@adapt-toolkit/a2adapt 0.11.2 → 0.11.3

package/.claude-plugin/plugin.json

@@ -3,7 +3,7 @@
   "name": "a2adapt",
   "displayName": "a2adapt",
   "description": "Secure agent-to-agent communication channel over ADAPT: self-sovereign pubkey identity, end-to-end encryption, plan-first execution.",
-  "version": "0.11.2",
+  "version": "0.11.3",
   "author": {
     "name": "Adapt Toolkit"
   },

package/dist/index.js

@@ -22512,7 +22512,7 @@ function writeIdentityFile(target, opts, overwrite = false) {
 }
 
 // src/index.ts
-var VERSION = true ? "0.11.2" : "0.0.0-dev";
+var VERSION = true ? "0.11.3" : "0.0.0-dev";
 var CONFIG = loadConfig();
 var STATE_DIR = CONFIG.stateDir;
 var BROKER_URL = CONFIG.brokerUrl;

package/dist/mufl_code/actor.mu

@@ -5,6 +5,12 @@
 // encrypted; the key exchange is handled for us by the stdlib `encrypted_channel`
 // library — we only ever address peers by their container id.
 //
+// The wire-facing shapes and shared verification logic live in the shared
+// a2adapt-mufl-core repo (checked out as the core/ subfolder of this
+// directory): libraries `a2a_protocol` and `version`. They are shared with
+// the web messenger — change them there, bump core_version, and recompile
+// every consumer.
+//
 // User transactions (each backs one MCP tool, except gc which the host fires):
 //   set_my_name             — set the display name peers see for me
 //   set_my_bio              — set my profile bio (free-text, self-asserted)
@@ -62,25 +68,13 @@ application actor loads libraries
     key_storage,
     continuation,
     encrypted_channel,
-    current_transaction_info
+    current_transaction_info,
+    a2a_protocol,
+    version
     uses transactions
 {
     hidden
     {
-        metadef contact_t: ($name -> str, $container_id -> global_id).
-        // Slim invite. Short keys (no field-name bloat), no outer wrapper, and
-        // only the cryptographically load-bearing parts travel: the inviter's
-        // signed identity (public keys) + its self-signatures. inviter_id is NOT
-        // carried separately — it is the identity's own container_id. version is
-        // a constant reconstructed on the receiver. (See generate_invite /
-        // add_contact: the embedded identity is kept byte-for-byte so its
-        // _value_id — what the signatures are over — stays valid.)
-        //   $d invite_id   $n inviter_name   $c container_id
-        //   $k public keys  $a authorizations
-        // default_keys is NOT carried — the receiver rebuilds it from the keys
-        // (each key knows its own function + id), so the reconstructed identity is
-        // byte-identical to the signed one and the self-signatures still verify.
-        metadef invite_t: ($d -> global_id, $n -> str, $c -> global_id, $k -> key_utils::t_publickey(,), $a -> crypto_signature(,)).
         // A received message carries a stable per-packet id and a lifecycle status:
         // "unread" (just arrived) -> "processed" (handed to the agent via
         // get_messages) -> "ready_to_delete" (first gc tick) -> deleted (next gc
@@ -92,71 +86,13 @@ application actor loads libraries
         // migrates blobs in this shape forward — see below.
         metadef legacy_message_t: ($sender_id -> global_id, $sender_name -> str, $text -> str, $date -> time).
 
-        // ---- local contact book wire shapes ---------------------------------
-        // Introduction credential, minted PER CONNECT ATTEMPT by the host's
-        // registrar packet (never stored in the book). It binds the joiner's
-        // identity AND address document to one target, with freshness + a nonce,
-        // so possession of book material alone authorizes nothing: only the
-        // registrar (whose key never leaves the host) can mint one, which is
-        // what makes "local" a cryptographic property rather than a convention.
-        metadef intro_t: (
-            $version       -> int,
-            $joiner_cid    -> global_id,
-            $joiner_ad_hash -> hash_code,
-            $target_cid    -> global_id,
-            $iat           -> time,
-            $nonce         -> global_id
-        ).
-        metadef signed_intro_t: ($i -> intro_t, $s -> crypto_signature).
-        // What the registrar signs for a contact-book entry (tamper-evidence for
-        // the host-side book file; verified by the SENDER in connect_local).
-        metadef book_entry_t: ($version -> int, $name -> str, $ad_hash -> hash_code).
         // A not-yet-approved local introduction, with its bounded message queue.
+        // (The local-book WIRE shapes — intro_t, signed_intro_t, book_entry_t —
+        // live in a2a_protocol; these three are packet-local state/view shapes.)
         metadef pending_msg_t: ($text -> str, $date -> time).
         metadef pending_intro_t: ($name -> str, $ad -> address_document_types::t_address_document, $messages -> pending_msg_t[]).
         metadef pending_view_t: ($name -> str, $queued -> int).
 
