@cotal-ai/connector-claude-code 0.3.2 → 0.5.0

package/README.md

@@ -0,0 +1,11 @@
+# @cotal-ai/connector-claude-code
+
+The Claude Code adapter: a bundled, installed plugin plus `claude/channel` push that turns a
+real `claude` session into a Cotal mesh peer. A thin client over
+[`@cotal-ai/connector-core`](../connector-core).
+
+**Tier:** `extensions/`. Peer-depends [`@cotal-ai/core`](../../packages/core); self-registers on
+import.
+
+See [docs/claude-code-integration.md](../../docs/claude-code-integration.md) for the full
+integration, and the [root AGENTS.md](../../AGENTS.md) for the tier rules.

package/dist/extension.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"extension.d.ts","sourceRoot":"","sources":["../src/extension.ts"],"names":[],"mappings":"AAEA,OAAO,EAA2B,KAAK,SAAS,EAAoC,MAAM,gBAAgB,CAAC;AAmB3G;;;;;GAKG;AACH,eAAO,MAAM,eAAe,EAAE,SA8D7B,CAAC"}
+{"version":3,"file":"extension.d.ts","sourceRoot":"","sources":["../src/extension.ts"],"names":[],"mappings":"AAIA,OAAO,EAA2B,KAAK,SAAS,EAAoC,MAAM,gBAAgB,CAAC;AAoB3G;;;;;GAKG;AACH,eAAO,MAAM,eAAe,EAAE,SA2F7B,CAAC"}

