@bitpub/cli 2.1.0 → 2.1.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bitpub/cli",
-  "version": "2.1.0",
+  "version": "2.1.2",
   "description": "BitPub CLI — local-first shared memory for AI agents. Six daily verbs (save/load/list/find/sync/delete), zero-config private namespace, encrypted client-side.",
   "bin": {
     "bitpub": "./bin/bitpub.js"

package/skills/bitpub/SKILL.md

@@ -241,6 +241,90 @@ valid pattern wherever a scope is accepted.
 
 ---
 
+## Publishing apps
+
+BitPub can render HTML apps directly in its browser (`bitpub browser`,
+served at `http://localhost:4141`). An "app" is just three slices saved
+at the same prefix — no CLI release, no plugin install, no extension API.
+Save the slices and the app appears in every member's BitPub Browser the
+moment their next `bitpub sync` lands.
+
+| Slice | What it is | Format |
+|---|---|---|
+| `<prefix>` | The app shell — rendered in a sandboxed iframe | `text/html` |
+| `<prefix>/manifest.json` | Declarative list of functions the app may call | `application/json` |
+| `<prefix>/<orchestrator>` | (Optional) script the app's functions execute | `text/plain` (or `text/x-python`, etc.) |
+
+Inside the iframe an app calls:
+
+```js
+window.bitpub.identity.me()                  // → { owner, domain, private_prefix }
+window.bitpub.namespace.list({ pattern })    // local SQLite read; no network, no LLM
+window.bitpub.run(functionId, args)          // dispatched through the manifest
+window.bitpub.navigate(hcu)                  // open another slice in the browser
+```
+
+`window.bitpub.run` does not execute arbitrary commands. It looks up
+`functionId` in the app's manifest and dispatches to one of two primitives
+the CLI bridge exposes:
+
+- **`script.run`** — `bitpub load <script_hcu>` to a temp file, then run
+  it with the named interpreter (`python3`, `node`, `bash`, `sh`). Reads
+  `env` and `cli_args` from the manifest, with values resolved from the
+  caller's `args`, the running user's `identity`, or literals.
+- **`os.open`** — `open` a URL or local path (Finder reveal, or
+  open-in-app).
+
+A minimal manifest:
+
+```json
+{
+  "id": "team.example",
+  "name": "Example",
+  "version": "0.1.0",
+  "functions": {
+    "ingest": {
+      "primitive": "script.run",
+      "params": {
+        "script_hcu": "bitpub://group:<domain>/Apps/example/orchestrator",
+        "runtime": "python3"
+      },
+      "env": {
+        "BITPUB_OWNER": { "from": "identity", "key": "owner" },
+        "TARGET":       { "from": "args",     "key": "target" }
+      }
+    },
+    "open_docs": {
+      "primitive": "os.open",
+      "params": { "url": "https://example.com/docs" }
+    }
+  }
+}
+```
+
+Two rules of thumb that keep apps portable across teammates:
+
+- **Read user identity at runtime** in both the orchestrator and the
+  manifest (via `{ "from": "identity", "key": "owner" }`). Never hardcode
+  an `agent_xxx` id — it breaks the moment a different teammate runs the
+  app.
+- **Split ingest from read.** Ingest (write to BitPub) is the slow,
+  credentialed step. Once data is local, every read should be a
+  deterministic `namespace.list` / `bitpub load` — no LLM, no API call.
+
+Before writing a new app, read the full publishing guide. It's hosted
+alongside this skill so it's always reachable from a fresh install:
+
+```bash
+curl -fsSL {{API_BASE_URL}}/publishing-apps.md
+```
+
+If the team has shipped its own copy at
+`bitpub://group:<domain>/Docs/how-to-publish-a-bitpub-app`, prefer that
+— it usually links to in-tree example apps you can fork from.
+
+---
+
 ## Writing scripts that use BitPub
 
