@figs-so/cli 0.8.0 → 1.1.0

package/SPEC.md

@@ -1,66 +1,78 @@
-# The `.figs` Protocol — `figs-spec v1`
+# The `.figs` Protocol — `figs-spec v2`
 
-> **Status:** v1 — minimal and stable. This spec defines the `.figs/` folder an AI agent writes and how
-> it is published. It is deliberately small: it describes *reporting* (agent → human), which is all v1
-> covers. Two-way (answers/sign-off flowing back to the agent) is **reserved for a future version** — see
-> [Reserved](#reserved-not-in-v1). Licensed **MIT** — implement it in anything.
+> **Status:** v2. This spec defines the `.figs/` folder an AI agent writes, how it is published, and
+> how a human's replies come back. It is deliberately small. **Account-optional:** the protocol and the
+> local tooling are fully usable with no account and no network; a reader/remote is strictly additive.
+> Licensed **MIT** — implement it in anything.
+>
+> *v2 (from v1): the human-reply ledger (`messages.jsonl`) is now part of the format and the loop is
+> two-way; ask types narrowed to `question`/`sign-off`; one unified `attachments[]`; `config.json`'s
+> destination fields are optional (local mode); wire auth is `Authorization: Bearer`. See each section.*
 
 ## 1. Design principles
 
-- **One-way.** An agent *publishes* its state. A Figs reader is a **read-only mirror** — it never writes
-  back into the agent or its repo.
-- **Local-first.** The agent owns a `.figs/` folder on disk. Publishing is an explicit act (`push`), not a
-  live connection.
-- **Upsert-only.** Publishing inserts or updates records by their `id`; it **never deletes** remote rows.
-  The remote is a durable record; the local folder is a transient outbox.
-- **Two content modes, no display language.** Everything is either *structured state* (JSON/JSONL we
-  describe below, rendered by fixed components) or a *rendered artifact* (a file shown in a sandboxed
-  viewer). There is no layout/templating DSL.
-- **Self-describing identity.** An agent generates its own UUID once; that UUID *is* its identity. The same
-  agent (a repo) may be run by many people; their pushes aggregate under that one identity.
+- **Local-first, account-optional.** The agent owns a `.figs/` folder on disk and is fully operational
+  with no account and no network — record work, raise asks, recover across sessions, validate. Publishing
+  to a reader is an explicit, optional act (`push`), not a live connection.
+- **Agent ledgers flow one way (up); the human ledger is the one two-way file.** An agent *publishes*
+  its own records (`runs.jsonl`, `asks.jsonl`); a reader never writes them back. A human's replies live
+  in `messages.jsonl` — the single file that also syncs *down* (§6, §8). Nobody writes into the other
+  side's ledger.
+- **One agent = one repo = one machine** (the topology rule). The agent ledgers are the source of truth
+  on that machine; a reader is an aggregation mirror for humans, never an authority over the files.
+  Running one agent from several machines at once is unsupported (commit the outbox and manage the merge
+  yourself, at your own risk); the fleet-wide cross-machine view is the reader's job.
+- **Upsert-only, never destructive.** Publishing inserts or updates records by their `id`; it never
+  deletes. A push may not walk a record backwards (a stale close/settle never reopens — §8).
+- **Two content modes, no display language.** Everything is either *structured state* (the JSON/JSONL
+  below, rendered by fixed components) or an *attachment* (a file shown in a sandboxed viewer or offered
+  for download). There is no layout/templating DSL.
+- **Self-describing identity.** An agent generates its own UUID once; that UUID *is* its identity. The
+  same agent (a repo) may be run by many people; their pushes aggregate under that one identity.
 
 ## 2. Folder layout
 
 ```
 .figs/
-├── config.json        # identity + destination (committed, non-secret)
+├── config.json        # identity (+ destination once linked); committed, non-secret
 ├── agent.json         # the charter — who this agent is (committed)
 ├── CONTRACT.md        # agent-authored: what this agent surfaces / holds back (committed)
 ├── GUIDE.md           # orientation breadcrumb, written by the CLI (committed)
-├── runs.jsonl         # activity log, one JSON object per line (outbox; gitignored)
-├── asks.jsonl         # things needing a human, one per line (outbox; gitignored)
-└── artifacts/         # files referenced by runs/asks (outbox; gitignored)
+├── runs.jsonl         # activity log — one job per line (machine-local outbox; gitignored)
+├── asks.jsonl         # handoffs to a human — one ask per line (machine-local outbox; gitignored)
+├── messages.jsonl     # the human's replies — one event per line (machine-local; gitignored)
+└── artifacts/         # files attached to any moment (machine-local; gitignored)
 ```
 
-**Commit** `config.json` + `agent.json` + `CONTRACT.md` + `GUIDE.md`. The activity files
-(`runs.jsonl`, `asks.jsonl`, `artifacts/`) are a transient outbox and are typically gitignored.
+**Commit** `config.json` + `agent.json` + `CONTRACT.md` + `GUIDE.md`. The journal
+(`runs.jsonl`, `asks.jsonl`, `messages.jsonl`, `artifacts/`) is a **machine-local** outbox — records
+live on this machine; once linked + pushed, the reader is the durable record humans see.
 
