@nekzus/liop 1.2.0-alpha.9 → 1.3.0-alpha.1

package/README.md

@@ -4,19 +4,19 @@
     <img alt="Logic-Injection-on-Origin Protocol Logo" src="https://res.cloudinary.com/dsvsl0b0b/image/upload/v1774702621/Neural-Mesh-Protocol/hoanw0m6tybpz5fbl12n.svg?v=20260328" width="700">
   </picture>
 
-  <h1>Logic-Injection-on-Origin Protocol (LIOP) — TypeScript SDK</h1>
+<h1>Logic-Injection-on-Origin Protocol (LIOP) — TypeScript SDK</h1>
 <p align="center">
-  <a href="https://github.com/Nekzus/Neural-Mesh-Protocol/actions/workflows/ci.yml"><img src="https://github.com/Nekzus/Neural-Mesh-Protocol/actions/workflows/ci.yml/badge.svg?event=push" alt="Github Workflow"></a>
+  <a href="https://github.com/Nekzus/LIOP/actions/workflows/ci.yml"><img src="https://github.com/Nekzus/LIOP/actions/workflows/ci.yml/badge.svg?event=push" alt="Github Workflow"></a>
   <a href="https://www.npmjs.com/package/@nekzus/liop"><img src="https://img.shields.io/npm/v/@nekzus/liop.svg" alt="npm version"></a>
   <a href="https://www.npmjs.com/package/@nekzus/liop"><img src="https://img.shields.io/npm/dm/@nekzus/liop.svg" alt="npm-month"></a>
   <a href="https://www.npmjs.com/package/@nekzus/liop"><img src="https://img.shields.io/npm/dt/@nekzus/liop.svg?style=flat" alt="npm-total"></a>
-  <a href="https://github.com/Nekzus/Neural-Mesh-Protocol/blob/main/LICENSE"><img src="https://img.shields.io/github/license/Nekzus/LIOP.svg" alt="License"></a>
-  <a href="https://liop.mintlify.app/"><img src="https://img.shields.io/badge/docs-mintlify-0D9373?style=flat" alt="Docs"></a>
+  <a href="https://github.com/Nekzus/LIOP/blob/main/LICENSE"><img src="https://img.shields.io/github/license/Nekzus/LIOP.svg" alt="License"></a>
+  <a href="https://nekzus-32.mintlify.app/"><img src="https://img.shields.io/badge/docs-mintlify-0D9373?style=flat" alt="Docs"></a>
   <a href="https://deepwiki.com/Nekzus/LIOP"><img src="https://deepwiki.com/badge.svg" alt="Ask DeepWiki"></a>
   <a href="https://paypal.me/maseortega"><img src="https://img.shields.io/badge/donate-paypal-blue.svg?style=flat-square" alt="Donate"></a>
 </p>
 
-  <p><strong>The official TypeScript SDK for the Logic-Injection-on-Origin Protocol.</strong></p>
+<p><strong>The official TypeScript SDK for the Logic-Injection-on-Origin Protocol.</strong></p>
   <p>Deploy Logic-on-Origin with WebAssembly sandboxing, gRPC-speed execution, and full MCP backward compatibility.</p>
 </div>
 
@@ -30,18 +30,19 @@ This fundamentally solves the data privacy, bandwidth, and latency challenges of
 