 Scripts should read `owner` and `domain` from `~/.bitpub/config.json` at

package/src/commands/browser.js

@@ -110,106 +110,126 @@ const ASSET_MIME = {
 
 /* ── Bridge (apps → local CLI) ──────────────────────────────────────
  *
- * Sandboxed app iframes (default-src 'none', no allow-same-origin)
- * cannot fetch, but they CAN postMessage to the parent window. The
- * parent is the BitPub Browser shell; it forwards approved calls to
- * this CLI process, which spawns a child and streams stdout/stderr
- * back over Server-Sent Events.
+ * Sandboxed app iframes can postMessage to the parent BitPub Browser
+ * shell, which forwards approved calls to this CLI process. The CLI
+ * spawns a child and streams stdout/stderr back over SSE.
  *
- * Security floor for v1:
- *   - Only functions listed in FUNCTIONS are runnable. Apps cannot
- *     execute arbitrary shell.
- *   - Arguments are typed and validated per function — no string
- *     interpolation into the shell.
- *   - The HTTP server binds to localhost only (default port 4141),
- *     so the surface is the same trust boundary as the CLI itself:
- *     anyone with shell access already has more power than the bridge.
- *   - The next layer (permission grants per app + audit log) is a
- *     console.html responsibility, not the CLI's.
+ * SUBSTRATE PRIMITIVES (this file):
+ *   - script.run   load a slice as a script + run with an interpreter
+ *   - os.open      open a URL in the default browser, or a path locally
+ *   - identity.me  who is this BitPub install (separate /bridge/identity endpoint)
  *
- * Functions in v1 are hardcoded here. The end state — functions
- * resolved from slices, e.g. bitpub://group:tollbit.com/Functions/<id>
- * — needs the same permission UX and a small sandbox for the script,
- * so we ship the registry shape first and back-fill the resolver.
+ * APP-SPECIFIC FUNCTIONS (live in the namespace as manifest.json slices):
+ *   Apps declare their own named functions in a manifest sibling slice,
+ *   e.g. bitpub://group:tollbit.com/Apps/github/manifest.json. The
+ *   Browser shell (console.html) reads that manifest, resolves each
+ *   function call to a script.run or os.open invocation, and forwards
+ *   to the bridge. This means no CLI release is needed to publish a
+ *   new app — anyone in a group can save HTML + script + manifest and
+ *   ship it.
+ *
+ * Trust model: same as installing an npm package. Anything the script
+ * can do, the orchestrator can do — we don't sandbox the child process.
+ * The browser shell is responsible for the install consent UI; the CLI
+ * only enforces input shape on the primitives.
  */
 const FUNCTIONS = {
-  'granola.ingest': {
-    description: 'Pull new Granola meetings into your private namespace.',
-    build(args) {
-      const limit = clampInt(args && args.limit, 1, 200, 5);
-      const script =
-        'set -e; ' +
-        'bitpub load bitpub://group:tollbit.com/Agents/granola-ingest/script > "$T" && ' +
-        `python3 "$T" --limit ${limit}`;
-      return {
-        cmd: 'bash',
-        args: ['-lc', script],
-        env: { T: path.join(os.tmpdir(), `.bitpub-fn-granola-ingest.py`) },
-      };
-    },
-  },
 
-  // Orchestration script for sales_brief.generate lives as a slice at
-  // bitpub://private:.../Apps/sales-brief-generator/orchestrator so the
-  // logic can be iterated without restarting the CLI. The function below
-  // is the thin entry point that loads + runs it.
-  'sales_brief.generate': {
-    description: 'Synthesize a bespoke sales brief PDF from selected call transcripts.',
+  // ── Substrate primitive 1: load + run a script slice ───────
+  // Everything else (ingest scripts, generators, summarizers) is
+  // implementable on top of this. Args are deliberately flat so a
+  // declarative app manifest can construct them without a build step.
+  'script.run': {
+    description: 'Load a slice as a script and run it with the given interpreter.',
     build(args) {
       const a = args || {};
-      const transcriptHcus = Array.isArray(a.transcript_hcus) ? a.transcript_hcus.slice(0, 25) : [];
-      const template = String(a.template || 'discovery').slice(0, 32).replace(/[^a-z_]/gi, '');
-      const customer = String(a.customer || '').slice(0, 120);
-      const dealStage = String(a.deal_stage || '').slice(0, 80);
-      const extraNotes = String(a.extra_notes || '').slice(0, 2000);
-      const outputDir = path.join(os.homedir(), 'Downloads', 'Briefs');
-
-      if (transcriptHcus.length === 0) {
-        throw new Error('no transcripts selected');
+      const hcu = String(a.script_hcu || a.script || '').trim();
+      const runtime = String(a.runtime || 'python3').trim();
+      const env = (a.env && typeof a.env === 'object') ? a.env : {};
+      const cliArgs = Array.isArray(a.cli_args) ? a.cli_args : [];
+
+      // HCU must be a real bitpub:// address and free of shell metachars.
+      // (We re-embed it into the bash -lc string below, so be paranoid.)
+      if (!/^bitpub:\/\/(private|group|public):[A-Za-z0-9._-]+\/[A-Za-z0-9._\/\-]+$/.test(hcu)) {
+        throw new Error('invalid script_hcu');
       }
+      if (/[\s"'`$;&|<>\\]/.test(hcu)) throw new Error('script_hcu contains unsafe characters');
 
