npm - @adapt-toolkit/a2adapt - Versions diffs - 0.11.3 → 0.11.5 - Mend

@adapt-toolkit/a2adapt 0.11.3 → 0.11.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.claude-plugin/plugin.json +1 -1
package/dist/index.js +400 -38
package/dist/mufl_code/D317A840D97E3B17E4EC644D50BDBB19DE3B78F9941C25853E1F86164A234593.muflo +0 -0
package/dist/mufl_code/actor.mu +517 -451
package/package.json +1 -1
package/dist/mufl_code/7127B9740290EA8B2F30AFAE251198357D780A81DBF5EF30FE7DD9B66A510C21.muflo +0 -0

package/dist/mufl_code/actor.mu CHANGED Viewed

@@ -5,20 +5,39 @@
 // encrypted; the key exchange is handled for us by the stdlib `encrypted_channel`
 // library — we only ever address peers by their container id.
 //
-// The wire-facing shapes and shared verification logic live in the shared
-// a2adapt-mufl-core repo (checked out as the core/ subfolder of this
-// directory): libraries `a2a_protocol` and `version`. They are shared with
+// The shared transaction logic lives in the a2adapt-mufl-core repo (checked
+// out as the core/ subfolder of this directory): `a2a_protocol` (wire shapes +
+// verification), `a2a_messaging` (contact + message wire path, addressed
+// ::a2a_messaging::<name> by the host), and `version`. They are shared with
 // the web messenger — change them there, bump core_version, and recompile
 // every consumer.
 //
+// This packet keeps only what is agent-specific:
+//   - the inbox message store with its lifecycle (unread -> processed ->
+//     ready_to_delete -> deleted; see get_messages / gc / defer_messages)
+//   - the local contact book + identity hierarchy transactions (host-fired)
+//   - export_state / import_state wrappers composing the core helpers with
+//     the app-side fields (including the legacy-blob migrations)
+//   - ::actor:: compat shims for the network-visible inbound transactions
+//     (accept_contact, receive_message) — pre-migration peers send to these
+//     names, and the core keeps SENDING to them too (Option A: zero network
+//     break; drop both only when no old clients remain)
+//
+// Storage is wired into the core via a2a_messaging::init hooks (see the
+// hidden block): on_message_received deposits into the inbox (or the
+// pending-introduction queue for unknown senders); send/remove hooks are
+// agent no-ops.
+//
 // User transactions (each backs one MCP tool, except gc which the host fires):
-//   set_my_name             — set the display name peers see for me
-//   set_my_bio              — set my profile bio (free-text, self-asserted)
-//   generate_invite         — make a slim personal invite blob for a named peer
-//   add_contact             — join via an invite blob, reply to the inviter
-//   send_message            — send an e2e-encrypted message to a contact
-//   remove_contact          — forget a contact (drops it from my contacts)
-//   list_contacts           — (readonly) my contacts
+//   ::a2a_messaging::set_my_name        — set the display name peers see for me
+//   ::a2a_messaging::set_my_bio         — set my profile bio (free-text, self-asserted)
+//   ::a2a_messaging::generate_invite    — make an invite blob for a named peer
+//   ::a2a_messaging::add_contact        — join via an invite blob, reply to the inviter
+//   ::a2a_messaging::send_message       — send an e2e-encrypted message to a contact
+//   ::a2a_messaging::remove_contact     — forget a contact
+//   ::a2a_messaging::list_contacts      — (readonly) my contacts
+//   ::a2a_messaging::list_contact_roots — (readonly) verified root linkage per contact
+//   ::a2a_messaging::get_version        — (readonly) shared-core version
 //   list_incoming_messages  — (readonly) my inbox, with per-message id + status
 //   get_messages            — return unread messages + mark them processed (sole body egress)
 //   defer_messages          — flip processed/ready_to_delete messages back to unread
@@ -29,7 +48,6 @@
 //   export_root_profile     — root-only in practice: my self-signed root profile blob
 //   set_delegation          — role: store my verified delegation cert + root material
 //   describe_identity       — (readonly) name/bio/hierarchy position
-//   list_contact_roots      — (readonly) verified root linkage per contact
 //   connect_sibling         — register an intra-root peer + send sibling_introduce
 //
 // Local contact book (host-fired transactions; see the design notes above
@@ -44,18 +62,25 @@
 //   reject_introduction     — drop a pending local introduction
 //   list_pending_introductions — (readonly) pending introductions (names + queue sizes)
 //
+// Monitoring + control plane (host-fired unless noted; see
+// MONITORING-AND-SHARED-LIBRARY-DESIGN.md):
+//   get_monitoring_status   — (readonly) enabled flag / proxy binding / queue sizes
+//   sign_monitoring_auth    — root-only: sign an enable/disable auth for a role
+//   set_monitoring          — role: verify the root-signed auth, set the flag
+//   get_monitoring_copies   — root: drain queued copies for proxy forwarding
+//   get_control_requests    — root: drain queued proxy control requests
+//   set_proxy_pending       — root: store the host-generated 6-digit code
+//   verify_proxy_code       — root: check a bind attempt (atomic attempts/expiry)
+//   clear_monitoring_proxy  — root: drop the proxy binding
+//   ::a2a_control::send_control — send an opaque control payload to a contact
+//
 // External transactions (inbound, not exposed as tools):
-//   accept_contact          — inviter learns the joiner's identity + name
-//   receive_message         — store a decrypted inbound message
+//   accept_contact          — inviter learns the joiner's identity + name (core shim)
+//   receive_message         — store a decrypted inbound message (core shim)
+//   receive_monitoring_copy — a monitored role of mine reports a message copy
+//   ::a2a_control::control_message — control payload from a contact (queued for the daemon)
 //   local_introduce         — same-host peer connects via the local contact book
 //   sibling_introduce       — intra-root peer connects, authorized by its delegation cert
-//
-// Naming model (personal invites): generate_invite('Bob') tags a pending invite
-// with the peer-name "Bob"; whoever redeems it is registered under "Bob" (the
-// inviter's assigned name wins). Generating WITHOUT a name tags the invite with
-// "" — then the joiner's self-announced name wins (falling back to its container
-// id if the joiner never set one). The joiner, in turn, sees the inviter under
-// the inviter's own self-name (set via set_my_name), unless the joiner overrides it.
 application actor loads libraries
     identity_proof_document,
@@ -70,6 +95,8 @@ application actor loads libraries
     encrypted_channel,
     current_transaction_info,
     a2a_protocol,
+    a2a_messaging,
+    a2a_control,
     version
     uses transactions
 {
@@ -101,33 +128,54 @@ application actor loads libraries
         seen_nonce_cap is int = 1024.
         pending_queue_cap is int = 50.
+        // ---- monitoring shapes + limits (see MONITORING-AND-SHARED-LIBRARY-DESIGN.md) ----
+        // Root-signed authorization for flipping a role's monitoring flag. Like
+        // a delegation cert, verified against the role's pinned root keys, so
+        // only this hierarchy's root can change what its roles report.
+        metadef monitoring_auth_core_t: ($version -> int, $role_cid -> global_id, $enabled -> bool, $issued_at -> time).
+        metadef monitoring_auth_t: ($c -> monitoring_auth_core_t, $s -> crypto_signature).