 ### Key Capabilities
 
-| Feature | Description |
-|:--|:--|
-| **Logic-Injection-on-Origin** | LLMs send code, not queries. Data never leaves the origin server. |
-| **MCP Drop-in Replacement** | `LiopServer` mirrors the Anthropic MCP `Server` API — tools, resources, and prompts with `Zod` schemas. |
-| **Guardian AST** | Zero-time heuristic inspection blocks sandbox escapes (`require`, `fs`, `eval`, `fetch`, prototype pollution). |
-| **WASI Sandbox** | JavaScript payloads execute inside V8 isolates with CPU fuel limits and no access to Node.js globals. |
-| **PII Shield** | Multi-layer egress filter with NIST/OWASP patterns (Email, Credit Card with Luhn, IP, Phone) and configurable forbidden keys. |
-| **ZK-Receipts** | Cryptographic proof (SHA-256 + SHA-512 seal) that the returned result was computed honestly from the injected logic. |
-| **Worker Pool** | Heavy computation (crypto, sandboxing) dispatched to OS threads via `piscina`, unblocking the V8 event loop. |
-| **MCP Bridge** | `LiopMcpBridge` adapts any `LiopServer` to the JSON-RPC 2.0 / stdio protocol used by Claude Desktop, Cursor, etc. |
-| **Post-Quantum Ready** | ML-KEM-768 (Kyber) handshake + AES-256-GCM symmetric encryption for transport-layer security. |
-| **P2P Mesh** | Kademlia DHT discovery via `libp2p` with TCP + WebSocket + Yamux multiplexing and Noise encryption. |
+| Feature                             | Description                                                                                                                                |
+| :---------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------- |
+| **Logic-Injection-on-Origin** | LLMs send code, not queries. Data never leaves the origin server.                                                                          |
+| **MCP Drop-in Replacement**   | `LiopServer` mirrors the Anthropic MCP `Server` API — tools, resources, and prompts with `Zod` schemas.                             |
+| **Guardian AST**              | Zero-time heuristic inspection blocks sandbox escapes (`require`, `fs`, `eval`, `fetch`, prototype pollution).                     |
+| **WASI Sandbox**              | JavaScript payloads execute inside V8 isolates with CPU fuel limits and no access to Node.js globals.                                      |
+| **PII Shield**                | Multi-layer egress filter with Regional Presets (Email, Credit Card with Luhn, IP, Phone, SSN, IBAN Mod-97, Passport MRZ) and custom keys. |
+| **ZK-Receipts**               | Cryptographic proof (SHA-256 ImageID + HMAC-SHA256 seal) that the returned result was computed honestly from the injected logic.            |
+| **Worker Pool**               | Heavy computation (crypto, sandboxing) dispatched to OS threads via `piscina`, unblocking the V8 event loop.                             |
+| **Cross-AI Adapters**         | Zero-Shot system prompts automatically adapt instructions for Claude (XML-heavy) vs OpenAI/Gemini (JSON-schema).                           |
+| **MCP Bridge**                | `LiopMcpBridge` adapts any `LiopServer` to the JSON-RPC 2.0 / stdio protocol used by Claude Desktop, Cursor, etc.                      |
+| **Post-Quantum Ready**        | ML-KEM-768 (Kyber) handshake + AES-256-GCM symmetric encryption for transport-layer security.                                              |
+| **P2P Mesh**                  | Kademlia DHT discovery via `libp2p` with TCP + WebSocket + Yamux multiplexing and Noise encryption.                                      |
 
 ---
 
@@ -90,6 +91,7 @@ To use the Neural Mesh inside Claude Desktop, update your `claude_desktop_config
 ### Persistence & Identity
 
 The agent automatically manages your P2P identity:
+
 - **Identity Path**: `~/.liop/identity.json`. This file contains your unique PeerID. Keep it safe if you want to maintain a consistent identity in the mesh.
 - **Bootstrap Nodes**: By default, the agent connects to the **LIOP Alpha Nexus**. You can provide custom bootstrap addresses as CLI arguments:
   ```bash
@@ -196,24 +198,24 @@ new LiopServer(
 
 #### Methods
 
-| Method | Signature | Description |
-|:--|:--|:--|
-| `tool()` | `(name, description, zodSchema, handler)` | Registers a callable tool with Zod input validation. |
-| `prompt()` | `(name, description, args, handler)` | Registers a dynamic prompt template. |
-| `resource()` | `(name, uri, description?, mimeType?, content?)` | Registers a readable resource. |
-| `dataDictionary()` | `(schema, name?, uri?, description?)` | Broadcasts a data schema so LLMs can write accurate Logic-Injection-on-Origin code. |
-| `setSandboxData()` | `(records: Record[])` | Injects data into the sandbox as `env.records` for Logic-on-Origin tools. |
-| `enableZeroShotAutonomy()` | `()` | Registers the "Blind Analyst" prompt for autonomous code generation. |
-| `callTool()` | `(request: CallToolRequest)` | Invokes a registered tool (used locally or via MCP Bridge). |
-| `listTools()` | `()` | Returns all registered tools. |
-| `listPrompts()` | `()` | Returns all registered prompts. |
-| `getPrompt()` | `(request: GetPromptRequest)` | Returns a specific prompt by name. |
-| `listResources()` | `()` | Returns all registered resources. |
-| `readResource()` | `(uri: string)` | Reads a resource by URI. |
-| `getServerInfo()` | `()` | Returns the server's name and version. |
-| `connectToMesh()` | `()` | Connects to the libp2p Kademlia DHT. |
-| `clearAstCache()` | `()` | Invalidates the Guardian AST logic cache. |
-| `close()` | `()` | Destroys the worker pool and releases threads. |
+| Method                       | Signature                                          | Description                                                                         |
+| :--------------------------- | :------------------------------------------------- | :---------------------------------------------------------------------------------- |
+| `tool()`                   | `(name, description, zodSchema, handler)`        | Registers a callable tool with Zod input validation.                                |
+| `prompt()`                 | `(name, description, args, handler)`             | Registers a dynamic prompt template.                                                |
+| `resource()`               | `(name, uri, description?, mimeType?, content?)` | Registers a readable resource.                                                      |
+| `dataDictionary()`         | `(schema, name?, uri?, description?)`            | Broadcasts a data schema so LLMs can write accurate Logic-Injection-on-Origin code. |
+| `setSandboxData()`         | `(records: Record[])`                            | Injects data into the sandbox as `env.records` for Logic-on-Origin tools.         |
+| `enableZeroShotAutonomy()` | `()`                                             | Registers the "Blind Analyst" prompt for autonomous code generation.                |
+| `callTool()`               | `(request: CallToolRequest)`                     | Invokes a registered tool (used locally or via MCP Bridge).                         |
+| `listTools()`              | `()`                                             | Returns all registered tools.                                                       |
+| `listPrompts()`            | `()`                                             | Returns all registered prompts.                                                     |
+| `getPrompt()`              | `(request: GetPromptRequest)`                    | Returns a specific prompt by name.                                                  |
+| `listResources()`          | `()`                                             | Returns all registered resources.                                                   |
+| `readResource()`           | `(uri: string)`                                  | Reads a resource by URI.                                                            |
+| `getServerInfo()`          | `()`                                             | Returns the server's name and version.                                              |
+| `connectToMesh()`          | `()`                                             | Connects to the libp2p Kademlia DHT.                                                |
+| `clearAstCache()`          | `()`                                             | Invalidates the Guardian AST logic cache.                                           |
+| `close()`                  | `()`                                             | Destroys the worker pool and releases threads.                                      |
 
 ### `LiopMcpBridge`
 
@@ -225,6 +227,7 @@ await bridge.connect();
 ```
 