-**`CONTRACT.md` + `GUIDE.md` are companion conventions, not wire format** — they are never
-pushed. `CONTRACT.md` is the standing agreement between the agent and its user about what gets
-surfaced; `GUIDE.md` is an orientation stub the reference CLI writes (and never clobbers).
-Implementations may add files like these; readers must ignore files this spec doesn't name.
+**`CONTRACT.md` + `GUIDE.md` are companion conventions, not wire format** — never pushed.
+`CONTRACT.md` is the standing agreement between agent and user about what gets surfaced; `GUIDE.md`
+is an orientation stub the reference CLI writes (and never clobbers). Implementations may add files
+like these; **readers must ignore files this spec doesn't name.**
 
-**The membership rule — what belongs in `.figs/`:** everything in the folder is *Figs-facing* —
-protocol metadata (`config.json`), the published record (the charter, the outbox), or a
-convention *about* publishing (`CONTRACT.md`, `GUIDE.md`). An agent's private working state —
-memory, self-checks, scratch notes — lives outside `.figs/`, elsewhere in the repo. If a file's
-only reader is the agent itself, it does not belong here.
+**The membership rule:** everything in `.figs/` is *Figs-facing* — protocol metadata, the published
+record, or a convention *about* publishing. An agent's private working state (memory, scratch notes)
+lives elsewhere in the repo. If a file's only reader is the agent itself, it does not belong here.
 
-## 3. `config.json` — identity + destination
+## 3. `config.json` — identity (+ destination)
 
-Non-secret. Pins one shared identity so many runners' pushes aggregate.
+Non-secret. In **local mode** it is just `{ "agentId": "…" }`. `figs link` adds the destination
+(`endpoint` + `workspaceId`) when the agent connects to a reader.
 
-| Field | Type | Notes |
-|---|---|---|
-| `endpoint` | string (URL) | Where to publish (default `https://app.figs.so`). |
-| `workspaceId` | UUID | The workspace this agent belongs to. |
-| `agentId` | UUID | The agent's identity, generated once by `figs init`. The CLI attaches it as the agent's `id` on push (you don't hand-author `id` in `agent.json`). |
+| Field | Type | Req | Notes |
+|---|---|:--:|---|
+| `agentId` | UUID | ✓ | The agent's identity, minted once by `figs init`. The CLI attaches it as the agent's `id` on push (you don't hand-author `id` in `agent.json`). |
+| `endpoint` | string (URL) | | Where to publish (default `https://app.figs.so`). Written by `figs link`. |
+| `workspaceId` | UUID | | The workspace this agent belongs to. Written by `figs link`. **Its presence is what "linked" means** — absent = local mode. |
 
 ## 4. `agent.json` — the charter
 
 The agent's self-description. Authoring this and publishing makes the agent *appear*. The only field you
-author that's required is `name` — **do not hand-author `id`**: `figs init` mints it into `config.json` and
-the CLI attaches it on push. Everything else is optional and rendered when present.
+author that's required is `name` — **do not hand-author `id`**: `figs init` mints it into `config.json`
+and the CLI attaches it on push. Everything else is optional and rendered when present.
 
 | Field | Type | Req | Meaning |
 |---|---|:--:|---|
@@ -76,7 +88,7 @@ the CLI attaches it on push. Everything else is optional and rendered when prese
 | `mandate` | string | | One-paragraph statement of what it's responsible for. |
 | `steps` | string[] | | **Ordered** procedure (numbered render). For pipeline-shaped agents. |
 | `responsibilities` | string[] | | **Unordered** areas of work (bulleted render). For broad/mission agents. |
-| `properties` | `{ k, v }[]` | | Freeform catch-all for facts with no dedicated field. Keep keys short, values single-line. Don't duplicate first-class fields. |
+| `properties` | `{ k, v }[]` | | Freeform catch-all for facts with no dedicated field. Keep keys short, values single-line. |
 | `units` | `Unit[]` | | The instances/things the agent operates on (see below). |
 
 Use **`steps`** *or* **`responsibilities`** depending on shape — a fixed pipeline vs. a set of work areas.
@@ -95,186 +107,216 @@ Use **`steps`** *or* **`responsibilities`** depending on shape — a fixed pipel
 
 ## 5. `runs.jsonl` — activity
 
-One JSON object per line (JSON Lines). **One record = one job** — a unit of work the agent's
-*manager* would recognize ("recon — Acme — November"), under a **stable, meaningful id**
-(`recon-acme-2026-11`); the runs list reads as the job list. Records **fold by `id`** (same
-merge as asks): re-reporting a job's id layers progress onto its row (`status` evolves
-blocked-ish `warn` → `ok`) — sittings/sessions are agent plumbing and never mint records.
-Closing an ask is **not** a job: that's a `resolution` in `asks.jsonl` (§6), never a run.
-
-A job is either **in flight** or **settled** (`state`, below). A **checkpoint**
-(`figs checkpoint`) folds progress onto the job's id and marks it in-flight — the record
-survives the session working it, so a crash mid-job leaves a visible, recoverable stub
-instead of nothing. A **report** files the outcome and settles it; a report with no prior
-checkpoint is simply a job **born settled** (the single-sitting case). Nothing *external*
+One JSON object per line (JSON Lines). **One record = one job** — a unit of work the agent's *manager*
+would recognize ("recon — Acme — November"), under a **stable, meaningful id** (`recon-acme-2026-11`);
+the runs list reads as the job list. Records **fold by `id`**: re-reporting a job's id layers progress
+onto its row (`status` evolves `warn` → `ok`) — sittings/sessions are agent plumbing and never mint
+records. Closing an ask is **not** a job: that's a `resolution` in `asks.jsonl` (§6), never a run.
+
+A job is either **in flight** or **settled** (`state`). A **checkpoint** (`figs checkpoint`) folds
+progress onto the job's id and marks it in-flight — the record survives the session working it, so a
+crash mid-job leaves a visible, recoverable stub. A **report** files the outcome and settles it; a
+report with no prior checkpoint is a job **born settled** (the single-sitting case). Nothing *external*
 ever closes a run — only the agent's own report settles its job.
 