+        // One monitored message, as the role reports it to its root.
+        metadef monitoring_copy_t: (
+            $version     -> int,
+            $source_cid  -> global_id,
+            $source_name -> str,
+            $direction   -> str,
+            $peer_cid    -> global_id,
+            $peer_name   -> str,
+            $date        -> time,
+            $body        -> str
+        ).
+        // Proxy binding (root only): a pending 6-digit-code verification and
+        // the verified binding that replaces it on success.
+        metadef proxy_pending_t: ($code -> str, $proxy_cid -> global_id, $created_at -> time, $attempts -> int).
+        metadef proxy_binding_t: ($proxy_cid -> global_id, $bound_at -> time).
+        // One queued control request from the bound browser proxy.
+        metadef control_req_t: ($sender_cid -> global_id, $sender_name -> str, $payload -> str, $date -> time).
+        proxy_code_max_age_seconds is int = 300.
+        proxy_max_attempts is int = 3.
+        monitoring_inbox_cap is int = 500.
+        control_inbox_cap is int = 200.
         // Wire the deserialization primitive into the libraries that need it.
         _read_or_abort = grab( _read_or_abort ).
         key_storage::init ($_read_or_abort -> _read_or_abort).
         encrypted_channel::init ($_read_or_abort -> _read_or_abort).
         // ---- packet state ---------------------------------------------------
-        // The display name peers see for me (set via set_my_name).
-        my_name is str = "".
-        // Known contacts, keyed by their container id.
-        contacts is (global_id ->> a2a_protocol::contact_t) = (,).
-        // Invites I generated, keyed by invite id -> the name I assigned the peer.
-        pending_invites is (global_id ->> str) = (,).
+        // (The shared contact/profile/hierarchy state — my_name, contacts,
+        // pending_invites, peer_ads, my_bio, delegation_cert, root_ad,
+        // root_profile, contact_roots — lives in a2a_messaging and is read /
+        // assigned as a2a_messaging::<field> below.)
+        //
         // Received messages. Each carries its own lifecycle status (see
-        // message_t / get_messages / mark_processed / defer_messages), so the
+        // message_t / get_messages / gc / defer_messages), so the
         // packet is the single authority on what has been read or processed —
         // no host-side cursor, safe across concurrent sessions.
         inbox is message_t[] = [].
         // Monotonic source of per-message ids (the stable handle the agent uses
         // to mark a message processed or defer it).
         next_msg_seq is int = 1.
-        // Peer address documents, captured when a contact is established. These are
-        // self-signed, code-independent, and seed-stable, so on a code upgrade the
-        // host re-creates this packet from the same seed and import_state replays
-        // them through address_document::process_address_document — re-registering
-        // every peer's keys in key_storage so encrypted channels survive the upgrade
-        // with no re-handshake. Only peer PUBLIC keys travel here, never secrets.
-        peer_ads is (global_id ->> address_document_types::t_address_document) = (,).
         // The host registrar's address document (pinned once at identity
         // creation / injected on upgrade) — its $identity $key_list is what
         // introduction credentials are verified against. NIL means this identity
@@ -142,18 +190,23 @@ application actor loads libraries
         // Verified-but-unapproved local introductions (when auto-accept is off),
         // each with a bounded queue of messages awaiting approval.
         pending_introductions is (global_id ->> pending_intro_t) = (,).
-        // ---- identity hierarchy state ----
-        // My profile bio (free-text, self-asserted; carried in role invites).
-        my_bio is str = "".
-        // My delegation cert. NIL == I am a root or a legacy flat identity.
-        delegation_cert is a2a_protocol::delegation_cert_t+ = NIL.
-        // My root's address document (set with the cert; its key list is what
-        // sibling introductions and my own cert are verified against).
-        root_ad is address_document_types::t_address_document+ = NIL.
-        // My root's self-signed profile, embedded in the invites I generate.
-        root_profile is a2a_protocol::root_profile_t+ = NIL.
-        // Verified root linkage per contact, keyed by the contact's container id.
-        contact_roots is (global_id ->> a2a_protocol::contact_root_t) = (,).
+        // ---- monitoring state -------------------------------------------------
+        // Whether THIS packet (a role) reports its message traffic to its root.
+        // Only flipped by a root-signed authorization (set_monitoring).
+        monitoring_enabled is bool = FALSE.
+        // Root only: copies received from monitored roles, awaiting the host's
+        // get_monitoring_copies pull (forwarded to the bound proxy). Capped;
+        // oldest copies are dropped first when no proxy drains the queue.
+        monitoring_inbox is monitoring_copy_t[] = [].
+        // Root only: the in-flight proxy binding (6-digit code verification)
+        // and the verified proxy that monitoring traffic is forwarded to.
+        proxy_pending is proxy_pending_t+ = NIL.
+        monitoring_proxy is proxy_binding_t+ = NIL.
+        // Root only: control requests from the bound proxy, awaiting the
+        // host's get_control_requests pull. Kept out of the message inbox so
+        // agent sessions never see them.
+        control_inbox is control_req_t[] = [].
         // Signal the host to persist the packet. Only emitted at the end of a
         // complete procedure — intermediate states (e.g. channel handshake) are
@@ -162,19 +215,6 @@ application actor loads libraries
         fn _return_data (payload: any) = (transaction::action::return_data ($kind -> $data, $payload -> payload)).
         fn _notify_agent (payload: any) = (transaction::action::return_data ($kind -> $notify_agent, $payload -> payload)).
-        // Resolve a contact reference (a display name or stringified container id)
-        // to a container id; aborts if no contact matches.
-        fn resolve_contact (ref: str) -> global_id
-        {
-            found is global_id+ = NIL.
-            sc contacts -- (cid -> c) ?? found == NIL && ((c $name) == ref || (_str cid) == ref)
-            {
-                found -> cid.
-            }
-            abort "Unknown contact: " + ref when found == NIL.
-            return found?.
-        }
         // Append a message to the inbox under a fresh id; returns the id.
         fn deposit_message (sender_id: global_id, sender_name: str, text: str, msg_date: time) -> int
         {
@@ -191,6 +231,39 @@ application actor loads libraries
             return mid.
         }
+        // Build the monitoring-copy action for one message IF this packet is a
+        // monitored role with a live encrypted channel to its root; [] otherwise.
+        // The is_container_registered guard makes a missing/lost root channel
+        // degrade to "no copy" instead of failing the user's message — the
+        // enable flow (host-side) establishes the channel via connect_sibling.
+        fn monitor_copy_actions (direction: str, peer_cid: global_id, text: str, msg_date: time) -> transaction::action::type[]
+        {
+            if monitoring_enabled == FALSE || a2a_messaging::delegation_cert == NIL { return []. }
+            root_cid = a2a_messaging::delegation_cert? $c $root_cid.
+            if key_storage::is_container_registered(root_cid) != TRUE { return []. }
+            peer_name is str = "".
+            p = a2a_messaging::contacts peer_cid.
+            if p != NIL { peer_name -> p? $name. }
+            copy is monitoring_copy_t = (
+                $version     -> 1,
+                $source_cid  -> _get_container_id(),
+                $source_name -> a2a_messaging::my_name,
+                $direction   -> direction,
+                $peer_cid    -> peer_cid,
+                $peer_name   -> peer_name,
+                $date        -> msg_date,
+                $body        -> text
+            ).
