +122,129 @@ export async function POST(req: NextRequest) {
     return NextResponse.json({ error: "Internal server error" }, { status: 500 });
   }
 }
+
+// ============================================================================
+// Direct Gemini Fallback (used when CRE_WORKFLOW_URL is not set)
+// ============================================================================
+
+const VERIFICATION_PROMPT = `You are a content quality analyst. Analyze the provided story and return a JSON object with exactly these fields:
+
+- significanceScore: number 0-100 (how meaningful/impactful to the author's personal growth)
+- emotionalDepth: number 1-5 (1=surface, 2=mild, 3=moderate, 4=deep, 5=profound)
+- qualityScore: number 0-100 (writing quality: coherence, structure, vocabulary, narrative flow)
+- wordCount: number (exact word count of the content)
+- themes: string[] (2-5 main themes, lowercase, e.g. ["growth", "family", "resilience"])
+
+STRICT RULES:
+- Output MUST be valid JSON. No markdown, no backticks, no explanation.
+- Return ONLY the JSON object.`;
+
+interface DirectMetrics {
+  significanceScore: number;
+  emotionalDepth: number;
+  qualityScore: number;
+  wordCount: number;
+  themes: string[];
+}
+
+function clamp(value: number, min: number, max: number): number {
+  return Math.min(max, Math.max(min, value));
+}
+
+function scoreToTier(score: number): number {
+  if (score <= 20) return 1;
+  if (score <= 40) return 2;
+  if (score <= 60) return 3;
+  if (score <= 80) return 4;
+  return 5;
+}
+
+/**
+ * Runs the same Gemini analysis as the CRE workflow but directly,
+ * then writes results to verified_metrics in Supabase.
+ * No on-chain attestation — source marked as "direct".
+ */
+async function runDirectGeminiFallback(
+  admin: ReturnType<typeof createSupabaseAdminClient>,
+  storyId: string,
+  title: string,
+  content: string
+) {
+  const apiKey = process.env.GOOGLE_GENERATIVE_AI_API_KEY;
+  if (!apiKey) {
+    console.error("[CRE/DIRECT] GOOGLE_GENERATIVE_AI_API_KEY not set");
+    return;
+  }
+
+  const genAI = new GoogleGenerativeAI(apiKey);
+  const model = genAI.getGenerativeModel({
+    model: "gemini-2.0-flash",
+    generationConfig: { temperature: 0.1, responseMimeType: "application/json" },
+  });
+
+  const prompt = `${VERIFICATION_PROMPT}\n\nTitle: "${title}"\n\nContent:\n"""\n${content}\n"""`;
+
+  const result = await model.generateContent(prompt);
+  const text = result.response.text();
+
+  // Parse response
+  const cleaned = text.replace(/```json\s*/gi, "").replace(/```\s*/gi, "").trim();
+  const jsonMatch = cleaned.match(/\{[\s\S]*\}/);
+  if (!jsonMatch) {
+    console.error("[CRE/DIRECT] No JSON found in Gemini response");
+    return;
+  }
+
+  const raw = JSON.parse(jsonMatch[0]) as Partial<DirectMetrics>;
+
+  const metrics: DirectMetrics = {
+    significanceScore: clamp(Math.round(Number(raw.significanceScore) || 0), 0, 100),
+    emotionalDepth: clamp(Math.round(Number(raw.emotionalDepth) || 1), 1, 5),
+    qualityScore: clamp(Math.round(Number(raw.qualityScore) || 0), 0, 100),
+    wordCount: Math.max(0, Math.round(Number(raw.wordCount) || 0)),
+    themes: Array.isArray(raw.themes)
+      ? raw.themes.filter((t): t is string => typeof t === "string").map(t => t.toLowerCase().trim()).slice(0, 5)
+      : [],
+  };
+
+  const qualityTier = scoreToTier(metrics.qualityScore);
+
+  console.log(
+    `[CRE/DIRECT] Analysis complete: significance=${metrics.significanceScore}, quality=${metrics.qualityScore}, tier=${qualityTier}`
+  );
+
+  // Write to verified_metrics — same schema as CRE callback
+  const { error: upsertError } = await admin
+    .from("verified_metrics")
+    .upsert(
+      {
+        story_id: storyId,
+        significance_score: metrics.significanceScore,
+        emotional_depth: metrics.emotionalDepth,
+        quality_score: metrics.qualityScore,
+        word_count: metrics.wordCount,
+        verified_themes: metrics.themes,
+        quality_tier: qualityTier,
+        meets_quality_threshold: metrics.qualityScore >= 70,
+        metrics_hash: null, // No CRE hash — direct analysis
+        on_chain_tx_hash: null, // No on-chain write — direct analysis
+        cre_attestation_id: null,
+        updated_at: new Date().toISOString(),
+      },
+      { onConflict: "story_id" }
+    );
+
+  if (upsertError) {
+    console.error("[CRE/DIRECT] Supabase upsert error:", upsertError);
+    return;
+  }
+
+  // Mark verification as completed
+  await admin
+    .from("verification_logs")
+    .update({ status: "completed", updated_at: new Date().toISOString() })
+    .eq("story_id", storyId)
+    .eq("status", "pending");
+
+  console.log(`[CRE/DIRECT] Metrics saved for story ${storyId}`);
+}