package/dist/extension.js

@@ -1,6 +1,9 @@
-import { resolve } from "node:path";
+import { mkdtempSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 import { loadAgentFile, registry } from "@cotal-ai/core";
+import { launchEnv, mcpServerEnvKeys } from "@cotal-ai/connector-core";
 /** Name the cotal MCP server is registered under via --mcp-config (see buildLaunch). */
 const MCP_SERVER_NAME = "cotal";
 /** Channel ref for `--dangerously-load-development-channels`, which turns on the cotal MCP server's
@@ -27,16 +30,25 @@ export const claudeConnector = {
     name: "claude",
     pluginRoot: PLUGIN_ROOT,
     buildLaunch(opts) {
+        // Operator MCP servers shared with this agent (default none — see the --mcp-config block).
+        const shared = opts.mcpServers ?? {};
+        // claude auths via macOS Keychain / an OAuth token, not an env key → forward NO provider key.
+        // The OS allow-list (PATH/HOME/TERM/…) is the only thing inherited from the manager env, plus
+        // — only when a shared server declares them via `${VAR}` — the named secrets it needs (mcpKeys,
+        // by name). The operator's unrelated secrets don't reach the child (P3).
         const env = {
+            ...launchEnv({ mcpKeys: mcpServerEnvKeys(shared) }),
             COTAL_SPACE: opts.space,
             COTAL_NAME: opts.name,
             // Force the connector to emit channel wake-nudges: Claude doesn't advertise the
             // `claude/channel` capability back over MCP, so auto-detection would see it "off".
             COTAL_CHANNEL: "1",
-            // Managed sessions mirror their own transcript to `tr-<name>` so peers can read
-            // what the agent actually did. Personal sessions (no buildLaunch) never mirror.
-            COTAL_TRANSCRIPT: "1",
         };
+        // A session can mirror its own transcript to `tr-<name>` so peers can read what the
+        // agent actually did — OFF by default (transcripts are verbose and may carry sensitive
+        // content); `--transcript` (opts.transcript === true) opts in. Personal sessions never mirror.
+        if (opts.transcript === true)
+            env.COTAL_TRANSCRIPT = "1";
         if (opts.role)
             env.COTAL_ROLE = opts.role;
         if (opts.id)
@@ -54,13 +66,39 @@ export const claudeConnector = {
         // can look something up under `npx` (no repo on disk) without prompting the operator
         // mid-demo. Additive under the default permission mode — leaves other tools as-is.
         args.push("--allowedTools", "WebFetch(domain:github.com),WebFetch(domain:raw.githubusercontent.com)");
-        // Isolate the spawned session's MCP to ONLY the cotal server. --strict-mcp-config drops every
-        // other MCP source — including the operator's personal ~/.claude.json servers (e.g. a headless
-        // Chromium, a DB server) that a meshed teammate never needs and that, multiplied across several
-        // spawns on a busy machine, starve memory and kill the session before it registers presence —
-        // and --mcp-config re-supplies cotal so its tools + presence still load. The plugin itself stays
-        // enabled (its hooks + the dev-channels wake path are unaffected; only MCP config is scoped).
-        args.push("--strict-mcp-config", "--mcp-config", JSON.stringify({ mcpServers: { [MCP_SERVER_NAME]: { command: "node", args: [MCP_CJS] } } }));
+        // Isolate the spawned session's MCP. --strict-mcp-config drops every ambient MCP source —
+        // including the operator's personal ~/.claude.json servers (e.g. a headless Chromium, a DB
+        // server) that a meshed teammate never needs and that, multiplied across several spawns on a
+        // busy machine, starve memory and kill the session before it registers presence — so the ONLY
+        // servers that load are the ones we name in --mcp-config: cotal (always, for its tools +
+        // presence) plus any the operator explicitly opted to share (`shared`, from the cotal config).
+        // The plugin itself stays enabled (its hooks + the dev-channels wake path are unaffected).
+        // cotal is spread LAST so a shared server can never shadow the mesh server by reusing its name.
+        const mcpServers = { ...shared, [MCP_SERVER_NAME]: { command: "node", args: [MCP_CJS] } };
+        // Default (no shared servers): pass the config inline, unchanged. With shared servers, write it
+        // to a file instead and pass the path. Either way the secret stays a `${VAR}` reference (Claude
+        // expands it from the child env at launch — see the mcpKeys forwarding above), never the resolved
+        // value, so nothing secret reaches disk or argv. We prefer the file when sharing because env
+        // expansion is only *documented* for --mcp-config files (inline expansion does work today, but
+        // isn't contracted), and a file keeps a potentially multi-server config off the process argv.
+        // Verified end-to-end on claude 2.1.183: ${VAR} expands in the --mcp-config file and the value
+        // is handed to the shared server. This is host-version behavior — if a future claude stops
+        // expanding here, a shared server would receive a literal `${VAR}`; re-check on host upgrades.
+        let mcpConfig;
+        if (Object.keys(shared).length === 0) {
+            mcpConfig = JSON.stringify({ mcpServers });
+        }
+        else {
+            // A private 0700 temp dir (unique per spawn) holds the 0600 config. mkdtemp can't be raced
+            // by a pre-created or symlinked path the way a predictable name in the world-writable tmpdir
+            // could, and a fresh file guarantees the 0600 mode applies on creation (mode is ignored on an
+            // overwrite). Left for the OS to reap: the file must outlive this call (Claude reads it at
+            // startup and on /mcp reconnect), and buildLaunch doesn't own the child's lifecycle.
+            const dir = mkdtempSync(join(tmpdir(), "cotal-mcp-"));
+            mcpConfig = join(dir, "mcp.json");
+            writeFileSync(mcpConfig, JSON.stringify({ mcpServers }, null, 2), { mode: 0o600 });
+        }
+        args.push("--strict-mcp-config", "--mcp-config", mcpConfig);
         // An agent file carries identity (read in-session via COTAL_AGENT_FILE) plus
         // persona + model, which can only be applied to a `claude` session at launch.
         if (opts.configPath) {

