@cotal-ai/core 0.5.0 → 0.7.0

package/dist/acls.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Durable read-ACL registry — read/write helpers over the per-space ACL KV bucket
+ * (`cotal_acl_<space>`). One {@link AclRecord} per OWNER under {@link aclKey}, holding that owner's
+ * current read ACL (`allowSubscribe`). This is the **keystone** that lets the Plane-3 trusted reader
+ * run in a stateless, server-side **delivery daemon**: the reader re-authorizes every durable entry
+ * against the owner's ACL read FRESH from here (not the manager's in-memory ledger), so a daemon
+ * restart re-reads the truth instead of nak-looping every unknown owner to `term()`.
+ *
+ * Writes are **privileged** — the manager records an agent's ACL at mint time (the same act as baking
+ * it into the JWT); agent-authored ACLs are forbidden (they would self-authorize reads). Every write
+ * is a single ATOMIC CAS put of the whole value, so a present record is always complete: a present
+ * `allowSubscribe: []` is a known "reads nothing" policy (the reader DROPS), distinct from an ABSENT
+ * record (a genuinely-unknown owner — the reader DEFERS, never drops).
+ */
+import { type KV } from "@nats-io/kv";
+import type { AclRecord } from "./types.js";
+/** Open the ACL registry bucket. Auth mode OPENs the bucket pre-created at `cotal up`; a privileged
+ *  caller may pass `{ create: true }` to lazily CREATE it. Mirrors {@link openMembersRegistry}. */
+export declare function openAclRegistry(nc: import("@nats-io/transport-node").NatsConnection, space: string, opts?: {
+    create?: boolean;
+}): Promise<KV>;
+/**
+ * Read one owner's read-ACL record, or `undefined` if there is NO usable record — absent, deleted,
+ * undecodable, or missing the `allowSubscribe` array. The reader maps that `undefined` to DEFER (an
+ * unknown owner, e.g. a pre-provision race — never dropped). A PRESENT record returns its
+ * `allowSubscribe` as-is, **including `[]`** (a known no-read policy → DROP). The CAS revision is
+ * returned alongside for a read-modify-write.
+ */
+export declare function readAcl(kv: KV, owner: string): Promise<{
+    record: AclRecord;
+    revision: number;
+} | undefined>;
+/**
+ * Record (set) an owner's read ACL — a single ATOMIC CAS put of the full value, never
+ * create-then-populate, so a present record is always complete and `[]` always means "no-read", never
+ * "not yet written". Bumps `revision`. Retries a revision conflict by re-reading. Idempotent in
+ * effect: writing the same `allowSubscribe` is harmless. Use `allowSubscribe: []` to revoke all reads
+ * (the reader then DROPS the owner's entries) — distinct from {@link deleteAcl}, which removes the row.
+ */
+export declare function commitAcl(kv: KV, owner: string, allowSubscribe: string[]): Promise<AclRecord>;
+/** Permanently remove an owner's ACL row (GC / footprint deletion — revocation deletes the footprint
+ *  AFTER invalidating creds). Distinct from a `commitAcl(kv, owner, [])` write, which keeps a present
+ *  "no-read" record so the reader DROPS (vs. DEFER for an absent owner). */
+export declare function deleteAcl(kv: KV, owner: string): Promise<void>;
+//# sourceMappingURL=acls.d.ts.map

package/dist/acls.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"acls.d.ts","sourceRoot":"","sources":["../src/acls.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,EAAO,KAAK,EAAE,EAAE,MAAM,aAAa,CAAC;AAE3C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE5C;mGACmG;AACnG,wBAAsB,eAAe,CACnC,EAAE,EAAE,OAAO,yBAAyB,EAAE,cAAc,EACpD,KAAK,EAAE,MAAM,EACb,IAAI,GAAE;IAAE,MAAM,CAAC,EAAE,OAAO,CAAA;CAAO,GAC9B,OAAO,CAAC,EAAE,CAAC,CAGb;AAED;;;;;;GAMG;AACH,wBAAsB,OAAO,CAC3B,EAAE,EAAE,EAAE,EACN,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,CAAC,CAU9D;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CA0BnG;AAED;;4EAE4E;AAC5E,wBAAsB,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAEpE"}

package/dist/acls.js

@@ -0,0 +1,86 @@
+/**
+ * Durable read-ACL registry — read/write helpers over the per-space ACL KV bucket
+ * (`cotal_acl_<space>`). One {@link AclRecord} per OWNER under {@link aclKey}, holding that owner's
+ * current read ACL (`allowSubscribe`). This is the **keystone** that lets the Plane-3 trusted reader
+ * run in a stateless, server-side **delivery daemon**: the reader re-authorizes every durable entry
+ * against the owner's ACL read FRESH from here (not the manager's in-memory ledger), so a daemon
+ * restart re-reads the truth instead of nak-looping every unknown owner to `term()`.
+ *
+ * Writes are **privileged** — the manager records an agent's ACL at mint time (the same act as baking
+ * it into the JWT); agent-authored ACLs are forbidden (they would self-authorize reads). Every write
+ * is a single ATOMIC CAS put of the whole value, so a present record is always complete: a present
+ * `allowSubscribe: []` is a known "reads nothing" policy (the reader DROPS), distinct from an ABSENT
+ * record (a genuinely-unknown owner — the reader DEFERS, never drops).