+            return [
+                encrypted_channel::send_encrypted_tx root_cid (
+                    $name -> "::actor::receive_monitoring_copy",
+                    $targ -> ($copy -> copy)
+                )
+            ].
+        }
         // Resolve a pending introduction by joiner name or stringified container
         // id; aborts when nothing matches.
         fn resolve_pending (ref: str) -> global_id
@@ -203,229 +276,83 @@ application actor loads libraries
             abort "No pending introduction matches: " + ref when found == NIL.
             return found?.
         }
-    }
-    // ---- user transactions --------------------------------------------------
-    trn set_my_name _:($name -> name: str)
-    {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-        my_name -> name.
-        return transaction::success [
-            _return_data ($name -> name),
-            _save_state NIL
-        ].
-    }
-    trn set_my_bio _:($bio -> bio: str)
-    {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-        my_bio -> bio.
-        return transaction::success [
-            _return_data ($bio -> bio),
-            _save_state NIL
-        ].
-    }
-    trn generate_invite _:($name -> name: str+)
-    {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-        invite_id = _new_id "a2adapt invite".
-        // Remember the name I'm assigning to whoever redeems this invite. An
-        // empty string is the "no assigned name" sentinel: accept_contact then
-        // registers the joiner under its self-announced name instead.
-        assigned = (name == NIL ?? "" ; name?).
-        pending_invites invite_id -> assigned.
-        // Carry only my signed identity (public keys) + its self-signatures. The
-        // joiner rebuilds my address document from these (version is constant, my
-        // container_id is the identity's own field) and stores it so it can
-        // re-register me after a code upgrade (see peer_ads / import_state). The
-        // identity sub-record is passed through untouched so its _value_id — what
-        // the authorizations sign over — survives the round trip unchanged.
-        my_ad = address_document::get_my_address_document().
-        my_identity = my_ad $identity.
-        // A delegated role embeds its cert + the root's profile (Ring 3 of the
-        // identity hierarchy: external peers verify the whole chain from the
-        // invite alone). A root or legacy identity emits the original shape
-        // byte-for-byte, so those invites stay redeemable by old clients.
-        if delegation_cert != NIL && root_profile != NIL
-        {
-            role_invite is a2a_protocol::invite_role_t = (
-                $d  -> invite_id,
-                $n  -> my_name,
-                $c  -> my_identity $container_id,
-                $k  -> my_identity $key_list,
-                $a  -> my_ad $authorizations,
-                $b  -> my_bio,
-                $dc -> delegation_cert?,
-                $rp -> root_profile?
-            ).
-            return transaction::success [
-                _return_data (
-                    $invite     -> (_write role_invite),
-                    $invite_id  -> invite_id,
-                    $peer_name  -> assigned
-                ),
-                _save_state NIL
-            ].
-        }
-        invite is a2a_protocol::invite_t = (
-            $d -> invite_id,
-            $n -> my_name,
-            $c -> my_identity $container_id,
-            $k -> my_identity $key_list,
-            $a -> my_ad $authorizations
+        // Wire the agent's storage into the shared messaging core. The receive
+        // hook owns everything app-specific about an inbound message: known
+        // senders deposit into the inbox; an unknown sender may be a verified-
+        // but-unapproved local introduction messaging before approval — queue
+        // (bounded) inside its pending entry, approval flushes the queue into
+        // the inbox in order; anything else from an unknown sender is rejected.
+        // The notification deliberately carries NO message body — only that a
+        // message arrived, from whom, and its id. The body stays in the packet
+        // and only leaves through get_messages.
+        a2a_messaging::init (
+            $_read_or_abort -> _read_or_abort,
+            $on_message_received -> fn (arg: any) -> transaction::action::type[]
+            {
+                sender_id = (arg $sender_id) safe global_id.
+                text = (arg $text) safe str.
+                msg_date = (arg $date) safe time.
+                if (arg $sender_name) == NIL
+                {
+                    p = pending_introductions sender_id.
+                    abort "Message from an unknown sender was rejected." when p == NIL.
+                    entry = p?.
+                    queued = entry $messages.
+                    abort "Pending-introduction message queue is full; awaiting approval." when (_count queued|) >= pending_queue_cap.
+                    queued (_count queued|) -> ($text -> text, $date -> msg_date).
+                    pending_introductions sender_id -> ($name -> entry $name, $ad -> entry $ad, $messages -> queued).
+                    return [
+                        _notify_agent ($event -> $pending_message, $sender_name -> entry $name, $queued -> _count queued|),
+                        _save_state NIL
+                    ].
+                }
+                sender_name = (arg $sender_name) safe str.
+                mid = deposit_message sender_id sender_name text msg_date.
+                actions is transaction::action::type[] = [].
+                sc monitor_copy_actions "in" sender_id text msg_date -- ( -> a)
+                {
+                    actions (_count actions|) -> a.
+                }
+                actions (_count actions|) -> _notify_agent ($event -> $message_received, $sender_name -> sender_name, $msg_id -> mid, $date -> msg_date).
+                actions (_count actions|) -> _save_state NIL.
+                return actions.
+            },
+            $on_message_sent -> fn (arg: any) -> transaction::action::type[]
+            {
+                return monitor_copy_actions "out" ((arg $target_id) safe global_id) ((arg $text) safe str) ((arg $date) safe time).
+            },
+            $on_contact_removed -> fn (_: any) -> transaction::action::type[] { return []. }
         ).
-        return transaction::success [
-            _return_data (
-                $invite     -> (_write invite),
-                $invite_id  -> invite_id,
-                $peer_name  -> assigned
-            ),
-            _save_state NIL
-        ].
-    }
-    trn add_contact _:($invite -> invite_blob: bin, $name -> custom_name: str+)
-    {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-        // Parse field-by-field rather than via one `safe invite_t` cast: the
-        // shared fields are identical between invite_t and invite_role_t, so
-        // this one path redeems both the legacy shape and the role shape (the
-        // hierarchy fields are simply NIL on a legacy invite).
-        raw = _read_or_abort invite_blob.
-        inviter_id = (raw $c) safe global_id.
-        abort "This invite is your own — you cannot add yourself." when inviter_id == _get_container_id().
-        invite_id = (raw $d) safe global_id.
-        inviter_name = (raw $n) safe str.
-        inviter_keys = (raw $k) safe (key_utils::t_publickey(,)).
-        inviter_auths = (raw $a) safe (crypto_signature(,)).
-        // Rebuild the inviter's full address document from the carried material
-        // (see a2a_protocol::rebuild_peer_address_document — the reconstructed
-        // identity is byte-for-byte the signed one). import_state later replays
-        // this document through process_address_document to re-register the
-        // inviter's keys after a code upgrade — so it must validate, and it does.
-        inviter_ad = a2a_protocol::rebuild_peer_address_document inviter_id inviter_keys inviter_auths.
-        // A role invite carries a delegation chain — verify it BEFORE anything
-        // is registered (an invalid chain rejects the whole invite), and record
-        // the root linkage. A legacy/root invite has no chain; nothing to check.
-        inviter_root is a2a_protocol::contact_root_t+ = NIL.
-        inviter_bio is str = "".
-        if (raw $dc) != NIL
-        {
-            cert = (raw $dc) safe a2a_protocol::delegation_cert_t.