package/dist/extension.js.map

@@ -1 +1 @@
-{"version":3,"file":"extension.js","sourceRoot":"","sources":["../src/extension.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAoD,MAAM,gBAAgB,CAAC;AAE3G,wFAAwF;AACxF,MAAM,eAAe,GAAG,OAAO,CAAC;AAChC;;;;;+EAK+E;AAC/E,MAAM,WAAW,GAAG,UAAU,eAAe,EAAE,CAAC;AAEhD;qEACqE;AACrE,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAClE;0DAC0D;AAC1D,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;AAExD;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAc;IACxC,IAAI,EAAE,WAAW;IACjB,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE,WAAW;IACvB,WAAW,CAAC,IAAgB;QAC1B,MAAM,GAAG,GAA2B;YAClC,WAAW,EAAE,IAAI,CAAC,KAAK;YACvB,UAAU,EAAE,IAAI,CAAC,IAAI;YACrB,gFAAgF;YAChF,mFAAmF;YACnF,aAAa,EAAE,GAAG;YAClB,gFAAgF;YAChF,gFAAgF;YAChF,gBAAgB,EAAE,GAAG;SACtB,CAAC;QACF,IAAI,IAAI,CAAC,IAAI;YAAE,GAAG,CAAC,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC;QAC1C,IAAI,IAAI,CAAC,EAAE;YAAE,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,EAAE,CAAC;QACpC,IAAI,IAAI,CAAC,KAAK;YAAE,GAAG,CAAC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC;QAC7C,IAAI,IAAI,CAAC,OAAO;YAAE,GAAG,CAAC,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC;QAEnD,4EAA4E;QAC5E,mEAAmE;QACnE,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM;YACtB,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,yCAAyC,EAAE,WAAW,CAAC;YACvE,CAAC,CAAC,CAAC,yCAAyC,EAAE,WAAW,CAAC,CAAC;QAE7D,kFAAkF;QAClF,qFAAqF;QACrF,mFAAmF;QACnF,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,wEAAwE,CAAC,CAAC;QAEtG,8FAA8F;QAC9F,+FAA+F;QAC/F,gGAAgG;QAChG,8FAA8F;QAC9F,iGAAiG;QACjG,8FAA8F;QAC9F,IAAI,CAAC,IAAI,CACP,qBAAqB,EACrB,cAAc,EACd,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,EAAE,CAAC,eAAe,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,CAAC,CAC5F,CAAC;QAEF,6EAA6E;QAC7E,8EAA8E;QAC9E,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACtC,GAAG,CAAC,gBAAgB,GAAG,IAAI,CAAC;YAC5B,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;YAChC,IAAI,GAAG,CAAC,OAAO;gBAAE,IAAI,CAAC,IAAI,CAAC,wBAAwB,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAClE,IAAI,GAAG,CAAC,KAAK;gBAAE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;QACjD,CAAC;QAED,OAAO;YACL,OAAO,EAAE,QAAQ;YACjB,IAAI;YACJ,GAAG;YACH,wEAAwE;YACxE,yEAAyE;YACzE,OAAO,EAAE,kBAAkB;SAC5B,CAAC;IACJ,CAAC;CACF,CAAC;AAEF,QAAQ,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC"}
+{"version":3,"file":"extension.js","sourceRoot":"","sources":["../src/extension.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAoD,MAAM,gBAAgB,CAAC;AAC3G,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAEvE,wFAAwF;AACxF,MAAM,eAAe,GAAG,OAAO,CAAC;AAChC;;;;;+EAK+E;AAC/E,MAAM,WAAW,GAAG,UAAU,eAAe,EAAE,CAAC;AAEhD;qEACqE;AACrE,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAClE;0DAC0D;AAC1D,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;AAExD;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAc;IACxC,IAAI,EAAE,WAAW;IACjB,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE,WAAW;IACvB,WAAW,CAAC,IAAgB;QAC1B,2FAA2F;QAC3F,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC;QACrC,8FAA8F;QAC9F,8FAA8F;QAC9F,gGAAgG;QAChG,yEAAyE;QACzE,MAAM,GAAG,GAA2B;YAClC,GAAG,SAAS,CAAC,EAAE,OAAO,EAAE,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC;YACnD,WAAW,EAAE,IAAI,CAAC,KAAK;YACvB,UAAU,EAAE,IAAI,CAAC,IAAI;YACrB,gFAAgF;YAChF,mFAAmF;YACnF,aAAa,EAAE,GAAG;SACnB,CAAC;QACF,oFAAoF;QACpF,uFAAuF;QACvF,+FAA+F;QAC/F,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI;YAAE,GAAG,CAAC,gBAAgB,GAAG,GAAG,CAAC;QACzD,IAAI,IAAI,CAAC,IAAI;YAAE,GAAG,CAAC,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC;QAC1C,IAAI,IAAI,CAAC,EAAE;YAAE,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,EAAE,CAAC;QACpC,IAAI,IAAI,CAAC,KAAK;YAAE,GAAG,CAAC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC;QAC7C,IAAI,IAAI,CAAC,OAAO;YAAE,GAAG,CAAC,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC;QAEnD,4EAA4E;QAC5E,mEAAmE;QACnE,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM;YACtB,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,yCAAyC,EAAE,WAAW,CAAC;YACvE,CAAC,CAAC,CAAC,yCAAyC,EAAE,WAAW,CAAC,CAAC;QAE7D,kFAAkF;QAClF,qFAAqF;QACrF,mFAAmF;QACnF,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,wEAAwE,CAAC,CAAC;QAEtG,0FAA0F;QAC1F,2FAA2F;QAC3F,6FAA6F;QAC7F,8FAA8F;QAC9F,yFAAyF;QACzF,+FAA+F;QAC/F,2FAA2F;QAC3F,gGAAgG;QAChG,MAAM,UAAU,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC,eAAe,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;QAC1F,gGAAgG;QAChG,gGAAgG;QAChG,kGAAkG;QAClG,6FAA6F;QAC7F,+FAA+F;QAC/F,8FAA8F;QAC9F,+FAA+F;QAC/F,2FAA2F;QAC3F,+FAA+F;QAC/F,IAAI,SAAiB,CAAC;QACtB,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC;QAC7C,CAAC;aAAM,CAAC;YACN,2FAA2F;YAC3F,6FAA6F;YAC7F,8FAA8F;YAC9F,2FAA2F;YAC3F,qFAAqF;YACrF,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,YAAY,CAAC,CAAC,CAAC;YACtD,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;YAClC,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACrF,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,qBAAqB,EAAE,cAAc,EAAE,SAAS,CAAC,CAAC;QAE5D,6EAA6E;QAC7E,8EAA8E;QAC9E,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACtC,GAAG,CAAC,gBAAgB,GAAG,IAAI,CAAC;YAC5B,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;YAChC,IAAI,GAAG,CAAC,OAAO;gBAAE,IAAI,CAAC,IAAI,CAAC,wBAAwB,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAClE,IAAI,GAAG,CAAC,KAAK;gBAAE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;QACjD,CAAC;QAED,OAAO;YACL,OAAO,EAAE,QAAQ;YACjB,IAAI;YACJ,GAAG;YACH,wEAAwE;YACxE,yEAAyE;YACzE,OAAO,EAAE,kBAAkB;SAC5B,CAAC;IACJ,CAAC;CACF,CAAC;AAEF,QAAQ,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC"}

