@ixo/editor 4.3.1 → 5.1.0

package/dist/{chunk-B7UIUYP5.mjs → chunk-75MWYZJ2.mjs}

@@ -15,7 +15,6 @@ var ACTION_TYPE_ALIASES = {
   "proposal.vote": "qi/proposal.vote",
   "protocol.select": "qi/protocol.select",
   "domain.sign": "qi/domain.sign",
-  "domain.card-build": "qi/domain.card-build",
   "domain.card-preview": "qi/domain.card-preview",
   "credential.store": "qi/credential.store",
   // POD setup flow — camelCase orchestrator labels → canonical action types
@@ -62,7 +61,6 @@ var CAN_TO_TYPE = {
   "matrix/dm": "qi/matrix.dm",
   "proposal/create": "qi/proposal.create",
   "proposal/vote": "qi/proposal.vote",
-  "domain/card-build": "qi/domain.card-build",
   "domain/card-preview": "qi/domain.card-preview",
   "domain/sign": "qi/domain.sign",
   "credential/store": "qi/credential.store",
@@ -77,7 +75,17 @@ var CAN_TO_TYPE = {
   "pod/entity-single-selection": "qi/pod.entity-single-selection",
   "pod/governance-config": "qi/pod.governance-config",
   "pod/member-multi-select": "qi/pod.member-multi-select",
-  "pod/list-domain-flows": "qi/pod.list-domain-flows"
+  "pod/list-domain-flows": "qi/pod.list-domain-flows",
+  "wallet/generate": "qi/wallet.generate",
+  "wallet/fund": "qi/wallet.fund",
+  "iid/create": "qi/iid.create",
+  "matrix/register": "qi/matrix.register",
+  "entity/createOracle": "qi/entity.createOracle",
+  "sandbox/provision": "qi/sandbox.provision",
+  "oracle/contract": "qi/oracle.contract",
+  "oracle/storeSecrets": "qi/oracle.storeSecrets",
+  "oracle/storeConfig": "qi/oracle.storeConfig",
+  "oracle/configureOracle": "qi/oracle.configureOracle"
 };
 var TYPE_TO_CAN = Object.fromEntries(Object.entries(CAN_TO_TYPE).map(([can, type]) => [type, can]));
 function canToType(can) {
@@ -150,6 +158,30 @@ function buildServicesFromHandlers(handlers) {
     } : void 0,
     matrix: handlers?.storeMatrixCredential ? {
       storeCredential: async (params) => handlers.storeMatrixCredential(params)
+    } : void 0,
+    oracle: handlers?.generateWallet ? {
+      generateWallet: async () => handlers.generateWallet(),
+      fundWallet: async (params) => handlers.fundWallet(params),
+      createIidDocument: async (params) => handlers.createIidDocument(params),
+      registerMatrixAccount: async (params) => handlers.registerMatrixAccount(params),
+      createOracleEntity: async (params) => handlers.createOracleEntity(params),
+      contract: async (params) => handlers.oracleContract(params),
+      provisionSandbox: async (params) => handlers.provisionSandbox(params),
+      storeSecrets: async (params) => handlers.storeSecrets(params),
+      storeConfig: async (params) => handlers.storeOracleConfig(params),
+      validateMcpServer: handlers.validateMcpServer || (async () => ({ success: false, error: "Handler not configured" })),
+      encryptForOracle: async (params) => handlers.encryptSecretForOracle(params),
+      readStoredSecrets: async (params) => handlers.readStoredSecrets(params),
+      getNetworkConstants: async (params) => handlers.getNetworkConstants(params),
+      deploySetup: handlers.deploySetup || (async () => {
+        throw new Error("deploySetup handler not configured");
+      }),
+      deployStart: handlers.deployStart || (async () => {
+        throw new Error("deployStart handler not configured");
+      }),
+      updateOracleDomain: handlers.updateOracleDomain || (async () => {
+        throw new Error("updateOracleDomain handler not configured");
+      })
     } : void 0
   };
 }
@@ -308,12 +340,31 @@ registerAction({
     { path: "nftContractAddress", displayName: "NFT Contract Address", type: "string", description: "NFT staking contract address \u2014 nftStaking only" },
     { path: "tokenConfig", displayName: "Token Config", type: "object", description: "Token configuration \u2014 tokenStaking only" }
   ],
+  events: [
+    {
+      name: "configured",
+      displayName: "Members Configured",
+      description: "Fires when membership configuration is complete.",
+      payloadSchema: [
+        {
+          path: "memberConfig",
+          displayName: "Member Config",
+          type: "object",
+          description: "Full member configuration (members, multisigThreshold, nftContractAddress, or tokenConfig depending on group type)"
+        }
+      ],
+      pendingDisplayFields: ["memberConfig.memberCount"]
+    }
+  ],
   run: async (inputs) => {
     const groupType = inputs.groupType || "categorical";
     if (groupType === "nftStaking") {
       const addr = String(inputs.nftContractAddress || "").trim();
       if (!addr) throw new Error("NFT contract address is required for nftStaking groups");
-      return { output: { nftContractAddress: addr } };
+      return {
+        output: { nftContractAddress: addr },
+        events: [{ name: "configured", payload: { memberConfig: { nftContractAddress: addr, memberCount: 0 } } }]
+      };
     }
     if (groupType === "tokenStaking") {
       const tokenConfig = inputs.tokenConfig;
@@ -326,7 +377,10 @@ registerAction({
         const supply = Number(tokenConfig.tokenSupply);
         if (isNaN(supply) || supply <= 0) throw new Error("Token supply must be a positive number");
       }
-      return { output: { tokenConfig } };
+      return {
+        output: { tokenConfig },
+        events: [{ name: "configured", payload: { memberConfig: { tokenConfig, memberCount: 0 } } }]
+      };
     }
     const members = Array.isArray(inputs.members) ? inputs.members : [];
     if (members.length === 0) throw new Error("At least one member is required");
@@ -337,7 +391,10 @@ registerAction({
       const threshold = Number(inputs.multisigThreshold);
       if (!Number.isInteger(threshold) || threshold < 1) throw new Error("Multisig threshold must be a positive integer");
       if (threshold > members.length) throw new Error(`Threshold (${threshold}) cannot exceed member count (${members.length})`);
-      return { output: { members, multisigThreshold: threshold } };
+      return {
+        output: { members, multisigThreshold: threshold },
+        events: [{ name: "configured", payload: { memberConfig: { members, multisigThreshold: threshold, memberCount: members.length } } }]
+      };
     }
     const hasAdmin = members.some((m) => String(m.role || "").toLowerCase() === "admin");
     if (!hasAdmin) throw new Error("At least one member must have the Admin role");
@@ -345,7 +402,10 @@ registerAction({
       const vp = Number(m.votingPower);
       if (!Number.isInteger(vp) || vp <= 0) throw new Error(`Voting power must be a positive integer (got ${m.votingPower} for ${m.did})`);
     }
-    return { output: { members } };
+    return {
+      output: { members },
+      events: [{ name: "configured", payload: { memberConfig: { members, memberCount: members.length } } }]
+    };
   }
 });
 
@@ -361,6 +421,19 @@ registerAction({
     { path: "groupType", displayName: "Group Type", type: "string", description: "Governance group type (categorical | multisig | nftStaking | tokenStaking)" },
     { path: "governance", displayName: "Governance Settings", type: "object", description: "Cosmos group decision policy parameters" }
   ],
+  events: [
+    {
+      name: "configured",
+      displayName: "Governance Configured",
+      description: "Fires when governance group type and decision policy are configured.",
+      payloadSchema: [
+        { path: "governanceConfig.groupName", displayName: "Group Name", type: "string" },
+        { path: "governanceConfig.groupType", displayName: "Group Type", type: "string" },
+        { path: "governanceConfig.governance", displayName: "Governance Settings", type: "object" }
+      ],
+      pendingDisplayFields: ["governanceConfig.groupName", "governanceConfig.groupType"]
+    }
+  ],
   run: async (inputs) => {
     const groupName = String(inputs.groupName || "").trim();
     if (!groupName) throw new Error("groupName is required");
@@ -387,7 +460,10 @@ registerAction({
         throw new Error("threshold + vetoThreshold cannot exceed 1.0");
       }
     }
-    return { output: { groupName, groupType, governance } };
+    return {
+      output: { groupName, groupType, governance },
+      events: [{ name: "configured", payload: { governanceConfig: { groupName, groupType, governance } } }]
+    };
   }
 });
 
@@ -2233,16 +2309,119 @@ var tempDomainCreatorSurvey = {
 };
 
 // src/core/lib/actionRegistry/actions/domainSign.ts
+function resolveEntityTypeFromSchema(schemaType) {
+  const normalized = schemaType.replace(/^schema:/i, "").toLowerCase();
+  const schemaToEntity = {
+    organization: "dao",
+    nonprofit: "dao",
+    corporation: "dao",
+    governmentorganization: "dao"
+  };
+  if (schemaToEntity[normalized]) return schemaToEntity[normalized];
+  const allowed = /* @__PURE__ */ new Set(["dao", "protocol", "oracle", "investment", "project", "asset"]);
+  return allowed.has(normalized) ? normalized : "dao";
+}
+function parseJsonInput(value) {
+  if (!value) return null;
+  if (typeof value === "object" && !Array.isArray(value)) return value;
+  if (typeof value === "string") {
+    try {
+      const parsed = JSON.parse(value);
+      return parsed && typeof parsed === "object" ? parsed : null;
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+function parseDuration(raw) {
+  const seconds = parseInt(raw, 10) || 0;
+  if (seconds % (7 * 86400) === 0) return { amount: seconds / (7 * 86400), unit: "weeks" };
+  if (seconds % 86400 === 0) return { amount: seconds / 86400, unit: "days" };
+  if (seconds % 3600 === 0) return { amount: seconds / 3600, unit: "hours" };
+  if (seconds % 60 === 0) return { amount: seconds / 60, unit: "minutes" };