-            rp = (raw $rp) safe a2a_protocol::root_profile_t.
-            inviter_root -> a2a_protocol::verify_peer_delegation inviter_id (_value_id inviter_ad) cert rp.
-            inviter_bio -> (raw $b) safe str.
-        }
-        // Register the inviter under my chosen name, or the name they embedded.
-        contact_name = (custom_name == NIL ?? inviter_name ; custom_name?).
-        contacts inviter_id -> ($name -> contact_name, $container_id -> inviter_id).
-        // Remember the inviter's address document so I can re-register them after
-        // an upgrade (their keys are seed-stable, so this stays valid).
-        peer_ads inviter_id -> inviter_ad.
-        if inviter_root != NIL
-        {
-            contact_roots inviter_id -> inviter_root?.
-        }
-        my_self_name = my_name.
-        my_ad = address_document::get_my_address_document().
-        // If I am a delegated role myself, carry my own chain in the reply so
-        // the inviter learns my root linkage symmetrically.
-        my_cert_blob is bin+ = NIL.
-        my_rp_blob is bin+ = NIL.
-        if delegation_cert != NIL && root_profile != NIL
-        {
-            my_cert_blob -> (_write delegation_cert?).
-            my_rp_blob -> (_write root_profile?).
-        }
-        root_name_out is str = "".
-        role_id_out is str = "".
-        if inviter_root != NIL
-        {
-            root_name_out -> inviter_root? $root_name.
-            role_id_out -> inviter_root? $role_id.
-        }
-        // Establish the encrypted channel with the inviter (handshake happens
-        // transparently if we haven't talked before), then tell them I redeemed
-        // their invite, what my own name is, and my address document, so they can
-        // finish the handshake and remember me for future upgrades.
-        return encrypted_channel::execute_transaction inviter_id (fn (_) -> transaction::results::type {
-            return transaction::success [
-                encrypted_channel::send_encrypted_tx inviter_id (
-                    $name -> "::actor::accept_contact",
-                    $targ -> (
-                        $invite_id -> invite_id,
-                        $joiner_name -> my_self_name,
-                        $joiner_ad -> my_ad,
-                        $joiner_cert -> my_cert_blob,
-                        $joiner_root_profile -> my_rp_blob
-                    )
-                ),
-                _return_data (
-                    $added -> contact_name,
-                    $container_id -> inviter_id,
-                    $root_name -> root_name_out,
-                    $role_id -> role_id_out,
-                    $bio -> inviter_bio
-                ),
-                _save_state NIL
-            ].
-        }).
-    }
-    trn send_message _:($contact -> contact_ref: str, $text -> text: str)
-    {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-        target_id = resolve_contact contact_ref.
-        return encrypted_channel::execute_transaction target_id (fn (_) -> transaction::results::type {
-            return transaction::success [
-                encrypted_channel::send_encrypted_tx target_id (
-                    $name -> "::actor::receive_message",
-                    $targ -> ($text -> text)
-                ),
-                _return_data ($sent_to -> target_id, $text -> text),
-                _save_state NIL
-            ].
-        }).
-    }
-    trn remove_contact _:($contact -> contact_ref: str)
-    {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-        target_id = resolve_contact contact_ref.
-        removed = contacts target_id.
-        removed_name = removed? $name.
-        delete contacts target_id.
-        if peer_ads target_id != NIL { delete peer_ads target_id. }
-        if contact_roots target_id != NIL { delete contact_roots target_id. }
-        return transaction::success [
-            _return_data ($removed -> removed_name, $container_id -> target_id),
-            _save_state NIL
-        ].
+        // Wire the control plane (see MONITORING-AND-SHARED-LIBRARY-DESIGN.md
+        // Part 4): control requests from the bound browser proxy queue in
+        // control_inbox — NEVER the message inbox, so agent sessions don't see
+        // them — and the notify event wakes the daemon's dispatcher. The
+        // payload stays opaque here; sender authorization happens in the
+        // daemon against the packet's monitoring_proxy / proxy_pending state.
+        a2a_control::init (
+            $on_control_received -> fn (arg: any) -> transaction::action::type[]
+            {
+                abort "Control queue is full." when (_count control_inbox|) >= control_inbox_cap.
+                sender_name = (arg $sender_name) safe str.
+                control_inbox (_count control_inbox|) -> (
+                    $sender_cid  -> (arg $sender_id) safe global_id,
+                    $sender_name -> sender_name,
+                    $payload     -> (arg $payload) safe str,
+                    $date        -> (arg $date) safe time
+                ).
+                return [
+                    _notify_agent ($event -> $control_request, $sender_name -> sender_name, $queued -> _count control_inbox|),
+                    _save_state NIL
+                ].
+            }
+        ).
     }
-    trn readonly list_contacts _
-    {
-        return contacts.
-    }
+    // ---- message store --------------------------------------------------------
     trn readonly list_incoming_messages _
     {
@@ -668,10 +595,10 @@ application actor loads libraries
         entry_sig = (_read_or_abort entry_sig_blob) safe crypto_signature.
         abort "Contact-book entry failed registrar verification." when key_storage::check_signature_new_container (_value_id entry) entry_sig (registrar_ad? $identity $key_list) != TRUE.
-        contacts target_id -> ($name -> name, $container_id -> target_id).
-        peer_ads target_id -> target_ad.
+        a2a_messaging::contacts target_id -> ($name -> name, $container_id -> target_id).
+        a2a_messaging::peer_ads target_id -> target_ad.
-        my_self_name = my_name.
+        my_self_name = a2a_messaging::my_name.
         my_ad = address_document::get_my_address_document().
         return encrypted_channel::execute_transaction target_id (fn (_) -> transaction::results::type {
             return transaction::success [
@@ -691,8 +618,8 @@ application actor loads libraries
         pid = resolve_pending ref.
         entry = (pending_introductions pid)?.
-        contacts pid -> ($name -> entry $name, $container_id -> pid).
-        peer_ads pid -> entry $ad.
+        a2a_messaging::contacts pid -> ($name -> entry $name, $container_id -> pid).
+        a2a_messaging::peer_ads pid -> entry $ad.
         queued = entry $messages.
         flushed is int = 0.
@@ -751,7 +678,7 @@ application actor loads libraries
     trn sign_delegation _:($role_ad -> role_ad_blob: bin, $role_id -> role_id: str)
     {
         current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-        abort "Only a root identity can sign delegation certificates." when delegation_cert != NIL.
+        abort "Only a root identity can sign delegation certificates." when a2a_messaging::delegation_cert != NIL.
         role_ad = (_read_or_abort role_ad_blob) safe address_document_types::t_address_document.
         role_cid = role_ad $identity $container_id.
@@ -777,14 +704,14 @@ application actor loads libraries
     trn export_root_profile _
     {
         current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-        abort "Only a root identity can export a root profile." when delegation_cert != NIL.
+        abort "Only a root identity can export a root profile." when a2a_messaging::delegation_cert != NIL.
         my_ad = address_document::get_my_address_document().
         core is a2a_protocol::root_profile_core_t = (
             $version  -> 1,
             $root_cid -> _get_container_id(),
-            $name     -> my_name,
-            $bio      -> my_bio,
+            $name     -> a2a_messaging::my_name,
+            $bio      -> a2a_messaging::my_bio,
             $keys     -> my_ad $identity $key_list
         ).
         profile is a2a_protocol::root_profile_t = ($p -> core, $s -> key_storage::default_sign (_value_id core)).