+ */
+import { Kvm } from "@nats-io/kv";
+import { aclBucket, aclKey } from "./subjects.js";
+/** Open the ACL registry bucket. Auth mode OPENs the bucket pre-created at `cotal up`; a privileged
+ *  caller may pass `{ create: true }` to lazily CREATE it. Mirrors {@link openMembersRegistry}. */
+export async function openAclRegistry(nc, space, opts = {}) {
+    const kvm = new Kvm(nc);
+    return opts.create ? kvm.create(aclBucket(space)) : kvm.open(aclBucket(space));
+}
+/**
+ * Read one owner's read-ACL record, or `undefined` if there is NO usable record — absent, deleted,
+ * undecodable, or missing the `allowSubscribe` array. The reader maps that `undefined` to DEFER (an
+ * unknown owner, e.g. a pre-provision race — never dropped). A PRESENT record returns its
+ * `allowSubscribe` as-is, **including `[]`** (a known no-read policy → DROP). The CAS revision is
+ * returned alongside for a read-modify-write.
+ */
+export async function readAcl(kv, owner) {
+    const e = await kv.get(aclKey(owner));
+    if (!e || e.operation === "DEL" || e.operation === "PURGE")
+        return undefined;
+    try {
+        const record = e.json();
+        if (!Array.isArray(record.allowSubscribe))
+            return undefined; // half/garbled — treat as unknown (DEFER)
+        return { record, revision: e.revision };
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Record (set) an owner's read ACL — a single ATOMIC CAS put of the full value, never
+ * create-then-populate, so a present record is always complete and `[]` always means "no-read", never
+ * "not yet written". Bumps `revision`. Retries a revision conflict by re-reading. Idempotent in
+ * effect: writing the same `allowSubscribe` is harmless. Use `allowSubscribe: []` to revoke all reads
+ * (the reader then DROPS the owner's entries) — distinct from {@link deleteAcl}, which removes the row.
+ */
+export async function commitAcl(kv, owner, allowSubscribe) {
+    const key = aclKey(owner);
+    for (let attempt = 0; attempt < 5; attempt++) {
+        const cur = await readAcl(kv, owner);
+        const next = {
+            allowSubscribe: [...allowSubscribe],
+            revision: (cur?.record.revision ?? 0) + 1,
+            updatedAt: Date.now(),
+        };
+        const data = new TextEncoder().encode(JSON.stringify(next));
+        if (!cur) {
+            try {
+                await kv.create(key, data);
+                return next;
+            }
+            catch {
+                continue; // lost the create race — re-read and try as an update
+            }
+        }
+        try {
+            await kv.update(key, data, cur.revision);
+            return next;
+        }
+        catch {
+            continue; // revision moved under us — re-read and retry
+        }
+    }
+    throw new Error(`acl CAS exhausted retries for ${owner}`);
+}
+/** Permanently remove an owner's ACL row (GC / footprint deletion — revocation deletes the footprint
+ *  AFTER invalidating creds). Distinct from a `commitAcl(kv, owner, [])` write, which keeps a present
+ *  "no-read" record so the reader DROPS (vs. DEFER for an absent owner). */
+export async function deleteAcl(kv, owner) {
+    await kv.purge(aclKey(owner));
+}
+//# sourceMappingURL=acls.js.map

package/dist/acls.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"acls.js","sourceRoot":"","sources":["../src/acls.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,EAAE,GAAG,EAAW,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAGlD;mGACmG;AACnG,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,EAAoD,EACpD,KAAa,EACb,OAA6B,EAAE;IAE/B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC,CAAC;IACxB,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;AACjF,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,EAAM,EACN,KAAa;IAEb,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACtC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,KAAK,KAAK,IAAI,CAAC,CAAC,SAAS,KAAK,OAAO;QAAE,OAAO,SAAS,CAAC;IAC7E,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,CAAC,CAAC,IAAI,EAAa,CAAC;QACnC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC;YAAE,OAAO,SAAS,CAAC,CAAC,0CAA0C;QACvG,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,EAAM,EAAE,KAAa,EAAE,cAAwB;IAC7E,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1B,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC;QAC7C,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QACrC,MAAM,IAAI,GAAc;YACtB,cAAc,EAAE,CAAC,GAAG,cAAc,CAAC;YACnC,QAAQ,EAAE,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC;YACzC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QACF,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;QAC5D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;gBAC3B,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,CAAC,sDAAsD;YAClE,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,CAAC,8CAA8C;QAC1D,CAAC;IACH,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iCAAiC,KAAK,EAAE,CAAC,CAAC;AAC5D,CAAC;AAED;;4EAE4E;AAC5E,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,EAAM,EAAE,KAAa;IACnD,MAAM,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;AAChC,CAAC"}

package/dist/command.d.ts

@@ -28,6 +28,9 @@ export interface Command extends Extension {
     /** One-line usage shown by `cotal <cmd> --help` and on an invalid-argument error.