 **Supported JSON-RPC methods:**
+
 - `initialize` — Returns server capabilities and info
 - `tools/list` — Lists available tools
 - `tools/call` — Calls a tool (with ZK-Receipt verification)
@@ -254,7 +257,7 @@ await bridge.connect();
 ├─────────────────────────────────────────────────────┤
 │  Layer 4: ZK-Receipt (Integrity Verification)       │
 │  SHA-256 ImageID + SHA-512 RISC0-style Seal         │
-│  LiopMcpBridge verifies before forwarding to LLM     │
+│  LiopMcpBridge verifies before forwarding to LLM    │
 └─────────────────────────────────────────────────────┘
 ```
 
@@ -263,13 +266,21 @@ await bridge.connect();
 Built-in patterns with multi-layer verification:
 
 ```typescript
-import { PII_PATTERNS } from "@nekzus/liop/server";
+import { PII_PATTERNS, PII_PRESETS } from "@nekzus/liop/server";
 
 // Available patterns:
 PII_PATTERNS.EMAIL         // RFC 5322 compliant, excludes @example.com/@test.com
 PII_PATTERNS.CREDIT_CARD   // Visa/MC/Amex + Luhn algorithm validation
 PII_PATTERNS.IP_ADDRESS    // IPv4 with octet range validation (excludes localhost)
 PII_PATTERNS.PHONE         // International phone formats with digit-length validation
+PII_PATTERNS.SSN           // USA Social Security Number rules (blocks 000 segments)
+PII_PATTERNS.IBAN          // ISO 7064 Modulo 97-10 algorithm precision via BigInt
+PII_PATTERNS.PASSPORT_MRZ  // Strict 44-character TD3 international passport MRZ string
+
+// Pre-built Regional Presets ready to drop-in via LiopServer(options):
+PII_PRESETS.GLOBAL_STRICT
+PII_PRESETS.US_COMPLIANT
+PII_PRESETS.EU_GDPR
 ```
 
 ### Forbidden Keys
@@ -292,7 +303,7 @@ const server = new LiopServer(info, {
 The following shows a complete Logic-Injection-on-Origin execution cycle (handled internally by the SDK):
 
 ```
-1. LLM generates JavaScript analysis code wrapped in ---BEGIN_LOGIC--- / ---END_LOGIC--- boundaries
+1. LLM generates JavaScript analysis code wrapped in @LIOP / @END boundaries
 2. LiopServer receives the payload via tools/call (JSON-RPC or direct)
 3. Guardian AST inspects for sandbox escapes (zero-time heuristic analysis)
 4. Code executes inside a V8 isolate with CPU fuel limits (no Node.js globals)
@@ -379,26 +390,27 @@ await server.connectToMesh();
 