@@ -817,9 +744,9 @@ application actor loads libraries
         abort "The root profile's key list does not match the root's address document." when (_value_id (rp $p $keys)) != (_value_id (new_root_ad $identity $key_list)).
         abort "The root profile signature is invalid." when key_storage::check_signature_new_container (_value_id (rp $p)) (rp $s) (new_root_ad $identity $key_list) != TRUE.
-        delegation_cert -> cert.
-        root_ad -> new_root_ad.
-        root_profile -> rp.
+        a2a_messaging::delegation_cert -> cert.
+        a2a_messaging::root_ad -> new_root_ad.
+        a2a_messaging::root_profile -> rp.
         return transaction::success [
             _return_data ($delegated -> TRUE, $root_cid -> (_str (cert $c $root_cid)), $role_id -> cert $c $role_id),
@@ -829,34 +756,24 @@ application actor loads libraries
     trn readonly describe_identity _
     {
-        if delegation_cert == NIL
+        if a2a_messaging::delegation_cert == NIL
         {
-            return ($name -> my_name, $bio -> my_bio, $has_cert -> FALSE, $role_id -> "", $root_cid -> "", $root_name -> "").
+            return ($name -> a2a_messaging::my_name, $bio -> a2a_messaging::my_bio, $has_cert -> FALSE, $role_id -> "", $root_cid -> "", $root_name -> "", $monitoring_enabled -> monitoring_enabled).
         }
-        cert = delegation_cert?.
+        cert = a2a_messaging::delegation_cert?.
         rname is str = "".
-        if root_profile != NIL { rname -> root_profile? $p $name. }
+        if a2a_messaging::root_profile != NIL { rname -> a2a_messaging::root_profile? $p $name. }
         return (
-            $name      -> my_name,
-            $bio       -> my_bio,
+            $name      -> a2a_messaging::my_name,
+            $bio       -> a2a_messaging::my_bio,
             $has_cert  -> TRUE,
             $role_id   -> cert $c $role_id,
             $root_cid  -> (_str (cert $c $root_cid)),
-            $root_name -> rname
+            $root_name -> rname,
+            $monitoring_enabled -> monitoring_enabled
         ).
     }
-    trn readonly list_contact_roots _
-    {
-        return contact_roots.
-    }
-    // The shared-core version this packet was compiled with (see core/version.mm).
-    trn readonly get_version _
-    {
-        return ($core -> version::get_core_version()).
-    }
     // Connect to an intra-root sibling (Ring 1): register it as a contact and
     // introduce myself over the encrypted channel, presenting my delegation
     // cert (NIL when I am the root itself — the channel proves I control the
@@ -872,22 +789,22 @@ application actor loads libraries
         abort "This sibling is your own identity." when target_id == _get_container_id().
         cert_blob is bin+ = NIL.
-        if delegation_cert != NIL { cert_blob -> (_write delegation_cert?). }
+        if a2a_messaging::delegation_cert != NIL { cert_blob -> (_write a2a_messaging::delegation_cert?). }
-        contacts target_id -> ($name -> name, $container_id -> target_id).
-        peer_ads target_id -> target_ad.
+        a2a_messaging::contacts target_id -> ($name -> name, $container_id -> target_id).
+        a2a_messaging::peer_ads target_id -> target_ad.
         // Record the target's root linkage: a sibling shares my root by
         // definition (the receiving side verifies the converse independently).
-        if delegation_cert != NIL && root_profile != NIL
+        if a2a_messaging::delegation_cert != NIL && a2a_messaging::root_profile != NIL
         {
-            contact_roots target_id -> ($root_cid -> delegation_cert? $c $root_cid, $root_name -> root_profile? $p $name, $role_id -> name).
+            a2a_messaging::contact_roots target_id -> ($root_cid -> a2a_messaging::delegation_cert? $c $root_cid, $root_name -> a2a_messaging::root_profile? $p $name, $role_id -> name).
         }
         else
         {
-            contact_roots target_id -> ($root_cid -> _get_container_id(), $root_name -> my_name, $role_id -> name).
+            a2a_messaging::contact_roots target_id -> ($root_cid -> _get_container_id(), $root_name -> a2a_messaging::my_name, $role_id -> name).
         }
-        my_self_name = my_name.
+        my_self_name = a2a_messaging::my_name.
         my_ad = address_document::get_my_address_document().
         return encrypted_channel::execute_transaction target_id (fn (_) -> transaction::results::type {
             return transaction::success [
@@ -901,6 +818,232 @@ application actor loads libraries
         }).
     }
+    // ---- monitoring + control plane -------------------------------------------
+    // (see MONITORING-AND-SHARED-LIBRARY-DESIGN.md). A monitored ROLE reports
+    // every message it sends/receives to its ROOT (the monitor_copy_actions
+    // branches in the storage hooks above); the root queues the copies and the
+    // host forwards them to a human proxy bound via 6-digit-code verification.
+    // The proxy's control requests (create agent, update role, …) queue in
+    // control_inbox and are executed by the host daemon.
+    trn readonly get_monitoring_status _
+    {
+        pending is bool = FALSE.
+        if proxy_pending != NIL { pending -> TRUE. }
+        proxy_out is str = "".
+        if monitoring_proxy != NIL { proxy_out -> _str (monitoring_proxy? $proxy_cid). }
+        return (
+            $monitoring_enabled -> monitoring_enabled,
+            $proxy_cid          -> proxy_out,
+            $proxy_pending      -> pending,
+            $copies_queued      -> _count monitoring_inbox|,
+            $control_queued     -> _count control_inbox|
+        ).
+    }
+    // Sign a monitoring authorization for a role (ROOT packet only — the role
+    // verifies the signature against its pinned root keys, so an auth minted
+    // by any other packet fails). Stateless, mirrors sign_delegation.
+    trn sign_monitoring_auth _:($role_ad -> role_ad_blob: bin, $enabled -> enabled: bool)
+    {
+        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
+        abort "Only a root identity can sign monitoring authorizations." when a2a_messaging::delegation_cert != NIL.
+        role_ad = (_read_or_abort role_ad_blob) safe address_document_types::t_address_document.
+        core is monitoring_auth_core_t = (
+            $version   -> 1,
+            $role_cid  -> role_ad $identity $container_id,
+            $enabled   -> enabled,
+            $issued_at -> (current_transaction_info::get_transaction_time())?
+        ).
+        auth is monitoring_auth_t = ($c -> core, $s -> key_storage::default_sign (_value_id core)).
+        return transaction::success [
+            _return_data ($auth -> (_write auth))
+        ].
+    }
+    // Store a verified monitoring flag (ROLE packet, host-fired after the root
+    // signed the auth). An auth that does not name me or was not signed by my
+    // root is rejected — so even a compromised host process cannot silently
+    // flip monitoring without the root packet's keys.
+    trn set_monitoring _:($auth -> auth_blob: bin)
+    {
+        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
+        abort "Only a delegated role can be monitored." when a2a_messaging::delegation_cert == NIL || a2a_messaging::root_ad == NIL.