      *  Falls back to `summary` when unset. */
     readonly usage?: string;
+    /** Hide from the top-level help listing while keeping it runnable — for dev/test aids
+     *  (e.g. `demo`) that clutter the surface but stay documented and invocable. */
+    readonly hidden?: boolean;
     run(argv: string[]): Promise<void>;
     /** Optional shell-completion provider, owned by the command exactly as `run` is. Given the
      *  args typed so far (everything after the command name; the last element is the word being

package/dist/command.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"command.d.ts","sourceRoot":"","sources":["../src/command.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAE/C;0FAC0F;AAC1F,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;uFAIuF;AACvF,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,cAAc,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;CAC/C;AAED;;;;GAIG;AACH,MAAM,WAAW,OAAQ,SAAQ,SAAS;IACxC,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,mFAAmF;IACnF,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB;8CAC0C;IAC1C,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnC;;;;2FAIuF;IACvF,QAAQ,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;CACzE"}
+{"version":3,"file":"command.d.ts","sourceRoot":"","sources":["../src/command.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAE/C;0FAC0F;AAC1F,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;uFAIuF;AACvF,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,cAAc,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;CAC/C;AAED;;;;GAIG;AACH,MAAM,WAAW,OAAQ,SAAQ,SAAS;IACxC,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,mFAAmF;IACnF,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB;8CAC0C;IAC1C,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB;oFACgF;IAChF,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnC;;;;2FAIuF;IACvF,QAAQ,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;CACzE"}

package/dist/connector.d.ts

@@ -17,6 +17,10 @@ export interface LaunchOpts {
      *  passes it through (`COTAL_AGENT_FILE`) so the joined session reads its own
      *  card from it, and applies the file's persona/model at launch. */
     configPath?: string;
+    /** Explicit model override — the `cotal start --model <m>` flag. Takes precedence over the
+     *  agent file's `model:` and is applied even when no agent file is present. Each connector
+     *  renders it in its host form (Claude `--model`, OpenCode `config.model`, Hermes `HERMES_MODEL`). */
+    model?: string;
     /** An initial message for the session to act on the moment it starts. Connectors
      *  that support an auto-submitted first prompt (Claude Code) deliver it; others
      *  ignore it. Used to make a driving session greet the operator on launch. */
@@ -54,6 +58,12 @@ export interface Connector extends Extension {
     readonly kind: "connector";
     readonly name: string;
     buildLaunch(opts: LaunchOpts): LaunchSpec;
+    /** External executables this connector invokes beyond `LaunchSpec.command` (e.g. the
+     *  `claude` / `opencode` CLI). A preflight PATH hint, not a full environment validator: the
+     *  manager checks each is on PATH before spawning and fails with a clear error naming the
+     *  missing one, instead of an obscure process-spawn failure. Optional — omit for connectors
+     *  whose harness runs in-process. */
+    readonly requires?: readonly string[];
     /** Directory of installable editor-plugin assets shipped with the connector
      *  (e.g. a Claude Code plugin dir), when the agent type needs a one-time
      *  plugin install. Consumers (like `cotal setup`) resolve it via the registry

package/dist/connector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"connector.d.ts","sourceRoot":"","sources":["../src/connector.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAE3D,oFAAoF;AACpF,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;8EAE0E;IAC1E,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ;mDAC+C;IAC/C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;wEAEoE;IACpE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;kFAE8E;IAC9E,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;yFAEqF;IACrF,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;qEAIiE;IACjE,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;CAC5C;AAED,oFAAoF;AACpF,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B;;;+CAG2C;IAC3C,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU,CAAC;IAC1C;;;+DAG2D;IAC3D,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B"}
+{"version":3,"file":"connector.d.ts","sourceRoot":"","sources":["../src/connector.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAE3D,oFAAoF;AACpF,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;8EAE0E;IAC1E,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ;mDAC+C;IAC/C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;wEAEoE;IACpE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;0GAEsG;IACtG,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;kFAE8E;IAC9E,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;yFAEqF;IACrF,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;qEAIiE;IACjE,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;CAC5C;AAED,oFAAoF;AACpF,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B;;;+CAG2C;IAC3C,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU,CAAC;IAC1C;;;;yCAIqC;IACrC,QAAQ,CAAC,QAAQ,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACtC;;;+DAG2D;IAC3D,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B"}

package/dist/endpoint.d.ts

@@ -1,5 +1,6 @@
 import { EventEmitter } from "node:events";
-import type { AgentCard, ChannelConfig, ControlReply, ControlRequest, ControlRequestInit, EndpointRef, Part, Presence, PresenceStatus, AttentionMode, ChannelMode, CotalMessage } from "./types.js";
+import type { AgentCard, ChannelConfig, ControlReply, ControlRequest, ControlRequestInit, EndpointRef, Part, Presence, PresenceStatus, AttentionMode, ChannelMode, CotalMessage, DeliveryClass, MembershipSnapshot } from "./types.js";
+import { type DeliveryLeaseInfo } from "./lease.js";
 export declare const DEFAULT_SERVER = "nats://127.0.0.1:4222";
 /** Space joined when none is given on the CLI (the `cotal-<space>` cmux tab, etc.). */
 export declare const DEFAULT_SPACE = "main";
@@ -50,6 +51,9 @@ export interface ChannelMember {
     role?: string;
     live: boolean;
 }