-      const payload = JSON.stringify({
-        transcript_hcus: transcriptHcus,
-        template,
-        customer,
-        deal_stage: dealStage,
-        extra_notes: extraNotes,
-        output_dir: outputDir,
-      });
-
-      const script =
-        'set -e; ' +
-        'bitpub load bitpub://private:agent_ewim9gf01nq3/Apps/sales-brief-generator/orchestrator > "$ORCH" && ' +
-        'python3 "$ORCH"';
-
-      return {
-        cmd: 'bash',
-        args: ['-lc', script],
-        env: {
-          ORCH: path.join(os.tmpdir(), '.bitpub-fn-sales-brief.py'),
-          BRIEF_PAYLOAD: payload,
-        },
-      };
-    },
-  },
+      const ALLOWED_RUNTIMES = ['python3', 'python', 'node', 'bash', 'sh'];
+      if (!ALLOWED_RUNTIMES.includes(runtime)) {
+        throw new Error(`runtime "${runtime}" not allowed (use one of ${ALLOWED_RUNTIMES.join(', ')})`);
+      }
 
-  'sales_brief.open': {
-    description: 'Open a generated PDF in the default viewer.',
-    build(args) {
-      const p = String((args && args.path) || '');
-      if (!p || !p.startsWith('/') || p.includes('"')) throw new Error('invalid path');
-      return { cmd: 'bash', args: ['-lc', `open "${p}"`] };
+      // Sanitize env: only POSIX-ish var names, stringify values.
+      const cleanEnv = {};
+      for (const [k, v] of Object.entries(env)) {
+        if (!/^[A-Z_][A-Z0-9_]{0,63}$/i.test(k)) continue;
+        if (v == null) continue;
+        cleanEnv[k] = (typeof v === 'string') ? v : JSON.stringify(v);
+      }
+
+      // Sanitize CLI args: stringify, reject anything with shell metachars.
+      const cleanCliArgs = [];
+      for (const x of cliArgs) {
+        const s = String(x);
+        if (s.length > 256) throw new Error('cli arg too long');
+        if (/[`$;&|<>\\\n]/.test(s)) throw new Error('cli arg contains unsafe characters');
+        cleanCliArgs.push(s);
+      }
+
+      // Unique temp file per invocation so two concurrent runs of the
+      // same script can't trample each other.
+      const tag = `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+      const T = path.join(os.tmpdir(), `.bitpub-script-${tag}`);
+      cleanEnv.T = T;
+
+      // Re-shell-quote CLI args by passing them as positional args to bash
+      // via the "_" sentinel, then "$@" preserves quoting.
+      const cliPart = cleanCliArgs.length
+        ? ' ' + cleanCliArgs.map(a => `"${a.replace(/"/g, '\\"')}"`).join(' ')
+        : '';
+      const script = `set -e; bitpub load "${hcu}" > "$T" && ${runtime} "$T"${cliPart}`;
+      return { cmd: 'bash', args: ['-lc', script], env: cleanEnv };
     },
   },
 