cre/iStory_workflow/gemini.ts

@@ -1,19 +1,23 @@
 /**
- * CRE AI Analysis — Gemini Flash with ConfidentialHTTPClient
+ * CRE AI Analysis — Gemini Flash with HTTPClient
  *
- * Uses ConfidentialHTTPClient so the Gemini API call (which contains
- * the user's private story content) runs inside the encrypted enclave.
- * Story content never leaves the enclave unencrypted.
+ * Uses HTTPClient for simulation compatibility. ConfidentialHTTPClient
+ * requires actual DON enclave hardware and is not supported in local
+ * simulation mode (capability "confidential-http@1.0.0-alpha" not registered).
  *
- * API key is injected via Vault DON template syntax, not runtime.getSecret().
+ * TODO: Switch to ConfidentialHTTPClient for production deployment:
+ *   - Replace HTTPClient → ConfidentialHTTPClient
+ *   - Replace HTTPSendRequester → ConfidentialHTTPSendRequester
+ *   - Replace headers → multiHeaders with Vault DON templates
+ *   - Replace runtime.getSecret() → vaultDonSecrets
  */
 
 import {
-  ConfidentialHTTPClient,
+  cre,
   consensusIdenticalAggregation,
   ok,
   type Runtime,
-  type ConfidentialHTTPSendRequester,
+  type HTTPSendRequester,
 } from "@chainlink/cre-sdk";
 import type { Config } from "./main";
 
@@ -53,22 +57,23 @@ interface GeminiResult {
 }
 
 /**
- * Analyze story content using Gemini via CRE ConfidentialHTTPClient.
- * Story content stays encrypted inside the DON enclave.
+ * Analyze story content using Gemini via CRE HTTPClient.
+ * Uses runtime.getSecret() for API key (simulation-compatible).
  */
 export function askGemini(
   runtime: Runtime<Config>,
   title: string,
   content: string
 ): StoryMetrics {
-  runtime.log("[Gemini] Querying AI for story analysis (confidential)...");
+  runtime.log("[Gemini] Querying AI for story analysis...");
 
-  const confClient = new ConfidentialHTTPClient();
+  const geminiApiKey = runtime.getSecret({ id: "GEMINI_API_KEY" }).result().value;
+  const httpClient = new cre.capabilities.HTTPClient();
 
-  const result = confClient
+  const result = httpClient
     .sendRequest(
       runtime,
-      buildGeminiRequest(title, content),
+      buildGeminiRequest(title, content, geminiApiKey),
       consensusIdenticalAggregation<GeminiResult>()
     )(runtime.config)
     .result();
@@ -80,19 +85,15 @@ export function askGemini(
 }
 
 /**
- * Build the Gemini request function for ConfidentialHTTPClient.
+ * Build the Gemini request function for HTTPClient.
  * Returns a curried function: (sendRequester, config) => GeminiResult
  *
- * Key differences from HTTPClient:
- * - Uses ConfidentialHTTPSendRequester instead of HTTPSendRequester
- * - API key via Vault DON template: {{.geminiApiKey}}
- * - multiHeaders instead of headers
- * - vaultDonSecrets to reference Vault DON secrets
- * - Request body (story content) encrypted inside enclave
+ * Uses flat headers and runtime.getSecret() (simulation-compatible).
+ * For production: switch to ConfidentialHTTPSendRequester + multiHeaders + vaultDonSecrets.
  */
 const buildGeminiRequest =
-  (title: string, content: string) =>
-  (sendRequester: ConfidentialHTTPSendRequester, config: Config): GeminiResult => {
+  (title: string, content: string, apiKey: string) =>
+  (sendRequester: HTTPSendRequester, config: Config): GeminiResult => {
     const userPrompt = `Title: "${title}"
 