-        // ---- identity hierarchy wire shapes ---------------------------------
-        // Delegation certificate: "role X belongs to root Y, signed by Y". The
-        // signature is over the core's _value_id, binding the role's container
-        // id AND its full key material (the address-document hash) to one root.
-        // An identity carrying NIL here is a root (or a legacy flat identity) —
-        // detection is structural, not a flag. v1 revocation == delete the role.
-        metadef delegation_core_t: (
-            $version      -> int,
-            $role_cid     -> global_id,
-            $role_ad_hash -> hash_code,
-            $role_id      -> str,
-            $root_cid     -> global_id,
-            $issued_at    -> time
-        ).
-        metadef delegation_cert_t: ($c -> delegation_core_t, $s -> crypto_signature).
-        // Self-signed root profile, carried in role invites so an external peer
-        // learns WHO is behind the role. It includes the root's key list, so the
-        // receiver can verify both this signature and the delegation cert with
-        // no prior knowledge of the root.
-        metadef root_profile_core_t: (
-            $version  -> int,
-            $root_cid -> global_id,
-            $name     -> str,
-            $bio      -> str,
-            $keys     -> key_utils::t_publickey(,)
-        ).
-        metadef root_profile_t: ($p -> root_profile_core_t, $s -> crypto_signature).
-        // Verified root linkage learned about a contact (from its role invite or
-        // a sibling introduction). Kept beside `contacts` so old state blobs
-        // (whose contact_t has no such fields) import unchanged.
-        metadef contact_root_t: ($root_cid -> global_id, $root_name -> str, $role_id -> str).
-        // Role invite: the slim invite plus the delegation chain and the role's
-        // self-asserted bio. Roots and legacy identities keep emitting the old
-        // invite_t shape byte-for-byte, so their invites stay redeemable by old
-        // clients; only role invites require a hierarchy-aware receiver.
-        metadef invite_role_t: (
-            $d -> global_id, $n -> str, $c -> global_id,
-            $k -> key_utils::t_publickey(,), $a -> crypto_signature(,),
-            $b -> str, $dc -> delegation_cert_t, $rp -> root_profile_t
-        ).
-
         // Acceptance window for an introduction credential (seconds since mint;
         // small negative slack for clock oddities) and the matching nonce-table
         // retention horizon (window + slack, so a nonce outlives its credential).
@@ -174,7 +110,7 @@ application actor loads libraries
         // The display name peers see for me (set via set_my_name).
         my_name is str = "".
         // Known contacts, keyed by their container id.
-        contacts is (global_id ->> contact_t) = (,).
+        contacts is (global_id ->> a2a_protocol::contact_t) = (,).
         // Invites I generated, keyed by invite id -> the name I assigned the peer.
         pending_invites is (global_id ->> str) = (,).
         // Received messages. Each carries its own lifecycle status (see
@@ -210,14 +146,14 @@ application actor loads libraries
         // My profile bio (free-text, self-asserted; carried in role invites).
         my_bio is str = "".
         // My delegation cert. NIL == I am a root or a legacy flat identity.
-        delegation_cert is delegation_cert_t+ = NIL.
+        delegation_cert is a2a_protocol::delegation_cert_t+ = NIL.
         // My root's address document (set with the cert; its key list is what
         // sibling introductions and my own cert are verified against).
         root_ad is address_document_types::t_address_document+ = NIL.
         // My root's self-signed profile, embedded in the invites I generate.
-        root_profile is root_profile_t+ = NIL.
+        root_profile is a2a_protocol::root_profile_t+ = NIL.
         // Verified root linkage per contact, keyed by the contact's container id.
-        contact_roots is (global_id ->> contact_root_t) = (,).
+        contact_roots is (global_id ->> a2a_protocol::contact_root_t) = (,).
 
