@adapt-toolkit/a2adapt 0.11.2 → 0.11.4

package/.claude-plugin/plugin.json

@@ -3,7 +3,7 @@
   "name": "a2adapt",
   "displayName": "a2adapt",
   "description": "Secure agent-to-agent communication channel over ADAPT: self-sovereign pubkey identity, end-to-end encryption, plan-first execution.",
-  "version": "0.11.2",
+  "version": "0.11.4",
   "author": {
     "name": "Adapt Toolkit"
   },

package/dist/index.js

@@ -22512,7 +22512,7 @@ function writeIdentityFile(target, opts, overwrite = false) {
 }
 
 // src/index.ts
-var VERSION = true ? "0.11.2" : "0.0.0-dev";
+var VERSION = true ? "0.11.4" : "0.0.0-dev";
 var CONFIG = loadConfig();
 var STATE_DIR = CONFIG.stateDir;
 var BROKER_URL = CONFIG.brokerUrl;
@@ -22962,7 +22962,7 @@ async function provisionIdentity(name, opts = { exposeLocal: true, localAutoAcce
   const seed = randomBytes(24).toString("hex");
   fs2.writeFileSync(seedPath(dir), seed, { mode: 384 });
   const id = await createPacket(name, seed, dir);
-  await mutatingTx(id, "::actor::set_my_name", { name });
+  await mutatingTx(id, "::a2a_messaging::set_my_name", { name });
   await pinRegistrar(id);
   if (!opts.localAutoAccept) {
     await mutatingTx(id, "::actor::set_local_policy", { auto_accept: false });
@@ -23174,7 +23174,7 @@ function createMcpServer(getSessionId) {
       if (identities.has(name)) return textResult(`create_identity failed: an identity named "${name}" already exists.`, true);
       try {
         const id = await provisionIdentity(name, { exposeLocal: expose_local, localAutoAccept: local_auto_accept });
-        if (bio) await mutatingTx(id, "::actor::set_my_bio", { bio });
+        if (bio) await mutatingTx(id, "::a2a_messaging::set_my_bio", { bio });
         let hierarchy = "";
         const root = rootName ? identities.get(rootName) : void 0;
         if (root) {
@@ -23216,7 +23216,7 @@ Ask the user: do you want to arm a message monitor for "${name}"? If yes, use: M
       }
       try {
         const id = await provisionIdentity(name, { exposeLocal: expose_local, localAutoAccept: local_auto_accept });
-        if (bio) await mutatingTx(id, "::actor::set_my_bio", { bio });
+        if (bio) await mutatingTx(id, "::a2a_messaging::set_my_bio", { bio });
         rootName = name;
         writeRootMarker(name);
         const adopted = [];
@@ -23444,7 +23444,7 @@ ${inbox.map((m) => fmtMsg(m)).join("\n")}`;
       try {
         const targ = {};
         if (name) targ.name = name;
-        const data = await mutatingTx(id, "::actor::generate_invite", targ);
+        const data = await mutatingTx(id, "::a2a_messaging::generate_invite", targ);
         const blob = packInvite(Buffer.from(data.Reduce("invite").GetBinary()));
         const heading = name ? `Invite for "${name}" created.` : "Invite created \u2014 the contact will be registered under the name the recipient announces when accepting.";
         return textResult(
@@ -23478,7 +23478,7 @@ ${blob}`
         const blobValue = id.pw.packet.NewBinaryFromBuffer(buf);
         const targ = { invite: blobValue };
         if (name) targ.name = name;
-        const data = await mutatingTx(id, "::actor::add_contact", targ);
+        const data = await mutatingTx(id, "::a2a_messaging::add_contact", targ);
         const added = data.Reduce("added").Visualize();
         const cid = data.Reduce("container_id").Visualize();
         const roleId = data.Reduce("role_id").Visualize();
@@ -23499,9 +23499,9 @@ ${blob}`
       const { id, err } = boundOr();
       if (err) return err;
       try {
-        const contacts = renderContacts(readonlyTx(id, "::actor::list_contacts"));
+        const contacts = renderContacts(readonlyTx(id, "::a2a_messaging::list_contacts"));
         const pending = renderPending(readonlyTx(id, "::actor::list_pending_introductions"));
-        const roots = renderContactRoots(readonlyTx(id, "::actor::list_contact_roots"));
+        const roots = renderContactRoots(readonlyTx(id, "::a2a_messaging::list_contact_roots"));
         const lines = [];
         lines.push(
           contacts.length === 0 ? "No contacts yet." : `Contacts (${contacts.length}):
@@ -23576,7 +23576,7 @@ ${lines.join("\n")}`);
       const { id, err } = boundOr();
       if (err) return err;
       try {
-        await mutatingTx(id, "::actor::set_my_bio", { bio });
+        await mutatingTx(id, "::a2a_messaging::set_my_bio", { bio });
         let refreshed = 0;
         if (id.name === rootName) {
           for (const other of identities.values()) {
@@ -23638,7 +23638,7 @@ ${lines.join("\n")}`);
       const { id, err } = boundOr();
       if (err) return err;
       try {
-        await mutatingTx(id, "::actor::send_message", { contact, text });
+        await mutatingTx(id, "::a2a_messaging::send_message", { contact, text });
         return textResult(`Message sent to "${contact}".`);
       } catch (e) {
         if (!/Unknown contact/.test(String(e))) {
@@ -23662,7 +23662,7 @@ ${lines.join("\n")}`);
       const { id, err } = boundOr();
       if (err) return err;
       try {
-        const data = await mutatingTx(id, "::actor::remove_contact", { contact });
+        const data = await mutatingTx(id, "::a2a_messaging::remove_contact", { contact });
         const name = data.Reduce("removed").Visualize();
         const cid = data.Reduce("container_id").Visualize();
         return textResult(`Removed contact "${name}" (${cid}).`);