 This package is continuously tested across multiple platforms and Node.js versions via CI/CD:
 
-- **51+ tests** spanning unit, integration, and conformance suites
+- **209+ tests** spanning unit, integration, conformance, and crossnet suites
 - **Multi-OS matrix:** Ubuntu, Windows, macOS
 - **Node.js versions:** 22.x, 24.x
 - **Code quality:** Enforced by [Biome.js](https://biomejs.dev/) (linting + formatting)
+- **Security:** Verified defense-in-depth architecture — see [Security Architecture](https://nekzus-32.mintlify.app/typescript-sdk/security)
 
-> To run tests locally or contribute, clone the [repository](https://github.com/Nekzus/Neural-Mesh-Protocol) and follow the [Contributing Guide](https://github.com/Nekzus/Neural-Mesh-Protocol/blob/main/CONTRIBUTING.md).
+> To run tests locally or contribute, clone the [repository](https://github.com/Nekzus/LIOP) and follow the [Contributing Guide](https://github.com/Nekzus/LIOP/blob/main/CONTRIBUTING.md).
 
 ---
 
 ## Related
 
-- [LIOP Documentation](https://liop.mintlify.app/) — Full conceptual and API documentation
-- [LIOP Specification](https://github.com/Nekzus/Neural-Mesh-Protocol/blob/main/protocol/SPECIFICATION.md) — Technical specification
-- [LIOP Manifesto](https://github.com/Nekzus/Neural-Mesh-Protocol/blob/main/MANIFESTO.md) — Project philosophy
-- [Contributing Guide](https://github.com/Nekzus/Neural-Mesh-Protocol/blob/main/CONTRIBUTING.md) — How to contribute
-- [Rust Mesh Node](https://github.com/Nekzus/Neural-Mesh-Protocol/tree/main/servers/liop-node) — Native high-performance backend
-- [LIOP CLI](https://github.com/Nekzus/Neural-Mesh-Protocol/tree/main/tools/liop-cli) — Developer diagnostics
+- [LIOP Documentation](https://nekzus-32.mintlify.app/) — Full conceptual and API documentation
+- [LIOP Specification](https://github.com/Nekzus/LIOP/blob/main/protocol/SPECIFICATION.md) — Technical specification
+- [LIOP Manifesto](https://github.com/Nekzus/LIOP/blob/main/MANIFESTO.md) — Project philosophy
+- [Contributing Guide](https://github.com/Nekzus/LIOP/blob/main/CONTRIBUTING.md) — How to contribute
+- [Rust Mesh Node](https://github.com/Nekzus/LIOP/tree/main/servers/liop-node) — Native high-performance backend
+- [LIOP CLI](https://github.com/Nekzus/LIOP/tree/main/tools/liop-cli) — Developer diagnostics
 
 ---
 
 ## License
 
-[MIT](https://github.com/Nekzus/Neural-Mesh-Protocol/blob/main/LICENSE) © [Nekzus](https://github.com/Nekzus)
+[MIT](https://github.com/Nekzus/LIOP/blob/main/LICENSE) © [Nekzus](https://github.com/Nekzus)