         // Signal the host to persist the packet. Only emitted at the end of a
         // complete procedure — intermediate states (e.g. channel handshake) are
@@ -255,25 +191,6 @@ application actor loads libraries
             return mid.
         }
 
-        // Verify a delegation chain presented by a peer: the root profile is
-        // internally consistent and the cert binds the peer's container id AND
-        // its address document to that root, both signed by the root's keys.
-        // The chain is self-contained (the profile carries the root's key list),
-        // so it proves "this role belongs to the root that signed it" — it does
-        // NOT vouch for who the root is (root verification is deferred to v2).
-        // Aborts on any mismatch; returns the linkage to record.
-        fn verify_peer_delegation (peer_cid: global_id, peer_ad_hash: hash_code, cert: delegation_cert_t, rp: root_profile_t) -> contact_root_t
-        {
-            abort "Unsupported delegation certificate version." when (cert $c $version) != 1.
-            abort "Unsupported root profile version." when (rp $p $version) != 1.
-            abort "Delegation certificate was issued for a different identity." when (cert $c $role_cid) != peer_cid.
-            abort "Delegation certificate does not match the peer's address document." when (cert $c $role_ad_hash) != peer_ad_hash.
-            abort "Root profile does not match the delegation certificate's root." when (rp $p $root_cid) != (cert $c $root_cid).
-            abort "Root profile signature is invalid." when key_storage::check_signature_new_container (_value_id (rp $p)) (rp $s) (rp $p $keys) != TRUE.
-            abort "Delegation certificate was not signed by its root." when key_storage::check_signature_new_container (_value_id (cert $c)) (cert $s) (rp $p $keys) != TRUE.
-            return ($root_cid -> cert $c $root_cid, $root_name -> rp $p $name, $role_id -> cert $c $role_id).
-        }
-
         // Resolve a pending introduction by joiner name or stringified container
         // id; aborts when nothing matches.
         fn resolve_pending (ref: str) -> global_id
@@ -336,7 +253,7 @@ application actor loads libraries
         // byte-for-byte, so those invites stay redeemable by old clients.
         if delegation_cert != NIL && root_profile != NIL
         {
-            role_invite is invite_role_t = (
+            role_invite is a2a_protocol::invite_role_t = (
                 $d  -> invite_id,
                 $n  -> my_name,
                 $c  -> my_identity $container_id,
@@ -356,7 +273,7 @@ application actor loads libraries
             ].
         }
 
-        invite is invite_t = (
+        invite is a2a_protocol::invite_t = (
             $d -> invite_id,
             $n -> my_name,
             $c -> my_identity $container_id,
@@ -390,39 +307,23 @@ application actor loads libraries
         inviter_keys = (raw $k) safe (key_utils::t_publickey(,)).
         inviter_auths = (raw $a) safe (crypto_signature(,)).
 
-        // Rebuild default_keys from the carried public keys: each key reports its
-        // own function and id, so this reproduces the inviter's default-key map
-        // exactly. With it we reconstruct the full identity (and hence its
-        // _value_id, which the self-signatures sign over) byte-for-byte, then the
-        // full address document. import_state later replays this reconstructed
-        // document through process_address_document to re-register the inviter's
-        // keys after a code upgrade — so it must validate, and it does.
-        inviter_default_keys is (key_utils::t_function ->> key_utils::t_key_id) = (,).
-        sc inviter_keys -- (key -> )
-        {
-            inviter_default_keys (key_utils::key_get_function key) -> (_crypto_get_key_id key).
-        }
-        inviter_identity is key_storage::t_container_identity = (
-            $key_list     -> inviter_keys,
-            $default_keys -> inviter_default_keys,
-            $container_id -> inviter_id
-        ).
-        inviter_ad is address_document_types::t_address_document = (
-            $version        -> 1,
-            $identity       -> inviter_identity,
-            $authorizations -> inviter_auths
-        ).
+        // Rebuild the inviter's full address document from the carried material
+        // (see a2a_protocol::rebuild_peer_address_document — the reconstructed
+        // identity is byte-for-byte the signed one). import_state later replays
+        // this document through process_address_document to re-register the
+        // inviter's keys after a code upgrade — so it must validate, and it does.
+        inviter_ad = a2a_protocol::rebuild_peer_address_document inviter_id inviter_keys inviter_auths.
 