package/dist/mufl_code/actor.mu

@@ -5,14 +5,39 @@
 // encrypted; the key exchange is handled for us by the stdlib `encrypted_channel`
 // library — we only ever address peers by their container id.
 //
+// The shared transaction logic lives in the a2adapt-mufl-core repo (checked
+// out as the core/ subfolder of this directory): `a2a_protocol` (wire shapes +
+// verification), `a2a_messaging` (contact + message wire path, addressed
+// ::a2a_messaging::<name> by the host), and `version`. They are shared with
+// the web messenger — change them there, bump core_version, and recompile
+// every consumer.
+//
+// This packet keeps only what is agent-specific:
+//   - the inbox message store with its lifecycle (unread -> processed ->
+//     ready_to_delete -> deleted; see get_messages / gc / defer_messages)
+//   - the local contact book + identity hierarchy transactions (host-fired)
+//   - export_state / import_state wrappers composing the core helpers with
+//     the app-side fields (including the legacy-blob migrations)
+//   - ::actor:: compat shims for the network-visible inbound transactions
+//     (accept_contact, receive_message) — pre-migration peers send to these
+//     names, and the core keeps SENDING to them too (Option A: zero network
+//     break; drop both only when no old clients remain)
+//
+// Storage is wired into the core via a2a_messaging::init hooks (see the
+// hidden block): on_message_received deposits into the inbox (or the
+// pending-introduction queue for unknown senders); send/remove hooks are
+// agent no-ops.
+//
 // User transactions (each backs one MCP tool, except gc which the host fires):
-//   set_my_name             — set the display name peers see for me
-//   set_my_bio              — set my profile bio (free-text, self-asserted)
-//   generate_invite         — make a slim personal invite blob for a named peer
-//   add_contact             — join via an invite blob, reply to the inviter
-//   send_message            — send an e2e-encrypted message to a contact
-//   remove_contact          — forget a contact (drops it from my contacts)
-//   list_contacts           — (readonly) my contacts
+//   ::a2a_messaging::set_my_name        — set the display name peers see for me
+//   ::a2a_messaging::set_my_bio         — set my profile bio (free-text, self-asserted)
+//   ::a2a_messaging::generate_invite    — make an invite blob for a named peer
+//   ::a2a_messaging::add_contact        — join via an invite blob, reply to the inviter
+//   ::a2a_messaging::send_message       — send an e2e-encrypted message to a contact
+//   ::a2a_messaging::remove_contact     — forget a contact
+//   ::a2a_messaging::list_contacts      — (readonly) my contacts
+//   ::a2a_messaging::list_contact_roots — (readonly) verified root linkage per contact
+//   ::a2a_messaging::get_version        — (readonly) shared-core version
 //   list_incoming_messages  — (readonly) my inbox, with per-message id + status
 //   get_messages            — return unread messages + mark them processed (sole body egress)
 //   defer_messages          — flip processed/ready_to_delete messages back to unread
@@ -23,7 +48,6 @@
 //   export_root_profile     — root-only in practice: my self-signed root profile blob
 //   set_delegation          — role: store my verified delegation cert + root material
 //   describe_identity       — (readonly) name/bio/hierarchy position
-//   list_contact_roots      — (readonly) verified root linkage per contact
 //   connect_sibling         — register an intra-root peer + send sibling_introduce
 //
 // Local contact book (host-fired transactions; see the design notes above
@@ -39,17 +63,10 @@
 //   list_pending_introductions — (readonly) pending introductions (names + queue sizes)
 //
 // External transactions (inbound, not exposed as tools):
-//   accept_contact          — inviter learns the joiner's identity + name
-//   receive_message         — store a decrypted inbound message
+//   accept_contact          — inviter learns the joiner's identity + name (core shim)
+//   receive_message         — store a decrypted inbound message (core shim)
 //   local_introduce         — same-host peer connects via the local contact book
 //   sibling_introduce       — intra-root peer connects, authorized by its delegation cert
-//
-// Naming model (personal invites): generate_invite('Bob') tags a pending invite
-// with the peer-name "Bob"; whoever redeems it is registered under "Bob" (the
-// inviter's assigned name wins). Generating WITHOUT a name tags the invite with
-// "" — then the joiner's self-announced name wins (falling back to its container
-// id if the joiner never set one). The joiner, in turn, sees the inviter under
-// the inviter's own self-name (set via set_my_name), unless the joiner overrides it.
 
 application actor loads libraries
     identity_proof_document,
@@ -62,25 +79,14 @@ application actor loads libraries
     key_storage,
     continuation,
     encrypted_channel,
-    current_transaction_info
+    current_transaction_info,
+    a2a_protocol,
+    a2a_messaging,
+    version
     uses transactions
 {
     hidden
     {
-        metadef contact_t: ($name -> str, $container_id -> global_id).
-        // Slim invite. Short keys (no field-name bloat), no outer wrapper, and
-        // only the cryptographically load-bearing parts travel: the inviter's
-        // signed identity (public keys) + its self-signatures. inviter_id is NOT
-        // carried separately — it is the identity's own container_id. version is
-        // a constant reconstructed on the receiver. (See generate_invite /
-        // add_contact: the embedded identity is kept byte-for-byte so its
-        // _value_id — what the signatures are over — stays valid.)
-        //   $d invite_id   $n inviter_name   $c container_id
-        //   $k public keys  $a authorizations
-        // default_keys is NOT carried — the receiver rebuilds it from the keys
-        // (each key knows its own function + id), so the reconstructed identity is
-        // byte-identical to the signed one and the self-signatures still verify.
-        metadef invite_t: ($d -> global_id, $n -> str, $c -> global_id, $k -> key_utils::t_publickey(,), $a -> crypto_signature(,)).
         // A received message carries a stable per-packet id and a lifecycle status:
         // "unread" (just arrived) -> "processed" (handed to the agent via
         // get_messages) -> "ready_to_delete" (first gc tick) -> deleted (next gc
@@ -92,71 +98,13 @@ application actor loads libraries
         // migrates blobs in this shape forward — see below.
         metadef legacy_message_t: ($sender_id -> global_id, $sender_name -> str, $text -> str, $date -> time).
 
-        // ---- local contact book wire shapes ---------------------------------
-        // Introduction credential, minted PER CONNECT ATTEMPT by the host's
-        // registrar packet (never stored in the book). It binds the joiner's
-        // identity AND address document to one target, with freshness + a nonce,
-        // so possession of book material alone authorizes nothing: only the
-        // registrar (whose key never leaves the host) can mint one, which is
-        // what makes "local" a cryptographic property rather than a convention.
-        metadef intro_t: (
-            $version       -> int,
-            $joiner_cid    -> global_id,
-            $joiner_ad_hash -> hash_code,
-            $target_cid    -> global_id,
-            $iat           -> time,
-            $nonce         -> global_id
-        ).
-        metadef signed_intro_t: ($i -> intro_t, $s -> crypto_signature).
-        // What the registrar signs for a contact-book entry (tamper-evidence for
-        // the host-side book file; verified by the SENDER in connect_local).
-        metadef book_entry_t: ($version -> int, $name -> str, $ad_hash -> hash_code).
         // A not-yet-approved local introduction, with its bounded message queue.
+        // (The local-book WIRE shapes — intro_t, signed_intro_t, book_entry_t —
+        // live in a2a_protocol; these three are packet-local state/view shapes.)
         metadef pending_msg_t: ($text -> str, $date -> time).
         metadef pending_intro_t: ($name -> str, $ad -> address_document_types::t_address_document, $messages -> pending_msg_t[]).
         metadef pending_view_t: ($name -> str, $queued -> int).
 
-        // ---- identity hierarchy wire shapes ---------------------------------
-        // Delegation certificate: "role X belongs to root Y, signed by Y". The
-        // signature is over the core's _value_id, binding the role's container
-        // id AND its full key material (the address-document hash) to one root.
-        // An identity carrying NIL here is a root (or a legacy flat identity) —
-        // detection is structural, not a flag. v1 revocation == delete the role.
-        metadef delegation_core_t: (
-            $version      -> int,
-            $role_cid     -> global_id,
-            $role_ad_hash -> hash_code,
-            $role_id      -> str,
-            $root_cid     -> global_id,
-            $issued_at    -> time
-        ).
-        metadef delegation_cert_t: ($c -> delegation_core_t, $s -> crypto_signature).
-        // Self-signed root profile, carried in role invites so an external peer
-        // learns WHO is behind the role. It includes the root's key list, so the
-        // receiver can verify both this signature and the delegation cert with
-        // no prior knowledge of the root.
-        metadef root_profile_core_t: (
-            $version  -> int,
-            $root_cid -> global_id,
-            $name     -> str,
-            $bio      -> str,
-            $keys     -> key_utils::t_publickey(,)
-        ).
-        metadef root_profile_t: ($p -> root_profile_core_t, $s -> crypto_signature).
-        // Verified root linkage learned about a contact (from its role invite or
-        // a sibling introduction). Kept beside `contacts` so old state blobs
-        // (whose contact_t has no such fields) import unchanged.
-        metadef contact_root_t: ($root_cid -> global_id, $root_name -> str, $role_id -> str).
-        // Role invite: the slim invite plus the delegation chain and the role's
-        // self-asserted bio. Roots and legacy identities keep emitting the old
-        // invite_t shape byte-for-byte, so their invites stay redeemable by old
-        // clients; only role invites require a hierarchy-aware receiver.
-        metadef invite_role_t: (
-            $d -> global_id, $n -> str, $c -> global_id,
-            $k -> key_utils::t_publickey(,), $a -> crypto_signature(,),
-            $b -> str, $dc -> delegation_cert_t, $rp -> root_profile_t
-        ).
-
         // Acceptance window for an introduction credential (seconds since mint;
         // small negative slack for clock oddities) and the matching nonce-table
         // retention horizon (window + slack, so a nonce outlives its credential).
@@ -171,27 +119,19 @@ application actor loads libraries
         encrypted_channel::init ($_read_or_abort -> _read_or_abort).
 