 | Field | Type | Req | Meaning |
 |---|---|:--:|---|
 | `id` | string | ✓ | Stable id (upsert key). |
-| `ts` | string (ISO-8601 w/ offset) | ✓ | When it ran, e.g. `2026-05-28T23:41:26Z`. |
+| `ts` | string (ISO-8601 w/ offset) | ✓ | When it ran. Machine-stamped by the CLI, never typed. |
 | `unit` | string | | The `Unit.id` this run is about. |
 | `period` | string | | |
-| `result` | string | | The job's current one-line state — where it stands while in flight; the outcome once settled. |
-| `status` | `"ok"` \| `"warn"` \| `"fail"` | | Default `"ok"`. **Outcome, never lifecycle** — what the work looks like right now (a stuck job is `warn`); whether the job is *done* is `state`, the orthogonal dimension. |
-| `state` | `"in-flight"` \| `"settled"` | | Default `"settled"`. **Lifecycle, verb-stamped** — `figs checkpoint` stamps `in-flight`, `figs report` stamps `settled`; agents never hand-pick it. An in-flight job whose agent died stays visibly in flight — that's the point: the next session finds it in `figs inbox` and finishes or settles it. |
-| `artifacts` | string[] | | File names under `artifacts/` to attach. Singular `artifact` (string) remains valid shorthand for one — readers normalize to the array (same pattern as `resolution`'s bare-string shorthand). |
-| `session` | `Session` | | Where/how this ran (see [§5.1](#51-session--runtime-metadata-optional)). Optional, self-reported. |
+| `result` | string | | The job's current one-line state while in flight; its outcome once settled. |
+| `status` | `"ok"` \| `"warn"` \| `"fail"` | | Default `"ok"`. **Outcome, never lifecycle** — what the work looks like now (a stuck job is `warn`); whether it's *done* is `state`. |
+| `state` | `"in-flight"` \| `"settled"` | | Default `"settled"`. **Lifecycle, verb-stamped** — `checkpoint` → in-flight, `report` → settled. An in-flight job whose agent died stays in flight: the next session finds it in `figs inbox` and finishes or settles it. |
+| `attachments` | string[] | | File names under `artifacts/` produced at this moment (§7). Attachments belong to their line, not the folded record. |
+| `session` | `Session` | | Where/how this ran ([§5.1](#51-session--runtime-metadata-optional)). Optional, self-reported. |
 
 ### 5.1 `Session` — runtime metadata (optional)
 
 An optional, **self-reported** block describing the runtime session that produced a run (or raised an
-ask — see §6). Every field is optional — fill what your runtime exposes, omit the rest. This is
-*transparency, not attestation*: the values come from the runtime's own records — hand-authored, or
-written by integrations that can copy provable values at work-time (the CLI never infers them).
-Cryptographic provenance remains [reserved](#reserved-not-in-v1).
+ask, or a message). Every field is optional. This is *transparency, not attestation*: the values come
+from the runtime's own records — hand-authored, or written by integrations that copy provable values at
+work-time (the CLI never infers them). Cryptographic provenance remains [reserved](#reserved-not-in-v2).
 
 | Field | Type | Meaning |
 |---|---|---|
-| `runtime` | string | What ran it, e.g. `claude-code`, `codex`, `claude-managed-agents`. |
+| `runtime` | string | What ran it, e.g. `claude-code`, `codex`. |
 | `model` | string | Model id, e.g. `claude-fable-5`. |
 | `sessionId` | string | The runtime's own session identifier. |
 | `startedAt` | string (ISO-8601 w/ offset) | When this job began (the record's `ts` is when it was reported). |
-| `commit` | string | The agent repo's HEAD at run time; append `+dirty` when the working tree had uncommitted changes, e.g. `1b68668+dirty`. |
-| `trigger` | string | What set this sitting in motion — one self-reported line, e.g. `monthly close cron`, `inbox: answer on acme-bridge`, `Wayne, in chat`. A *fresh* sitting on a job states it (stamped from `--trigger` on `figs checkpoint`/`report`); records continuing the same session omit it. The one mechanically verified trigger stays `resolution.answer` ([§6.2](#62-resolution--how-an-ask-closed)). |
-| `tokens` | `{ input?, output?, cacheRead?, cacheWrite? }` (numbers) | **Session totals at report time** — cumulative for the whole session, *not* per-job. Approximate by design (an interactive session may include unrelated chat). Readers may derive per-run deltas between consecutive runs sharing a `sessionId`. Include cache figures when available — in agentic sessions they often dominate real cost. |
+| `commit` | string | The repo's HEAD at run time; append `+dirty` when the tree had uncommitted changes. |
+| `trigger` | string | What set this sitting in motion — one self-reported line (`monthly close cron`, `inbox: answer on acme-bridge`, `Wayne, in chat`). A *fresh* sitting states it; continuations omit it. |
+| `tokens` | `{ input?, output?, cacheRead?, cacheWrite? }` | **Session totals at report time** — cumulative for the whole session, not per-job. Approximate by design. |
 