+        auth = (_read_or_abort auth_blob) safe monitoring_auth_t.
+        abort "Unsupported monitoring authorization version." when (auth $c $version) != 1.
+        abort "This monitoring authorization was issued to a different identity." when (auth $c $role_cid) != _get_container_id().
+        abort "The monitoring authorization was not signed by my root." when key_storage::check_signature_new_container (_value_id (auth $c)) (auth $s) (a2a_messaging::root_ad? $identity $key_list) != TRUE.
+        monitoring_enabled -> auth $c $enabled.
+        return transaction::success [
+            _return_data ($monitoring_enabled -> monitoring_enabled),
+            _save_state NIL
+        ].
+    }
+    // A monitored role reports one message copy (ROOT packet, inbound). Only
+    // accepted from a verified role of THIS root (the contact_roots linkage
+    // recorded by sibling_introduce), and the copy must name its actual sender
+    // — a role cannot forge copies on another role's behalf.
+    trn receive_monitoring_copy _:($copy -> copy: monitoring_copy_t)
+    {
+        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::external,).
+        encrypted_channel::check_encrypted_or_abort().
+        sender_id = current_transaction_info::get_external_envelope_or_abort() $from.
+        link = a2a_messaging::contact_roots sender_id.
+        abort "Monitoring copies are only accepted from my own roles." when link == NIL || (link? $root_cid) != _get_container_id().
+        abort "Monitoring copy does not name its sender as the source." when (copy $source_cid) != sender_id.
+        abort "Unsupported monitoring copy version." when (copy $version) != 1.
+        // Capped queue, oldest first out: if no proxy drains the root, recent
+        // traffic wins over old.
+        if (_count monitoring_inbox|) >= monitoring_inbox_cap
+        {
+            trimmed is monitoring_copy_t[] = [].
+            i is int = 0.
+            sc monitoring_inbox -- ( -> m)
+            {
+                if i > 0 { trimmed (_count trimmed|) -> m. }
+                i -> i + 1.
+            }
+            monitoring_inbox -> trimmed.
+        }
+        monitoring_inbox (_count monitoring_inbox|) -> copy.
+        return transaction::success [
+            _notify_agent ($event -> $monitoring_copy, $source_name -> copy $source_name, $queued -> _count monitoring_inbox|),
+            _save_state NIL
+        ].
+    }
+    // Drain the queued monitoring copies (ROOT packet, host-fired before
+    // forwarding to the bound proxy). Cleared on read, like get_messages.
+    trn get_monitoring_copies _
+    {
+        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
+        copies = monitoring_inbox.
+        monitoring_inbox -> [].
+        return transaction::success [
+            _return_data ($copies -> copies),
+            _save_state NIL
+        ].
+    }
+    // Drain the queued control requests (ROOT packet, host-fired by the
+    // control dispatcher). Cleared on read.
+    trn get_control_requests _
+    {
+        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
+        reqs = control_inbox.
+        control_inbox -> [].
+        return transaction::success [
+            _return_data ($requests -> reqs),
+            _save_state NIL
+        ].
+    }
+    // Start a proxy binding (ROOT packet, host-fired): remember the code the
+    // host generated (MUFL has no random source) for one specific contact.
+    // Restarting overwrites any previous pending binding.
+    trn set_proxy_pending _:($code -> code: str, $proxy -> proxy_ref: str)
+    {
+        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
+        abort "Only a root identity can bind a monitoring proxy." when a2a_messaging::delegation_cert != NIL.
+        pid = a2a_messaging::resolve_contact proxy_ref.
+        proxy_pending -> (
+            $code       -> code,
+            $proxy_cid  -> pid,
+            $created_at -> (current_transaction_info::get_transaction_time())?,
+            $attempts   -> 0
+        ).
+        return transaction::success [
+            _return_data ($pending -> TRUE, $proxy_cid -> (_str pid)),
+            _save_state NIL
+        ].
+    }
+    // Verify a proxy's code attempt (ROOT packet, host-fired when a `bind`
+    // control request arrives). Failures are returned as DATA — not aborts —
+    // so the attempt counter and expiry clearing persist atomically; an abort
+    // would roll them back and reopen the brute-force window.
+    trn verify_proxy_code _:($code -> code: str, $sender -> sender_ref: str)
+    {
+        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
+        if proxy_pending == NIL
+        {
+            return transaction::success [ _return_data ($verified -> FALSE, $reason -> "no_pending") ].
+        }
+        p = proxy_pending?.
+        now = (current_transaction_info::get_transaction_time())?.
+        if (_substract_seconds now (p $created_at)) > proxy_code_max_age_seconds
+        {
+            proxy_pending -> NIL.
+            return transaction::success [
+                _return_data ($verified -> FALSE, $reason -> "expired"),
+                _save_state NIL
+            ].
+        }
+        sid = a2a_messaging::resolve_contact sender_ref.
+        if sid != (p $proxy_cid)
+        {
+            // Not the contact this binding was started for: reject without
+            // burning an attempt (the code was never compared).
+            return transaction::success [ _return_data ($verified -> FALSE, $reason -> "wrong_sender") ].
+        }
+        if code != (p $code)
+        {
+            attempts = (p $attempts) + 1.
+            if attempts >= proxy_max_attempts
+            {
+                proxy_pending -> NIL.
+                return transaction::success [
+                    _return_data ($verified -> FALSE, $reason -> "too_many_attempts"),
+                    _save_state NIL
+                ].
+            }
+            proxy_pending -> (
+                $code       -> p $code,
+                $proxy_cid  -> p $proxy_cid,
+                $created_at -> p $created_at,
+                $attempts   -> attempts
+            ).
+            return transaction::success [
+                _return_data ($verified -> FALSE, $reason -> "wrong_code", $attempts_left -> proxy_max_attempts - attempts),
+                _save_state NIL
+            ].
+        }
+        monitoring_proxy -> ($proxy_cid -> sid, $bound_at -> now).
+        proxy_pending -> NIL.
+        return transaction::success [
+            _return_data ($verified -> TRUE, $proxy_cid -> (_str sid)),
+            _save_state NIL
+        ].
+    }
+    // Drop the proxy binding (and any in-flight code verification).
+    trn clear_monitoring_proxy _
+    {
+        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
+        monitoring_proxy -> NIL.
+        proxy_pending -> NIL.
+        return transaction::success [
+            _return_data ($cleared -> TRUE),
+            _save_state NIL
+        ].
+    }
     // ---- upgrade: state export / import -------------------------------------
     // The host persists state by calling export_state (readonly) and serializing
     // the returned value to a code-independent blob. On a code upgrade it recreates
@@ -909,27 +1052,37 @@ application actor loads libraries
     //
     // The packet-level snapshot is NOT used for upgrades: it is bound to the unit
     // code hash, so a new .muflo cannot load an old snapshot. This data blob is.