         // A role invite carries a delegation chain — verify it BEFORE anything
         // is registered (an invalid chain rejects the whole invite), and record
         // the root linkage. A legacy/root invite has no chain; nothing to check.
-        inviter_root is contact_root_t+ = NIL.
+        inviter_root is a2a_protocol::contact_root_t+ = NIL.
         inviter_bio is str = "".
         if (raw $dc) != NIL
         {
-            cert = (raw $dc) safe delegation_cert_t.
-            rp = (raw $rp) safe root_profile_t.
-            inviter_root -> verify_peer_delegation inviter_id (_value_id inviter_ad) cert rp.
+            cert = (raw $dc) safe a2a_protocol::delegation_cert_t.
+            rp = (raw $rp) safe a2a_protocol::root_profile_t.
+            inviter_root -> a2a_protocol::verify_peer_delegation inviter_id (_value_id inviter_ad) cert rp.
             inviter_bio -> (raw $b) safe str.
         }
 
@@ -720,7 +621,7 @@ application actor loads libraries
 
         joiner_ad = (_read_or_abort joiner_ad_blob) safe address_document_types::t_address_document.
         target_ad = (_read_or_abort target_ad_blob) safe address_document_types::t_address_document.
-        intro is intro_t = (
+        intro is a2a_protocol::intro_t = (
             $version        -> 1,
             $joiner_cid     -> joiner_ad $identity $container_id,
             $joiner_ad_hash -> _value_id joiner_ad,
@@ -728,7 +629,7 @@ application actor loads libraries
             $iat            -> (current_transaction_info::get_transaction_time())?,
             $nonce          -> _new_id "a2adapt local introduction"
         ).
-        signed is signed_intro_t = ($i -> intro, $s -> key_storage::default_sign (_value_id intro)).
+        signed is a2a_protocol::signed_intro_t = ($i -> intro, $s -> key_storage::default_sign (_value_id intro)).
         return transaction::success [
             _return_data ($intro -> (_write signed))
         ].
@@ -742,7 +643,7 @@ application actor loads libraries
         current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
 
         ad = (_read_or_abort ad_blob) safe address_document_types::t_address_document.
-        entry is book_entry_t = ($version -> 1, $name -> name, $ad_hash -> _value_id ad).
+        entry is a2a_protocol::book_entry_t = ($version -> 1, $name -> name, $ad_hash -> _value_id ad).
         return transaction::success [
             _return_data ($sig -> (_write (key_storage::default_sign (_value_id entry))))
         ].
@@ -763,7 +664,7 @@ application actor loads libraries
         target_id = target_ad $identity $container_id.
         abort "This contact-book entry is your own identity." when target_id == _get_container_id().
 
-        entry is book_entry_t = ($version -> 1, $name -> name, $ad_hash -> _value_id target_ad).
+        entry is a2a_protocol::book_entry_t = ($version -> 1, $name -> name, $ad_hash -> _value_id target_ad).
         entry_sig = (_read_or_abort entry_sig_blob) safe crypto_signature.
         abort "Contact-book entry failed registrar verification." when key_storage::check_signature_new_container (_value_id entry) entry_sig (registrar_ad? $identity $key_list) != TRUE.
 
@@ -856,7 +757,7 @@ application actor loads libraries
         role_cid = role_ad $identity $container_id.
         abort "Cannot issue a delegation certificate to myself." when role_cid == _get_container_id().
 