         // ---- packet state ---------------------------------------------------
-        // The display name peers see for me (set via set_my_name).
-        my_name is str = "".
-        // Known contacts, keyed by their container id.
-        contacts is (global_id ->> contact_t) = (,).
-        // Invites I generated, keyed by invite id -> the name I assigned the peer.
-        pending_invites is (global_id ->> str) = (,).
+        // (The shared contact/profile/hierarchy state — my_name, contacts,
+        // pending_invites, peer_ads, my_bio, delegation_cert, root_ad,
+        // root_profile, contact_roots — lives in a2a_messaging and is read /
+        // assigned as a2a_messaging::<field> below.)
+        //
         // Received messages. Each carries its own lifecycle status (see
-        // message_t / get_messages / mark_processed / defer_messages), so the
+        // message_t / get_messages / gc / defer_messages), so the
         // packet is the single authority on what has been read or processed —
         // no host-side cursor, safe across concurrent sessions.
         inbox is message_t[] = [].
         // Monotonic source of per-message ids (the stable handle the agent uses
         // to mark a message processed or defer it).
         next_msg_seq is int = 1.
-        // Peer address documents, captured when a contact is established. These are
-        // self-signed, code-independent, and seed-stable, so on a code upgrade the
-        // host re-creates this packet from the same seed and import_state replays
-        // them through address_document::process_address_document — re-registering
-        // every peer's keys in key_storage so encrypted channels survive the upgrade
-        // with no re-handshake. Only peer PUBLIC keys travel here, never secrets.
-        peer_ads is (global_id ->> address_document_types::t_address_document) = (,).
         // The host registrar's address document (pinned once at identity
         // creation / injected on upgrade) — its $identity $key_list is what
         // introduction credentials are verified against. NIL means this identity
@@ -206,18 +146,6 @@ application actor loads libraries
         // Verified-but-unapproved local introductions (when auto-accept is off),
         // each with a bounded queue of messages awaiting approval.
         pending_introductions is (global_id ->> pending_intro_t) = (,).
-        // ---- identity hierarchy state ----
-        // My profile bio (free-text, self-asserted; carried in role invites).
-        my_bio is str = "".
-        // My delegation cert. NIL == I am a root or a legacy flat identity.
-        delegation_cert is delegation_cert_t+ = NIL.
-        // My root's address document (set with the cert; its key list is what
-        // sibling introductions and my own cert are verified against).
-        root_ad is address_document_types::t_address_document+ = NIL.
-        // My root's self-signed profile, embedded in the invites I generate.
-        root_profile is root_profile_t+ = NIL.
-        // Verified root linkage per contact, keyed by the contact's container id.
-        contact_roots is (global_id ->> contact_root_t) = (,).
 
         // Signal the host to persist the packet. Only emitted at the end of a
         // complete procedure — intermediate states (e.g. channel handshake) are
@@ -226,19 +154,6 @@ application actor loads libraries
         fn _return_data (payload: any) = (transaction::action::return_data ($kind -> $data, $payload -> payload)).
         fn _notify_agent (payload: any) = (transaction::action::return_data ($kind -> $notify_agent, $payload -> payload)).
 
-        // Resolve a contact reference (a display name or stringified container id)
-        // to a container id; aborts if no contact matches.
-        fn resolve_contact (ref: str) -> global_id
-        {
-            found is global_id+ = NIL.
-            sc contacts -- (cid -> c) ?? found == NIL && ((c $name) == ref || (_str cid) == ref)
-            {
-                found -> cid.
-            }
-            abort "Unknown contact: " + ref when found == NIL.
-            return found?.
-        }
-
         // Append a message to the inbox under a fresh id; returns the id.
         fn deposit_message (sender_id: global_id, sender_name: str, text: str, msg_date: time) -> int
         {
@@ -255,25 +170,6 @@ application actor loads libraries
             return mid.
         }
 
-        // Verify a delegation chain presented by a peer: the root profile is
-        // internally consistent and the cert binds the peer's container id AND
-        // its address document to that root, both signed by the root's keys.
-        // The chain is self-contained (the profile carries the root's key list),
-        // so it proves "this role belongs to the root that signed it" — it does
-        // NOT vouch for who the root is (root verification is deferred to v2).
-        // Aborts on any mismatch; returns the linkage to record.
-        fn verify_peer_delegation (peer_cid: global_id, peer_ad_hash: hash_code, cert: delegation_cert_t, rp: root_profile_t) -> contact_root_t
-        {
-            abort "Unsupported delegation certificate version." when (cert $c $version) != 1.
-            abort "Unsupported root profile version." when (rp $p $version) != 1.
-            abort "Delegation certificate was issued for a different identity." when (cert $c $role_cid) != peer_cid.
-            abort "Delegation certificate does not match the peer's address document." when (cert $c $role_ad_hash) != peer_ad_hash.
-            abort "Root profile does not match the delegation certificate's root." when (rp $p $root_cid) != (cert $c $root_cid).
-            abort "Root profile signature is invalid." when key_storage::check_signature_new_container (_value_id (rp $p)) (rp $s) (rp $p $keys) != TRUE.
-            abort "Delegation certificate was not signed by its root." when key_storage::check_signature_new_container (_value_id (cert $c)) (cert $s) (rp $p $keys) != TRUE.
-            return ($root_cid -> cert $c $root_cid, $root_name -> rp $p $name, $role_id -> cert $c $role_id).
-        }
-
         // Resolve a pending introduction by joiner name or stringified container
         // id; aborts when nothing matches.
         fn resolve_pending (ref: str) -> global_id
@@ -286,245 +182,52 @@ application actor loads libraries
             abort "No pending introduction matches: " + ref when found == NIL.
             return found?.
         }
-    }
-
-    // ---- user transactions --------------------------------------------------
-
-    trn set_my_name _:($name -> name: str)
-    {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-        my_name -> name.
-        return transaction::success [
-            _return_data ($name -> name),
-            _save_state NIL
-        ].
-    }
-
-    trn set_my_bio _:($bio -> bio: str)
-    {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-        my_bio -> bio.
-        return transaction::success [
-            _return_data ($bio -> bio),
-            _save_state NIL
-        ].
-    }
-
-    trn generate_invite _:($name -> name: str+)
-    {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-
-        invite_id = _new_id "a2adapt invite".
-        // Remember the name I'm assigning to whoever redeems this invite. An
-        // empty string is the "no assigned name" sentinel: accept_contact then
-        // registers the joiner under its self-announced name instead.
-        assigned = (name == NIL ?? "" ; name?).
-        pending_invites invite_id -> assigned.
-
-        // Carry only my signed identity (public keys) + its self-signatures. The
-        // joiner rebuilds my address document from these (version is constant, my
-        // container_id is the identity's own field) and stores it so it can
-        // re-register me after a code upgrade (see peer_ads / import_state). The
-        // identity sub-record is passed through untouched so its _value_id — what
-        // the authorizations sign over — survives the round trip unchanged.
-        my_ad = address_document::get_my_address_document().
-        my_identity = my_ad $identity.
 