+  return { amount: seconds, unit: "seconds" };
+}
+function buildGroupConfig(groupType, governance, memberConfig) {
+  const duration = parseDuration(governance.votingPeriod || "604800s");
+  const thresholdNum = parseFloat(governance.threshold || "0.51");
+  const baseConfig = {
+    proposalDurationAmount: duration.amount,
+    proposalDurationUnit: duration.unit,
+    proposalSubmissionPolicy: "members",
+    voteSwitching: false
+  };
+  if (groupType === "multisig") {
+    const members2 = memberConfig?.members || [];
+    return {
+      threshold: memberConfig?.multisigThreshold || 1,
+      membershipCategory: [{ members: members2.map((m) => m.did) }]
+    };
+  }
+  if (groupType === "nftStaking") {
+    return {
+      ...baseConfig,
+      nftContractAddress: memberConfig?.nftContractAddress || "",
+      unstakingDuration: governance.unstakingDuration ? parseDuration(governance.unstakingDuration) : void 0
+    };
+  }
+  if (groupType === "tokenStaking") {
+    const tokenConfig = memberConfig?.tokenConfig || {};
+    return {
+      ...baseConfig,
+      passingThreshold: thresholdNum === 0.5 ? "majority" : "percentage",
+      passingThresholdPercentage: Math.round(thresholdNum * 100),
+      tokenName: tokenConfig.tokenName || "",
+      tokenSymbol: tokenConfig.tokenSymbol || "",
+      tokenSupply: tokenConfig.tokenSupply || 0,
+      distributionCategory: tokenConfig.distributionCategory || [],
+      unstakingDuration: governance.unstakingDuration ? parseDuration(governance.unstakingDuration) : void 0
+    };
+  }
+  const members = memberConfig?.members || [];
+  const byRole = /* @__PURE__ */ new Map();
+  for (const m of members) {
+    const role = m.role || "member";
+    const existing = byRole.get(role);
+    if (existing) {
+      existing.dids.push(m.did);
+    } else {
+      byRole.set(role, { dids: [m.did], weight: m.votingPower || 1 });
+    }
+  }
+  return {
+    ...baseConfig,
+    passingThreshold: thresholdNum === 0.5 ? "majority" : "percentage",
+    passingThresholdPercentage: Math.round(thresholdNum * 100),
+    membershipCategory: Array.from(byRole.values()).map(({ dids, weight }) => ({
+      members: dids.map((did) => ({ memberAddress: did })),
+      weightPerMember: weight
+    }))
+  };
+}
 registerAction({
   type: "qi/domain.sign",
   can: "domain/sign",
   sideEffect: true,
   defaultRequiresConfirmation: true,
   requiredCapability: "flow/block/execute",
+  eligibleForEventTrigger: true,
   outputSchema: [
     { path: "entityDid", displayName: "Entity DID", type: "string", description: "The DID of the newly created domain entity" },
     { path: "transactionHash", displayName: "Transaction Hash", type: "string", description: "The on-chain transaction hash for domain creation" }
   ],
+  events: [
+    {
+      name: "created",
+      displayName: "Domain Created",
+      description: "Fires after the domain entity is successfully created on-chain.",
+      payloadSchema: [
+        { path: "entityDid", displayName: "Entity DID", type: "string", description: "DID of the newly created domain" },
+        { path: "transactionHash", displayName: "Transaction Hash", type: "string", description: "On-chain transaction hash" }
+      ],
+      pendingDisplayFields: ["entityDid"]
+    }
+  ],
   run: async (inputs, ctx) => {
     const handlers = ctx.handlers;
     if (!handlers) {
@@ -2267,8 +2446,7 @@ registerAction({
     if (!domainCardData?.credentialSubject?.name) {
       throw new Error("domainCardData is missing or invalid (credentialSubject.name required)");
     }
-    const extractEntityType = (type) => type.replace(/^schema:/i, "").toLowerCase();
-    const entityType = String(inputs.entityType || "").trim() || (domainCardData.credentialSubject?.type?.[0] ? extractEntityType(domainCardData.credentialSubject.type[0]) : "dao");
+    const entityType = String(inputs.entityType || "").trim() || (domainCardData.credentialSubject?.type?.[0] ? resolveEntityTypeFromSchema(domainCardData.credentialSubject.type[0]) : "dao");
     const issuerDid = handlers.getEntityDid?.() || handlers.getCurrentUser?.()?.address;
     if (!issuerDid) throw new Error("Unable to determine issuer DID");
     const entityDidPlaceholder = "did:ixo:entity:pending";
@@ -2313,18 +2491,27 @@ registerAction({
       serviceEndpoint: uploadResult.url,
       description: `Domain Card for ${domainCardData.credentialSubject?.name || "Domain"}`
     });
-    let linkedEntitiesData = [];
-    if (inputs.linkedEntities) {
-      if (typeof inputs.linkedEntities === "string") {
-        try {
-          linkedEntitiesData = JSON.parse(inputs.linkedEntities);
-        } catch {
+    let governanceGroupLinkedEntities = [];
+    const govConfig = parseJsonInput(inputs.governanceConfig);
+    const memberConfig = parseJsonInput(inputs.memberConfig);
+    if (govConfig && handlers.createGovernanceGroup) {
+      const groupType = govConfig.groupType;
+      const governance = govConfig.governance || {};
+      const config = buildGroupConfig(groupType, governance, memberConfig);
+      const groupResult = await handlers.createGovernanceGroup({
+        groupType,
+        name: govConfig.groupName || domainCardData.credentialSubject?.name || "Governance Group",
+        config
+      });
+      governanceGroupLinkedEntities = [
+        {
+          id: groupResult.coreAddress,
+          type: "group",
+          relationship: "governs",
+          service: ""
         }
-      } else if (Array.isArray(inputs.linkedEntities)) {
-        linkedEntitiesData = inputs.linkedEntities;
-      }
+      ];
     }
-    const governanceGroupLinkedEntities = buildGovernanceGroupLinkedEntities(parseLinkedEntities(JSON.stringify(linkedEntitiesData)));
     const endDate = domainCardData.endDate || validUntil;
     const { entityDid: newEntityDid, transactionHash } = await handlers.createDomain({
       entityType,
@@ -2337,81 +2524,8 @@ registerAction({
       output: {
         entityDid: newEntityDid,
         transactionHash
-      }
-    };
-  }
-});
-
-// src/core/lib/actionRegistry/actions/domainCardBuild.ts
-registerAction({
-  type: "qi/domain.card-build",
-  can: "domain/card-build",
-  sideEffect: false,
-  defaultRequiresConfirmation: false,
-  outputSchema: [
-    {
-      path: "domainCardData",
-      displayName: "Domain Card Data",
-      type: "object",
-      description: "Unsigned domain card envelope { credentialSubject, validFrom, validUntil } ready for preview and signing"
-    },
-    { path: "unsignedCredential", displayName: "Unsigned Credential", type: "object", description: "The full unsigned W3C Verifiable Credential" },
-    { path: "credentialSubject", displayName: "Credential Subject", type: "object", description: "The ixo:DomainCard credentialSubject extracted from the survey" },
-    { path: "surveyData", displayName: "Survey Answers", type: "object", description: "Raw survey answers used to build the card" },
-    { path: "entityType", displayName: "Entity Type", type: "string", description: "Resolved entity type (from survey or configured default)" },
-    { path: "issuerDid", displayName: "Issuer DID", type: "string", description: "DID of the user or entity that built the card" }
-  ],
-  run: async (inputs, ctx) => {
-    const handlers = ctx.handlers;
-    if (!handlers) throw new Error("Handlers not available");
-    const configEntityType = String(inputs.entityType || "dao").trim();
-    let surveyData = {};
-    if (inputs.surveyData) {
-      if (typeof inputs.surveyData === "string") {
-        try {
-          surveyData = JSON.parse(inputs.surveyData);
-        } catch {
-          throw new Error("surveyData must be valid JSON");
-        }
-      } else if (typeof inputs.surveyData === "object" && !Array.isArray(inputs.surveyData)) {
-        surveyData = inputs.surveyData;
-      }
-    }
-    if (!surveyData || Object.keys(surveyData).length === 0) {
-      throw new Error("surveyData is required to build a domain card");
-    }
-    const issuerDid = handlers.getEntityDid?.() || handlers.getCurrentUser?.()?.address;
-    if (!issuerDid) throw new Error("Unable to determine issuer DID");
-    const entityDidPlaceholder = "did:ixo:entity:pending";
-    const credentialSubject = transformSurveyToCredentialSubject(surveyData, entityDidPlaceholder);
-    const validFrom = surveyData["schema:validFrom"] || (/* @__PURE__ */ new Date()).toISOString();
-    const validUntil = surveyData["schema:validUntil"] || (() => {
-      const d = new Date(validFrom);
-      d.setFullYear(d.getFullYear() + 5);
-      return d.toISOString();
-    })();
-    const unsignedCredential = buildVerifiableCredential({
-      entityDid: entityDidPlaceholder,
-      issuerDid,
-      credentialSubject,
-      validFrom,
-      validUntil
-    });
-    const resolvedEntityType = surveyData["type_2"] || surveyData["daoType"] || configEntityType;
-    const domainCardData = {
-      credentialSubject,
-      validFrom,
-      validUntil
-    };
-    return {
-      output: {
-        domainCardData,
-        unsignedCredential,
-        credentialSubject,
-        surveyData,
-        entityType: resolvedEntityType,
-        issuerDid
-      }
+      },
+      events: [{ name: "created", payload: { entityDid: newEntityDid, transactionHash } }]
     };
   }
 });
@@ -2433,6 +2547,18 @@ registerAction({
     { path: "status", displayName: "Status", type: "string", description: "pending | loading | ready | approved | error" },
     { path: "approvedAt", displayName: "Approved At", type: "number", description: "Timestamp when the user approved the preview" }