-  'sales_brief.reveal': {
-    description: 'Reveal a generated PDF in Finder.',
+  // ── Substrate primitive 2: open a URL or a local path ──────
+  // Wraps macOS `open` (the only OS-level capability apps reach for
+  // often enough to belong in the substrate). Manifests can declare
+  // url_pattern allowlists for extra hygiene — enforced at resolver
+  // time in the shell, not here.
+  'os.open': {
+    description: 'Open a URL in the default browser, or a path in Finder / a specific app.',
     build(args) {
-      const p = String((args && args.path) || '');
-      if (!p || !p.startsWith('/') || p.includes('"')) throw new Error('invalid path');
-      return { cmd: 'bash', args: ['-lc', `open -R "${p}"`] };
+      const a = args || {};
+      const url = a.url ? String(a.url) : null;
+      const filePath = a.path ? String(a.path) : null;
+      const reveal = !!a.reveal;
+      const inApp = a.in ? String(a.in) : null;
+
+      if (url) {
+        if (!/^https?:\/\//.test(url) || /["`$;&|<>\\]/.test(url)) throw new Error('invalid url');
+        return { cmd: 'bash', args: ['-lc', `open "${url}"`] };
+      }
+      if (filePath) {
+        if (!filePath.startsWith('/') || /["`$;&|<>\\]/.test(filePath)) throw new Error('invalid path');
+        let flag = '';
+        if (reveal) flag = '-R ';
+        else if (inApp) {
+          if (!/^[A-Za-z0-9. _-]{1,64}$/.test(inApp)) throw new Error('invalid app name');
+          flag = `-a "${inApp}" `;
+        }
+        return { cmd: 'bash', args: ['-lc', `open ${flag}"${filePath}"`] };
+      }
+      throw new Error('os.open needs either url or path');
     },
   },
+
+  // ───────────────────────────────────────────────────────────
+  // (Apps now declare their functions in manifest.json slices —
+  // see backend/static/console.html#resolveManifestFunction.)
+  // ───────────────────────────────────────────────────────────
+
 };
 
 function clampInt(value, lo, hi, dflt) {
@@ -415,6 +435,24 @@ function startBrowserServer(opts = {}) {
         return;
       }
 
+      // Bridge: who is this BitPub installation? Apps that ship via a
+      // group/public namespace can't hardcode an owner ID — they need to
+      // know "what is the current user's private prefix" at runtime so
+      // their namespace.list() / save() calls hit the right cache.
+      // Returns the minimum info needed: owner id, the domain (for
+      // display), and the canonical private namespace prefix.
+      if (url.pathname === '/bridge/identity') {
+        res.setHeader('Content-Type', 'application/json');
+        const owner = (cfg && cfg.owner) || null;
+        const domain = (cfg && cfg.domain) || null;
+        res.end(JSON.stringify({
+          owner,
+          domain,
+          private_prefix: owner ? `bitpub://private:${owner}` : null,
+        }));
+        return;
+      }
+
       // Bridge: list registered functions (for the permission UI to
       // describe what an app is about to run).
       if (url.pathname === '/bridge/functions') {

package/static/console.html

@@ -1613,8 +1613,18 @@ function renderBranch(scope, children, path) {
 
   let html = '';
 