package/dist/bin/agent.js

@@ -2,9 +2,105 @@
 import * as fs from "node:fs";
 import * as os from "node:os";
 import * as path from "node:path";
+import { multiaddr } from "@multiformats/multiaddr";
 import { LiopMcpRouter } from "../gateway/router.js";
 import { MeshNode } from "../mesh/index.js";
 import { LiopServer } from "../server/index.js";
+import { log } from "../utils/logger.js";
+/**
+ * Resolves a full libp2p multiaddr (with PeerID) from a LIOP node's
+ * HTTP health endpoint. This enables zero-config bootstrap — users
+ * only need to provide a URL, not a cryptographic PeerID.
+ *
+ * @param url - HTTP URL of a LIOP node's health endpoint (e.g. "http://host:3000")
+ * @returns Full multiaddr string with PeerID, or null if resolution fails
+ */
+async function resolveBootstrapFromUrl(url) {
+    try {
+        const healthUrl = url.endsWith("/health") ? url : `${url}/health`;
+        const response = await fetch(healthUrl, {
+            headers: { Accept: "application/json" },
+            signal: AbortSignal.timeout(10000), // Increased to 10s
+        });
+        if (!response.ok)
+            return null;
+        const data = await response.json();
+        if (!data.mesh?.multiaddrs?.length || !data.mesh?.peerId)
+            return null;
+        // Find TCP multiaddr (prefer non-websocket for stability)
+        const tcpAddr = data.mesh.multiaddrs.find((a) => a.includes("/tcp/") &&
+            !a.includes("/ws") &&
+            !a.includes("/ip4/127.0.0.1/"));
+        if (!tcpAddr)
+            return null;
+        // Rewrite internal Docker IP using industrial mapper if available
+        let resolved = industrialAddressMapper(tcpAddr);
+        if (!resolved || resolved === tcpAddr) {
+            const urlHost = new URL(url).hostname;
+            resolved = tcpAddr.replace(/\/ip4\/[^/]+/, `/ip4/${urlHost}`);
+        }
+        if (!resolved)
+            return null;
+        resolved += resolved.includes("/p2p/") ? "" : `/p2p/${data.mesh.peerId}`;
+        return resolved;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Normalizes a bootstrap multiaddr string.
+ * If the address contains a Docker bridge IP (172.16-31.x.x) or Loopback (127.0.0.1),
+ * rewrites it to the host accessible via LIOP_NEXUS_URL (e.g. WSL2 IP).
+ * This is critical when WSL2 mirror-mode networking is broken.
+ */
+function normalizeBootstrap(addr) {
+    const trimmed = addr.trim();
+    // Remap Docker bridge IPs and ANY external physical IPs to 127.0.0.1
+    // because Test-NetConnection confirmed 127.0.0.1 is the only reliable path to Docker ports.
+    const dockerIpRegex = /\/ip4\/172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}/;
+    const loopbackRegex = /\/ip4\/127\.0\.0\.1/;
+    const physicalIpRegex = /\/ip4\/192\.168\.[0-9]{1,3}\.[0-9]{1,3}/;
+    if (dockerIpRegex.test(trimmed) ||
+        loopbackRegex.test(trimmed) ||
+        physicalIpRegex.test(trimmed)) {
+        const targetIp = "127.0.0.1";
+        const normalized = trimmed
+            .replace(dockerIpRegex, `/ip4/${targetIp}`)
+            .replace(loopbackRegex, `/ip4/${targetIp}`)
+            .replace(physicalIpRegex, `/ip4/${targetIp}`);
+        if (normalized !== trimmed) {
+            log.info(`[LIOP-Agent] 🔄 Local Routing Hack → Forced 127.0.0.1: ${normalized}`);
+        }
+        return normalized;
+    }
+    return trimmed;
+}
+/**
+ * industrialAddressMapper
+ *
+ * Mapea IPs internas de Docker a puertos industriales mapeados en el Host.
+ * Nexus (172.20.0.10) -> 13001
+ * Vault (172.20.0.11) -> 13003
+ * Bank  (172.20.0.12) -> 13004
+ * Oracle(172.20.0.13) -> 13005
+ */
+function industrialAddressMapper(addr) {
+    if (addr.includes("/ip4/172.20.0.10"))
+        return addr.replace(/\/ip4\/172\.20\.0\.10\/tcp\/[0-9]+/, "/ip4/127.0.0.1/tcp/13001");
+    if (addr.includes("/ip4/172.20.0.11"))
+        return addr.replace(/\/ip4\/172\.20\.0\.11\/tcp\/[0-9]+/, "/ip4/127.0.0.1/tcp/13003");
+    if (addr.includes("/ip4/172.20.0.12"))
+        return addr.replace(/\/ip4\/172\.20\.0\.12\/tcp\/[0-9]+/, "/ip4/127.0.0.1/tcp/13004");
+    if (addr.includes("/ip4/172.20.0.13"))
+        return addr.replace(/\/ip4\/172\.20\.0\.13\/tcp\/[0-9]+/, "/ip4/127.0.0.1/tcp/13005");
+    // Drop container-internal loopbacks to prevent the Host Agent from dialing itself or conflicting ports
+    if (addr.includes("/ip4/127.0.0.1/tcp/4000") ||
+        addr.includes("/ip4/127.0.0.1/tcp/3000")) {
+        return null;
+    }
+    return addr;
+}
 /**
  * LIOP Agent (Zero-Config CLI)
  *
@@ -15,6 +111,8 @@ import { LiopServer } from "../server/index.js";
  * No hardcoded tools, PeerIDs, or port mappings.
  */
 async function main() {
+    const buildTime = new Date().toISOString();
+    log.info(`[LIOP-Agent] 🚀 Version 1.2.0-alpha.9 | Build: ${buildTime}`);
     const liopDir = path.join(os.homedir(), ".liop");
     const identityPath = path.join(liopDir, "identity.json");
     if (!fs.existsSync(liopDir)) {
@@ -27,31 +125,41 @@ async function main() {
     if (args.length > 0) {
         bootstrapNodes = args.filter((a) => a.startsWith("/"));
     }
-    // Environment variable
-    if (bootstrapNodes.length === 0 && process.env.LIOP_BOOTSTRAP) {
-        bootstrapNodes.push(process.env.LIOP_BOOTSTRAP.trim());
-    }
-    // Convenience: Try to read nexus.multiaddr from multiple locations
+    // Priority 1: Physical Beacons (Industrial Pattern) - DETERMINISTIC & INSTANT