   ],
+  events: [
+    {
+      name: "approved",
+      displayName: "Preview Approved",
+      description: "Fires when the user approves the oracle-enriched domain card preview.",
+      payloadSchema: [
+        { path: "domainCardData", displayName: "Domain Card Data", type: "object", description: "Approved domain card envelope ready for signing" },
+        { path: "approvedAt", displayName: "Approved At", type: "number", description: "Timestamp of approval" }
+      ],
+      pendingDisplayFields: ["approvedAt"]
+    }
+  ],
   run: async (inputs) => {
     let domainCardData = inputs.domainCardData;
     if (typeof domainCardData === "string") {
@@ -2456,13 +2582,15 @@ registerAction({
         domainPreviewData = void 0;
       }
     }
+    const now = Date.now();
     return {
       output: {
         domainCardData,
         domainPreviewData,
         status: "approved",
-        approvedAt: Date.now()
-      }
+        approvedAt: now
+      },
+      events: [{ name: "approved", payload: { domainCardData, approvedAt: now } }]
     };
   }
 });
@@ -2608,6 +2736,853 @@ registerAction({
   }
 });
 
+// src/core/lib/actionRegistry/actions/walletGenerate.ts
+registerAction({
+  type: "qi/wallet.generate",
+  can: "wallet/generate",
+  sideEffect: false,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "address", displayName: "Wallet Address", type: "string", description: "The generated IXO wallet address" },
+    { path: "did", displayName: "DID", type: "string", description: "The DID derived from the wallet address" },
+    { path: "pubKey", displayName: "Public Key", type: "string", description: "The secp256k1 public key (hex)" },
+    { path: "mnemonic", displayName: "Mnemonic", type: "string", description: "The BIP39 mnemonic seed phrase" }
+  ],
+  run: async (_inputs, ctx) => {
+    if (!ctx.services.oracle?.generateWallet) {
+      throw new Error("oracle.generateWallet handler not available");
+    }
+    const result = await ctx.services.oracle.generateWallet();
+    return { output: result };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/walletFund.ts
+registerAction({
+  type: "qi/wallet.fund",
+  can: "wallet/fund",
+  sideEffect: true,
+  defaultRequiresConfirmation: true,
+  outputSchema: [
+    { path: "transactionHash", displayName: "Transaction Hash", type: "string", description: "The funding transaction hash" }
+  ],
+  run: async (inputs, ctx) => {
+    if (!ctx.services.oracle?.fundWallet) {
+      throw new Error("oracle.fundWallet handler not available");
+    }
+    if (!inputs.address) throw new Error("address is required");
+    const result = await ctx.services.oracle.fundWallet({
+      address: inputs.address,
+      amount: inputs.amount || 25e4
+    });
+    return { output: result };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/walletGenerateAndFund.ts
+registerAction({
+  type: "qi/wallet.generateAndFund",
+  can: "wallet/generateAndFund",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "address", displayName: "Wallet Address", type: "string", description: "The generated IXO wallet address" },
+    { path: "did", displayName: "DID", type: "string", description: "The DID derived from the wallet address" },
+    { path: "pubKey", displayName: "Public Key", type: "string", description: "The secp256k1 public key (hex)" },
+    { path: "mnemonic", displayName: "Mnemonic", type: "string", description: "The BIP39 mnemonic seed phrase" },
+    { path: "transactionHash", displayName: "Transaction Hash", type: "string", description: "The funding transaction hash" }
+  ],
+  run: async (inputs, ctx) => {
+    if (!ctx.services.oracle?.generateWallet) {
+      throw new Error("oracle.generateWallet handler not available");
+    }
+    if (!ctx.services.oracle?.fundWallet) {
+      throw new Error("oracle.fundWallet handler not available");
+    }
+    const walletResult = await ctx.services.oracle.generateWallet();
+    if (!walletResult?.address) {
+      throw new Error("generateWallet did not return an address");
+    }
+    const fundResult = await ctx.services.oracle.fundWallet({
+      address: walletResult.address,
+      amount: inputs.amount || 25e4
+    });
+    if (!fundResult?.transactionHash) {
+      throw new Error("fundWallet did not return a transactionHash");
+    }
+    return {
+      output: {
+        address: walletResult.address,
+        did: walletResult.did,
+        pubKey: walletResult.pubKey,
+        mnemonic: walletResult.mnemonic,
+        transactionHash: fundResult.transactionHash
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/iidCreate.ts
+registerAction({
+  type: "qi/iid.create",
+  can: "iid/create",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "did", displayName: "DID", type: "string", description: "The IID document DID" },
+    { path: "transactionHash", displayName: "Transaction Hash", type: "string", description: "The IID creation transaction hash" }
+  ],
+  run: async (inputs, ctx) => {
+    if (!ctx.services.oracle?.createIidDocument) {
+      throw new Error("oracle.createIidDocument handler not available");
+    }
+    if (!inputs.mnemonic) throw new Error("mnemonic is required");
+    if (!inputs.did) throw new Error("did is required");
+    if (!inputs.address) throw new Error("address is required");
+    if (!inputs.pubKey) throw new Error("pubKey is required");
+    const result = await ctx.services.oracle.createIidDocument({
+      mnemonic: inputs.mnemonic,
+      did: inputs.did,
+      address: inputs.address,
+      pubKey: inputs.pubKey
+    });
+    return { output: result };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/matrixRegister.ts
+registerAction({
+  type: "qi/matrix.register",
+  can: "matrix/register",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "matrixUserId", displayName: "Matrix User ID", type: "string", description: "The Matrix user ID" },
+    { path: "matrixAccessToken", displayName: "Matrix Access Token", type: "string", description: "The Matrix access token" },
+    { path: "matrixRoomId", displayName: "Matrix Room ID", type: "string", description: "The Matrix room ID" },
+    { path: "matrixDeviceId", displayName: "Matrix Device ID", type: "string", description: "The Matrix device ID" },
+    { path: "matrixMnemonic", displayName: "Matrix Mnemonic", type: "string", description: "The Matrix account mnemonic" },
+    { path: "matrixPassword", displayName: "Matrix Password", type: "string", description: "The Matrix account password" },
+    { path: "matrixRecoveryPhrase", displayName: "Recovery Phrase", type: "string", description: "The Matrix recovery phrase" },
+    { path: "matrixHomeServerUrl", displayName: "Matrix Homeserver", type: "string", description: "The Matrix homeserver URL" }
+  ],
+  run: async (inputs, ctx) => {
+    if (!ctx.services.oracle?.registerMatrixAccount) {
+      throw new Error("oracle.registerMatrixAccount handler not available");
+    }
+    if (!inputs.mnemonic) throw new Error("mnemonic is required");
+    if (!inputs.address) throw new Error("address is required");
+    if (!inputs.did) throw new Error("did is required");
+    if (!inputs.pin) throw new Error("pin is required");
+    if (!inputs.oracleName) throw new Error("oracleName is required");
+    const result = await ctx.services.oracle.registerMatrixAccount({
+      mnemonic: inputs.mnemonic,
+      address: inputs.address,
+      did: inputs.did,
+      pin: inputs.pin,
+      oracleName: inputs.oracleName,
+      avatarUrl: inputs.avatarUrl
+    });
+    return { output: result };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/identityCreate.ts
+registerAction({
+  type: "qi/identity.create",
+  can: "identity/create",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "did", displayName: "DID", type: "string", description: "The IID document DID" },
+    { path: "transactionHash", displayName: "Transaction Hash", type: "string", description: "The IID creation transaction hash" },
+    { path: "alreadyExisted", displayName: "Already Existed", type: "boolean", description: "Whether the IID document already existed" },
+    { path: "matrixUserId", displayName: "Matrix User ID", type: "string", description: "The Matrix user ID" },
+    { path: "matrixAccessToken", displayName: "Matrix Access Token", type: "string", description: "The Matrix access token" },
+    { path: "matrixRoomId", displayName: "Matrix Room ID", type: "string", description: "The Matrix room ID" },
+    { path: "matrixDeviceId", displayName: "Matrix Device ID", type: "string", description: "The Matrix device ID" },
+    { path: "matrixMnemonic", displayName: "Matrix Mnemonic", type: "string", description: "The Matrix account mnemonic" },
+    { path: "matrixPassword", displayName: "Matrix Password", type: "string", description: "The Matrix account password" },
+    { path: "matrixRecoveryPhrase", displayName: "Recovery Phrase", type: "string", description: "The Matrix recovery phrase" },
+    { path: "matrixHomeServerUrl", displayName: "Matrix Homeserver", type: "string", description: "The Matrix homeserver URL" }
+  ],
+  run: async (rawInputs, ctx) => {
+    const form = (() => {
+      const raw = rawInputs.formAnswers;
+      if (typeof raw !== "string" || !raw) return {};
+      try {
+        const parsed = JSON.parse(raw);
+        return parsed && typeof parsed === "object" ? parsed : {};
+      } catch {
+        return {};
+      }
+    })();
+    const inputs = {
+      // Rename: form.logoUrl → avatarUrl for the registerMatrixAccount handler
+      avatarUrl: form.logoUrl,
+      ...form,
+      ...rawInputs