package/dist/hook.cjs

@@ -3504,16 +3504,16 @@ var require_errors = __commonJS({
       }
     };
     exports2.ProtocolError = ProtocolError;
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
       constructor(message = "", options) {
         super(message, options);
         this.name = "RequestError";
       }
       isNoResponders() {
-        return this.cause instanceof NoRespondersError;
+        return this.cause instanceof NoRespondersError2;
       }
     };
-    exports2.RequestError = RequestError;
+    exports2.RequestError = RequestError2;
     var TimeoutError = class extends Error {
       constructor(options) {
         super("timeout", options);
@@ -3521,7 +3521,7 @@ var require_errors = __commonJS({
       }
     };
     exports2.TimeoutError = TimeoutError;
-    var NoRespondersError = class extends Error {
+    var NoRespondersError2 = class extends Error {
       subject;
       constructor(subject, options) {
         super(`no responders: '${subject}'`, options);
@@ -3529,7 +3529,7 @@ var require_errors = __commonJS({
         this.name = "NoResponders";
       }
     };
-    exports2.NoRespondersError = NoRespondersError;
+    exports2.NoRespondersError = NoRespondersError2;
     var PermissionViolationError2 = class _PermissionViolationError extends Error {
       operation;
       subject;
@@ -3572,10 +3572,10 @@ var require_errors = __commonJS({
       InvalidArgumentError,
       InvalidOperationError,
       InvalidSubjectError,
-      NoRespondersError,
+      NoRespondersError: NoRespondersError2,
       PermissionViolationError: PermissionViolationError2,
       ProtocolError,
-      RequestError,
+      RequestError: RequestError2,
       TimeoutError,
       UserAuthenticationExpiredError: UserAuthenticationExpiredError2
     };
@@ -13797,7 +13797,7 @@ var require_kv = __commonJS({
         throw new Error(`invalid bucket name: ${name}`);
       }
     }
-    var Kvm5 = class {
+    var Kvm6 = class {
       js;
       /**
        * Creates an instance of the Kv that allows you to create and access KV stores.
@@ -13863,7 +13863,7 @@ var require_kv = __commonJS({
         return new internal_2.ListerImpl(subj, filter, this.js);
       }
     };
-    exports2.Kvm = Kvm5;
+    exports2.Kvm = Kvm6;
     var Bucket = class _Bucket {
       js;
       jsm;
@@ -14708,6 +14708,56 @@ var require_mod6 = __commonJS({
 var import_node_os = require("node:os");
 var import_node_fs2 = require("node:fs");
 