     if (bootstrapNodes.length === 0) {
-        const searchPaths = [
-            path.join(process.cwd(), "nexus.multiaddr"),
-            path.join(liopDir, "nexus.multiaddr"),
-            // Try relative to the agent binary (dist/bin/agent.js -> root/nexus.multiaddr)
-            path.join(path.dirname(new URL(import.meta.url).pathname), "../../nexus.multiaddr"),
-            // Windows path fix (remove leading slash if present)
-            path.join(path
-                .dirname(new URL(import.meta.url).pathname)
-                .replace(/^\/([A-Z]:)/, "$1"), "../../nexus.multiaddr"),
-        ];
-        for (const nexusPath of searchPaths) {
+        const searchDirs = [];
+        // Priority 1.1: Explicit file from environment variable
+        if (process.env.LIOP_BOOTSTRAP_FILE) {
+            const filePath = path.resolve(process.env.LIOP_BOOTSTRAP_FILE);
+            if (fs.existsSync(filePath)) {
+                const addr = fs.readFileSync(filePath, "utf8").trim();
+                if (addr)
+                    bootstrapNodes.push(normalizeBootstrap(addr));
+            }
+        }
+        // Priority 1.2: Traditional locations (Scan for all *.multiaddr)
+        searchDirs.push(process.cwd(), path.join(process.cwd(), "tests/infra/nexus-data"), liopDir, path.join(path
+            .dirname(new URL(import.meta.url).pathname)
+            .replace(/^\/([A-Z]:)/, "$1"), "../../tests/infra/nexus-data"));
+        for (const dir of searchDirs) {
             try {
-                if (fs.existsSync(nexusPath)) {
-                    const addr = fs.readFileSync(nexusPath, "utf8").trim();
-                    if (addr && !bootstrapNodes.includes(addr)) {
-                        bootstrapNodes.push(addr);
-                        console.error(`[LIOP-Agent] Found bootstrap at: ${nexusPath}`);
-                        break;
+                if (fs.existsSync(dir)) {
+                    const files = fs.readdirSync(dir);
+                    const multiaddrFiles = files.filter((f) => f.endsWith(".multiaddr"));
+                    for (const file of multiaddrFiles) {
+                        const filePath = path.join(dir, file);
+                        const addr = fs.readFileSync(filePath, "utf8").trim();
+                        if (addr) {
+                            const normalized = normalizeBootstrap(addr);
+                            if (!bootstrapNodes.includes(normalized)) {
+                                bootstrapNodes.push(normalized);
+                                log.info(`[LIOP-Agent] ✅ Loaded beacon: ${file} from ${dir}`);
+                            }
+                        }
                     }
+                    // If we found any beacons in this directory, we consider discovery successful for this layer
+                    if (bootstrapNodes.length > 0)
+                        break;
                 }
             }
             catch (_e) {
@@ -59,78 +167,141 @@ async function main() {
             }
         }
     }
+    // Priority 2: Auto-Discovery via NEXUS URL (Aggressive Parallel Discovery)
+    if (process.env.LIOP_NEXUS_URL) {
+        const nexusUrl = process.env.LIOP_NEXUS_URL;
+        log.info(`[LIOP-Agent] 🌐 Running parallel discovery from: ${nexusUrl} (Sources Found: ${bootstrapNodes.length})`);
+        const resolved = await resolveBootstrapFromUrl(nexusUrl);
+        if (resolved) {
+            const normalized = normalizeBootstrap(resolved);
+            if (!bootstrapNodes.includes(normalized)) {
+                bootstrapNodes.push(normalized);
+                log.info(`[LIOP-Agent] ✅ Added bootstrap from URL discovery: ${normalized}`);
+            }
+        }
+    }
+    // Priority 3: Environment variable (direct multiaddr)
+    if (bootstrapNodes.length === 0 && process.env.LIOP_BOOTSTRAP) {
+        bootstrapNodes.push(process.env.LIOP_BOOTSTRAP.trim());
+    }
+    // Final fallback: local Nexus bootstrap for demo environments.
+    // Avoid injecting stale static peer IDs when discovery already found valid peers.
+    if (bootstrapNodes.length === 0) {
+        bootstrapNodes.push("/ip4/127.0.0.1/tcp/13001/p2p/12D3KooWD8FUFdnLQzzLFNdicsaTknM5cpD7os9sK9NWVSVABJMD");
+    }
+    // Sanitize/validate all candidate multiaddrs so malformed PeerIDs don't crash startup.
+    bootstrapNodes = bootstrapNodes.filter((addr) => {
+        try {
+            multiaddr(addr);
+            return true;
+        }
+        catch {
+            log.warn(`[LIOP-Agent] Ignoring invalid bootstrap multiaddr: ${addr}`);
+            return false;
+        }
+    });
     // If no bootstrap nodes found, the agent operates in standalone mode.
     // It will only serve local tools until peers are discovered.
     if (bootstrapNodes.length === 0) {
-        console.error("[LIOP-Agent] No bootstrap nodes configured. Operating in standalone mode.");
-        console.error("[LIOP-Agent] Pass a multiaddr as argument or create 'nexus.multiaddr' file.");
+        log.info("[LIOP-Agent] No bootstrap nodes configured. Operating in standalone mode.");
+        log.info("[LIOP-Agent] Pass a multiaddr as argument or create 'nexus.multiaddr' file.");
     }
     // Initialize local server node (lightweight, no tools registered locally)
     const liopServer = new LiopServer({
         name: "@nekzus/liop-agent",
         version: "1.0.0",
     });
+    // Enable Zero-Shot Autonomy (Industrial Prompt Injection)