+    };
+    if (!ctx.services.oracle?.createIidDocument) {
+      throw new Error("oracle.createIidDocument handler not available");
+    }
+    if (!ctx.services.oracle?.registerMatrixAccount) {
+      throw new Error("oracle.registerMatrixAccount handler not available");
+    }
+    if (!inputs.mnemonic) throw new Error("mnemonic is required");
+    if (!inputs.did) throw new Error("did is required");
+    if (!inputs.address) throw new Error("address is required");
+    if (!inputs.pubKey) throw new Error("pubKey is required");
+    if (!inputs.pin) throw new Error("pin is required");
+    if (!inputs.oracleName) throw new Error("oracleName is required");
+    const iidResult = await ctx.services.oracle.createIidDocument({
+      mnemonic: inputs.mnemonic,
+      did: inputs.did,
+      address: inputs.address,
+      pubKey: inputs.pubKey
+    });
+    if (!iidResult?.transactionHash && !iidResult?.alreadyExisted) {
+      throw new Error("IID creation returned success without a transaction hash or alreadyExisted flag");
+    }
+    const matrixResult = await ctx.services.oracle.registerMatrixAccount({
+      mnemonic: inputs.mnemonic,
+      address: inputs.address,
+      did: inputs.did,
+      pin: inputs.pin,
+      oracleName: inputs.oracleName,
+      avatarUrl: inputs.avatarUrl
+    });
+    if (!matrixResult?.matrixUserId) {
+      throw new Error("Matrix registration returned success without a matrixUserId");
+    }
+    return {
+      output: {
+        did: iidResult.did || inputs.did,
+        transactionHash: iidResult.transactionHash,
+        alreadyExisted: iidResult.alreadyExisted || false,
+        matrixUserId: matrixResult.matrixUserId,
+        matrixAccessToken: matrixResult.matrixAccessToken,
+        matrixRoomId: matrixResult.matrixRoomId,
+        matrixDeviceId: matrixResult.matrixDeviceId,
+        matrixMnemonic: matrixResult.matrixMnemonic,
+        matrixPassword: matrixResult.matrixPassword,
+        matrixRecoveryPhrase: matrixResult.matrixRecoveryPhrase,
+        matrixHomeServerUrl: matrixResult.matrixHomeServerUrl
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/entityCreateOracle.ts
+registerAction({
+  type: "qi/entity.createOracle",
+  can: "entity/createOracle",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "entityDid", displayName: "Entity DID", type: "string", description: "The oracle entity DID" },
+    { path: "transactionHash", displayName: "Transaction Hash", type: "string", description: "The entity creation transaction hash" },
+    { path: "encryptionPublicKeyMultibase", displayName: "Encryption Public Key (multibase)", type: "string", description: "Multibase-encoded P-256 public key registered as a keyAgreement vm on the entity DID" },
+    { path: "encryptionVerificationMethodId", displayName: "Encryption Verification Method ID", type: "string", description: "DID verification method id of the P-256 keyAgreement key" }
+  ],
+  run: async (rawInputs, ctx) => {
+    const form = (() => {
+      const raw = rawInputs.formAnswers;
+      if (typeof raw !== "string" || !raw) return {};
+      try {
+        const parsed = JSON.parse(raw);
+        return parsed && typeof parsed === "object" ? parsed : {};
+      } catch {
+        return {};
+      }
+    })();
+    const inputs = { ...form, ...rawInputs };
+    if (!ctx.services.oracle?.createOracleEntity) {
+      throw new Error("oracle.createOracleEntity handler not available");
+    }
+    if (!inputs.mnemonic) throw new Error("mnemonic is required");
+    if (!inputs.address) throw new Error("address is required");
+    if (!inputs.did) throw new Error("did is required");
+    if (!inputs.pubKey) throw new Error("pubKey is required");
+    if (!inputs.pin) throw new Error("pin is required");
+    if (!inputs.matrixAccessToken) throw new Error("matrixAccessToken is required");
+    if (!inputs.matrixRoomId) throw new Error("matrixRoomId is required");
+    if (!inputs.oracleName) throw new Error("oracleName is required");
+    if (!inputs.apiUrl) throw new Error("apiUrl is required");
+    if (!inputs.price) throw new Error("price is required");
+    const result = await ctx.services.oracle.createOracleEntity({
+      mnemonic: inputs.mnemonic,
+      address: inputs.address,
+      did: inputs.did,
+      pubKey: inputs.pubKey,
+      pin: inputs.pin,
+      matrixAccessToken: inputs.matrixAccessToken,
+      matrixRoomId: inputs.matrixRoomId,
+      oracleName: inputs.oracleName,
+      orgName: inputs.orgName,
+      description: inputs.description,
+      location: inputs.location,
+      logoUrl: inputs.logoUrl,
+      coverImageUrl: inputs.coverImageUrl,
+      apiUrl: inputs.apiUrl,
+      price: inputs.price,
+      llmModel: inputs.llmModel,
+      opening: inputs.opening,
+      communicationStyle: inputs.communicationStyle,
+      capabilities: inputs.capabilities,
+      mcpConfig: inputs.mcpConfig,
+      parentProtocol: inputs.parentProtocol
+    });
+    return { output: result };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/sandboxProvision.ts
+registerAction({
+  type: "qi/sandbox.provision",
+  can: "sandbox/provision",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "sandboxUrl", displayName: "Sandbox URL", type: "string", description: "The provisioned sandbox URL" },
+    { path: "status", displayName: "Status", type: "string", description: "Provisioning status" }
+  ],
+  run: async (inputs, ctx) => {
+    if (!ctx.services.oracle?.provisionSandbox) {
+      throw new Error("oracle.provisionSandbox handler not available");
+    }
+    if (!inputs.entityDid) throw new Error("entityDid is required");
+    if (!inputs.matrixRoomId) throw new Error("matrixRoomId is required");
+    const result = await ctx.services.oracle.provisionSandbox({
+      entityDid: inputs.entityDid,
+      matrixRoomId: inputs.matrixRoomId
+    });
+    return { output: result };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/oracleContract.ts
+registerAction({
+  type: "qi/oracle.contract",
+  can: "oracle/contract",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "userOracleRoomId", displayName: "User\u2194Oracle Room ID", type: "string", description: "Matrix room id of the user\u2194oracle DM room" },
+    { path: "userOracleRoomAlias", displayName: "User\u2194Oracle Room Alias", type: "string", description: "Matrix alias of the user\u2194oracle DM room" }
+  ],
+  run: async (inputs, ctx) => {
+    if (!ctx.services.oracle?.contract) {
+      throw new Error("oracle.contract handler not available");
+    }
+    if (!inputs.oracleEntityDid) throw new Error("oracleEntityDid is required (from entity.createOracle output)");
+    const result = await ctx.services.oracle.contract({
+      oracleEntityDid: inputs.oracleEntityDid
+    });
+    return { output: result };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/oracleStoreSecrets.ts
+var SENSITIVE_PLAINTEXT_KEYS = [
+  "SECP_MNEMONIC",
+  "MATRIX_ORACLE_ADMIN_PASSWORD",
+  "MATRIX_RECOVERY_PHRASE",
+  "MATRIX_VALUE_PIN"
+];
+registerAction({
+  type: "qi/oracle.storeSecrets",
+  can: "oracle/storeSecrets",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "storedSecrets", displayName: "Stored Secrets", type: "array", description: "List of secret names stored" },
+    { path: "roomId", displayName: "Room ID", type: "string", description: "Matrix room where secrets are stored" }
+  ],
+  run: async (inputs, ctx) => {
+    if (!ctx.services.oracle?.storeSecrets) {
+      throw new Error("oracle.storeSecrets handler not available");
+    }
+    if (!inputs.matrixRoomId) throw new Error("matrixRoomId is required (from oracle.contract output)");
+    if (!inputs.publicKeyMultibase) throw new Error("publicKeyMultibase is required (from entity.createOracle output)");
+    if (!inputs.verificationMethodId) throw new Error("verificationMethodId is required (from entity.createOracle output)");
+    if (!inputs.matrixHomeServerUrl) throw new Error("matrixHomeServerUrl is required (from matrix.register output)");
+    if (!inputs.matrixUsername) throw new Error("matrixUsername is required (from matrix.register output matrixUserId)");
+    if (!inputs.matrixPassword) throw new Error("matrixPassword is required (from matrix.register output)");
+    if (!inputs.mnemonic) throw new Error("mnemonic is required (from wallet.generate output)");
+    if (!inputs.matrixRecoveryPhrase) throw new Error("matrixRecoveryPhrase is required (from matrix.register output)");
+    if (!inputs.pin) throw new Error("pin is required (from form output)");
+    if (!inputs.openRouterApiKeyJwe) {
+      throw new Error("OPEN_ROUTER_API_KEY is required \u2014 enter it in the form before submitting");
+    }
+    const secrets = {
+      SECP_MNEMONIC: inputs.mnemonic,
+      MATRIX_ORACLE_ADMIN_PASSWORD: inputs.matrixPassword,
+      MATRIX_RECOVERY_PHRASE: inputs.matrixRecoveryPhrase,
+      MATRIX_VALUE_PIN: inputs.pin
+    };
+    const preEncryptedSecrets = {
+      OPEN_ROUTER_API_KEY: inputs.openRouterApiKeyJwe
+    };
+    if (inputs.mcpAuthSecrets) {
+      try {
+        const mcpSecrets = typeof inputs.mcpAuthSecrets === "string" ? JSON.parse(inputs.mcpAuthSecrets) : inputs.mcpAuthSecrets;
+        if (mcpSecrets && typeof mcpSecrets === "object") {
+          Object.assign(preEncryptedSecrets, mcpSecrets);
+        }
+      } catch {
+        console.warn("[oracle.storeSecrets] Failed to parse mcpAuthSecrets");
+      }
+    }
+    for (const k of SENSITIVE_PLAINTEXT_KEYS) {
+      if (!secrets[k]) throw new Error(`${k} is empty after assembly \u2014 refusing to call storeSecrets`);
+    }