+// ../../packages/core/dist/subjects.js
+function isConcreteChannel(channel) {
+  return !channel.split(".").some((s) => s.trim() === "*" || s.trim() === ">");
+}
+function subjectMatches(pattern, subject) {
+  const p = pattern.split(".");
+  const s = subject.split(".");
+  for (let i = 0; i < p.length; i++) {
+    if (p[i] === ">")
+      return i < s.length;
+    if (i >= s.length)
+      return false;
+    if (p[i] === "*")
+      continue;
+    if (p[i] !== s[i])
+      return false;
+  }
+  return p.length === s.length;
+}
+function assertValidChannel(channel) {
+  const segs = channel.split(".");
+  if (!channel.length || segs.some((s) => s.length === 0))
+    throw new Error(`invalid channel "${channel}": empty segment (no leading/trailing/double dots)`);
+  segs.forEach((s, i) => {
+    if (s === ">") {
+      if (i !== segs.length - 1)
+        throw new Error(`invalid channel "${channel}": '>' is only valid as the last segment`);
+      return;
+    }
+    if (s === "*")
+      return;
+    if (!/^[A-Za-z0-9_-]+$/.test(s))
+      throw new Error(`invalid channel "${channel}": segment "${s}" must be a NATS-safe token ([A-Za-z0-9_-]), '*', or '>' \u2014 policy channel names can't contain characters the wire layer would rewrite`);
+  });
+  return channel;
+}
+function channelInAllow(allow, channel) {
+  return allow.some((a) => subjectMatches(a, channel));
+}
+
+// ../../packages/core/dist/resolve.js
+function assertValidName(name) {
+  if (name.length === 0 || name !== name.trim())
+    throw new Error(`invalid name ${JSON.stringify(name)}: must be non-empty with no surrounding whitespace`);
+  if (/[\r\n]/.test(name))
+    throw new Error(`invalid name ${JSON.stringify(name)}: must be a single line`);
+  if (name.includes("/"))
+    throw new Error(`invalid name ${JSON.stringify(name)}: "/" is reserved (the owner/name separator)`);
+}
+
 // ../../packages/core/dist/link.js
 function parseJoinLink(link) {
   const tls = link.startsWith("cotals://");
@@ -16364,11 +16414,15 @@ var SYS_LIMITS = { ...BASE_LIMITS, mem_storage: 0, disk_storage: 0 };
 var import_jetstream = __toESM(require_mod4(), 1);
 var import_transport_node = __toESM(require_transport_node(), 1);
 var import_kv = __toESM(require_mod6(), 1);
+var PLANE3_DEDUP_WINDOW_MS = 2 * 60 * 60 * 1e3;
 
 // ../../packages/core/dist/channels.js
 var import_kv2 = __toESM(require_mod6(), 1);
 var import_transport_node2 = __toESM(require_transport_node(), 1);
 