 ## 6. `asks.jsonl` — handoffs to a human
 
-One JSON object per line. Each is something the agent needs a person to resolve. **This is the handoff
-primitive** — the agent reached the edge of its autonomy.
+One JSON object per line. Each is something the agent needs a person to resolve — the agent reached the
+edge of its autonomy.
 
 | Field | Type | Req | Meaning |
 |---|---|:--:|---|
 | `id` | string | ✓ | Stable id (upsert key). |
-| `type` | enum | ✓ | `needs-decision` \| `sign-off` \| `fyi` — **the type is the answer contract**: *needs-decision* wants an answer (an option or free text), *sign-off* wants a verdict (approve / request changes / reject), *fyi* wants nothing (a for-the-record note; readers never count it as needing a human). `blocked` was **folded into `needs-decision`** (2026-06, pre-launch in-place edit): a stuck job is the *run's* `status`, not an ask type. |
-| `status` | enum | | `"open"` (default) \| `"resolved"` (the need was met) \| `"withdrawn"` (the **asker** retracted it — no longer needed, nobody acted) \| `"rejected"` (the **answerer** declined it — a human said no; usually born in the reader's UI, but the agent may record an out-of-band rejection too). Three closes, three authors-of-the-ending. **Rejected is terminal** on this id — readers keep it sticky; re-raising is a new ask. |
-| `to` | `"manager"` \| `"builder"` | | Who the ask is addressed to: the human accountable for the **work** (`manager`) or for the **machine** (`builder` — e.g. self-edit/logic-change flags). Absent = unaddressed; readers may guess from `type` but must present it as a guess. |
+| `type` | enum | ✓ | `question` \| `sign-off` — **the type is the answer contract**: *question* wants an answer (an option or free text), *sign-off* wants a verdict (approve / request-changes / reject). (`needs-decision` was renamed `question`; `fyi` was retired — a for-the-record note is a settled report, not an ask; `blocked` is the run's `status`, not an ask type.) |
+| `status` | enum | | `"open"` (default) \| `"resolved"` (the need was met) \| `"withdrawn"` (the **agent** retracted it; nobody acted) \| `"rejected"` (a human declined it). **Rejected is terminal** on this id — re-raising is a new ask. |
+| `to` | `"manager"` \| `"builder"` | | Who the ask is addressed to: the human accountable for the **work** (`manager`) or for the **machine** (`builder`). Absent = unaddressed. |
 | `title` | string | ✓ | The ask, in one line. |
 | `unit` | string | | The `Unit.id` this concerns. |
-| `run` | string | | The run `id` this ask was raised during (the work that surfaced it). **Optional** — asks also arise outside runs (a self-found issue, expired credentials). |
+| `run` | string | | The run `id` this ask was raised during. **Optional** — asks also arise outside runs. |
 | `found` | string | | What the agent found / why it's stuck. |
 | `need` | string | | What it needs from the human. |
-| `options` | string[] | | Candidate resolutions — **short, stable, quotable** strings: an answer references one *verbatim* (see [§6.2](#62-resolution--how-an-ask-closed)). On a **sign-off** they are **answer paths** — qualified verdicts the human's verdict can cite verbatim alongside approve/request-changes (e.g. `"Approved — file the 15 ready charges"`). |
-| `onApprove` | string[] | | **Sign-off only.** The ordered steps approval sets in motion — **an approval authorizes exactly these stated steps, in order** (e.g. `"Post the 8 journal entries to SAP"`, `"Email the filing to Acme"`); flag anything irreversible in the step itself. This is the agent's **declared intent, not a bound plan** — readers present it as the agent's claim. Invalid on other types: a *needs-decision* has no approval; there, the chosen option carries the next step. |
+| `options` | string[] | | Candidate answers — **short, stable, quotable** strings: a reply cites one *verbatim* (§6.2). On a **sign-off** they are qualified-verdict paths (e.g. `"Approved — file the 15 ready charges"`). |
+| `onApprove` | string[] | | **Sign-off only.** The ordered steps approval sets in motion — **an approval authorizes exactly these steps, in order**; flag anything irreversible in the step. The agent's declared intent, not a bound plan. Invalid on a `question`. |
 | `details` | `{ l, v }[]` | | Labelled facts (e.g. amount at risk). |
-| `refs` | `{ label, artifact? }[]` | | Pointers to artifacts that back the ask. |
+| `attachments` | string[] | | File names under `artifacts/` attached to this ask (the exact content to review — §7). |
 | `resolution` | string \| `Resolution` | | The agent's account of the close ([§6.2](#62-resolution--how-an-ask-closed)). A bare string is shorthand for `{ "note": … }`. |
-| `ts` | string (ISO-8601 w/ offset) | | |
-| `session` | `Session` | | The session that raised this ask (same shape as [§5.1](#51-session--runtime-metadata-optional)). |
-
-### 6.1 Lifecycle — two ledgers, split by author
+| `ts` | string (ISO-8601 w/ offset) | | Machine-stamped. |
+| `session` | `Session` | | The session that raised this ask. |
 