+    const result = await ctx.services.oracle.storeSecrets({
+      matrixRoomId: inputs.matrixRoomId,
+      publicKeyMultibase: inputs.publicKeyMultibase,
+      verificationMethodId: inputs.verificationMethodId,
+      matrixHomeServerUrl: inputs.matrixHomeServerUrl,
+      matrixUsername: inputs.matrixUsername,
+      matrixPassword: inputs.matrixPassword,
+      secrets,
+      preEncryptedSecrets
+    });
+    return { output: result };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/oracleStoreConfig.ts
+registerAction({
+  type: "qi/oracle.storeConfig",
+  can: "oracle/storeConfig",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "configStored", displayName: "Config Stored", type: "boolean", description: "Whether the oracle config was stored successfully" },
+    { path: "roomId", displayName: "Room ID", type: "string", description: "The Matrix room ID where config was stored" }
+  ],
+  run: async (inputs, ctx) => {
+    if (!ctx.services.oracle?.storeConfig) {
+      throw new Error("oracle.storeConfig handler not available");
+    }
+    if (!inputs.matrixRoomId) throw new Error("matrixRoomId is required (from oracle.contract output)");
+    if (!inputs.oracleName) throw new Error("oracleName is required");
+    if (!inputs.entityDid) throw new Error("entityDid is required");
+    const result = await ctx.services.oracle.storeConfig({
+      matrixRoomId: inputs.matrixRoomId,
+      config: {
+        oracleName: inputs.oracleName,
+        orgName: inputs.orgName || "",
+        description: inputs.description || "",
+        location: inputs.location || "",
+        price: inputs.price ?? 0,
+        apiUrl: inputs.apiUrl || "",
+        entityDid: inputs.entityDid,
+        logoUrl: inputs.logoUrl || "",
+        llmModel: inputs.llmModel || "",
+        opening: inputs.opening,
+        communicationStyle: inputs.communicationStyle,
+        capabilities: inputs.capabilities,
+        skills: inputs.skills,
+        mcpServers: inputs.mcpServers,
+        matrixUserId: inputs.matrixUserId || "",
+        matrixAccountRoomId: inputs.matrixAccountRoomId || "",
+        oracleAddress: inputs.oracleAddress || "",
+        oracleDid: inputs.oracleDid || ""
+      }
+    });
+    return { output: result };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/oracleStoreSecretsAndConfig.ts
+var SENSITIVE_PLAINTEXT_KEYS2 = [
+  "SECP_MNEMONIC",
+  "MATRIX_ORACLE_ADMIN_PASSWORD",
+  "MATRIX_RECOVERY_PHRASE",
+  "MATRIX_VALUE_PIN"
+];
+registerAction({
+  type: "qi/oracle.storeSecretsAndConfig",
+  can: "oracle/storeSecretsAndConfig",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "storedSecrets", displayName: "Stored Secrets", type: "array", description: "List of secret names stored" },
+    { path: "roomId", displayName: "Room ID", type: "string", description: "Matrix room where data is stored" },
+    { path: "configStored", displayName: "Config Stored", type: "boolean", description: "Whether oracle config was stored" }
+  ],
+  run: async (inputs, ctx) => {
+    if (!ctx.services.oracle?.storeSecrets) throw new Error("oracle.storeSecrets handler not available");
+    if (!ctx.services.oracle?.storeConfig) throw new Error("oracle.storeConfig handler not available");
+    if (!inputs.matrixRoomId) throw new Error("matrixRoomId is required (from oracle.contract output)");
+    if (!inputs.publicKeyMultibase) throw new Error("publicKeyMultibase is required (from entity.createOracle output)");
+    if (!inputs.verificationMethodId) throw new Error("verificationMethodId is required (from entity.createOracle output)");
+    if (!inputs.matrixHomeServerUrl) throw new Error("matrixHomeServerUrl is required (from matrix.register output)");
+    if (!inputs.matrixUsername) throw new Error("matrixUsername is required (from matrix.register output matrixUserId)");
+    if (!inputs.matrixPassword) throw new Error("matrixPassword is required (from matrix.register output)");
+    if (!inputs.mnemonic) throw new Error("mnemonic is required (from wallet.generate output)");
+    if (!inputs.matrixRecoveryPhrase) throw new Error("matrixRecoveryPhrase is required (from matrix.register output)");
+    if (!inputs.pin) throw new Error("pin is required (from form output)");
+    if (!inputs.openRouterApiKeyJwe) {
+      throw new Error("OPEN_ROUTER_API_KEY is required \u2014 enter it in the form before submitting");
+    }
+    const secrets = {
+      SECP_MNEMONIC: inputs.mnemonic,
+      MATRIX_ORACLE_ADMIN_PASSWORD: inputs.matrixPassword,
+      MATRIX_RECOVERY_PHRASE: inputs.matrixRecoveryPhrase,
+      MATRIX_VALUE_PIN: inputs.pin
+    };
+    const preEncryptedSecrets = {
+      OPEN_ROUTER_API_KEY: inputs.openRouterApiKeyJwe
+    };
+    if (inputs.mcpAuthSecrets) {
+      try {
+        const mcpSecrets = typeof inputs.mcpAuthSecrets === "string" ? JSON.parse(inputs.mcpAuthSecrets) : inputs.mcpAuthSecrets;
+        if (mcpSecrets && typeof mcpSecrets === "object") {
+          Object.assign(preEncryptedSecrets, mcpSecrets);
+        }
+      } catch {
+        console.warn("[oracle.storeSecretsAndConfig] Failed to parse mcpAuthSecrets");
+      }
+    }
+    for (const k of SENSITIVE_PLAINTEXT_KEYS2) {
+      if (!secrets[k]) throw new Error(`${k} is empty after assembly \u2014 refusing to call storeSecrets`);
+    }
+    console.log("[oracle.storeSecretsAndConfig] Phase 1: storing secrets");
+    const secretsResult = await ctx.services.oracle.storeSecrets({
+      matrixRoomId: inputs.matrixRoomId,
+      publicKeyMultibase: inputs.publicKeyMultibase,
+      verificationMethodId: inputs.verificationMethodId,
+      matrixHomeServerUrl: inputs.matrixHomeServerUrl,
+      matrixUsername: inputs.matrixUsername,
+      matrixPassword: inputs.matrixPassword,
+      secrets,
+      preEncryptedSecrets
+    });
+    if (!secretsResult.storedSecrets || secretsResult.storedSecrets.length === 0) {
+      throw new Error("storeSecrets returned success without any storedSecrets");
+    }
+    if (!inputs.oracleName) throw new Error("oracleName is required");
+    if (!inputs.entityDid) throw new Error("entityDid is required");
+    console.log("[oracle.storeSecretsAndConfig] Phase 2: storing config");
+    const configResult = await ctx.services.oracle.storeConfig({
+      matrixRoomId: inputs.matrixRoomId,
+      config: {
+        oracleName: inputs.oracleName,
+        orgName: inputs.orgName || "",
+        description: inputs.description || "",
+        location: inputs.location || "",
+        price: inputs.price ?? 0,
+        apiUrl: inputs.apiUrl || "",
+        entityDid: inputs.entityDid,
+        logoUrl: inputs.logoUrl || "",
+        llmModel: inputs.llmModel || "",
+        opening: inputs.opening,
+        communicationStyle: inputs.communicationStyle,
+        capabilities: inputs.capabilities,
+        skills: inputs.skills,
+        mcpServers: inputs.mcpServers,
+        matrixUserId: inputs.matrixUserId || "",
+        matrixAccountRoomId: inputs.matrixAccountRoomId || "",
+        oracleAddress: inputs.oracleAddress || "",
+        oracleDid: inputs.oracleDid || ""
+      }
+    });
+    if (!configResult.configStored) {
+      throw new Error("storeConfig returned success without configStored=true");
+    }
+    console.log("[oracle.storeSecretsAndConfig] Both phases complete");
+    return {
+      output: {
+        storedSecrets: secretsResult.storedSecrets,
+        roomId: secretsResult.roomId,
+        configStored: configResult.configStored
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/oracleConfigureOracle.ts
+var SENSITIVE_PLAINTEXT_KEYS3 = [
+  "SECP_MNEMONIC",
+  "MATRIX_ORACLE_ADMIN_PASSWORD",
+  "MATRIX_RECOVERY_PHRASE",
+  "MATRIX_VALUE_PIN"
+];
+registerAction({
+  type: "qi/oracle.configureOracle",
+  can: "oracle/configureOracle",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "userOracleRoomId", displayName: "User-Oracle Room ID", type: "string", description: "Matrix room id from contract phase" },
+    { path: "userOracleRoomAlias", displayName: "User-Oracle Room Alias", type: "string", description: "Matrix alias from contract phase" },
+    { path: "storedSecrets", displayName: "Stored Secrets", type: "array", description: "List of secret names stored" },
+    { path: "roomId", displayName: "Room ID", type: "string", description: "Matrix room where data is stored" },
+    { path: "configStored", displayName: "Config Stored", type: "boolean", description: "Whether oracle config was stored" },
+    { path: "freshAccessToken", displayName: "Fresh Access Token", type: "string", description: "Fresh Matrix access token from mxLogin during secret storage" },
+    { path: "openRouterApiKeyPlaintext", displayName: "OpenRouter API Key", type: "string", description: "Plaintext OpenRouter API key for deploy" }
+  ],
+  run: async (rawInputs, ctx) => {
+    const form = (() => {
+      const raw = rawInputs.formAnswers;
+      if (typeof raw !== "string" || !raw) return {};
+      try {
+        const parsed = JSON.parse(raw);
+        return parsed && typeof parsed === "object" ? parsed : {};
+      } catch {
+        return {};
+      }
+    })();
+    const inputs = { ...form, ...rawInputs };
+    if (!ctx.services.oracle?.contract) throw new Error("oracle.contract handler not available");
+    if (!ctx.services.oracle?.storeSecrets) throw new Error("oracle.storeSecrets handler not available");
+    if (!ctx.services.oracle?.storeConfig) throw new Error("oracle.storeConfig handler not available");
+    if (!inputs.oracleEntityDid) throw new Error("oracleEntityDid is required (from entity.createOracle output)");
