feat(teardown)!: remove NFT-ownership stack (BREAKING) (#64)

Drops the user→wallet ownership stack the engine no longer owns: wallet_links / persona_ownership / sync_cursors tables, persona_genomes.asset_id, /s2s/wallets/* + /s2s/ownership/* endpoints, HMAC s2s auth, the marketplace self-heal sync pipeline, the enforce_nft_ownership gate, and MARKETPLACE_SVC_* env wiring. Migration 0023 drops the three tables + the asset_id column. Engine is chat + insights only.

Author: enriquephl

Cargo.lock

@@ -31,11 +31,6 @@ utoipa-scalar = { version = "0.3", features = ["axum"] }
 jsonwebtoken = "9"
 tower = "0.5"
 tower-http = { version = "0.6", features = ["trace", "cors"] }
-bs58 = "0.5"
-hmac = "0.12"
-sha2 = "0.10"
-subtle = "2.5"
-hex = "0.4"
 eventsource-stream = "0.2"
 futures-util       = "0.3"
 tokio-stream       = "0.1"

Cargo.toml

@@ -238,16 +238,22 @@ for frame layout and error semantics.
 | `OPENROUTER_APP_TITLE` | no | When set, sent as `X-Title`. Display name in OpenRouter app analytics. Pairs with `OPENROUTER_APP_REFERER`; both optional. |
 | `OPENROUTER_USAGE_HIDDEN_KEYS` | no | Comma-separated list of top-level keys to strip from the `usage` object on the SSE streaming `done` frame. Useful for hiding wholesale `cost` / `cost_details` from downstream customers. The full usage is still persisted and traced server-side. |
 | `VOYAGE_API_KEY` | yes | Embeddings. Empty keys fail server boot. |
-| `SUPABASE_URL` | no | Supabase project URL. Kept in `.env.example` for client/deploy conventions; the server does not read it today. |
-| `SUPABASE_JWT_SECRET` | yes | JWT signing secret for default auth. |
+| `SUPABASE_URL` | no | Supabase project URL. When set, the server derives the JWKS endpoint (`<url>/auth/v1/.well-known/jwks.json`) for asymmetric (RS256/ES256) JWT validation — the post-2025 Supabase default. |
+| `SUPABASE_JWKS_URL` | no | Explicit JWKS endpoint; takes precedence over deriving it from `SUPABASE_URL`. |
+| `SUPABASE_JWT_SECRET` | no | Legacy HS256 shared secret. At least one auth source — `SUPABASE_URL` / `SUPABASE_JWKS_URL` (JWKS) or `SUPABASE_JWT_SECRET` (HS256) — must be set, or the server refuses to boot (fail-closed). |
 | `BIND_ADDR` | no | Defaults to `0.0.0.0:8080`. |
 | `EXPOSE_AFFINITY_DEBUG` | no | Set `true` to enable `/comp/affinity/{session_id}`. |
 | `EMA_INERTIA` | no | EMA smoothing for affinity updates, in `[0, 1]`; defaults to `0.8`. Each turn applies `1 − inertia` of the evaluated delta, so a higher value moves the affinity vector less per turn (slower to build or lose) — a relationship-difficulty dial; `0` applies every delta in full. |
+| `DEMO_EMA_INERTIA` | no | EMA inertia applied only to sessions opened with `is_demo: true`; defaults to `0.3` so meters move visibly across a short demo. Falls back to `EMA_INERTIA` semantics otherwise. |
+| `DREAMING_DISABLED` | no | Set `1` to skip spawning the dreaming-lite sweeper (session-end memory extraction). |
+| `DREAMING_TICK_SECS` | no | How often the dreaming-lite sweeper wakes; defaults to `300`. |
+| `DREAMING_IDLE_SECS` | no | Minimum idle time before a session is eligible for classification; defaults to `1800`. |
+| `DREAMING_CLAIM_STALE_SECS` | no | How long a classification claim stays fresh before a crashed worker's row is re-claimed; defaults to `600`. |
+| `SNAPSHOT_DISABLED` | no | Set `1` to skip spawning the `companion_insights_snapshot` sweeper. |
+| `SNAPSHOT_CRON` | no | 6-field cron (`sec min hr dom mon dow`) for the snapshot sweeper; defaults to `0 0 23 * * *` (daily 23:00). |
+| `SNAPSHOT_TZ` | no | IANA timezone the snapshot cron is evaluated in; defaults to `Asia/Singapore`. |
 | `MODEL_CONFIG_PATH` | no | Defaults to `examples/model_config.toml`. |
 | `RUST_LOG` | no | Defaults to `info`. |
-| `MARKETPLACE_SVC_URL` | no | Base URL of eros-marketplace-svc. When set, the engine pulls /since cursors every 5 min as a self-heal recovery path. Requires `MARKETPLACE_SVC_S2S_SECRET`. |
-| `MARKETPLACE_SVC_S2S_SECRET` | no | HMAC secret shared with eros-marketplace-svc. Gates the `/s2s/*` routes the svc pushes into. Without it, `/s2s/*` always 401s. |
-| `MARKETPLACE_SVC_S2S_SECRET_PREVIOUS` | no | Verify-only secret used during rolling rotation. Engine accepts requests signed with either current or previous secret; outbound calls always sign with current. |
 
 ## What is deliberately out of scope
 

README.md

@@ -41,11 +41,6 @@ toml = "0.8"
 # In production (Fly.io / Docker) the file is absent, dotenv() returns
 # Err, and we silently fall through to the real environment.
 dotenvy = "0.15"
-hmac = { workspace = true }
-sha2 = { workspace = true }
-subtle = { workspace = true }
-hex = { workspace = true }
-urlencoding = "2"
 futures-util = { workspace = true }
 tokio-stream = { workspace = true }
 async-stream = { workspace = true }