+/** A value or a promise of it — the Plane-3 `aclFor` reads the durable ACL registry FRESH per entry
+ *  (async), so the reader/fan-out call sites await it. */
+type MaybePromise<T> = T | Promise<T>;
 export declare class CotalEndpoint extends EventEmitter {
     readonly card: AgentCard;
     readonly space: string;
@@ -72,10 +76,18 @@ export declare class CotalEndpoint extends EventEmitter {
     private jsm?;
     private kv?;
     private channelKv?;
-    /** Plane-3 durable-membership registry KV — lazily opened by the privileged (manager) endpoint. */
+    /** Plane-3 durable-membership registry KV — lazily opened by the privileged delivery daemon (or a
+     *  short-lived provisioner). */
     private membersKv?;
-    /** When set, this endpoint hosts the Plane-3 fan-out writer + trusted reader (the manager). `aclFor`
-     *  maps an owner id to its current read ACL (`allowSubscribe`) for the reader's re-authorization. */
+    private aclKv?;
+    private deliveryKv?;
+    private membershipKv?;
+    /** The live `ctl.delivery` serve subscription (delivery daemon) — re-created on every (re)connect by
+     *  {@link armDeliveryControl}; tracked so the stale one is dropped on reconnect. */
+    private deliveryServeSub?;
+    /** When set, this endpoint hosts the Plane-3 fan-out writer + trusted reader (the server-side delivery
+     *  daemon). `aclFor` maps an owner id to its current read ACL (`allowSubscribe`) for the reader's
+     *  re-authorization — read FRESH per entry from the durable ACL registry KV, hence async. */
     private plane3?;
     /** Live local cache of the channel registry (key = channel token), kept by a KV watch. */
     private readonly channelConfigs;
@@ -111,6 +123,12 @@ export declare class CotalEndpoint extends EventEmitter {
      *  {@link pendingDurableLeaves} (the connector shows it in `cotal_channels`, never as ordinary
      *  absence). Persists across reconnect; cleared on tombstone success or full stop. */
     private readonly pendingDurableLeave;
+    /** Boot durable channels whose self-join hasn't yet established a membership (daemon down/absent at
+     *  first connect, or a transient `durable:false`). {@link reconcileBootJoin} retries with capped
+     *  backoff until the membership exists or the channel is left — so a first-connect daemon outage
+     *  self-heals on recovery instead of leaving the channel silently live-only. Surfaced to the connector
+     *  via {@link hasDurableMembership} (a joined durable channel NOT yet a member renders degraded). */
+    private readonly pendingBootJoins;
     /** Chat-join subjects currently being broker-confirmed. An out-of-ACL subscribe among these trips an
      *  EXPECTED async permission violation that joinChannel turns into a clean throw, so watchStatus
      *  suppresses it rather than surfacing a spurious connection error. */
@@ -221,10 +239,26 @@ export declare class CotalEndpoint extends EventEmitter {
     tap(handler: (subject: string, msg: CotalMessage | undefined) => void, opts?: {
         subject?: string;
     }): void;
-    /** Serve control requests for a service (manager side). */
-    serveControl(service: string, handler: (req: ControlRequest) => Promise<ControlReply> | ControlReply): void;
+    /** Serve control requests for a service. Returns the subscription so a caller that re-registers on
+     *  reconnect (the delivery daemon) can drop the stale one. `boundReply` is REQUIRED for any service
+     *  whose responder holds a wildcard publish grant over the service subtree (the delivery daemon's
+     *  `ctl.delivery.*.reply.>`): without it, an authenticated caller could set its reply target to a
+     *  PEER's reply lane (`ctl.delivery.<victim>.reply.<n>`) and turn the responder into a confused
+     *  deputy — the broker does NOT permission-check the requester's embedded reply subject. With it, a
+     *  reply is published only when `m.reply` is under the AUTHENTICATED request subject
+     *  (`${m.subject}.reply.…`), binding the reply to the broker-policed sender token. (The manager's
+     *  tiers reply into the per-id `_INBOX` and leave it off.) */
+    serveControl(service: string, handler: (req: ControlRequest) => Promise<ControlReply> | ControlReply, opts?: {
+        boundReply?: boolean;
+    }): import("@nats-io/transport-node").Subscription;
     /** Send a control request to a service and await its reply (client side). */
     requestControl(service: string, req: ControlRequestInit, timeoutMs?: number): Promise<ControlReply>;
+    /** Send a durable-membership request to the SERVER-SIDE delivery daemon (`ctl.delivery`) and await its
+     *  reply. Unlike {@link requestControl}, the reply rides a subject UNDER `ctl.delivery.<id>.>` (not the
+     *  per-id `_INBOX`), so the scoped delivery cred can answer without broad inbox-publish — see
+     *  CONTROL_DELIVERY. `noMux` lets us name the reply subject while keeping NoResponders detection (so a
+     *  caller can fail-closed vs. degrade to live-only when no daemon is present). */
+    private requestDelivery;
     getRoster(): Presence[];
     setActivity(activity: string): Promise<void>;
     setStatus(status: PresenceStatus): Promise<void>;
@@ -245,14 +279,19 @@ export declare class CotalEndpoint extends EventEmitter {
     /** Effective replay-on-join policy for a channel: per-channel override ?? space default ??
      *  true. Reads the live cache, so it reflects runtime registry edits. */
     channelReplay(channel: string): boolean;
+    /** Effective delivery class for a channel (per-channel override ?? space default ?? "durable"),
+     *  from the live watch cache — drives the non-gating delivery-health surface (only durable-class
+     *  channels have a Plane-3 backstop to report on). */
+    channelDeliveryClass(channel: string): DeliveryClass;
     /** The channels this endpoint is currently subscribed to (live — reflects join/leave). */
     joinedChannels(): string[];
     /**
      * Join a channel mid-session: open a native core subscription (manager-free live read, broker-
      * confirmed against `sub.allow`), capture the stream frontier as the join watermark, backfill its
-     * history if replay is on, and — for a `durable`-class channel under a manager — request a Plane-3
-     * durable backstop. Idempotent: re-joining is a no-op (no re-backfill). Returns the backfill count +
-     * whether the durable backstop is active (+ a `reason` when a durable channel couldn't get one).