-        // A delegated role embeds its cert + the root's profile (Ring 3 of the
-        // identity hierarchy: external peers verify the whole chain from the
-        // invite alone). A root or legacy identity emits the original shape
-        // byte-for-byte, so those invites stay redeemable by old clients.
-        if delegation_cert != NIL && root_profile != NIL
-        {
-            role_invite is invite_role_t = (
-                $d  -> invite_id,
-                $n  -> my_name,
-                $c  -> my_identity $container_id,
-                $k  -> my_identity $key_list,
-                $a  -> my_ad $authorizations,
-                $b  -> my_bio,
-                $dc -> delegation_cert?,
-                $rp -> root_profile?
-            ).
-            return transaction::success [
-                _return_data (
-                    $invite     -> (_write role_invite),
-                    $invite_id  -> invite_id,
-                    $peer_name  -> assigned
-                ),
-                _save_state NIL
-            ].
-        }
-
-        invite is invite_t = (
-            $d -> invite_id,
-            $n -> my_name,
-            $c -> my_identity $container_id,
-            $k -> my_identity $key_list,
-            $a -> my_ad $authorizations
-        ).
-
-        return transaction::success [
-            _return_data (
-                $invite     -> (_write invite),
-                $invite_id  -> invite_id,
-                $peer_name  -> assigned
-            ),
-            _save_state NIL
-        ].
-    }
-
-    trn add_contact _:($invite -> invite_blob: bin, $name -> custom_name: str+)
-    {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-
-        // Parse field-by-field rather than via one `safe invite_t` cast: the
-        // shared fields are identical between invite_t and invite_role_t, so
-        // this one path redeems both the legacy shape and the role shape (the
-        // hierarchy fields are simply NIL on a legacy invite).
-        raw = _read_or_abort invite_blob.
-        inviter_id = (raw $c) safe global_id.
-        abort "This invite is your own — you cannot add yourself." when inviter_id == _get_container_id().
-        invite_id = (raw $d) safe global_id.
-        inviter_name = (raw $n) safe str.
-        inviter_keys = (raw $k) safe (key_utils::t_publickey(,)).
-        inviter_auths = (raw $a) safe (crypto_signature(,)).
-
-        // Rebuild default_keys from the carried public keys: each key reports its
-        // own function and id, so this reproduces the inviter's default-key map
-        // exactly. With it we reconstruct the full identity (and hence its
-        // _value_id, which the self-signatures sign over) byte-for-byte, then the
-        // full address document. import_state later replays this reconstructed
-        // document through process_address_document to re-register the inviter's
-        // keys after a code upgrade — so it must validate, and it does.
-        inviter_default_keys is (key_utils::t_function ->> key_utils::t_key_id) = (,).
-        sc inviter_keys -- (key -> )
-        {
-            inviter_default_keys (key_utils::key_get_function key) -> (_crypto_get_key_id key).
-        }
-        inviter_identity is key_storage::t_container_identity = (
-            $key_list     -> inviter_keys,
-            $default_keys -> inviter_default_keys,
-            $container_id -> inviter_id
-        ).
-        inviter_ad is address_document_types::t_address_document = (
-            $version        -> 1,
-            $identity       -> inviter_identity,
-            $authorizations -> inviter_auths
+        // Wire the agent's storage into the shared messaging core. The receive
+        // hook owns everything app-specific about an inbound message: known
+        // senders deposit into the inbox; an unknown sender may be a verified-
+        // but-unapproved local introduction messaging before approval — queue
+        // (bounded) inside its pending entry, approval flushes the queue into
+        // the inbox in order; anything else from an unknown sender is rejected.
+        // The notification deliberately carries NO message body — only that a
+        // message arrived, from whom, and its id. The body stays in the packet
+        // and only leaves through get_messages.
+        a2a_messaging::init (
+            $_read_or_abort -> _read_or_abort,
+            $on_message_received -> fn (arg: any) -> transaction::action::type[]
+            {
+                sender_id = (arg $sender_id) safe global_id.
+                text = (arg $text) safe str.
+                msg_date = (arg $date) safe time.
+
+                if (arg $sender_name) == NIL
+                {
+                    p = pending_introductions sender_id.
+                    abort "Message from an unknown sender was rejected." when p == NIL.
+                    entry = p?.
+                    queued = entry $messages.
+                    abort "Pending-introduction message queue is full; awaiting approval." when (_count queued|) >= pending_queue_cap.
+                    queued (_count queued|) -> ($text -> text, $date -> msg_date).
+                    pending_introductions sender_id -> ($name -> entry $name, $ad -> entry $ad, $messages -> queued).
+                    return [
+                        _notify_agent ($event -> $pending_message, $sender_name -> entry $name, $queued -> _count queued|),
+                        _save_state NIL
+                    ].
+                }
+
+                sender_name = (arg $sender_name) safe str.
+                mid = deposit_message sender_id sender_name text msg_date.
+                return [
+                    _notify_agent ($event -> $message_received, $sender_name -> sender_name, $msg_id -> mid, $date -> msg_date),
+                    _save_state NIL
+                ].
+            },
+            $on_message_sent -> fn (_: any) -> transaction::action::type[] { return []. },
+            $on_contact_removed -> fn (_: any) -> transaction::action::type[] { return []. }
         ).
-
-        // A role invite carries a delegation chain — verify it BEFORE anything
-        // is registered (an invalid chain rejects the whole invite), and record
-        // the root linkage. A legacy/root invite has no chain; nothing to check.
-        inviter_root is contact_root_t+ = NIL.
-        inviter_bio is str = "".
-        if (raw $dc) != NIL
-        {
-            cert = (raw $dc) safe delegation_cert_t.
-            rp = (raw $rp) safe root_profile_t.
-            inviter_root -> verify_peer_delegation inviter_id (_value_id inviter_ad) cert rp.
-            inviter_bio -> (raw $b) safe str.
-        }
-
-        // Register the inviter under my chosen name, or the name they embedded.
-        contact_name = (custom_name == NIL ?? inviter_name ; custom_name?).
-        contacts inviter_id -> ($name -> contact_name, $container_id -> inviter_id).
-        // Remember the inviter's address document so I can re-register them after
-        // an upgrade (their keys are seed-stable, so this stays valid).
-        peer_ads inviter_id -> inviter_ad.
-        if inviter_root != NIL
-        {
-            contact_roots inviter_id -> inviter_root?.
-        }
-
-        my_self_name = my_name.
-        my_ad = address_document::get_my_address_document().
-        // If I am a delegated role myself, carry my own chain in the reply so
-        // the inviter learns my root linkage symmetrically.
-        my_cert_blob is bin+ = NIL.
-        my_rp_blob is bin+ = NIL.
-        if delegation_cert != NIL && root_profile != NIL
-        {
-            my_cert_blob -> (_write delegation_cert?).
-            my_rp_blob -> (_write root_profile?).
-        }
-
-        root_name_out is str = "".
-        role_id_out is str = "".
-        if inviter_root != NIL
-        {
-            root_name_out -> inviter_root? $root_name.
-            role_id_out -> inviter_root? $role_id.
-        }
-
-        // Establish the encrypted channel with the inviter (handshake happens
-        // transparently if we haven't talked before), then tell them I redeemed
-        // their invite, what my own name is, and my address document, so they can
-        // finish the handshake and remember me for future upgrades.
-        return encrypted_channel::execute_transaction inviter_id (fn (_) -> transaction::results::type {
-            return transaction::success [
-                encrypted_channel::send_encrypted_tx inviter_id (
-                    $name -> "::actor::accept_contact",
-                    $targ -> (
-                        $invite_id -> invite_id,
-                        $joiner_name -> my_self_name,
-                        $joiner_ad -> my_ad,
-                        $joiner_cert -> my_cert_blob,
-                        $joiner_root_profile -> my_rp_blob
-                    )
-                ),
-                _return_data (
-                    $added -> contact_name,
-                    $container_id -> inviter_id,
-                    $root_name -> root_name_out,
-                    $role_id -> role_id_out,
-                    $bio -> inviter_bio
-                ),
-                _save_state NIL
-            ].
-        }).
-    }
-
-    trn send_message _:($contact -> contact_ref: str, $text -> text: str)
-    {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-
-        target_id = resolve_contact contact_ref.
-
-        return encrypted_channel::execute_transaction target_id (fn (_) -> transaction::results::type {
-            return transaction::success [
-                encrypted_channel::send_encrypted_tx target_id (
-                    $name -> "::actor::receive_message",
-                    $targ -> ($text -> text)
-                ),
-                _return_data ($sent_to -> target_id, $text -> text),
-                _save_state NIL
-            ].
-        }).
-    }
-
-    trn remove_contact _:($contact -> contact_ref: str)
-    {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-
-        target_id = resolve_contact contact_ref.
-        removed = contacts target_id.
-        removed_name = removed? $name.
-
-        delete contacts target_id.
-        if peer_ads target_id != NIL { delete peer_ads target_id. }
-        if contact_roots target_id != NIL { delete contact_roots target_id. }
-
-        return transaction::success [
-            _return_data ($removed -> removed_name, $container_id -> target_id),
-            _save_state NIL
-        ].
     }
 
