examples: add Lit Triggers examples (release-attestation, uptime-insurance, chainlink-feed-mirror)

[clawdbot-glitch003]

Summary

Adds examples/lit-triggers/ — full, runnable Lit Triggers examples, each matching the examples/ convention (hardened action + contract + setup.js + e2e client + README with flow diagram & trust model). They're grouped in a subfolder because they depend on the lit-triggers service (the parent-folder examples call the Lit Action endpoint directly).

Every on-chain example signs with the action's own keyless wallet (derived from its IPFS CID). And because a trigger has no downstream caller, the action broadcasts the tx itself — so setup funds the action wallet.

Example	Trigger	Shows
release-attestation	webhook	Verify a GitHub release webhook (HMAC over the raw body) → anchor on-chain in ReleaseRegistry (action wallet pinned as attester).
uptime-insurance	schedule	Parametric insurance: cron checks a status page, pays ETH to the policyholder from the keyless pool wallet when the service is down. No contract.
chainlink-feed-mirror	chain_event	Relay a Chainlink AnswerUpdated to a PriceConsumer on a chain Chainlink doesn't serve. Hardened: dest-chainId pin (action) + updater & stale-round guards (contract).

setup.js flow per example: action CID → group → scoped usage key (from your master key) → derive + fund action wallet → deploy contract (where applicable) → interactive lit-triggers browser authorize → create the trigger. call() retries transient 5xx/non-JSON from the Lit API.

Verified end-to-end on Base Sepolia

• release-attestation — full setup incl. master-key minting + the real browser-authorize (clicked) + attest() e2e; registry reads back. Also exercised the full authorized-token API surface (CRUD, disable→reject→enable, 401 for unauthorized).
• uptime-insurance — setup + claim: scheduled run paid out, confirmed by the policyholder +0.0002 ETH balance delta.
• chainlink-feed-mirror — setup resolved the live Chainlink aggregator + deployed PriceConsumer; mirror --simulate relayed a price (roundId advanced on-chain, run success, tx confirmed).

Notes

• Depends on the raw-body/header passthrough from feat(lit-triggers): expose raw webhook body and verification headers #404 (deployed).
• Companion docs in docs: add Lit Triggers section (overview, creating triggers, examples) #406.

🤖 Generated with Claude Code

[clawdbot-glitch003]

✅ Full npm run setup now verified end-to-end on Base Sepolia with a real master LIT_API_KEY — including the previously-unexercised master-key calls:

• get_lit_action_ipfs_id → CID Qmasj6fp8hkNxK5e3MoncDHhcrkDDR2hZ24B7xzEg3Gq1k
• add_group → group 46
• add_usage_api_key → fresh scoped key minted
• add_action + add_action_to_group
• action wallet derived (0x2ab7…aac4) + funded
• ReleaseRegistry deployed (0x66fEC8aD0470A07234385Bc63d88B8c7Eaf707Bf, attester pinned)
• webhook trigger created

Then npm run attest against the freshly-minted scoped key: signed webhook → run success → attest() tx 0xff1880329cf450907e321caf69a7dbfa8e9b5130db9d596effbe4641404e7d2b → getRelease() reads back commitish: main + timestamp.

The browser-authorize step (step 9) used the reuse path; the interactive handshake itself was exercised earlier in development.

[clawdbot-glitch003]

Addressed codex adversarial review

Ran a codex challenge pass; applied + live-verified fixes for the actionable findings.

[P1] feed-mirror trusted unverified trigger data → the action now re-fetches the receipt by (tx hash, log index) from a hostname-pinned, https-only source RPC, verifies the emitter is the baked SOURCE.aggregator with the AnswerUpdated topic + confirmations, and decodes the price from the verified log. destChainId is now required; setup warns on aggregator drift; --simulate replays a real on-chain event.

• Verified: real price relayed (answer 200157745000, roundId 11972, src tx 0xdbc714…).
• Verified forgery rejected: a real Base tx whose log is a USDC Transfer → error: "unexpected log emitter", consumer unchanged.

[P1] uptime drains by default → setup now creates the schedule trigger disabled; claim enables it, catches one payout, disables it again. Verified: disabled → +0.0002 ETH payout (0xcd149c…) → disabled.

[P2] PriceConsumer round-0 sentinel → replaced roundId != 0 with an explicit initialized flag.

[P1/P2] release-attestation trust model → README now states plainly that params.secret is caller-controllable on a direct call, so the HMAC only gates the public webhook path; the usage key is the trust root, and encrypting the secret (Lit.Actions.Encrypt, needs a PKP) is the production fix. Also noted commitish may be a branch, not a SHA.

Accepted as known/by-design (documented): plaintext keys in gitignored .env (local example config); no nonce coordination for keyless broadcasts (matters only for high-frequency triggers); replay/last-write-wins on (repo,tag).