+    liopServer.enableZeroShotAutonomy();
     // 2. Mesh Node Configuration
     const meshNode = new MeshNode({
         identityPath: identityPath,
         bootstrapNodes: bootstrapNodes,
+        addressMapper: industrialAddressMapper,
     });
     // Start P2P Mesh
     await meshNode.start();
     // 3. Initialize the Dynamic Router
     // No hardcoded tools — all discovery happens via liop:manifest protocol
     const router = new LiopMcpRouter(liopServer, meshNode);
-    // Proactive Notification to Claude Desktop when tools are discovered dynamically
+    // Proactive Notification to Claude Desktop when tools/resources are discovered dynamically
     router.onToolsChanged = () => {
         process.stdout.write(`{"jsonrpc":"2.0","method":"notifications/tools/list_changed"}\n`);
+        process.stdout.write(`{"jsonrpc":"2.0","method":"notifications/resources/list_changed"}\n`);
     };
-    // Initial warming period (2s) then Periodic Discovery Worker (every 10 seconds)
-    // This silently polls the DHT for new nodes and triggers onToolsChanged if the topology shifts.
+    // Initial warming period (2s) then Adaptive Background Discovery
+    // Polls DHT for new nodes and triggers onToolsChanged when topology shifts.
+    // Uses exponential backoff to reduce polling load on stable meshes.
     setTimeout(() => {
         // biome-ignore lint/suspicious/noExplicitAny: access internal for telemetry
         const rtSize = meshNode.getRoutingTableSize?.() || 0;
-        console.error(`[LIOP-Agent] Warm-up complete. Routing Table size: ${rtSize}`);
+        log.info(`[LIOP-Agent] Warm-up complete. Routing Table size: ${rtSize}`);
         router.refreshManifestCache(true).catch(() => { });
     }, 2000);
-    setInterval(() => {
-        router.refreshManifestCache(true).catch(() => { });
-    }, 15000);
-    // 4. STDIO Transport implementation
+    const POLL_BASE_MS = 10_000;
+    const POLL_MAX_MS = 120_000;
+    let pollIntervalMs = POLL_BASE_MS;
+    const scheduleAdaptivePoll = () => {
+        setTimeout(async () => {
+            const prevSize = router.getCacheSize();
+            await router.refreshManifestCache(true).catch(() => { });
+            const newSize = router.getCacheSize();
+            if (newSize !== prevSize) {
+                // Topology changed — reset to aggressive polling
+                pollIntervalMs = POLL_BASE_MS;
+                log.info(`[LIOP-Agent] Topology change detected (${prevSize} → ${newSize}). Resetting poll to ${POLL_BASE_MS / 1000}s.`);
+            }
+            else {
+                // Stable — relax polling interval (factor 1.5)
+                pollIntervalMs = Math.min(Math.round(pollIntervalMs * 1.5), POLL_MAX_MS);
+            }
+            scheduleAdaptivePoll();
+        }, pollIntervalMs);
+    };
+    scheduleAdaptivePoll();
+    // 4. STDIO Transport — Buffered Line Reader
+    // Uses readline to guarantee complete JSON-RPC messages before parsing.
+    // Raw stdin.on("data") can fragment large payloads across multiple chunks.
+    const readline = await import("node:readline");
+    const rl = readline.createInterface({
+        input: process.stdin,
+        terminal: false,
+    });
     process.stdout.on("error", (err) => {
         if (err.code === "EPIPE") {
             process.exit(0); // Graceful exit when Claude Desktop disconnects
         }
     });
-    process.stdin.on("data", async (data) => {
-        const payload = data.toString().trim();
-        if (!payload)
+    rl.on("line", async (line) => {
+        const trimmed = line.trim();
+        if (!trimmed)
             return;
-        const messages = payload.split("\n");
-        for (const msg of messages) {
-            try {
-                const request = JSON.parse(msg);
-                if (request.method) {
-                    const response = await router.dispatch(request);
-                    if (response) {
-                        process.stdout.write(`${JSON.stringify(response)}\n`);
-                    }
+        try {
+            const request = JSON.parse(trimmed);
+            if (request.method) {
+                const response = await router.dispatch(request);
+                if (response) {
+                    process.stdout.write(`${JSON.stringify(response)}\n`);
                 }
             }
-            catch (_err) {
-                // Silent catch for binary noise
-            }
         }
+        catch (_err) {
+            // Silent catch for binary noise or malformed lines
+        }
+    });
+    rl.on("close", () => {
+        process.exit(0);
     });
     // Status directed only to stderr
-    console.error(`[LIOP-Agent] Guarding Claude Desktop via STDIO.`);
-    console.error(`[LIOP-Agent] P2P Mesh: Joined (${bootstrapNodes.length} bootstraps)`);
-    console.error("[LIOP-Agent] Tool discovery: Dynamic via /liop/manifest/1.0.0");
+    log.info(`[LIOP-Agent] Guarding Claude Desktop via STDIO.`);
+    log.info(`[LIOP-Agent] P2P Mesh: Joined (${bootstrapNodes.length} bootstraps)`);
+    log.info("[LIOP-Agent] Tool discovery: Dynamic via /liop/manifest/1.0.0");
     process.on("SIGINT", async () => {
         await meshNode.stop();
         process.exit(0);
     });
 }
 main().catch((err) => {
-    console.error(`[LIOP-Agent] Fatal Error: ${err.message}`);
+    log.error(`[LIOP-Agent] Fatal Error: ${err.message}`);
     process.exit(1);
 });