-    trn readonly list_contacts _
-    {
-        return contacts.
-    }
+    // ---- message store --------------------------------------------------------
 
     trn readonly list_incoming_messages _
     {
@@ -720,7 +423,7 @@ application actor loads libraries
 
         joiner_ad = (_read_or_abort joiner_ad_blob) safe address_document_types::t_address_document.
         target_ad = (_read_or_abort target_ad_blob) safe address_document_types::t_address_document.
-        intro is intro_t = (
+        intro is a2a_protocol::intro_t = (
             $version        -> 1,
             $joiner_cid     -> joiner_ad $identity $container_id,
             $joiner_ad_hash -> _value_id joiner_ad,
@@ -728,7 +431,7 @@ application actor loads libraries
             $iat            -> (current_transaction_info::get_transaction_time())?,
             $nonce          -> _new_id "a2adapt local introduction"
         ).
-        signed is signed_intro_t = ($i -> intro, $s -> key_storage::default_sign (_value_id intro)).
+        signed is a2a_protocol::signed_intro_t = ($i -> intro, $s -> key_storage::default_sign (_value_id intro)).
         return transaction::success [
             _return_data ($intro -> (_write signed))
         ].
@@ -742,7 +445,7 @@ application actor loads libraries
         current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
 
         ad = (_read_or_abort ad_blob) safe address_document_types::t_address_document.
-        entry is book_entry_t = ($version -> 1, $name -> name, $ad_hash -> _value_id ad).
+        entry is a2a_protocol::book_entry_t = ($version -> 1, $name -> name, $ad_hash -> _value_id ad).
         return transaction::success [
             _return_data ($sig -> (_write (key_storage::default_sign (_value_id entry))))
         ].
@@ -763,14 +466,14 @@ application actor loads libraries
         target_id = target_ad $identity $container_id.
         abort "This contact-book entry is your own identity." when target_id == _get_container_id().
 
-        entry is book_entry_t = ($version -> 1, $name -> name, $ad_hash -> _value_id target_ad).
+        entry is a2a_protocol::book_entry_t = ($version -> 1, $name -> name, $ad_hash -> _value_id target_ad).
         entry_sig = (_read_or_abort entry_sig_blob) safe crypto_signature.
         abort "Contact-book entry failed registrar verification." when key_storage::check_signature_new_container (_value_id entry) entry_sig (registrar_ad? $identity $key_list) != TRUE.
 
-        contacts target_id -> ($name -> name, $container_id -> target_id).
-        peer_ads target_id -> target_ad.
+        a2a_messaging::contacts target_id -> ($name -> name, $container_id -> target_id).
+        a2a_messaging::peer_ads target_id -> target_ad.
 
-        my_self_name = my_name.
+        my_self_name = a2a_messaging::my_name.
         my_ad = address_document::get_my_address_document().
         return encrypted_channel::execute_transaction target_id (fn (_) -> transaction::results::type {
             return transaction::success [
@@ -790,8 +493,8 @@ application actor loads libraries
 
         pid = resolve_pending ref.
         entry = (pending_introductions pid)?.
-        contacts pid -> ($name -> entry $name, $container_id -> pid).
-        peer_ads pid -> entry $ad.
+        a2a_messaging::contacts pid -> ($name -> entry $name, $container_id -> pid).
+        a2a_messaging::peer_ads pid -> entry $ad.
 
         queued = entry $messages.
         flushed is int = 0.
@@ -850,13 +553,13 @@ application actor loads libraries
     trn sign_delegation _:($role_ad -> role_ad_blob: bin, $role_id -> role_id: str)
     {
         current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-        abort "Only a root identity can sign delegation certificates." when delegation_cert != NIL.
+        abort "Only a root identity can sign delegation certificates." when a2a_messaging::delegation_cert != NIL.
 
         role_ad = (_read_or_abort role_ad_blob) safe address_document_types::t_address_document.
         role_cid = role_ad $identity $container_id.
         abort "Cannot issue a delegation certificate to myself." when role_cid == _get_container_id().
 
-        core is delegation_core_t = (
+        core is a2a_protocol::delegation_core_t = (
             $version      -> 1,
             $role_cid     -> role_cid,
             $role_ad_hash -> _value_id role_ad,
@@ -864,7 +567,7 @@ application actor loads libraries
             $root_cid     -> _get_container_id(),
             $issued_at    -> (current_transaction_info::get_transaction_time())?
         ).
-        cert is delegation_cert_t = ($c -> core, $s -> key_storage::default_sign (_value_id core)).
+        cert is a2a_protocol::delegation_cert_t = ($c -> core, $s -> key_storage::default_sign (_value_id core)).
         return transaction::success [
             _return_data ($cert -> (_write cert))
         ].
@@ -876,17 +579,17 @@ application actor loads libraries
     trn export_root_profile _
     {
         current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-        abort "Only a root identity can export a root profile." when delegation_cert != NIL.
+        abort "Only a root identity can export a root profile." when a2a_messaging::delegation_cert != NIL.
 
         my_ad = address_document::get_my_address_document().
-        core is root_profile_core_t = (
+        core is a2a_protocol::root_profile_core_t = (
             $version  -> 1,
             $root_cid -> _get_container_id(),
-            $name     -> my_name,
-            $bio      -> my_bio,
+            $name     -> a2a_messaging::my_name,
+            $bio      -> a2a_messaging::my_bio,
             $keys     -> my_ad $identity $key_list
         ).
-        profile is root_profile_t = ($p -> core, $s -> key_storage::default_sign (_value_id core)).
+        profile is a2a_protocol::root_profile_t = ($p -> core, $s -> key_storage::default_sign (_value_id core)).
         return transaction::success [
             _return_data ($profile -> (_write profile))
         ].
@@ -901,9 +604,9 @@ application actor loads libraries
     {
         current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
 