-        core is delegation_core_t = (
+        core is a2a_protocol::delegation_core_t = (
             $version      -> 1,
             $role_cid     -> role_cid,
             $role_ad_hash -> _value_id role_ad,
@@ -864,7 +765,7 @@ application actor loads libraries
             $root_cid     -> _get_container_id(),
             $issued_at    -> (current_transaction_info::get_transaction_time())?
         ).
-        cert is delegation_cert_t = ($c -> core, $s -> key_storage::default_sign (_value_id core)).
+        cert is a2a_protocol::delegation_cert_t = ($c -> core, $s -> key_storage::default_sign (_value_id core)).
         return transaction::success [
             _return_data ($cert -> (_write cert))
         ].
@@ -879,14 +780,14 @@ application actor loads libraries
         abort "Only a root identity can export a root profile." when delegation_cert != NIL.
 
         my_ad = address_document::get_my_address_document().
-        core is root_profile_core_t = (
+        core is a2a_protocol::root_profile_core_t = (
             $version  -> 1,
             $root_cid -> _get_container_id(),
             $name     -> my_name,
             $bio      -> my_bio,
             $keys     -> my_ad $identity $key_list
         ).
-        profile is root_profile_t = ($p -> core, $s -> key_storage::default_sign (_value_id core)).
+        profile is a2a_protocol::root_profile_t = ($p -> core, $s -> key_storage::default_sign (_value_id core)).
         return transaction::success [
             _return_data ($profile -> (_write profile))
         ].
@@ -901,9 +802,9 @@ application actor loads libraries
     {
         current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
 
-        cert = (_read_or_abort cert_blob) safe delegation_cert_t.
+        cert = (_read_or_abort cert_blob) safe a2a_protocol::delegation_cert_t.
         new_root_ad = (_read_or_abort root_ad_blob) safe address_document_types::t_address_document.
-        rp = (_read_or_abort rp_blob) safe root_profile_t.
+        rp = (_read_or_abort rp_blob) safe a2a_protocol::root_profile_t.
 
         abort "Unsupported delegation certificate version." when (cert $c $version) != 1.
         abort "This delegation certificate was issued to a different identity." when (cert $c $role_cid) != _get_container_id().
@@ -950,6 +851,12 @@ application actor loads libraries
         return contact_roots.
     }
 
+    // The shared-core version this packet was compiled with (see core/version.mm).
+    trn readonly get_version _
+    {
+        return ($core -> version::get_core_version()).
+    }
+
     // Connect to an intra-root sibling (Ring 1): register it as a contact and
     // introduce myself over the encrypted channel, presenting my delegation
     // cert (NIL when I am the root itself — the channel proves I control the
@@ -1033,7 +940,7 @@ application actor loads libraries
         // The fields that did not change across the schema bump are validated the
         // same way for any version of the blob.
         my_name         -> (data $my_name) safe str.
-        contacts        -> (data $contacts) safe (global_id ->> contact_t).
+        contacts        -> (data $contacts) safe (global_id ->> a2a_protocol::contact_t).
         pending_invites -> (data $pending_invites) safe (global_id ->> str).
         peer_ads        -> (data $peer_ads) safe (global_id ->> address_document_types::t_address_document).
 
@@ -1114,7 +1021,7 @@ application actor loads libraries
         }
         if (data $delegation_cert) != NIL
         {
-            delegation_cert -> (data $delegation_cert) safe delegation_cert_t.
+            delegation_cert -> (data $delegation_cert) safe a2a_protocol::delegation_cert_t.
         }
         if (data $root_ad) != NIL
         {
@@ -1122,11 +1029,11 @@ application actor loads libraries
         }
         if (data $root_profile) != NIL
         {
-            root_profile -> (data $root_profile) safe root_profile_t.
+            root_profile -> (data $root_profile) safe a2a_protocol::root_profile_t.
         }
         if (data $contact_roots) != NIL
         {
-            contact_roots -> (data $contact_roots) safe (global_id ->> contact_root_t).
+            contact_roots -> (data $contact_roots) safe (global_id ->> a2a_protocol::contact_root_t).
         }
 
         // Re-register every peer's keys so encrypted channels keep working after
@@ -1180,12 +1087,12 @@ application actor loads libraries
 