-  // Aggregated direct-leaf entry for this level
-  if (directLeaves.length > 0) {
+  // Direct leaves: render by name when small enough to be useful as a
+  // package contents listing (e.g. an Apps/github folder showing its
+  // `orchestrator` child by name). Aggregate into a single "N context
+  // slices" summary above a threshold so very large folders (282
+  // transcripts, hundreds of PRs) don't blow up the tree.
+  const LEAF_NAME_THRESHOLD = 8;
+  if (directLeaves.length > 0 && directLeaves.length <= LEAF_NAME_THRESHOLD) {
+    const sorted = [...directLeaves].sort((a, b) => a.name.localeCompare(b.name));
+    for (const { name, slice } of sorted) {
+      html += renderLeaf(slice, name);
+    }
+  } else if (directLeaves.length > LEAF_NAME_THRESHOLD) {
     const mostRecent = directLeaves.reduce(
       (a, b) => ((a.slice.last_synced || '') > (b.slice.last_synced || '') ? a : b)
     );
@@ -1623,7 +1633,11 @@ function renderBranch(scope, children, path) {
     const pathArg = JSON.stringify(path).replace(/"/g, '&quot;');
     const isActiveSummary = S.view === 'namespace' && S.currentScope === scope && arrayEq(S.currentPath, path);
     const when = mostRecent.slice.last_synced ? timeAgo(mostRecent.slice.last_synced) : '';
-    html += `<div class="tree-leaf tree-summary${isActiveSummary ? ' active' : ''}" onclick="navigateTo('${escAttr(scope)}', ${pathArg})" title="View ${directLeaves.length} slice${directLeaves.length !== 1 ? 's' : ''} at this level">
+    // Aggregated summary goes to the namespace listing (not the self-slice).
+    // Calls navigateToNamespace to bypass the directory-index resolution in
+    // navigateTo() — clicking "47 PRs" should show the listing, not whatever
+    // happens to live at the parent address.
+    html += `<div class="tree-leaf tree-summary${isActiveSummary ? ' active' : ''}" onclick="navigateToNamespace('${escAttr(scope)}', ${pathArg})" title="View ${directLeaves.length} slice${directLeaves.length !== 1 ? 's' : ''} at this level">
       <span class="fresh-dot ${freshClass}"></span>
       <span class="tree-label">${directLeaves.length} context slice${directLeaves.length !== 1 ? 's' : ''}</span>
       <span class="tree-badge">${esc(when)}</span>
@@ -1934,6 +1948,24 @@ function goRoot() {
 }
 
 function navigateTo(scope, path) {
+  const segs = Array.isArray(path) ? path : [];
+  // Directory-index semantics: if a slice exists AT this folder address
+  // (e.g. an HTML app at `Apps/github` that also has `Apps/github/orchestrator`
+  // as a child), render the slice as the primary view — same as a
+  // browser serving /foo/index.html when you visit /foo/. Children stay
+  // reachable via the tree chevron and named-leaf entries underneath.
+  const selfHcu = `bitpub://${scope}` + (segs.length ? '/' + segs.join('/') : '');
+  const self = S.slices.find(s => s.hcu === selfHcu);
+  if (self) { selectSlice(selfHcu); return; }
+
+  navigateToNamespace(scope, segs);
+}
+
+// Explicit "show me the folder listing" navigation. Used by the
+// aggregated "N context slices" summary in the tree, and anywhere
+// else we want to skip the directory-index check (e.g. "see all in
+// this namespace" links).
+function navigateToNamespace(scope, path) {
   S.view = 'namespace';
   S.currentScope = scope;
   S.currentPath = Array.isArray(path) ? path : [];
@@ -2458,7 +2490,7 @@ function renderSlice(sl) {
   if (S.raw) {
     html += `<pre class="content-raw">${esc(content)}</pre>`;
   } else if (canRenderAsApp) {
-    html += renderHtmlAppFrame(content);
+    html += renderHtmlAppFrame(content, sl.hcu);
   } else if (kind === 'html') {
     html += `<div class="app-public-note">${ICON.info}
       <div>HTML apps from <code>public:</code> addresses are shown as source until the public sandbox model lands. Apps in <code>private:</code> and <code>group:</code> scopes render inline.</div>
@@ -2523,14 +2555,21 @@ function detectContentKind(sl, content) {
  *   - The iframe never reaches the network itself — only the parent
  *     does. CSP can stay locked down (default-src 'none').
  */
-function renderHtmlAppFrame(html) {
+function renderHtmlAppFrame(html, appHcu) {
   const csp = `<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; img-src data: blob:; font-src data:; base-uri 'none'; form-action 'none'">`;
   const baseTag = `<base target="_blank">`;
+  // Inject the app's own HCU into the iframe so the bridge shim can tag
+  // every postMessage. The parent uses this to look up the calling app's
+  // manifest and resolve short-named functions to script.run / os.open
+  // invocations. (Apps could lie about this in v1 — we trust app code
+  // the same way you trust an npm package.)
+  const safeHcu = String(appHcu || '').replace(/['"\\]/g, '');
+  const hcuConst = `<\x73cript>window.__BITPUB_APP_HCU__='${safeHcu}';<\/script>`;
   // The shim tag uses \x73 + escaped slash so the closing pattern can't
   // be detected by the outer HTML parser. The escapes are transparent to
   // the JS parser but defeat the HTML scanner's greedy script-end match.
   const shim = `<\x73cript>${BRIDGE_SHIM_SOURCE}<\/script>`;
-  const headInject = `${csp}${baseTag}${shim}`;
+  const headInject = `${csp}${baseTag}${hcuConst}${shim}`;
 