+    //
+    // The blob stays FLAT with the historical field names — the core fields come
+    // from a2a_messaging::export_core_state / import_core_state, the app fields
+    // are composed in here — so a PRE-migration export imports unchanged.
     trn readonly export_state _
     {
+        core_state = a2a_messaging::export_core_state NIL.
         return (
-            $my_name           -> my_name,
-            $contacts          -> contacts,
-            $pending_invites   -> pending_invites,
+            $my_name           -> core_state $my_name,
+            $contacts          -> core_state $contacts,
+            $pending_invites   -> core_state $pending_invites,
             $inbox             -> inbox,
             $next_msg_seq      -> next_msg_seq,
-            $peer_ads          -> peer_ads,
+            $peer_ads          -> core_state $peer_ads,
             $registrar_ad      -> registrar_ad,
             $local_auto_accept -> local_auto_accept,
             // Nonces are exported so a restart does not reopen the replay window
             // for still-fresh credentials; stale ones are purged lazily anyway.
             $seen_nonces       -> seen_nonces,
             $pending_introductions -> pending_introductions,
-            $my_bio            -> my_bio,
-            $delegation_cert   -> delegation_cert,
-            $root_ad           -> root_ad,
-            $root_profile      -> root_profile,
-            $contact_roots     -> contact_roots
+            $my_bio            -> core_state $my_bio,
+            $delegation_cert   -> core_state $delegation_cert,
+            $root_ad           -> core_state $root_ad,
+            $root_profile      -> core_state $root_profile,
+            $contact_roots     -> core_state $contact_roots,
+            $monitoring_enabled -> monitoring_enabled,
+            $monitoring_inbox  -> monitoring_inbox,
+            $proxy_pending     -> proxy_pending,
+            $monitoring_proxy  -> monitoring_proxy,
+            $control_inbox     -> control_inbox
         ).
     }
@@ -937,12 +1090,11 @@ application actor loads libraries
     {
         current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::user,).
-        // The fields that did not change across the schema bump are validated the
-        // same way for any version of the blob.
-        my_name         -> (data $my_name) safe str.
-        contacts        -> (data $contacts) safe (global_id ->> a2a_protocol::contact_t).
-        pending_invites -> (data $pending_invites) safe (global_id ->> str).
-        peer_ads        -> (data $peer_ads) safe (global_id ->> address_document_types::t_address_document).
+        // Core fields (contacts/profile/hierarchy) — validated and restored by
+        // the shared library, which also replays every peer's address document
+        // through process_address_document so encrypted channels keep working
+        // after the upgrade with no re-handshake.
+        a2a_messaging::import_core_state data.
         // The inbox + next_msg_seq are the only parts the message-lifecycle changes
         // touched. A pre-lifecycle blob has no $next_msg_seq and inbox entries with
@@ -1013,36 +1165,29 @@ application actor loads libraries
             pending_introductions -> (data $pending_introductions) safe (global_id ->> pending_intro_t).
         }
-        // Identity-hierarchy state arrived after the local-contact-book schema —
-        // same pattern: every field is optional, defaults stay when absent.
-        if (data $my_bio) != NIL
+        // Monitoring + control state arrived after the local-book schema —
+        // optional in old blobs the same way.
+        if (data $monitoring_enabled) != NIL
         {
-            my_bio -> (data $my_bio) safe str.
+            monitoring_enabled -> (data $monitoring_enabled) safe bool.
         }
-        if (data $delegation_cert) != NIL
+        if (data $monitoring_inbox) != NIL
         {
-            delegation_cert -> (data $delegation_cert) safe a2a_protocol::delegation_cert_t.
+            monitoring_inbox -> (data $monitoring_inbox) safe (monitoring_copy_t[]).
         }
-        if (data $root_ad) != NIL
+        if (data $proxy_pending) != NIL
         {
-            root_ad -> (data $root_ad) safe address_document_types::t_address_document.
+            proxy_pending -> (data $proxy_pending) safe proxy_pending_t.
         }
-        if (data $root_profile) != NIL
+        if (data $monitoring_proxy) != NIL
         {
-            root_profile -> (data $root_profile) safe a2a_protocol::root_profile_t.
+            monitoring_proxy -> (data $monitoring_proxy) safe proxy_binding_t.
         }
-        if (data $contact_roots) != NIL
+        if (data $control_inbox) != NIL
         {
-            contact_roots -> (data $contact_roots) safe (global_id ->> a2a_protocol::contact_root_t).
+            control_inbox -> (data $control_inbox) safe (control_req_t[]).
         }
-        // Re-register every peer's keys so encrypted channels keep working after
-        // the upgrade — no handshake needed (my own keys are unchanged, and the
-        // peers' self-signed address documents re-authorize on this fresh packet).
-        sc peer_ads -- ( -> ad)
-        {
-            address_document::process_address_document ad TRUE.
-        }
         // Pending introducers' keys too: their channel to me predates approval,
         // so it must survive an upgrade exactly like an approved contact's.
         sc pending_introductions -- ( -> p)
@@ -1051,103 +1196,24 @@ application actor loads libraries
         }
         return transaction::success [
-            _return_data ($imported -> TRUE, $contacts -> _count contacts|, $peers -> _count peer_ads|),
+            _return_data ($imported -> TRUE, $contacts -> _count a2a_messaging::contacts|, $peers -> _count a2a_messaging::peer_ads|),
             _save_state NIL
         ].
     }
     // ---- external (inbound) transactions ------------------------------------
-    // Args are taken as `any` (not a destructured shape) so old clients — whose
-    // accept_contact payload has no hierarchy fields — keep working unchanged.
+    // Compat shims (Option A): pre-migration peers address these as ::actor::*,
+    // and the core keeps SENDING to the ::actor:: names too. Each delegates to
+    // the shared handler — remove only when no old clients remain.
     trn accept_contact args: any
     {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::external,).
-        encrypted_channel::check_encrypted_or_abort().
-        sender_id = current_transaction_info::get_external_envelope_or_abort() $from.
-        invite_id = (args $invite_id) safe global_id.
-        joiner_ad = (args $joiner_ad) safe address_document_types::t_address_document.
-        // Only an invite I generated (and have not yet consumed) authorizes a
-        // contact registration. Without this gate any invite blob would be a
-        // multi-use bearer credential: anyone who ever saw one could register
-        // themselves as my contact with a self-chosen name.
-        assigned_name = pending_invites invite_id.
-        abort "Unknown or already-redeemed invite." when assigned_name == NIL.
-        // An empty assigned name means the invite was generated without one:
-        // the joiner's self-announced name wins (container id as a last resort
-        // when the joiner never set a name either).
-        contact_name is str = assigned_name?.
-        if contact_name == ""
-        {
-            joiner_self = (args $joiner_name) safe str.
-            contact_name -> (joiner_self == "" ?? (_str sender_id) ; joiner_self).
-        }
-        // A delegated-role joiner carries its chain so I learn its root linkage
-        // symmetrically; an invalid chain rejects the redemption outright.
-        joiner_root is a2a_protocol::contact_root_t+ = NIL.
-        if (args $joiner_cert) != NIL
-        {
-            cert = (_read_or_abort ((args $joiner_cert) safe bin)) safe a2a_protocol::delegation_cert_t.
-            rp = (_read_or_abort ((args $joiner_root_profile) safe bin)) safe a2a_protocol::root_profile_t.
-            joiner_root -> a2a_protocol::verify_peer_delegation sender_id (_value_id joiner_ad) cert rp.
-        }
-        contacts sender_id -> ($name -> contact_name, $container_id -> sender_id).
-        // Remember the joiner's address document for upgrade-time re-registration.
-        peer_ads sender_id -> joiner_ad.