         // A delegated-role joiner carries its chain so I learn its root linkage
         // symmetrically; an invalid chain rejects the redemption outright.
-        joiner_root is contact_root_t+ = NIL.
+        joiner_root is a2a_protocol::contact_root_t+ = NIL.
         if (args $joiner_cert) != NIL
         {
-            cert = (_read_or_abort ((args $joiner_cert) safe bin)) safe delegation_cert_t.
-            rp = (_read_or_abort ((args $joiner_root_profile) safe bin)) safe root_profile_t.
-            joiner_root -> verify_peer_delegation sender_id (_value_id joiner_ad) cert rp.
+            cert = (_read_or_abort ((args $joiner_cert) safe bin)) safe a2a_protocol::delegation_cert_t.
+            rp = (_read_or_abort ((args $joiner_root_profile) safe bin)) safe a2a_protocol::root_profile_t.
+            joiner_root -> a2a_protocol::verify_peer_delegation sender_id (_value_id joiner_ad) cert rp.
         }
 
         contacts sender_id -> ($name -> contact_name, $container_id -> sender_id).
@@ -1263,7 +1170,7 @@ application actor loads libraries
         sender_id = current_transaction_info::get_external_envelope_or_abort() $from.
         abort "This identity does not accept local-contact-book introductions." when registrar_ad == NIL.
 
-        signed = (_read_or_abort intro_blob) safe signed_intro_t.
+        signed = (_read_or_abort intro_blob) safe a2a_protocol::signed_intro_t.
         intro = signed $i.
         abort "Unsupported introduction credential version." when (intro $version) != 1.
         abort "Introduction credential was not signed by this host's registrar." when key_storage::check_signature_new_container (_value_id intro) (signed $s) (registrar_ad? $identity $key_list) != TRUE.
@@ -1356,7 +1263,7 @@ application actor loads libraries
         sender_id = current_transaction_info::get_external_envelope_or_abort() $from.
         now = (current_transaction_info::get_transaction_time())?.
 
-        link is contact_root_t+ = NIL.
+        link is a2a_protocol::contact_root_t+ = NIL.
         if cert_blob == NIL
         {
             // Sender claims to be my root.
@@ -1366,7 +1273,7 @@ application actor loads libraries
         }
         else
         {
-            cert = (_read_or_abort cert_blob?) safe delegation_cert_t.
+            cert = (_read_or_abort cert_blob?) safe a2a_protocol::delegation_cert_t.
             abort "Unsupported delegation certificate version." when (cert $c $version) != 1.
             abort "Sibling certificate was issued for a different sender." when (cert $c $role_cid) != sender_id.
             abort "Sibling certificate does not match the sender's address document." when (cert $c $role_ad_hash) != (_value_id joiner_ad).

package/dist/mufl_code/config.mufl

@@ -1,20 +1,25 @@
 // a2adapt messenger packet — compile configuration.
 //
-// Pulls in the full ADAPT standard library so `actor.mu` can `loads libraries`
-// the crypto / identity / transport modules by name. No app-private libraries
-// (everything we need lives in the stdlib, including `encrypted_channel`, which
-// does the peer key-exchange for us).
+// Pulls in the full ADAPT standard library plus the shared a2adapt mufl core
+// (the a2adapt-mufl-core repo, checked out as the core/ subfolder) so
+// `actor.mu` can `loads libraries` the crypto / identity / transport modules
+// and the shared protocol libraries (`a2a_protocol`, `version`) by name.
 //
-// Compile:
-//   MUFL_STDLIB_PATH=<adapt-toolkit>/mufl_stdlib \
-//     mufl-compile -mp <adapt-toolkit>/meta -mp <adapt-toolkit>/transactions -d-c actor.mu
-// -> emits <content-hash>.muflo in the cwd.
+// Compile: scripts/compile-mufl.sh (copies actor.mu, this file, and core/
+// into a temp dir and runs mufl-compile there).
 
 config script
 {
+    stdlib_config = (config_load #$MUFL_STDLIB_PATH).
+    core_config = (config_load #"core").
+
     (
-        $imports -> ((config_load #$MUFL_STDLIB_PATH) $exports),
-        $exports -> (
+        $imports ->
+        (
+            $libraries -> (stdlib_config $exports $libraries)'(core_config $exports $libraries),
+        ),
+        $exports ->
+        (
             $libraries -> (,),
             $applications -> (,)
         )

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adapt-toolkit/a2adapt",
-  "version": "0.11.2",
+  "version": "0.11.3",
   "description": "MCP server daemon for a2adapt — one native ADAPT wrapper hosting N self-sovereign identities, exposing secure agent-to-agent messaging tools over HTTP (Streamable HTTP). Run `a2adapt-mcp start`.",
   "type": "module",
   "license": "MIT",