-An ask is the **anchor of a thread whose two halves are owned by different parties**:
+### 6.1 Lifecycle — two ledgers, two directions
 
-- **The agent's ledger** is `asks.jsonl` — only the agent writes here. Records **fold by `id`**
-  (field-level merge: later lines layer over earlier ones), so the close is an *append*, not an edit:
+An ask anchors a thread whose two halves are owned by different parties:
 
-  ```jsonc
-  { "id": "acme-bridge", "status": "resolved",
-    "resolution": { "chosen": "Strip the alpha prefix", "via": "human",
-                    "by": "Sarah (accounting)", "ts": "2026-06-01T09:12:00Z" } }
-  ```
-
-  Appending keeps the local file crash-safe, concurrency-safe (multiple runners), and an honest
+- **The agent's ledger** is `asks.jsonl` — only the agent writes here, one-way **up**. Records **fold
+  by `id`** (field-level merge; later lines layer over earlier), so the close is an *append*, not an
+  edit. Appending keeps the file crash-safe, concurrency-safe (same-machine sessions), and an honest
   self-audit trail; the folded record the reader stores is one complete ask.
-- **The human's ledger** is server-side — claims, answers, and verdicts born in the reader's UI.
-  These are [reserved](#reserved-not-in-v1) in v1 and **never appear in `asks.jsonl`**: nobody
-  writes into the other side's record; the two ledgers cross-reference by id.
+- **The human's ledger** is `messages.jsonl` (§6.3) — replies (answers/verdicts). It is the one file
+  that flows **down** too: a reply made in the reader's UI syncs into `messages.jsonl`; a reply given
+  out-of-band (e.g. in chat) is transcribed there by the agent (`figs answer`). Either way, nobody
+  writes the other side's ledger.
 
-The full state machine: `open` → *(answered/verdict — human, server-side)* →
-`resolved` | `withdrawn` *(agent, in `asks.jsonl`)* — plus the one human-side close:
-**`rejected`** (a reject verdict in the reader's UI closes the ask immediately; the agent's
-later resolution append folds onto it without reopening). Today resolution otherwise happens
-in the agent's own workflow; answers flowing back through the reader are arriving incrementally.
+State machine: `open` → *(a reply arrives — `messages.jsonl`)* → the agent **closes** it
+(`resolved` | `withdrawn` | `rejected`, derived from the reply; §6.2). `rejected` is terminal.
 
 ### 6.2 `Resolution` — how an ask closed
 
+The close is derived from the newest reply on the ask and cites it.
+
 | Field | Type | Meaning |
 |---|---|---|
 | `note` | string | The agent's one-line account of the close. |
-| `chosen` | string | The decision taken — **verbatim** one of the ask's `options[]`. |
-| `via` | `"figs"` \| `"human"` \| `"self"` | Where the unblock came from: an answer pulled from Figs (verified — see `answer`) · answered out-of-band (self-reported) · the blocker cleared on its own. |
-| `by` | string | Who answered, as the agent knows it (self-reported; verified attribution only exists for `via: "figs"`). |
-| `answer` | string | The Figs answer-event id the agent acted on — written by `figs resolve` when the answer came through the inbox (attribution by mechanism, never typed). The cited event may be an answer **or a qualified verdict** (a verdict carrying `chosen`). |
-| `ts` | string (ISO-8601 w/ offset) | When the agent closed it — **machine-stamped by `figs resolve`, never typed**. The agent's claim of the execution-adjacent moment, same self-reported grade as the record `ts`; readers stamp their own receipt at ingest and surface both only when they diverge. Lives *inside* `resolution` so the fold can't collide with the record's raise `ts`. |
+| `chosen` | string | The decision taken — **verbatim** one of the ask's `options[]` (copied from the cited reply). |
+| `run` | string | The job the reply set in motion (mirror of `ask.run`) — so a reader can navigate answer → work → outcome. |
+| `via` | `"figs"` \| `"human"` \| `"self"` | How it closed: `figs` = derived from a reply on file, citing it (`answer`) · `human` = an out-of-band reply with no event cited · `self` = the blocker cleared on its own. |
+| `answer` | string | The `messages.jsonl` event id the close acted on — written by `figs close` (attribution by mechanism, never typed). **Trust derives from that event's mint origin** (§6.3), not from this field. |
+| `ts` | string (ISO-8601 w/ offset) | When the agent closed it — **machine-stamped, never typed**. Lives *inside* `resolution` so the fold can't collide with the ask's raise `ts`. |
 
-All fields optional; a bare-string `resolution` is shorthand for `{ "note": … }` and readers
-normalize it to the object form.
+All fields optional; a bare-string `resolution` is shorthand for `{ "note": … }`.
 
-## 7. `artifacts/` — rendered files
+### 6.3 `messages.jsonl` — the human-reply ledger *(new in v2)*
 
-Files referenced by a run's `artifact` or an ask's `refs[].artifact`. Each is content-addressed (an
-unchanged file is skipped on publish).
+One JSON object per line. Each is a **human's reply** to an ask. Messages are **events, not records**:
+immutable, ids minted once, they **accumulate** (no fold) — an ask can carry answer → changes-requested
+→ approved, and every one survives. A correction is a *new* message.
 