+// ../../packages/core/dist/members.js
+var import_kv3 = __toESM(require_mod6(), 1);
+
 // ../../packages/core/dist/agent-file.js
 var import_node_fs = require("node:fs");
 function unquote(v) {
@@ -16419,10 +16473,45 @@ function loadAgentFile(path) {
   const name = str("name");
   if (!name)
     throw new Error(`agent file ${path}: "name" is required`);
+  assertValidName(name);
   const kind = str("kind");
   if (kind && kind !== "agent" && kind !== "endpoint")
     throw new Error(`agent file ${path}: "kind" must be "agent" or "endpoint"`);
-  const known = /* @__PURE__ */ new Set(["name", "role", "kind", "description", "tags", "channels", "publish", "model"]);
+  for (const old of ["channels", "publish"])
+    if (old in fm)
+      throw new Error(`agent file ${path}: "${old}" was renamed \u2014 use "subscribe"/"allowSubscribe" (read) and "allowPublish" (post)`);
+  const subscribe = list("subscribe");
+  const allowSubscribe = list("allowSubscribe");
+  const allowPublish = list("allowPublish");
+  const quiet = list("quiet");
+  const muted = list("muted");
+  for (const ch of [...subscribe ?? [], ...allowSubscribe ?? [], ...allowPublish ?? []])
+    try {
+      assertValidChannel(ch);
+    } catch (e) {
+      throw new Error(`agent file ${path}: ${e.message}`);
+    }
+  const effSubscribe = subscribe?.length ? subscribe : ["general"];
+  const effAllow = allowSubscribe?.length ? allowSubscribe : effSubscribe;
+  for (const ch of effSubscribe)
+    if (!channelInAllow(effAllow, ch))
+      throw new Error(`agent file ${path}: subscribe channel "${ch}" is not within allowSubscribe [${effAllow.join(", ")}]`);
+  const both = (quiet ?? []).filter((c) => (muted ?? []).includes(c));
+  if (both.length)
+    throw new Error(`agent file ${path}: channel(s) [${both.join(", ")}] are in both quiet and muted \u2014 pick one`);
+  for (const [field, chans] of [["quiet", quiet], ["muted", muted]])
+    for (const ch of chans ?? []) {
+      try {
+        assertValidChannel(ch);
+      } catch (e) {
+        throw new Error(`agent file ${path}: ${e.message}`);
+      }
+      if (!isConcreteChannel(ch))
+        throw new Error(`agent file ${path}: ${field} channel "${ch}" must be a concrete channel (no wildcard)`);
+      if (!channelInAllow(effAllow, ch))
+        throw new Error(`agent file ${path}: ${field} channel "${ch}" is not within your read ACL / allowSubscribe [${effAllow.join(", ")}]`);
+    }
+  const known = /* @__PURE__ */ new Set(["name", "role", "kind", "description", "tags", "subscribe", "allowSubscribe", "allowPublish", "quiet", "muted", "model", "capabilities", "owner"]);
   const meta = {};
   for (const [k, v] of Object.entries(fm))
     if (!known.has(k) && typeof v === "string")
@@ -16433,9 +16522,14 @@ function loadAgentFile(path) {
     kind,
     description: str("description"),
     tags: list("tags"),
-    channels: list("channels"),
-    publish: list("publish"),
+    subscribe,
+    allowSubscribe,
+    allowPublish,
+    quiet,
+    muted,
     model: str("model"),
+    capabilities: list("capabilities"),
+    owner: str("owner"),
     meta: Object.keys(meta).length ? meta : void 0,
     persona: persona || void 0
   };
@@ -16444,13 +16538,13 @@ function loadAgentFile(path) {
 // ../../packages/core/dist/endpoint.js
 var import_transport_node3 = __toESM(require_transport_node(), 1);
 var import_jetstream2 = __toESM(require_mod4(), 1);
-var import_kv3 = __toESM(require_mod6(), 1);
+var import_kv4 = __toESM(require_mod6(), 1);
 var DEFAULT_SERVER = "nats://127.0.0.1:4222";
 
 // ../../packages/core/dist/spaces.js
 var import_transport_node4 = __toESM(require_transport_node(), 1);
 var import_jetstream3 = __toESM(require_mod4(), 1);
-var import_kv4 = __toESM(require_mod6(), 1);
+var import_kv5 = __toESM(require_mod6(), 1);
 