+     * history if replay is on, and — for a `durable`-class channel when a delivery daemon is present —
+     * request a Plane-3 durable backstop (via `ctl.delivery`). Idempotent: re-joining is a no-op (no
+     * re-backfill). Returns the backfill count + whether the durable backstop is active (+ a `reason`
+     * when a durable channel couldn't get one).
      */
     joinChannel(channel: string): Promise<{
         joined: boolean;
@@ -290,6 +329,24 @@ export declare class CotalEndpoint extends EventEmitter {
      */
     channelMembers(channel: string): Promise<ChannelMember[]>;
     channelMembers(): Promise<Map<string, ChannelMember[]>>;
+    /** Lazily open the derived membership feed KV (admin/observer read; the delivery daemon writes it).
+     *  Read-only here — the dashboard consumes it; agents hold no grant and never call this. */
+    private membershipRegistry;
+    /**
+     * Snapshot the broker-sourced channel-membership feed (admin/observer read): every agent's
+     * `{live, durable}` record plus `asOf` — the feed's freshness heartbeat (epoch ms of the daemon's last
+     * successful poll, from the reserved {@link MEMBERSHIP_FEED_KEY}). `live` patterns are kept as-is
+     * (wildcards preserved); the consumer expands them against the channel registry. `asOf` is undefined
+     * when the feed has never been written (no daemon → the dashboard degrades to traffic-only).
+     */
+    readMembership(): Promise<MembershipSnapshot>;
+    /** Watch the membership feed for changes (admin/observer): `onChange` fires on every KV entry,
+     *  including the initial replay — the caller debounces + re-reads {@link readMembership}. Returns a
+     *  stop handle. Best-effort: a feed the cred can't read (or absent) surfaces as an `error` event and
+     *  the dashboard keeps its last snapshot. */
+    watchMembership(onChange: () => void): Promise<{
+        stop(): void;
+    }>;
     /** Fetch recent messages from a channel's JetStream backlog. */
     channelHistory(channel: string, opts?: {
         limit?: number;
@@ -322,20 +379,6 @@ export declare class CotalEndpoint extends EventEmitter {
     /** Create the three backing streams for this space (idempotent). Open-mode lazy create;
      *  the same definitions are used by `cotal up` at privileged setup. */
     private ensureStreams;
-    /**
-     * Privileged: write an agent's BOOT durable membership — each `durable`-class channel in its boot
-     * subscribe set gets a Plane-3 durable-active record (via {@link durableJoinFor}: cursor capture +
-     * activation catch-up), so it receives durable backstop copies from boot exactly like a runtime
-     * `durableJoin`. `live`-class (and non-concrete) channels are skipped. Idempotent.
-     *
-     * Writes the durable RECORDS with the caller's privileged creds — it does NOT require this endpoint
-     * to host the runtime fan-out/reader loops (a space-level manager service), so EVERY auth launcher
-     * provisions identically: the manager AND the short-lived `cotal spawn` provisioner both write boot
-     * records, which the space's manager then delivers (no silent no-op — that would hide a boot
-     * membership; AGENTS.md "no fallbacks"). A space running no manager is live-only for everyone (the
-     * records exist; nothing delivers them until a manager hosts the loops).
-     */
-    provisionMembership(targetId: string, channels: string[]): Promise<void>;
     /**
      * Privileged: pre-create an agent's DM inbox durable (auth mode), so the agent can BIND
      * it without holding CONSUMER.CREATE on DM_<space>. The creator sets the filter to
@@ -359,13 +402,51 @@ export declare class CotalEndpoint extends EventEmitter {
      * Idempotent per role. The caller must be permissive on TASK_<space>.
      */
     provisionTaskQueue(role: string): Promise<void>;
-    /** Lazily open the privileged members registry KV (manager / open-mode self). */
+    /** Lazily open the privileged members registry KV (delivery daemon / open-mode self). */
     private membersRegistry;
+    /** Lazily open the durable read-ACL registry KV. Privileged write (the manager records an agent's
+     *  ACL at mint); the delivery daemon reads it fresh per durable entry to re-authorize. */
+    private aclRegistry;
+    /** Privileged ({@link DurableProvisioner}): record an agent's read ACL in the durable registry at
+     *  provision/mint time — the same act as baking it into the JWT, persisted so the server-side
+     *  delivery daemon can re-authorize the agent's durable entries and validate its runtime
+     *  durable-joins without holding any in-memory ledger. Written ATOMICALLY ({@link writeAclRecord}),
+     *  so a present record is always complete (`[]` = known no-read, never a half-write). */
+    commitAcl(targetId: string, allowSubscribe: string[]): Promise<void>;
+    /** The server-side delivery daemon's fresh-per-entry ACL read: an owner's CURRENT read ACL
+     *  (`allowSubscribe`) from the durable registry, or `undefined` if no record (an unknown owner — the
+     *  reader DEFERS, never drops). A present `[]` (known no-read) returns `[]` (the reader DROPS). */
+    aclForOwner(owner: string): Promise<string[] | undefined>;
+    /** Lazily open the delivery lease/readiness KV (pre-created at `cotal up`; bind, never create). */
+    private deliveryRegistry;
+    private encodeLease;
+    /** Acquire the single-flight delivery lease for a shard via an ATOMIC CAS create, marked NOT-ready.