-- **Supported kinds** (by extension): `html`, `markdown` (`.md`), `text` (`.txt`), `json`, and `image`
-  (`.png` `.jpg` `.gif` `.webp` `.svg`).
-- **Size:** keep each file **≤ ~3 MB** (compress images client-side if needed).
-- Artifacts are shown in a **sandboxed iframe** by the reader; an artifact cannot reach the host app.
+| Field | Type | Req | Meaning |
+|---|---|:--:|---|
+| `id` | string | ✓ | Event id, minted once by whoever creates the message (the reader, or the CLI for a transcription). Never hand-authored, never re-minted. |
+| `kind` | `"answer"` \| `"verdict"` | ✓ | An answer (to a question) or a verdict (on a sign-off). |
+| `ask` | string | ✓* | The ask id this replies to. *Optional only for reserved human-initiated kinds (`note`/`directive`), which may anchor to a run or stand alone. |
+| `by` | string | ✓ | Who said it (the human). |
+| `ts` | string (ISO-8601 w/ offset) | ✓ | Machine-stamped (server clock for reader-minted, CLI clock for transcribed). |
+| `source` | `"app"` \| `"chat"` \| … | | **Where the reply arrived** (display metadata, *not* trust) — `app` = in the reader, `chat` = transcribed by the agent. Extensible (`slack`, `email`, …). |
+| `chosen` | string | | The option cited, **verbatim** from the ask's `options[]`. |
+| `text` | string | | Free-text reply. |
+| `verdict` | `"approved"` \| `"changes-requested"` \| `"rejected"` | | On a `verdict` message. |
+
+**The trust rule (normative):** a reader derives the *verified* grade from **mint origin** — a message
+the reader minted itself is attested; a message that arrived via push (transcribed by an agent) is
+self-reported, **whatever its `source` says.** `source` is display metadata; never trust input.
+
+`messages.jsonl` is part of the wire (pushed up, §8) and the one file that syncs **down**. It is not
+folded; readers and the CLI dedupe by event `id`.
+
+## 7. `artifacts/` — attachments
+
+Files attached to a moment via `attachments[]` on a run, ask, or close line. An attachment belongs to
+the line that produced it (a checkpoint draft on its checkpoint, the deliverable on its report, proof
+on its close) — **not** to the folded record, so an intermediate is never lost. Each file is
+content-addressed (an unchanged file is skipped on publish; a re-attach of the same name with different
+bytes is rejected — use a new name).
+
+- **Renderable** (shown inline in a sandboxed viewer): `html`, `md`, `txt`, `json`, images
+  (`.png .jpg .jpeg .gif .webp .svg`).
+- **Download-only** (offered as a download, never rendered — lower risk, nothing executes):
+  `.csv .pdf .xlsx .xls .docx`. Extensible.
+- **Size:** keep each file **≤ ~10 MB**.
+- Attachments are produced locally and **do not sync down** (a reference missing on a fresh clone is
+  shown as "view it in the app", not downloaded).
 
 ## 8. Publishing (the wire contract)
 
-`push` sends two things, authenticated by a per-user token in the `x-figs-token` header:
+Authenticated by a per-user token in the **`Authorization: Bearer <token>`** header. (The reference CLI
+also sends the legacy `x-figs-token` through the v1→v2 transition; readers may accept both until the
+minimum CLI version requires Bearer.)
+
+**Up — `push`** sends:
 
 1. **The spine** → `POST {endpoint}/api/ingest`, body:
    ```jsonc
    {
-     "workspaceId": "<uuid>",      // from config.json
-     "agent": { /* agent.json */ },
-     "runs":  [ /* runs.jsonl  */ ],   // optional
-     "asks":  [ /* asks.jsonl  */ ]    // optional
+     "workspaceId": "<uuid>",        // from config.json
+     "agent":    { /* agent.json */ },
+     "runs":     [ /* runs.jsonl     */ ],   // optional
+     "asks":     [ /* asks.jsonl     */ ],   // optional
+     "messages": [ /* messages.jsonl */ ],   // optional — transcribed replies the reader lacks
+     "confirmRename": true                   // optional — `figs push --rename`: confirm a real name change
    }
    ```
-2. **Each referenced artifact** → `POST {endpoint}/api/artifacts/upload`, content base64-encoded (so
-   binaries survive), hash server-verified.
+2. **Each attached file** → `POST {endpoint}/api/artifacts/upload`, base64-encoded, hash-verified.
+
+The server upserts the agent by `id` and runs/asks by `id`; it dedupes messages by event `id`; it never
+deletes. An agent **self-registers** on first push. **A push never walks a record backwards:** the
+server refuses a fold older than the record's stored close/settle (a stale machine pushing old state)
+and accepts a newer one (a legitimate reopen — the `warn` → `ok` evolution). **A push never re-homes an
+agent:** a `workspaceId` differing from the agent's registered home is rejected `409`
+`{ "error", "code": "agent_moved", "workspaceId"? }`; the agent recovers by setting
+`config.json#workspaceId` to the named workspace and pushing again. **A push never silently
+re-identifies an agent:** a `name` differing from the one registered for that `agentId` is the
+fingerprint of a copied folder and is rejected `409` `{ "error", "code": "agent_renamed" }` — the
+agent rotates identity (`rm -rf .figs && figs init`) for a genuinely new agent, or sets
+`confirmRename` (`figs push --rename`) once to confirm a real rename. `name` is the signal because a
+copy-to-make-another always renames while role/mandate evolve legitimately; the check is `name` only.
+
+**Down — the reply sync.** Delivery is **agent-pulled**, never pushed into the repo: a reader exposes a
+read returning **this agent's human messages** (answers/verdicts), which the CLI merges into
+`messages.jsonl` (append-if-id-absent). It must return the agent's complete open surface or flag
+truncation — a silently partial sync is forbidden. *(Only this — the human reply ledger — syncs down;
+agent ledgers and attachments never do. The exact endpoint is finalized alongside the reader.)*
+
+Because every push is authenticated, the receiver may stamp each newly created row with the pushing
+identity ("pushed by") — it attributes the *credential*, not necessarily the human at the keyboard.
+Agents never author this field.
 