+    if (!inputs.publicKeyMultibase) throw new Error("publicKeyMultibase is required (from entity.createOracle output)");
+    if (!inputs.verificationMethodId) throw new Error("verificationMethodId is required (from entity.createOracle output)");
+    if (!inputs.matrixHomeServerUrl) throw new Error("matrixHomeServerUrl is required (from matrix.register output)");
+    if (!inputs.matrixUsername) throw new Error("matrixUsername is required (from matrix.register output matrixUserId)");
+    if (!inputs.matrixPassword) throw new Error("matrixPassword is required (from matrix.register output)");
+    if (!inputs.mnemonic) throw new Error("mnemonic is required (from wallet.generate output)");
+    if (!inputs.matrixRecoveryPhrase) throw new Error("matrixRecoveryPhrase is required (from matrix.register output)");
+    if (!inputs.pin) throw new Error("pin is required (from form output)");
+    if (!inputs.openRouterApiKeyJwe) {
+      throw new Error("OPEN_ROUTER_API_KEY is required \u2014 enter it in the form before submitting");
+    }
+    if (!inputs.oracleName) throw new Error("oracleName is required");
+    if (!inputs.entityDid) throw new Error("entityDid is required");
+    console.log("[oracle.configureOracle] Phase 1: contracting oracle");
+    const contractResult = await ctx.services.oracle.contract({
+      oracleEntityDid: inputs.oracleEntityDid
+    });
+    if (!contractResult.userOracleRoomId) {
+      throw new Error("contract returned success without userOracleRoomId");
+    }
+    const matrixRoomId = contractResult.userOracleRoomId;
+    const secrets = {
+      SECP_MNEMONIC: inputs.mnemonic,
+      MATRIX_ORACLE_ADMIN_PASSWORD: inputs.matrixPassword,
+      MATRIX_RECOVERY_PHRASE: inputs.matrixRecoveryPhrase,
+      MATRIX_VALUE_PIN: inputs.pin
+    };
+    const preEncryptedSecrets = {
+      OPEN_ROUTER_API_KEY: inputs.openRouterApiKeyJwe
+    };
+    if (inputs.mcpAuthSecrets) {
+      try {
+        const mcpSecrets = typeof inputs.mcpAuthSecrets === "string" ? JSON.parse(inputs.mcpAuthSecrets) : inputs.mcpAuthSecrets;
+        if (mcpSecrets && typeof mcpSecrets === "object") {
+          Object.assign(preEncryptedSecrets, mcpSecrets);
+        }
+      } catch {
+        console.warn("[oracle.configureOracle] Failed to parse mcpAuthSecrets");
+      }
+    }
+    for (const k of SENSITIVE_PLAINTEXT_KEYS3) {
+      if (!secrets[k]) throw new Error(`${k} is empty after assembly \u2014 refusing to call storeSecrets`);
+    }
+    console.log("[oracle.configureOracle] Phase 2: storing secrets");
+    const secretsResult = await ctx.services.oracle.storeSecrets({
+      matrixRoomId,
+      publicKeyMultibase: inputs.publicKeyMultibase,
+      verificationMethodId: inputs.verificationMethodId,
+      matrixHomeServerUrl: inputs.matrixHomeServerUrl,
+      matrixUsername: inputs.matrixUsername,
+      matrixPassword: inputs.matrixPassword,
+      secrets,
+      preEncryptedSecrets
+    });
+    if (!secretsResult.storedSecrets || secretsResult.storedSecrets.length === 0) {
+      throw new Error("storeSecrets returned success without any storedSecrets");
+    }
+    console.log("[oracle.configureOracle] Phase 3: storing config");
+    const configResult = await ctx.services.oracle.storeConfig({
+      matrixRoomId,
+      config: {
+        oracleName: inputs.oracleName,
+        orgName: inputs.orgName || "",
+        description: inputs.description || "",
+        location: inputs.location || "",
+        price: inputs.price ?? 0,
+        apiUrl: inputs.apiUrl || "",
+        entityDid: inputs.entityDid,
+        logoUrl: inputs.logoUrl || "",
+        llmModel: inputs.llmModel || "",
+        opening: inputs.opening,
+        communicationStyle: inputs.communicationStyle,
+        capabilities: inputs.capabilities,
+        skills: inputs.skills,
+        mcpServers: inputs.mcpServers,
+        matrixUserId: inputs.matrixUserId || "",
+        matrixAccountRoomId: inputs.matrixAccountRoomId || "",
+        oracleAddress: inputs.oracleAddress || "",
+        oracleDid: inputs.oracleDid || ""
+      }
+    });
+    if (!configResult.configStored) {
+      throw new Error("storeConfig returned success without configStored=true");
+    }
+    console.log("[oracle.configureOracle] All 3 phases complete");
+    return {
+      output: {
+        userOracleRoomId: contractResult.userOracleRoomId,
+        userOracleRoomAlias: contractResult.userOracleRoomAlias,
+        storedSecrets: secretsResult.storedSecrets,
+        roomId: secretsResult.roomId,
+        configStored: configResult.configStored,
+        freshAccessToken: secretsResult.freshAccessToken || "",
+        openRouterApiKeyPlaintext: inputs.openRouterApiKeyPlaintext || ""
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/oracleDeploySetup.ts
+registerAction({
+  type: "qi/oracle.deploySetup",
+  can: "oracle/deploySetup",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "setupComplete", displayName: "Setup Complete", type: "boolean", description: "Whether the oracle setup completed successfully" },
+    { path: "stdout", displayName: "Build Output", type: "string", description: "Build stdout output" }
+  ],
+  run: async (inputs, ctx) => {
+    if (!ctx.services.oracle?.deploySetup) {
+      throw new Error("oracle.deploySetup handler not available");
+    }
+    if (!inputs.name) throw new Error("name is required (project name from form)");
+    const config = typeof inputs.config === "string" ? JSON.parse(inputs.config) : inputs.config;
+    if (!config || typeof config !== "object") throw new Error("config is required (oracle config object)");
+    if (!inputs.roomId) throw new Error("roomId is required (from oracle contract/configure output)");
+    const result = await ctx.services.oracle.deploySetup({ name: inputs.name, config, roomId: inputs.roomId });
+    return { output: result };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/oracleDeployStart.ts
+registerAction({
+  type: "qi/oracle.deployStart",
+  can: "oracle/deployStart",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "processId", displayName: "Process ID", type: "string", description: "Running process identifier" },
+    { path: "status", displayName: "Status", type: "string", description: "Oracle process status" }
+  ],
+  run: async (inputs, ctx) => {
+    if (!ctx.services.oracle?.deployStart) {
+      throw new Error("oracle.deployStart handler not available");
+    }
+    if (!inputs.name) throw new Error("name is required (project name from form)");
+    if (!inputs.entityDid) throw new Error("entityDid is required (from entity.createOracle output)");
+    if (!inputs.roomId) throw new Error("roomId is required (from oracle contract/configure output)");
+    const result = await ctx.services.oracle.deployStart({ name: inputs.name, entityDid: inputs.entityDid, roomId: inputs.roomId });
+    return { output: result };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/oracleDeploy.ts
+registerAction({
+  type: "qi/oracle.deploy",
+  can: "oracle/deploy",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "setupComplete", displayName: "Setup Complete", type: "boolean", description: "Whether the oracle setup completed successfully" },
+    { path: "processId", displayName: "Process ID", type: "string", description: "Running process identifier" },
+    { path: "status", displayName: "Status", type: "string", description: "Oracle process status" },
+    { path: "deploymentUrl", displayName: "Deployment URL", type: "string", description: "The URL where the oracle was deployed" },
+    { path: "domainUpdateTxHash", displayName: "Domain Update Tx", type: "string", description: "Transaction hash of the on-chain domain update" }
+  ],
+  run: async (rawInputs, ctx) => {
+    const form = (() => {
+      const raw = rawInputs.formAnswers;
+      if (typeof raw !== "string" || !raw) return {};
+      try {
+        const parsed = JSON.parse(raw);
+        return parsed && typeof parsed === "object" ? parsed : {};
+      } catch {
+        return {};
+      }
+    })();
+    const inputs = {
+      // Rename: form.projectName → name for deploy handler
+      name: form.projectName,
+      ...form,
+      ...rawInputs
+    };
+    if (!ctx.services.oracle?.deploySetup) {
+      throw new Error("oracle.deploySetup handler not available");
+    }
+    if (!ctx.services.oracle?.deployStart) {
+      throw new Error("oracle.deployStart handler not available");
+    }
+    if (!inputs.name) throw new Error("name is required (project name from form)");
+    if (!inputs.entityDid) throw new Error("entityDid is required (from entity.createOracle output)");
+    if (!inputs.roomId) throw new Error("roomId is required (from oracle.configureOracle output)");
+    const config = {
+      oracleName: inputs.oracleName,
+      orgName: inputs.orgName,
+      description: inputs.description,
+      location: inputs.location,
+      price: inputs.price,
+      apiUrl: inputs.apiUrl,
+      logoUrl: inputs.logoUrl,
+      llmModel: inputs.llmModel,
+      opening: inputs.opening,
+      communicationStyle: inputs.communicationStyle,
+      capabilities: inputs.capabilities,
+      skills: inputs.skills,
+      mcpServers: inputs.mcpServers,
+      entityDid: inputs.entityDid
+    };
+    const secrets = {
+      mnemonic: inputs.mnemonic,
+      matrixPassword: inputs.matrixPassword,
+      matrixRecoveryPhrase: inputs.matrixRecoveryPhrase,
+      pin: inputs.pin,
+      matrixUsername: inputs.matrixUsername,
+      matrixAccountRoomId: inputs.matrixAccountRoomId,
+      freshAccessToken: inputs.freshAccessToken,
+      openRouterApiKey: inputs.openRouterApiKey