+     *  THROWS if a live lease exists — a loud refusal-to-bind (the daemon exits), never a retry, so two
+     *  daemons can't split a durable's delivery. A crashed holder's lease auto-expires (bucket TTL),
+     *  freeing a re-acquire. Acquired BEFORE binding (single-flight gate); {@link markDeliveryLeaseReady}
+     *  flips it ready AFTER the loops + `ctl.delivery` are bound. Returns the lease revision. */
+    acquireDeliveryLease(shardIndex: number): Promise<number>;
+    /** Flip the held lease to READY (CAS `kv.update`) AFTER `startPlane3` has bound the loops + the
+     *  `ctl.delivery` responder — so "lease ready" proves the responder is up, not just that the slot was
+     *  claimed. Returns the new revision. */
+    markDeliveryLeaseReady(shardIndex: number, revision: number): Promise<number>;
+    /** Renew the held lease (CAS `kv.update` against `revision`, keeping `ready:true`) to refresh it before
+     *  the bucket TTL expires it. Returns the new revision. Throws if the revision moved (lost the lease —
+     *  the daemon should exit). */
+    renewDeliveryLease(shardIndex: number, revision: number): Promise<number>;
+    /** Release the held lease on clean shutdown so a replacement daemon re-acquires immediately (best
+     *  effort — a crash just lets the bucket TTL expire it). */
+    releaseDeliveryLease(shardIndex: number): Promise<void>;
+    /** Read a shard's delivery lease (the daemon-availability signal), or `undefined` if none is live.
+     *  READ-ONLY surface — drives Component 6's `cotal_channels` delivery-health field (an agent reads it
+     *  under its own cred, which holds lease-bucket read but no write). */
+    readDeliveryLease(shardIndex: number): Promise<DeliveryLeaseInfo | undefined>;
     /** Privileged: one owner's NON-TOMBSTONED durable memberships as `{channel, generation, activated}` —
-     *  the manager serves this to a connecting agent (via the `listMemberships` self-service op). The agent
-     *  hydrates its leave mirror from the ACTIVATED ones (the confirmed backstops), but the non-activated
-     *  ones are returned too so `leaveChannel` can discover + close a record that still routes under the
-     *  pure-interval predicate (a crash-stuck pending activation) — without reading the privileged KV. */
+     *  the server-side delivery daemon serves this to a connecting agent (the `listMemberships` op on
+     *  `ctl.delivery`). The agent seeds its leave mirror from the ACTIVATED ones (the confirmed backstops),
+     *  but the non-activated ones are returned too so `leaveChannel` can discover + close a record that
+     *  still routes under the pure-interval predicate (a crash-stuck pending activation) — without reading
+     *  the privileged KV itself. */
     ownerMemberships(owner: string): Promise<{
         channel: string;
         generation: number;
@@ -385,16 +466,15 @@ export declare class CotalEndpoint extends EventEmitter {
      *  BLOCKER-1: the shared fan-out cursor advances independently of the stream frontier). */
     private fanoutDeliveredSeq;
     /**
-     * Privileged durable-JOIN write (the manager calls this after validating channel ⊆ allowSubscribe;
-     * {@link provisionMembership} calls it at provision time for boot channels): capture `joinCursor`,
-     * commit a `durable-active` record (CAS + generation bump), then ACTIVATION CATCH-UP idempotently
-     * copies `(joinCursor, fence]` into the owner inbox where `fence = max(frontier, fanoutDelivered)` —
-     * fan-out owns `seq > fence`. Idempotent against a timeout-retry (an already-activated membership
-     * no-ops). Returns `{durable:false}` (honest degrade) only if the catch-up window was evicted.
+     * Privileged durable-JOIN write (v3: the delivery daemon calls this from its `ctl.delivery` handler
+     * after validating channel ⊆ the caller's read ACL): capture `joinCursor`, commit a `durable-active`
+     * record (CAS + generation bump), then ACTIVATION CATCH-UP idempotently copies `(joinCursor, fence]`
+     * into the owner inbox where `fence = max(frontier, fanoutDelivered)` — fan-out owns `seq > fence`.
+     * Idempotent against a timeout-retry (an already-activated membership no-ops). Returns `{durable:false}`
+     * (honest degrade) only if the catch-up window was evicted.
      *
-     * This writes durable KV + dinbox state with the caller's privileged creds; it does NOT require THIS
-     * endpoint to host the fan-out/reader loops (those are a space-level manager service). So a
-     * short-lived provisioner can write a boot membership a separate long-lived manager then delivers.
+     * Runs on the daemon (which hosts the fan-out/reader loops + the members KV), so catch-up + the
+     * activation fence read are in-process — no cross-process cursor read.