-The server upserts the agent by `id` and runs/asks by `id`; it never deletes. An agent **self-registers**
-on first push — there is no "create agent" step.
+## 9. Validation & versioning
 
-**A push never re-homes an agent.** The workspace an agent is registered to is authoritative
-server-side: a payload whose `workspaceId` differs from it is rejected with HTTP `409` and body
-`{ "error", "code": "agent_moved", "workspaceId"? }`. The `error` text states the fix; `workspaceId`
-(the agent's current home) is included only when the pushing token has access to that workspace.
-Moving an agent between workspaces is a reader-side management act, outside this contract — the agent
-recovers by setting `config.json#workspaceId` to the workspace named in the error and pushing again
-(each runner self-heals on its own next push; nothing propagates through the repo).
+- **Local validation is normative for conformance** and runs account-free (`figs doctor`). A reader's
+  `POST {endpoint}/api/validate` is an additive second opinion, not the gate.
+- **`figs-spec` is integer-versioned.** v2 is current. **Additive/optional** fields keep the version
+  number; the number bumps only on a **breaking** change. (Implementations report support via
+  `GET {endpoint}/api/version`.) v1 → v2 bumped because two-way reply flow and `messages.jsonl` are not
+  additive to v1's one-way promise.
+- The spec stays intentionally minimal — extensions arrive as additive optional fields until a breaking
+  change is unavoidable.
 
-Because every push is authenticated, the receiver knows which account performed it and **may stamp each
-newly created run/ask with that identity** ("pushed by"). This is server-observed — it attributes the
-*credential*, not necessarily the human at the keyboard (a shared runner box should use a dedicated
-account named for what it is, e.g. "Runner — analytics box"). Agents never author this field.
+## Reserved (not in v2)
 
-## 9. Validation & versioning
+Named here so implementers don't repurpose these concepts:
 
-- A `.figs/` folder can be validated against this spec before publishing (`figs doctor` →
-  `POST {endpoint}/api/validate`). The shapes are the source of truth; readers reject malformed payloads.
-- **`figs-spec` is integer-versioned.** v1 is the current version. **Additive/optional** fields keep the
-  version number (an older `agent.json` still validates). The number is bumped only on a **breaking**
-  change. (Implementations report support via `GET {endpoint}/api/version`.)
-- v1 is intentionally minimal — it defines the smallest useful surface so we don't freeze the wrong
-  abstractions early. Extensions arrive as additive optional fields until a breaking change is unavoidable.
-
-## Reserved (not in v1)
-
-Deliberately out of scope for v1, named here so implementers don't repurpose these concepts:
-
-- **Two-way / answer-down — thread events.** A human answer or sign-off flowing *back* to the agent
-  through Figs (vs. the agent resolving in its own workflow). v1 is report-only. The shapes are locked
-  so `options[]`/`resolution` are designed for them: server-side events keyed to the ask id —
-  `answer { by, ts, chosen?, text? }` where
-  `chosen` verbatim-matches an `options[]` entry · `verdict { by, ts, verdict: "approved" | "changes-requested" | "rejected", text? }`
-  for sign-offs. Answers/verdicts are permission-gated to the agent's manager/builder (the injection
-  gate); delivery is **agent-pulled** (an inbox read), never pushed into the repo. Item kinds `note`
-  and `directive` (human-initiated) are named-reserved.
+- **Human-initiated messages — `note` / `directive`.** A human starting a thread ("also send the email
+  to X") rather than replying to an ask. The channel exists (`messages.jsonl` + the down-sync); these
+  kinds and their anchoring (to a run, or standalone) are named-reserved.
 - **Provenance / signing.** Cryptographic attestation that a report is complete, fresh, and untampered.
-  v1 state is *self-reported*; treat it as visibility, not a tamper-evident audit trail.
-- **Per-record visibility / scoping.** v1 publishes to a workspace where all members can read everything.
+  v2 state is *self-reported*; treat it as visibility, not a tamper-evident audit trail.
+- **Per-record visibility / scoping.** v2 publishes to a workspace where all members read everything.
+- **Sync cursors / pagination.** The down-sync returns the agent's open surface whole (or flags
+  truncation); cursors arrive when scale demands.
 