+    };
+    const setupResult = await ctx.services.oracle.deploySetup({ name: inputs.name, config, roomId: inputs.roomId, secrets });
+    if (!setupResult.setupComplete) {
+      throw new Error(`Deploy setup failed: ${setupResult.stderr || "setupComplete was not true"}`);
+    }
+    const startResult = await ctx.services.oracle.deployStart({ name: inputs.name, entityDid: inputs.entityDid, roomId: inputs.roomId, secrets });
+    if (!startResult.processId && startResult.status !== "running") {
+      throw new Error("Deploy start failed: no processId returned and status is not running");
+    }
+    let deploymentUrl;
+    let domainUpdateTxHash;
+    if (startResult.url) {
+      if (!ctx.services.oracle?.updateOracleDomain) {
+        console.warn("[oracle.deploy] updateOracleDomain handler not available, skipping domain update");
+      } else {
+        const domainResult = await ctx.services.oracle.updateOracleDomain({
+          entityDid: inputs.entityDid,
+          newApiUrl: startResult.url
+        });
+        deploymentUrl = startResult.url;
+        domainUpdateTxHash = domainResult.transactionHash;
+      }
+    }
+    return {
+      output: {
+        setupComplete: setupResult.setupComplete,
+        processId: startResult.processId,
+        status: startResult.status,
+        deploymentUrl,
+        domainUpdateTxHash
+      }
+    };
+  }
+});
+
 // src/core/lib/actionRegistry/actions/bid/bid.diff.ts
 registerDiffResolver("bid", {
   resolver: async (inputs, _ctx) => {
@@ -2890,6 +3865,40 @@ registerDiffResolver("evaluateClaim", {
   }
 });
 
+// src/core/lib/actionRegistry/actions/walletFund.diff.ts
+registerDiffResolver("qi/wallet.fund", {
+  resolver: async (inputs, _ctx) => {
+    const address = String(inputs.address || "").trim();
+    const amount = String(inputs.amount || "250000").trim();
+    const network = String(inputs.network || "devnet").trim();
+    const ixoAmount = (Number(amount) / 1e6).toFixed(6);
+    return [
+      {
+        key: "recipient",
+        label: "Recipient",
+        before: "N/A",
+        after: address || "Pending wallet generation",
+        changeType: address ? "replace" : "unchanged"
+      },
+      {
+        key: "amount",
+        label: "Amount",
+        before: "0 IXO",
+        after: `${ixoAmount} IXO (${amount} uixo)`,
+        changeType: "replace",
+        severity: "info"
+      },
+      {
+        key: "network",
+        label: "Network",
+        before: network,
+        after: network,
+        changeType: "unchanged"
+      }
+    ];
+  }
+});
+
 // src/core/services/ucanService.ts
 import {
   createDelegation as ucanCreateDelegation,
@@ -3920,6 +4929,65 @@ function removePendingInvocation(yDoc, listenerBlockId, pendingInvocationId) {
   inner.delete(pendingInvocationId);
   return true;
 }
+var BARRIER_STATE_MAP_KEY = "barrierState";
+function getBarrierStateMap(yDoc) {
+  return yDoc.getMap(BARRIER_STATE_MAP_KEY);
+}
+function getOrCreateListenerBarrierMap(yDoc, listenerBlockId) {
+  const outer = getBarrierStateMap(yDoc);
+  let inner = outer.get(listenerBlockId);
+  if (!inner) {
+    inner = new Y.Map();
+    outer.set(listenerBlockId, inner);
+  }
+  return inner;
+}
+function recordBarrierEvent(yDoc, listenerBlockId, entry) {
+  let written = false;
+  yDoc.transact(() => {
+    const inner = getOrCreateListenerBarrierMap(yDoc, listenerBlockId);
+    const key = `${entry.sourceBlockId}::${entry.eventName}`;
+    const existing = inner.get(key);
+    if (existing && typeof existing === "object" && existing.runId === entry.runId) return;
+    inner.set(key, entry);
+    written = true;
+  });
+  return written;
+}
+function readBarrierState(yDoc, listenerBlockId) {
+  const outer = getBarrierStateMap(yDoc);
+  const inner = outer.get(listenerBlockId);
+  if (!inner) return [];
+  const entries = [];
+  inner.forEach((value) => {
+    if (value && typeof value === "object") {
+      entries.push(value);
+    }
+  });
+  return entries;
+}
+function clearBarrierState(yDoc, listenerBlockId) {
+  const outer = getBarrierStateMap(yDoc);
+  yDoc.transact(() => {
+    outer.delete(listenerBlockId);
+  });
+}
+function computeBarrierInvocationId(entries, listenerBlockId) {
+  const sorted = [...entries].sort((a, b) => a.sourceBlockId.localeCompare(b.sourceBlockId));
+  const input = sorted.map((e) => `${e.sourceBlockId}:${e.runId}:${e.eventName}`).join("|") + `|>${listenerBlockId}`;
+  return `bi-${fnv1a32(input)}`;
+}
+function mergeBarrierPayloads(entries) {
+  const merged = {};
+  for (const entry of entries) {
+    if (entry.alias) {
+      merged[entry.alias] = entry.payload;
+    } else {
+      Object.assign(merged, entry.payload);
+    }
+  }
+  return merged;
+}
 function appendRunRecord(yDoc, blockId, details, userId) {
   const auditMap = yDoc.getMap("auditTrail");
   yDoc.transact(() => {
@@ -3992,21 +5060,41 @@ function replayFailedListenerRun(yDoc, failedRecord, listenerBlockId, originalPa
 }
 
 // src/core/lib/flowEngine/reconcile.ts
+var _reconcileRunning = false;
 function reconcilePendingInvocations(editor) {
+  if (_reconcileRunning) return;
+  _reconcileRunning = true;
+  try {
+    _reconcilePendingInvocationsInner(editor);
+  } finally {
+    _reconcileRunning = false;
+  }
+}
+function _reconcilePendingInvocationsInner(editor) {
   const yDoc = editor._yDoc;
   if (!yDoc) return;
   const blocks = editor.document || [];
   if (blocks.length === 0) return;
   const listenersBySource = /* @__PURE__ */ new Map();
+  const barrierListenersBySource = /* @__PURE__ */ new Map();
   for (const block of blocks) {
     const trigger = parseTrigger(block);
-    if (!trigger || trigger.type !== "block.event") continue;
-    if (!trigger.sourceBlockId || !trigger.eventName) continue;
-    const key = `${trigger.sourceBlockId}::${trigger.eventName}`;
-    if (!listenersBySource.has(key)) listenersBySource.set(key, []);
-    listenersBySource.get(key).push({ block, trigger });
+    if (!trigger) continue;
+    if (trigger.type === "block.event") {
+      if (!trigger.sourceBlockId || !trigger.eventName) continue;
+      const key = `${trigger.sourceBlockId}::${trigger.eventName}`;
+      if (!listenersBySource.has(key)) listenersBySource.set(key, []);
+      listenersBySource.get(key).push({ block, trigger });
+    } else if (trigger.type === "block.event.all" && trigger.sources) {
+      for (const source of trigger.sources) {
+        if (!source.sourceBlockId || !source.eventName) continue;
+        const key = `${source.sourceBlockId}::${source.eventName}`;
+        if (!barrierListenersBySource.has(key)) barrierListenersBySource.set(key, []);
+        barrierListenersBySource.get(key).push({ block, trigger, source });
+      }
+    }
   }
-  if (listenersBySource.size === 0) return;
+  if (listenersBySource.size === 0 && barrierListenersBySource.size === 0) return;
   const runtimeMap = editor._yRuntime;
   const getNodeOutput = (nodeId) => {
     if (!runtimeMap) return void 0;
@@ -4025,14 +5113,21 @@ function reconcilePendingInvocations(editor) {
         break;
       }
     }
+    for (const key of barrierListenersBySource.keys()) {
+      if (key.startsWith(`${sourceBlockId}::`)) {
+        hasAnyListener = true;
+        break;
+      }
+    }
     if (!hasAnyListener) continue;
     const records = readRunRecords(yDoc, sourceBlockId);
     for (const record of records) {
-      processRunRecord(yDoc, sourceBlockId, record, listenersBySource, getNodeOutput);
+      processRunRecord(yDoc, sourceBlockId, record, listenersBySource, getNodeOutput, runtimeMap);
+      processBarrierRunRecord(yDoc, sourceBlockId, record, barrierListenersBySource, getNodeOutput, runtimeMap);
     }
   }
 }
-function processRunRecord(yDoc, sourceBlockId, record, listenersBySource, getNodeOutput) {
+function processRunRecord(yDoc, sourceBlockId, record, listenersBySource, getNodeOutput, runtimeMap) {
   if (!Array.isArray(record.events)) return;
   record.events.forEach((event, eventIndex) => {
     if (!event?.name) return;
@@ -4049,8 +5144,7 @@ function processRunRecord(yDoc, sourceBlockId, record, listenersBySource, getNod
         eventName: event.name,
         eventIndex
       });
-      const assigneeDid = resolveAssignee(listenerBlock);
-      if (!assigneeDid) continue;
+      const assigneeDid = resolveAssignee(listenerBlock) || "unassigned";
       const inputs = parseInputs(listenerBlock);
       const refSnapshots = snapshotInputRefs(inputs, getNodeOutput);
       const expiresAt = computeExpiry(listenerBlock, record.completedAt);
@@ -4067,9 +5161,77 @@ function processRunRecord(yDoc, sourceBlockId, record, listenersBySource, getNod
         expiresAt
       };
       queuePendingInvocation(yDoc, listenerBlockId, invocation);
+      if (runtimeMap) {
+        const prev = runtimeMap.get(listenerBlockId) || {};
+        runtimeMap.set(listenerBlockId, {
+          ...prev,
+          pendingPayload: { ...event.payload, ...refSnapshots }
+        });
+      }
     }
   });
 }
+function processBarrierRunRecord(yDoc, sourceBlockId, record, barrierListenersBySource, getNodeOutput, runtimeMap) {
+  if (!Array.isArray(record.events)) return;
+  for (const event of record.events) {
+    if (!event?.name) continue;
+    const key = `${sourceBlockId}::${event.name}`;
+    const listeners = barrierListenersBySource.get(key);
+    if (!listeners || listeners.length === 0) continue;
+    for (const { block: listenerBlock, trigger, source } of listeners) {
+      const listenerBlockId = listenerBlock.id;
+      if (!listenerBlockId) continue;
+      const entry = {