      */
     durableJoinFor(owner: string, channel: string): Promise<{
         durable: boolean;
@@ -409,16 +489,45 @@ export declare class CotalEndpoint extends EventEmitter {
      *  `chathist_<id>`/`histLock` — red-team HIGH-8). `evicted` ⇒ the oldest eligible seq aged out under
      *  `discard=Old` (the start seq could not be served), a durable shortfall the caller surfaces. */
     private catchupCopy;
-    /** Start the Plane-3 fan-out writer + trusted reader on THIS (privileged) endpoint. `aclFor` maps an
-     *  owner id to its current read ACL for the reader's re-authorization (the manager passes its managed
-     *  set). Call once after connect; idempotent durable creation lets it resume on a manager restart. */
-    startPlane3(aclFor: (owner: string) => string[] | undefined): Promise<void>;
+    /** Start the Plane-3 fan-out writer + trusted reader on THIS (privileged, server-side delivery-daemon)
+     *  endpoint, AND serve the `ctl.delivery` control service (runtime durable join/leave/list). `aclFor`
+     *  maps an owner id to its current read ACL for the reader's re-authorization — read FRESH per entry
+     *  from the durable ACL registry (async). Call once after connect; idempotent durable creation lets it
+     *  resume on a daemon restart. Both the JS loops AND the `ctl.delivery` subscription are (re)bound by
+     *  {@link armPlane3} on EVERY (re)connect — a reconnect drains the old connection, so re-binding both
+     *  is required, not optional (the responder would otherwise be lost on a broker blip). */
+    startPlane3(aclFor: (owner: string) => MaybePromise<string[] | undefined>): Promise<void>;
+    /** Serve one runtime durable-membership control request (the server-side delivery daemon). The caller
+     *  id is the authenticated subject sender ({@link serveControl} fail-closes on a mismatch). Validation
+     *  is against the durable ACL registry — the SAME KV the reader re-auths against (single source of
+     *  truth, no in-memory ledger to drift). */
+    private handleDeliveryControl;
+    /** Validate the channel ARG shape only — non-blank, valid, concrete (NO ACL check, that is op-specific).
+     *  Returns the channel on success or a ControlReply error to short-circuit. */
+    private checkDurableChannelArg;
+    /** JOIN requires the channel be within the caller's CURRENT read ACL (you can't durable-subscribe a
+     *  channel you may not read). */
+    private deliveryJoin;
+    /** LEAVE must NOT require current-ACL coverage. Leave fires precisely when the ACL was narrowed/revoked
+     *  (a refused live sub → {@link closeRefusedMembership}); gating the tombstone on the current ACL would
+     *  loop forever and leave the SPEC §7 boundary open (the membership could resume if the ACL is later
+     *  restored). The guards are: authenticated caller (serveControl), concrete channel, a finite generation
+     *  (the join epoch — without it a stale/replayed leave could tombstone a newer rejoin), and an EXISTING
+     *  own membership; `durableLeaveFor` → `tombstoneMember` then enforces the generation match. */
+    private deliveryLeave;
     /** (Re)bind the Plane-3 fan-out writer + trusted reader. Idempotent — the durables resume from their
      *  cursor. Called by {@link startPlane3} once AND by {@link connectAndBind} on every (re)connect, so
-     *  a manager-endpoint reconnect RE-ARMS the backstop. Without this, a broker blip would silently kill
+     *  the delivery daemon's reconnect RE-ARMS the backstop + the ctl.delivery responder. Without this, a broker blip would silently kill
      *  the loops while `durableJoinFor` kept reporting `durable:true` (the impl-review's BLOCKER-1). No-op
      *  unless this endpoint hosts Plane-3 (`this.plane3` set). */
     private armPlane3;
+    /** (Re)register the `ctl.delivery` control responder on the CURRENT connection. A reconnect drains the
+     *  old connection (the old sub is dead and `clearConnectionScoped` leaves caller-owned subs alone), so
+     *  this MUST run on every arm — otherwise durable join/leave/list silently lose their responder after a
+     *  broker blip. The stale sub is dropped (unsubscribed + removed from `this.subs`) before re-creating.
+     *  `boundReply` is essential here: the daemon holds a wildcard reply-publish grant, so the serve path
+     *  must reject any reply target outside the authenticated sender's own subtree (confused-deputy fix). */
+    private armDeliveryControl;
     /** Fan-out loop: bind the privileged `fanout` durable on CHAT and route each message (routing only —
      *  the trusted reader is the auth gate). */
     private runFanout;
@@ -434,13 +543,13 @@ export declare class CotalEndpoint extends EventEmitter {
      *  has moved to DLV — an §8 equivalent per-member at-least-once mechanism). The agent acks DLV. */
     private readerHandle;
     /** Agent-side: bind + pump our pre-created Plane-3 DELIVER durable (`dlv_<id>`). Every message here is
-     *  manager-written (DLV is manager-write-only, broker-enforced) and is a CHANNEL message by contract
+     *  delivery-daemon-written (DLV is delivery-write-only, broker-enforced) and is a CHANNEL message by contract
      *  (the backstop never carries DMs), so `kind=channel` is path-derived (SPEC §4) and the body is
      *  trusted (no spoof-guard). `durable:true` — real JetStream ack, coalesced with the core-sub live
      *  copy by `MeshAgent.ingest`. No-op when the durable isn't present (open mode / not provisioned). */
     private pumpDlv;
-    /** Agent-side: request a Plane-3 durable backstop for a channel via the manager (ctl.self). Throws
-     *  when no privileged writer is present (open / manager-less). 30s timeout — activation catch-up may
+    /** Agent-side: request a Plane-3 durable backstop for a channel via the server-side delivery daemon (ctl.delivery). Throws
+     *  when no privileged writer is present (open / no delivery daemon). 30s timeout — activation catch-up may
      *  run before the reply (the window is small, but a busy channel can take more than the 5s default). */
     durableJoinChannel(channel: string): Promise<{
         durable: boolean;