 ## 10. A complete example
 
 ```jsonc
-// .figs/config.json
-{ "endpoint": "https://app.figs.so", "workspaceId": "…uuid…", "agentId": "…uuid…" }
+// .figs/config.json   (linked; local mode would be just { "agentId": "…" })
+{ "agentId": "…uuid…", "endpoint": "https://app.figs.so", "workspaceId": "…uuid…" }
 ```
 
 ```jsonc
@@ -283,7 +325,6 @@ Deliberately out of scope for v1, named here so implementers don't repurpose the
   "name": "Reconciliation",
   "role": "Reconciliation Officer",
   "status": "in_dev",
-  "avatar": { "seed": "Reconciliation" },
   "org": { "department": "Finance Ops" },
   "runtime": "Claude Code",
   "cadence": "Monthly",
@@ -294,10 +335,6 @@ Deliberately out of scope for v1, named here so implementers don't repurpose the
     "Classify every key — matched / needs-review / our-side-only / customer-only — with a 'why'.",
     "Surface discrepancies. Never write back to the source."
   ],
-  "properties": [
-    { "k": "Data sources", "v": "Stripe · NetSuite" },
-    { "k": "Escalation", "v": "#finance-ops" }
-  ],
   "units": [
     { "id": "acme", "name": "Acme Corp", "status": "88% matched · 31 keys flagged", "period": "2025-11",
       "stats": [ { "l": "Matched", "v": "2,161 keys" }, { "l": "Needs review", "v": "31 keys" } ] }
@@ -306,25 +343,29 @@ Deliberately out of scope for v1, named here so implementers don't repurpose the
 ```
 
 ```jsonc
-// .figs/runs.jsonl   (one object per line; records fold by id — the checkpoint opened the job, the report settled it)
+// .figs/runs.jsonl   (records fold by id — the checkpoint opened the job, the report settled it)
 { "id": "acme-2025-11", "ts": "2026-05-28T23:05:40Z", "unit": "acme", "period": "2025-11", "state": "in-flight", "result": "Statements pulled — matching now",
-  "session": { "runtime": "claude-code", "trigger": "monthly close cron" } }
-{ "id": "acme-2025-11", "ts": "2026-05-28T23:41:26Z", "unit": "acme", "period": "2025-11", "result": "88% matched · 31 keys flagged", "status": "ok", "state": "settled", "artifact": "acme-2025-11.html",
-  "session": { "runtime": "claude-code", "model": "claude-fable-5", "sessionId": "3fffcd97-d4f5-4b77-8243-8f450d7c9614",
-    "startedAt": "2026-05-28T23:02:00Z", "commit": "1b68668",
-    "tokens": { "input": 26608, "output": 135532, "cacheRead": 8677869, "cacheWrite": 543145 } } }
+  "attachments": ["acme-wip.csv"], "session": { "runtime": "claude-code", "trigger": "monthly close cron" } }
+{ "id": "acme-2025-11", "ts": "2026-05-28T23:41:26Z", "unit": "acme", "period": "2025-11", "result": "88% matched · 31 keys flagged", "status": "ok", "state": "settled",
+  "attachments": ["acme-2025-11.html"], "session": { "runtime": "claude-code", "model": "claude-fable-5" } }
 ```
 
 ```jsonc
-// .figs/asks.jsonl   (one object per line; records fold by id — the close is an append)
-{ "id": "acme-bridge", "ts": "2026-05-28T21:05:00Z", "type": "needs-decision", "status": "open", "to": "manager", "unit": "acme", "run": "acme-2025-11",
+// .figs/asks.jsonl   (records fold by id — the close is an append, derived from the reply and citing it)
+{ "id": "acme-bridge", "ts": "2026-05-28T21:05:00Z", "type": "question", "status": "open", "to": "manager", "unit": "acme", "run": "acme-2025-11",
   "title": "No bridge rule for prefixed invoice numbers",
   "found": "~180 rows can't be matched safely; guessing risks false matches.",
   "need": "Confirm the bridge rule for prefixed invoice numbers.",
   "options": [ "Strip the alpha prefix", "Use a mapping you provide", "Treat as out-of-scope" ],
   "details": [ { "l": "Amount at risk", "v": "$50.0M" } ],
-  "refs": [ { "label": "Acme report", "artifact": "acme-2025-11.html" } ] }
+  "attachments": [ "acme-2025-11.html" ] }
 { "id": "acme-bridge", "status": "resolved",
-  "resolution": { "chosen": "Strip the alpha prefix", "via": "human", "by": "Sarah (accounting)",
-                  "note": "confirmed in terminal — applied from 2025-11 onward" } }
+  "resolution": { "chosen": "Strip the alpha prefix", "via": "figs", "answer": "msg-7f3a", "by": "Sarah (accounting)",
+                  "run": "acme-bridge-fix-2025-11", "ts": "2026-06-01T09:12:00Z" } }
+```
+
+```jsonc
+// .figs/messages.jsonl   (the human's replies — events, not folded; deduped by id)
+{ "id": "msg-7f3a", "kind": "answer", "ask": "acme-bridge", "by": "Sarah (accounting)", "ts": "2026-06-01T09:10:00Z",
+  "source": "app", "chosen": "Strip the alpha prefix" }
 ```