   let doc;
   if (/<head[\s>]/i.test(html)) {
@@ -2595,6 +2634,16 @@ const BRIDGE_SHIM_SOURCE = String.raw`
       readHandlers.delete(d.requestId);
       if (d.ok) rh.resolve({ slices: d.slices || [], count: d.count || 0, pattern: d.pattern || '' });
       else rh.reject(new Error(d.error || 'namespace read failed'));
+    } else if (d.type === 'bitpub.identity.result') {
+      var ih = readHandlers.get(d.requestId);
+      if (!ih) return;
+      readHandlers.delete(d.requestId);
+      if (d.ok) ih.resolve({
+        owner: d.owner,
+        domain: d.domain,
+        private_prefix: d.private_prefix,
+      });
+      else ih.reject(new Error(d.error || 'identity lookup failed'));
     }
   });
   window.bitpub = {
@@ -2606,6 +2655,7 @@ const BRIDGE_SHIM_SOURCE = String.raw`
         type: 'bitpub.run',
         requestId: requestId,
         functionId: String(functionId),
+        appHcu: window.__BITPUB_APP_HCU__ || '',
         args: args || {}
       }, '*');
       return requestId;
@@ -2638,6 +2688,43 @@ const BRIDGE_SHIM_SOURCE = String.raw`
           }, 10000);
         });
       }
+    },
+    navigate: function (hcu) {
+      // Hand off to another slice in the parent BitPub Browser
+      // (e.g. discovery page → installed app). HCU must be a
+      // bitpub:// address; everything else is dropped silently.
+      window.parent.postMessage({
+        __bitpub: true,
+        type: 'bitpub.navigate',
+        hcu: String(hcu || ''),
+      }, '*');
+    },
+    identity: {
+      // me() -> Promise<{ owner, domain, private_prefix }>
+      //   owner          e.g. "agent_ewim9gf01nq3"
+      //   domain         e.g. "tollbit.com"
+      //   private_prefix e.g. "bitpub://private:agent_ewim9gf01nq3"
+      //
+      // Lets apps that are distributed via a group/public namespace
+      // construct addresses that point at the *running user's* private
+      // data without hardcoding an owner ID. Use this if your app ships
+      // to other people.
+      me: function () {
+        return new Promise(function (resolve, reject) {
+          var requestId = ++nextId;
+          readHandlers.set(requestId, { resolve: resolve, reject: reject });
+          window.parent.postMessage({
+            __bitpub: true,
+            type: 'bitpub.identity.me',
+            requestId: requestId,
+          }, '*');
+          setTimeout(function () {
+            if (!readHandlers.has(requestId)) return;
+            readHandlers.delete(requestId);
+            reject(new Error('identity.me timed out'));
+          }, 5000);
+        });
+      }
     }
   };
 })();
@@ -2705,13 +2792,151 @@ function bridgeForward(source, requestId, event, payload) {
   } catch (_) { /* iframe gone */ }
 }
 