-        if joiner_root != NIL
-        {
-            contact_roots sender_id -> joiner_root?.
-        }
-        delete pending_invites invite_id.
-        return transaction::success [
-            _notify_agent ($event -> $contact_accepted, $name -> contact_name, $container_id -> sender_id),
-            _save_state NIL
-        ].
+        return a2a_messaging::handle_accept_contact args.
     }
     trn receive_message _:($text -> text: str)
     {
-        current_transaction_info::validate_origin_or_abort (transaction::envelope::origin::external,).
-        encrypted_channel::check_encrypted_or_abort().
-        sender_id = current_transaction_info::get_external_envelope_or_abort() $from.
-        msg_date = (current_transaction_info::get_transaction_time())?.
-        sender = contacts sender_id.
-        if sender == NIL
-        {
-            // A verified-but-unapproved local introduction may message me before
-            // approval: queue (bounded) inside its pending entry. Approval
-            // flushes the queue into the inbox in order; anything else from an
-            // unknown sender is rejected as before.
-            p = pending_introductions sender_id.
-            abort "Message from an unknown sender was rejected." when p == NIL.
-            entry = p?.
-            queued = entry $messages.
-            abort "Pending-introduction message queue is full; awaiting approval." when (_count queued|) >= pending_queue_cap.
-            queued (_count queued|) -> ($text -> text, $date -> msg_date).
-            pending_introductions sender_id -> ($name -> entry $name, $ad -> entry $ad, $messages -> queued).
-            return transaction::success [
-                _notify_agent ($event -> $pending_message, $sender_name -> entry $name, $queued -> _count queued|),
-                _save_state NIL
-            ].
-        }
-        sender_name = sender? $name.
-        mid = deposit_message sender_id sender_name text msg_date.
-        // The notification deliberately carries NO message body — only that a
-        // message arrived, from whom, and its id. The body stays in the packet
-        // and only leaves through get_messages.
-        return transaction::success [
-            _notify_agent ($event -> $message_received, $sender_name -> sender_name, $msg_id -> mid, $date -> msg_date),
-            _save_state NIL
-        ].
+        return a2a_messaging::handle_receive_message text.
     }
     // A same-host peer connects via the local contact book. The credential must
@@ -1196,12 +1262,12 @@ application actor loads libraries
         abort "Too many concurrent introductions; try again shortly." when (_count seen_nonces|) >= seen_nonce_cap.
         seen_nonces (intro $nonce) -> now.
-        existing = contacts sender_id.
+        existing = a2a_messaging::contacts sender_id.
         if existing != NIL
         {
             // Already a contact (idempotent re-introduction): keep my assigned
             // name, refresh the stored address document, deliver any payload.
-            peer_ads sender_id -> joiner_ad.
+            a2a_messaging::peer_ads sender_id -> joiner_ad.
             if text != NIL
             {
                 mid = deposit_message sender_id (existing? $name) text? now.
@@ -1215,8 +1281,8 @@ application actor loads libraries
         if local_auto_accept
         {
-            contacts sender_id -> ($name -> joiner_name, $container_id -> sender_id).
-            peer_ads sender_id -> joiner_ad.
+            a2a_messaging::contacts sender_id -> ($name -> joiner_name, $container_id -> sender_id).
+            a2a_messaging::peer_ads sender_id -> joiner_ad.
             if text != NIL
             {
                 mid = deposit_message sender_id joiner_name text? now.
@@ -1267,8 +1333,8 @@ application actor loads libraries
         if cert_blob == NIL
         {
             // Sender claims to be my root.
-            abort "A certificate-less sibling introduction is only accepted from my root." when delegation_cert == NIL.
-            abort "Sender is not my root." when sender_id != (delegation_cert? $c $root_cid).
+            abort "A certificate-less sibling introduction is only accepted from my root." when a2a_messaging::delegation_cert == NIL.
+            abort "Sender is not my root." when sender_id != (a2a_messaging::delegation_cert? $c $root_cid).
             link -> ($root_cid -> sender_id, $root_name -> joiner_name, $role_id -> "").
         }
         else
@@ -1279,14 +1345,14 @@ application actor loads libraries
             abort "Sibling certificate does not match the sender's address document." when (cert $c $role_ad_hash) != (_value_id joiner_ad).
             root_name_known is str = "".
-            if delegation_cert != NIL
+            if a2a_messaging::delegation_cert != NIL
             {
                 // I am a role: the cert must name MY root and verify against the
                 // root key material pinned at delegation time.
-                abort "My root material is missing — cannot verify sibling certificates." when root_ad == NIL.
-                abort "Sibling certificate names a different root." when (cert $c $root_cid) != (delegation_cert? $c $root_cid).
-                abort "Sibling certificate was not signed by my root." when key_storage::check_signature_new_container (_value_id (cert $c)) (cert $s) (root_ad? $identity $key_list) != TRUE.
-                if root_profile != NIL { root_name_known -> root_profile? $p $name. }
+                abort "My root material is missing — cannot verify sibling certificates." when a2a_messaging::root_ad == NIL.
+                abort "Sibling certificate names a different root." when (cert $c $root_cid) != (a2a_messaging::delegation_cert? $c $root_cid).
+                abort "Sibling certificate was not signed by my root." when key_storage::check_signature_new_container (_value_id (cert $c)) (cert $s) (a2a_messaging::root_ad? $identity $key_list) != TRUE.
+                if a2a_messaging::root_profile != NIL { root_name_known -> a2a_messaging::root_profile? $p $name. }
             }
             else
             {
@@ -1295,18 +1361,18 @@ application actor loads libraries
                 abort "Sibling certificate names a different root." when (cert $c $root_cid) != _get_container_id().
                 my_ad = address_document::get_my_address_document().
                 abort "Sibling certificate was not signed by me." when key_storage::check_signature_new_container (_value_id (cert $c)) (cert $s) (my_ad $identity $key_list) != TRUE.
-                root_name_known -> my_name.
+                root_name_known -> a2a_messaging::my_name.
             }
             link -> ($root_cid -> cert $c $root_cid, $root_name -> root_name_known, $role_id -> cert $c $role_id).
         }
-        existing = contacts sender_id.
+        existing = a2a_messaging::contacts sender_id.
         if existing != NIL
         {
             // Already a contact (idempotent re-introduction): keep my assigned
             // name, refresh the stored material, deliver any payload.
-            peer_ads sender_id -> joiner_ad.
-            contact_roots sender_id -> link?.
+            a2a_messaging::peer_ads sender_id -> joiner_ad.
+            a2a_messaging::contact_roots sender_id -> link?.
             if text != NIL
             {
                 mid = deposit_message sender_id (existing? $name) text? now.
@@ -1318,9 +1384,9 @@ application actor loads libraries
             return transaction::success [ _save_state NIL ].
         }
-        contacts sender_id -> ($name -> joiner_name, $container_id -> sender_id).
-        peer_ads sender_id -> joiner_ad.
-        contact_roots sender_id -> link?.
+        a2a_messaging::contacts sender_id -> ($name -> joiner_name, $container_id -> sender_id).
+        a2a_messaging::peer_ads sender_id -> joiner_ad.
+        a2a_messaging::contact_roots sender_id -> link?.
         if text != NIL
         {
             mid = deposit_message sender_id joiner_name text? now.