@@ -448,7 +557,7 @@ export declare class CotalEndpoint extends EventEmitter {
         generation?: number;
     }>;
     /** Agent-side: release a Plane-3 durable backstop (tombstone membership at the leave cursor). Passes
-     *  the join generation so a stale leave can't tombstone a newer rejoin (the manager validates it). */
+     *  the join generation so a stale leave can't tombstone a newer rejoin (the delivery daemon validates it). */
     durableLeaveChannel(channel: string, generation?: number): Promise<void>;
     /** Fail-closed async cleanup for a channel forced out by a LATE sub.allow refusal (the broker revoked
      *  the live read). The sync sub callback can't await, so this RETRIES the Plane-3 tombstone with capped
@@ -456,7 +565,7 @@ export declare class CotalEndpoint extends EventEmitter {
      *  is reachable, never a silent give-up. While pending, the channel is tracked in
      *  {@link pendingDurableLeave} and surfaced via {@link pendingDurableLeaves} (the connector shows it in
      *  `cotal_channels` as `durable-unclosed`, never ordinary absence). The generation is kept the whole
-     *  time. Authoritative closure of a revoked membership is also the manager's job (revocation). */
+     *  time. Authoritative closure of a revoked membership is also handled by revocation (rotate creds + tear down). */
     private closeRefusedMembership;
     /** Channels with a Plane-3 durable membership whose §7 tombstone is still pending after a refused live
      *  sub (see {@link closeRefusedMembership}) — surfaced by the connector as a `durable-unclosed` state so
@@ -468,15 +577,29 @@ export declare class CotalEndpoint extends EventEmitter {
     private isNoResponders;
     /** Agent-side: this session's CURRENT durable memberships (channel + join generation) from the
      *  manager — the agent holds no read on the privileged members KV. `undefined` ⇒ NO control responder
-     *  (open / manager-less, so there is no Plane-3 and no memberships). THROWS on a responder-present RPC
+     *  (open / no delivery daemon, so there is no Plane-3 and no memberships). THROWS on a responder-present RPC
      *  failure, so a caller can FAIL-CLOSED rather than mistaking a transient error for "no membership". */
     private fetchMemberships;
-    /** Agent-side: seed `plane3Channels` with this session's boot durable memberships + generations on
-     *  first connect (the agent holds no read on the privileged members KV). A best-effort OPTIMIZATION: it
-     *  pre-fills the leave-generation mirror + the durable-state surface. If it can't (a transient manager
-     *  error), {@link leaveChannel} re-resolves the generation on demand and fails closed there — so a
-     *  missed hydration never silently leaves a boot durable channel untombstonable. */
-    private hydrateMemberships;
+    /** Agent-side, first connect (auth): SELF-JOIN this session's durable boot channels via the
+     *  server-side delivery daemon — replacing the old manager-written boot membership. Each concrete
+     *  `durable`-class boot channel gets a `durableJoin` whose returned generation seeds the leave mirror
+     *  + durable-state surface; an already-active membership (a relaunch) is idempotent (no re-catch-up).
+     *  If the daemon is down/absent at first connect (or reports a transient `durable:false`), the channel
+     *  is handed to {@link reconcileBootJoin} for capped-backoff retry — so the backstop is RESTORED once
+     *  the daemon recovers, not left silently live-only. Until a membership exists the channel renders
+     *  degraded in `cotal_channels` ({@link hasDurableMembership}). */
+    private armBootDurableMemberships;
+    /** Retry a boot durable self-join with capped backoff until a membership EXISTS (success → seed
+     *  `plane3Channels`) or the channel is left / the endpoint stops. Mirrors {@link closeRefusedMembership}:
+     *  a one-shot first-connect attempt that swallowed a daemon outage would leave the boot channel live-only
+     *  forever after the daemon recovers (and the lease-based health could then read "active" with no owner
+     *  membership). This loop is the reconcile that closes that gap. Idempotent — a channel already pending
+     *  is not double-driven; survives reconnect (it re-issues `durableJoinChannel` on the current connection). */
+    private reconcileBootJoin;
+    /** True if this session holds an established Plane-3 durable membership for `channel` (in `plane3Channels`).
+     *  Drives the membership-aware delivery-health surface: a joined durable channel that is NOT yet a member
+     *  (boot self-join pending / daemon down) must render degraded, never "active" off a live lease alone. */
+    hasDurableMembership(channel: string): boolean;
     /** Lazily obtain a JetStream manager — so a non-consuming endpoint (e.g. the supervisor,
      *  consume:false) can still pre-create others' durables. */
     private manager;
@@ -604,5 +727,25 @@ export declare function isPermissionDenied(e: unknown): boolean;
 export declare function isReachable(servers?: string, opts?: AuthOpts & {
     timeoutMs?: number;
 }): Promise<boolean>;
+/** What a connect attempt told us about the server — the distinction {@link isReachable} flattens.
+ *  `auth-required` means a server answered but rejected these creds (so it IS up); `unreachable`
+ *  means nothing answered (refused / timeout / a stale registry entry). */
+export type ProbeResult = {
+    ok: true;
+} | {
+    ok: false;
+    reason: "auth-required";
+} | {
+    ok: false;
+    reason: "unreachable";
+};
+/** Like {@link isReachable}, but distinguishes "up but won't take these creds" from "nothing there".
+ *  `spawn` needs the difference: auth-required → name the trust dir + next step; unreachable → the
+ *  mesh is down (prune the stale entry, tell the user to `cotal up`). Pass `creds` to confirm a
+ *  specific identity is accepted (`ok`); omit them to probe mere liveness (an auth broker answers
+ *  `auth-required`, which still proves it's up). */
+export declare function probeConnect(server?: string, opts?: AuthOpts & {
+    timeoutMs?: number;
+}): Promise<ProbeResult>;
 export {};
 //# sourceMappingURL=endpoint.d.ts.map