-function handleBridgeRunMessage(source, msg) {
-  const { requestId, functionId, args } = msg;
+/* ── Manifest-driven app function dispatch ─────────────────────────
+ *
+ * Apps declare their callable functions in a sibling slice named
+ * `manifest.json`. The parent browser shell (this file) reads that
+ * manifest the first time the app calls bitpub.run(), then resolves
+ * every subsequent call to a CLI substrate primitive — without the
+ * CLI needing to know anything about the app.
+ *
+ * Manifest shape:
+ *   {
+ *     "id": "tollbit.github",
+ *     "name": "GitHub Pack",
+ *     "version": "0.1.0",
+ *     "functions": {
+ *       "ingest": {
+ *         "primitive": "script.run",
+ *         "params": {
+ *           "script_hcu": "bitpub://group:tollbit.com/Apps/github/orchestrator",
+ *           "runtime": "python3"
+ *         },
+ *         "env": {
+ *           "BITPUB_GH_ACTION": "ingest",
+ *           "BITPUB_GH_RECIPES": { "from": "args", "key": "recipes", "join": "," },
+ *           "BITPUB_OWNER":      { "from": "identity", "key": "owner" }
+ *         }
+ *       }
+ *     }
+ *   }
+ *
+ * Field values can be:
+ *   - a literal string                                 → used as-is
+ *   - { from: "args",     key: "...", join?: "," }     → arg-derived
+ *   - { from: "identity", key: "..." }                 → from identity.me()
+ */
+
+const MANIFEST_CACHE = new Map();   // appHcu → Promise<manifest|null>
+const PRIMITIVE_IDS = new Set(['script.run', 'os.open']);
+
+async function loadAppManifest(appHcu) {
+  if (!appHcu) return null;
+  if (MANIFEST_CACHE.has(appHcu)) return MANIFEST_CACHE.get(appHcu);
+  const p = (async () => {
+    const manifestHcu = appHcu + '/manifest.json';
+    try {
+      const u = new URL('/bridge/namespace/list', location.origin);
+      u.searchParams.set('pattern', manifestHcu);
+      u.searchParams.set('fields', 'full');
+      u.searchParams.set('limit', '1');
+      const r = await fetch(u.toString());
+      const body = await r.json();
+      const slice = (body.slices || [])[0];
+      if (!slice || !slice.content) return null;
+      return JSON.parse(slice.content);
+    } catch (_) {
+      return null;
+    }
+  })();
+  MANIFEST_CACHE.set(appHcu, p);
+  return p;
+}
+
+let CACHED_IDENTITY = null;
+async function getIdentityCached() {
+  if (CACHED_IDENTITY) return CACHED_IDENTITY;
+  try {
+    const r = await fetch('/bridge/identity');
+    CACHED_IDENTITY = await r.json();
+  } catch (_) {
+    CACHED_IDENTITY = {};
+  }
+  return CACHED_IDENTITY;
+}
+
+function resolveManifestValue(v, ctx) {
+  if (v == null) return null;
+  // Arrays: resolve each element (used for cli_args).
+  if (Array.isArray(v)) return v.map(x => resolveManifestValue(x, ctx)).filter(x => x != null);
+  if (typeof v !== 'object') return v;                // literal string / number
+  const src = v.from === 'args' ? ctx.args : v.from === 'identity' ? ctx.identity : null;
+  if (!src) return null;
+  // Whole-object reference: { from: "args" } with no key → the entire
+  // object. Useful for shipping all caller args as one JSON env var
+  // (e.g. BRIEF_PAYLOAD). The env serializer downstream auto-stringifies
+  // non-string values, so this Just Works.
+  if (!v.key) return src;
+  let val = src[v.key];
+  if (val == null) return v.default != null ? v.default : null;
+  if (v.join && Array.isArray(val)) val = val.join(v.join);
+  return val;
+}
+
+function resolveManifestFunction(manifest, funcName, args, identity) {
+  if (!manifest || !manifest.functions) throw new Error('app has no manifest');
+  const decl = manifest.functions[funcName];
+  if (!decl) throw new Error(`function "${funcName}" not declared in app manifest`);
+  if (!PRIMITIVE_IDS.has(decl.primitive)) throw new Error(`unknown primitive "${decl.primitive}"`);
+
+  const ctx = { args: args || {}, identity: identity || {} };
+  const params = {};
+  for (const [k, v] of Object.entries(decl.params || {})) {
+    const resolved = resolveManifestValue(v, ctx);
+    if (resolved != null) params[k] = resolved;
+  }
+  if (decl.primitive === 'script.run' && decl.env) {
+    params.env = params.env || {};
+    for (const [k, v] of Object.entries(decl.env)) {
+      const resolved = resolveManifestValue(v, ctx);
+      if (resolved != null) params.env[k] = resolved;
+    }
+  }
+  return { functionId: decl.primitive, args: params };
+}
+
+async function handleBridgeRunMessage(source, msg) {
+  const { requestId, functionId, args, appHcu } = msg;
   if (typeof requestId !== 'number' || !functionId) return;
 