 // ../../packages/core/dist/registry.js
 var Registry = class {
@@ -16493,9 +16587,31 @@ function configFromEnv(env = process.env) {
   const name = env.COTAL_NAME?.trim() || def?.name || (link ? (0, import_node_os.userInfo)().username : void 0);
   if (!name)
     throw new Error("COTAL_NAME, COTAL_AGENT_FILE or COTAL_LINK is required \u2014 a Cotal session needs an explicit identity from its launcher");
-  const channels = splitList(env.COTAL_CHANNELS);
-  const resolvedChannels = channels.length ? channels : def?.channels ?? link?.channels ?? ["general"];
-  const publish = splitList(env.COTAL_PUBLISH);
+  const subscribe = splitList(env.COTAL_SUBSCRIBE);
+  const resolvedSubscribe = subscribe.length ? subscribe : def?.subscribe ?? link?.channels ?? ["general"];
+  const allowSub = splitList(env.COTAL_ALLOW_SUBSCRIBE);
+  const resolvedAllowSub = allowSub.length ? allowSub : def?.allowSubscribe ?? resolvedSubscribe;
+  for (const ch of resolvedSubscribe)
+    if (!channelInAllow(resolvedAllowSub, ch))
+      throw new Error(`COTAL config: subscribe channel "${ch}" is not within allowSubscribe [${resolvedAllowSub.join(", ")}]`);
+  const allowPub = splitList(env.COTAL_ALLOW_PUBLISH);
+  const resolvedAllowPub = allowPub.length ? allowPub : def?.allowPublish ?? [];
+  for (const ch of [...resolvedSubscribe, ...resolvedAllowSub, ...resolvedAllowPub])
+    assertValidChannel(ch);
+  const qEnv = splitList(env.COTAL_QUIET), mEnv = splitList(env.COTAL_MUTED);
+  const resolvedQuiet = qEnv.length ? qEnv : def?.quiet ?? [];
+  const resolvedMuted = mEnv.length ? mEnv : def?.muted ?? [];
+  const bothModes = resolvedQuiet.filter((c) => resolvedMuted.includes(c));
+  if (bothModes.length)
+    throw new Error(`COTAL config: channel(s) [${bothModes.join(", ")}] are in both quiet and muted`);
+  for (const [field, chans] of [["quiet", resolvedQuiet], ["muted", resolvedMuted]])
+    for (const ch of chans) {
+      assertValidChannel(ch);
+      if (!isConcreteChannel(ch))
+        throw new Error(`COTAL config: ${field} channel "${ch}" must be concrete (no wildcard)`);
+      if (!channelInAllow(resolvedAllowSub, ch))
+        throw new Error(`COTAL config: ${field} channel "${ch}" is not within allowSubscribe [${resolvedAllowSub.join(", ")}]`);
+    }
   const credsPath = env.COTAL_CREDS?.trim();
   return {
     space: env.COTAL_SPACE?.trim() || link?.space || "demo",
@@ -16505,9 +16621,17 @@ function configFromEnv(env = process.env) {
     role: env.COTAL_ROLE?.trim() || def?.role || void 0,
     description: def?.description,
     tags: def?.tags,
+    meta: def?.meta,
+    capabilities: def?.capabilities,
+    model: env.COTAL_MODEL?.trim() || def?.model || void 0,
     servers: env.COTAL_SERVERS?.trim() || link?.servers || DEFAULT_SERVER,
-    channels: resolvedChannels,
-    publish: publish.length ? publish : def?.publish ?? resolvedChannels,
+    subscribe: resolvedSubscribe,
+    allowSubscribe: resolvedAllowSub,
+    // Post ACL is default-DENY: only what's explicitly declared (env > agent-file). The broker
+    // enforces it under auth; in open mode posting is unrestricted regardless (see laneLine).
+    allowPublish: resolvedAllowPub,
+    quiet: resolvedQuiet,
+    muted: resolvedMuted,
     kind: env.COTAL_KIND?.trim() || def?.kind || "agent",
     token: env.COTAL_TOKEN?.trim() || link?.token,
     user: link?.user,