+        sourceBlockId,
+        eventName: event.name,
+        alias: source.alias,
+        runId: record.runId,
+        payload: event.payload || {},
+        emittedAt: record.completedAt
+      };
+      recordBarrierEvent(yDoc, listenerBlockId, entry);
+      if (runtimeMap) {
+        const prev = runtimeMap.get(listenerBlockId) || {};
+        const existing = prev.pendingPayload || {};
+        runtimeMap.set(listenerBlockId, {
+          ...prev,
+          pendingPayload: { ...existing, ...event.payload || {} }
+        });
+      }
+      const allSources = trigger.sources || [];
+      const currentState = readBarrierState(yDoc, listenerBlockId);
+      const allFired = allSources.length > 0 && allSources.every((s) => currentState.some((e) => e.sourceBlockId === s.sourceBlockId && e.eventName === s.eventName));
+      if (!allFired) continue;
+      const assigneeDid = resolveAssignee(listenerBlock) || "unassigned";
+      const id = computeBarrierInvocationId(currentState, listenerBlockId);
+      const mergedPayload = mergeBarrierPayloads(currentState);
+      const inputs = parseInputs(listenerBlock);
+      const refSnapshots = snapshotInputRefs(inputs, getNodeOutput);
+      const expiresAt = computeExpiry(listenerBlock, record.completedAt);
+      const invocation = {
+        id,
+        triggeringBlockId: sourceBlockId,
+        sourceRunId: record.runId,
+        eventName: `barrier:${allSources.map((s) => s.alias).join("+")}`,
+        eventIndex: 0,
+        payload: mergedPayload,
+        refSnapshots,
+        assigneeDid,
+        emittedAt: record.completedAt,
+        expiresAt
+      };
+      queuePendingInvocation(yDoc, listenerBlockId, invocation);
+      clearBarrierState(yDoc, listenerBlockId);
+      if (runtimeMap) {
+        const prev = runtimeMap.get(listenerBlockId) || {};
+        runtimeMap.set(listenerBlockId, {
+          ...prev,
+          pendingPayload: { ...mergedPayload, ...refSnapshots }
+        });
+      }
+    }
+  }
+}
 function parseTrigger(block) {
   const raw = block?.props?.trigger;
   if (!raw || typeof raw !== "string") return null;
@@ -4134,6 +5296,25 @@ function getActionForBlock(block) {
   return getAction(actionType);
 }
 
+// src/core/lib/flowEngine/emitEvents.ts
+function writeRunRecordAndReconcile(editor, blockId, output, events, actorDid) {
+  const yDoc = editor._yDoc;
+  if (!yDoc) return;
+  if (events.length === 0) return;
+  const runId = `run-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const details = {
+    runId,
+    output,
+    events,
+    startedAt: now,
+    completedAt: now,
+    actorDid
+  };
+  appendRunRecord(yDoc, blockId, details, actorDid);
+  reconcilePendingInvocations(editor);
+}
+
 // src/core/lib/flowEngine/migration.ts
 var MIGRATION_REGISTRY = {};
 function registerMigration(definition) {
@@ -4292,7 +5473,6 @@ var ICON_DEFAULTS = {
   "matrix/dm": "message-circle",
   "proposal/create": "scroll",
   "proposal/vote": "vote",
-  "domain/card-build": "file-text",
   "domain/card-preview": "id",
   "domain/sign": "feather",
   "credential/store": "shield",
@@ -4360,42 +5540,81 @@ function compileBaseUcanFlow(plan, registry) {
   const triggerEdges = [];
   for (const [nodeId, { cap, action }] of actionMap) {
     const trigger = cap.trigger;
-    if (!trigger || trigger.type !== "block.event") continue;
-    if (action.eligibleForEventTrigger !== true) {
-      throw new Error(
-        `Block "${nodeId}" is configured with a block.event trigger, but its action type "${action.type}" is not marked eligibleForEventTrigger. Set eligibleForEventTrigger: true on the action definition or change the trigger to manual.`
-      );
+    if (!trigger) continue;
+    if (trigger.type === "block.event") {
+      if (action.eligibleForEventTrigger !== true) {
+        throw new Error(
+          `Block "${nodeId}" is configured with a block.event trigger, but its action type "${action.type}" is not marked eligibleForEventTrigger. Set eligibleForEventTrigger: true on the action definition or change the trigger to manual.`
+        );
+      }
+      const sourceId = trigger.sourceBlockId?.trim();
+      const eventName = trigger.eventName?.trim();
+      if (!sourceId || !eventName) {
+        throw new Error(`Block "${nodeId}" has a block.event trigger but is missing sourceBlockId or eventName.`);
+      }
+      const source = actionMap.get(sourceId);
+      if (!source) {
+        throw new Error(`Trigger on block "${nodeId}" references unknown source block "${sourceId}".`);
+      }
+      const declaredEvents = source.action.events || [];
+      if (declaredEvents.length === 0) {
+        throw new Error(`Trigger on block "${nodeId}" references event "${eventName}" but source action "${source.action.type}" declares no events.`);
+      }
+      const found = declaredEvents.find((e) => e.name === eventName);
+      if (!found) {
+        const declared = declaredEvents.map((e) => e.name).join(", ");
+        throw new Error(`Trigger on block "${nodeId}" references unknown event "${eventName}" on action type "${source.action.type}". Declared events: [${declared}]`);
+      }
+      triggerEdges.push({
+        id: `${sourceId}~event:${eventName}~>${nodeId}`,
+        source: sourceId,
+        target: nodeId,
+        kind: "trigger"
+      });
     }
-    const sourceId = trigger.sourceBlockId?.trim();
-    const eventName = trigger.eventName?.trim();
-    if (!sourceId || !eventName) {
-      throw new Error(`Block "${nodeId}" has a block.event trigger but is missing sourceBlockId or eventName.`);
-    }
-    const source = actionMap.get(sourceId);
-    if (!source) {
-      throw new Error(`Trigger on block "${nodeId}" references unknown source block "${sourceId}".`);
-    }
-    const declaredEvents = source.action.events || [];
-    if (declaredEvents.length === 0) {
-      throw new Error(`Trigger on block "${nodeId}" references event "${eventName}" but source action "${source.action.type}" declares no events.`);
-    }
-    const found = declaredEvents.find((e) => e.name === eventName);
-    if (!found) {
-      const declared = declaredEvents.map((e) => e.name).join(", ");
-      throw new Error(`Trigger on block "${nodeId}" references unknown event "${eventName}" on action type "${source.action.type}". Declared events: [${declared}]`);
-    }
-    triggerEdges.push({
-      id: `${sourceId}~event:${eventName}~>${nodeId}`,
-      source: sourceId,
-      target: nodeId,
-      kind: "trigger"
-    });
-    const refs = collectOutputRefs(cap.nb || {});
-    for (const ref of refs) {
-      const parsed = parseOutputRef2(ref);
-      if (!parsed) continue;
-      if (!actionMap.has(parsed.nodeId)) {
-        throw new Error(`Listener "${nodeId}" references output of unknown block "${parsed.nodeId}" via ref "${ref}".`);
+    if (trigger.type === "block.event.all") {
+      if (action.eligibleForEventTrigger !== true) {
+        throw new Error(`Block "${nodeId}" is configured with a block.event.all trigger, but its action type "${action.type}" is not marked eligibleForEventTrigger.`);
+      }
+      const sources = trigger.sources || [];
+      if (sources.length === 0) {
+        throw new Error(`Block "${nodeId}" has a block.event.all trigger but no sources configured.`);
+      }
+      for (const src of sources) {
+        const srcId = src.sourceBlockId?.trim();
+        const evtName = src.eventName?.trim();
+        if (!srcId || !evtName) {
+          throw new Error(`Block "${nodeId}" has a block.event.all source with missing sourceBlockId or eventName.`);
+        }
+        const sourceEntry = actionMap.get(srcId);
+        if (!sourceEntry) {
+          throw new Error(`Barrier trigger on block "${nodeId}" references unknown source block "${srcId}".`);
+        }
+        const declaredEvents = sourceEntry.action.events || [];
+        const found = declaredEvents.find((e) => e.name === evtName);
+        if (!found) {
+          const declared = declaredEvents.map((e) => e.name).join(", ");
+          throw new Error(`Barrier trigger on block "${nodeId}" references unknown event "${evtName}" on action type "${sourceEntry.action.type}". Declared events: [${declared}]`);
+        }
+        if (!src.alias?.trim()) {
+          throw new Error(`Barrier trigger on block "${nodeId}" has a source (${srcId}/${evtName}) with no alias.`);
+        }
+        triggerEdges.push({
+          id: `${srcId}~event:${evtName}~>${nodeId}`,
+          source: srcId,
+          target: nodeId,
+          kind: "trigger"
+        });
+      }
+    }
+    if (trigger.type === "block.event" || trigger.type === "block.event.all") {
+      const refs = collectOutputRefs(cap.nb || {});
+      for (const ref of refs) {
+        const parsed = parseOutputRef2(ref);
+        if (!parsed) continue;
+        if (!actionMap.has(parsed.nodeId)) {
+          throw new Error(`Listener "${nodeId}" references output of unknown block "${parsed.nodeId}" via ref "${ref}".`);
+        }
       }
     }
   }
@@ -5139,6 +6358,7 @@ export {
   parseLinkedEntities,
   buildGovernanceGroupLinkedEntities,
   tempDomainCreatorSurvey,
+  resolveEntityTypeFromSchema,
   getHomeserver,
   didToMatrixUserId,
   findOrCreateDMRoom,
@@ -5170,6 +6390,7 @@ export {
   replayFailedListenerRun,
   reconcilePendingInvocations,
   getActionForBlock,
+  writeRunRecordAndReconcile,
   compileBaseUcanFlow,
   readCompiledFlowFromYDoc,
   mergeCompiledFlows,
@@ -5181,4 +6402,4 @@ export {
   readFlow,
   setupFlowFromBaseUcan
 };
-//# sourceMappingURL=chunk-B7UIUYP5.mjs.map
+//# sourceMappingURL=chunk-75MWYZJ2.mjs.map