-        cert = (_read_or_abort cert_blob) safe delegation_cert_t.
+        cert = (_read_or_abort cert_blob) safe a2a_protocol::delegation_cert_t.
         new_root_ad = (_read_or_abort root_ad_blob) safe address_document_types::t_address_document.
-        rp = (_read_or_abort rp_blob) safe root_profile_t.
+        rp = (_read_or_abort rp_blob) safe a2a_protocol::root_profile_t.
 
         abort "Unsupported delegation certificate version." when (cert $c $version) != 1.
         abort "This delegation certificate was issued to a different identity." when (cert $c $role_cid) != _get_container_id().
@@ -916,9 +619,9 @@ application actor loads libraries
         abort "The root profile's key list does not match the root's address document." when (_value_id (rp $p $keys)) != (_value_id (new_root_ad $identity $key_list)).
         abort "The root profile signature is invalid." when key_storage::check_signature_new_container (_value_id (rp $p)) (rp $s) (new_root_ad $identity $key_list) != TRUE.
 
-        delegation_cert -> cert.
-        root_ad -> new_root_ad.
-        root_profile -> rp.
+        a2a_messaging::delegation_cert -> cert.
+        a2a_messaging::root_ad -> new_root_ad.
+        a2a_messaging::root_profile -> rp.
 
         return transaction::success [
             _return_data ($delegated -> TRUE, $root_cid -> (_str (cert $c $root_cid)), $role_id -> cert $c $role_id),
@@ -928,16 +631,16 @@ application actor loads libraries
 
     trn readonly describe_identity _
     {
-        if delegation_cert == NIL
+        if a2a_messaging::delegation_cert == NIL
         {
-            return ($name -> my_name, $bio -> my_bio, $has_cert -> FALSE, $role_id -> "", $root_cid -> "", $root_name -> "").
+            return ($name -> a2a_messaging::my_name, $bio -> a2a_messaging::my_bio, $has_cert -> FALSE, $role_id -> "", $root_cid -> "", $root_name -> "").
         }
-        cert = delegation_cert?.
+        cert = a2a_messaging::delegation_cert?.
         rname is str = "".
-        if root_profile != NIL { rname -> root_profile? $p $name. }
+        if a2a_messaging::root_profile != NIL { rname -> a2a_messaging::root_profile? $p $name. }
         return (
-            $name      -> my_name,
-            $bio       -> my_bio,
+            $name      -> a2a_messaging::my_name,
+            $bio       -> a2a_messaging::my_bio,
             $has_cert  -> TRUE,
             $role_id   -> cert $c $role_id,
             $root_cid  -> (_str (cert $c $root_cid)),
@@ -945,11 +648,6 @@ application actor loads libraries
         ).
     }
 
-    trn readonly list_contact_roots _
-    {
-        return contact_roots.
-    }
-
     // Connect to an intra-root sibling (Ring 1): register it as a contact and
     // introduce myself over the encrypted channel, presenting my delegation
     // cert (NIL when I am the root itself — the channel proves I control the
@@ -965,22 +663,22 @@ application actor loads libraries
         abort "This sibling is your own identity." when target_id == _get_container_id().
 
         cert_blob is bin+ = NIL.
-        if delegation_cert != NIL { cert_blob -> (_write delegation_cert?). }
+        if a2a_messaging::delegation_cert != NIL { cert_blob -> (_write a2a_messaging::delegation_cert?). }
 
-        contacts target_id -> ($name -> name, $container_id -> target_id).
-        peer_ads target_id -> target_ad.
+        a2a_messaging::contacts target_id -> ($name -> name, $container_id -> target_id).
+        a2a_messaging::peer_ads target_id -> target_ad.
         // Record the target's root linkage: a sibling shares my root by
         // definition (the receiving side verifies the converse independently).
-        if delegation_cert != NIL && root_profile != NIL
+        if a2a_messaging::delegation_cert != NIL && a2a_messaging::root_profile != NIL
         {
-            contact_roots target_id -> ($root_cid -> delegation_cert? $c $root_cid, $root_name -> root_profile? $p $name, $role_id -> name).
+            a2a_messaging::contact_roots target_id -> ($root_cid -> a2a_messaging::delegation_cert? $c $root_cid, $root_name -> a2a_messaging::root_profile? $p $name, $role_id -> name).
         }
         else
         {
-            contact_roots target_id -> ($root_cid -> _get_container_id(), $root_name -> my_name, $role_id -> name).
+            a2a_messaging::contact_roots target_id -> ($root_cid -> _get_container_id(), $root_name -> a2a_messaging::my_name, $role_id -> name).
         }
 
-        my_self_name = my_name.
+        my_self_name = a2a_messaging::my_name.
         my_ad = address_document::get_my_address_document().
         return encrypted_channel::execute_transaction target_id (fn (_) -> transaction::results::type {
             return transaction::success [
@@ -1002,27 +700,32 @@ application actor loads libraries
     //
     // The packet-level snapshot is NOT used for upgrades: it is bound to the unit
     // code hash, so a new .muflo cannot load an old snapshot. This data blob is.
+    //
+    // The blob stays FLAT with the historical field names — the core fields come
+    // from a2a_messaging::export_core_state / import_core_state, the app fields
+    // are composed in here — so a PRE-migration export imports unchanged.
 
     trn readonly export_state _
     {
+        core_state = a2a_messaging::export_core_state NIL.
         return (
-            $my_name           -> my_name,
-            $contacts          -> contacts,
-            $pending_invites   -> pending_invites,
+            $my_name           -> core_state $my_name,
+            $contacts          -> core_state $contacts,
+            $pending_invites   -> core_state $pending_invites,
             $inbox             -> inbox,
             $next_msg_seq      -> next_msg_seq,
-            $peer_ads          -> peer_ads,
+            $peer_ads          -> core_state $peer_ads,
             $registrar_ad      -> registrar_ad,
             $local_auto_accept -> local_auto_accept,
             // Nonces are exported so a restart does not reopen the replay window
             // for still-fresh credentials; stale ones are purged lazily anyway.
             $seen_nonces       -> seen_nonces,
             $pending_introductions -> pending_introductions,
-            $my_bio            -> my_bio,
-            $delegation_cert   -> delegation_cert,
-            $root_ad           -> root_ad,
-            $root_profile      -> root_profile,
-            $contact_roots     -> contact_roots
+            $my_bio            -> core_state $my_bio,
+            $delegation_cert   -> core_state $delegation_cert,
+            $root_ad           -> core_state $root_ad,
+            $root_profile      -> core_state $root_profile,
+            $contact_roots     -> core_state $contact_roots
         ).
     }
 
@@ -1030,12 +733,11 @@ application actor loads libraries
     {
         current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
 
-        // The fields that did not change across the schema bump are validated the
-        // same way for any version of the blob.
-        my_name         -> (data $my_name) safe str.
-        contacts        -> (data $contacts) safe (global_id ->> contact_t).
-        pending_invites -> (data $pending_invites) safe (global_id ->> str).
-        peer_ads        -> (data $peer_ads) safe (global_id ->> address_document_types::t_address_document).
+        // Core fields (contacts/profile/hierarchy) — validated and restored by
+        // the shared library, which also replays every peer's address document
+        // through process_address_document so encrypted channels keep working
+        // after the upgrade with no re-handshake.
+        a2a_messaging::import_core_state data.
 