+  // Three paths:
+  //   1. Calling a primitive directly       → passthrough (power users + manifests)
+  //   2. Calling a manifest-declared name   → resolve, then call primitive
+  //   3. Calling a legacy hardcoded name    → passthrough (deprecation path)
+  let resolvedFunctionId = String(functionId);
+  let resolvedArgs = args || {};
+
+  if (!PRIMITIVE_IDS.has(resolvedFunctionId)) {
+    const manifest = await loadAppManifest(appHcu);
+    if (manifest && manifest.functions && manifest.functions[resolvedFunctionId]) {
+      try {
+        const identity = await getIdentityCached();
+        const resolved = resolveManifestFunction(manifest, resolvedFunctionId, resolvedArgs, identity);
+        resolvedFunctionId = resolved.functionId;
+        resolvedArgs = resolved.args;
+      } catch (err) {
+        bridgeForward(source, requestId, 'error', { message: 'manifest resolve: ' + err.message });
+        bridgeForward(source, requestId, 'exit',  { code: 2 });
+        return;
+      }
+    }
+    // else: fall through to legacy CLI passthrough (no manifest, name might
+    // still resolve in the CLI's hardcoded FUNCTIONS list).
+  }
+
   const qs = new URLSearchParams({
-    functionId: String(functionId),
-    args: JSON.stringify(args || {}),
+    functionId: resolvedFunctionId,
+    args: JSON.stringify(resolvedArgs),
   });
 
   let es;
@@ -2723,7 +2948,7 @@ function handleBridgeRunMessage(source, msg) {
     return;
   }
 
-  BRIDGE_RUNS.set(requestId, { es, source, functionId });
+  BRIDGE_RUNS.set(requestId, { es, source, functionId: resolvedFunctionId });
   BRIDGE_RUN_COUNT++;
   updateBridgeBadge();
 
@@ -2794,11 +3019,46 @@ async function handleBridgeNamespaceListMessage(source, msg) {
   }
 }
 
+async function handleBridgeIdentityMessage(source, msg) {
+  const { requestId } = msg;
+  if (typeof requestId !== 'number') return;
+  const reply = (extra) => {
+    try {
+      source.postMessage({
+        __bitpub: true,
+        type: 'bitpub.identity.result',
+        requestId,
+        ...extra,
+      }, '*');
+    } catch (_) { /* iframe gone */ }
+  };
+  try {
+    const r = await fetch('/bridge/identity');
+    const body = await r.json();
+    if (!r.ok) { reply({ ok: false, error: `http ${r.status}` }); return; }
+    reply({ ok: true, owner: body.owner, domain: body.domain, private_prefix: body.private_prefix });
+  } catch (err) {
+    reply({ ok: false, error: err && err.message || 'fetch failed' });
+  }
+}
+
+function handleBridgeNavigateMessage(_source, msg) {
+  // Apps can hand off to another slice in the running user's Browser.
+  // We only allow bitpub:// addresses (no http:, no javascript:), and
+  // we route through submitAddress() which already does all the
+  // existing scope/path parsing.
+  const hcu = String((msg && msg.hcu) || '').trim();
+  if (!/^bitpub:\/\/[^\s]+$/.test(hcu)) return;
+  try { submitAddress(hcu); } catch (_) { /* ignore */ }
+}
+
 window.addEventListener('message', (e) => {
   const d = e.data;
   if (!d || typeof d !== 'object' || d.__bitpub !== true) return;
   if (d.type === 'bitpub.run') handleBridgeRunMessage(e.source, d);
   else if (d.type === 'bitpub.namespace.list') handleBridgeNamespaceListMessage(e.source, d);
+  else if (d.type === 'bitpub.identity.me') handleBridgeIdentityMessage(e.source, d);
+  else if (d.type === 'bitpub.navigate' || d.type === 'navigate') handleBridgeNavigateMessage(e.source, d);
 });
 
 function renderWriteGuide(sl) {