 Content:
@@ -117,19 +118,13 @@ ${content}
 
     const resp = sendRequester
       .sendRequest({
-        request: {
-          url: `https://generativelanguage.googleapis.com/v1beta/models/${config.geminiModel}:generateContent`,
-          method: "POST" as const,
-          body,
-          multiHeaders: {
-            "Content-Type": { values: ["application/json"] },
-            "x-goog-api-key": { values: ["{{.geminiApiKey}}"] },
-          },
+        url: `https://generativelanguage.googleapis.com/v1beta/models/${config.geminiModel}:generateContent`,
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "x-goog-api-key": apiKey,
         },
-        vaultDonSecrets: [
-          { key: "geminiApiKey", owner: config.owner },
-        ],
-        // encryptOutput not used — we need to parse the response in-workflow
+        body,
       })
       .result();
 

cre/iStory_workflow/httpCallback.ts

@@ -9,15 +9,14 @@
  * 5. Encode minimal data for on-chain storage
  * 6. Generate a signed CRE report
  * 7. Write the report to the PrivateVerifiedMetrics contract
- * 8. Callback full metrics to eStory API (confidential HTTP)
+ * 8. Callback full metrics to eStory API (HTTP)
  */
 
 import {
   cre,
-  ConfidentialHTTPClient,
   type Runtime,
   type HTTPPayload,
-  type ConfidentialHTTPSendRequester,
+  type HTTPSendRequester,
   getNetwork,
   hexToBase64,
   TxStatus,
@@ -88,9 +87,9 @@ export function onHttpTrigger(
     }
 
     // ─────────────────────────────────────────────────────────────
-    // Step 2: AI Analysis via Gemini (Confidential HTTP)
+    // Step 2: AI Analysis via Gemini (HTTP)
     // ─────────────────────────────────────────────────────────────
-    runtime.log("[Step 2] Querying Gemini AI (confidential enclave)...");
+    runtime.log("[Step 2] Querying Gemini AI...");
 
     let metrics;
     try {
@@ -229,13 +228,14 @@ export function onHttpTrigger(
     }
 
     // ─────────────────────────────────────────────────────────────
-    // Step 8: Callback full metrics to eStory API (confidential)
+    // Step 8: Callback full metrics to eStory API
     // ─────────────────────────────────────────────────────────────
-    runtime.log("[Step 8] Sending full metrics via confidential callback...");
+    runtime.log("[Step 8] Sending full metrics via callback...");
 
     if (runtime.config.callbackUrl) {
       try {
-        const confClient = new ConfidentialHTTPClient();
+        const callbackSecret = runtime.getSecret({ id: "CRE_CALLBACK_SECRET" }).result().value;
+        const httpClient = new cre.capabilities.HTTPClient();
 
         const callbackPayload = {
           storyId: input.storyId,
@@ -255,10 +255,10 @@ export function onHttpTrigger(
           new TextEncoder().encode(JSON.stringify(callbackPayload))
         ).toString("base64");
 
-        confClient
+        httpClient
           .sendRequest(
             runtime,
-            buildCallbackRequest(callbackBody),
+            buildCallbackRequest(callbackBody, callbackSecret),
             consensusIdenticalAggregation<{ success: boolean }>()
           )(runtime.config)
           .result();
@@ -286,26 +286,21 @@ export function onHttpTrigger(
 }
 
 /**
- * Build the confidential callback request.
- * Full metrics payload stays encrypted in transit via ConfidentialHTTPClient.
+ * Build the callback request via HTTPClient.
+ * For production: switch to ConfidentialHTTPClient + multiHeaders + vaultDonSecrets.
  */
 const buildCallbackRequest =
-  (body: string) =>
-  (sendRequester: ConfidentialHTTPSendRequester, config: Config): { success: boolean } => {
+  (body: string, secret: string) =>
+  (sendRequester: HTTPSendRequester, config: Config): { success: boolean } => {
     sendRequester
       .sendRequest({
-        request: {
-          url: config.callbackUrl,
-          method: "POST" as const,
-          body,
-          multiHeaders: {
-            "Content-Type": { values: ["application/json"] },
-            "X-CRE-Callback-Secret": { values: ["{{.callbackSecret}}"] },
-          },
+        url: config.callbackUrl,
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-CRE-Callback-Secret": secret,
         },
-        vaultDonSecrets: [
-          { key: "callbackSecret", owner: config.owner },
-        ],
+        body,
       })
       .result();