         // The inbox + next_msg_seq are the only parts the message-lifecycle changes
         // touched. A pre-lifecycle blob has no $next_msg_seq and inbox entries with
@@ -1106,36 +808,6 @@ application actor loads libraries
             pending_introductions -> (data $pending_introductions) safe (global_id ->> pending_intro_t).
         }
 
-        // Identity-hierarchy state arrived after the local-contact-book schema —
-        // same pattern: every field is optional, defaults stay when absent.
-        if (data $my_bio) != NIL
-        {
-            my_bio -> (data $my_bio) safe str.
-        }
-        if (data $delegation_cert) != NIL
-        {
-            delegation_cert -> (data $delegation_cert) safe delegation_cert_t.
-        }
-        if (data $root_ad) != NIL
-        {
-            root_ad -> (data $root_ad) safe address_document_types::t_address_document.
-        }
-        if (data $root_profile) != NIL
-        {
-            root_profile -> (data $root_profile) safe root_profile_t.
-        }
-        if (data $contact_roots) != NIL
-        {
-            contact_roots -> (data $contact_roots) safe (global_id ->> contact_root_t).
-        }
-
-        // Re-register every peer's keys so encrypted channels keep working after
-        // the upgrade — no handshake needed (my own keys are unchanged, and the
-        // peers' self-signed address documents re-authorize on this fresh packet).
-        sc peer_ads -- ( -> ad)
-        {
-            address_document::process_address_document ad TRUE.
-        }
         // Pending introducers' keys too: their channel to me predates approval,
         // so it must survive an upgrade exactly like an approved contact's.
         sc pending_introductions -- ( -> p)
@@ -1144,103 +816,24 @@ application actor loads libraries
         }
 
         return transaction::success [
-            _return_data ($imported -> TRUE, $contacts -> _count contacts|, $peers -> _count peer_ads|),
+            _return_data ($imported -> TRUE, $contacts -> _count a2a_messaging::contacts|, $peers -> _count a2a_messaging::peer_ads|),
             _save_state NIL
         ].
     }
 
     // ---- external (inbound) transactions ------------------------------------
 
-    // Args are taken as `any` (not a destructured shape) so old clients — whose
-    // accept_contact payload has no hierarchy fields — keep working unchanged.
+    // Compat shims (Option A): pre-migration peers address these as ::actor::*,
+    // and the core keeps SENDING to the ::actor:: names too. Each delegates to
+    // the shared handler — remove only when no old clients remain.
     trn accept_contact args: any
     {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::external,).
-        encrypted_channel::check_encrypted_or_abort().
-
-        sender_id = current_transaction_info::get_external_envelope_or_abort() $from.
-        invite_id = (args $invite_id) safe global_id.
-        joiner_ad = (args $joiner_ad) safe address_document_types::t_address_document.
-
-        // Only an invite I generated (and have not yet consumed) authorizes a
-        // contact registration. Without this gate any invite blob would be a
-        // multi-use bearer credential: anyone who ever saw one could register
-        // themselves as my contact with a self-chosen name.
-        assigned_name = pending_invites invite_id.
-        abort "Unknown or already-redeemed invite." when assigned_name == NIL.
-        // An empty assigned name means the invite was generated without one:
-        // the joiner's self-announced name wins (container id as a last resort
-        // when the joiner never set a name either).
-        contact_name is str = assigned_name?.
-        if contact_name == ""
-        {
-            joiner_self = (args $joiner_name) safe str.
-            contact_name -> (joiner_self == "" ?? (_str sender_id) ; joiner_self).
-        }
-
-        // A delegated-role joiner carries its chain so I learn its root linkage
-        // symmetrically; an invalid chain rejects the redemption outright.
-        joiner_root is contact_root_t+ = NIL.
-        if (args $joiner_cert) != NIL
-        {
-            cert = (_read_or_abort ((args $joiner_cert) safe bin)) safe delegation_cert_t.
-            rp = (_read_or_abort ((args $joiner_root_profile) safe bin)) safe root_profile_t.
-            joiner_root -> verify_peer_delegation sender_id (_value_id joiner_ad) cert rp.
-        }
-
-        contacts sender_id -> ($name -> contact_name, $container_id -> sender_id).
-        // Remember the joiner's address document for upgrade-time re-registration.
-        peer_ads sender_id -> joiner_ad.
-        if joiner_root != NIL
-        {
-            contact_roots sender_id -> joiner_root?.
-        }
-        delete pending_invites invite_id.
-
-        return transaction::success [
-            _notify_agent ($event -> $contact_accepted, $name -> contact_name, $container_id -> sender_id),
-            _save_state NIL
-        ].
+        return a2a_messaging::handle_accept_contact args.
     }
 
     trn receive_message _:($text -> text: str)
     {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::external,).
-        encrypted_channel::check_encrypted_or_abort().
-
-        sender_id = current_transaction_info::get_external_envelope_or_abort() $from.
-        msg_date = (current_transaction_info::get_transaction_time())?.
-        sender = contacts sender_id.
-
-        if sender == NIL
-        {
-            // A verified-but-unapproved local introduction may message me before
-            // approval: queue (bounded) inside its pending entry. Approval
-            // flushes the queue into the inbox in order; anything else from an
-            // unknown sender is rejected as before.
-            p = pending_introductions sender_id.
-            abort "Message from an unknown sender was rejected." when p == NIL.
-            entry = p?.
-            queued = entry $messages.
-            abort "Pending-introduction message queue is full; awaiting approval." when (_count queued|) >= pending_queue_cap.
-            queued (_count queued|) -> ($text -> text, $date -> msg_date).
-            pending_introductions sender_id -> ($name -> entry $name, $ad -> entry $ad, $messages -> queued).
-            return transaction::success [
-                _notify_agent ($event -> $pending_message, $sender_name -> entry $name, $queued -> _count queued|),
-                _save_state NIL
-            ].
-        }
-
-        sender_name = sender? $name.
-        mid = deposit_message sender_id sender_name text msg_date.
-
-        // The notification deliberately carries NO message body — only that a
-        // message arrived, from whom, and its id. The body stays in the packet
-        // and only leaves through get_messages.
-        return transaction::success [
-            _notify_agent ($event -> $message_received, $sender_name -> sender_name, $msg_id -> mid, $date -> msg_date),
-            _save_state NIL
-        ].
+        return a2a_messaging::handle_receive_message text.
     }
 
     // A same-host peer connects via the local contact book. The credential must
@@ -1263,7 +856,7 @@ application actor loads libraries
         sender_id = current_transaction_info::get_external_envelope_or_abort() $from.
         abort "This identity does not accept local-contact-book introductions." when registrar_ad == NIL.
 
-        signed = (_read_or_abort intro_blob) safe signed_intro_t.
+        signed = (_read_or_abort intro_blob) safe a2a_protocol::signed_intro_t.
         intro = signed $i.
         abort "Unsupported introduction credential version." when (intro $version) != 1.
         abort "Introduction credential was not signed by this host's registrar." when key_storage::check_signature_new_container (_value_id intro) (signed $s) (registrar_ad? $identity $key_list) != TRUE.
@@ -1289,12 +882,12 @@ application actor loads libraries
         abort "Too many concurrent introductions; try again shortly." when (_count seen_nonces|) >= seen_nonce_cap.
         seen_nonces (intro $nonce) -> now.
 