package/dist/bridge/index.js

@@ -1,5 +1,6 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { LiopServer } from "../server/index.js";
+import { log } from "../utils/logger.js";
 /**
  * LIOP MCP Bridge
  * A bi-directional bridge that allows legacy MCP servers to join the LIOP mesh,
@@ -14,11 +15,11 @@ export class LiopMcpBridge {
         // Determine mode: Exposing LIOP to MCP (Claude) or Wrapping MCP to LIOP (Mesh)
         if (source instanceof LiopServer) {
             this.liopServer = source;
-            console.error("[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)");
+            log.info("[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)");
         }
         else if (source instanceof McpServer) {
             this.legacyMcpServer = source;
-            console.error("[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)");
+            log.info("[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)");
         }
     }
     /**
@@ -47,7 +48,7 @@ export class LiopMcpBridge {
             return null;
         if (method === "initialize") {
             return this.successResponse(id, {
-                protocolVersion: "2025-03-26",
+                protocolVersion: "2025-11-25",
                 capabilities: {
                     prompts: {},
                     resources: {},
@@ -167,7 +168,7 @@ export class LiopMcpBridge {
             return true;
         }
         catch (e) {
-            console.error("[LIOP-Bridge] ZK-Verifier Failure:", e);
+            log.info("[LIOP-Bridge] ZK-Verifier Failure:", e);
             return false;
         }
     }
@@ -221,7 +222,7 @@ export class LiopMcpBridge {
             terminal: false,
         });
         const shutdown = async () => {
-            console.error("[LIOP-Bridge] Disconnecting session...");
+            log.info("[LIOP-Bridge] Disconnecting session...");
             if (this.liopServer)
                 await this.liopServer.close();
             process.exit(0);
@@ -240,7 +241,7 @@ export class LiopMcpBridge {
                 }
             }
             catch (e) {
-                console.error(`[LIOP-Bridge] Error: ${e.message}`);
+                log.error(`[LIOP-Bridge] Error: ${e.message}`);
             }
         });
     }