-        existing = contacts sender_id.
+        existing = a2a_messaging::contacts sender_id.
         if existing != NIL
         {
             // Already a contact (idempotent re-introduction): keep my assigned
             // name, refresh the stored address document, deliver any payload.
-            peer_ads sender_id -> joiner_ad.
+            a2a_messaging::peer_ads sender_id -> joiner_ad.
             if text != NIL
             {
                 mid = deposit_message sender_id (existing? $name) text? now.
@@ -1308,8 +901,8 @@ application actor loads libraries
 
         if local_auto_accept
         {
-            contacts sender_id -> ($name -> joiner_name, $container_id -> sender_id).
-            peer_ads sender_id -> joiner_ad.
+            a2a_messaging::contacts sender_id -> ($name -> joiner_name, $container_id -> sender_id).
+            a2a_messaging::peer_ads sender_id -> joiner_ad.
             if text != NIL
             {
                 mid = deposit_message sender_id joiner_name text? now.
@@ -1356,30 +949,30 @@ application actor loads libraries
         sender_id = current_transaction_info::get_external_envelope_or_abort() $from.
         now = (current_transaction_info::get_transaction_time())?.
 
-        link is contact_root_t+ = NIL.
+        link is a2a_protocol::contact_root_t+ = NIL.
         if cert_blob == NIL
         {
             // Sender claims to be my root.
-            abort "A certificate-less sibling introduction is only accepted from my root." when delegation_cert == NIL.
-            abort "Sender is not my root." when sender_id != (delegation_cert? $c $root_cid).
+            abort "A certificate-less sibling introduction is only accepted from my root." when a2a_messaging::delegation_cert == NIL.
+            abort "Sender is not my root." when sender_id != (a2a_messaging::delegation_cert? $c $root_cid).
             link -> ($root_cid -> sender_id, $root_name -> joiner_name, $role_id -> "").
         }
         else
         {
-            cert = (_read_or_abort cert_blob?) safe delegation_cert_t.
+            cert = (_read_or_abort cert_blob?) safe a2a_protocol::delegation_cert_t.
             abort "Unsupported delegation certificate version." when (cert $c $version) != 1.
             abort "Sibling certificate was issued for a different sender." when (cert $c $role_cid) != sender_id.
             abort "Sibling certificate does not match the sender's address document." when (cert $c $role_ad_hash) != (_value_id joiner_ad).
 
             root_name_known is str = "".
-            if delegation_cert != NIL
+            if a2a_messaging::delegation_cert != NIL
             {
                 // I am a role: the cert must name MY root and verify against the
                 // root key material pinned at delegation time.
-                abort "My root material is missing — cannot verify sibling certificates." when root_ad == NIL.
-                abort "Sibling certificate names a different root." when (cert $c $root_cid) != (delegation_cert? $c $root_cid).
-                abort "Sibling certificate was not signed by my root." when key_storage::check_signature_new_container (_value_id (cert $c)) (cert $s) (root_ad? $identity $key_list) != TRUE.
-                if root_profile != NIL { root_name_known -> root_profile? $p $name. }
+                abort "My root material is missing — cannot verify sibling certificates." when a2a_messaging::root_ad == NIL.
+                abort "Sibling certificate names a different root." when (cert $c $root_cid) != (a2a_messaging::delegation_cert? $c $root_cid).
+                abort "Sibling certificate was not signed by my root." when key_storage::check_signature_new_container (_value_id (cert $c)) (cert $s) (a2a_messaging::root_ad? $identity $key_list) != TRUE.
+                if a2a_messaging::root_profile != NIL { root_name_known -> a2a_messaging::root_profile? $p $name. }
             }
             else
             {
@@ -1388,18 +981,18 @@ application actor loads libraries
                 abort "Sibling certificate names a different root." when (cert $c $root_cid) != _get_container_id().
                 my_ad = address_document::get_my_address_document().
                 abort "Sibling certificate was not signed by me." when key_storage::check_signature_new_container (_value_id (cert $c)) (cert $s) (my_ad $identity $key_list) != TRUE.
-                root_name_known -> my_name.
+                root_name_known -> a2a_messaging::my_name.
             }
             link -> ($root_cid -> cert $c $root_cid, $root_name -> root_name_known, $role_id -> cert $c $role_id).
         }
 
-        existing = contacts sender_id.
+        existing = a2a_messaging::contacts sender_id.
         if existing != NIL
         {
             // Already a contact (idempotent re-introduction): keep my assigned
             // name, refresh the stored material, deliver any payload.
-            peer_ads sender_id -> joiner_ad.
-            contact_roots sender_id -> link?.
+            a2a_messaging::peer_ads sender_id -> joiner_ad.
+            a2a_messaging::contact_roots sender_id -> link?.
             if text != NIL
             {
                 mid = deposit_message sender_id (existing? $name) text? now.
@@ -1411,9 +1004,9 @@ application actor loads libraries
             return transaction::success [ _save_state NIL ].
         }
 
-        contacts sender_id -> ($name -> joiner_name, $container_id -> sender_id).
-        peer_ads sender_id -> joiner_ad.
-        contact_roots sender_id -> link?.
+        a2a_messaging::contacts sender_id -> ($name -> joiner_name, $container_id -> sender_id).
+        a2a_messaging::peer_ads sender_id -> joiner_ad.
+        a2a_messaging::contact_roots sender_id -> link?.
         if text != NIL
         {
             mid = deposit_message sender_id joiner_name text? now.

package/dist/mufl_code/config.mufl

@@ -1,20 +1,25 @@
 // a2adapt messenger packet — compile configuration.
 //
-// Pulls in the full ADAPT standard library so `actor.mu` can `loads libraries`
-// the crypto / identity / transport modules by name. No app-private libraries
-// (everything we need lives in the stdlib, including `encrypted_channel`, which
-// does the peer key-exchange for us).
+// Pulls in the full ADAPT standard library plus the shared a2adapt mufl core
+// (the a2adapt-mufl-core repo, checked out as the core/ subfolder) so
+// `actor.mu` can `loads libraries` the crypto / identity / transport modules
+// and the shared protocol libraries (`a2a_protocol`, `version`) by name.
 //
-// Compile:
-//   MUFL_STDLIB_PATH=<adapt-toolkit>/mufl_stdlib \
-//     mufl-compile -mp <adapt-toolkit>/meta -mp <adapt-toolkit>/transactions -d-c actor.mu
-// -> emits <content-hash>.muflo in the cwd.
+// Compile: scripts/compile-mufl.sh (copies actor.mu, this file, and core/
+// into a temp dir and runs mufl-compile there).
 
 config script
 {
+    stdlib_config = (config_load #$MUFL_STDLIB_PATH).
+    core_config = (config_load #"core").
+
     (
-        $imports -> ((config_load #$MUFL_STDLIB_PATH) $exports),
-        $exports -> (
+        $imports ->
+        (
+            $libraries -> (stdlib_config $exports $libraries)'(core_config $exports $libraries),
+        ),
+        $exports ->
+        (
             $libraries -> (,),
             $applications -> (,)
         )

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adapt-toolkit/a2adapt",
-  "version": "0.11.2",
+  "version": "0.11.4",
   "description": "MCP server daemon for a2adapt — one native ADAPT wrapper hosting N self-sovereign identities, exposing secure agent-to-agent messaging tools over HTTP (Streamable HTTP). Run `a2adapt-mcp start`.",
   "type": "module",
   "license": "MIT",